Collaborative RCE Tool Library - Tool Extensions (including sub-categories)

Tool Updated: IDA Stealth

Sun, 15 Nov 2009 23:45:08 GMT

Listed in categories: IDA Extensions, Tool Hiding Tools

Most recent version:
1.1

Most recent release date:
November 15, 2009

Description:
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.

Tool Updated: CodeDoctor

Thu, 12 Nov 2009 16:24:49 GMT

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
<nowiki>CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations, when program jumps here and there and here and there... When
it encounters some instruction, that can't be followed, it stop and copies
all parsed instruction to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - dtto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B

Tool Updated: TurboDiff

Thu, 15 Oct 2009 14:25:10 GMT

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
1.01

Most recent release date:
October 14, 2009

Description:
Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

Tool Updated: Plugins Manager

Tue, 22 Sep 2009 03:09:33 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.2.0.0

Most recent release date:
September 20, 2009

Description:
A simple plugin for OllyDBG 1.10 to manage its other loaded plugins.

Features:
+ Ease of use:
Takes a simple double click to toggle the state of a plugin from Enabled to Disabled. The action can be also achieved
through a drop down menu.

+ Directly compatible with major OllyDBG customized editions:
Directly supported by OllyICE, OllySnD, OllyDRX, DeFixed ...
No need for any patching work (as long as OllyDBG.exe exists)

--------------------------------------------------------------

Tool Updated: SiDAg

Mon, 31 Aug 2009 16:01:12 GMT

Listed in categories: IDA Signature Creation Tools

Most recent version:
1.0

Most recent release date:
August 31, 2009

Description:
The is a GUI tool that helps beginners making IDA signatures from Obj files/ librarries and PAT files.

Tool Updated: IceStealth

Fri, 28 Aug 2009 01:41:26 GMT

Listed in categories: SoftICE Extensions, Tool Hiding Tools

Most recent version:
1.69

Most recent release date:
August 28, 2009

Description:
IceStealth is a SoftICE hiding tool, that should protect from:

CreateFileA, CreateFileW, NtCreateFile, also nmtrans.dll wont find SoftICE with these methods
NtQueryDirectoryObject
NtQueryObject
OpenServiceA, OpenServiceW, EnumServicesStatusA,EnumServicesStatusW,EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM Protection
BPM Protection
NtQuerySystemInformation
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Tool Updated: MemoryDump

Tue, 11 Aug 2009 10:19:47 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
0.9a

Most recent release date:
August 10, 2009

Description:
Plugin is intended to save/load bytes from momory dump window of the process in
various forms. In the dump window right click and select 'Memory Dump' in the popup menu
pick your choice.

Possible choices are:

- Load Dump
Allows to fill process' memory with data from a file. (Be sure what you are
doing, overwriting the process memory may cause you a lot of trouble.)

- Save Dump
Copies selected bytes from dump into a file.

- Clipboard(Text)
Copies selected bytes from dump into a clipboard (text only).

- Delphi/Pascal Table
Generates table of selected bytes which can be easily used in Delphi/Pascal

- C/C++ Table
Generates table of selected bytes which can be easily used in C/C++

- ASM Table
Generates table of selected bytes which can be easily used in Assembler
(MASM Tested)

- Visual Basic Table
Generates table of selected bytes which can be easily used in Visual Basic

- Range Dump (ALT+R)
Dumps Range of defined bytes by:

- Lenght : Tick End Address/Lenght
- End Address : Untick End Address/Lenght

Xor Dump With: Self-explanatory

Button with [<] symbol enters address of last byte clicked(not selected) in the dump,
it's more convenient than entering addresses manually.

- Xor Selection
Xors Selection and shows dumped data in Olly's window. This window cannot be used
for another byte manipulation with plugin because dump is created in your Win's
temporary folder and not in memory.

- Quick Dump (ALT+Q)
Allows quickly select and dump data, mark the start(SHIFT+1) and the end(SHIFT+2) of
the block in dump window, then just press (ALT+Q).

Tool Updated: FullDisasm

Sun, 02 Aug 2009 17:51:26 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
2.5

Most recent release date:
August 2, 2009

Description:
This plugin replaces the default OllyDbg disassembly routine with an engine which supports MMX, FPU, SSE, SSE2, SSE3, SSSE3, SSE4.1 and SSE4.2 instructions and undocumented instructions called "aliases". Displays processor support for these technologies. Allows disassembling globally or only on selected lines in Masm, Nasm ,GoAsm syntax and AT&T Syntax. Available as a plugin for OllyDbg or Immunity Debugger.

Tool Updated: IDA Inject

Sun, 19 Jul 2009 05:01:34 GMT

Listed in categories: Code Injection Tools, IDA Extensions

Most recent version:
1.0.3

Most recent release date:
July 18, 2008

Description:
This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.

Tool Updated: Hexer Plugin - Calculating the entropy of a file

Mon, 06 Jul 2009 00:34:39 GMT

Listed in categories: Entropy Analyzers, Hex Editors, Hexer Extensions

Most recent version:
1.4.0

Most recent release date:
July 1, 2008

Description:
I finally got around to write an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe.

You can download the source file of the plugin here. The archive contains the source file EntropyCalculator.java as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation.

At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer.

Afterwards the necessary methods of the IStatsPlugin plugin are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog. The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button.

That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle.

If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked.

Tool Updated: BinDiff

Sat, 13 Jun 2009 10:14:36 GMT

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
2.1

Most recent release date:
2009

Description:
A very powerful executable file diffing tool, in the form of an IDA Pro plugin.

Tool Added: IDAAPIHelp

Thu, 04 Jun 2009 20:13:26 GMT

Listed in categories: IDA Extensions

Most recent version:
0.3

Most recent release date:
October 17, 2006

Description:
IDAAPIHelp is a small IDAPython script, that saves time when searching for API Information while e.g. analyzing a malware with IDA Pro. It looks at cursor position for a valid api call and if found it tries to show you the eligible API Info from the provided helpfile.

Tool Added: MFC42Ord2FuncNames

Thu, 04 Jun 2009 20:09:38 GMT

Listed in categories: IDA Extensions

Most recent version:

Most recent release date:
June 03, 2007

Description:
MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions into its realnames. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details.

Tool Added: ClassAndInterfaceToNames

Thu, 04 Jun 2009 20:06:28 GMT

Listed in categories: IDA Extensions

Most recent version:

Most recent release date:
June 16, 2007

Description:
This small IDAPython script scans an idb file for class and interfaces UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me alot, while reversing several malwares using the COM interface, e.g. for browser or outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA

Tool Added: VtablesStructuresFromPSDK2003R2

Thu, 04 Jun 2009 20:03:55 GMT

Listed in categories: IDA Extensions

Most recent version:

Most recent release date:
July 16, 2007

Description:
This small IDAPython script includes all vtable structures that can be found in the files of the Microsoft PSDK 2003-R2. After running the script in IDA it adds these vtable structures to an IDB file. This will save time while reconstructing COM code.

Tool Updated: Class Informer

Sat, 25 Apr 2009 15:55:13 GMT

Listed in categories: COM Tools, IDA Extensions

Most recent version:
1.01

Most recent release date:
April 2, 2009

Description:
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read
easier as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

See also screenshot example of vftable info set by plug-in below.

Tool Updated: SnD Crypto Scanner (Olly/Immunity Plugin)

Mon, 30 Mar 2009 17:43:51 GMT

Listed in categories: Crypto Tools, OllyDbg Extensions

Most recent version:
0.5 (beta)

Most recent release date:
March 30, 2008

Description:
A scanner for crypto signatures as an Olly/Immunity Plugin:

(Following text from the forum thread)
Been coding this for a while and now kinda got bored with it so releasing it as a beta. Sure I'll go back to it again later... just need to do something else now.

Hopefully you will find this useful - the advantage of having it as a plugin means that breakpoints can easily be set where required, and signatures can be located quickly.

Setting Breakpoints:
The buttons try and use a little bit (not much :P) intelligence when setting breakpoints. In the data section, "hardware on access" or "memory access" breakpoints are set on the specific VA referenced. In the code section, a 'hardware on execution' breakpoint is set at the beginning of the disassembled line the referenced dword is on. Hope that makes a little sense :)

Limitations:
Signatures are either made up of dwords or byte sequences. This gives 2 main weaknesses:
- some algorithms use similar dwords, distinguishing between them is not always simple.
- the algorithm finds the first instance of a given dword in a signature. If you have code which has multiple algorithms which use some of the same dwords, the referenced VA will always point to the first instance in the file.

Without doing some in depth analysis, its impossible to determine which algorithm uses a specific instance of a dword. This tool is therefore only going to make analysis a little easier, not do it for you.

Future Development:
Currently the plugin uses the plugin API to get the current file name and then reads it into allocated memory. It does not read memory inside Olly. This means packed files will need to be unpacked and the unpacked instance debugged. In future I plan to give an option to either scan the file or memory (perhaps even a specified memory range).

If you have an idea for development, want to add signatures or just want to tell me how crap this is, please go for it :)

Tool Updated: OllyBkmrX

Sun, 29 Mar 2009 10:47:36 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.0.0.3

Most recent release date:
March 28, 2009

Description:
Ollydbg bookmarking plugin

Tool Updated: IDACompare

Fri, 06 Mar 2009 09:20:11 GMT

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
5.4

Most recent release date:
March 5, 2009

Description:
IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, it should also find good use when conducting patch analysis.

Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both.

Project also implements a signature scanner, letting you build your own listing of known functions.

Tool Added: AttachExtended

Wed, 04 Mar 2009 20:49:27 GMT

Listed in categories: OllyDbg Extensions

Most recent version:

Most recent release date:
March 4, 2009

Description:
This is a really small plugin that I have written for improving attach feature of OllyDbg.
With this plugin,you can attach to process by identifing its PID directly,not only selecting process list. In addition,you can find PID of process by dragging a small cursor on each window(This can be used on some protection which remove process from process list like GameGuard).

Please let me know about Bugs, and your suggestions for more process attaching options.