Collaborative RCE Tool Library - RCE Tools (including sub-categories)

Tool Updated: HookShark

2010-09-02T17:57:06Z

Listed in categories: Usermode Hook Detection Tools

Most recent version:
BETA 0.9

Most recent release date:
September 1, 2010

Description:
HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user.

Currently implemented hook detection:

* - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches)
* - Other custom patches [...]
* - VTable Hooks
* - IAT and EAT Hooks
* - Relocation Hooks
* - Hardware Breakpoints
* - PAGE_GAURD Candidates

FAQ

Why is IAT-Scanning / Hook-Scanning so slow? There are faster tools.
=====================================================================

That's because other tools suck. They just walk the IAT Entrys and look for addresses that are out of the module bounds. Thats bollocks. The callback function of the hook, or a redirection (JMP) could be planted well within the module bounds, and there you have a stealth IAT Hook, which HookShark recognizes as "IAT - Local".
And HookShark scans EVERY IAT-Table of EVERY Module. Unlike some other tools, which just examine the main process module.

And HookShark does not only check for hooks in exported/known functions. No, byte by byte of disk/memory image is compared, and even one-byte-patches are revealed. That is only for read-only code-sections though.

What the hell is all that crap? So many patches WTF?
======================================================

HookShark looks for differences between the disk image and the scanned memory. There might be cases where you are just looking at a packed module. To counter these false positives, there is an option to filter patches, which are bigger than n-bytes. (Look in the GlobalOptions Tab)

Sometimes after i scanned a process and want to scan another one and it crashes.
=================================================================================

Yeah, i hate when that happens. I have no idea why. If i get my lazy ass on the debugger i try to check it out. Until then, just restart HookShark.

The mnemonics of patched instructions are wrongly displayed.
============================================================

That's because HookShark just cant do a thorough analysis like IDA does for every module in this short time-span. The alignment of instructions is guessed and heuristically computed.

Tool Updated: Keygener Assistant

2010-08-28T00:41:06Z

Listed in categories: Crypto Tools

Most recent version:
Keygener Assistant v1.5

Most recent release date:
August 25, 2010

Description:

Descreption :
-------------
Keygener Assistant is a Full tool that combines several functions
to facilitate the task and save time during the analysis of an algorithm

-------------------------------------------------------------------------

Operations :
------------

+ BigNumbers Calculator
+ Conversion & Encoding
+ Hashing & CheckSum Calculator
+ Cryptography Operations
+ Hash & Crypto detector
+ System Information & System outils

Functions :
-----------

Encoding :
---------------------------------
Base2 Encode (String to Binary)
Base2 Decode (Binary to String)
Base10 Encode (String to Decimal)
Base10 Decode (Decimal to String)
Base16 Encode (String to Hex)
Base16 Decode (Hex to String)
Base32 Encode (String to Base32)
Base32 Decode (Base32 to String)
Base64 Encode (String to Base64)
Base64 Decode (Base64 to String)
--------------------------------

CheckSums :
--------------------------------
Adler32
CRC-5
CRC-8
CRC8/Dallas-1-Wire
CRC-8/I-CODE
CRC-11
CRC-15
CRC-16
CRC-16/ATOM
CRC-16/AUG-2-CITT
CRC-16/AUG-CITT
CRC-16/BT-CHIP
CRC-16/BUYPASS
CRC-16/CITT
CRC-16/DNP
CRC-16/I-CODE
CRC-16/MCRF4XX
CRC-16/USB
CRC-16/KERMIT
CRC-16/MODBUS
CRC-16/R
CRC-16/X-25
CRC-16/X-KERMIT
CRC-16/ZMODEM'
CRC24/PGP
CRC-24/FLEXRAY-A
CRC-24/FLEXRAY-B
CRC32
CRC32b
CRC32/C
CRC-32/POSIX
CRC-32/JAMCRC
CRC-32/XFER
CRC64
XOR-16
XOR-32
--------------------------------

Hashes :
--------------------------------
eDonkey/eMule
GOST
MD2
MD4
MD5
Haval-128 (Rounds 3/4/5)
Haval-160 (Rounds 3/4/5)
Haval-192 (Rounds 3/4/5)
Haval-224 (Rounds 3/4/5)
Haval-256 (Rounds 3/4/5)
Tiger-128 (Rounds 3/4/5)
Tiger-160 (Rounds 3/4/5)
Tiger-192 (Rounds 3/4/5)
Tiger-192
Panama
RIPEMD-128
RIPEMD-160
RIPEMD-256
RIPEMD-320
Sapphire II-128
Sapphire II-160
Sapphire II-192
Sapphire II-224
Sapphire II-256
Sapphire II-288
Sapphire II-320
Snefru-128
Snefru-256
Square
SHA-0
SHA-1
SAH-224
SAH-256
SAH-384
SAH-512
Whirlpool 0
Whirlpool 1
Whirlpool 512
--------------------------------

Symmetric Crypto :
--------------------------------
1Des
3Des
Blowfish
IDEA
ICE
ICE2
Thin ICE
Misty1
RC2
RC4
RC5
RC6
Tea
xTea
xxTea
Skipjack
Cast 128
Cast 256
Mars
Serpent
Rijndael
TwoFish
--------------------------------

Asymmetric Crypto :
--------------------------------
RSA
ElGamal
--------------------------------

What's New in This Release:
-------------------------------------------------------------------------

Added File Hashing Function
Added more base converting for RSA & Elgamal
Added automatic converting between bases in BigNumbers Calculator
Added the ability to choose between several skins
Update Conversion & Encoding Function
Updated ElGamal Encrypt/Decrypt
Updated Hash & Crypto detector
Updated System Information
Various fixed crashes, and bugs.

-------------------------------------------------------------------------

Tool Updated: WinAppDbg (Python module)

2010-08-24T13:04:26Z

Listed in categories: Debugger Libraries, Debuggers, Ring 3 Debuggers

Most recent version:
1.4

Most recent release date:
August 24, 2010

Description:
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for this purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.

Tool Updated: IDA Stealth

2010-08-23T21:32:22Z

Listed in categories: IDA Extensions, Tool Hiding Tools

Most recent version:
1.3.1

Most recent release date:
August 23, 2010

Description:
IDAStealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.

Tool Added: JWasm

2010-08-20T21:36:39Z

Listed in categories: Assemblers

Most recent version:
2.03b

Most recent release date:
August 8, 2010

Description:
JWasm is a free MASM-compatible assembler with these features:

* native support for output formats Intel OMF, MS Coff (32- and 64-bit), Elf (32-and 64-bit), Bin and DOS MZ.
* precompiled JWasm binaries are available for DOS, Windows and Linux. For OS/2 and FreeBSD, makefiles are supplied.
* Instructions up to SSE4.2 are supported.
* JWasm is written in C. The source is portable and has successfully been tested with Open Watcom, MS VC, GCC and more.
* As far as programming for Windows is concerned, JWasm can be used with both Win32Inc and Masm32. Since v2.01, it will also work with Sven B. Schreiber's ancient WALK32.
* C header files can be converted to include files for JWasm with h2incX.
* JWasm's source code is released under the Sybase Open Watcom Public License, which allows free commercial and non-commercial use.

Tool Added: DotNetasploit

2010-08-17T01:40:27Z

Listed in categories: .NET Code Injection Tools

Most recent version:
2.5

Most recent release date:
August 2010

Description:
DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.

Tool Updated: IceStealth

2010-07-31T19:15:51Z

Listed in categories: SoftICE Extensions, Tool Hiding Tools

Most recent version:
1.72

Most recent release date:
July 31, 2010

Description:
IceStealth is a SoftICE hiding tool, that should protect from:

CreateFileA, CreateFileW, NtCreateFile, also nmtrans.dll wont find SoftICE with these methods
NtQueryDirectoryObject
NtQueryObject
OpenServiceA, OpenServiceW, EnumServicesStatusA,EnumServicesStatusW,EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM Protection
BPM Protection
NtQuerySystemInformation
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Tool Added: Jsunpack

2010-07-25T23:06:39Z

Listed in categories: Javascript Unpackers

Most recent version:
0.3.2c

Most recent release date:
June 2, 2010

Description:
A Generic JavaScript Unpacker.

jsunpack emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities.

It accepts many different types of input:

* PDF files - samples/sample-pdf.file
* Packet Captures - samples/sample-http-exploit.pcap
* HTML files
* JavaScript files
* SWF files

Tool Added: Unsign

2010-07-19T19:30:26Z

Listed in categories: IPhone Tools, Needs New Category

Most recent version:

Most recent release date:
July 18, 2010

Description:
Remove code signing from Mach-O and Universal Binary files.

This program removes the LC_CODE_SIGNATURE load command and
zeroes out the signature in the __LINKEDIT section.

----

This needs the new category Apple / Mac / OS X or similar (iPhone is a specialized OS X version).

Tool Added: .NET Methods Parser

2010-07-18T22:27:24Z

Listed in categories: .NET Deobfuscation Tools

Most recent version:
0.2

Most recent release date:
July 19, 2010

Description:
A simple tool to analyze the "Methods" metadata table.
It has a good error and invalid data handling code so it will open most weird files.

Tool Updated: FUU (Faster Universal Unpacker)

2010-07-18T22:22:18Z

Listed in categories: Unpacking Tools

Most recent version:
0.1.1b

Most recent release date:
July 14, 2010

Description:
FUU (Faster Universal Unpacker) is a GUI Windows Tool with a set of tools (plugins) to help you to unpack, decompress and decrypt most of the programs packed, compressed or encrypted with the very well knowns software protection programs like UPX, ASPack, FSG, ACProtect, etc.

The GUI was designed using RadASM and MASM. Every plugin included in the official release was written in ASM using MASM.

The core of every plugin use TitanEngine SDK from ReversingLabs under the hood, this help to the developer to write plugins very easy and very fast without the need to worry about some repetitive and boring functions like dump, fix the iat, add sections, etc. You can develop a plugin for FUU in a very easy way using TitanEngine.

Also, FUU include some extra tools like:

* Generic OEP Finder
* Cryto Signature Detector
* Generic Unpacker
* Signatures Detector (by marcianito at gmail dot com)

Generic OEP Finder, Cryto Signature Detector and Generic Unpacker are from PEiD's team.

FUU (Faster Universal Unpacker) is a GUI Windows Tool with a set of tools (plugins) to help you to unpack, decompress and decrypt most of the programs packed, compressed or encrypted with the very well knowns software protection programs like UPX, ASPack, FSG, ACProtect, etc.

Version 0.1 Beta

Plugins
UPX Unpacker for UPX v1.x - 3.x (DLL and EXE - x86)
BeRoExEPacker Unpacker (EXE - x86)
FSG Unpacker for v1.x - 2.x (EXE - x86)
ASPack Unpacker for ASPack 2.x (EXE - x86)

Tools
Generic OEP Finder (GenOEP.dll)
Crytp Signatures Detector (kanal.dll)
Generic Unpacker

Tool Added: Pokas x86 Emulator for Generic Unpacking

2010-07-18T16:32:01Z

Listed in categories: Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators, X86 Sandboxes

Most recent version:
1.0.0.0

Most recent release date:
July 18, 2010

Description:
Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.

It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

But it does contain bugs and it still in the beta version. It surely will be fixed soon ith the help of your feedback.

It still doesn't support multithreading and doesn't support Linux ELF executables.
It's still working only on windows but the Linux version will be available soon.

you can download it from https://sourceforge.net/projects/x86emu/

AmrThabet
amr.thabet_*at*_student.alx.edu.eg

Tool Added: Javassist

2010-07-13T19:33:16Z

Listed in categories: Java Code Injection Tools, Java Executable Editors & Patchers

Most recent version:
3.12.0.GA

Most recent release date:
April 16, 2010

Description:
Javassist (Java Programming Assistant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If the users use the source-level API, they can edit a class file without knowledge of the specifications of the Java bytecode. The whole API is designed with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows the users to directly edit a class file as other editors.

Aspect Oriented Programming: Javassist can be a good tool for adding new methods into a class and for inserting before/after/around advice at the both caller and callee sides.

Reflection: One of applications of Javassist is runtime reflection; Javassist enables Java programs to use a metaobject that controls method calls on base-level objects. No specialized compiler or virtual machine are needed.

Tool Updated: Java Decompiler

2010-07-13T19:23:49Z

Listed in categories: Java Decompilers

Most recent version:
0.3.2

Most recent release date:
March 20, 2010

Description:
The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions.

JD-Core is a freeware library that reconstructs Java source code from one or more “.class” files. JD-Core may be used to recover lost source code and explore the source of Java runtime libraries. New features of Java 5, such as annotations, generics or type “enum”, are supported. JD-GUI and JD-Eclipse include JD-Core library.

JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.

JD-Eclipse is a plug-in for the Eclipse platform. It allows you to display all the Java sources during your debugging process, even if you do not have them all.

JD-Core, JD-GUI and JD-Eclipse are free for non-commercial use. This means that JD-Core, JD-GUI and JD-Eclipse shall not be included or embedded into commercial software products. Nevertheless, these projects may be freely used for personal needs in a commercial or non-commercial environments.

Tool Updated: WinApiOverride

2010-07-13T18:55:31Z

Listed in categories: .NET Tracers, API Monitoring Tools, COM Monitoring Tools

Most recent version:
5.4.4

Most recent release date:
July 7, 2010

Description:
WinAPIOverride32 is an advanced api monitoring software.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- Double and float results are logged
- Preserve registers, floating stack and LastError
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- All is is done like modules : you can log or override independently for any function

Tool Updated: Quick Unpack

2010-07-10T18:22:38Z

Listed in categories: Automated Unpackers

Most recent version:
2.2

Most recent release date:
July 14, 2009

Description:
The program is intended for fast (in a few seconds) unpacking of packers and simple protectors.

Quick Unpack tries to bypass all possible scramblers/obfuscators and restores redirected import. From the version 1.0 the opportunity of unpacking dll is added. From the version 2.0 the attach process feature added which allows to use Quick Unpack as a dumper and import recoverer. Scripts are also supported from version 2.0 which allows unpacking of more complicated protections. This makes Quick Unpack a unique software product which has no similar analogues in the world!

Use force unpacking tick. When the application is run QuickUnpack waits for the OEP breakpoint to trigger. But sometimes this breakpoint may be triggered several times but only the last one is the correct OEP. Using ForceMode option solves this problem. With this option after the application is run QuickUnpack counts breapoint hits and dumps the application only at the last stop. For DLL-files this option is always ticked and allows to restore relocs.

Tool Updated: LordPE

2010-06-29T01:09:27Z

Listed in categories: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers

Most recent version:
1.41 (Deluxe b)

Most recent release date:
September 30, 2009

Description:
LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Tool Updated: OfficeMalScanner

2010-06-17T09:51:08Z

Listed in categories: Code Ripping Tools, Data Search and Extraction Tools

Most recent version:
v0.51

Most recent release date:
February 5, 2010

Description:
OfficeMalScanner v0.51 is a Ms Office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. Found files are being extracted to disk. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis. The "inflate" feature extracts Ms Office 2007 documents into a directory and marks potentially malicious files. Also included in this package is a tool called MalHost-Setup, some kind of MS Office runtime emulation environment to debug shellcode in malicious documents in realtime.

Tool Updated: DotNET Tracer

2010-06-13T12:52:02Z

Listed in categories: .NET Tracers

Most recent version:
0.9

Most recent release date:
May 15, 2010

Description:
This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

I hope it's useful and as always bug reports are welcome.

Tool Added: Patchdiff2

2010-06-10T15:58:02Z

Listed in categories: Diff Tools, Executable Diff Tools, IDA Extensions

Most recent version:
2.0.8

Most recent release date:
June 10, 2010

Description:
PatchDiff2 is a plugin for the Windows version of the IDA dissassembler that can analyze two IDB files and find the differences between both. PatchDiff2 is free and fully integrates with the latest version of IDA (5.6). The plugin can perform the following tasks:

- Display the list of identical functions
- Display the list of matched functions
- Display the list of unmatched functions (with the CRC)
- Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs. Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32 bit and a 64 bit.