From Collaborative RCE Tool Library

Jump to: navigation, search

Categorized by Target Type


Tool name: .netshrink
Rating: 5.0 (1 vote)
Author: Bartosz Wójcik                        
Website: https://www.pelock.com/products/netshrink
Current version: 2.7
Last updated: July 2, 2016
Direct D/L link: https://www.pelock.com/download/netshrink.exe
License type: Shareware
Description: .netshrink is an exe packer (aka executable compressor). It means it can take your Windows or Linux .NET application executable file, compress it, add unpacking code to the output file while leaving it fully functional but with decreased size.

.netshrink uses LZMA compression algorithm to achieve maximum compression ratios.

With .netshrink you can password protect your applications, it will be impossible to run it without the proper password.

Password protection uses verification based on SHA256 hash function and 256 bit AES / Rijndael encryption.

With .netshrink you can also bind multiple DLL libraries to the output file so you can redistribute your application as a standalone file

Version history

v2.7

* Strong-Name Signing added
* Digital Code Signing added (support for double signatures, compatible with Windows 10)

v2.6

* Cecil library updated to the latest version
* .netshrink's main executable and setup file digitally signed
* default expiration date added for the compressed applications in demo mode (7 days)
* minor GUI improvements

v2.5

* .NET 4.5 detection added
* .NET Framework detection improved
* .NET 4.x loader bugs removed Drag&Drop bugs removed

v2.4

* detection of the .NET Framework (using native loader)
* command line parameters parsing fixed
* known issues section added to the help file
* minor bugs fixed

v2.3
* project files support added
* list of locally stored passwords added
* fixed bugs with handling x64 applications

v2.2
* original assembly CPU architecture preservation
* running compressed assemblies from the UNC paths fixed

v2.1
* virtual DLL libraries binding to the output executable file
* detection of cracking and unpacking tools
* backup file creation
* original assembly name, copyright and company information preservation

v2.01
* detection of already compressed applications
* minor bugs fixed

v2.0
* resources preservation (all resources, including icons, manifests etc.)
* compression of command line executables
* support added for .NET Framework 3.0, 3.5 and 4.0
* .NET Framework auto detection
* updated password query dialogs
* enter password from the command line for protected files
* minor bugs fixed
* help file updated to .chm format

v1.0
* first public release
Also listed in: .NET Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: AdmiralDebilitate
Rating: 5.0 (1 vote)
Author: Admiral                        
Website: http://www.ring3circus.com/downloads/admiraldebilitate
Current version: 0.2
Last updated: June 16, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: AdmiralDebilitate is a tool for removing .NET strong name signing, particularly suited for large projects consisting of multiple nested dependencies. The interface is fairly simple: open up all relevant executables simultaneously (or all PEs if late-binding is in use) and ‘mark’ those that are to be modified. AdmiralDebilitate will determine the minimal area of the dependency tree that requires fixing and execute things appropriately. Any mismatching references will be listed in the ‘Problem Areas’ pane. Please report any bugs, after reading the following list of notes and caveats:

* All dependencies on mscorlib and System.* are ignored. I don’t see why this should be a problem, but bear it in mind if something isn’t working.
* Only exe and dll files are supported.
* The tool searches only the current folder for DLLs referenced by the seeding assemblies. If the system is relying on environment variables being set or suchlike, then AdmiralDebilitate will probably fail to load all the assemblies. A workaround is to temporarily place all the files in the same directory.

Updates:

* 17/06/08 - A silly little fencepost error was causing problems with assemblies having AssemblyRef as their last table. That’s fixed in version 0.2.


Thanks go out to Dan Pistelli, without whose .NET specification this wouldn’t have happened.
Also listed in: .NET Signature Changers, .NET Signature Removers, Dependency Analyzer Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COM VfTable Dumper
Rating: 5.0 (1 vote)
Author: Ronnie Johndas                        
Website: N/A
Current version: 1.0
Last updated: February 2, 2010
Direct D/L link: Locally archived copy
License type: GPL
Description: This parses the TLB info and gets method addresses in the registered interfaces of the COM component.
Also listed in: COM Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Class Informer
Rating: 5.0 (1 vote)
Author: Sirmabus                        
Website: http://www.macromonkey.com/bb/viewforum.php?f=65
Current version: 1.02
Last updated: March 28, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read
easier as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

See also screenshot example of vftable info set by plug-in below.
Also listed in: COM Tools, IDA Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.5.0 ( 1015 / 67 - x64 signatures )
Last updated: April 12, 2018
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors , compiler + unpack info + internal exe tools.
Internal Ripper for zip,rar,Flash swf,cab,msi,bzip,
GFX :bmp/jpg/png/gif,
Colored Disassembler,
Delphi Form viewer ,
.Zlib unpacker v1.2.8 ,
.NET exe info
Send sha256 to virustotal.com
Internal detector for non executable files.
Included EXTERNAL : userDB.txt - 4524 Signatures.
included : Ext_detector - v4.9.0 ( 490 non exe signatures )
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Fenris
Rating: 5.0 (1 vote)
Author: lcamtuf                        
Website: http://lcamtuf.coredump.cx/fenris
Current version: 0.07-m2 build 3245
Last updated: July 11, 2004
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.

* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler.

* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.

* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).

* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).

* ...and some other companion utilities.
Also listed in: Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: IDA Pro
Rating: 5.0 (6 votes)
Author: Ilfak Guilfanov                        
Website: http://www.hex-rays.com/idapro
Current version: 6.1
Last updated: April 8, 2011
Direct D/L link: http://95.211.133.202/files/idademo_windows60.exe
License type: Commercial
Description: The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.

There is also a free (crippled) version available (IDA Pro Free). See its own entry in the library for more info.

As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above.
Also listed in: .NET Disassemblers, Disassemblers, IPhone Tools, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers, Symbian Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: radare
Rating: 5.0 (2 votes)
Author: pancake                        
Website: http://www.radare.org
Current version: 2.0.0
Last updated: October 10, 2017
Direct D/L link: http://bin.rada.re/radare2-w32-2.0.0.zip
License type: LGPL
Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with 6502, 8051, arc, arm64, avr, brainfuck, whitespace, malbolge, cr16, dcpu16, ebc, gameboy, h8300, tms320, nios2, x86, x86_64, mips, arm, snes, sparc, csr, m68k, powerpc, dalvik and java.

The main program is 'r2' a commandline hexadecimal editor with support for debugging, disassembling, analyzing structures, searching data, analyzing code and support for scripting with bindings for Python, NodeJS, Perl, Ruby, Go, PHP, Vala, Java, Lua, OCaml.

Radare comes with the unix phylosophy in mind. Each module, plugin, tool performs a specific task and each command can be piped to another to extend its functionality. Also, it treats everything as a file: processes, sockets, files, debugger sessions, libraries, etc.. Everything is mapped on a virtual address space that can be configured to map multiple files on it and segment it.

If you are interested or feel attracted by the project join us in the #radare channel at irc.freenode.net.

See website for more details.
Also listed in: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rebel.NET
Rating: 5.0 (1 vote)
Author: Daniel Pistelli                        
Website: http://ntcore.com/rebelnet.php
Current version: 1.6.0.1
Last updated: September 3, 2010
Direct D/L link: http://ntcore.com/files/RebelDotNET.zip
License type: Free
Description: Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.
Also listed in: .NET Code Injection Tools, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Reflector for .NET
Rating: 5.0 (1 vote)
Author: Lutz Roeder (current owner Red Gate Software)                        
Website: http://www.reflector.net/
Current version: 7.7
Last updated: July 18, 2009
Direct D/L link: http://shop.reflector.net/download
License type: Free until 6.8.2.5
Description: From website:

"Reflector is a very powerful class browser, explorer, analyzer and documentation viewer for .NET. Reflector allows to easily view, navigate, search, decompile and analyze .NET assemblies in C#, Visual Basic and IL."

This is one of the most powerful .NET decompilers that you can't buy - just download :)
Many of the popular commercial tools achieving the same goal "suddenly" got a boost when this masterpiece of work saw a daylights (and besides that those are commercial, still have hard time with obfuscators).

Just give it a try, it will last literally five minutes - load some well known assembly of yours, choose target .NET language (!) and let'em work. Then compare it with the original.

You'll surely not forget this one.
Also listed in: .NET Decompilers, .NET Disassemblers, Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Reflexil
Rating: 5.0 (1 vote)
Author: Sebastien Lebreton                        
Website: http://reflexil.net
Current version: 1.2
Last updated: March 7, 2011
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, a great tool for .NET developers. Reflexil is using Mono.Cecil, written by Jb Evain and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.
Also listed in: .NET Disassemblers, .NET Executable Editors, .NET MSIL Dumpers, .NET Signature Changers, .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Rohitab API Monitor
Rating: 5.0 (1 vote)
Author: Rohitab Batra                        
Website: http://www.rohitab.com/apimonitor
Current version: v2 (Alpha-r13) (and old stable 1.5b)
Last updated: March 14, 2013
Direct D/L link: Locally archived copy
License type: Freeware
Description: API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API Definitions for over 15,000 API’s from 200 DLL’s and over 17,000 methods from 1,800+ COM Interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc)
* Decode and display 2000 different structures and unions, 1000+ Enumerated data types, 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Instant monitoring of any API from any DLL without requiring any definitions
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call
* Process detection and notification
Also listed in: API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Dumpers, Memory Patchers, Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: whoknows NET patcher
Rating: 5.0 (1 vote)
Author: whoknows                        
Website: http://portal.b-at-s.info/download.php?view.448
Current version: 0.7
Last updated: January 2, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: The purpose of this utility is to make something like dUP for NET assemblies.
also patches the target and resign it to user machine.
Also you can save and load Projects.
Also listed in: .NET Patcher Generators
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: WinApiOverride
Rating: 5.0 (3 votes)
Author: Jacquelin POTIER                        
Website: http://jacquelin.potier.free.fr/winapioverride32/
Current version: 6.6.3
Last updated: March 27, 2018
Direct D/L link: Locally archived copy
License type: Free for non commercial use (temporary closed sources due to abuse)
Description: WinAPIOverride is an advanced api monitoring software for 32 and 64 bits processes.
You can monitor and/or override any function of a process.
This can be done for API functions or executable internal functions.

It tries to fill the gap between classical API monitoring softwares and debuggers.
It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.
Main differences between other API monitoring softwares :
- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll
- You can hook functions inside the target process not only API
- You can hook asm functions with parameters passed through registers
- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers
- You can call functions which are inside the remote processes
- Can hook COM OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- All is is done like modules : you can log or override independently for any function
- A library is provided for developers who intend to build their one hooking software
Also listed in: .NET Tracers, API Monitoring Tools, COM Monitoring Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CFF Explorer
Rating: 4.8 (4 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: 7.9
Last updated: August 2, 2010
Direct D/L link: http://www.ntcore.com/Files/CFF_Explorer.zip
License type: Freeware
Description: The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!
Also listed in: .NET Executable Editors, PE Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Explorer Suite
Rating: 4.4 (5 votes)
Author: Daniel Pistelli                        
Website: http://www.ntcore.com/exsuite.php
Current version: III (DC20121111)
Last updated: November 11, 2012
Direct D/L link: http://www.ntcore.com/files/ExplorerSuite.exe
License type: Free
Description: A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever
Also listed in: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COMView
Rating: 4.0 (1 vote)
Author: japheth                        
Website: http://www.japheth.de/COMView.html
Current version: 2.9.12
Last updated: February 25, 2011
Direct D/L link: http://www.japheth.de/Download/COMView.zip
License type: Free
Description: COMView is a tool for viewing and handling Windows COM (Component Objects Model) things.
It is intended to be used by programers, although it might also be useful for experienced end users.
The following functions are included:

shows COM related entries in the registry
build in registry editor to modify these entries
consistency check of COM related registry information
shows type library information
can generate assembly include files (Masm style) from type libraries
"dispatch helper" assembly includes (Masm) may be generated to simplify using IDispatch and events.
COM objects can be created and interfaces exposed are shown
OLE container is implemented allowing to view and test OLE/activeX controls
object properties may be edited and methods be executed.
object model exposed by an application/control may be walked.
may connect to source interfaces and display events

Please note: to get benefits from using COMView it is expected to be familiar with COM basics, there is no tutorial included in COMView.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: EDB Linux Debugger
Rating: 4.0 (2 votes)
Author: Evan Teran                        
Website: http://codef00.com/projects#debugger
Current version: 0.9.20
Last updated: January 15, 2014
Direct D/L link: http://codef00.com/projects/debugger-0.9.20.tgz
License type: GPL
Description: Features
* Intuitive GUI interface
* The usual debugging operations (step-into/step-over/run/break)
* Conditional breakpoints
* Debugging core is implemented as a plugin so people can have drop in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
* Basic instruction analysis
* View/Dump memory regions
* Effective address inspection
* The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
* Importing of symbol maps
* Plugins
o Search for binary strings
o Code Bookmarks
o Breakpoint management
o Check for updates
o Environment variable viewer
o Heap block enumeration
o Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
o Open file enumeration
o Reference finder
o String searching (like strings command in *nix)

One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in QT4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files, porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to it's highly system specific nature.
Also listed in: Debuggers, Linux Debuggers, Ring 3 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET DeObfuscator
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11810
Current version: 0.5
Last updated: June 11, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: This is a tool to deobfuscate names only in Assemblies, It doesn't deobfuscate control-flow.

This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only.

What this tool does is that it renames Classes and other member of assembly like Procedures and Fucntion into more understandable names for easier analysis, for example it renames a Class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with xenocode or any other obfuscator, I didn't want it to release it at first, but when I added type detection to renaming process it became more useful.
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Generic Unpacker
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://ntcore.com/netunpack.php
Current version: 1.0.0.1
Last updated:
Direct D/L link: http://ntcore.com/Files/NETUnpack.zip
License type:
Description: This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assemly. This .NET Generic Unpacker was written in a couple of hours and despite of the fact that it's very simple, it might turn useful having it: otherwise you have to unpack manually, which is also very easy.
Also listed in: .NET Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Hook Library
Rating: 0.0 (0 votes)
Author: shokshok                        
Website: http://dotnethook.sourceforge.net
Current version: 2.1
Last updated: May 30, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: .Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it.

The download contains detailed documentation about how it works and what it is.

I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a assemblies).
Also listed in: .NET Code Injection Tools, Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET Methods Parser
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://portal.b-at-s.info/download.php?view.463
Current version: 0.2
Last updated: July 19, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: A simple tool to analyze the "Methods" metadata table.
It has a good error and invalid data handling code so it will open most weird files.
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: .NET PE Alignments resizer
Rating: 0.0 (0 votes)
Author: yaroved                        
Website: http://emicrox.net
Current version: *
Last updated: January 14, 2011
Direct D/L link: http://emicrox.net/source/uper.zip
License type: Free
Description: .NET PE Alignments resize`r

change FileAlignment/SectionAlignment, resize image data

and recalculate the appropriate references

For

x86:

http://emicrox.net/source/uper.zip

x64:

    / Will be added on January, 18th /

http://emicrox.net/utils.asp
Also listed in: .NET Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Anathema .NET Instrumentation Tool
Rating: 0.0 (0 votes)
Author: Antonio "s4tan" Parata                        
Website: http://www.phrack.org/papers/dotnet_instrumentation.html
Current version:
Last updated: January 11, 2018
Direct D/L link: Locally archived copy
License type: Open Source
Description: |=-----------------------------------------------------------------------=|
|=--------=[ .NET Instrumentation via MSIL bytecode injection ]=---------=|
|=-----------------------------------------------------------------------=|
|=----------=[ by Antonio "s4tan" Parata <aparata@gmail.com>]=-----------=|
|=-----------------------------------------------------------------------=|


1 - Introduction
2 - CLR environment
2.1 - Basic concepts
2.1.1 - Metadata tables
2.1.2 - Metadata token
2.1.3 - MSIL bytecode
2.2 - Execution environment
3 - JIT compiler
3.1 - The compileMethod
3.2 - Hooking the compileMethod
4 - .NET Instrumentation
4.1 - MSIL injection strategy
4.2 - Resolving the method handle
4.3 - Implementing a trampoline via the calli instruction
4.4 - Crafting a dynamic method
4.5 - Invoking the user defined code
4.6 - Fixing the SEH table
5 - Real world examples
5.1 - Web application password stealer
5.2 - Malware inspection
6 - Conclusion
7 - References
8 - Source Code


--[ 1 - Introduction

In this article we will explore the internals of the .NET framework with
the purpose of providing an innovative method to instrument .NET programs
at runtime.

Actually, there are several libraries that allow to instrument .NET
programs; most of them install a hook in the code generated after compiling
a given method, or by modifying the Assembly and saving back the result of
the modification.

Microsoft also provides a profile API in order to instrument the execution
of a given program. However the API must be activated before executing the
program by setting specific environment variables.

Our goal is to instrument the program at runtime by leaving the Assembly
binary untouched; all this by using a high level .NET language. As we will
see, this is done by injecting additional MSIL code just before the target
method is compiled.


--[ 2 - CLR environment

Before describing in depth how to inject additional MSIL code in a method,
it is necessary to provide some basic concepts as on how the .NET framework
works and which are its basic components.

We will only describe the concepts that are relevant to our purpose.


---[ 2.1 - Basic concepts

A .NET binary is typically called Assembly (even if it doesn't contain any
assembly code). It is a self-describing structure, meaning that inside an
Assembly you will find all the necessary information to execute it (for
more information on this subject see [01]).

As we will shortly see, all this information can be accessed by using
reflection. Reflection allows us to have a full picture of which types and
methods are defined inside the Assembly. We can also have access to the
names and types of the parameters passed to a specific method. The only
missing information are the names of the local variables, but as we will
see this is not a problem at all.


----[ 2.1.1 - Metadata tables

All the above mentioned information is stored inside tables called
Metadata tables.

The following list taken from [02] shows the index and names of all the
existing tables:

00 - Module 01 - TypeRef 02 - TypeDef
04 - Field 06 - MethodDef 08 - Param
09 - InterfaceImpl 10 - MemberRef 11 - Constant
12 - CustomAttribute 13 - FieldMarshal 14 - DeclSecurity
15 - ClassLayout 16 - FieldLayout 17 - StandAloneSig
18 - EventMap 20 - Event 21 - PropertyMap
23 - Property 24 - MethodSemantics 25 - MethodImpl
26 - ModuleRef 27 - TypeSpec 28 - ImplMap
29 - FieldRVA 32 - Assembly 33 - AssemblyProcessor
34 - AssemblyOS 35 - AssemblyRef 36 - AssemblyRefProcessor
37 - AssemblyRefOS 38 - File 39 - ExportedType
40 - ManifestResource 41 - NestedClass 42 - GenericParam
44 - GenericParamConstraint

Each table is composed of a variable number of rows. The size of a row
depends on the kind of table and can contain a reference to other Metadata
tables.

Those tables are referenced by the Metadata token, a notion that is
described in the next paragraph.


----[ 2.1.2 - Metadata token

The Metadata token (or token for short) is a fundamental concept in the CLR
framework. A token allows you to reference a given table at a given index.
It is a 4-byte value, composed of two parts [08]: a table index and the
RID.

The table index is the topmost byte wich points to a table. A RID is a
3-byte record identifier pointing in the table, which starts at offset one.

As an example, let's consider the following Metadata token:

(06)00000F

0x06 is the number of the referenced table, which in this case is
MethodDef. The last three bytes are the RID, that in this case has a value
of 0x0F.


----[ 2.1.3 - MSIL bytecode

When we write a program in a .NET high level language, the compiler will
translate this code into an intermediate representation called MSIL or as
defined in the ECMA-335 [03] CIL, which stands for Common Intermediate
Language.

By installing Visual Studio you will also install a very handy utility
called ILDasm, that allows you to disassemble an Assembly by displaying the
MSIL code and other useful information.

As an example let try to compile the following C# source code:

------#------#------#------<START CODE>------#------#------#------
public class TestClass
{
private String _message;

public TestClass(String txt)
{
this._message = txt;
}

private String FormatMessage()
{
return "Hello " + this._message;
}

public void SayHello()
{
var message = this.FormatMessage();
Console.WriteLine(message);
}
}
------#------#------#------<END CODE>------#------#------#------

The result of the compilation is an Assembly with three methods:
.ctor : void(string), FormatMessage : string() and SayHello : void().

Let's try to display the MSIL code of the SayHello method:

------#------#------#------<START CODE>------#------#------#------
.method public hidebysig instance void SayHello() cil managed
// SIG: 20 00 01
{
// Method begins at RVA 0x21f8
// Code size 16 (0x10)
.maxstack 1
.locals init ([0] string message)
IL_0000: /* 00 | */ nop
IL_0001: /* 02 | */ ldarg.0
IL_0002: /* 28 | (06)00000F */
call instance string MockLibrary.TestClass::FormatMessage()
IL_0007: /* 0A | */ stloc.0
IL_0008: /* 06 | */ ldloc.0
IL_0009: /* 28 | (0A)000014 */
call void [mscorlib]System.Console::WriteLine(string)
IL_000e: /* 00 | */ nop
IL_000f: /* 2A | */ ret
} // end of method TestClass::SayHello
------#------#------#------<END CODE>------#------#------#------

For each instruction we can see the associated MSIL byte values. It is
interesting to see that the code doesn't contain any reference to unmanaged
memory but only to metadata tokens.

The two call instructions reference two different tables, due to the
FormatMessage method being implemented in the current Assembly and the
WriteLine method implemented in an external Assembly.

If we take a look at the list of tables presented in 2.1.1 we can see that
the Metadata token (0A)000014 references the table 0x0A which is the
MemberRef table, index 0x14 which is WriteLine. Instead the token
(06)00000F references the table 0x06 which is the MethodDef table, index
0x0F which is FormatMessage.


---[ 2.2 - Execution environment

The CLR execution environment is very strict and forbids any kind of
dangerous operation. If we compare it with the unmanaged world where we
were able to jump in the middle of an instruction to confuse the
disassembler, to create all kinds of opaque instructions or to jump to any
valid address, we will discover a sad truth: everything is forbidden.

The CLR is a stack based machine. This means that there is no concept of
registers and every parameter is pushed on the stack in order to be passed
to other functions. When we exit a method, the stack must be empty or at
least contain the value that should be returned.

As already said, everything is based on the definition of the Metadata
token. If we try to invoke a call with an invalid token we will receive a
fatal exception. This poses a serious problem for our goal, since we cannot
call methods that are not referenced by the original Assembly.


--[ 3 - JIT compiler

When a method is executed we have two different scenarios. The first one is
when the method is already compiled, in this case the code just jumps to
the compiled unmanaged code. The second scenario is when the method isn't
yet compiled, in this case the code jumps to a stub that will call the
exported method compileMethod, defined in corjit.h [04], in order to
compile and then execute the method.


---[ 3.1 - The compileMethod

Let's analyze this interesting method a bit more. The signature of
compileMethod is the following:

virtual CorJitResult __stdcall compileMethod (
ICorJitInfo *comp, /* IN */
struct CORINFO_METHOD_INFO *info, /* IN */
unsigned /* code:CorJitFlag */ flags, /* IN */
BYTE **nativeEntry, /* OUT */
ULONG *nativeSizeOfCode /* OUT */
) = 0;

The most interesting structure is the CORINFO_METHOD_INFO
which is defined in corinfo.h [05] and has the following format:

struct CORINFO_METHOD_INFO
{
CORINFO_METHOD_HANDLE ftn;
CORINFO_MODULE_HANDLE scope;
BYTE * ILCode;
unsigned ILCodeSize;
unsigned maxStack;
unsigned EHcount;
CorInfoOptions options;
CorInfoRegionKind regionKind;
CORINFO_SIG_INFO args;
CORINFO_SIG_INFO locals;
};

For our purpose the most important field is the ILCode byte pointer. It
points to a buffer which contains the MSIL bytecode. By modifying this
buffer we are able to alter the method execution flow.

As a side note, this method is also extensively used by .NET obfuscators.
In fact we can read the following comment in the source code:

Note: Obfuscators that are hacking the JIT depend on this method having
__stdcall calling convention

An obfuscator typically encrypts the MSIL bytecode of a method, then when
the method is bound to be executed they decrypt the bytecode and pass this
value as byte pointer instead of the encrypted one. This also explains why
if we open it in ILDasm or with a decompiler we receive back an error. How
can they know when a method is going to be called? This is pretty easy,
the code in charge for the replacement process is placed inside the type
constructor. This specific constructor is invoked only once: before a new
object of that specific type is created.


---[ 3.2 - Hooking the compileMethod

Since the compileMethod is exported by the Clrjit.dll (or from mscorjit.dll
for older .NET versions), we can easily install a hook to intercept all the
requests for compilation. The following F# pseudo-code shows how to do
this:

------#------#------#------<START CODE>------#------#------#------
[<DllImport(
"Clrjit.dll",
CallingConvention = CallingConvention.StdCall, PreserveSig = true)
>]
extern IntPtr getJit()

[<DllImport("kernel32.dll", SetLastError = true)>]
extern Boolean VirtualProtect(
IntPtr lpAddress,
UInt32 dwSize,
Protection flNewProtect,
UInt32& lpflOldProtect)

let pVTable = getJit()
_pCompileMethod <- Marshal.ReadIntPtr(pVTable)

// make memory writable
let mutable oldProtection = uint32 0
if not <| VirtualProtect(
_pCompileMethod,
uint32 IntPtr.Size,
Protection.PAGE_EXECUTE_READWRITE,
&oldProtection)
then
Environment.Exit(-1)

let protection = Enum.Parse(
typeof<Protection>,
oldProtection.ToString()) :?> Protection

// save original compile method
_realCompileMethod <-
Some (Marshal.GetDelegateForFunctionPointer(
Marshal.ReadIntPtr(_pCompileMethod),
typeof<CompileMethodDeclaration>) :?> CompileMethodDeclaration
)
RuntimeHelpers.PrepareDelegate(_realCompileMethod.Value)
RuntimeHelpers.PrepareDelegate(_hookedCompileMethodDelegate)

// install compileMethod hook
Marshal.WriteIntPtr(
_pCompileMethod,
Marshal.GetFunctionPointerForDelegate(_hookedCompileMethodDelegate)
)

// repristinate memory protection flags
VirtualProtect(
_pCompileMethod,
uint32 IntPtr.Size,
protection,
&oldProtection
) |> ignore
------#------#------#------<END CODE>------#------#------#------

When we modify the MSIL code we must pay attention to the stack size. Our
framework needs some stack space in order to work and if the method that is
going to be compiled doesn't need any local variables, we will receive an
exception at runtime. In order to fix this problem it is enough to modify
the maxStack variable of CORINFO_METHOD_INFO structure before writing it
back.


--[ 4 - .NET Instrumentation

Now it is time to modify the MSIL buffer of our method of choice and
redirect the flow to our code. As we will see this is not a smooth process
and we need to take care of numerous aspects.


---[ 4.1 - MSIL injection strategy

In order to invoke our code the process that we will follow is composed of
the following steps:

1. Install a trampoline at the beginning of the code. This
trampoline will call a dynamically defined method.

2. Define a dynamic method that will have a specific method signature.

3. Construct an array of objects that will contain the parameters
passed to the method.

4. Invoke a dispatcher function which will load our Assembly
and will finally call our code by passing a handle to the original
method and an array of objects representing the method parameters.

In the end the structure that we are going to create will follow the path
defined in the following diagram:

| ... |
| ... | +---------------+
| Trampoline |----> | |
| Original MSIL | | Dynamic |
| ... | | Method |---------+
| ... | | | |
+---------------+ v
+---------------+
| |
| Framework |
| Dispatcher |
| |
+---------------+
|
+----------+
|
v
+---------------+
| |
| User |
| Code Monitor |
| |
+---------------+


---[ 4.2 - Resolving the method handle

As we will see in the next paragraph, it is necessary to resolve the handle
of the method that will be compiled in order to obtain the needed
information via reflection. I have found a method to resolve it, it is not
very elegant but it works :P.

The following F# pseudo-code will show you how to resolve a method handle
given the CorMethodInfo structure:

------#------#------#------<START CODE>------#------#------#------
let getMethodInfoFromModule(
methodInfo: CorMethodInfo,
assemblyModule: Module) =
let mutable info: FilteredMethod option = None
try
// dirty trick, is there a
// better way to know the module of the compiled method?
let mPtr =
assemblyModule.ModuleHandle.GetType()
.GetField("m_ptr",
BindingFlags.NonPublic ||| BindingFlags.Instance)
let mPtrValue = mPtr.GetValue(assemblyModule.ModuleHandle)
let mpData =
mPtrValue.GetType()
.GetField("m_pData",
BindingFlags.NonPublic ||| BindingFlags.Instance)

if mpData <> null then
let mpDataValue = mpData.GetValue(mPtrValue) :?> IntPtr
if mpDataValue = methodInfo.ModuleHandle then
// module found, get method name
let tokenNum =
Marshal.ReadInt16(nativeint(methodInfo.MethodHandle))
let token = (0x06000000 + int32 tokenNum)
let methodBase = assemblyModule.ResolveMethod(token)

if methodBase.DeclaringType <> null &&
isMonitoredMethod(methodBase) then
let mutable numOfParameters =
methodBase.GetParameters() |> Seq.length
if not methodBase.IsStatic then
// take into account the this parameter
numOfParameters <- numOfParameters + 1

// compose the result info
info <- Some {
TokenNum = tokenNum
NumOfArgumentsToPushInTheStack = numOfParameters
Method = methodBase
IsConstructor = methodBase :? ConstructorInfo
Filter = this
}
with _ -> ()
info
------#------#------#------<END CODE>------#------#------#------

This method must be invoked for each module of all loaded Assemblies.

Now that we have a MethodBase object, we can use it to extract the needed
information, like the number of accepted parameters and their types.


---[ 4.3 - Implementing a trampoline via the calli instruction

Our first obstacle is to create a MSIL bytecode that can invoke an
arbitrary function. Among all the available OpCodes, the one of interest
for us is the calli instruction [06] (beware of its usage, as it makes our
code unverifiable).

From the MSDN page we can read that:

"The method entry pointer is assumed to be a specific pointer to native
code (of the target machine) that can be legitimately called with the
arguments described by the calling convention (a metadata token for a
stand-alone signature). Such a pointer can be created using the Ldftn or
Ldvirtftn instructions, or passed in from native code."

Nice, we can specify an arbitrary pointer to native code. The only
difficulty is that we cannot use the Ldftn or Ldvirtftn since they need a
metadata token, and we cannot specify this value. Not too bad, since from
the Ldftn documentation we can read that [07]:

"Pushes an unmanaged pointer (type native int) to the native code
implementing a specific method onto the evaluation stack."

So, if we have an unmanaged pointer we can simulate the Ldftn with a simple
Ldc_I4 instruction (supposing that we are operating on a 32 bit
environment) [09].

Unfortunately now we have another, even bigger, problem. The calli
instruction needs a callSiteDescr. From [08] we can read that:

"<token> - referred to callSiteDescr - must be a valid StandAloneSig".

The StandAloneSig is the table number 17. As I have already said we cannot
specify this Metadata token (since it probably doesn't exist in the table).

I have played a bit with the calli instruction in order to see if it
accepts also other kinds of Metadata tokens. In the end I discovered that
it also accepts a token from one of the following tables: TypeSpec, Field
and MethodDef.

For our purpose, the MethodDef table is the most interesting one, since we
can fake a valid MethodDef token by creating a DynamicMethod (more on this
later). We can now close the circle by using the calli instruction and
modifying the metadata token in order to specify a MethodDef.

We will use the MethodBase object that we obtained in the previous step in
order to know how many parameters the method accepts and push them in the
stack before invoking calli.

The following F# pseudo-code shows how to build the calli instruction:

------#------#------#------<START CODE>------#------#------#------
// load all arguments on the stack
for i=0 to filteredMethod.NumOfArgumentsToPushInTheStack-1 do
ilGenerator.Emit(OpCodes.Ldarg, i)

// emit calli instruction with a pointer to the dynamic method,
// the token used by the calli is not important as I'll modify it soon
ilGenerator.Emit(OpCodes.Ldc_I4, functionAddress)
ilGenerator.EmitCalli(
OpCodes.Calli,
CallingConvention.StdCall,
dispatcherMethod.ReturnType,
dispatcherArgs)

// this index allow to modify the right byte
let patchOffset = ilGenerator.ILOffset - 4
ilGenerator.Emit(OpCodes.Nop)

// check if I have to pop the return value
match filteredMethod.Method with
| :? MethodInfo as mi ->
if mi.ReturnType <> typeof<System.Void> then
ilGenerator.Emit(OpCodes.Pop)
| _ -> ()

// end method
ilGenerator.Emit(OpCodes.Ret)
------#------#------#------<END CODE>------#------#------#------

The functionAddress variable contains the native pointer of our dynamic
method. One last step is to patch the calli Metadata token with a MethodDef
token whose value we know to be correct. As value we will use the token of
the method that it is being compiled.

The following F# pseudo-code show how to modify the MSIL bytecode at the
right offset:

------#------#------#------<START CODE>------#------#------#------
// craft MethodDef metadata token index
let b1 = (filteredMethod.TokenNum &&& int16 0xFF00) >>> 8
let b2 = filteredMethod.TokenNum &&& int16 0xFF

// calli instruction accept 0x11 as table index (StandAloneSig),
// but seems that also other tables are allowed.
// In particular the following ones seem to be accepted as
// valid: TypeSpec, Field and Method (most important)
trampolineMsil.[patchOffset] <- byte b2
trampolineMsil.[patchOffset+1] <- byte b1
trampolineMsil.[patchOffset + 3] <- 6uy // 6(0x6): MethodDef Table
------#------#------#------<END CODE>------#------#------#------

Since this step is a bit complex let's try to summarize our actions:

1. We use the calli instruction to invoke an arbitrary method by specifying
a native address pointer.

2. We modify the calli metadata token by specifying a MethodDef token and
not a StandAloneSig token.

3. We pass as Metadata token value the token of the method currently
compiled. This kind of token describes the method that must be called.

Our next step is to be sure that the method invoked by calli satisfies the
information contained in the referenced Metadata token.


---[ 4.4 - Crafting a dynamic method

We now have to create the dynamic method that satisfies the information
provided by the token passed to the calli instruction. From [10] we can
read that:

"The method descriptor is a metadata token that indicates the method to
call and the number, type, and order of the arguments that have been placed
on the stack to be passed to that method as well as the calling convention
to be used."

So, in order to create a method that satisfies the signature of the method
referenced by the token we will use a very powerful .NET capability, which
allows us to define dynamic method. This step allows the following:

1. Create a method that has the same signature of the method that will be
compiled. This will guarantee that the information carried by the
metadata token is legit.

2. We are now in a situation where we can specify a valid metadata
token, since the new dynamic type is created in the current execution
environment.

This dynamic method will call another method (a dispatcher) that accepts
two arguments: a string representing the location of the Assembly to load
(more on this later) and an array of objects which contains the arguments
passed to the method.

In creating this method you have to pay attention when creating the objects
array, since in .NET not everything is an object.

The following F# pseudo-code creates the dynamic method with the right
signature:

------#------#------#------<START CODE>------#------#------#------
let argumentTypes = [|
if not filteredMethod.Method.IsStatic then
yield typeof<Object>
yield!
filteredMethod.Method.GetParameters()
|> Array.map(fun p -> p.ParameterType)
|]

let dynamicType =
_dynamicModule.DefineType(
filteredMethod.Method.Name + "_Type" + string(!_index))
let dynamicMethod =
dynamicType.DefineMethod(
dynamicMethodName,
MethodAttributes.Static |||
MethodAttributes.HideBySig |||
MethodAttributes.Public,
CallingConventions.Standard,
typeof<System.Void>,
argumentTypes
)
------#------#------#------<END CODE>------#------#------#------

We can now proceed with the creation of the method body. We need to pay
attention to two facts: ValueType parameters must be boxed, and Enum
parameters must be converted to another form (after some trials and errors
I found that Int32 is a good compromise).

------#------#------#------<START CODE>------#------#------#------
// push the location of the Assembly to load containing the monitors
let assemblyLocation =
if filteredMethod.Filter.Invoker <> null
then filteredMethod.Filter.Invoker.Assembly.Location
else String.Empty
ilGenerator.Emit(OpCodes.Ldstr, assemblyLocation)

// get the parameter types
let parameters =
filteredMethod.Method.GetParameters()
|> Seq.map(fun pi -> pi.ParameterType)
|> Seq.toList

// create argv array
ilGenerator.Emit(OpCodes.Ldc_I4,
filteredMethod.NumOfArgumentsToPushInTheStack)
ilGenerator.Emit(OpCodes.Newarr, typeof<Object>)

// fill the argv array
for i=0 to filteredMethod.NumOfArgumentsToPushInTheStack-1 do
ilGenerator.Emit(OpCodes.Dup)
ilGenerator.Emit(OpCodes.Ldc_I4, i)
ilGenerator.Emit(OpCodes.Ldarg, i)

// check if I have to box the value
if filteredMethod.Method.IsStatic || i > 0 then
// this check is necessary becasue the
// GetParameters method doesn't consider the 'this' pointer
let paramIndex = if filteredMethod.Method.IsStatic then i else i - 1
if parameters.[paramIndex].IsEnum then
// consider all enum as Int32 type to avoid access problems
ilGenerator.Emit(OpCodes.Box, typeof<Int32>)

elif parameters.[paramIndex].IsValueType then
// all value types must be boxed
ilGenerator.Emit(OpCodes.Box, parameters.[paramIndex])

// store the element in the array
ilGenerator.Emit(OpCodes.Stelem_Ref)

// emit call to dispatchCallback
let dispatchCallbackMethod =
Type.GetType("ES.Anathema.Runtime.Dispatcher")
.GetMethod("dispatchCallback", BindingFlags.Static ||| BindingFlags.Public)
ilGenerator.EmitCall(OpCodes.Call, dispatchCallbackMethod, null)

ilGenerator.Emit(OpCodes.Ret)
------#------#------#------<END CODE>------#------#------#------

The call will end up invoking a framework method that is in charge for the
dispatch of the call to the user defined code.


---[ 4.5 - Invoking the user defined code

In order to make the code easy to extend, we can implement a mechanism that
will load a user defined Assembly and invoke a specific method. In this way
we have an architecture that resembles that of a plugin-based architecture.
We call these plugins: monitors. Each monitor can be configured in order to
intercept a specific method.

In order to locate the monitors we will use the software design paradigm
"convention over configuration", which implies that all classes whose name
ends in "Monitor" are loaded.

This last method is very simple, it just retrieves the MethodBase object
from the stack in order to pass it to the monitor and finally invoke it.
The assemblyLocation parameter is the one that specifies where the user
defined Assembly is located.

------#------#------#------<START CODE>------#------#------#------
let dispatchCallback(assemblyLocation: String, argv: Object array) =
if File.Exists(assemblyLocation) then
let callingMethod =
try
// retrieve the calling method from the stack trace
let stackTrace = new StackTrace()
let frames = stackTrace.GetFrames()
frames.[2].GetMethod()
with _ -> null

// invoke all the monitors, we use "convention over configuration"
let bytes = File.ReadAllBytes(assemblyLocation)
for t in Assembly.Load(bytes).GetTypes() do
try
if t.Name.EndsWith("Monitor") && not t.IsAbstract then
let monitorConstructor =
t.GetConstructor([|
typeof<MethodBase>;
typeof<Object array>|])
if monitorConstructor <> null then
monitorConstructor.Invoke([|callingMethod; argv|]) |> ignore
with _ -> ()
------#------#------#------<END CODE>------#------#------#------


---[ 4.6 - Fixing the SEH table

We are near the end, we have modified the MSIL bytecode, we have created a
dynamic method and a trampoline. The final step is to write back the
CORINFO_METHOD_INFO structure and call the real compileMethod.
Unfortunately by doing so you will soon receive a runtime error when you
try to instrument a method that uses a try/catch clause.

This is due to the fact that the creation of the trampoline has made the
SEH table invalid. This table contains information on the portions of code
that are inside try/catch clauses. From [11] we can see that by adding
additional MSIL code, the properties TryOffset and HandlerOffset will
assume an invalid value.

This table is located after the IL Code, as shown in the following
diagram:

+--------------------+
| |
| Fat Header |
| |
+--------------------+
| |
| |
| IL Code |
| |
| |
+--------------------+
| |
| SEH Table |
| |
+--------------------+

We also have a confirmation from the source code, in fact in corhlpr.cpp
([12]) we can see that the SEH table is added to the outBuff variable after
that was already filled with the IL code.

So, to get the address of the SEH table it is enough to add to the IlCode
pointer, located in the CorMethodInfo structure, the length of the MSIL
code.

Before showing the code that does that we have to take into account that
the SEH Table can be of two different types: FAT or SMALL. What changes is
only the dimensions of its fields. So fixing this table it is just a matter
of locating it and enumerating each clause to fix their values.

The following F# pseudo-code does exactly this:

------#------#------#------<START CODE>------#------#------#------
let fixEHClausesIfNecessary(
methodInfo: CorMethodInfo,
methodBase: MethodBase,
additionalCodeLength: Int32) =
let clauses = methodBase.GetMethodBody().ExceptionHandlingClauses
if clauses.Count > 0 then
// locate SEH table
let codeSizeAligned =
if (int32 methodInfo.IlCodeSize) % 4 = 0 then 0
else 4 - (int32 methodInfo.IlCodeSize) % 4
let mutable startEHClauses =
methodInfo.IlCode +
new IntPtr(int32 methodInfo.IlCodeSize + codeSizeAligned)

let kind = Marshal.ReadByte(startEHClauses)
// try to identify FAT header
let isFat = (int32 kind &&& 0x40) <> 0

// it is always plus 3 because even if it is small it is
// padded with two bytes. See: Expert .NET 2.0 IL Assembler p. 296
startEHClauses <- startEHClauses + new IntPtr(4)

for i=0 to clauses.Count-1 do
if isFat then
let ehFatClausePointer =
box(startEHClauses.ToPointer())
 :?> nativeptr<CorILMethodSectEhFat>
let mutable ehFatClause = NativePtr.read(ehFatClausePointer)

// modify the offset value
ehFatClause.HandlerOffset <-
ehFatClause.HandlerOffset + uint32 additionalCodeLength
ehFatClause.TryOffset <-
ehFatClause.TryOffset + uint32 additionalCodeLength

// write back the result
let mutable oldProtection = uint32 0
let memSize = Marshal.SizeOf(typeof<CorILMethodSectEhFat>)
if not <| VirtualProtect(
startEHClauses,
uint32 memSize,
Protection.PAGE_READWRITE,
&oldProtection) then
Environment.Exit(-1)

let protection = Enum.Parse(
typeof<Protection>,
oldProtection.ToString()) :?> Protection
NativePtr.write ehFatClausePointer ehFatClause

// repristinate memory protection flags
VirtualProtect(
startEHClauses,
uint32 memSize,
protection,
&oldProtection) |> ignore

// go to next clause
startEHClauses <- startEHClauses + new IntPtr(memSize)
else
//... do same as above but for small size table
------#------#------#------<END CODE>------#------#------#------

Once we have fixed this table we can finally invoke the real compileMethod.


--[ 5 - Real world examples

The code presented is part of a project called Anathema that will allow you
to easily instrument .NET programs. Let's try to use the framework by
instrumenting a web application in order to steal the user passwords and to
instrument a real world malware in order to log all method calls.


---[ 5.1 - Web application password stealer

Let's see how we can use this instrumentation method in order to implement
a password stealer for a web application. For our demo we will use a very
popular .NET web server called Suave ([13]). We will write the web
application in F# and the password stealer as a C# console application, in
this way we can instrument the interesting method before it is compiled. In
the other case we have to force the .NET runtime to recompile the method in
order to apply the instrumentation (see [14] for a possible approach).

The web application is very simple and contains only a form; its HTML code
is shown below:

------#------#------#------<START CODE>------#------#------#------
<h1>-= Secure Web Shop Login =-</h1>
<form method="POST" action="/login">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Login"></td>
</tr>
</table>
</form>
------#------#------#------<END CODE>------#------#------#------

The F# code in charge for the authentication is the following:

------#------#------#------<START CODE>------#------#------#------
let private _accounts = [
("admin", BCrypt.HashPassword("admin"))
("guest", BCrypt.HashPassword("guest"))
]

let private authenticate(username: String, password: String) =
_accounts
|> List.exists(fun (user, hash) ->
let usernameMatch = user.Equals(username, StringComparison.Ordinal)
let passwordMatch = BCrypt.Verify(password, hash)
usernameMatch && passwordMatch
)

let private doLogin(ctx: HttpContext) =
match (tryGetParameter(ctx, "username"), tryGetParameter(ctx, "password")) with
| (Some username, Some password) when authenticate(username, password) ->
OK "Authentication successfully executed!" ctx
| _ -> OK "Wrong username/password combination" ctx
------#------#------#------<END CODE>------#------#------#------

So, the best way to intercept passwords is the 'authenticate' method. We
will start by creating a class in charge of printing the received password,
this is done by creating the following simple class:

------#------#------#------<START CODE>------#------#------#------
class PasswordStealerMonitor
{
public PasswordStealerMonitor(MethodBase m, object[] args)
{
Console.WriteLine(
"[!] Username: '{0}', Password: '{1}'",
args[0],
args[1]);
}
}
------#------#------#------<END CODE>------#------#------#------

Now, the final step is to instrument the application, this is done using
the following code:

------#------#------#------<START CODE>------#------#------#------
// create runtime
var runtime = new RuntimeDispatcher();
var hook = new Hook(runtime.CompileMethod);
var authenticateMethod = GetAuthenticateMethod();
runtime.AddFilter(
typeof(PasswordStealerMonitor),
"SecureWebShop.Program.authenticate");

// apply hook
var jitHook = new JitHook();
jitHook.InstallHook(hook);
jitHook.Start();

// start the real web application
SecureWebShop.Program.main(new String[] { });
------#------#------#------<END CODE>------#------#------#------

Once the web application is run and we try to login, we will see the
following output in the console:

-= Secure Web Shop =-
Start web server on 127.0.0.1:8080
[14:45:49 INF] Smooth! Suave listener started in 631.728 with binding 127.0.0.1:8080
[!] Username: 's4tan', Password: 'wrong_password'
[!] Username: 'admin', Password: 'admin'


---[ 5.2 - Malware inspection

Let's consider a sample of the Hawkeye malware, written in .NET, with the
following MD5 hash: 130efba199b389ab71a374bf95be2304.

The sample contains two levels of packing. We could trace the packers but
let's focus on the main payload (MD5: 97d74c20f5d148ed68e45dad0122d3b5).
When the main payload is launched the following method calls are logged:

c:\>MLogger.exe malware.exe
[+] Debugger.My.MyApplication.Main(Args: System.String[]) : System.Void
[+] Debugger.My.MyProject..cctor()
[...]
[+] Debugger.My.MyProject.get_Application() : Debugger.My.MyApplication
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyApplication..ctor()
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyProject+MyForms..ctor()
[+] Debugger.Debugger..ctor()
[+] Debugger.Clipboard..ctor()
[+] Debugger.Clipboard.add_Changed(obj: Debugger.Clipboard+ChangedEventHandler)
 : System.Void
[+] Debugger.My.Resources.Resources.get_CMemoryExecute() : System.Byte[]
[+] Debugger.My.Resources.Resources.get_ResourceManager() :
System.Resources.ResourceManager
[+] Debugger.Debugger.InitializeComponent() : System.Void
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[+] Debugger.Debugger.Decrypt(
encryptedBytes: System.String, secretKey: System.String) : System.String
[+] Debugger.Debugger.getAlgorithm(secretKey: System.String) :
System.Security.Cryptography.RijndaelManaged
[...]
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.Debugger.GetInternalIP() : System.String
[+] Debugger.Debugger.GetExternalIP() : System.String
[+] Debugger.Debugger.GetBetween(
Source: System.String, Before: System.String, After: System.String) : System.String
[+] Debugger.Debugger.GetAntiVirus() : System.String
[+] Debugger.Debugger.GetFirewall() : System.String
[+] Debugger.Debugger.unHide() : System.Void
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyComputer..ctor()
[+] Debugger.Debugger.unhidden(path: System.String) : System.Void
[...]
[+] Debugger.My.Resources.Resources.get_mailpv() : System.Byte[]
[+] Debugger.My.Resources.Resources.get_ResourceManager() :
System.Resources.ResourceManager
[+] Debugger.Debugger.HookKeyboard() : System.Void
[+] Debugger.Clipboard.Install() : System.Void
[+] Debugger.My.MyProject+ThreadSafeObjectProvider`1.get_GetInstance() : T
[+] Debugger.My.MyComputer..ctor()
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.Debugger.IsConnectedToInternet() : System.Boolean
[+] Debugger.My.MyProject.get_Computer() : Debugger.My.MyComputer
[...]


--[ 6 - Conclusion

Instrumenting a .NET program via MSIL bytecode injection is a pretty useful
technique that allows you to have full control of method invocation by
using a high level .NET language.

As we have seen, doing so requires a lot of attention and knowledge of the
internal workings of the CLR, but in the end the outcome is worth the
trouble.


--[ 7 - References

[01] Metadata and Self-Describing Components - https://goo.gl/bbSG7p
[02] The .NET File Format - http://www.ntcore.com/files/dotnetformat.htm
[03] Standard ECMA-335 - https://goo.gl/J9kko6
[04] corjit.h - https://goo.gl/J68Poi
[05] corinfo.h - https://goo.gl/G31KHP
[06] OpCodes.Calli Field - https://goo.gl/D7ug93
[07] OpCodes.Ldftn Field - https://goo.gl/sHzz1S
[08] Expert .NET 2.0 IL Assembler - https://goo.gl/3LKLSW
[09] OpCodes.Ldc_I4 Field - https://goo.gl/qEW2Lx
[10] OpCodes.Call Field - https://goo.gl/29rqZk
[11] ExceptionHandlingClause Class - https://goo.gl/bjLqSv
[12] corhlpr.cpp - https://goo.gl/DDVKgH
[13] Suave web server - https://suave.io/
[14] .NET CLR Injection - https://goo.gl/nryxYB
Also listed in: .NET Code Injection Tools, .NET Tracers, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bad Net Opcodes Finder
Rating: 0.0 (0 votes)
Author: whoknows                        
Website: http://portal.b-at-s.info/download.php?view.439
Current version: 0.6 beta
Last updated: December 18, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: A tool used to fix a nasty anti-decompiler trick, the trick is based on using invalid opcodes to make the decompilation process impossible with tools like Reflector.
So you can use this tool to kill these nasty invalid opcodes and see the code again in Reflector, You will find a small video which explains how to use this tool.
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Bastard
Rating: 0.0 (0 votes)
Author:                         
Website: http://bastard.sourceforge.net
Current version: 0.16
Last updated: 2002
Direct D/L link: N/A
License type: Free / Open Source
Description: The Bastard is a disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and various other operations. The x86 instruction disassembler written for this project has been packaged seperately as libdisasm, and is intended to be used in other open source projects.

This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. Now, on top of this any number of UI front ends can be stacked -- ncurses console front ends, Gtk X front-ends, Tk front ends, etc. It is the reponsibility of the front-ends to display the information obtained by querying the disassembler, supplying syntax highlighting, displaying strings, xrefs, etc; however the disassembler will retain all of this information, do all of the 'brute' processing, and will provide any of the information when requested.

The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin].
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burndump
Rating: 0.0 (0 votes)
Author: ByteRage                        
Website: http://www.securiteam.com/tools/5BP0H0U7PQ.html
Current version: 1.0
Last updated: July 13, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burndump is a LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host-fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks.
Also listed in: Linux Unpackers, Automated Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Burneye
Rating: 1.0 (1 vote)
Author: TESO                        
Website: https://teso.scene.at/releases.php
Current version: 1.0.1
Last updated: December 24, 2002
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Burneye ELF encryption program, with full source and docs.
Also listed in: Packers, Linux Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: COMRaider
Rating: 0.0 (0 votes)
Author: David Zimmer                        
Website: http://sandsprite.com/blogs/index.php?uid=7&pid=185
Current version:
Last updated: November 8, 2006
Direct D/L link: https://github.com/dzzie/COMRaider/raw/master/COMRaider_Setup.exe
License type: Free
Description: Update: This tool is no longer available through the iDefense website. The author has made a copy available through github.

COMRaider is a tool designed to fuzz COM Object Interfaces. It can also extract information about them and their interfaces etc.

Features include:

* Capability to easily enumerate safe for scripting objects
* Ability to scan for COM objects by path, filename, or guid
* Integrated type library viewer
* Integrated debugger to monitor exceptions, close windows,log api
* External vbs script allows you to easily edit fuzzer permutations
* Built in webserver to test exploits on the fly
* Enumerate and view controls with killbit set
* Distributed auditing mode to allow entire teams to work together
* Ability to upload crash files to central server for group analysis
* Automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CSharpFuscator
Rating: 0.0 (0 votes)
Author: papanyquiL                        
Website: http://portal.b-at-s.info/news.php
Current version: 1.0
Last updated: June 24, 2009
Direct D/L link: http://portal.b-at-s.info/request.php?275
License type: Free
Description: The CSharpFuscator tool scrambles .NET source code to make it very difficult to understand or reverse-engineer. This provides significant protection for source code intellectual property, and even provides protection against the all-too-disassembly of .NET object code.
Also listed in: .NET Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: CoClassSyms
Rating: 0.0 (0 votes)
Author: Matt Pietrek                        
Website: http://www.microsoft.com/msj/0399/comtype/comtype.aspx
Current version: 1.0
Last updated: March 1999
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: "CoClass" in the "CoClassSyms" name refers to the TKIND_COCLASS entries in the typelib from which the symbols are created. CoClassSyms is a command-line program that operates on executable files containing a type library. This can be an .OCX or some other DLL such as MSHTML.DLL (which is a core component of Microsoft Internet Explorer).

The output from CoClassSyms is either a .MAP or .DBG file. The code included with this article only supports .MAP file generation. However, if you drop in the DLL from this month's Under the Hood column, CoClassSyms generates a .DBG file instead. In either case, the output file has the same root file name as the input executable. Thus, running CoClassSyms on MSHTML.DLL creates MSHTML.MAP or MSHTML.DBG.

Regardless of whether you make a .MAP or .DBG file, you'll no doubt want to get the debugger to recognize and load the symbol information. If you generate a .DBG file, make sure it is in the same directory as the associated executable. In my experience, the Visual Studio 6.0 debugger automatically loads the .DBG file as needed. Using WinDBG, I had to explicitly load the .DBG file in the command window. I wasn't able to get Visual Studio 5.0 to load the .DBG file, but I couldn't determine the cause of the problem.

If everything goes well and the debugger loads your generated .DBG file, you should be able to set breakpoints by name on the methods. (Hint: you may want to first generate a .MAP file to get an idea of the available method names.) Of course, since you likely don't have source code for the executable, you'll be in the assembly language view when the breakpoints hit. You should also see method names in the call stack.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Damn Vulnerable Linux
Rating: 0.0 (0 votes)
Author: Zero                        
Website: http://www.DamnVulnerableLinux.org
Current version: Damn Vulnerable Linux 1.5 (Infectious Disease)
Last updated: January 26, 2009
Direct D/L link: http://www.computerdefense.org/dvl/DVL_1.5_Infectious_Disease.iso
License type: Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
Description: Release date: 01/26/2009. Fixed many bugs (e.g. wrong postgres path), added several tools.

This release contains 99% of all available Linux RCE tools!

Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. Damn Vulnerable Linux (DVL) is highly integrated into the community project crackmes.de (http://www.crackmes.de) and is frequently updated with new community provided lessons. Damn Vulnerable Linux (DVL) is your place either to get the latest Damn Vulnerable Linux (DVL) distribution, to get new lessons, or to submit own lessons based on the Damn Vulnerable Linux (DVL) training system.

The constant website for Damn Vulnerable Linux (DVL) is located at http://www.damnvulnerablelinux.org . Damn Vulnerable Linux (DVL) is for educational purposes only!

Actually, it is a perverted Linux distribution made to be as insecure as possible. It is collection of IT-Security tools. Additional it includes a fullscaled lesson based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. As well it can be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as much training options as it can. It contains a huge ammount of lessons including lesson description - and solutions if the level has been solved by a community member at crackmes.de.

Damn Vulnerable Linux (DVL) is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it's best you stop playing with this system.
Also listed in: Linux Tools, Reverse Engineering Frameworks
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: de4dot
Rating: 0.0 (0 votes)
Author: 0xd4d                        
Website: https://bitbucket.org/0xd4d/de4dot/
Current version: 2.0.3
Last updated: January 12, 2013
Direct D/L link: https://bitbucket.org/0xd4d/de4dot/downloads
License type: GPLv3
Description: de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Features:
-Inline methods. Some obfuscators move small parts of a method to another static method and calls it.
-Decrypt strings statically or dynamically
-Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
-Decrypt methods statically or dynamically
-Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
-Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
-Devirtualize virtualized code
-Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
-Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
-Remove tamper detection code
-Remove anti-debug code
-Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
-Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
-Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
-Removes most/all junk classes added by the obfuscator.
-Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
-Restore the types of method parameters and fields

Supported obfuscators/packers:
Agile.NET (aka CliSecure)
Babel.NET
CodeFort
CodeVeil
CodeWall
CryptoObfuscator
DeepSea Obfuscator
Dotfuscator
.NET Reactor
Eazfuscator.NET
Goliath.NET
ILProtector
MaxtoCode
MPRESS
Rummage
Skater.NET
SmartAssembly
Spices.Net
Xenocode
Also listed in: .NET Deobfuscation Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Deblector
Rating: 0.0 (0 votes)
Author: Felice Pollano, Matthew Yee                        
Website: http://www.codeplex.com/deblector
Current version: 1.1
Last updated: March 1, 2010
Direct D/L link: http://www.codeplex.com/Project/Download/FileDownload.aspx?ProjectName=deblector&DownloadId=18153
License type: Free / Open Source
Description: Plug-in for .NET Reflector that allows you to debug .NET processes from within .NET Reflector.
Also listed in: .NET Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Detect It Easy
Rating: 0.0 (0 votes)
Author: Hors                        
Website: http://ntinfo.biz
Current version: 1.01
Last updated: March 23, 2016
Direct D/L link: https://www.dropbox.com/s/h3sjlmhgcx7qfx2/DIE_1.01_win.zip?dl=1
License type: Free (both for commercial and non-commercial usage) and open source
Description: Detect it Easy

Detect It Easy, or abbreviated “DIE” is a program for determining types of files.

“DIE” is a cross-platform application, apart from Windows version there are also available versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow to use third-party signatures. Unfortunately, those signatures scan only bytes by the pre-set mask, and it is not possible to specify additional parameters. As the result, false triggering often occur. More complicated algorithms are usually strictly set in the program itself. Hence, to add a new complex detect one needs to recompile the entire project. No one, except the authors themselves, can change the algorithm of a detect. As time passes, such programs lose relevance without the constant support.

Detect It Easy has totally open architecture of signatures. You can easily add your own algorithms of detects or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript and any person, who understands the basics of programming, will understand easily how it works. Possibly, someone may decide the scripts are working very slow. Indeed, scripts run slower than compiled code, but, thanks to the good optimization of Script Engine, this doesn\'t cause any special inconvenience. The possibilities of open architecture compensate these limitations.

DIE exists in three versions. Basic version (“DIE”), Lite version (“DIEL”) and console version (“DIEC”). All the three use the same signatures, which are located in the folder “db”. If you open this folder, nested sub-folders will be found (“Binary”, “PE” and others). The names of sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures, which lie in the corresponding folder. Currently the program defines the following types:

• MSDOS executable files MS-DOS

• PE executable files Windows

• ELF executable files Linux

• MACH executable files Mac OS

• Text files

• Binary all other files
Also listed in: .NET Packers, Compiler Identifiers, Entropy Analyzers, Exe Analyzers, Linux Tools, Mac OS Tools, PE EXE Signature Tools, PE Executable Editors, Packer Identifiers, Tool Signatures
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DisasMSIL
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/Files/disasmsil.htm
Current version: 1.0
Last updated: April 30, 2008
Direct D/L link: http://ntcore.com/Files/disasmsil/DisasMSIL.zip
License type: Free / Open source
Description: DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

Note: Don't rely on the ECMA specification (Partition III: Common Language Infrastructure), since it's incomplete. Some new opcodes were introduced with the .NET Framework 2.0.
Also listed in: .NET Disassembler Libraries
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dot Net String Decoder
Rating: 0.0 (0 votes)
Author: DARKER                        
Website: http://progress-tools.x10.mx/dnsd.html
Current version: 1.10
Last updated: April 17, 2013
Direct D/L link: http://progress-tools.x10.mx/dnsd.zip
License type: Freeware
Description: Description:
Program can list or decrypt strings used in .NET executable based on user decryption plugins and rebuild new assembly with decoded strings. Method names, control flow etc. are unchanged in assembly!

Features:
- List all strings that are used in .NET executable
- Generic search for decoding function like: DecodeFunction(Byval Coded_String as String) As String
- Decrypt strings based on your own plugin
- Very simple plugin interface (C#, VB.NET)
- Preview of string decryption (checking results)
- Rebuild application with decoded strings (removing decoding function)
- Explorer with all methods for fast navigation
- Export method tree to text file
- Fast string extraction
- Very good and easy searching
- Export strings to text file for further processing
- DisAssemble selected method
- Instruction coloring for fast navigation (Strings, Numbers, Calls, Jumps)
- See real file offset and opcode bytes
- Jump from opcode to file with hexeditor (patching)
Also listed in: .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotFuckScator v1.3
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: v1.3
Last updated: May 9, 2009
Direct D/L link: http://reteam.org/tools/tf35.zip
License type: Free
Description: DotFuckScator.V1.3

DotFuckScator is a reversing engineering tool used to remove string encryption
from dotfuscator protected files

If the original file was strong name signed DotFuckScator will create a new keypair
and re-sign the file with this pair, be carefull since file depending on this file will
need to be edited manualy to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice

Also if you like the file re-signed with a specific key place your key in the same
folder as the file you are about to process and rename it to DotFuckScator.snk
now DotFuckScator will use this key for the re-sign process.

Hope this tool is of any use

Changes:
* v1.1 has a minor bugfix that prevented some strings from proper decrypting
* v1.2 small bugfix in re-signing, added indicator to show the amount of
strings decrypted so far
* v1.3 Fixed royal fuck-up in string decryption code replacement function
meaning the output will now run after string decryption removal ;x
Also listed in: .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotNET Tracer
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11859
Current version: 1.1
Last updated: February 15, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background.

1- Select the assembly you want to analyze
2- Set the Events Mask, i.e Events you want to catch
3- Click "Start"

This version can handle all .net assemblies from 2.0 up to 4.0.

I hope it's useful and as always bug reports are welcome.
Also listed in: .NET Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNet Protector Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Fonctions.aspx
Current version: 5.5.3972
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotnetprotector5/dotNetProtectorX86.msi
License type: Commercial (with full featured trial)
Description: dotNet Protector is a powerful .NET code protection system that prevents your assemblies from being decompiled. With dotNet Protector, your application is not simply obfuscated, but method bodies are encrypted. EXE DLL, ASPNET and SQL assemblies can be protected. You can protect a whole application (main exe, referenced dlls) in a single executable. Your .NET code will run entirely from memory, without temporary disk storage.

Protection can be done interactively with an intuitive graphical interface, or automated, using the command-line functionalities of dotNet Protector.

dotNet Protector includes a powerful hardware sensitive anti-piracy system and extensions to help you develop your own software activation system. dotNet Protector is self-protected and uses its internal software activation system.
Also listed in: .NET Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNet Sniffer Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 2.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetSnifferWin32.msi
License type: Free
Description: dotNet Sniffer 2 uses the .NET profiler API to save assemblies loaded from memory. Once a module is handled by the .NET Framework, dotNet Sniffer saves it to disc if it was loaded from memory. Some tools are changing the module (decrypt methods ...) after loading; dotNet Sniffer allows you to save the module again during the execution of the first method (JIT). The profiler will be active only for the process to start; installing dotNet Sniffer will not affect the performance of other .NET programs. dotNet Sniffer 2 is available for 32-bit and 64-bit processors. 64-bit versions also install the 32-bit profiler and can save indifferently 32-bit and 64-bit processes. If you use 64-bit Windows, install only the 64-bit version suitable for your processor.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotNetTools Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8. 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi
License type: Free
Description: dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog Deobfuscator is a MSIL code optimizer that makes more readable obfuscated code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly.
Also listed in: .NET Deobfuscation Tools, .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: DotNetasploit
Rating: 0.0 (0 votes)
Author: Jon McCoy                        
Website: http://digitalbodyguard.com/DotNetasploit.html
Current version: 2.5
Last updated: August 2010
Direct D/L link: Locally archived copy
License type: Free
Description: DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.
Also listed in: .NET Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: dotPeek
Rating: 0.0 (0 votes)
Author: Jetbrains                        
Website: http://www.jetbrains.com/decompiler/
Current version: 1.4
Last updated: April 8, 2015
Direct D/L link: http://download.jetbrains.com/resharper/dotPeek32_1.4.exe
License type: Free
Description: A free replacement of Reflector

- Decompiling .NET 1.0-4.5 assemblies to C#
- Support for .dll, .exe, .zip, .vsix, .nupkg, and .winmd files
- Quick jump to a type, assembly, symbol, or type member
- Effortless navigation to symbol declarations, implementations, derived and base symbols, and more
- Accurate search for symbol usages with advanced presentation of search results
- Overview of inheritance chains
- Support for downloading code from source servers
- Syntax highlighting
- Complete keyboard support
Also listed in: .NET Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dotnet IL Editor (DILE)
Rating: 0.0 (0 votes)
Author: zsozsop                        
Website: http://sourceforge.net/projects/dile
Current version: 0.2.6
Last updated: September 30, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.
Also listed in: .NET Debuggers, .NET Disassemblers, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Dumbassembly
Rating: 0.0 (0 votes)
Author: arc_                        
Website: http://www.woodmann.com/forum/showthread.php?13739-smartassembly-protection-analysis-unpacker-(with-source)
Current version: 0.5.8
Last updated: January 14, 2012
Direct D/L link: http://www.mediafire.com/?lunow30hx22wao1
License type: Open source
Description: DumbAssembly is an automatic unpacker for the RedGate SmartAssembly .NET protector. It supports versions of SmartAssembly up to 6.5.1 and removes the following protections:
* Code flow obfuscation
* Import obfuscation
* String encryption
* Resource encryption
* Assembly embedding and encryption
* Tamper detection

If the input assembly was signed, the unpacked assembly is automatically re-signed with a randomly generated (or manually specified) strong name key pair.

All occurrences of the original public key or public key token in the binary are replaced by the new ones.

The archive contains binaries and the complete source code.
Also listed in: .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ERESI Framework
Rating: 0.0 (0 votes)
Author: The ERESI Project                        
Website: http://www.eresi-project.org
Current version: 0.82b2
Last updated: September 13, 2009
Direct D/L link: N/A
License type: Free / Open Source
Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet).

Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg : the embedded debugger library which operates from inside the debuggee program.
* libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands.
* libmjollnir : the code fingerprinting and graph manipulation library.
* librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library.
* libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs.
* libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types.
Also listed in: Code Injection Tools, Linux Debuggers, Linux Disassemblers, Reverse Engineering Frameworks, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: GUID-Finder
Rating: 0.0 (0 votes)
Author: Sirmabus                        
Website: http://www.openrce.org/repositories/users/Sirmabus
Current version: 1.0b
Last updated: January 17, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: A GUID/UUID finding/fixing IDA plug-in.

The COM side of RE'ing (at least with "dead listing") can be pretty elusive.
With this you can at least partially glean what interfaces and classes a target is
using.

This plug-in scans the IDB for class and interfaces GUIDs and creates the matching
structure with label. IDA can find these on it's own, but it often misses them, so
this can fill in the gap.
Plus this plug-in allows you to easily add custom declarations, and is handy to do
a general audit for such GUIDs.

This is based Frank Boldewin's IDA Python script that you can find here:
http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames
or off his home page:
http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip

It's a great utility, I found me self using it regularly. But I wanted one that
wasn't dependant on IDA Python, and one that might be a bit faster.
I've made some enhancements too (see below).

Some interesting reading:
http://en.wikipedia.org/wiki/Globally_Unique_Identifier
http://en.wikipedia.org/wiki/UUID

[How to run it]
Just invoke it using your selected IDA hot-key, or from "Edit->Plugins".
Normally you will want to keep the ""Skip code segments for speed"" check box checked,
because it can make a big difference in the run time. With unchecked, code segments are
also scanned. You'll want to scan the code to if the target is a Delphi, or others where
data tends to be code/.text segment, or if you just want to be more thorough.

It might take some time to scan everything depending on the size of the IDB your computer,
etc..

When it's done, you should see a list of interfaces and classes in the IDA log window.
If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on
the line and IDA will jump to it.


[How it works]
1. Loads in GUID/UUID defs for the two text files "Interfaces.txt" and "Classes.txt".
A little enhancement here over Frank's format, you can have blank lines and have
comments prefixed with '#' (first char, whole line only. Not a very forgiving parser).

In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib")
to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs
plus all the ones to be found in VS2005 libraries along with DirectX 9.1,.

There could be more explicitly created in header (.h/.hpp) files but have yet to make
a utility to parse them.

If you want to add custom GUID defines (from 3rd party software, etc.), just edit
these text files manually.

2. After it loads in the defs, the plug-in iterates through all segments in your currently
open IDB. By default it will skip code/".text" segments, and import/export segments for
speed. Usually you find GUIDs in the ".rdata", and ".data" segments.

I originally intended to sort all the GUIDs by similarity and search with partial wild
cards for speed. If you take a look at the GUID defs you will see that many GUIDs share
common numbers that often differ only be the least significant digits ("Data4").
At least in theory, searching for groups wild cards should make searching faster.
Maybe next version..


[Known problems/issues/limitations]
1. If a given GUID 16byte def just so happens to match something that is not really a GUID,
the plug-in will try to convert it to one regardless (another reason not to run it
over code sections). So far I have not found this to be much of issue, although it could
be. Could add a confirm dialog for each to let the user decide.

2. Some GUID set operations will fail. This is usually because something is bad/wrong at the
particular address; like a partial code def, or incorrect xref.
The plug-in will display most of these errors in the IDA log window for manual correction.

3. TODO: Other GUID times like "DIID", "LIBID", "CATID", usefull?
Also listed in: COM Debugging Tools, IDA Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Guid Scanner
Rating: 0.0 (0 votes)
Author: ajron                        
Website: http://ajron.vtools.pl/en/guidscanner.html
Current version: build 101114
Last updated: November 14, 2010
Direct D/L link: http://vtools.pl/pliki/scan4g.rar
License type: Free
Description: This tool scans PE files (exe, dll, etc.) for Globally Unique IDentifiers (Classes and Interfaces) in 16-bytes binary form. The results can be copied to the clipboard or saved as a script for the IDA disassembler and applied in the IDA database.

Usage:
scan4g.exe [path]
Also listed in: COM Debugging Tools, IDA Extensions
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: HT Editor
Rating: 0.0 (0 votes)
Author: Stefan Weyergraf (steveman), Sebastian Biallas (seppel)                        
Website: http://hte.sourceforge.net/
Current version: 2.0.21
Last updated: November 20, 2012
Direct D/L link: http://hte.sourceforge.net/downloads.html
License type: GPL2
Description: General features

Supported file formats
common object file format (COFF/XCOFF32)
- header
- image with code/data analyser (x86)

executable and linkable format (ELF)
- header
- section headers
- program headers
- symbol tables
- image with code/data analyser (x86, AMD64, IA-64, Alpha, PowerPC, ARM) and relocations

linear executables (LE)
- header
- VxD descriptor
- object table
- page table
- image with code/data analyser (x86)
- auto-relocation layer (only internal refs for now)

standard dos executables (MZ)
- header
- relocations
- image (disassembly only)

new executables (NE)
- header
- segments
- names
- entrypoints
- image with code/data analyser (x86)
- auto-relocation layer (pretty complete)

portable executables (PE32, PE64)
- header
- import section
- delay-import section
- export section
- resources
- image with code/data analyser (x86, AMD64, PowerPC, IA-64, Alpha, ARM)
- preliminary support for .net executables

java class files (CLASS)
- header
- image with code/data analyser (java bytecode disassembler)

Mach exe/link format (MachO)
- header
- image with code/data analyser (x86, AMD64, PowerPC, ARM)

X-Box executable (XBE)
- header
- imports
- image with code/data analyser (x86)

Flat (FLT)
- header
- image with data analyser (no disassembler yet)

PowerPC executable format (PEF)
- header
- imports - image with code/data analyser (PowerPC)

Still some to be implemented (M$-OBJ, ARCH, LX)

Code & Data Analyser
- finds branch sources and destinations recursively
- finds procedure entries
- creates labels based on this information
- creates xref information
- allows to interactively analyse unexplored code (press 'c')
- allows to create/rename/delete labels (press 'n')
- allows to create/edit comments (press '#')

Target systems
- DJGPP
- GNU/Linux
- FreeBSD
- Win32
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: ILSpy
Rating: 0.0 (0 votes)
Author: David Srbecky                        
Website: http://wiki.sharpdevelop.net/ILSpy.ashx
Current version: 1.0.0.729
Last updated: April 12, 2011
Direct D/L link: http://build.sharpdevelop.net/BuildArtefacts/#ILSpy
License type: Open-source
Description: ILSpy is the open-source .NET assembly browser and decompiler.

Development started after Red Gate announced that the free version of .NET Reflector would cease to exist by end of February 2011.

ILSpy Features:

Assembly browsing
IL Disassembly
Decompilation to C#
Supports lambdas and 'yield return'
Saving of resources
Search for types/methods/properties (substring)
Hyperlink-based type/method/property navigation
Base/Derived types navigation
Navigation history
BAML to XAML decompiler
Save Assembly as C# Project
Find usage of field/method
Extensibile via plugins (MEF)
Also listed in: .NET Decompilers, .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: lida
Rating: 0.0 (0 votes)
Author: Mario Schallner                        
Website: http://lida.sourceforge.net
Current version: 00.03.00
Last updated: December 5, 2004
Direct D/L link: N/A
License type: Free / Open Source
Description: lida is basically a disassembler and code analysis tool. It uses the bastards libdisasm for single opcode decoding (see http://bastard.sourceforge.net/libdisasm.html). It allows interactive control over the generated deadlisting via commands and builtin tools.


Short Overview of (planned) features:

* ELF, RAW file disassembly (generating stringtable, symboltable, crossreferences, ... )
* trace execution flow of binary
* work with symbolic names: interactive naming of functions, labels, commenting of code
* scan for known anti-debugging, anti-disassembling techniques
* scan for user defined code sequences
* integrated patcher
* integrated cryptoanalyzer
* handy ("intelligent") browsing
* openssl support (customizeable "init values", apply to programs datablocks)


Why lida?

The project lida was initiated because of the lack of handy reverse engineering software for linux. Therefore it is designed to (and should) fit several needs of some typical reverse-engineering sessions.
lida addresses people who like to work on deadlistings, and should be especially useful for people with previous experience in windows reverse engineering. lida should be a good "entry point" for examining the "new targets".
A typical use is to run it while debugging your program and comment the deadlisting / name functions with the information gathered.

So basically it is a disassembler. Why another one? :)

Many disassemblers out there use the output of objdump - lida tries a more serious approach. The several limitations of objdump (see 3.1) are broken by using libdisasm (thx to HCUNIX!), and by tracing the execution flow of the program.
Further, by having the control over the disassembly - more features can be included. Everybody who has already worked on some deadlisting will immediate feel a need to work interactive with the code - and be able to change it.
Therefore lida will have an integrated patcher, resolves symbolic names, provides the ability to comment the code, serves efficient browsing methods, ...
The more exotic features of lida should be on the analysis side. The code can be scanned for custom sequences, known antidebugging techniques, known encryption algorithms, ... also you will be able to directly work with the programs data and for example pass it to several customizable en-/decryption routines.
This of course only makes limited sense as it is not a debugger. Tough often I really missed this functionality.
Also listed in: Disassemblers, Linux Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Linice
Rating: 0.0 (0 votes)
Author: Goran Devic                        
Website: http://www.linice.com
Current version: 2.6
Last updated: July 28, 2005
Direct D/L link: Locally archived copy
License type: GPL
Description: What is Linice?

Linice is an Intel x86-based, Linux source-level kernel debugger with the look and feel of SoftIce for MS Windows.

Linice is designed to be used by the people who have SoftIce experience. Linice provides a major subset of SoftIce commands, and adds a few new ones. For that reason the documentation describing individual commands is not provided. There are a number of good resources on the Web that describe all SoftIce commands (Google "SoftIce" keyword.)

What can I use it for?

You can use Linice to debug a kernel module or a user application. You can also debug a Linux kernel. Kernel does not need to be recompiled or patched in any way. The debugger proper loads as a module into the running kernel and supports debugging using the following devices:
local VGA frame buffer
X-Window
remote serial terminal
monochrome monitor

You can break into a running kernel at any time by a hotkey. Place breakpoints, single step, watch variables etc. Multiple international keyboard layouts are supported.
Also listed in: Linux Debuggers, Ring 0 Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MSIL Dumper
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11809
Current version: 0.4
Last updated: December 12, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: The idea of this tool is to achieve two objects:

1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder.

2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies.

I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods.

you can find more on LibX protection here
hxxp://www.reteam.org/board/showthread.php?t=799
Also listed in: .NET MSIL Dumpers, .NET Tracers, Tracers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: MetaPuck
Rating: 0.0 (0 votes)
Author: y0da                        
Website: http://y0da.cjb.net
Current version: 1.0
Last updated: 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: MetaPuck is a tool to spy the information, being hidden in the MetaData block inside the CLR (Common Language Runtime) Portable Executeable images of the .NET framework, and displays it in a well overlookable TreeView. It also parses .NET "typelibs". Included full source code.
Also listed in: COM Debugging Tools, .NET Executable Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: NetAsm
Rating: 0.0 (0 votes)
Author: Alexandre Mutel                        
Website: http://www.codeplex.com/netasm
Current version: 1.0
Last updated: July 25, 2008
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: NetAsm provides a hook to the .NET JIT compiler and enables to inject your own native code in replacement of the default CLR JIT compilation. With this library, it is possible, at runtime, to inject x86 assembler code in CLR methods with the speed of a pure CLR method call and without the cost of Interop/PInvoke calls.

NetAsm can be used to integrate optimized native code using CPU extended instructions (SSE,MMX) into your managed code. The NetAsmDemo sample provides two benchmarks that unveil the power of using native code injection with NetAsm.

For more information about NetAsm, code injection techniques and recommendations, please consult the NetAsm-UserGuide.
Also listed in: .NET Code Injection Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OLE RE Tools
Rating: 0.0 (0 votes)
Author: Joe Stewart                        
Website: http://www.openrce.org/articles/full_view/17
Current version: 1.0
Last updated: September 12, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Some utils to assist in reverse-engineering OLE applications.
Use on Win32 may require addition of BINMODE.

guidextract.pl - find and label OLE GUIDs in an executable
guids.txt - list of GUIDs and interface names from my registry
reg2guidlist.pl - make your own guids.list from a registry export file
listmethods.pl - list interface methods and offsets in Vtbl
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: OLE/COM Object Viewer (OLEview)
Rating: 0.0 (0 votes)
Author: Microsoft                        
Website: http://www.microsoft.com/downloads/details.aspx?familyid=5233b70d-d9b2-4cb5-aeb6-45664be858b6
Current version: 1.00.0.1
Last updated: October 18, 2000
Direct D/L link: N/A
License type: Free
Description: Browses, configures, and tests Microsoft Component Object Model classes installed on a computer.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: oStudio - Live Tuning
Rating: 0.0 (0 votes)
Author: Objectis                        
Website: http://www.objectis-software.com/product/ostudio-live-tuning-live-debugging-functional-tests/
Current version: 1.3
Last updated: January 17, 2014
Direct D/L link: http://www.objectis-software.com/download-ostudio-2013/
License type: Free
Description: Accelerates the integration, testing and development phase by a factor of 2 to 10, in one easy-to-use application.
oStudio - Live Tuning brings a new development and real time debugging method. It's easy to connect embedded systems, automation and .NET applications to oStudio - Live Tuning, and to interact with them LIVE!

Traditional step by step debugging techniques are now history. A system doesn’t need to be halted to verify and validate its behavior anymore! This method, called live debugging, consists of observing and interacting with a real-time system while it’s still running. oStudio – Live Tuning is a new generation of debugger. It regroups new debugging tools for embedded systems and the machine industry with automated testing.
Also listed in: .NET Debuggers, .NET Tools, .NET Tracers, API Monitoring Tools, COM Debugging Tools, COM Monitoring Tools, Debug Output Monitoring Tools, Debuggers, FPGA Tools, Microcontroller Tools, Non-Intrusive Debuggers, Visual Basic Debuggers, Visual Basic Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PEBrowse Professional
Rating: 0.0 (0 votes)
Author: SmidgeonSoft                        
Website: http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
Current version: 10.1.5
Last updated: April 14, 2011
Direct D/L link: http://www.smidgeonsoft.com/download/PEBrowseV10_1_5.zip
License type: Free
Description: PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.)

With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu.

While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as:

* Module entry-point
* Exports (if any)
* Debug-symbols (if a valid PDB, i.e., program database file, is present)
* Imported API references
* Relocation addresses
* Internal functions/subroutines
* Any valid address inside of the module

Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays.

PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files.

PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code.

Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped.
Also listed in: .NET Disassemblers, .NET Tools, COM Tools, Delphi Tools, Disassemblers, Exe Analyzers, Memory Dumpers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PPEE (puppy)
Rating: 0.0 (0 votes)
Author: Zaderostam                        
Website: https://www.mzrst.com/
Current version: 1.12
Last updated: August 17, 2018
Direct D/L link: https://www.mzrst.com/puppy/PPEE(puppy)%201.12.zip
License type: Free
Description: This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
Two companion plugins are also provided. FileInfo, to query the file in the well-known malware repositories and take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on. YaraPlugin, to test Yara rules against opened file.

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!

Features:


Both PE32 and PE64 support
Examine YARA rules against opened file
Virustotal and OPSWAT's Metadefender query report
Statically analyze windows native and .Net executables
Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
Parse Rich Header
Edit almost every data structure
Easily dump sections, resources and .Net assembly directories
Entropy and MD5 calculation of the sections and resource items
View strings including URL, Registry, Suspicious, ... embedded in files
Resolve ordinal to name in imported APIs
Detect common resource types
Extract artifacts remained in PE file
Anomaly detection
Right-click for Copy, Search in web, Whois and dump
Built in hex editor
Explorer context menu integration
Descriptive information for data members
Refresh, Save and Save as menu commands
Drag and drop support
List view columns can sort data in an appropriate way
Open file from command line
Checksum validation
Plugin enabled


Feel free to use it ;)
Also listed in: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Phoenix Protector
Rating: 0.0 (0 votes)
Author: Daniel Pistelli                        
Website: http://ntcore.com/phoenix.php
Current version: 1.8.0.1
Last updated: June 2, 2008
Direct D/L link: http://ntcore.com/Files/Phoenix_Protector.msi
License type: Free
Description: The Phoenix Protector was created to protect .NET assemblies and it's the ideal solution for every .NET developer, due to its support of every kind of project and compatibility with every version of the .NET framework. It has all common obfuscation features to secure your code. It provides obfuscation features like Name, String and Control Flow Obfuscation. The last feature is particularly important since it prevents the .NET assembly from being decompiled into an understandable language. The Name Obfuscation is provided with an exclusion list.

I first wrote the core of the Phoenix Protector for a company when I was 19. That project didn't work out for internal reasons not related to the quality of the product itself. I then wrote the Phoenix Protector, which was basically a new GUI for the now improved core. However, during the years (one has to consider that I was quite young when I developed the .NET obfuscator) I became ever more conscious that I didn't want to spend my life writing protections and also that I was not convinced by protections for the .NET technology in the first place. That's partly why I wrote Rebel.NET. By combining Rebel.NET with the DisasMSIL engine it is very easy to write a code obfuscator for .NET assemblies. The only thing which would be missing is name obfuscation and string encryption, which are even easier as protections. That's why I'm releasing the Phoenix Protector for free: nowadays, writing a commercial obfuscator doesn't make much sense to me. The code obfuscation provided by the Phoenix Protector is quite good when compared to other commercial obfuscators. I noticed that most obfuscators provide a very easy to reverse code obfuscation scheme. I'm not saying that the Phoenix Protector's code obfuscation can't be reversed. Every .NET code obfuscation scheme can be reversed somehow and the rebuilding task becomes very easy through Rebel.NET.
Also listed in: .NET Packers, Packers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PvLog DeObfuscator Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/DeObfuscatorWin32.zip
License type: Free
Description: PvLog Deobfuscator is a MSIL code optimizer. One side effect of the optimizer is that it can make more readable obfuscated code. PvLog DeObfuscator can also rename the types and names of members to further improve readability. This tool does not require installation: you just need to run the executable. DeObfuscator is also available in 32 and 64 bit, but we recommend you use the version that corresponds to the architecture of the assembly to optimize. The assembly generated by Deobfusctator may not always run because of protective measures implemented in the assembly (protection against code modification), but should be able to load in reflector. NOTE: the attribute that prevents ILDASM is not removed by DeObfuscator... but it could !
Also listed in: .NET Deobfuscation Tools, .NET Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: PvLog LicenseManagerKiller Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/LicenseManagerKillerWin32.zip
License type: Free
Description: The purpose of PvLog LicenseManagerKiller is to warn against the inefficiency of managing licenses in 100% managed code. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly. This tool is rudimentary and releases only most naive protections, but you can imagine that PvLog DeObfuscator and Reflector would allow a determined attacker to remove more sophisticated license controls.
Also listed in: .NET Tools, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: RE-Sign
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 0.1
Last updated: March 20, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: RE-Sign is a tool to help u re-sign .NET assemblys with your own StrongName key,
and no need todo any manual patching anymore and no need to have sn.exe installed
If u don't have a StrongName keypair file u do need sn.exe to generate one,
but i will include a keypair file generator in the next version.
Also listed in: .NET Signature Changers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: REDasm
Rating: 0.0 (0 votes)
Author: Dax                        
Website: https://github.com/REDasmOrg/REDasm
Current version: Nightly
Last updated:
Direct D/L link: https://github.com/REDasmOrg/REDasm-Builds
License type: GPL2
Description: REDasm is a crossplatform, interactive, multiarchitecture disassembler written in C++ with Qt5 framework.
its core is light and it can be extended in order to support new instructions and file formats.
In the future, Python scripting will be supported.
Also listed in: Disassemblers, Linux Disassemblers, Visual Basic Decompilers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: REZiriz
Rating: 0.0 (0 votes)
Author: LibX                        
Website: http://www.reteam.org/tools.html
Current version: 2.0
Last updated: August 28, 2007
Direct D/L link: http://www.reteam.org/tools/tf33.zip
License type: Free
Description: REZiriz is a unpacker for Eziriz .NET Reactor > v3.1.x.x

Also added support to remove NecroBits protection that prevents
the decompilation of unpacked assemblys
And support to unpack v3.3.1.1 of Eziriz .NET Reactor

Unpacker features:
---------------------------
[*] Unpacking Eziriz .NET Reactor v3.3.1.1
[*] Unpacking Eziriz .NET Reactor v3.3.0.1
[*] Unpacking Eziriz .NET Reactor v3.2.4.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.6
[*] Unpacking Eziriz .NET Reactor v3.2.0.0
[*] Unpacking Eziriz .NET Reactor v3.1.0.0

[*] Versions < v3.1.0.0 are not supported

[*] Added NecroBit Protection Remover
Also listed in: Automated Unpackers, .NET Unpackers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Resourcer for .NET
Rating: 0.0 (0 votes)
Author: Lutz Roeder                        
Website: http://www.aisto.com/roeder/dotnet/
Current version: 1.0
Last updated:
Direct D/L link: N/A
License type: Free
Description: Resourcer is an editor for .resources binaries and .resX XML file formats used with the .NET platform. Resourcer allows editing of name/string pairs, import of bitmaps/icons and and merging of resources from different sources.
Also listed in: .NET Resource Editors
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: SNSRemover
Rating: 0.0 (0 votes)
Author: Ntoskrnl                        
Website: http://www.ntcore.com/utilities.php
Current version: 1.0
Last updated: November 29, 2005
Direct D/L link: http://www.ntcore.com/Files/SNSRemover.zip
License type: Free
Description: This tool removes the Strong Name Signature from .NET Assemblies.
Also listed in: .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Skpd
Rating: 0.0 (0 votes)
Author: Albert Sellarès                        
Website: https://www.wekk.net
Current version: 1.3
Last updated: 13/07/2009
Direct D/L link: https://www.wekk.net/code/attachments/download/1/skpd.tar.gz
License type: none yet
Description: <nowiki>Skpd is a process dumper for x86 and x64 ELF binaries

Features:

static binaries.
dynamic binaries.
compressed files (at least upx)
elfuck encrypted.
32 and 64 bits support.
Generates an ELF file from a running process.
If the original file was encrypted, the new one will not.
i386, x86_64, MIPSEL platforms

Usage:

./skpd {-p pid
Also listed in: Linux Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Strong Name Helper
Rating: 0.0 (0 votes)
Author: whoknows                        
Website: N/A
Current version: 0.9 beta
Last updated: November 02, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Purpose of util is to help you with the boring EXE/DLL strong name validation tied....
Also listed in: .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Strong Name Remove
Rating: 0.0 (0 votes)
Author: Andrea Bertolotto                        
Website: http://www.codeproject.com/KB/security/StrongNameRemove20.aspx
Current version: 2.1.0.0
Last updated: July 19, 2007
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: Good application for removing strong name signatures in .NET executables.
Also listed in: .NET Signature Removers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Telerik JustDecompile
Rating: 0.0 (0 votes)
Author: Telerik                        
Website: http://www.telerik.com/
Current version: 2014.1.225.0
Last updated:
Direct D/L link: http://www.telerik.com/downloads/productfiles/bgkht/JustDecompile_2014.1.225.0.msi
License type: Developer Licence is Free
Description: An alternative to Reflector and IlSpy.
JustDecompile is .NET assembly browser and decompiler.

- Fast code navigation
- Create Visual Studio projects
- Extract resources from assemblies
- Easy assembly management
- Zip file distribution
- Visual Studio Extension - decompile referenced assemblies
- Visual Studio inline decompilation (through JustCode)
- Command line support
- Integrate with Windows Explorer Context Menu
- SL XAP decompilation from URL
- Open API (extensible)
- Edit assemblies with Reflexil
- Deobfuscate with de4dot
- C#5 (WinRT) support
- APPX and WinMD support
Also listed in: .NET Decompilers, .NET Disassemblers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: TypeLib Browser
Rating: 0.0 (0 votes)
Author: José Roca                        
Website: http://www.com.it-berater.org/typelib_browser.htm
Current version: 2.05
Last updated: July 18, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: The TypeLib Browser is a tool designed to let you to examine the contents of COM servers and ActiveX controls and to provide alternate ways to use them or to give workarounds to features still not available in the Power Basic compilers, such events sink.

Besides letting you to inspect all the information available in the typelibs, it generates wrapper functions that use direct VTable calls.
Also listed in: COM Debugging Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Valgrind
Rating: 0.0 (0 votes)
Author:                         
Website: http://valgrind.org
Current version: 3.2.3
Last updated: January 29, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.
Also listed in: Code Injection Tools, Linux Tools
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)



Tool name: Wintruder
Rating: 0.0 (0 votes)
Author: FutureVision                        
Website: http://mitglied.lycos.de/wintruder/wintruder.zip
Current version: 1.0.0.1
Last updated: October 17, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: Wintruder is an extendable debugger for Windows 9x and Windows XP.
By default, it includes debug interfaces for:
- Win32 Debug API
- Intel x86
- Microsoft VisualBasic p-code
- Virtual Dos Machine (XP only)
- Win32 Stealth (XP only)
- Intel x86
- Microsoft VisualBasic p-code
- Virtual Dos Machine
- Microsoft .Net (.Net 1.0 and up)
- .Net CIL

You can use Wintruder for free. For more information read license.txt. If this file does not exist, type wintruder.exe -l


This version of Wintruder is a development snapshot and far from being a final release.

Most important limitations:
- You may encounter several bugs and deficiencies.
- The use of debug information is limited to bare function definitions.
- The native .Net debugger is missing.
- The script engine is not really working.
- Much, much more…

By the way:
- The DiaDbg plug-in requires the Microsoft Debug Interface Access library. (msdia80.dll, msdia71.dll or msdia20.dll)
- To be more precise: None of the libraries Wintruder is bound to is included in this distribution.
Also listed in: .NET Debuggers, Ring 3 Debuggers, Visual Basic Debuggers
More details: Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)


...

There were too many (recursive) child objects of this category to display them all, please use the sub categories below to increase the detail of your search criteria!


RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 18 subcategories to this category.




No items can be added directly to this category, please rather select one of its sub-categories above to submit an item!

Views