From Collaborative RCE Tool Library


New or Updated Items - RCE Tools (including sub-categories)


Tool Added: SyserStealth

At: 2019-07-14 00:19:22

Listed in categories: Tool Hiding Tools

Most recent version:

Most recent release date:
January 11, 2015

Older tool that never got released; I recently updated it a bit.

It might be too old now; the target was Windows XP.

Tool Updated: IceStealth

At: 2019-07-05 13:13:59

Listed in categories: SoftICE Extensions, Tool Hiding Tools

Most recent version:

Most recent release date:
July 7, 2019

IceStealth is a SoftICE hiding tool that should protect against the following detection methods:

CreateFileA, CreateFileW, NtCreateFile (nmtrans.dll also won't find SoftICE with these methods)
OpenServiceA, OpenServiceW, EnumServicesStatusA, EnumServicesStatusW, EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 options)
SEH BPM Protection
BPM Protection
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Also includes improvements to NTICE.

Tool Updated: BeaEngine

At: 2019-06-21 13:42:52

Listed in categories: X64 Disassembler Libraries, X86 Disassembler Libraries

Most recent version:

Most recent release date:
June 21, 2019

BeaEngine is a multi-platform library written in C (ISO C99). It contains a single function, "Disasm", which disassembles any instruction from the Intel instruction set for 32-bit and 64-bit processors. You can use this library from the following languages: C#, C, Python, Delphi, PureBasic, masm32, masm64, GoAsm32, GoAsm64, Nasm, Fasm, WinDev. You can use it in ring3 or ring0 because it doesn't use the Windows API. The package you can download here contains the library, the source code under the LGPLv3 license and examples, including headers for C, C#, masm, nasm, fasm, GoAsm, Python, Delphi, PureBasic and WinDev programmers.

Tool Updated: REDasm

At: 2019-05-23 22:12:06

Listed in categories: Disassemblers, Linux Disassemblers, Visual Basic Decompilers

Most recent version:

Most recent release date:
May 23, 2019

REDasm is an interactive, multiarchitecture disassembler written in modern C++11 using Qt5 as UI Framework.
Its core is modular and it can be easily extended in order to support new file formats and instruction sets.
You can hack and improve REDasm without any issues and limitations.

Runs on Windows and Linux.

Tool Updated: ExeInfo PE

At: 2019-05-16 20:29:25

Listed in categories: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers

Most recent version: (1040 / 76 x64 signatures)

Most recent release date:
February 9, 2019

Good detector for packers, compressors and compilers, with unpack info and internal exe tools.
Internal ripper for zip, rar, Flash swf, cab, msi, bzip,
GFX: bmp/jpg/png/gif,
Colored disassembler,
Delphi form viewer,
Zlib unpacker v1.2.8,
.NET exe info,
Send sha256 to
Internal detector for non-executable files.
Included EXTERNAL: userDB.txt - 4524 signatures.
Included: Ext_detector - v5.2.0 (490 non-exe signatures)
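The packer, compiler and non-executable detection that ExeInfo PE performs with userDB.txt and Ext_detector is signature matching: a database of byte patterns with wildcards, tested at the entry point or anywhere in the file. The following is an added Python example, not code from ExeInfo PE, and assumes the PEiD-compatible userdb layout ([name] / signature = / ep_only =) that such external databases commonly use; the two database entries and the byte buffers are constructed for the example and are not real packer signatures.

```python
"""PEiD-style userdb signature matching against entry-point bytes (illustrative)."""

# Constructed sample database in the PEiD userdb layout. Names and byte patterns are
# invented for this example; they are NOT entries from ExeInfo PE's userDB.txt.
SAMPLE_DB = """
; comment lines start with a semicolon
[Hypothetical Packer A 1.0]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Hypothetical Crypter B]
signature = 55 8B EC 83 C4 ?? E8 ?? ?? ?? ?? 5D
ep_only = false
"""


def parse_userdb(text):
    """Return entries as dicts: name, pattern (list of int, or None for a '??' wildcard), ep_only."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": True}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "signature":
                cur["pattern"] = [None if tok.startswith("?") else int(tok, 16) for tok in value.split()]
            elif key == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    return entries


def match_at(buf, offset, pattern):
    """True when every non-wildcard pattern byte equals buf[offset + i]."""
    if offset < 0 or offset + len(pattern) > len(buf):
        return False
    return all(p is None or buf[offset + i] == p for i, p in enumerate(pattern))


def identify(buf, entries):
    """ep_only entries must match at offset 0 (buf is taken from the entry point);
    the others may match anywhere in buf (the whole file or a section)."""
    hits = []
    for e in entries:
        pat = e["pattern"]
        if not pat:
            continue
        if e["ep_only"]:
            found = match_at(buf, 0, pat)
        else:
            found = any(match_at(buf, off, pat) for off in range(len(buf) - len(pat) + 1))
        if found:
            hits.append(e["name"])
    return hits


if __name__ == "__main__":
    db = parse_userdb(SAMPLE_DB)
    ep = bytes.fromhex("60be001040008dbe00f0ffff5783cdff") + b"\x90" * 8   # constructed EP bytes
    print(identify(ep, db))
```

Wildcards are what make such databases tolerant of relocated addresses (the `?? ?? ?? ??` after `BE` and `8D BE` stand for immediates that differ per binary); the ep_only flag is what keeps a pattern that happens to appear in data from being reported as the packer.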

Tool Updated: PPEE (puppy)

At: 2018-08-18 12:15:31

Listed in categories: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders

Most recent version:

Most recent release date:
August 17, 2018

This is a professional PE file explorer that lets you dig into all data directories available in a PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate (relies on the Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
Two companion plugins are also provided: FileInfo, to query the file in the well-known malware repositories and get one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on; and YaraPlugin, to test YARA rules against the opened file.

Puppy is robust against malformed and crafted PE files, which makes it handy for reversers, malware researchers and anyone who wants to inspect PE files in more detail.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!


Both PE32 and PE64 support
Run YARA rules against the opened file
Virustotal and OPSWAT's Metadefender query report
Statically analyze Windows native and .NET executables
Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
Parse Rich Header
Edit almost every data structure
Easily dump sections, resources and .NET assembly directories
Entropy and MD5 calculation of the sections and resource items
View strings including URL, Registry, Suspicious, ... embedded in files
Resolve ordinal to name in imported APIs
Detect common resource types
Extract artifacts left behind in the PE file
Anomaly detection
Right-click for Copy, Search in web, Whois and dump
Built in hex editor
Explorer context menu integration
Descriptive information for data members
Refresh, Save and Save as menu commands
Drag and drop support
List view columns can sort data in an appropriate way
Open file from command line
Checksum validation
Plugin enabled

Feel free to use it ;)

Tool Updated: XVolkolak

At: 2018-07-13 08:30:34

Listed in categories: Automated Unpackers, Exe Analyzers, Packer Identifiers, Unpacking Tools, X86 Emulators, X86 Sandboxes

Most recent version:

Most recent release date:
July 12, 2018

Xvolkolak is an unpacker emulator.
Unlike other programs of this type, it does not use the debug API or other features of the operating system. Everything is emulated. You can safely unpack malware for further investigation without the risk of damaging the system.
No machine instructions are executed on the real processor, so unpacking works regardless of the host processor type and operating system.
It is possible to unpack 64-bit files on 32-bit operating systems.
This build emulates the Intel x86 and AMD64 processors.
It supports unpacking 32- and 64-bit Windows executable files.

Due to its capabilities, with the correct manual settings, the program engine can be used to unpack almost any packer/protector.
However, this version of the program works in a fully automatic mode and can only unpack simple non-commercial packers such as:

(Win) Upack
and some others

Tool Updated: Rohitab API Monitor

At: 2018-06-15 21:56:31

Listed in categories: API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Dumpers, Memory Patchers, Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools

Most recent version:
v2 (Alpha-r13) (and old stable 1.5b)

Most recent release date:
March 14, 2013

API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API definitions for over 15,000 APIs from 200 DLLs and over 17,000 methods from 1,800+ COM interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc.)
* Decode and display 2,000 different structures and unions, 1,000+ enumerated data types and 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Instant monitoring of any API from any DLL without requiring any definitions
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call
* Process detection and notification

Tool Updated: DynLogger

At: 2018-06-15 21:00:15

Listed in categories: API Monitoring Tools

Most recent version:

Most recent release date:
April 14, 2008

DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come in very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules.

Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET applications as well. Just start the logging process; the log will be saved after you quit the monitored application.

Tool Updated: SpyStudio

At: 2018-06-15 20:57:55

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:

Most recent release date:
November 17, 2015

SpyStudio is a powerful application that simplifies code execution interception, also called "hooking". Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the operating system and its applications.

With SpyStudio you can monitor and intercept API calls at any time, change their parameters, and resume execution.

SpyStudio uses the Deviare API technology to intercept function calls; this allows the user to monitor and hook applications in real time.
Deviare is a very complex technology that can be used through the most simple interfaces.

This useful application provides the ability to break process execution and inspect a function's parameters at any level, and even change their values.

* Hooks any module of any application.

* Understands almost any function's parameters. Every data structure and type defined in windows.h is supported.

* Break on monitor: Break application's code execution, watch and modify function's parameters.

* Integrated Python shell: Now allows to execute Python scripts and handle hooks!

* Some of the modules included in the database are:


Tool Updated: Scdbg

At: 2018-06-15 20:50:47

Listed in categories: API Monitoring Tools, Automated Unpackers, Debuggers, Malware Analysis Tools, Monitoring Tools, Needs New Category

Most recent version:

Most recent release date:
March 30, 2012

scdbg is a shellcode analysis application built around the libemu emulation library. When run, it displays to the user all of the Windows APIs the shellcode attempts to call.

Additions include:
100+ new api hooks, 5 new dlls, interactive debug shell, memory dumping, rebuilt PEB, SEH support, support for file format exploits, support for return address scanners, memory monitor, report mode, dump mode, easily human readable outputs, log after xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Builds are available for Windows (native), Cygwin, and *nix variants.

See tool web page for more details.

New category request: Shellcode Analysis

While other categories describe functions of this tool, it's a really specialized niche field.
Not many people know specialized tools exist for it; a category of its own (probably
within the Malcode Analysis section?) would help people find it. I can think of two other applications to link into this new section (libemu and sclog), and maybe shellcode_2_exe.

Tool Updated: Pin

At: 2018-06-15 20:49:14

Listed in categories: API Monitoring Tools, Code Injection Tools, Programming Libraries, Reverse Engineering Frameworks

Most recent version:

Most recent release date:
February 11, 2018

Pin is a dynamic binary instrumentation framework for the IA-32, x86-64 and MIC instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are VTune Amplifier XE, Inspector XE, Advisor XE and SDE. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications on Linux, Windows and OS X. As a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.

Pin provides a rich API that abstracts away the underlying instruction-set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin was originally created as a tool for computer architecture analysis, but its flexible API and an active community (called "Pinheads") have created a diverse set of tools for security, emulation and parallel program analysis.

Tool Updated: Malcode Analysis Pack

At: 2018-06-15 20:43:55

Listed in categories: API Monitoring Tools, Import Editors, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools

Most recent version:

Most recent release date:
May 5, 2012

Update: This is no longer available through the iDefense website. An updated package has been made available by the author.

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 5 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs DNS responses to controlled IPs
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
• finddll - scan processes for loaded dll by name
• Virustotal - virus reports for single and bulk hash lookups. Explorer integration
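Shellcode2Exe above wraps raw shellcode in an executable husk, and PPEE (earlier on this page) lists per-section entropy/MD5 calculation and checksum validation. The following added Python example, which is not code from either tool, does both on a constructed input: it builds a one-section PE32 around a placeholder stub (xor eax,eax ; jmp $, constructed for the example and not a payload) and then computes the header checksum and the per-section entropy and MD5 the way a PE explorer would. The builder assumes e_lfanew = 0x40 and PE32 layout constants; the analysis functions read e_lfanew from the file they are given.

```python
"""Shellcode-to-PE32 husk plus the checksum / section-entropy checks a PE explorer applies (illustrative)."""
import hashlib
import math
import struct

FILE_ALIGN, SECT_ALIGN, IMAGE_BASE = 0x200, 0x1000, 0x00400000
NT_OFFSET = 0x40                      # e_lfanew: IMAGE_NT_HEADERS directly after the 64-byte DOS header
CHECKSUM_IN_NT = 0x58                 # OptionalHeader.CheckSum offset inside IMAGE_NT_HEADERS32
OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # IMAGE_OPTIONAL_HEADER32 sans data dirs
SECT_FMT = "<8sIIIIIIHHI"             # IMAGE_SECTION_HEADER

def align(n, a):
    return (n + a - 1) // a * a

def decode_shellcode(sc):
    r"""Accept raw bytes or C-style text such as "\x31\xc0", one of the text formats a husk tool ingests."""
    if isinstance(sc, (bytes, bytearray)):
        return bytes(sc)
    return bytes(int(tok, 16) for tok in sc.replace('"', "").split("\\x") if tok.strip())

def pe_checksum(data):
    """imagehlp-style checksum: end-around-carry sum with the CheckSum field zeroed, folded to 16 bits, plus length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    skip = e_lfanew + CHECKSUM_IN_NT
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def verify_checksum(data):
    """Explorers flag a mismatch; a stored value of 0 only means the linker never set one."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + CHECKSUM_IN_NT)[0] == pe_checksum(data)

def entropy(blob):
    """Shannon entropy in bits per byte: 0.0 for a constant run, near 8.0 for packed or encrypted data."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)

def sections(data):
    """Per-section (name, entropy, MD5) rows, walking the section table after the optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size
    rows = []
    for i in range(nsect):
        name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, first + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), round(entropy(raw), 3), hashlib.md5(raw).hexdigest()))
    return rows

def build_exe(shellcode):
    """One-section PE32 whose AddressOfEntryPoint is the first shellcode byte. There is no import table,
    so the code must resolve anything it needs itself, as position-independent shellcode does."""
    code = decode_shellcode(shellcode)
    hdr_size = align(NT_OFFSET + 4 + 20 + 224 + 40, FILE_ALIGN)
    raw_size, code_rva = align(len(code), FILE_ALIGN), SECT_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, NT_OFFSET)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    opt_hdr = struct.pack(
        OPT_HDR_FMT,
        0x10B, 0, 0,                           # PE32 magic, linker major/minor
        raw_size, 0, 0,                        # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        code_rva, code_rva, 0,                 # AddressOfEntryPoint, BaseOfCode, BaseOfData
        IMAGE_BASE, SECT_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                      # OS, image and subsystem versions
        0, align(code_rva + raw_size, SECT_ALIGN), hdr_size, 0,   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (patched below)
        2, 0,                                  # IMAGE_SUBSYSTEM_WINDOWS_GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,    # stack/heap reserve and commit
        0, 16,                                 # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * 128                            # 16 empty data directories
    sect = struct.pack(SECT_FMT, b".text", len(code), code_rva, raw_size, hdr_size,
                       0, 0, 0, 0, 0xE0000020)  # CODE | EXECUTE | READ | WRITE
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt_hdr + sect)
    image += b"\0" * (hdr_size - len(image)) + code + b"\0" * (raw_size - len(code))
    struct.pack_into("<I", image, NT_OFFSET + CHECKSUM_IN_NT, pe_checksum(bytes(image)))
    return bytes(image)

# Constructed placeholder stub (xor eax,eax ; jmp $): not a payload, it only spins in place.
STUB = b"\x31\xc0\xeb\xfe"

if __name__ == "__main__":
    exe = build_exe(STUB)
    print("checksum ok:", verify_checksum(exe), sections(exe))
```

The husk gives a debugger or an emulator something to load; a real sample dropped into it has to find its own APIs, exactly as shellcode in the wild does. The .text entropy of the built file is low because 508 of its 512 bytes are padding; a packed section of the same size would sit near 8.0, which is why explorers show the figure per section rather than per file.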

Tool Updated: SysAnalyzer

At: 2018-06-15 20:38:54

Listed in categories: API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Memory Dumpers, Network Monitoring Tools, Registry Monitoring Tools

Most recent version:

Most recent release date:
March 21, 2011

Update: This tool is no longer available for download through the iDefense website. An updated installer has been made available by the author.

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

Tool Updated: WinApiOverride

At: 2018-06-15 20:34:23

Listed in categories: .NET Tracers, API Monitoring Tools, COM Monitoring Tools

Most recent version:

Most recent release date:
March 27, 2018

WinAPIOverride is an advanced API monitoring software for 32- and 64-bit processes.
You can monitor and/or override any function of a process.
This can be done for API functions or executable-internal functions.

It tries to fill the gap between classical API monitoring software and debuggers.
It can break the targeted application before or after a function call, allowing memory or register changes, and it can directly call functions of the targeted application.
Main differences from other API monitoring software:
- You can define filters on parameters or function result
- You can define filters on DLLs to discard calls from Windows system DLLs
- You can hook functions inside the target process, not only APIs
- You can hook asm functions with parameters passed through registers
- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process-internal function
- You can break the process before and/or after a function call to change memory or registers
- You can call functions which are inside the remote process
- Can hook COM, OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- Everything is done as modules: you can log or override independently for any function
- A library is provided for developers who intend to build their own hooking software

Tool Updated: Bytecode Viewer

At: 2018-06-03 22:20:17

Listed in categories: Java Decompilers

Most recent version:
2.9.11 (JRE 8, 9 & 10)

Most recent release date:
March 26, 2018

* Easy to use yet extremely effective.

* Written to run on Java 7, supports Java 8.

* Compile Decompiled Java classes with Ranino Compiler.

* Quickly decompile classes using JD-Core.

* Easily edit APKs via Smali/Baksmali integration.

* Java Decompiling with five different decompilers (DJ-GUI/Core, Procyon, CFR, Fernflower and Krakatau).

* Bytecode Decompiling with CFIDE.

* Android APK integrated with Dex2Jar.

* Securely launch Java applications and insert hooks via EZ-Injection.

* Scan for malicious code with the Malicious Code Scanner plugin.

* Export as DEX, Jar, Class, Zip or Java Source File.

* Open Android APKs, Android DEX, Java Class Files and Java Jars.

* Extensively configurable, with over 100 settings!

* Works seamlessly with all Operating Systems.

* Integrate BCV into Windows by installing it; it will associate .class, .dex and .apk files with BCV.

* View Jar & APK Resources with ease by APKTool.jar integration.

* 100% free and open source under GPL v3.

Tool Added: JD-GUI

At: 2018-04-18 22:19:51

Listed in categories: Java Decompilers

Most recent version:

Most recent release date:
March 25, 2018

JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields.

Tool Updated: GUnPacker

At: 2018-04-15 20:54:23

Listed in categories: Automated Unpackers

Most recent version:

Most recent release date:
February 23, 1997

Generic unpacker supporting the packers below:

ACProtect 1.09, 1.32, 1.41, 2.0
AHPack 0.1
ASPack 102b, 105b, 1061, 107b, 1082, 1083, 1084, 2000, 2001, 21, 211c, 211d, 211r, 212, 212b212r
ASProtect 1.1, 1.2, 1.23RC1, 1.33, 1.35, 1.40, SKE.2.11, SKE.2.1, SKE.2.2
Alloy 4.1, 4.3
alexprot 1.0b2
Beria 0.07
Bero 1
BJFNT 1.2, 1.3
Cexe 10a, 10b
DragonArmor 1
DBpe 2.33
EPPort 0.3
eXe32Pack 1.42
EXECrypt 1
eXeStealth 2.75a, 2.76, 2.64, 2.73, 2.76, 3.16
ExeSax 0.9.1
eXPressor, 1.3
FengYue'Dll unknown
FSG 1.33, 2.0, fsg2.0bart, fsg2.0dulek
GHF Protector v1.0
Krypton 0.2, 0.3, 0.4, 0.5
Hmimys Packer unknown
JDProtect 0.9, 1.01, 2.0
KByS unknown
MaskPE 1.6, 1.7, 2.0
MEW 11, 1.0/1.2, mew10, mew11_1.2, mew11_1.2_2, mew5
molebox 2.61, 2.65
morphine 2.7
MKFpack 1
Mpress unknown
Mucki 1
neolite 2
NsPack 2.3, 2.4, 3.1
Packman unknown
PCShrink 0.71
PC-Guard v5.0, 4.06c
PE Cryptor 1.5
PEBundle 2.3, 2.44, 3.0, 3.2
PE-Armor 0.46, 0.49, 0.75, 0.765
PECompact 1.x
PEDiminisher 0.1
PELock 1.06
PEncrypt 4
pepack 0.99, 1.0
PELockNt 2.01, 2.03, 2.04
PEtite 1.2, 1.3, 1.4, 2.2, 2.3
PKlite32 1.1
PolyCryptA unknown
peshield 0.2b2
PESpin 0.3, 0.7, 1.1, 1.3
PEX 0.99
PolyCrypt PE 1.42
RLPack 1.1, 1.6, 1.7, 1.8
Rubbish 2
ShrinkWrap 1.4
SDProtector 1.12, 1.16
SLVc0deprotector 0.61, 1.12
SimplePack 1.0, 1.1, 1.2
SoftSentry 3.0
Stealth PE 1.01, 2.1
Stone's PE Encryptor 1.13
SVKP 1.11, 1.32, 1.43
teLock 0.42, 0.51, 0.60, 0.70, 0.71, 0.80, 0.85, 0.90, 0.92, 0.95, 0.96, 0.98, 0.99
Upc All
Upack 0.1, 0.11, 0.12, 0.20, 0.21, 0.22, 0.23, 0.24, 0.25, 0.26, 0.27, 0.29, 0.30, 0.31, 0.32, 0.33, 0.34, 0.35, 0.36, 0.37, 0.38, 0.39, 0.399
UPolyX 0.2, 0.5
UPX 0.51, 0.60, 0.61, 0.62, 0.71, 0.72, 0.80, 0.81, 0.82, 0.83, 0.84, 0.896, 1.0w, 1.03, 1.04, 1.25w, 2.0w, 2.02, 2.03, 3.03, UPX-Scrambler RC1.x
V2Packer 0.02
VisualProtect 2.57
Vprotector 1.2
WindCrypt 1.0
wwpack32 v1.20, v1.11, v1.12
WinKript 1
yoda's cryptor v1.1, v1.2
yoda's Protector v1.02, v1.03.2, v1.03.3, v1.0b

Tool Updated: SandboxDiff

At: 2018-03-10 14:15:31

Listed in categories: File Monitoring Tools, File System Diff Tools, Install Monitoring Tools, Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools

Most recent version:

Most recent release date:
January 10, 2011

'SandboxDiff' allows tracking changes to the registry and files when using 'Sandboxie' (an amazing application created by Ronen Tzur).

All registry entries and file system objects created or modified by a sandboxed program (or any sandboxed action) are monitored and listed by SandboxDiff.

Very useful when users want to know, before installing an application, all changes the installer makes to the registry and file system.
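The snapshot-and-compare approach behind SandboxDiff, shown for the file system side as an added Python example (not SandboxDiff's own code): hash every file before and after the monitored action, then classify paths as created, deleted or modified. Hashing rather than comparing sizes is what catches a config rewrite of identical length. The scratch directory contents and the simulated "installer" actions are constructed for the example; the registry half would walk keys the same way on Windows and is not shown here.

```python
"""Before/after file-system snapshot diff, the technique behind tools like SandboxDiff (illustrative)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return state


def diff(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Run a simulated installer in a scratch directory (constructed data) and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("app/config.ini", b"debug=0\n")
        write("app/readme.txt", b"hello\n")
        write("tmp/cache.bin", b"\x00" * 16)
        before = snapshot(root)

        # The "installer": drops a DLL, rewrites the config with the same length, deletes the cache.
        write("app/helper.dll", b"MZ" + b"\x90" * 30)
        write("app/config.ini", b"debug=1\n")
        os.remove(os.path.join(root, "tmp", "cache.bin"))
        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real monitor also records files that are created and deleted again between the two snapshots (a dropper's temporary stage, for instance), which a pure diff cannot see; that is where a sandbox's own logging, as Sandboxie provides, complements the before/after comparison.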

Tool Updated: Solar Assembler (SolAsm)

At: 2018-03-08 22:14:31

Listed in categories: Assemblers

Most recent version:

Most recent release date:
February 5, 2018

SOLAR Assembler is a modern multipass macro assembler that can compile 16/32/64-bit code and runs on Windows, Linux, Mac OS X and Solar_OS.

A few features:
• Fast on huge and complex projects: 350,000 lines per second
• Can directly generate PE32/64, Binary 16/32/64, DLL32/64
• Can output OMF32, COFF32/64, ELF32/64 and MachO32 OBJ
• Can encode 16/32/64 ASM code
• Strong recursive and nested MACRO system
• Includes a rich set of high-level primitives:
  • .IF .ELSEIF .ELSE .ENDIF with AND/OR/NOT multiple conditions
  • INVOKE with ADDR support
  • .REPEAT .UNTIL
  • #if, #ifdef, #if_used, #else
  • Does not need PROTO, checks PROC arguments
• Includes a mini in-memory resource compiler
• Emits listing in standard text format
• Emits debug output in COFF format and an easy-to-read text format
• Multiplatform, runs on:
  • Win95, Win98, Windows XP, Vista, Windows 7 32- and 64-bit
  • Mac OS X
  • Unix / Linux and other Unix-like OSes that can link with an ELF libc
  • Solar OS
• Fully written in ASM, compiles itself
• Compiles huge and complex ASM projects like:
  • Solar OS
  • Hostile Encounter RTS game
• Has a rich manual and a set of samples to get you started