Collaborative RCE Tool Library - .NET Tracers (including sub-categories)

Tool Updated: WinApiOverride

Sun, 19 Jul 2009 05:08:24 GMT

Listed in categories: .NET Tracers, API Monitoring Tools, COM Monitoring Tools

Most recent version:
5.1.11

Most recent release date:
July 18, 2009

Description:
WinAPIOverride32 is an advanced api monitoring software.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- Double and float results are logged
- Preserve registers, floating stack and LastError
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- All is is done like modules : you can log or override independently for any function

Tool Updated: DotNET Tracer

Wed, 17 Jun 2009 00:27:47 GMT

Listed in categories: .NET Tracers

Most recent version:
0.6

Most recent release date:
June 15, 2009

Description:
This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

I hope it's useful and as always bug reports are welcome.

Tool Updated: MSIL Dumper

Tue, 30 Dec 2008 00:04:33 GMT

Listed in categories: .NET MSIL Dumpers, .NET Tracers, Tracers

Most recent version:
0.4

Most recent release date:
December 12, 2008

Description:
The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799