Collaborative RCE Tool Library - Tracers (including sub-categories)

Tool Updated: Radare

Wed, 04 Nov 2009 09:18:47 GMT

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.4.1

Most recent release date:
November 3, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Added: TR

Sun, 30 Aug 2009 23:08:03 GMT

Listed in categories: 16 bit and DOS Tracers

Most recent version:
2.52

Most recent release date:
November 30, 1998

Description:
Advanced tracer for 16 bit x86 code (DOS programs).

From readme:

If you have used DEBUG, SYMDEB, TD (Turbo Debugger), CV (CodeView) or SoftICE, you should try TR which has more powerful functions than debuggers mentioned above.

TR(tracer) is a debugger based on the CPU simulation technology.

The main features are:

1. Interpret Mode

=================

TR runs a program by interpreting its code just like a REAL Intel CPU

would, step by step. TR understands every CPU opcode and will give the

correct result, without INT1, INT3, DR0-DR8, or protected mode.

Theoretically, TR will never be found by any program which is

traced, and you can never find a program which can't be traced :-)

Traditional debuggers or tracers have too many shortages:

(1) Using INT1 and the Trap Flag

Because they use INT1 and TF to step the program, so it's easy

to cheat and detect it!

(2) Using INT3

These debuggers insert INT3(CCh) into the program's code after every

instruction. If the program destroys the INT3 vector or tests

itself, the tracer would not work well :-(

(3) SoftICE doesn't use above two methods, but uses 386 hardware

interrupts instead. SoftICE is very strong but so easy to be

found :(

Overall, traditional debuggers & tracers trace the program using standard

tracing methods which can be found in INTEL's CPU manual. They could

only trace those programs which haven't any anti-debug code. If the

program won't cooperate, they all cannot work well :-( But TR will

trace all the programs that the CPU can deal with, even another TR

session.

On the other hand, traditional debuggers or tracers simply insert a

breakpoint into the program and wait until they catch the control back.

They don't know whether they will get control back or what the program

intends to do. TR runs the program in interpret mode, it controls all

things absolutely. Just because of that, TR can set more and more

complex breakpoints.

Interpret Run is the main difference between TR and all other

debuggers, and this is also why TR has a higher performance.

2.Batch File

============

Although batch is not a new word to you, you can find no one using it

in a debugger. In TR, you can put all your commands in a text file and

use it just like you execute a DOS batch file. TR as well has a special

batch file named "AUTORUN.TR". Just like its name, this file can be

executed automatically every time you start TR.

3.Magic Offset

==============

Everyone is used to the "G 100" command which means run and stop at

address CS:100. In general, debuggers do it like this: insert a

breakpoint(INT3/CC) at CS:100 and GO the program. When the CPU meets

the INT3, the program will be stopped. So, the debuggers can only set a

breakpoint at current CS and offset 100. But not TR! TR can stop the

program at every offset 100! What does this mean? It means when IP=100,

the program will be stopped! We call this Magic Offset. Hmm, what's the

use? Too many! Think by yourself :-) One simplest and direct usage is

use "G 100" you can *UNPACK* all .COM files!

4.Assembly Language Command

===========================

It's a good idea that you can use ASM opcode in your debug environment.

You can accomplish your wish in TR! You may use either "R AX 001A" or

"MOV AX, 001A". Both do the same thing. Remember, all assembly opcode

can be used in TR, e.g. "CLI", "MOV [WORD 1234], 4567", "IN AL,21"...

5.Add Comments During Tracing

=============================

"CALL 7FDE" is not good compared to "CALL OPEN_FILE". But most tracers

must face such opcodes. Even if you have known what the procedure

would do, you could only write it down on paper. Now TR can write

your comments directly into the program and saved them into another file

automatically. From now on all programs are easy for understand. TR will

as well display comments for most INT21 function calls automatically for

you.

6.Automatic Jump

================

Many protectors use lots of JMP codes to make the decryptor of their

protection unreadable. In most situations, you can only see some JMPs in

the code window. At the target address, in general, you can't see the

correct disassemble opcode because the protect programs likely insert

some DATA in front of that address, so, it's difficult to understand

these programs. With the Automatic Jump feature, TR displays the correct

code at the JMP address in code window instead of displaying a "JMP

xxxx". This way you can see the correct codes sequence but not lots of

jumps: the code is easy to read!

7.Log

=====

TR could save all CS:IP on interpret-run. This makes it possible to

analyse the program easily. If the program exits with an error, you can

find the problem by backtracing your LOG. Command 'LOGPRO' can get all

the key opcode program run. The program will have no secret after you

LOG it. Refer to the commands LOG, LOGS, VLOG and LOGPRO.

8.Write EXE file from memory

============================

You can find many universal unpackers on the net, but what would you do

if they tell you "I can't unpack it"? Unpack functions should be in

debuggers. TR's MKEXE function let you make EXE file easy!

9.Various Complex breakpoints, One-time breakpoints

===================================================

All other debuggers' breakpoints are what INTEL prepared. They cannot

fit the need of modern trace technology. TR has many revolutionary

breakpoints:

(1) BP conditions

Conditional break-point. ex.:

BP IP>4000

BP ah=2 dl=80 ch>30

(2) BPINT intnum [conditions]

Interrupt break-point.

(3) BPXB bytes [conditions]

Break-point if ??? code is encountered. For example, "MOV AX,????"

is assembled in HEX "B8????", so you can use

BPXB b8

to break on all "mov ax,????" opcodes. Other examples:

BPXB cd ;all interrupt

BPXB 33 c0 ;xor ax,ax

(4) BPREG REG''

Tool Updated: WinApiOverride

Sun, 19 Jul 2009 05:08:24 GMT

Listed in categories: .NET Tracers, API Monitoring Tools, COM Monitoring Tools

Most recent version:
5.1.11

Most recent release date:
July 18, 2009

Description:
WinAPIOverride32 is an advanced api monitoring software.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- Double and float results are logged
- Preserve registers, floating stack and LastError
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- All is is done like modules : you can log or override independently for any function

Tool Updated: DotNET Tracer

Wed, 17 Jun 2009 00:27:47 GMT

Listed in categories: .NET Tracers

Most recent version:
0.6

Most recent release date:
June 15, 2009

Description:
This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

I hope it's useful and as always bug reports are welcome.

Tool Added: XTracer

Wed, 17 Jun 2009 00:08:44 GMT

Listed in categories: OEP Finders, Tracers

Most recent version:
1.0

Most recent release date:
May 25, 2009

Description:
xtracer is TLB memory tracer. It tries to locate first break in code section of traced process using split TLB which is available in intel architecture.
This code can be used to locate OEP of traced process easily. Currently only 1st break is reported, but you may modify code to handle more breaks as that's not a problem at all if you go trough ring3 program which actually controls driver. You may expect to get very good and fast results no matter which protection you are tracing. Time needed to locate OEP is equal to the time needed to execute protection layer without debugger, nor any tracer.

I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool released under GPL 3.0).

Code can be customized to handle various scenarios. Eg. add more breaks on code sections, hooking more some native calls to keep control of almost every allocated buffers, but that's up to the user to implement if he needs it.

To use this code simply type:

xtracer.exe <applicaton to trace>

wait a little bit. Also note that you must have internet connection as code is using my SymbolFinder class to locate some symbols from ntoskrnl.exe which makes this code compatible with windows versions from win2k to Vista SP1.

Tool Updated: Generic tracer

Mon, 25 May 2009 23:44:23 GMT

Listed in categories: API Monitoring Tools, Monitoring Tools, Tracers

Most recent version:
0.1

Most recent release date:
May 24, 2009

Description:
generic tracer - extremely simple win32 tracer

* Main features:

1) Setting breakpoint at any function, monitoring its arguments and return value.
2) Monitoring global variables access.

In a way, it is a kind strace utility.

Significant differences vs strace are:

1) gt is Win32 only.
2) Breakpoints not just system calls, but any function.
3) Only 4 breakpoints, because of x86 architecture limitation.
4) Usage of Oracle .SYM files: ORACLE_HOME should be defined in environment.

Tool Updated: MSIL Dumper

Tue, 30 Dec 2008 00:04:33 GMT

Listed in categories: .NET MSIL Dumpers, .NET Tracers, Tracers

Most recent version:
0.4

Most recent release date:
December 12, 2008

Description:
The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799

Tool Updated: Conditional Branch Logger

Sun, 02 Nov 2008 04:56:19 GMT

Listed in categories: Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers

Most recent version:
1.0

Most recent release date:
June13, 2007

Description:
Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints.

Tool Updated: PIN

Thu, 24 Apr 2008 09:56:45 GMT

Listed in categories: Code Injection Tools, Profiler Tools, Tracers

Most recent version:
2.3 (rev 18525)

Most recent release date:
April 10, 2008

Description:
Pin is a tool for the dynamic instrumentation of programs. It supports Linux binary executables for Intel (R) Xscale (R), IA-32, IA-32E (64 bit x86), and Itanium (R) processors. It also allow instrumentation of Windows programs on IA-32 and Intel (R) 64 processors

Pin was designed to provide functionality similar to the popular ATOM toolkit for Compaq's Tru64 Unix on Alpha, i.e. arbitrary code (written in C or C++) can be injected at arbitrary places in the executable. Unlike Atom, Pin does not instrument an executable statically by rewriting it, but rather adds the code dynamically while the executable is running. This also makes it possible to attach Pin to an already running process.

Pin provides a rich API that abstracts away the underlying instruction set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template.

Tool Added: HBGary Inspector

Fri, 15 Feb 2008 22:04:53 GMT

Listed in categories: Code Coverage Tools, Memory Data Tracing Tools, Tracers

Most recent version:
2.0

Most recent release date:

Description:
HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing.

Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior.

HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the Reverse Engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation.

Tool Added: CFSearch

Fri, 15 Feb 2008 21:09:39 GMT

Listed in categories: Code Coverage Tools, Profiler Tools, Tracers

Most recent version:
1.0A

Most recent release date:
February 15, 2008

Description:
Extremely cool tracer tool that makes use of the "single step on branch", LBR ("last branch recording") features of current processors.

Not released yet, but we're awaiting it with great anticipation!

Tool Updated: Process Stalker

Tue, 12 Feb 2008 13:10:25 GMT

Listed in categories: Code Coverage Tools, Tracers

Most recent version:
1.1

Most recent release date:
July 13, 2005

Description:
Process Stalking is a term coined to describe the combined process of run-time profiling, state mapping and tracing. Consisting of a series of tools and scripts the goal of a successful stalk is to provide the reverse engineer with an intuitive visual interface to filtered, meaningful, run-time block-level trace data.

The Process Stalker suite is broken into three main components; an IDA Pro plug-in, a stand alone tracing tool and a series of Python scripts for instrumenting intermediary and GML graph files. The generated GML graph definitions were designed for usage with a freely available interactive graph visualization tool.

Data instrumentation is accomplished through a series of Python utilities built on top of a fully documented custom API. Binaries, source code and in-depth documentation are available in the bundled archive. An indepth article was written and released on OpenRCE.org detailing step by step usage of Process Stalker, the article is a good starting point for understanding the basics behind the tool set.

Manual:
http://pedram.redhive.com/process_stalking_manual/

API docs:
http://pedram.redhive.com/process_stalking_manual/ps_api_docs/

Tool Added: Float Tracer

Wed, 30 Jan 2008 13:44:57 GMT

Listed in categories: Tracers

Most recent version:
0.0.1

Most recent release date:
January 28, 2008

Description:
The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc.
It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers, and so on :)

Tool Updated: Dream of every reverser

Sun, 30 Dec 2007 00:53:54 GMT

Listed in categories: Technical PoC Tools, Tracers

Most recent version:
public

Most recent release date:
May 6, 2007

Description:
Engine used to perfrom stealth memory trace of a target.
Public version only supports tracing of the eip in certain
range. To compile source you will need DDK.

It supports MP and win2k/winxp. Systems running KAV are
not supported as KAV installs hook in SwapContext which
is essential for this tracer.

Technical aspects:
1. Hooks int 0e and int 01
2. Hooks SwapContext
3. Installs ProcessNotifyRoutine

Due to the nature of paged memory in r3, there are 2
ways of tracing: using U/S flag, and using P bit in
PTE. Both cases are handled and supports PAE and nonPAE
addressing modes. Role of SwapContext is to set breaks on
given range when traced process is about to execute.
Role of notify routine is to stop tracer if traced
program exits by any chance during tracing.

When good range is hit, tracer will automaticaly stop
and you will see in DebugView or DbgMon when EIP is in
good range.

Tool Added: Fenris

Fri, 07 Dec 2007 09:12:28 GMT

Listed in categories: Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers

Most recent version:
0.07-m2 build 3245

Most recent release date:
July 11, 2004

Description:
Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.

Tool Added: ERESI Framework

Thu, 06 Dec 2007 19:59:29 GMT

Listed in categories: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers

Most recent version:
0.8a23

Most recent release date:
November 30, 2007

Description:
The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.