Collaborative RCE Tool Library - Memory Data Tracing Tools (including sub-categories)

Tool Added: TEMU

Mon, 07 Dec 2009 01:33:04 GMT

Listed in categories: Memory Data Tracing Tools

Most recent version:
1.0

Most recent release date:
November 24, 2009

Description:
Whole-system dynamic taint analysis platform, in the form of a QEMU extension.

The BitBlaze infrastructure provides a component, called TEMU, for dynamic binary analysis. TEMU is built upon a whole-system emulator, QEMU, and provides the following functionality:

* Dynamic taint analysis. TEMU is able to perform whole-system dynamic taint analysis. Marking certain information sources (e.g., keystrokes, network inputs, reads for certain memory locations, and function call outputs) as tainted, TEMU keeps track of the tainted information propagating in the system. This feature also provides a plug-in environment for dynamic symbolic execution, in which symbolic values are marked as tainted, and concrete values as untainted.
* OS awareness. Information about OS-level abstractions like processes and files is important for many kinds of analysis. Using knowledge of the guest operating system (Windows XP or Linux), TEMU can determine what process and module is currently executing, what API calls have been invoked (with their arguments), and what disk locations belong to which files.
* In-depth behavioral analysis. TEMU is able to understand how an analyzed binary interacts with the environment, such as what API calls are invoked, and what outstanding memory locations are accessed. By marking the inputs as tainted (i.e., symbolic), TEMU provides insights about how outputs are formulated from inputs.

Tool Updated: Memory Hacking Software

Fri, 14 Aug 2009 20:32:08 GMT

Listed in categories: Code Coverage Tools, Memory Data Tracing Tools, Memory Search Tools, Trainer Generators

Most recent version:
5.009

Most recent release date:
August 14, 2009

Description:
Highly advanced software for memory search/analysis and trainer creation. Recommended!

MHS 5.005 (bundle):
Bundle includes MHS.exe, zlib1.dll, MHS Help.chm, and ChangeLog.txt.

Features:
* Fastest Searching
-- Data-Type Search
-- Pointer Search
-- String Search (ASCII, Unicode, Hex Bytes, Wildcard, Regular Expressions)
-- Group Search (Includes Pattern Matching)
-- Expression Search (Extremely Flexible)
-- Script Search (The Ultimate in Custom Searching)

* Debugger
-- Very Stable
-- Customizable Breakpoints

* Disassembler

* Code Filter
-- Easiest Way to Find Functions

* Auto-Hack

* Auto-Assembler
-- 90% Same Language/Syntax as in Cheat Engine

* DLL Injector
-- Injects any DLL into the Target Process
-- Uninject Later, Automatically or Manually
-- Remotely Call ANY Functions in the Injected DLL(s), Regardless of Calling Convention, Return Type, or Number of Parameters

* Integrated Script Language
-- IDE/Compiler Built-In
-- Syntax Matches C; No Learning Curve
-- Compiled for Fast Execution
-- Full API
-- Includes Features Specially for Hacking

* Real-Time Hex Editor
-- Fully Featured Real-Time Hex Editor for Both RAM and Files
-- Allows Browsing of Kernel RAM

* Kernel Driver
-- Allows Bypassing Anti-Cheat Systems
-- Allows Reading/Writing of Kernel RAM

* Converter

* RAM Watcher

* Memory Allocator
-- Allocates Memory in the Target Process

Tool Updated: LordCHEAT

Sun, 19 Jul 2009 05:10:19 GMT

Listed in categories: Memory Data Tracing Tools

Most recent version:
1.2.6

Most recent release date:
July 18, 2009

Description:
- Small & Powerfull Game Trainer
- Save & Load memory using simple script
- Read/Write memory using Hex Editor
- Support 16/32 bit Windows games, macromedia flash games, *emulator, etc
- Support Pointer to Pointer
- Support Plugins
- Memory monitor
- Can run under windows 98 up to *Vista
- etc.

Tool Updated: SpiderPig

Wed, 17 Jun 2009 00:23:22 GMT

Listed in categories: Memory Data Tracing Tools

Most recent version:
(not yet released)

Most recent release date:

Description:
Main idea of SpiderPig is to trace a specified memory region (or specified register value), and also be able to trace all the childs regions that were created by refferencing to previously traced regions. So whenever a previously traced memory region will be refferenced or any other memory region which bases on previously traced memory region will be created, SpiderPig will snort it.

SpiderPig is a project created for performing and visualizing data flow analysis of a selected binary program. SpiderPig was created in the purpose of providing a tool which would be able to help vulnerability and security researchers with tracing and analyzing any necessary data and it's further propagation. Such tasks are very often crucial in the vulnerability discovering/identifying process and typically require a lot of time consuming manual work. The initial concept is pretty old, the first pseudo usable version was created initialy for Immunity Debugger Plugin Contest back in the 2007 just to be frozen few days after. I have reactivated the project while having the last months of holidays (arround September 2008) and I have decided to write a little paper about it (which was finished arround November 2008). Since i switched for another research at the moment the SpiderPig research is practically frozen since the time paper was made. As you probably realize history of this project is kinda a nutty. Anyway enjoy or erm not enjoy.

Tool Added: HBGary Inspector

Fri, 15 Feb 2008 22:04:53 GMT

Listed in categories: Code Coverage Tools, Memory Data Tracing Tools, Tracers

Most recent version:
2.0

Most recent release date:

Description:
HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing.

Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior.

HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the Reverse Engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation.

Tool Updated: Cheat 'O Matic

Fri, 28 Dec 2007 00:37:16 GMT

Listed in categories: Memory Data Tracing Tools, Memory Search Tools

Most recent version:
0.99a

Most recent release date:
1997

Description:
Cheat 'O Matic is an EXTREMELY easy to use UNIVERSAL cheating program designed to allow you to automatically cheat on ANY game (or other program) that will run on Windows '95, '98 and 'NT (including DOS, Windows 3.1, Windows '95, Windows '98 and Windows 'NT games) - as the game actually runs! Additionally, Cheat 'O Matic allows you to cheat on programs that don't have cheat codes, or in completely different ways that cheat codes may not exist for, and perhaps the game's programmers never intended

Tool Added: Flayer

Fri, 26 Oct 2007 11:45:37 GMT

Listed in categories: Memory Data Tracing Tools

Most recent version:
0.0.1

Most recent release date:
August 9, 2007

Description:
Flayer is a tool for dynamically exposing application innards for security testing and analysis. It is implemented on the dynamic binary instrumentation framework Valgrind and its memory error detection plug-in, Memcheck . This paper focuses on the implementation of Flayer, its supporting libraries, and their application to software security.

Flayer provides tainted, or marked, data flow analysis and instrumentation mechanisms for arbitrarily altering that flow. Flayer improves upon prior taint tracing tools with bit-precision. Taint propagation calculations are performed for each value-creating memory or register operation. These calculations are embedded in the target application's running code using dynamic instrumentation. The same technique has been employed to allow the user to control the outcome of conditional jumps and step over function calls.

Flayer's functionality provides a robust foundation for the implementation of security tools and techniques. For example, an effective fault injection testing technique and an automation library, LibFlayer. Alongside these contributions, it explores techniques for vulnerability patch analysis and guided source code auditing.

Flayer finds errors in real software. In the past year, its use has yielded the expedient discovery of flaws in security critical software including OpenSSH and OpenSSL.

See full paper at:
http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry_html

And getting-started information at:
http://code.google.com/p/flayer/wiki/GettingStarted