Collaborative RCE Tool Library - API Monitoring Tools (including sub-categories)

Tool Updated: OSpy

Sun, 19 Jul 2009 05:10:43 GMT

Listed in categories: API Monitoring Tools

Most recent version:
1.9.8

Most recent release date:
July 18, 2009

Description:
oSpy is a tool which aids in reverse-engineering software running on the Windows platform. With the amount of proprietary systems that exist today (synchronization protocols, instant messaging, etc.), the amount of work required to keep up when developing interoperable solutions will quickly become a big burden when limited to traditional techniques.

However, when the sniffing is done on the API level it allows a much more fine-grained view of what's going on. Seeing return-addresses for each recv/send call (for example), can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it's easy to intercept these calls as well. oSpy already intercepts one such API, and is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

Another neat feature is when wanting to see how an application behaves when in a firewalled environment. Normally you would have to simulate such an environment by configuring firewalls etc., which not only is time-consuming, but might also cripple the rest of the applications you've got running. oSpy solves this problem by a feature called softwalling which allows you to set rules based on the type of function-call, the return-address, local/remote address/port, etc., and lets you choose which error to signal back to the application when the rule matches. This way you can make the application think that for example a connect() timed out, connection was refused, there was no route to host, etc.

Tool Updated: WinApiOverride

Sun, 19 Jul 2009 05:08:24 GMT

Listed in categories: .NET Tracers, API Monitoring Tools, COM Monitoring Tools

Most recent version:
5.1.11

Most recent release date:
July 18, 2009

Description:
WinAPIOverride32 is an advanced api monitoring software.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- Double and float results are logged
- Preserve registers, floating stack and LastError
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- All is is done like modules : you can log or override independently for any function

Tool Updated: Win32 API Monitor

Sat, 18 Jul 2009 23:38:13 GMT

Listed in categories: API Monitoring Tools

Most recent version:
1.3.1

Most recent release date:
March 24, 2009

Description:
API Monitor is a software that allows you to spy and display Win32 API calls made by applications. It can trace any exported APIs and display wide range of information, including function name, call sequence, input and output parameters, function return value and more. A useful developer tool for seeing how win32 applications work and learn their tricks.

Main Features
Trace any exported APIs- Including win32 APIs and other 3rd-Party APIs, unnecessary to know the prototype of the functions.
Display wide range of information, including function name, call sequence, input and output parameters, function return value, GetLastError code and more.
Predefine 82 DLLs and nearly 4000 APIs' prototype.
Filter Profiles are a powerful way of storing your favorite monitor settings for use in other sessions. API Monitor preset 27 API Filter Profiler, including Handles and Objects, Dynamic-Link Libraries, Event Log, Pipes and Mailslots, Debugging, Windows Classes, COMM, Application Related, Shell, Dialog Boxes, File System, Services Related, Remote Access Service, Memory Management, Print Related, Windows, Registry, Processes and Threads, File IO, WinInet, Windows Sockets, Multimedia API, Windows GUI, Network Management, WinNT Security, Access Control Functions.
Allow content to be viewed and exported-Log content can be viewed within API Monitor, and exported to another application or saved to a file.
Support debug version and release version with no modifications to the target application.
Support Unicode and ANSI APIs.
Monitor Running Process-Spy APIs in a background or console process that is already running.
Support multithread.
Display API calls originating from ActiveX controls and COM objects instanced by an application.
MS Excel® style data filtering, customize filter criteria against any data item.
Automatic click-sorting against an unlimited number of columns, descending or ascending.
Automatic data grouping - an extremely powerful data viewing and manipulation metaphor.
Automatic runtime column selection - easily customize the columns visible on-screen with intuitive drag and drop.
Instant Online MSDN Help - This feature allows you to view online MSDN context-sensitive help for the currently selected API.

Tool Updated: Detours

Sat, 18 Jul 2009 21:01:22 GMT

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:
2.1.216

Most recent release date:
November 10, 2008

Description:
Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

Tool Updated: PIX with callstack patch

Fri, 03 Jul 2009 20:33:40 GMT

Listed in categories: API Monitoring Tools, DirectX Tools

Most recent version:

Most recent release date:
July 3, 2009

Description:
MSDN describes the DirectX tool "PIX" as follows (at http://msdn.microsoft.com/en-us/library/bb173085(VS.85).aspx):
"PIX is a debugging and analysis tool that captures detailed information from a Direct3D application as it executes. PIX can be configured to gather data, such as the list of Direct3D APIs called, timing information, mesh vertices before and after transformations, screenshots, and select statistics. PIX can also be used for debugging vertex and pixel shaders, including setting breakpoints and stepping through shader code."

Thus, a highly useful tool right from the MS DirectX SDK for e.g. finding the cause of a rendering problem: for any captured frame, you can click through the executed DX API functions and see how the frame is being built up, eventually finding out what part is to blame.

But what about reversing a closed source application's renderer? PIX does not store a call stack; it merely logs *what* DX functions are called, but not from *where*. Therefore it is not very useful for reversing by default.

I didn't want to let such a great tool go to waste. After some reversing work I ended up patching PIX to log and show (part of) the call stack for each DirectX call that the target program makes. Each call stack entry has both the virtual address and the module name.

Example usage of the resulting modified tool is finding out about and messing with a game's renderer, or more simply locating the HUD rendering code and quickly finding the data that it represents (e.g. health, money) rather than having to resort to memory scanning.

Tool Updated: Generic tracer

Mon, 25 May 2009 23:44:23 GMT

Listed in categories: API Monitoring Tools, Monitoring Tools, Tracers

Most recent version:
0.1

Most recent release date:
May 24, 2009

Description:
generic tracer - extremely simple win32 tracer

* Main features:

1) Setting breakpoint at any function, monitoring its arguments and return value.
2) Monitoring global variables access.

In a way, it is a kind strace utility.

Significant differences vs strace are:

1) gt is Win32 only.
2) Breakpoints not just system calls, but any function.
3) Only 4 breakpoints, because of x86 architecture limitation.
4) Usage of Oracle .SYM files: ORACLE_HOME should be defined in environment.

Tool Added: Export Log

Fri, 19 Sep 2008 23:21:01 GMT

Listed in categories: API Monitoring Tools, Dependency Analyzer Tools

Most recent version:
1.0

Most recent release date:
September 15, 2008

Description:
Program for runtime logging of used/imported external functions (i.e. in other DLLs) in target modules/processes.

Tool Updated: FastSystemCallHook

Fri, 27 Jun 2008 15:22:45 GMT

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:

Most recent release date:
April 5, 2008

Description:
A snippet of code which is a KiFastSystemCall hook I wrote that hooks all user-mode APIs by replacing the SYSENTER MSR. It works also on multi-processor systems and should be easy to extend into a fully functional library if you want to.

Tool Updated: SpyStudio

Wed, 21 May 2008 10:16:40 GMT

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:
1.0.0b

Most recent release date:
February 2008

Description:
SpyStudio is a powerful application that simplifies the code execution interception operations, also called "hooking". Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the Operating System and it's applications.

With SpyStudio you can monitor and intercept API calls at any time, change its parameters, and resume execution.

SpyStudio uses the Deviare API technology to intercept functions' calls, this allows the user to monitor and hook applications in real time.
Deviare is a very complex technology, that can be used through the most simple interfaces.

This useful application provides the ability to break process execution and inspect the function's parameters at any level, and even change its values.

* Hooks any module of any application.

* Understands almost any function's parameters. Every defined data structures and types in windows.h are supported.

* Break on monitor: Break application's code execution, watch and modify function's parameters.

* Integrated Python shell: Now allows to execute Python scripts and handle hooks!

* Some of the modules included on the database are:

Advapi32.dll
Gdi32.dll
Kernel32.dll
Ntdll.dll
User32.dll
Shell32.dll
Wininet.dll

Tool Updated: DynLogger

Mon, 14 Apr 2008 21:26:44 GMT

Listed in categories: API Monitoring Tools

Most recent version:
1.1.0.1

Most recent release date:
April 14, 2008

Description:
DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules.

Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET application as well. Just start the logging process, the log will be saved after you quit the monitored application.

Tool Updated: APIScan

Sat, 09 Feb 2008 19:18:41 GMT

Listed in categories: API Monitoring Tools, Dependency Analyzer Tools

Most recent version:
2.2

Most recent release date:
April 28, 2007

Description:
APIScan is a simple tool to gather a list of APIs that a target process uses.

You can use this list in an initial analysis to help determine a target's
general operating nature. Also can be used to help determine patch/update changes by doing a WinDiff on a "before" and "after" dump.

There are similar tools, often more robust (like "Dependency Walker"), but
most of these just parse the target IAT ("Import Address Table") alone.
APIScan catches dynamically/delayed loaded modules too; and dumps them as a simple list.
============================================================

Example dump for a module:
Code:

Library Flags Function
====================================
-- COMCTL32.DLL
[I...] ImageList_Add
[I...] ImageList_Create
[I...] ImageList_Destroy
[I.O.] InitCommonControls
[.D..] InitCommonControlsEx
[.D.F] ImNotHere
...
...

Explanation:
APIScan saw that "COMCTL32.DLL" is loaded both as an import via the IAT, plus it caught it being loaded dynamically for "InitCommonControlsEx".
That's the 'D' flag in "[.D.F] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that that the application failed in one or more attempt to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was by "ordinal".
Note, you can have both 'I' and 'D' flags since an application (as well as 'O', and 'F', if there is a 'D') can have it both in it's IAT and loaded it dynamicly (with "GetProcAddress()").

Changes:
--------
2.2 Got rid of the index numbers around the DLL and API dumps, that made WinDiff'ing a mess.

TODO:
1. Add intra-module support.
API scan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.
2. Optional real time output to DBGVIEW.

Tool Updated: SysAnalyzer

Sat, 05 Jan 2008 13:56:31 GMT

Listed in categories: API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Memory Dumpers, Network Monitoring Tools, Registry Monitoring Tools

Most recent version:

Most recent release date:
January 19, 2007

Description:
SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

Tool Updated: Malcode Analysis Pack

Wed, 26 Dec 2007 17:48:34 GMT

Listed in categories: API Monitoring Tools, Import Editors, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools

Most recent version:

Most recent release date:
November 13, 2006

Description:
The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 4 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs dns responses to controlled ip's
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes

Tool Added: Auto Debug

Mon, 22 Oct 2007 11:18:54 GMT

Listed in categories: API Monitoring Tools

Most recent version:
4.3

Most recent release date:
2007

Description:
Auto Debug software is an API monitor tool which can automatic trace all APIs and ActiveX interface to input and output parameters. After setting the API which you want to monitor easily, this application will auto trace the target program and monitor the function of inputting and outputting calling. It analysises PDB files automatic while monitoring any DLL and ActiveX interface.

Different from others apispy or API monitor tools, Auto Debug software doesn't need the user to develop any DLL or hook DLL. It's easy to use --- Only setting the APIs which we want to monitor with ON, once the target application running and calling these APIs, it will monitor their parameters of inputting and outputting automaticly! Don't need to develop any DLL, once installing the software, we can start to monitor APIs NOW!

If we have the API prototype(often from the .h file), we can build the PDB file without origin source easily. For example, we can found a sample for generating comdlg32.dll PDB file at ($InstallPath\PDBsample). --- (need Professional Version, it also generates over 30 windows system DLL's PDB files in the Professional Version).

News: Auto Debug for Windows x64 version is available.

Features

It doesn't need to rebuild the source code while monitoring inputting parameters and outputting results of the traced APIs in the target program automaticly, only monitoring the input and output of APIs.

* Source Code level monitor.(new in Professional V4.1).
* Automatic analysis parameter type with PDB files.(new in V4.0). Support for Visual Studio 2005, Visual Studio .NET 2003 and Visual C++ 6.0.
* Very easy to generate PDB files without source code if you know the api prototype.(new in Professional V4.0).
* Tracing your application with release version.
* The best API monitor tool.
* Tracing Release version with mapfile.
* Supporting Debug version and Release version, not need source code.
* Supporting tracing COM Interface.
* Supporting multithread.
* Not need to know the prototype of the functions.
* Not only trace for exported APIs, but also be effect for undocumented APIs.

Tool Added: KaKeeware Application Monitor (KAM)

Fri, 19 Oct 2007 23:09:13 GMT

Listed in categories: API Monitoring Tools

Most recent version:
1.32

Most recent release date:
May 24, 2007

Description:
KaKeeware Application Monitor is a very small API monitor that allows the user to monitor the APIs called by the given application. KAM supports 5577 different APIs as for now.

KAM works as an API spy that may help the developers and localization engineers to find the bugs in the release versions of the software. It can be also used by malware analysts to check which APIs are used by the sample they analyse.
The executable file is packed with Upack.
Since v1.04, KAM can rerieve object names (filenames, registry keys) and shows them on UI instead of handles, making the listing more readable. 1.10 shows more information about monitored APIs. 1.20 added groups to APIs window and added support for command line for monitored program. 1.21 hopefully fixes the problem with some XP versions. 1.30 introduces a lot of new APIs (now it's over 5000!). 1.31 finally conquers Vista. 1.32 adds some APIs (as per request :).

Please be aware that some AV programs may flag kam.exe as malicious. This is a problem known as FP (False Positive). kam.exe is not malicious and it doesn't contain any malicious code.

Tool Added: BoundsChecker

Thu, 18 Oct 2007 20:23:40 GMT

Listed in categories: API Monitoring Tools

Most recent version:

Most recent release date:

Description:
Among many things, BoundsChecker is actually a pretty decent API monitor/logger.

Tool Added: Rohitab API Monitor

Thu, 18 Oct 2007 20:21:41 GMT

Listed in categories: API Monitoring Tools

Most recent version:
1.5

Most recent release date:
January 7, 2001

Description:
API Monitor is a software that monitors and displays API calls made by applications. Its a powerful tool for seeing how Windows and other applications work or tracking down problems that you have in your own applications.