Collaborative RCE Tool Library - PE Executable Editors (including sub-categories)

Tool Added: DotNetasploit

2010-08-17T01:40:27Z

Listed in categories: .NET Code Injection Tools

Most recent version:
2.5

Most recent release date:
August 2010

Description:
DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.

Tool Added: Pokas x86 Emulator for Generic Unpacking

2010-07-18T16:32:01Z

Listed in categories: Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes

Most recent version:
1.0.0.0

Most recent release date:
July 18, 2010

Description:
Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it still in the beta version. It surely will be fixed soon ith the help of your feedback.

It still doesn't support multithreading and doesn't support Linux ELF executables.
It's still working only on windows but the Linux version will be available soon.

you can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg

Tool Added: Javassist

2010-07-13T19:33:16Z

Listed in categories: Java Code Injection Tools, Java Executable Editors & Patchers

Most recent version:
3.12.0.GA

Most recent release date:
April 16, 2010

Description:
Javassist (Java Programming Assistant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If the users use the source-level API, they can edit a class file without knowledge of the specifications of the Java bytecode. The whole API is designed with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows the users to directly edit a class file as other editors.

Aspect Oriented Programming: Javassist can be a good tool for adding new methods into a class and for inserting before/after/around advice at the both caller and callee sides.

Reflection: One of applications of Javassist is runtime reflection; Javassist enables Java programs to use a metaobject that controls method calls on base-level objects. No specialized compiler or virtual machine are needed.

Tool Updated: LordPE

2010-06-29T01:09:27Z

Listed in categories: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers

Most recent version:
1.41 (Deluxe b)

Most recent release date:
September 30, 2009

Description:
LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Tool Updated: THYloadergen

2010-05-30T18:58:57Z

Listed in categories: Code Injection Tools, Loader Generators, Memory Patchers, Patch Packaging Tools, Patcher Generators

Most recent version:
0.6

Most recent release date:
March 6, 2010

Description:
features:
* memory patch packed targets (except process redirected ones, like armadillo debugblocker)
* patch:VA (patch at a virtual address)
* patch:SnR (patch by search&replace)
* hookAPI (specify an API call that is executed after target is fully unpacked. hit count can be specified)
* hookVA (specify a VA that is executed after target is fully unpacked. hit count can be specified)
* wnd (specify a window that is created after target is fully unpacked)
* inject a dll into the process to have the possibility to include more complex stuff than the patching provided. (no live injecting, as this is a loader)
* optional splash screen at startup (pic can be specified, aswell as the transparency)

veyl/THY, MAR/2010

Tool Updated: PE Explorer

2010-03-04T18:40:33Z

Listed in categories: Disassemblers, PE Executable Editors, Resource Editors

Most recent version:
1.99 R6 (silent update)

Most recent release date:
October 14, 2009

Description:
PE Explorer provides powerful tools for disassembly and inspection of unknown binaries, modifying the properties of executable files and customizing and translating their resources. Use this product to do reverse engineering, analyze the procedures and libraries an executable uses.

Features include:

* Working with PE files - exe, dll, sys, drv, bpl, dpl, cpl, ocx and more.
* The ability to open a broken or packed file in Safe mode.
* Support for custom plug-ins to perform any startup processing.
* Collecting the full information contained in the file header.
* Checksum computing and modification.
* Review and editing Data Directories.
* Review of all the sections and info about their location and size.
* Review of contents of section as Raw Data - up to 16 view windows.
* Extracting and deleting sections.
* Section header recalculation.
* Section Editor to modify and repair the damaged section headers.
* Resource Editor to view and modify almost any kind of resources.
* Saving changes to disk as a new file image.
* Full info on exported and imported functions. Review of contents of the base relocation table.
* Quick Function Syntax Lookup. Syntax Description Editor.
* Source code and package information analyzer. Dependency Scanner.
* Built-in Disassembler.
* Customize GUI elements of your favorite Windows programs
* Special support for Delphi applications
* Automatic UPX and Upack unpacking

See multiple screenshots at: http://www.heaventools.com/scrshots.htm

Tool Updated: Stud PE

2010-03-04T18:36:21Z

Listed in categories: Import Editors, PE Executable Editors, Resource Editors

Most recent version:
2.6.0.5

Most recent release date:
October 31, 2009

Description:
Stud_PE The Portable Executables Viewer/Editor (32/64 bit PE files)

Features:
* View/edit PE basic Header information (DOS also):
- Header structures to hexeditor;
* View/edit Section Table:
- Add new section;
* View/edit Directory Table:
- Import/Export Table viewer;
- Import adder;
- Resource viewer/editor (save/replace ico/cur/bmp);
PE Scanner (PEiD sig database):
- 400 packers/protectors/compilers;
* Task viewer/dumper/killer;
* PEHeader/Binary file compare;
* RVA to RAW to RVA;
* Drag'nDrop shell menu integration;
* Basic HexEditor;
* Process region dumper/viewer;

Tool Updated: Radare

2010-03-04T17:37:43Z

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.5

Most recent release date:
December 13, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Updated: Hiew

2010-03-04T17:18:13Z

Listed in categories: Disassemblers, Hex Editors, PE Executable Editors

Most recent version:
8.10

Most recent release date:
February 24, 2010

Description:
* view and edit files of any length in text, hex, and decode modes
* x86-64 disassembler & assembler
* physical & logical drive view & edit
* support for NE, LE, LX, PE/PE32+ and little-endian ELF/ELF64 executable formats
* support for Netware Loadable Modules like NLM, DSK, LAN,...
* following direct call/jmp instructions in any executable file with one touch
* pattern search in disassembler
* built-in simple 64bit decrypt/crypt system
* built-in powerful 64bit calculator
* block operations: read, write, fill, copy, move, insert, delete, crypt
* multifile search and replace
* keyboard macros
* unicode support
* Hiew Extrenal Module (HEM) support
* ArmV6 disassembler

Tool Updated: DynamoRIO

2010-02-09T18:12:27Z

Listed in categories: Code Coverage Tools, Code Injection Tools, Debugger Libraries, Disassembler Libraries, Profiler Tools

Most recent version:
1.50.0.1

Most recent release date:
December 29, 2009

Description:
DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows or Linux) and commodity IA-32 and AMD64 hardware.

Previous description:

The DynamoRIO Collaboration - Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science.

The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications.

The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract:

In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees.

Tool Updated: ERESI Framework

2010-02-06T10:30:34Z

Listed in categories: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers

Most recent version:
0.82b2

Most recent release date:
September 13, 2009

Description:
The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.

Tool Updated: Marxio File Checksum Verifier

2010-01-09T20:38:07Z

Listed in categories: Executable CRC Calculators

Most recent version:
1.6.2

Most recent release date:
December 29, 2009

Description:
Portable file checksum verifier that allows you to calculate many file checksums (hashes) and compare them with original one. Thanks to its simplicity and portability, it aims to be a portable, versatile and "must have" tool for dealing with single files and their checksums - to calculate, compare and verify them.

Marxio FCV supports major checksum types:
- CRC32,
- MD4,
- MD5,
- SHA1,
- SHA-256,
- SHA-384,
- SHA-512,
- RIPEMD-128,
- RIPEMD-160,
- HAVAL 256,
- TIGER 192.

"Drag and drop" function - all you need to to is to drag a file from Windows Explorer onto the form to calculate selected checksum type.

Context menu - optional integration with Explorer context menu with Your custom text and defined selected checksum to calculate

Compare checksums - with other selected checksum.

Large files support - with size over 32 GB.

Very fast - calculate 4 GB large DVD file/image in 2 minutes using md5 algorithm.

Portable version - one-file program, just one executable file.

Interface - simple, eye friendly with mini-form available.

Keyboard shortcuts - as much handy shortcuts as possible, even for copy and paste checksum from clipboard

Save checksum to file - checksum and filename.

History - save all calculated checksums to file.

Additional settings - stay-on-top, save windows position and last used checksum type, show mini-form, show hashes in upper or lowercase, break function, high contrast themes support, log file, snap to edge - all are configurable.

Frequent updates - new releases published even a week !

Vision difficulties - this application provides support for users with vision difficulties (vision impairment) - tries to respect Windows skins and color schemas.

Marxio FCV is a clean software. It does not contain any adverts. It does not integrate with Windows (unless user requested) and does not install any additional software nor it has spying mechanisms.

If you haven't found the function in this tool you looked for, I can develop it.

Note,
Marxio FCV target is to quickly calculate and verify ONE file and one checksum, not more. It's not any limit but this application works this way. Other application is being developed for calculating more files.

Tool Updated: CodeDoctor

2009-11-12T16:24:49Z

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
<nowiki>CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations, when program jumps here and there and here and there... When
it encounters some instruction, that can't be followed, it stop and copies
all parsed instruction to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - dtto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B

Tool Updated: CFF Explorer

2009-11-10T18:26:13Z

Listed in categories: .NET Executable Editors, PE Executable Editors

Most recent version:
7.4.0.1

Most recent release date:
November 10, 2009

Description:
The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!

Tool Updated: ReloX

2009-08-23T21:48:22Z

Listed in categories: Relocation Tools

Most recent version:
1.0

Most recent release date:
August 23, 2009

Description:
The only relocation tool worth its bytes. Perfect for that 'final step' in unpacking those pesky dynamic link libraries.

{ from included readme.txt }

ReloX v1.0 * by MackT/uCF2000 in 2003

Disclaimer:
-----------
This program may crash, or in a worse case it may even reboot your computer, so please use it with caution. (Do not run it 3 hours into an unsaved coding session for example)

I am *NOT* responsible for any damage caused by the use of it.

Purpose:
--------
ReloX is a Win32 relocations rebuilder. It will create a .reloc section from different
based images.

What does it need?
------------------
- At least 2 different based images of a module. The more you have images, the more
your relocations will be reliable.

How does it work?
-----------------
1) - Select the first based image with the "..." button on the "Original" line.

The imagebase will be put automatically. If it is not right, modify it.

2) - Select the second based image with the "..." button on the "Compare to" line.

The imagebase will be put automatically. If it is not right, modify it.

3) - Click on "Select Sections" to select all sections which contain code for
comparison (default is all).

4) - Click on "Compare" to start comparison between the modules.

The result will be in the list control.

5) - If you have other based images, redo the same thing from 2) for all of them

6) - Click on "Fix PE Module" to select a pe file and fix with the new ".reloc" section.

(no backup needed just like ImpREC(tm))

Limitations
-----------
- It will only support 32 bits relocations of type (3).
(IMAGE_REL_BASED_HIGHLOW : The fixup applies the delta to the 32-bit field at Offset)

Thanks to
---------
Muffin and Snacker for testing.

Greetings to
------------
Michelle Branch, Jackie Chan and Jet Li.

Tool Updated: Explorer Suite

2009-08-19T15:45:19Z

Listed in categories: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors

Most recent version:
III

Most recent release date:
August 19, 2009

Description:
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Tool Updated: Dotnet IL Editor (DILE)

2009-08-09T13:13:28Z

Listed in categories: .NET Debuggers, .NET Disassemblers, .NET Executable Editors

Most recent version:
0.2.6

Most recent release date:
September 30, 2007

Description:
Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.

Tool Updated: IDA Inject

2009-07-19T05:01:34Z

Listed in categories: Code Injection Tools, IDA Extensions

Most recent version:
1.0.3

Most recent release date:
July 18, 2008

Description:
This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.

Tool Updated: Detours

2009-07-18T21:01:22Z

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:
2.1.216

Most recent release date:
November 10, 2008

Description:
Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

Tool Added: Code Snippet Creator (Iczelion)

2009-06-17T11:54:13Z

Listed in categories: Code Injection Tools, Code Snippet Creators

Most recent version:
1.05 (build 2)

Most recent release date:
January 13, 2001

Description:
Code Snippet Creator is designed specifically for advanced crackers/assembly programmers who want to create custom code snippets in assembly language.

The features of this utility:
· Can generate code snippets and save them as binary files
· Support both TASM and MASM
· Provide simple integrated PE editor to edit the target file you want to patch
· Can patch the code snippet into a target PE file both as a new section and as an addition to an existing section (or PE header)
· You can use ANY functions that the target imports in your snippet! This utility will fix the calls for you.