Collaborative RCE Tool Library - Monitoring Tools (including sub-categories)

Tool Updated: HookShark

Thu, 02 Sep 2010 17:57:06 GMT

Listed in categories: Usermode Hook Detection Tools

Most recent version:
BETA 0.9

Most recent release date:
September 1, 2010

Description:
HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user.

Currently implemented hook detection:

* - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches)
* - Other custom patches [...]
* - VTable Hooks
* - IAT and EAT Hooks
* - Relocation Hooks
* - Hardware Breakpoints
* - PAGE_GAURD Candidates

FAQ

Why is IAT-Scanning / Hook-Scanning so slow? There are faster tools.
=====================================================================

That's because other tools suck. They just walk the IAT Entrys and look for addresses that are out of the module bounds. Thats bollocks. The callback function of the hook, or a redirection (JMP) could be planted well within the module bounds, and there you have a stealth IAT Hook, which HookShark recognizes as "IAT - Local".
And HookShark scans EVERY IAT-Table of EVERY Module. Unlike some other tools, which just examine the main process module.

And HookShark does not only check for hooks in exported/known functions. No, byte by byte of disk/memory image is compared, and even one-byte-patches are revealed. That is only for read-only code-sections though.

What the hell is all that crap? So many patches WTF?
======================================================

HookShark looks for differences between the disk image and the scanned memory. There might be cases where you are just looking at a packed module. To counter these false positives, there is an option to filter patches, which are bigger than n-bytes. (Look in the GlobalOptions Tab)

Sometimes after i scanned a process and want to scan another one and it crashes.
=================================================================================

Yeah, i hate when that happens. I have no idea why. If i get my lazy ass on the debugger i try to check it out. Until then, just restart HookShark.

The mnemonics of patched instructions are wrongly displayed.
============================================================

That's because HookShark just cant do a thorough analysis like IDA does for every module in this short time-span. The alignment of instructions is guessed and heuristically computed.

Tool Added: Pokas x86 Emulator for Generic Unpacking

Sun, 18 Jul 2010 16:32:01 GMT

Listed in categories: Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes

Most recent version:
1.0.0.0

Most recent release date:
July 18, 2010

Description:
Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it still in the beta version. It surely will be fixed soon ith the help of your feedback.

It still doesn't support multithreading and doesn't support Linux ELF executables.
It's still working only on windows but the Linux version will be available soon.

you can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg

Tool Updated: WinApiOverride

Tue, 13 Jul 2010 18:55:31 GMT

Listed in categories: .NET Tracers, API Monitoring Tools, COM Monitoring Tools

Most recent version:
5.4.4

Most recent release date:
July 7, 2010

Description:
WinAPIOverride32 is an advanced api monitoring software.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- Double and float results are logged
- Preserve registers, floating stack and LastError
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- All is is done like modules : you can log or override independently for any function

Tool Updated: DotNET Tracer

Sun, 13 Jun 2010 12:52:02 GMT

Listed in categories: .NET Tracers

Most recent version:
0.9

Most recent release date:
May 15, 2010

Description:
This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

I hope it's useful and as always bug reports are welcome.

Tool Updated: SandboxDiff

Thu, 13 May 2010 11:49:54 GMT

Listed in categories: File Monitoring Tools, File System Diff Tools, Install Monitoring Tools, Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools

Most recent version:
2.0

Most recent release date:
May 13, 2010

Description:
'SandboxDiff' allows tracking changes in Registry and Files when using 'Sandboxie' (an amazing application created by Ronen Tzur).

All Registry entries and File system created/modified by a program sandboxed (or any action sandboxed) are monitored and listed with SandboxDiff.

Very useful when users want (before to install an application) to know all changes made by the installer in Registry and File system.

Tool Updated: Conditional Branch Logger

Sun, 21 Mar 2010 14:25:06 GMT

Listed in categories: Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers

Most recent version:
1.0

Most recent release date:
June 13, 2007

Description:
Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints.

Tool Updated: Radare

Thu, 04 Mar 2010 17:37:43 GMT

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.5

Most recent release date:
December 13, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Updated: ERESI Framework

Sat, 06 Feb 2010 10:30:34 GMT

Listed in categories: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers

Most recent version:
0.82b2

Most recent release date:
September 13, 2009

Description:
The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.

Tool Updated: APIScan

Thu, 28 Jan 2010 00:04:56 GMT

Listed in categories: API Monitoring Tools, Dependency Analyzer Tools

Most recent version:
2.2

Most recent release date:
April 28, 2007

Description:
APIScan is a simple tool to gather a list of APIs that a target process uses.

You can use this list in an initial analysis to help determine a target's
general operating nature. Also can be used to help determine patch/update changes by doing a WinDiff on a "before" and "after" dump.

There are similar tools, often more robust (like "Dependency Walker"), but
most of these just parse the target IAT ("Import Address Table") alone.
APIScan catches dynamically/delayed loaded modules too; and dumps them as a simple list.
============================================================

Example dump for a module:
Code:

Library Flags Function
====================================
-- COMCTL32.DLL
[I...] ImageList_Add
[I...] ImageList_Create
[I...] ImageList_Destroy
[I.O.] InitCommonControls
[.D..] InitCommonControlsEx
[.D.F] ImNotHere
...
...

Explanation:
APIScan saw that "COMCTL32.DLL" is loaded both as an import via the IAT, plus it caught it being loaded dynamically for "InitCommonControlsEx".
That's the 'D' flag in "[.D.F] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that that the application failed in one or more attempt to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was by "ordinal".
Note, you can have both 'I' and 'D' flags since an application (as well as 'O', and 'F', if there is a 'D') can have it both in it's IAT and loaded it dynamicly (with "GetProcAddress()").

Changes:
--------
2.2: Got rid of the index numbers around the DLL and API dumps, that made WinDiff'ing a mess.

TODO:
1. Add intra-module support.
API scan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.
2. Optional real time output to DBGVIEW.

Tool Updated: Echo Mirage

Wed, 20 Jan 2010 14:16:26 GMT

Listed in categories: API Monitoring Tools, Network Monitoring Tools

Most recent version:
1.2

Most recent release date:
December 16, 2006

Description:
Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified.

Windows encryption and OpenSSL functions are also hooked so that plain text of data being sent and received over an encrypted session is also available.

Traffic can be intercepted in real-time, or manipulated with regular expressions and action scripts.

Tool Updated: Kernel Detective

Mon, 07 Dec 2009 01:58:35 GMT

Listed in categories: Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools, Malware Analysis Tools

Most recent version:
1.3.1

Most recent release date:
December 06, 2009

Description:
Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions :
XP/Vista/SEVEN

Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.

Tool Added: Buster Sandbox Analyzer

Mon, 07 Dec 2009 01:55:12 GMT

Listed in categories: File Monitoring Tools, File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes

Most recent version:
1.03

Most recent release date:
December 07, 2009

Description:
Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of sandboxed processes and the changes made to system and then evaluate if they are malware suspicious.

The changes made to system can be of several types: file system changes, registry changes and port changes.

A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.

Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.

Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.

From all these changes we will obtain necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.

Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.

Even if Buster Sandbox Analyzer´s main goal is to consider if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.

Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.

All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.

Tool Updated: Sandboxie

Mon, 07 Dec 2009 01:54:02 GMT

Listed in categories: File Monitoring Tools, File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes

Most recent version:
3.42

Most recent release date:
December 1, 2009

Description:
Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

You can also access all the changes that were made during the program execution.

Tool Added: TEMU

Mon, 07 Dec 2009 01:33:04 GMT

Listed in categories: Memory Data Tracing Tools

Most recent version:
1.0

Most recent release date:
November 24, 2009

Description:
Whole-system dynamic taint analysis platform, in the form of a QEMU extension.

The BitBlaze infrastructure provides a component, called TEMU, for dynamic binary analysis. TEMU is built upon a whole-system emulator, QEMU, and provides the following functionality:

* Dynamic taint analysis. TEMU is able to perform whole-system dynamic taint analysis. Marking certain information sources (e.g., keystrokes, network inputs, reads for certain memory locations, and function call outputs) as tainted, TEMU keeps track of the tainted information propagating in the system. This feature also provides a plug-in environment for dynamic symbolic execution, in which symbolic values are marked as tainted, and concrete values as untainted.
* OS awareness. Information about OS-level abstractions like processes and files is important for many kinds of analysis. Using knowledge of the guest operating system (Windows XP or Linux), TEMU can determine what process and module is currently executing, what API calls have been invoked (with their arguments), and what disk locations belong to which files.
* In-depth behavioral analysis. TEMU is able to understand how an analyzed binary interacts with the environment, such as what API calls are invoked, and what outstanding memory locations are accessed. By marking the inputs as tainted (i.e., symbolic), TEMU provides insights about how outputs are formulated from inputs.

Tool Updated: Regshot Unicode

Tue, 10 Nov 2009 06:46:09 GMT

Listed in categories: Registry Diff Tools, Registry Monitoring Tools

Most recent version:
2.0.1.68 Unicode

Most recent release date:
November 9, 2009

Description:
Regshot is a small, free and open source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot1 and snapshot2. In addition, you can also specify folders (with sub filders) to be scanned for changes as well.

Tool Updated: Filter Monitor

Tue, 20 Oct 2009 21:33:29 GMT

Listed in categories: Kernel Filter Monitoring Tools

Most recent version:
1.1.0

Most recent release date:
October 20, 2009

Description:
This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals.

As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters.

Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.

Tool Updated: Process Monitor

Sat, 19 Sep 2009 12:30:27 GMT

Listed in categories: File Monitoring Tools, Process Monitoring Tools, Registry Monitoring Tools

Most recent version:
2.7

Most recent release date:
September 18, 2009

Description:
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Tool Updated: GMER

Tue, 15 Sep 2009 21:44:21 GMT

Listed in categories: Kernel Hook Detection Tools

Most recent version:
1.0.15.15087

Most recent release date:
September 15, 2009

Description:
GMER is an application that detects and removes rootkits .

It scans for:
* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks

GMER also allows to monitor the following system functions:
* Processes creating
* Drivers loading
* Libraries loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/VISTA

Tool Added: TR

Sun, 30 Aug 2009 23:08:03 GMT

Listed in categories: 16 bit and DOS Tracers

Most recent version:
2.52

Most recent release date:
November 30, 1998

Description:
Advanced tracer for 16 bit x86 code (DOS programs).

From readme:

If you have used DEBUG, SYMDEB, TD (Turbo Debugger), CV (CodeView) or SoftICE, you should try TR which has more powerful functions than debuggers mentioned above.

TR(tracer) is a debugger based on the CPU simulation technology.

The main features are:

1. Interpret Mode

=================

TR runs a program by interpreting its code just like a REAL Intel CPU

would, step by step. TR understands every CPU opcode and will give the

correct result, without INT1, INT3, DR0-DR8, or protected mode.

Theoretically, TR will never be found by any program which is

traced, and you can never find a program which can't be traced :-)

Traditional debuggers or tracers have too many shortages:

(1) Using INT1 and the Trap Flag

Because they use INT1 and TF to step the program, so it's easy

to cheat and detect it!

(2) Using INT3

These debuggers insert INT3(CCh) into the program's code after every

instruction. If the program destroys the INT3 vector or tests

itself, the tracer would not work well :-(

(3) SoftICE doesn't use above two methods, but uses 386 hardware

interrupts instead. SoftICE is very strong but so easy to be

found :(

Overall, traditional debuggers & tracers trace the program using standard

tracing methods which can be found in INTEL's CPU manual. They could

only trace those programs which haven't any anti-debug code. If the

program won't cooperate, they all cannot work well :-( But TR will

trace all the programs that the CPU can deal with, even another TR

session.

On the other hand, traditional debuggers or tracers simply insert a

breakpoint into the program and wait until they catch the control back.

They don't know whether they will get control back or what the program

intends to do. TR runs the program in interpret mode, it controls all

things absolutely. Just because of that, TR can set more and more

complex breakpoints.

Interpret Run is the main difference between TR and all other

debuggers, and this is also why TR has a higher performance.

2.Batch File

============

Although batch is not a new word to you, you can find no one using it

in a debugger. In TR, you can put all your commands in a text file and

use it just like you execute a DOS batch file. TR as well has a special

batch file named "AUTORUN.TR". Just like its name, this file can be

executed automatically every time you start TR.

3.Magic Offset

==============

Everyone is used to the "G 100" command which means run and stop at

address CS:100. In general, debuggers do it like this: insert a

breakpoint(INT3/CC) at CS:100 and GO the program. When the CPU meets

the INT3, the program will be stopped. So, the debuggers can only set a

breakpoint at current CS and offset 100. But not TR! TR can stop the

program at every offset 100! What does this mean? It means when IP=100,

the program will be stopped! We call this Magic Offset. Hmm, what's the

use? Too many! Think by yourself :-) One simplest and direct usage is

use "G 100" you can *UNPACK* all .COM files!

4.Assembly Language Command

===========================

It's a good idea that you can use ASM opcode in your debug environment.

You can accomplish your wish in TR! You may use either "R AX 001A" or

"MOV AX, 001A". Both do the same thing. Remember, all assembly opcode

can be used in TR, e.g. "CLI", "MOV [WORD 1234], 4567", "IN AL,21"...

5.Add Comments During Tracing

=============================

"CALL 7FDE" is not good compared to "CALL OPEN_FILE". But most tracers

must face such opcodes. Even if you have known what the procedure

would do, you could only write it down on paper. Now TR can write

your comments directly into the program and saved them into another file

automatically. From now on all programs are easy for understand. TR will

as well display comments for most INT21 function calls automatically for

you.

6.Automatic Jump

================

Many protectors use lots of JMP codes to make the decryptor of their

protection unreadable. In most situations, you can only see some JMPs in

the code window. At the target address, in general, you can't see the

correct disassemble opcode because the protect programs likely insert

some DATA in front of that address, so, it's difficult to understand

these programs. With the Automatic Jump feature, TR displays the correct

code at the JMP address in code window instead of displaying a "JMP

xxxx". This way you can see the correct codes sequence but not lots of

jumps: the code is easy to read!

7.Log

=====

TR could save all CS:IP on interpret-run. This makes it possible to

analyse the program easily. If the program exits with an error, you can

find the problem by backtracing your LOG. Command 'LOGPRO' can get all

the key opcode program run. The program will have no secret after you

LOG it. Refer to the commands LOG, LOGS, VLOG and LOGPRO.

8.Write EXE file from memory

============================

You can find many universal unpackers on the net, but what would you do

if they tell you "I can't unpack it"? Unpack functions should be in

debuggers. TR's MKEXE function let you make EXE file easy!

9.Various Complex breakpoints, One-time breakpoints

===================================================

All other debuggers' breakpoints are what INTEL prepared. They cannot

fit the need of modern trace technology. TR has many revolutionary

breakpoints:

(1) BP conditions

Conditional break-point. ex.:

BP IP>4000

BP ah=2 dl=80 ch>30

(2) BPINT intnum [conditions]

Interrupt break-point.

(3) BPXB bytes [conditions]

Break-point if ??? code is encountered. For example, "MOV AX,????"

is assembled in HEX "B8????", so you can use

BPXB b8

to break on all "mov ax,????" opcodes. Other examples:

BPXB cd ;all interrupt

BPXB 33 c0 ;xor ax,ax

(4) BPREG REG''

Tool Updated: Process Hacker

Sat, 22 Aug 2009 13:51:09 GMT

Listed in categories: Malware Analysis Tools, Process Monitoring Tools

Most recent version:
1.4

Most recent release date:
August 22, 2009

Description:
Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:
- A simple, customizable tree view with highlighting showing you the processes running on your computer.

- Detailed performance graphs.

- A complete list of services and full control over them (start, stop, pause, resume and delete).

- A list of network connections.

- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...

- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.

- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload!

- Many more features...