From Collaborative RCE Tool Library

Jump to: navigation, search

Tracers


Tool name: Fenris
Rating: 5.0 (1 vote)
Author: lcamtuf                        
Website: http://lcamtuf.coredump.cx/fenris
Current version: 0.07-m2 build 3245
Last updated: July 11, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.
Also listed in: Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 2.0.0
Last updated: October 10, 2017
Direct D/L link: http://bin.rada.re/radare2-w32-2.0.0.zip
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: WinApiOverride
Rating: 5.0 (3 votes)
Author: Jacquelin POTIER                        
Website: http://jacquelin.potier.free.fr/winapioverride32/
Current version: 6.5.5
Last updated: April 19, 2017
Direct D/L link: http://jacquelin.potier.free.fr/exe/winapioverride32_bin.zip
License type: Free for non commercial use (temporary closed sources due to abuse)
Description: WinAPIOverride is an advanced api monitoring software for 32 and 64 bits processes.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- All is is done like modules : you can log or override independently for any function
- A library is provided for developers who intend to build their one hooking software
Also listed in: .NET Tracers, API Monitoring Tools, COM Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Anathema .NET Instrumentation Tool
Rating: 0.0 (0 votes)
Author: Antonio "s4tan" Parata                        
Website: http://www.phrack.org/papers/dotnet_instrumentation.html
Current version:
Last updated: January 11, 2018
Direct D/L link: Locally archived copy
License type: Open Source
Description: |=-----------------------------------------------------------------------=|
|=--------=[ .NET Instrumentation via MSIL bytecode injection ]=---------=|
|=-----------------------------------------------------------------------=|
|=----------=[ by Antonio "s4tan" Parata <aparata@gmail.com>]=-----------=|
|=-----------------------------------------------------------------------=|


1 - Introduction
2 - CLR environment
2.1 - Basic concepts
2.1.1 - Metadata tables
2.1.2 - Metadata token
2.1.3 - MSIL bytecode
2.2 - Execution environment
3 - JIT compiler
3.1 - The compileMethod
3.2 - Hooking the compileMethod
4 - .NET Instrumentation
4.1 - MSIL injection strategy
4.2 - Resolving the method handle
4.3 - Implementing a trampoline via the calli instruction
4.4 - Crafting a dynamic method
4.5 - Invoking the user defined code
4.6 - Fixing the SEH table
5 - Real world examples
5.1 - Web application password stealer
5.2 - Malware inspection
6 - Conclusion
7 - References
8 - Source Code


--[ 1 - Introduction

In this article we will explore the internals of the .NET framework with
the purpose of providing an innovative method to instrument .NET programs
at runtime.

Actually, there are several libraries that allow to instrument .NET
programs; most of them install a hook in the code generated after compiling
a given method, or by modifying the Assembly and saving back the result of
the modification.

Microsoft also provides a profile API in order to instrument the execution
of a given program. However the API must be activated before executing the
program by setting specific environment variables.

Our goal is to instrument the program at runtime by leaving the Assembly
binary untouched; all this by using a high level .NET language. As we will
see, this is done by injecting additional MSIL code just before the target
method is compiled.


--[ 2 - CLR environment

Before describing in depth how to inject additional MSIL code in a method,
it is necessary to provide some basic concepts as on how the .NET framework
works and which are its basic components.

We will only describe the concepts that are relevant to our purpose.


---[ 2.1 - Basic concepts

A .NET binary is typically called Assembly (even if it doesn't contain any
assembly code). It is a self-describing structure, meaning that inside an
Assembly you will find all the necessary information to execute it (for
more information on this subject see [01]).

As we will shortly see, all this information can be accessed by using
reflection. Reflection allows us to have a full picture of which types and
methods are defined inside the Assembly. We can also have access to the
names and types of the parameters passed to a specific method. The only
missing information are the names of the local variables, but as we will
see this is not a problem at all.


----[ 2.1.1 - Metadata tables

All the above mentioned information is stored inside tables called
Metadata tables.

The following list taken from [02] shows the index and names of all the
existing tables:

00 - Module 01 - TypeRef 02 - TypeDef
04 - Field 06 - MethodDef 08 - Param
09 - InterfaceImpl 10 - MemberRef 11 - Constant
12 - CustomAttribute 13 - FieldMarshal 14 - DeclSecurity
15 - ClassLayout 16 - FieldLayout 17 - StandAloneSig
18 - EventMap 20 - Event 21 - PropertyMap
23 - Property 24 - MethodSemantics 25 - MethodImpl
26 - ModuleRef 27 - TypeSpec 28 - ImplMap
29 - FieldRVA 32 - Assembly 33 - AssemblyProcessor
34 - AssemblyOS 35 - AssemblyRef 36 - AssemblyRefProcessor
37 - AssemblyRefOS 38 - File 39 - ExportedType
40 - ManifestResource 41 - NestedClass 42 - GenericParam
44 - GenericParamConstraint

Each table is composed of a variable number of rows. The size of a row
depends on the kind of table and can contain a reference to other Metadata
tables.

Those tables are referenced by the Metadata token, a notion that is
described in the next paragraph.


----[ 2.1.2 - Metadata token

The Metadata token (or token for short) is a fundamental concept in the CLR
framework. A token allows you to reference a given table at a given index.
It is a 4-byte value, composed of two parts [08]: a table index and the
RID.

The table index is the topmost byte wich points to a table. A RID is a
3-byte record identifier pointing in the table, which starts at offset one.

As an example, let's consider the following Metadata token:

(06)00000F

0x06 is the number of the referenced table, which in this case is
MethodDef. The last three bytes are the RID, that in this case has a value
of 0x0F.


----[ 2.1.3 - MSIL bytecode

When we write a program in a .NET high level language, the compiler will
translate this code into an intermediate representation called MSIL or as
defined in the ECMA-335 [03] CIL, which stands for Common Intermediate
Language.

By installing Visual Studio you will also install a very handy utility
called ILDasm, that allows you to disassemble an Assembly by displaying the
MSIL code and other useful information.

As an example let try to compile the following C# source code:

------#------#------#------<START CODE>------#------#------#------
public class TestClass
{
private String _message;

public TestClass(String txt)
{
this._message = txt;
}

private String FormatMessage()
{
return "Hello " + this._message;
}

public void SayHello()
{
var message = this.FormatMessage();
Console.WriteLine(message);
}
}
------#------#------#------<END CODE>------#------#------#------

The result of the compilation is an Assembly with three methods:
.ctor : void(string), FormatMessage : string() and SayHello : void().

Let's try to display the MSIL code of the SayHello method:

------#------#------#------<START CODE>------#------#------#------
.method public hidebysig instance void SayHello() cil managed
// SIG: 20 00 01
{
// Method begins at RVA 0x21f8
// Code size 16 (0x10)
.maxstack 1
.locals init ([0] string message)
IL_0000: /* 00 | */ nop
IL_0001: /* 02 | */ ldarg.0
IL_0002: /* 28 | (06)00000F */
call instance string MockLibrary.TestClass::FormatMessage()
IL_0007: /* 0A | */ stloc.0
IL_0008: /* 06 | */ ldloc.0
IL_0009: /* 28 | (0A)000014 */
call void [mscorlib]System.Console::WriteLine(string)
IL_000e: /* 00 | */ nop
IL_000f: /* 2A | */ ret
} // end of method TestClass::SayHello
------#------#------#------<END CODE>------#------#------#------

For each instruction we can see the associated MSIL byte values. It is
interesting to see that the code doesn't contain any reference to unmanaged
memory but only to metadata tokens.

The two call instructions reference two different tables, due to the
FormatMessage method being implemented in the current Assembly and the
WriteLine method implemented in an external Assembly.

If we take a look at the list of tables presented in 2.1.1 we can see that
the Metadata token (0A)000014 references the table 0x0A which is the
MemberRef table, index 0x14 which is WriteLine. Instead the token
(06)00000F references the table 0x06 which is the MethodDef table, index
0x0F which is FormatMessage.


---[ 2.2 - Execution environment

The CLR execution environment is very strict and forbids any kind of
dangerous operation. If we compare it with the unmanaged world where we
were able to jump in the middle of an instruction to confuse the
disassembler, to create all kinds of opaque instructions or to jump to any
valid address, we will discover a sad truth: everything is forbidden.

The CLR is a stack based machine. This means that there is no concept of
registers and every parameter is pushed on the stack in order to be passed
to other functions. When we exit a method, the stack must be empty or at
least contain the value that should be returned.

As already said, everything is based on the definition of the Metadata
token. If we try to invoke a call with an invalid token we will receive a
fatal exception. This poses a serious problem for our goal, since we cannot
call methods that are not referenced by the original Assembly.


--[ 3 - JIT compiler

When a method is executed we have two different scenarios. The first one is
when the method is already compiled, in this case the code just jumps to
the compiled unmanaged code. The second scenario is when the method isn't
yet compiled, in this case the code jumps to a stub that will call the
exported method compileMethod, defined in corjit.h [04], in order to
compile and then execute the method.


---[ 3.1 - The compileMethod

Let's analyze this interesting method a bit more. The signature of
compileMethod is the following:

virtual CorJitResult __stdcall compileMethod (
ICorJitInfo *comp, /* IN */
struct CORINFO_METHOD_INFO *info, /* IN */
unsigned /* code:CorJitFlag */ flags, /* IN */
BYTE **nativeEntry, /* OUT */
ULONG *nativeSizeOfCode /* OUT */
) = 0;

The most interesting structure is the CORINFO_METHOD_INFO
which is defined in corinfo.h [05] and has the following format:

struct CORINFO_METHOD_INFO
{
CORINFO_METHOD_HANDLE ftn;
CORINFO_MODULE_HANDLE scope;
BYTE * ILCode;
unsigned ILCodeSize;
unsigned maxStack;
unsigned EHcount;
CorInfoOptions options;
CorInfoRegionKind regionKind;
CORINFO_SIG_INFO args;
CORINFO_SIG_INFO locals;
};

For our purpose the most important field is the ILCode byte pointer. It
points to a buffer which contains the MSIL bytecode. By modifying this
buffer we are able to alter the method execution flow.

As a side note, this method is also extensively used by .NET obfuscators.
In fact we can read the following comment in the source code:

Note: Obfuscators that are hacking the JIT depend on this method having
__stdcall calling convention

An obfuscator typically encrypts the MSIL bytecode of a method, then when
the method is bound to be executed they decrypt the bytecode and pass this
value as byte pointer instead of the encrypted one. This also explains why
if we open it in ILDasm or with a decompiler we receive back an error. How
can they know when a method is going to be called? This is pretty easy,
the code in charge for the replacement process is placed inside the type
constructor. This specific constructor is invoked only once: before a new
object of that specific type is created.


---[ 3.2 - Hooking the compileMethod

Since the compileMethod is exported by the Clrjit.dll (or from mscorjit.dll
for older .NET versions), we can easily install a hook to intercept all the
requests for compilation. The following F# pseudo-code shows how to do
this:

------#------#------#------<START CODE>------#------#------#------
[<DllImport(
"Clrjit.dll",
CallingConvention = CallingConvention.StdCall, PreserveSig = true)
>]
extern IntPtr getJit()

[<DllImport("kernel32.dll", SetLastError = true)>]
extern Boolean VirtualProtect(
IntPtr lpAddress,
UInt32 dwSize,
Protection flNewProtect,
UInt32& lpflOldProtect)

let pVTable = getJit()
_pCompileMethod <- Marshal.ReadIntPtr(pVTable)

// make memory writable
let mutable oldProtection = uint32 0
if not <| VirtualProtect(
_pCompileMethod,
uint32 IntPtr.Size,
Protection.PAGE_EXECUTE_READWRITE,
&oldProtection)
then
Environment.Exit(-1)

let protection = Enum.Parse(
typeof<Protection>,
oldProtection.ToString()) :?> Protection

// save original compile method
_realCompileMethod <-
Some (Marshal.GetDelegateForFunctionPointer(
Marshal.ReadIntPtr(_pCompileMethod),
typeof<CompileMethodDeclaration>) :?> CompileMethodDeclaration
)
RuntimeHelpers.PrepareDelegate(_realCompileMethod.Value)
RuntimeHelpers.PrepareDelegate(_hookedCompileMethodDelegate)

// install compileMethod hook
Marshal.WriteIntPtr(
_pCompileMethod,
Marshal.GetFunctionPointerForDelegate(_hookedCompileMethodDelegate)
)

// repristinate memory protection flags
VirtualProtect(
_pCompileMethod,
uint32 IntPtr.Size,
protection,
&oldProtection
) |> ignore
------#------#------#------<END CODE>------#------#------#------

When we modify the MSIL code we must pay attention to the stack size. Our
framework needs some stack space in order to work and if the method that is
going to be compiled doesn't need any local variables, we will receive an
exception at runtime. In order to fix this problem it is enough to modify
the maxStack variable of CORINFO_METHOD_INFO structure before writing it
back.


--[ 4 - .NET Instrumentation

Now it is time to modify the MSIL buffer of our method of choice and
redirect the flow to our code. As we will see this is not a smooth process
and we need to take care of numerous aspects.


---[ 4.1 - MSIL injection strategy

In order to invoke our code the process that we will follow is composed of
the following steps:

1. Install a trampoline at the beginning of the code. This
trampoline will call a dynamically defined method.

2. Define a dynamic method that will have a specific method signature.

3. Construct an array of objects that will contain the parameters
passed to the method.

4. Invoke a dispatcher function which will load our Assembly
and will finally call our code by passing a handle to the original
method and an array of objects representing the method parameters.

In the end the structure that we are going to create will follow the path
defined in the following diagram:

| ... |
| ... | +---------------+
| Trampoline |----> | |
| Original MSIL | | Dynamic |
| ... | | Method |---------+
| ... | | | |
+---------------+ v
+---------------+
| |
| Framework |
| Dispatcher |
| |
+---------------+
|
+----------+
|
v
+---------------+
| |
| User |
| Code Monitor |
| |
+---------------+


---[ 4.2 - Resolving the method handle

As we will see in the next paragraph, it is necessary to resolve the handle
of the method that will be compiled in order to obtain the needed
information via reflection. I have found a method to resolve it, it is not
very elegant but it works :P.

The following F# pseudo-code will show you how to resolve a method handle
given the CorMethodInfo structure:

------#------#------#------<START CODE>------#------#------#------
let getMethodInfoFromModule(
methodInfo: CorMethodInfo,
assemblyModule: Module) =
let mutable info: FilteredMethod option = None
try
// dirty trick, is there a
// better way to know the module of the compiled method?
let mPtr =
assemblyModule.ModuleHandle.GetType()
.GetField("m_ptr",
BindingFlags.NonPublic ||| BindingFlags.Instance)
let mPtrValue = mPtr.GetValue(assemblyModule.ModuleHandle)
let mpData =
mPtrValue.GetType()
.GetField("m_pData",
BindingFlags.NonPublic ||| BindingFlags.Instance)

if mpData <> null then
let mpDataValue = mpData.GetValue(mPtrValue) :?> IntPtr
if mpDataValue = methodInfo.ModuleHandle then
// module found, get method name
let tokenNum =
Marshal.ReadInt16(nativeint(methodInfo.MethodHandle))
let token = (0x06000000 + int32 tokenNum)
let methodBase = assemblyModule.ResolveMethod(token)

if methodBase.DeclaringType <> null &&
isMonitoredMethod(methodBase) then
let mutable numOfParameters =
methodBase.GetParameters() |> Seq.length
if not methodBase.IsStatic then
// take into account the this parameter
numOfParameters <- numOfParameters + 1

// compose the result info
info <- Some {
TokenNum = tokenNum
NumOfArgumentsToPushInTheStack = numOfParameters
Method = methodBase
IsConstructor = methodBase :? ConstructorInfo
Filter = this
}
with _ -> ()
info
------#------#------#------<END CODE>------#------#------#------

This method must be invoked for each module of all loaded Assemblies.

Now that we have a MethodBase object, we can use it to extract the needed
information, like the number of accepted parameters and their types.


---[ 4.3 - Implementing a trampoline via the calli instruction

Our first obstacle is to create a MSIL bytecode that can invoke an
arbitrary function. Among all the available OpCodes, the one of interest
for us is the calli instruction [06] (beware of its usage, as it makes our
code unverifiable).

From the MSDN page we can read that:

"The method entry pointer is assumed to be a specific pointer to native
code (of the target machine) that can be legitimately called with the
arguments described by the calling convention (a metadata token for a
stand-alone signature). Such a pointer can be created using the Ldftn or
Ldvirtftn instructions, or passed in from native code."

Nice, we can specify an arbitrary pointer to native code. The only
difficulty is that we cannot use the Ldftn or Ldvirtftn since they need a
metadata token, and we cannot specify this value. Not too bad, since from
the Ldftn documentation we can read that [07]:

"Pushes an unmanaged pointer (type native int) to the native code
implementing a specific method onto the evaluation stack."

So, if we have an unmanaged pointer we can simulate the Ldftn with a simple
Ldc_I4 instruction (supposing that we are operating on a 32 bit
environment) [09].

Unfortunately now we have another, even bigger, problem. The calli
instruction needs a callSiteDescr. From [08] we can read that:

"<token> - referred to callSiteDescr - must be a valid StandAloneSig".

The StandAloneSig is the table number 17. As I have already said we cannot
specify this Metadata token (since it probably doesn't exist in the table).

I have played a bit with the calli instruction in order to see if it
accepts also other kinds of Metadata tokens. In the end I discovered that
it also accepts a token from one of the following tables: TypeSpec, Field
and MethodDef.

For our purpose, the MethodDef table is the most interesting one, since we
can fake a valid MethodDef token by creating a DynamicMethod (more on this
later). We can now close the circle by using the calli instruction and
modifying the metadata token in order to specify a MethodDef.

We will use the MethodBase object that we obtained in the previous step in
order to know how many parameters the method accepts and push them in the
stack before invoking calli.

The following F# pseudo-code shows how to build the calli instruction:

------#------#------#------<START CODE>------#------#------#------
// load all arguments on the stack
for i=0 to filteredMethod.NumOfArgumentsToPushInTheStack-1 do
ilGenerator.Emit(OpCodes.Ldarg, i)

// emit calli instruction with a pointer to the dynamic method,
// the token used by the calli is not important as I'll modify it soon
ilGenerator.Emit(OpCodes.Ldc_I4, functionAddress)
ilGenerator.EmitCalli(
OpCodes.Calli,
CallingConvention.StdCall,
dispatcherMethod.ReturnType,
dispatcherArgs)

// this index allow to modify the right byte
let patchOffset = ilGenerator.ILOffset - 4
ilGenerator.Emit(OpCodes.Nop)

// check if I have to pop the return value
match filteredMethod.Method with
| :? MethodInfo as mi ->
if mi.ReturnType <> typeof<System.Void> then
ilGenerator.Emit(OpCodes.Pop)
| _ -> ()

// end method
ilGenerator.Emit(OpCodes.Ret)
------#------#------#------<END CODE>------#------#------#------

The functionAddress variable contains the native pointer of our dynamic
method. One last step is to patch the calli Metadata token with a MethodDef
token whose value we know to be correct. As value we will use the token of
the method that it is being compiled.

The following F# pseudo-code show how to modify the MSIL bytecode at the
right offset:

------#------#------#------<START CODE>------#------#------#------
// craft MethodDef metadata token index
let b1 = (filteredMethod.TokenNum &&& int16 0xFF00) >>> 8
let b2 = filteredMethod.TokenNum &&& int16 0xFF

// calli instruction accept 0x11 as table index (StandAloneSig),
// but seems that also other tables are allowed.
// In particular the following ones seem to be accepted as
// valid: TypeSpec, Field and Method (most important)
trampolineMsil.[patchOffset] <- byte b2
trampolineMsil.[patchOffset+1] <- byte b1
trampolineMsil.[patchOffset + 3] <- 6uy // 6(0x6): MethodDef Table
------#------#------#------<END CODE>------#------#------#------

Since this step is a bit complex let's try to summarize our actions:

1. We use the calli instruction to invoke an arbitrary method by specifying
a native address pointer.

2. We modify the calli metadata token by specifying a MethodDef token and
not a StandAloneSig token.

3. We pass as Metadata token value the token of the method currently
compiled. This kind of token describes the method that must be called.

Our next step is to be sure that the method invoked by calli satisfies the
information contained in the referenced Metadata token.


---[ 4.4 - Crafting a dynamic method

We now have to create the dynamic method that satisfies the information
provided by the token passed to the calli instruction. From [10] we can
read that:

"The method descriptor is a metadata token that indicates the method to
call and the number, type, and order of the arguments that have been placed
on the stack to be passed to that method as well as the calling convention
to be used."

So, in order to create a method that satisfies the signature of the method
referenced by the token we will use a very powerful .NET capability, which
allows us to define dynamic method. This step allows the following:

1. Create a method that has the same signature of the method that will be
compiled. This will guarantee that the information carried by the
metadata token is legit.

2. We are now in a situation where we can specify a valid metadata
token, since the new dynamic type is created in the current execution
environment.

This dynamic method will call another method (a dispatcher) that accepts
two arguments: a string representing the location of the Assembly to load
(more on this later) and an array of objects which contains the arguments
passed to the method.

In creating this method you have to pay attention when creating the objects
array, since in .NET not everything is an object.

The following F# pseudo-code creates the dynamic method with the right
signature:

------#------#------#------<START CODE>------#------#------#------
let argumentTypes = [|
if not filteredMethod.Method.IsStatic then
yield typeof<Object>
yield!
filteredMethod.Method.GetParameters()
|> Array.map(fun p -> p.ParameterType)
|]

let dynamicType =
_dynamicModule.DefineType(
filteredMethod.Method.Name + "_Type" + string(!_index))
let dynamicMethod =
dynamicType.DefineMethod(
dynamicMethodName,
MethodAttributes.Static |||
MethodAttributes.HideBySig |||
MethodAttributes.Public,
CallingConventions.Standard,
typeof<System.Void>,
argumentTypes
)
------#------#------#------<END CODE>------#------#------#------

We can now proceed with the creation of the method body. We need to pay
attention to two facts: ValueType parameters must be boxed, and Enum
parameters must be converted to another form (after some trials and errors
I found that Int32 is a good compromise).

------#------#------#------<START CODE>------#------#------#------
// push the location of the Assembly to load containing the monitors
let assemblyLocation =
if filteredMethod.Filter.Invoker <> null
then filteredMethod.Filter.Invoker.Assembly.Location
else String.Empty
ilGenerator.Emit(OpCodes.Ldstr, assemblyLocation)

// get the parameter types
let parameters =
filteredMethod.Method.GetParameters()
|> Seq.map(fun pi -> pi.ParameterType)
|> Seq.toList

// create argv array
ilGenerator.Emit(OpCodes.Ldc_I4,
filteredMethod.NumOfArgumentsToPushInTheStack)
ilGenerator.Emit(OpCodes.Newarr, typeof<Object>)

// fill the argv array
for i=0 to filteredMethod.NumOfArgumentsToPushInTheStack-1 do
ilGenerator.Emit(OpCodes.Dup)
ilGenerator.Emit(OpCodes.Ldc_I4, i)
ilGenerator.Emit(OpCodes.Ldarg, i)

// check if I have to box the value
if filteredMethod.Method.IsStatic || i > 0 then
// this check is necessary becasue the
// GetParameters method doesn't consider the 'this' pointer
let paramIndex = if filteredMethod.Method.IsStatic then i else i - 1
if parameters.[paramIndex].IsEnum then
// consider all enum as Int32 type to avoid access problems
ilGenerator.Emit(OpCodes.Box, typeof<Int32>)

elif parameters.[paramIndex].IsValueType then
// all value types must be boxed
ilGenerator.Emit(OpCodes.Box, parameters.[paramIndex])

// store the element in the array
ilGenerator.Emit(OpCodes.Stelem_Ref)

// emit call to dispatchCallback
let dispatchCallbackMethod =
Type.GetType("ES.Anathema.Runtime.Dispatcher")
.GetMethod("dispatchCallback", BindingFlags.Static ||| BindingFlags.Public)
ilGenerator.EmitCall(OpCodes.Call, dispatchCallbackMethod, null)

ilGenerator.Emit(OpCodes.Ret)
------#------#------#------<END CODE>------#------#------#------

The call will end up invoking a framework method that is in charge for the
dispatch of the call to the user defined code.


---[ 4.5 - Invoking the user defined code

In order to make the code easy to extend, we can implement a mechanism that
will load a user defined Assembly and invoke a specific method. In this way
we have an architecture that resembles that of a plugin-based architecture.
We call these plugins: monitors. Each monitor can be configured in order to
intercept a specific method.

In order to locate the monitors we will use the software design paradigm
"convention over configuration", which implies that all classes whose name
ends in "Monitor" are loaded.

This last method is very simple, it just retrieves the MethodBase object
from the stack in order to pass it to the monitor and finally invoke it.
The assemblyLocation parameter is the one that specifies where the user
defined Assembly is located.

------#------#------#------<START CODE>------#------#------#------
let dispatchCallback(assemblyLocation: String, argv: Object array) =
if File.Exists(assemblyLocation) then
let callingMethod =
try
// retrieve the calling method from the stack trace
let stackTrace = new StackTrace()
let frames = stackTrace.GetFrames()
frames.[2].GetMethod()
with _ -> null

// invoke all the monitors, we use "convention over configuration"
let bytes = File.ReadAllBytes(assemblyLocation)
for t in Assembly.Load(bytes).GetTypes() do
try
if t.Name.EndsWith("Monitor") && not t.IsAbstract then
let monitorConstructor =
t.GetConstructor([|
typeof<MethodBase>;
typeof<Object array>|])
if monitorConstructor <> null then
monitorConstructor.Invoke([|callingMethod; argv|]) |> ignore
with _ -> ()
------#------#------#------<END CODE>------#------#------#------


---[ 4.6 - Fixing the SEH table

We are near the end, we have modified the MSIL bytecode, we have created a
dynamic method and a trampoline. The final step is to write back the
CORINFO_METHOD_INFO structure and call the real compileMethod.
Unfortunately by doing so you will soon receive a runtime error when you
try to instrument a method that uses a try/catch clause.

This is due to the fact that the creation of the trampoline has made the
SEH table invalid. This table contains information on the portions of code
that are inside try/catch clauses. From [11] we can see that by adding
additional MSIL code, the properties TryOffset and HandlerOffset will
assume an invalid value.

This table is located after the IL Code, as shown in the following
diagram:

+--------------------+
| |
| Fat Header |
| |
+--------------------+
| |
| |
| IL Code |
| |
| |
+--------------------+
| |
| SEH Table |
| |
+--------------------+

We also have a confirmation from the source code, in fact in corhlpr.cpp
([12]) we can see that the SEH table is added to the outBuff variable after
that was already filled with the IL code.

So, to get the address of the SEH table it is enough to add to the IlCode
pointer, located in the CorMethodInfo structure, the length of the MSIL
code.

Before showing the code that does that we have to take into account that
the SEH Table can be of two different types: FAT or SMALL. What changes is
only the dimensions of its fields. So fixing this table it is just a matter
of locating it and enumerating each clause to fix their values.

The following F# pseudo-code does exactly this:

------#------#------#------<START CODE>------#------#------#------
let fixEHClausesIfNecessary(
methodInfo: CorMethodInfo,
methodBase: MethodBase,
additionalCodeLength: Int32) =
let clauses = methodBase.GetMethodBody().ExceptionHandlingClauses
if clauses.Count > 0 then
// locate SEH table
let codeSizeAligned =
if (int32 methodInfo.IlCodeSize) % 4 = 0 then 0
else 4 - (int32 methodInfo.IlCodeSize) % 4
let mutable startEHClauses =
methodInfo.IlCode +
new IntPtr(int32 methodInfo.IlCodeSize + codeSizeAligned)

let kind = Marshal.ReadByte(startEHClauses)
// try to identify FAT header
let isFat = (int32 kind &&& 0x40) <> 0

// it is always plus 3 because even if it is small it is
// padded with two bytes. See: Expert .NET 2.0 IL Assembler p. 296
startEHClauses <- startEHClauses + new IntPtr(4)

for i=0 to clauses.Count-1 do
if isFat then
let ehFatClausePointer =
box(startEHClauses.ToPointer())
 :?> nativeptr<CorILMethodSectEhFat>
let mutable ehFatClause = NativePtr.read(ehFatClausePointer)

// modify the offset value
ehFatClause.HandlerOffset <-
ehFatClause.HandlerOffset + uint32 additionalCodeLength
ehFatClause.TryOffset <-
ehFatClause.TryOffset + uint32 additionalCodeLength

// write back the result
let mutable oldProtection = uint32 0
let memSize = Marshal.SizeOf(typeof<CorILMethodSectEhFat>)
if not <| VirtualProtect(
startEHClauses,
uint32 memSize,
Protection.PAGE_READWRITE,
&oldProtection) then
Environment.Exit(-1)

let protection = Enum.Parse(
typeof<Protection>,
oldProtection.ToString()) :?> Protection
NativePtr.write ehFatClausePointer ehFatClause

// repristinate memory protection flags
VirtualProtect(
startEHClauses,
uint32 memSize,
protection,
&oldProtection) |> ignore

// go to next clause
startEHClauses <- startEHClauses + new IntPtr(memSize)
else
//... do same as above but for small size table
------#------#------#------<END CODE>------#------#------#------

Once we have fixed this table we can finally invoke the real compileMethod.


--[ 5 - Real world examples

The code presented is part of a project called Anathema that will allow you
to easily instrument .NET programs. Let's try to use the framework by
instrumenting a web application in order to steal the user passwords and to
instrument a real world malware in order to log all method calls.


---[ 5.1 - Web application password stealer

Let's see how we can use this instrumentation method in order to implement
a password stealer for a web application. For our demo we will use a very
popular .NET web server called Suave ([13]). We will write the web
application in F# and the password stealer as a C# console application, in
this way we can instrument the interesting method before it is compiled. In
the other case we have to force the .NET runtime to recompile the method in
order to apply the instrumentation (see [14] for a possible approach).

The web application is very simple and contains only a form; its HTML code
is shown below:

------#------#------#------<START CODE>------#------#------#------
<h1>-= Secure Web Shop Login =-</h1>
<form method="POST" action="/login">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Login"></td>
</tr>
</table>
</form>
------#------#------#------<END CODE>------#------#------#------

The F# code in charge for the authentication is the following:

------#------#------#------<START CODE>------#------#------#------
let private _accounts = [
("admin", BCrypt.HashPassword("admin"))
("guest", BCrypt.HashPassword("guest"))
]

let private authenticate(username: String, password: String) =
_accounts
|> List.exists(fun (user, hash) ->
let usernameMatch = user.Equals(username, StringComparison.Ordinal)
let passwordMatch = BCrypt.Verify(password, hash)
usernameMatch && passwordMatch
)

let private doLogin(ctx: HttpContext) =
match (tryGetParameter(ctx, "username"), tryGetParameter(ctx, "password")) with
| (Some username, Some password) when authenticate(username, password) ->
OK "Authentication successfully executed!" ctx
| _ -> OK "Wrong username/password combination" ctx
------#------#------#------<END CODE>------#------#------#------

So, the best way to intercept passwords is the 'authenticate' method. We
will start by creating a class in charge of printing the received password,
this is done by creating the following simple class:

------#------#------#------<START CODE>------#------#------#------
class PasswordStealerMonitor
{
public PasswordStealerMonitor(MethodBase m, object[] args)
{
Console.WriteLine(
"[!] Username: '{0}', Password: '{1}'",
args[0],
args[1]);
}
}
------#------#------#------<END CODE>------#------#------#------

Now, the final step is to instrument the application, this is done using
the following code:

------#------#------#------<START CODE>------#------#------#------
// create runtime
var runtime = new RuntimeDispatcher();
var hook = new Hook(runtime.CompileMethod);
var authenticateMethod = GetAuthenticateMethod();
runtime.AddFilter(
typeof(PasswordStealerMonitor),
"SecureWebShop.Program.authenticate");

// apply hook
var jitHook = new JitHook();
jitHook.InstallHook(hook);
jitHook.Start();

// start the real web application
SecureWebShop.Program.main(new String[] { });
------#------#------#------<END CODE>------#------#------#------

Once the web application is run and we try to login, we will see the
following output in the console:

-= Secure Web Shop =-
Start web server on 127.0.0.1:8080
[14:45:49 INF] Smooth! Suave listener started in 631.728 with binding 127.0.0.1:8080
[!] Username: 's4tan', Password: 'wrong_password'
[!] Username: 'admin', Password: 'admin'


---[ 5.2 - Malware inspection

Let's consider a sample of the Hawkeye malware, written in .NET, with the
following MD5 hash: 130efba199b389ab71a374bf95be2304.

The sample contains two levels of packing. We could trace the packers but
let's focus on the main payload (MD5: 97d74c20f5d148ed68e45dad0122d3b5).
When the main payload is launched the following method calls are logged:

c:\>MLogger.exe malware.exe
[+] Debugger.My.MyApplication.Main(Args: System.String[]) : System.Void
[+] Debugger.My.MyProject..cctor()
[...]
[+] Debugger.My.MyProject.get_Application() : Debugger.My.MyApplication
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyApplication..ctor()
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyProject+MyForms..ctor()
[+] Debugger.Debugger..ctor()
[+] Debugger.Clipboard..ctor()
[+] Debugger.Clipboard.add_Changed(obj: Debugger.Clipboard+ChangedEventHandler)
 : System.Void
[+] Debugger.My.Resources.Resources.get_CMemoryExecute() : System.Byte[]
[+] Debugger.My.Resources.Resources.get_ResourceManager() :
System.Resources.ResourceManager
[+] Debugger.Debugger.InitializeComponent() : System.Void
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[...]
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.Debugger.GetInternalIP() : System.String
[+] Debugger.Debugger.GetExternalIP() : System.String
[+] Debugger.Debugger.GetBetween(
Source: System.String, Before: System.String, After: System.String) : System.String
[+] Debugger.Debugger.GetAntiVirus() : System.String
[+] Debugger.Debugger.GetFirewall() : System.String
[+] Debugger.Debugger.unHide() : System.Void
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyComputer..ctor()
[+] Debugger.Debugger.unhidden(path: System.String) : System.Void
[...]
[+] Debugger.My.Resources.Resources.get_mailpv() : System.Byte[]
[+] Debugger.My.Resources.Resources.get_ResourceManager() :
System.Resources.ResourceManager
[+] Debugger.Debugger.HookKeyboard() : System.Void
[+] Debugger.Clipboard.Install() : System.Void
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyComputer..ctor()
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.My.MyProject.get_Computer() : Debugger.My.MyComputer
[...]


--[ 6 - Conclusion

Instrumenting a .NET program via MSIL bytecode injection is a pretty useful
technique that allows you to have full control of method invocation by
using a high level .NET language.

As we have seen, doing so requires a lot of attention and knowledge of the
internal workings of the CLR, but in the end the outcome is worth the
trouble.


--[ 7 - References

[01] Metadata and Self-Describing Components - https://goo.gl/bbSG7p
[02] The .NET File Format - http://www.ntcore.com/files/dotnetformat.htm
[03] Standard ECMA-335 - https://goo.gl/J9kko6
[04] corjit.h - https://goo.gl/J68Poi
[05] corinfo.h - https://goo.gl/G31KHP
[06] OpCodes.Calli Field - https://goo.gl/D7ug93
[07] OpCodes.Ldftn Field - https://goo.gl/sHzz1S
[08] Expert .NET 2.0 IL Assembler - https://goo.gl/3LKLSW
[09] OpCodes.Ldc_I4 Field - https://goo.gl/qEW2Lx
[10] OpCodes.Call Field - https://goo.gl/29rqZk
[11] ExceptionHandlingClause Class - https://goo.gl/bjLqSv
[12] corhlpr.cpp - https://goo.gl/DDVKgH
[13] Suave web server - https://suave.io/
[14] .NET CLR Injection - https://goo.gl/nryxYB
Also listed in: .NET Code Injection Tools, .NET Tracers, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CFSearch
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.woodmann.com/forum/showthread.php?t=11306&page=2
Current version: 1.0A
Last updated: February 15, 2008
Direct D/L link: N/A
License type: Free
Description: Extremely cool tracer tool that makes use of the "single step on branch", LBR ("last branch recording") features of current processors.

Not released yet, but we're awaiting it with great anticipation!
Also listed in: Code Coverage Tools, Profiler Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Conditional Branch Logger
Rating: 0.0 (0 votes)
Author: Blabberer / dELTA / Kayaker                        
Website: N/A
Current version: 1.0
Last updated: June 13, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints.
Also listed in: Code Coverage Tools, OllyDbg Extensions, Profiler Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotNET Tracer
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11859
Current version: 1.1
Last updated: February 15, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

This version can handle all .net assemblies from 2.0 up to 4.0.

I hope it's useful and as always bug reports are welcome.
Also listed in: .NET Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dream of every reverser
Rating: 0.0 (0 votes)
Author: deroko of ARTeam                        
Website: http://deroko.phearless.org
Current version: public
Last updated: May 6, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Engine used to perfrom stealth memory trace of a target.
Public version only supports tracing of the eip in certain
range. To compile source you will need DDK.

It supports MP and win2k/winxp. Systems running KAV are
not supported as KAV installs hook in SwapContext which
is essential for this tracer.

Technical aspects:
1. Hooks int 0e and int 01
2. Hooks SwapContext
3. Installs ProcessNotifyRoutine

Due to the nature of paged memory in r3, there are 2
ways of tracing: using U/S flag, and using P bit in
PTE. Both cases are handled and supports PAE and nonPAE
addressing modes. Role of SwapContext is to set breaks on
given range when traced process is about to execute.
Role of notify routine is to stop tracer if traced
program exits by any chance during tracing.

When good range is hit, tracer will automaticaly stop
and you will see in DebugView or DbgMon when EIP is in
good range.
Also listed in: Technical PoC Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project                        
Website: http://www.eresi-project.org
Current version: 0.82b2
Last updated: September 13, 2009
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.
Also listed in: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Float Tracer
Rating: 0.0 (0 votes)
Author: j00ru                        
Website: http://vexillium.org/?sec
Current version: 0.0.1
Last updated: January 28, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers, and so on :)
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Frida
Rating: 0.0 (0 votes)
Author: Ole André Vadla Ravnås (@fridadotre)                        
Website: https://www.frida.re/
Current version: 9.1.19
Last updated: March 22, 2017
Direct D/L link: N/A
License type: Open Source
Description: Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.

It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

Scriptable

Your own scripts get injected into black box processes to execute custom debugging logic. Hook any function, spy on crypto APIs or trace private application code, no source code needed!


Stalking

Stealthy code tracing without relying on software or hardware breakpoints. Think DTrace in user-space, based on dynamic recompilation, like DynamoRIO and PIN.


Portable

Works on Windows, macOS, Linux, iOS, Android, and QNX. Install the Node.js bindings from npm, grab a Python package from PyPI, or use Frida through its Swift bindings, .NET bindings, Qt/Qml bindings, or C API.


Why do I need this?

Great question. We’ll try to clarify with some use-cases:

* There’s this new hot app everybody’s so excited about, but it’s only available for iOS and you’d love to interop with it. You realize it’s relying on encrypted network protocols and tools like Wireshark just won’t cut it. You pick up Frida and use it for API tracing.

* You’re building a desktop app which has been deployed at a customer’s site. There’s a problem but the built-in logging code just isn’t enough. You need to send your customer a custom build with lots of expensive logging code. Then you realize you could just use Frida and build an application- specific tool that will add all the diagnostics you need, and in just a few lines of Python. No need to send the customer a new custom build - you just send the tool which will work on many versions of your app.

* You’d like to build a Wireshark on steroids with support for sniffing encrypted protocols. It could even manipulate function calls to fake network conditions that would otherwise require you to set up a test lab.

* Your in-house app could use some black-box tests without polluting your production code with logic only required for exotic testing.
Also listed in: API Monitoring Tools, Android Tools, Code Injection Tools, IPhone Tools, Memory Data Tracing Tools, Network Monitoring Tools, Non-Intrusive Debuggers, Programming Libraries, Reverse Engineering Frameworks, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: generic tracer
Rating: 0.0 (0 votes)
Author: Dennis Yurichev                        
Website: http://conus.info/gt
Current version: 0.1
Last updated: May 24, 2009
Direct D/L link: http://conus.info/gt/gt01.zip
License type: Free
Description: generic tracer - extremely simple win32 tracer

* Main features:

1) Setting breakpoint at any function, monitoring its arguments and return value.
2) Monitoring global variables access.

In a way, it is a kind strace utility.

Significant differences vs strace are:

1) gt is Win32 only.
2) Breakpoints not just system calls, but any function.
3) Only 4 breakpoints, because of x86 architecture limitation.
4) Usage of Oracle .SYM files: ORACLE_HOME should be defined in environment.
Also listed in: API Monitoring Tools, Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HBGary Inspector
Rating: 0.0 (0 votes)
Author: HBGary                        
Website: http://www.hbgary.com/inspector_v2.shtml
Current version: 2.0
Last updated:
Direct D/L link: N/A
License type: Commercial
Description: HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing.

Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior.

HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the Reverse Engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation.
Also listed in: Code Coverage Tools, Memory Data Tracing Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MSIL Dumper
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11809
Current version: 0.4
Last updated: December 12, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799
Also listed in: .NET MSIL Dumpers, .NET Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Non-Debug API Tracer
Rating: 0.0 (0 votes)
Author: deroko                        
Website: http://deroko.phearless.org/engines.html
Current version:
Last updated: January 31, 2011
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: This driver was used in some private projects of mine to achieve fast and stealth debugging. Some of them are ASProtect SKE 2.3 unpacker, and TheMida unpacker.
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: oStudio - Live Tuning
Rating: 0.0 (0 votes)
Author: Objectis                        
Website: http://www.objectis-software.com/product/ostudio-live-tuning-live-debugging-functional-tests/
Current version: 1.3
Last updated: January 17, 2014
Direct D/L link: http://www.objectis-software.com/download-ostudio-2013/
License type: Free
Description: Accelerates the integration, testing and development phase by a factor of 2 to 10, in one easy-to-use application.
oStudio - Live Tuning brings a new development and real time debugging method. It's easy to connect embedded systems, automation and .NET applications to oStudio - Live Tuning, and to interact with them LIVE!

Traditional step by step debugging techniques are now history. A system doesn’t need to be halted to verify and validate its behavior anymore! This method, called live debugging, consists of observing and interacting with a real-time system while it’s still running. oStudio – Live Tuning is a new generation of debugger. It regroups new debugging tools for embedded systems and the machine industry with automated testing.
Also listed in: .NET Debuggers, .NET Tools, .NET Tracers, API Monitoring Tools, COM Debugging Tools, COM Monitoring Tools, Debug Output Monitoring Tools, Debuggers, FPGA Tools, Microcontroller Tools, Non-Intrusive Debuggers, Visual Basic Debuggers, Visual Basic Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PIN
Rating: 0.0 (0 votes)
Author: Intel                        
Website: http://rogue.colorado.edu/pin
Current version: 2.3 (rev 18525)
Last updated: April 10, 2008
Direct D/L link: N/A
License type: Free / Open source
Description: Pin is a tool for the dynamic instrumentation of programs. It supports Linux binary executables for Intel (R) Xscale (R), IA-32, IA-32E (64 bit x86), and Itanium (R) processors. It also allow instrumentation of Windows programs on IA-32 and Intel (R) 64 processors

Pin was designed to provide functionality similar to the popular ATOM toolkit for Compaq's Tru64 Unix on Alpha, i.e. arbitrary code (written in C or C++) can be injected at arbitrary places in the executable. Unlike Atom, Pin does not instrument an executable statically by rewriting it, but rather adds the code dynamically while the executable is running. This also makes it possible to attach Pin to an already running process.

Pin provides a rich API that abstracts away the underlying instruction set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template.
Also listed in: Code Injection Tools, Profiler Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Pokas x86 Emulator for Generic Unpacking
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Website: http://sourceforge.net/projects/x86emu/
Current version: 1.2.0 and 1.21 visual C++
Last updated: December 28, 2012
Direct D/L link: http://sourceforge.net/projects/x86emu/files/1.2.0/x86emu-1.2.rar/download
License type: GPL
Description: Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it still in the beta version. It surely will be fixed soon with the help of your feedback.

you can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Process Stalker
Rating: 0.0 (0 votes)
Author: Pedram Amini                        
Website: http://www.openrce.org/downloads/details/171
Current version: 1.1
Last updated: July 13, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Process Stalking is a term coined to describe the combined process of run-time profiling, state mapping and tracing. Consisting of a series of tools and scripts the goal of a successful stalk is to provide the reverse engineer with an intuitive visual interface to filtered, meaningful, run-time block-level trace data.

The Process Stalker suite is broken into three main components; an IDA Pro plug-in, a stand alone tracing tool and a series of Python scripts for instrumenting intermediary and GML graph files. The generated GML graph definitions were designed for usage with a freely available interactive graph visualization tool.

Data instrumentation is accomplished through a series of Python utilities built on top of a fully documented custom API. Binaries, source code and in-depth documentation are available in the bundled archive. An indepth article was written and released on OpenRCE.org detailing step by step usage of Process Stalker, the article is a good starting point for understanding the basics behind the tool set.

Manual:
http://pedram.redhive.com/process_stalking_manual/

API docs:
http://pedram.redhive.com/process_stalking_manual/ps_api_docs/
Also listed in: Code Coverage Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: TR
Rating: 0.0 (0 votes)
Author: Liu Taotao                        
Website: N/A
Current version: 2.52
Last updated: November 30, 1998
Direct D/L link: Locally archived copy
License type: Shareware
Description: Advanced tracer for 16 bit x86 code (DOS programs).

From readme:

If you have used DEBUG, SYMDEB, TD (Turbo Debugger), CV (CodeView) or SoftICE, you should try TR which has more powerful functions than debuggers mentioned above.

TR(tracer) is a debugger based on the CPU simulation technology.

The main features are:

1. Interpret Mode

=================



TR runs a program by interpreting its code just like a REAL Intel CPU

would, step by step. TR understands every CPU opcode and will give the

correct result, without INT1, INT3, DR0-DR8, or protected mode.

Theoretically, TR will never be found by any program which is

traced, and you can never find a program which can't be traced :-)





Traditional debuggers or tracers have too many shortages:



(1) Using INT1 and the Trap Flag



Because they use INT1 and TF to step the program, so it's easy

to cheat and detect it!



(2) Using INT3



These debuggers insert INT3(CCh) into the program's code after every

instruction. If the program destroys the INT3 vector or tests

itself, the tracer would not work well :-(



(3) SoftICE doesn't use above two methods, but uses 386 hardware

interrupts instead. SoftICE is very strong but so easy to be

found :(



Overall, traditional debuggers & tracers trace the program using standard

tracing methods which can be found in INTEL's CPU manual. They could

only trace those programs which haven't any anti-debug code. If the

program won't cooperate, they all cannot work well :-( But TR will

trace all the programs that the CPU can deal with, even another TR

session.



On the other hand, traditional debuggers or tracers simply insert a

breakpoint into the program and wait until they catch the control back.

They don't know whether they will get control back or what the program

intends to do. TR runs the program in interpret mode, it controls all

things absolutely. Just because of that, TR can set more and more

complex breakpoints.



Interpret Run is the main difference between TR and all other

debuggers, and this is also why TR has a higher performance.



2.Batch File

============



Although batch is not a new word to you, you can find no one using it

in a debugger. In TR, you can put all your commands in a text file and

use it just like you execute a DOS batch file. TR as well has a special

batch file named "AUTORUN.TR". Just like its name, this file can be

executed automatically every time you start TR.



3.Magic Offset

==============



Everyone is used to the "G 100" command which means run and stop at

address CS:100. In general, debuggers do it like this: insert a

breakpoint(INT3/CC) at CS:100 and GO the program. When the CPU meets

the INT3, the program will be stopped. So, the debuggers can only set a

breakpoint at current CS and offset 100. But not TR! TR can stop the

program at every offset 100! What does this mean? It means when IP=100,

the program will be stopped! We call this Magic Offset. Hmm, what's the

use? Too many! Think by yourself :-) One simplest and direct usage is

use "G 100" you can *UNPACK* all .COM files!



4.Assembly Language Command

===========================



It's a good idea that you can use ASM opcode in your debug environment.

You can accomplish your wish in TR! You may use either "R AX 001A" or

"MOV AX, 001A". Both do the same thing. Remember, all assembly opcode

can be used in TR, e.g. "CLI", "MOV [WORD 1234], 4567", "IN AL,21"...





5.Add Comments During Tracing

=============================



"CALL 7FDE" is not good compared to "CALL OPEN_FILE". But most tracers

must face such opcodes. Even if you have known what the procedure

would do, you could only write it down on paper. Now TR can write

your comments directly into the program and saved them into another file

automatically. From now on all programs are easy for understand. TR will

as well display comments for most INT21 function calls automatically for

you.



6.Automatic Jump

================



Many protectors use lots of JMP codes to make the decryptor of their

protection unreadable. In most situations, you can only see some JMPs in

the code window. At the target address, in general, you can't see the

correct disassemble opcode because the protect programs likely insert

some DATA in front of that address, so, it's difficult to understand

these programs. With the Automatic Jump feature, TR displays the correct

code at the JMP address in code window instead of displaying a "JMP

xxxx". This way you can see the correct codes sequence but not lots of

jumps: the code is easy to read!





7.Log

=====



TR could save all CS:IP on interpret-run. This makes it possible to

analyse the program easily. If the program exits with an error, you can

find the problem by backtracing your LOG. Command 'LOGPRO' can get all

the key opcode program run. The program will have no secret after you

LOG it. Refer to the commands LOG, LOGS, VLOG and LOGPRO.



8.Write EXE file from memory

============================



You can find many universal unpackers on the net, but what would you do

if they tell you "I can't unpack it"? Unpack functions should be in

debuggers. TR's MKEXE function let you make EXE file easy!



9.Various Complex breakpoints, One-time breakpoints

===================================================



All other debuggers' breakpoints are what INTEL prepared. They cannot

fit the need of modern trace technology. TR has many revolutionary

breakpoints:



(1) BP conditions

Conditional break-point. ex.:



BP IP>4000

BP ah=2 dl=80 ch>30



(2) BPINT intnum [conditions]

Interrupt break-point.



(3) BPXB bytes [conditions]

Break-point if ??? code is encountered. For example, "MOV AX,????"

is assembled in HEX "B8????", so you can use



BPXB b8



to break on all "mov ax,????" opcodes. Other examples:



BPXB cd  ;all interrupt

BPXB 33 c0  ;xor ax,ax



(4) BPREG REG|SEG [conditions]

Break if the given register changes. You can use



BPREG cs



to get all code segment changes (jmp far,retf...). As well, you can

use something like



BPREG cs ax=0 es=#  ;# means PSP seg



to get the kernel of a shelled program.



(5) BPM [seg:]offset

Break if specified memory is accessed.



BPM 20



will stop at 'mov ax,[20]'.



(6) BPW SEG:OFFSET

Break-point if memory changes. Some opcode's changing memory

could only be found by repeatedly compare.



(7) BPIO port [conditions]



(8) BPKNL [count]

Break-point to find new program kernel.



The most important is: if you only use one break-point onetime,

you can change the break-point command 'BP???' to 'GO???' to run.

By using this one-time break-point, you need not to set any

break-point.



These break-point function make it more and more easy to track a

program. You need not to do any hard work!



TR is a real tracing, tracking, debug program. We have DEBUG,SYMDEB,

TD,CV,S-ICE, but they are all not such real tracing debug programs.

DEBUG & SYMDEB aren't, because I think a real debug software should

be full-screen. TD cannot process command line input. No mouse

clicks could replace a command line like 'F CS:DX,DX+CX 00'. In

DEBUG you can use 'L 100 0 0 1' to check floopy boot, and use

'L 400' or 'W 400' to load a program to memory or write memory to

file. In SYMDEB you could use '>' to save the unassemble result.

All these useful functions cannot be found in another debug program.

I think TD & CV are not standalone debug programs. They just debug

their C program. S-ICE is great! But it looks like that 386CPU's

debug function is for S-ICE, and that S-ICE is just a demo of this

function. Only TR does what you think, rises 9 great new ideals in

tracing technology, for the first time make TRACING an easy job.

TR is a real tracing debug program!
Also listed in: 16 bit and DOS Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: wtrace
Rating: 0.0 (0 votes)
Author: Sebastian Solnica                        
Website: https://github.com/lowleveldesign/wtrace
Current version:
Last updated: March 14, 2017
Direct D/L link: N/A
License type: Open source
Description: This application will trace in real-time all File I/O, TCP IP, ALPC and RPC operations performed by a given process. It works on Windows 7+ and requires .NET 4.5.2+. Wtrace stops when the traced process exits, or if you issue Ctrl+C in its command line.

Use pipeline to filter the events, e.g.: wtrace notepad | findstr "FileIO/Write"

It is possible to use wtrace as a PowerShell cmdlet. Please check the wiki for more details.

The available options are:

Usage: wtrace [OPTIONS] pid|imagename args

Options:
--newconsole Start the process in a new console window.
--nosummary Prints only ETW events - no summary at the end.
-h, --help Show this message and exit
-? Show this message and exit

A sample trace session might look as follows:

PS temp> wtrace mspaint
1134,4316 (1072) FileIO/Create 'C:\' (0xFFFFFA801D789CA0) rw-
1135,2725 (1072) FileIO/Create 'C:\Windows\Prefetch\MSPAINT.EXE-B4A5B5E8.pf' (0xFFFFFA8023E185A0) ---
1135,5118 (1072) FileIO/Create 'C:\Windows' (0xFFFFFA8023E185A0) rw-
1135,5514 (1072) FileIO/Create 'C:\Windows\SYSTEM32\wow64.dll' (0xFFFFFA801D789CA0) rw-
1135,8384 (1072) FileIO/Close 'C:\' (0xFFFFFA801D789CA0)
1135,8542 (1072) FileIO/Create 'C:\Windows\SYSTEM32\wow64.dll' (0xFFFFFA801D789CA0) rw-
1135,8956 (1072) FileIO/Create 'C:\Windows\SYSTEM32\' (0xFFFFFA802110BD50) rw-
1135,9198 (1072) FileIO/Close 'C:\Windows\SYSTEM32\' (0xFFFFFA802110BD50)
1136,0825 (1072) FileIO/Close 'C:\' (0xFFFFFA801D789CA0)
1136,1668 (1072) FileIO/Create 'C:\Windows\SYSTEM32\wow64win.dll' (0xFFFFFA801D789CA0) rw-
1136,1873 (1072) FileIO/Close 'C:\' (0xFFFFFA801D789CA0)
1136,2049 (1072) FileIO/Create 'C:\Windows\SYSTEM32\wow64win.dll' (0xFFFFFA801D789CA0) rw-
...
1363,8894 (1072) FileIO/Read '' (0xFFFFFA80230F5970) 0x173400 32768b
1364,7208 (1072) FileIO/Read '' (0xFFFFFA80230F5970) 0x117400 32768b
1365,6873 (1072) FileIO/Read '' (0xFFFFFA80230F5970) 0x1CD400 32768b
1375,6284 (1072) FileIO/Create 'C:\Windows\win.ini' (0xFFFFFA801A43F2F0) rw-
1375,6702 (1072) FileIO/Read 'C:\Windows\win.ini' (0xFFFFFA801A43F2F0) 0x0 516b
1375,7369 (1072) FileIO/Create 'C:\Windows\SysWOW64\MAPI32.DLL' (0xFFFFFA8023E50710) rw-
1375,7585 (1072) FileIO/Close 'C:\Windows\SysWOW64\msxml6r.dll' (0xFFFFFA8023E50710)
1384,8796 (1072) FileIO/Read '' (0xFFFFFA801FDBFCD0) 0x58200 16384b
1385,3323 (1072) FileIO/Read '' (0xFFFFFA801FDBFCD0) 0x5C200 16384b
2318,6876 (1072) FileIO/Read '' (0xFFFFFA80230F5970) 0x209400 32768b
2319,3279 (1072) FileIO/Read '' (0xFFFFFA80230F5970) 0x213400 32768b
Also listed in: (Not listed in any other category)
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: xTracer
Rating: 0.0 (0 votes)
Author: deroko                        
Website: http://www.accessroot.com/arteam/site/download.php?view.309
Current version: 1.0
Last updated: May 25, 2009
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: xtracer is TLB memory tracer. It tries to locate first break in code section of traced process using split TLB which is available in intel architecture.
This code can be used to locate OEP of traced process easily. Currently only 1st break is reported, but you may modify code to handle more breaks as that's not a problem at all if you go trough ring3 program which actually controls driver. You may expect to get very good and fast results no matter which protection you are tracing. Time needed to locate OEP is equal to the time needed to execute protection layer without debugger, nor any tracer.

I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool released under GPL 3.0).

Code can be customized to handle various scenarios. Eg. add more breaks on code sections, hooking more some native calls to keep control of almost every allocated buffers, but that's up to the user to implement if he needs it.

To use this code simply type:

xtracer.exe <applicaton to trace>

wait a little bit. Also note that you must have internet connection as code is using my SymbolFinder class to locate some symbols from ntoskrnl.exe which makes this code compatible with windows versions from win2k to Vista SP1.
Also listed in: OEP Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 2 subcategories to this category.





Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (23)
   Needs New Category  (3)