Collaborative RCE Tool Library - Code Injection Tools (including sub-categories)

Tool Added: DotNetasploit

Tue, 17 Aug 2010 01:40:27 GMT

Listed in categories: .NET Code Injection Tools

Most recent version:
2.5

Most recent release date:
August 2010

Description:
DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.

Tool Added: Javassist

Tue, 13 Jul 2010 19:33:16 GMT

Listed in categories: Java Code Injection Tools, Java Executable Editors & Patchers

Most recent version:
3.12.0.GA

Most recent release date:
April 16, 2010

Description:
Javassist (Java Programming Assistant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If the users use the source-level API, they can edit a class file without knowledge of the specifications of the Java bytecode. The whole API is designed with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows the users to directly edit a class file as other editors.

Aspect Oriented Programming: Javassist can be a good tool for adding new methods into a class and for inserting before/after/around advice at the both caller and callee sides.

Reflection: One of applications of Javassist is runtime reflection; Javassist enables Java programs to use a metaobject that controls method calls on base-level objects. No specialized compiler or virtual machine are needed.

Tool Updated: THYloadergen

Sun, 30 May 2010 18:58:57 GMT

Listed in categories: Code Injection Tools, Loader Generators, Memory Patchers, Patch Packaging Tools, Patcher Generators

Most recent version:
0.6

Most recent release date:
March 6, 2010

Description:
features:
* memory patch packed targets (except process redirected ones, like armadillo debugblocker)
* patch:VA (patch at a virtual address)
* patch:SnR (patch by search&replace)
* hookAPI (specify an API call that is executed after target is fully unpacked. hit count can be specified)
* hookVA (specify a VA that is executed after target is fully unpacked. hit count can be specified)
* wnd (specify a window that is created after target is fully unpacked)
* inject a dll into the process to have the possibility to include more complex stuff than the patching provided. (no live injecting, as this is a loader)
* optional splash screen at startup (pic can be specified, aswell as the transparency)

veyl/THY, MAR/2010

Tool Updated: Radare

Thu, 04 Mar 2010 17:37:43 GMT

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.5

Most recent release date:
December 13, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Updated: DynamoRIO

Tue, 09 Feb 2010 18:12:27 GMT

Listed in categories: Code Coverage Tools, Code Injection Tools, Debugger Libraries, Disassembler Libraries, Profiler Tools

Most recent version:
1.50.0.1

Most recent release date:
December 29, 2009

Description:
DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows or Linux) and commodity IA-32 and AMD64 hardware.

Previous description:

The DynamoRIO Collaboration - Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science.

The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications.

The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract:

In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees.

Tool Updated: ERESI Framework

Sat, 06 Feb 2010 10:30:34 GMT

Listed in categories: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers

Most recent version:
0.82b2

Most recent release date:
September 13, 2009

Description:
The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.

Tool Updated: IDA Inject

Sun, 19 Jul 2009 05:01:34 GMT

Listed in categories: Code Injection Tools, IDA Extensions

Most recent version:
1.0.3

Most recent release date:
July 18, 2008

Description:
This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.

Tool Updated: Detours

Sat, 18 Jul 2009 21:01:22 GMT

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:
2.1.216

Most recent release date:
November 10, 2008

Description:
Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

Tool Added: Code Snippet Creator (Iczelion)

Wed, 17 Jun 2009 11:54:13 GMT

Listed in categories: Code Injection Tools, Code Snippet Creators

Most recent version:
1.05 (build 2)

Most recent release date:
January 13, 2001

Description:
Code Snippet Creator is designed specifically for advanced crackers/assembly programmers who want to create custom code snippets in assembly language.

The features of this utility:
· Can generate code snippets and save them as binary files
· Support both TASM and MASM
· Provide simple integrated PE editor to edit the target file you want to patch
· Can patch the code snippet into a target PE file both as a new section and as an addition to an existing section (or PE header)
· You can use ANY functions that the target imports in your snippet! This utility will fix the calls for you.

Tool Updated: Rebel.NET

Thu, 19 Feb 2009 14:14:55 GMT

Listed in categories: .NET Code Injection Tools, .NET Executable Editors

Most recent version:
1.3.0.1

Most recent release date:
February 19, 2009

Description:
Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.

Tool Added: PunchIt

Thu, 02 Oct 2008 15:06:39 GMT

Listed in categories: Code Injection Tools, GUI Manipulation Tools, Resource Editors

Most recent version:
1.1

Most recent release date:
October 2nd 2008

Description:
It is a program useful to automatically inject into ANY application your sound and music. The music will be played in background when the program runs as before.

The tool comes with a tutorial explaining how it works, trick and useful hints found coding it, and of its sources ..

Get the tutorial here:

http://arteam.accessroot.com/tutorials.html?fid=200

and the tool here

http://arteam.accessroot.com/releases.html?fid=25

Release notes of version 1.1
+ minor updates to improve stability
+ updated bass audio module v2.4.1
+ updated PECompact2 Student Build v2.94.1
+ (*new) Incorporates source Icon in distribution file (if exists)

I admit the Icon changing routine is a bit lame, but works even if it only takes
1st icon entry for MainIcon group of source executable.
I modded program so that PECompact2 doesn't compress resources allowing anyone
to change the Icon in the output file to whatever they would like using a 3rd party
tool (i.e. reshacker, Icon Exe changer, etc.)

Please test and report any probs. As is usually the case, if you choose a packed / protected
source executable, you may run into problems compressing and should choose the non compress
option. This is not a fault of the application, but a limitation imposed by compressor programs
such as PECompact2 (Student build) v1.94.1 (latest).

Tool Added: Nucleus Framework

Mon, 15 Sep 2008 21:29:27 GMT

Listed in categories: Code Injection Tools

Most recent version:
1.0.0028.1059

Most recent release date:
August 18, 2008

Description:
Today i decided that it's a good day for the initial release of my nucleus framework.

What you can do with it:

- Inject a specified DLL to a targets' address space

That's it. Extremely minimal usage for the first release but who cares
Would be nice if some would test it and tell me if it works.

USAGE: nucleus <switches> target.exe

--help, --h, -help, -h

display usage help. also displayed if no parameter is selected

--log, --l, -log, -l <logging mode>

select logging mode. 1 = LOG_MODE_STDOUT - log to stdout
2 = LOG_MODE_FILE - log to file
4 = LOG_MODE_NOLOG - log disabled
mode 1 and 2 can be used in combination(expl. 3 for stdout and file
together). if no logging mode selected 1 is default

Tool Added: Comrade's PE Tools

Mon, 04 Aug 2008 00:21:41 GMT

Listed in categories: Code Injection Tools, Import Editors, PE Executable Editors

Most recent version:

Most recent release date:
July 31, 2008

Description:
* Inject Tool

Inject is a tool that injects a DLL into a running process. Its command-line usage is as follows:

1. Inject C:\hook.dll into pid 1234: inject.exe 1234 C:\hook.dll
2. Inject C:\hook.dll into process notepad.exe (if multiple notepads are running, then whichever one is picked is undefined): inject.exe -p *notepad.exe C:\hook.dll
3. Inject C:\hook.dll into running process C:\myprogram.exe: inject.exe -p C:\myprogram.exe C:\hook.dll
4. Inject C:\hook.dll into process with a window named "Untitled - Notepad": inject.exe -w "Untitled - Notepad" C:\hook.dll
5. Inject C:\hook.dll into process with a window class Notepad: inject.exe -c Notepad C:\hook.dll

Note that in all uses, you should specify the full path to the injected DLL.

* Loader Tool

Loader is a tool that injects a DLL before launching a process. Its command-line usage is as follows:

1. Load notepad.exe and inject C:\hook.dll into it: loader.exe notepad.exe C:\hook.dll

Note that you should specify the full path to the injected DLL.

* Patch Tool

Patch is a tool that adds a new section to the executable. The new section becomes the new entrypoint, and contains code to load a particular DLL, and then jump back to the original entrypoint. This can be used to create static patches that behave similar to the Loader tool.
The tool's command-line usage is as follows:

1. Patch original.exe to load C:\hook.dll before execution; save the patched executable to patched.exe: patch.exe original.exe patched.exe C:\hook.dll

* Reimport Tool

Reimport is a tool that redirects certain entries of an executable's import table to another DLL. For example, running reimport.exe game.exe newgame.exe nocd.dll kernel32.dll::GetDriveTypeA kernel32.dll::CreateFileA kernel32.dll::GetVolumeInformation will create a copy of game.exe into newgame.exe, with the above 3 API functions rerouted to nocd.dll, instead of kernel32.dll. That means newgame.exe would import GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.dll.

Tool Added: NetAsm

Sat, 26 Jul 2008 01:55:25 GMT

Listed in categories: .NET Code Injection Tools

Most recent version:
1.0

Most recent release date:
July 25, 2008

Description:
NetAsm provides a hook to the .NET JIT compiler and enables to inject your own native code in replacement of the default CLR JIT compilation. With this library, it is possible, at runtime, to inject x86 assembler code in CLR methods with the speed of a pure CLR method call and without the cost of Interop/PInvoke calls.

NetAsm can be used to integrate optimized native code using CPU extended instructions (SSE,MMX) into your managed code. The NetAsmDemo sample provides two benchmarks that unveil the power of using native code injection with NetAsm.

For more information about NetAsm, code injection techniques and recommendations, please consult the NetAsm-UserGuide.

Tool Updated: N-InjectLib

Mon, 21 Jul 2008 17:09:00 GMT

Listed in categories: Code Injection Tools

Most recent version:
1.0.2

Most recent release date:
July 14, 2008

Description:
N-InjectLib is a library written in C++ which allows of injecting dynamic link libraries into a remote (i.e. foreign) process.
Two techniques are available to inject a dll: the target process can be started by using the library so the first dll loaded actually is the dll to be injected, or dlls can be injected anytime while the target process is running.

Tool Updated: N-CodeHook

Mon, 21 Jul 2008 17:07:21 GMT

Listed in categories: Code Injection Tools

Most recent version:
1.0.1

Most recent release date:
July 07, 2008

Description:
N-CodeHook is a small template based C++ library which allows you to hook into functions via inline patching.
For some background info see the blog post or read the paper from the detours website on how inline patching works. Detours uses the same mechanism as N-CodeHook, but requires you to buy a license for the X64 version. Besides the IA32 version must not be used for commercial purposes.
N-CodeHook however is completely free and you can use it for whatever you like.

Tool Added: HookLib

Tue, 15 Jul 2008 18:45:38 GMT

Listed in categories: Code Injection Tools

Most recent version:
1.0

Most recent release date:

Description:
Nektra's hook engine used in Deviare.

Tool Updated: FastSystemCallHook

Fri, 27 Jun 2008 15:22:45 GMT

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:

Most recent release date:
April 5, 2008

Description:
A snippet of code which is a KiFastSystemCall hook I wrote that hooks all user-mode APIs by replacing the SYSENTER MSR. It works also on multi-processor systems and should be easy to extend into a fully functional library if you want to.

Tool Added: ManualMap

Fri, 27 Jun 2008 15:03:20 GMT

Listed in categories: Code Injection Tools

Most recent version:

Most recent release date:
September 9, 2005

Description:
ManualMap is a library I wrote for dll injection by 'manually mapping' a PE file into the remote address space of a process. Instead of calling LoadLibrary or using SetWindowsHookEx (which also essentially calls LoadLibrary internally), this code parses the PE file itself, fixes up the relocs, maps the sections, and builds the import table. It also redirects APIs like GetModuleHandle and GetProcAddress so that manualmap'd modules are visible to each other, but are not visible to any other modules in the process.

Tool Added: CHook

Fri, 27 Jun 2008 14:57:57 GMT

Listed in categories: Code Injection Tools

Most recent version:

Most recent release date:
October 16, 2005

Description:
This is my hooking library that performs a variety of different types of hooks:

- IAT hooking
- EAT hooking
- Debug register hooking
- Thread-safe jmp patch hooking using a length-disassembler engine and a code thunk that masks the problem of jumping back to the original function.