Collaborative RCE Tool Library - Monitoring Tools (including sub-categories)

Tool Updated: Regshot Unicode

2009-11-10T06:46:09Z

Listed in categories: Registry Diff Tools, Registry Monitoring Tools

Most recent version:
2.0.1.68 Unicode

Most recent release date:
November 9, 2009

Description:
Regshot is a small, free and open source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot1 and snapshot2. In addition, you can also specify folders (with sub filders) to be scanned for changes as well.

Tool Updated: Radare

2009-11-04T09:18:47Z

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.4.1

Most recent release date:
November 3, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Updated: Filter Monitor

2009-10-20T21:33:29Z

Listed in categories: Kernel Filter Monitoring Tools

Most recent version:
1.1.0

Most recent release date:
October 20, 2009

Description:
This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals.

As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters.

Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.

Tool Updated: Process Monitor

2009-09-19T12:30:27Z

Listed in categories: File Monitoring Tools, Process Monitoring Tools, Registry Monitoring Tools

Most recent version:
2.7

Most recent release date:
September 18, 2009

Description:
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Tool Updated: GMER

2009-09-15T21:44:21Z

Listed in categories: Kernel Hook Detection Tools

Most recent version:
1.0.15.15087

Most recent release date:
September 15, 2009

Description:
GMER is an application that detects and removes rootkits .

It scans for:
* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks

GMER also allows to monitor the following system functions:
* Processes creating
* Drivers loading
* Libraries loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/VISTA

Tool Added: TR

2009-08-30T23:08:03Z

Listed in categories: 16 bit and DOS Tracers

Most recent version:
2.52

Most recent release date:
November 30, 1998

Description:
Advanced tracer for 16 bit x86 code (DOS programs).

From readme:

If you have used DEBUG, SYMDEB, TD (Turbo Debugger), CV (CodeView) or SoftICE, you should try TR which has more powerful functions than debuggers mentioned above.

TR(tracer) is a debugger based on the CPU simulation technology.

The main features are:

1. Interpret Mode

=================

TR runs a program by interpreting its code just like a REAL Intel CPU

would, step by step. TR understands every CPU opcode and will give the

correct result, without INT1, INT3, DR0-DR8, or protected mode.

Theoretically, TR will never be found by any program which is

traced, and you can never find a program which can't be traced :-)

Traditional debuggers or tracers have too many shortages:

(1) Using INT1 and the Trap Flag

Because they use INT1 and TF to step the program, so it's easy

to cheat and detect it!

(2) Using INT3

These debuggers insert INT3(CCh) into the program's code after every

instruction. If the program destroys the INT3 vector or tests

itself, the tracer would not work well :-(

(3) SoftICE doesn't use above two methods, but uses 386 hardware

interrupts instead. SoftICE is very strong but so easy to be

found :(

Overall, traditional debuggers & tracers trace the program using standard

tracing methods which can be found in INTEL's CPU manual. They could

only trace those programs which haven't any anti-debug code. If the

program won't cooperate, they all cannot work well :-( But TR will

trace all the programs that the CPU can deal with, even another TR

session.

On the other hand, traditional debuggers or tracers simply insert a

breakpoint into the program and wait until they catch the control back.

They don't know whether they will get control back or what the program

intends to do. TR runs the program in interpret mode, it controls all

things absolutely. Just because of that, TR can set more and more

complex breakpoints.

Interpret Run is the main difference between TR and all other

debuggers, and this is also why TR has a higher performance.

2.Batch File

============

Although batch is not a new word to you, you can find no one using it

in a debugger. In TR, you can put all your commands in a text file and

use it just like you execute a DOS batch file. TR as well has a special

batch file named "AUTORUN.TR". Just like its name, this file can be

executed automatically every time you start TR.

3.Magic Offset

==============

Everyone is used to the "G 100" command which means run and stop at

address CS:100. In general, debuggers do it like this: insert a

breakpoint(INT3/CC) at CS:100 and GO the program. When the CPU meets

the INT3, the program will be stopped. So, the debuggers can only set a

breakpoint at current CS and offset 100. But not TR! TR can stop the

program at every offset 100! What does this mean? It means when IP=100,

the program will be stopped! We call this Magic Offset. Hmm, what's the

use? Too many! Think by yourself :-) One simplest and direct usage is

use "G 100" you can *UNPACK* all .COM files!

4.Assembly Language Command

===========================

It's a good idea that you can use ASM opcode in your debug environment.

You can accomplish your wish in TR! You may use either "R AX 001A" or

"MOV AX, 001A". Both do the same thing. Remember, all assembly opcode

can be used in TR, e.g. "CLI", "MOV [WORD 1234], 4567", "IN AL,21"...

5.Add Comments During Tracing

=============================

"CALL 7FDE" is not good compared to "CALL OPEN_FILE". But most tracers

must face such opcodes. Even if you have known what the procedure

would do, you could only write it down on paper. Now TR can write

your comments directly into the program and saved them into another file

automatically. From now on all programs are easy for understand. TR will

as well display comments for most INT21 function calls automatically for

you.

6.Automatic Jump

================

Many protectors use lots of JMP codes to make the decryptor of their

protection unreadable. In most situations, you can only see some JMPs in

the code window. At the target address, in general, you can't see the

correct disassemble opcode because the protect programs likely insert

some DATA in front of that address, so, it's difficult to understand

these programs. With the Automatic Jump feature, TR displays the correct

code at the JMP address in code window instead of displaying a "JMP

xxxx". This way you can see the correct codes sequence but not lots of

jumps: the code is easy to read!

7.Log

=====

TR could save all CS:IP on interpret-run. This makes it possible to

analyse the program easily. If the program exits with an error, you can

find the problem by backtracing your LOG. Command 'LOGPRO' can get all

the key opcode program run. The program will have no secret after you

LOG it. Refer to the commands LOG, LOGS, VLOG and LOGPRO.

8.Write EXE file from memory

============================

You can find many universal unpackers on the net, but what would you do

if they tell you "I can't unpack it"? Unpack functions should be in

debuggers. TR's MKEXE function let you make EXE file easy!

9.Various Complex breakpoints, One-time breakpoints

===================================================

All other debuggers' breakpoints are what INTEL prepared. They cannot

fit the need of modern trace technology. TR has many revolutionary

breakpoints:

(1) BP conditions

Conditional break-point. ex.:

BP IP>4000

BP ah=2 dl=80 ch>30

(2) BPINT intnum [conditions]

Interrupt break-point.

(3) BPXB bytes [conditions]

Break-point if ??? code is encountered. For example, "MOV AX,????"

is assembled in HEX "B8????", so you can use

BPXB b8

to break on all "mov ax,????" opcodes. Other examples:

BPXB cd ;all interrupt

BPXB 33 c0 ;xor ax,ax

(4) BPREG REG''

Tool Updated: Process Hacker

2009-08-22T13:51:09Z

Listed in categories: Malware Analysis Tools, Process Monitoring Tools

Most recent version:
1.4

Most recent release date:
August 22, 2009

Description:
Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:
- A simple, customizable tree view with highlighting showing you the processes running on your computer.

- Detailed performance graphs.

- A complete list of services and full control over them (start, stop, pause, resume and delete).

- A list of network connections.

- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...

- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.

- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload!

- Many more features...

Tool Updated: Memory Hacking Software

2009-08-14T20:32:08Z

Listed in categories: Code Coverage Tools, Memory Data Tracing Tools, Memory Search Tools, Trainer Generators

Most recent version:
5.009

Most recent release date:
August 14, 2009

Description:
Highly advanced software for memory search/analysis and trainer creation. Recommended!

MHS 5.005 (bundle):
Bundle includes MHS.exe, zlib1.dll, MHS Help.chm, and ChangeLog.txt.

Features:
* Fastest Searching
-- Data-Type Search
-- Pointer Search
-- String Search (ASCII, Unicode, Hex Bytes, Wildcard, Regular Expressions)
-- Group Search (Includes Pattern Matching)
-- Expression Search (Extremely Flexible)
-- Script Search (The Ultimate in Custom Searching)

* Debugger
-- Very Stable
-- Customizable Breakpoints

* Disassembler

* Code Filter
-- Easiest Way to Find Functions

* Auto-Hack

* Auto-Assembler
-- 90% Same Language/Syntax as in Cheat Engine

* DLL Injector
-- Injects any DLL into the Target Process
-- Uninject Later, Automatically or Manually
-- Remotely Call ANY Functions in the Injected DLL(s), Regardless of Calling Convention, Return Type, or Number of Parameters

* Integrated Script Language
-- IDE/Compiler Built-In
-- Syntax Matches C; No Learning Curve
-- Compiled for Fast Execution
-- Full API
-- Includes Features Specially for Hacking

* Real-Time Hex Editor
-- Fully Featured Real-Time Hex Editor for Both RAM and Files
-- Allows Browsing of Kernel RAM

* Kernel Driver
-- Allows Bypassing Anti-Cheat Systems
-- Allows Reading/Writing of Kernel RAM

* Converter

* RAM Watcher

* Memory Allocator
-- Allocates Memory in the Target Process

Tool Updated: Wireshark

2009-07-20T22:01:23Z

Listed in categories: Network Sniffers

Most recent version:
1.2.1

Most recent release date:
July 20, 2009

Description:
Wireshark (previously Ethereal) is the world's foremost network protocol analyzer, and is the standard in many industries.

It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Wireshark has a rich feature set which includes the following:

* Hundreds of protocols are supported, with more being added all the time
* Live capture and offline analysis are supported
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list, which eases analysis
* Output can be exported to XML, PostScript®, CSV, or plain text

Tool Updated: Syscall Lister

2009-07-19T05:11:45Z

Listed in categories: SysCall Monitoring Tools

Most recent version:

Most recent release date:
July 18, 2007

Description:
This program enumerates all NT kernel system calls and matches them with native API functions using dbghelp and MS symbols (internet connection is required to download these symbols).

It uses kernel mode driver to access arbitrary memory locations, like System Service Descriptor Tables.

Tool Updated: Process Lasso

2009-07-19T05:11:12Z

Listed in categories: Process Monitoring Tools

Most recent version:
3.62