From Collaborative RCE Tool Library
Categorized by Target Type
| Tool name: | EDB Linux Debugger |
|---|---|
| Author: | Evan Teran |
| Website: | http://www.codef00.com/projects.php#Debugger |
| Current version: | 0.9.4 |
| Last updated: | August 13, 2008 |
| Direct D/L link: | http://www.codef00.com/projects/debugger-0.9.4.tgz |
| License type: | Free / Open Source |
| Description: | Features: * Intuitive GUI interface * The usual debugging operations (step-into/step-over/run/break) * Conditional breakpoints * Debugging core is implemented as a plugin so people can have drop-in replacements. Of course if a given platform has several debugging APIs available, then you may have a plugin that implements any of them. * Basic instruction analysis * View/Dump memory regions * Effective address inspection * The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them. * Importing of symbol maps * Plugins: o Search for binary strings o Code Bookmarks o Breakpoint management o Check for updates o Environment variable viewer o Heap block enumeration o Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan) o Open file enumeration o Reference finder o String searching (like the strings command in *nix). One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in Qt4 and thus source-portable to many platforms. The debugger core is actually a plugin and the platform-specific code is isolated to just a few files; porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to its highly system-specific nature. |
| Also listed in: | Debuggers, Linux Debuggers, Ring 3 Debuggers |
| Tool name: | IDA Pro |
|---|---|
| Author: | Ilfak Guilfanov |
| Website: | http://www.hex-rays.com/idapro |
| Current version: | 5.3 |
| Last updated: | July 14, 2008 |
| Direct D/L link: | N/A |
| License type: | Commercial |
| Description: | The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows or on Linux. IDA Pro has become the de facto standard for the analysis of hostile code, vulnerability research and COTS validation. There is also a free (crippled) version available (IDA Pro Free); see its own entry in the library for more info. As of January 7, 2007, the official IDA Pro website moved from the old URL (http://www.datarescue.com/idabase) to the one listed above. |
| Also listed in: | .NET Disassemblers, Disassemblers, IPhone Tools, Linux Debuggers, Linux Disassemblers, Mobile Platform Debuggers, Mobile Platform Disassemblers, Ring 3 Debuggers, Symbian Tools |
| Tool name: | radare |
|---|---|
| Author: | pancake |
| Website: | http://radare.nopcode.org |
| Current version: | 0.9.9 |
| Last updated: | September 2, 2008 |
| Direct D/L link: | http://radare.nopcode.org/get/radare-0.9.9.tar.gz |
| License type: | GPL |
| Description: | The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, ARM and Java, with some PowerPC support. The core is a raw hexadecimal editor for the command line with scripting features and Perl/Python extensions, extended with IO plugins that hook the open/read/write/close/system calls. The debugger and disassembler have a code analysis module for x86, MIPS, ARM and Java. This way it's possible to draw graphs using Cairo on a GTK window, or store the execution flow of a program in a log file and use the information to diff it against another trace or binary. The toolchain provides assemblers and disassemblers for x86, ARM, MIPS (Loongson2F), SPARC, CSR, m68k, PowerPC, MSIL and Java. The disassembler has been enhanced to handle inline comments, code block detection and flag references (data pointers and so on). The debugger is mainly developed on Linux and {Net|Free|Open}BSD on 32- and 64-bit Intel x86, but it has support for linux-ARM and linux-MIPS, and Windows support is in mind too. Latest work on the debugger aims to make it work on MacOSX and Solaris/OpenSolaris for SPARC, PowerPC and Intel. There are also IO plugins for debugging Windows and DOS applications via wine and dosemu. Initial gxemul support gives us the possibility to also debug ARM, MIPS, SPARC, .. binaries. There are internal commands to handle memory maps, mount a syscall proxy, inject code, patch data, dump user data sections, step back, trace syscalls, manipulate hardware DRx registers, set conditional watchpoints with expressions, manipulate signals, inject syscalls, and very early threading support. Data structures can be parsed with hand-written C programs called as extensions from radare. The hexadecimal editor comes with a set of views for different bases and print formats like URL-encoding, binary, octal, shellcode and C string-like, which is really useful for developing shellcodes. Python, Lua and Perl scripting facilities come with an API to manage the core, the debugger, code analysis, tracing facilities, metadata handling, etc. There's a minimal GUI frontend written in C that interacts directly with a VTE running radare, but I plan to write a new native frontend in Vala. Current development plugins are: * ewf: EnCase (R) forensic disk images and more * malloc: anonymous memory buffers * mmap: mapping files in memory * shm: shared memory access * socket: socket stream access * winedbg: WineDebugger interface ( winedbg://./program.exe ) * haret: Remotely read WindowsCE memory ( haret://host:port ) * ptrace: Debugs or attaches to a process ( dbg://file or pid://PID ) * sysproxy: Connects to a remote syscallproxy server * remote: TCP IO ( listen://:port or connect://host:port ) * gdb: Debugs or attaches to a process using gdb (gdb://file, gdb://PID, gdb://host:port) * w32: posix to native w32 api io * posix: plain posix file access. The tools provided around the core are: * radare: command line hexadecimal editor with IO plugin extensions * rabin: get info from ELF/MZ/PE/MACHO/CLASS files * rasc: shellcode generator and tester (outputs in raw, hexpairs or C) * rasm: inline assembler/disassembler for multiple archs * radiff: binary diffing utilities for raw files, binaries, data blocks, etc. * xrefs: find cross references on raw images for ppc, arm and x86 * hasher: calculate different algorithms over data blocks of a file or stream * rsc: command line helpers written in shellscript or perl * javasm: minimalistic java assembler/disassembler/classdumper * xc: cmdline multiple radix numeric converter. FMI see the mailing list. Have fun! |
| Also listed in: | .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers |
| Tool name: | Rebel.NET |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/rebelnet.php |
| Current version: | 1.0.0.1 |
| Last updated: | April 25, 2008 |
| Direct D/L link: | http://ntcore.com/Files/RebelDotNET.zip |
| License type: | Free |
| Description: | Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams. It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header. The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilt and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly. Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since sometimes the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file. All the Rebel.NET features can be used through the command line, which comes in very handy when an automated rebuilding process is needed. Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms. |
| Also listed in: | .NET Code Injection Tools, .NET Executable Editors |
| Tool name: | CFF Explorer |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://www.ntcore.com/exsuite.php |
| Current version: | 7.4.0.1 |
| Last updated: | June 11, 2008 |
| Direct D/L link: | http://www.ntcore.com/Files/CFF_Explorer.zip |
| License type: | Freeware |
| Description: | The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface. Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, PNGs. You'll be able to analyze .NET files without having to install the .NET framework, since this tool has its own functions to access the .NET format. Also includes a cool new scripting engine! |
| Also listed in: | .NET Executable Editors, PE Executable Editors |
| Tool name: | Explorer Suite |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/exsuite.php |
| Current version: | III |
| Last updated: | June 11, 2008 |
| Direct D/L link: | http://ntcore.com/Files/ExplorerSuite.exe |
| License type: | Free |
| Description: | A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium. Features: * Process Viewer * Windows Viewer * PE and Memory Dumper * Full support for PE32/64 * Special fields description and modification (.NET supported) * PE Utilities * PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer) * View and modification of .NET internal structures * Resource Editor (full support for Windows Vista icons) * Support in the Resource Editor for .NET resources (dumpable as well) * Hex Editor * Import Adder * PE integrity checks * Extension support * Visual Studio Extensions Wizard * Powerful scripting language * Dependency Walker * Quick Disassembler (x86, x64) * Name Unmangler * File Scanner * Directory Scanner * Deep Scan method * Recursive Scan method * Multiple results * Report generation * Signatures Manager * Signatures Updater * Signatures Collisions Checker * Signatures Retriever |
| Also listed in: | .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors |
| Tool name: | .NET DeObfuscator |
|---|---|
| Author: | Kurapica |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11810 |
| Current version: | 0.5 |
| Last updated: | June 11, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This is a tool to deobfuscate names only in assemblies; it doesn't deobfuscate control flow. This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only. What this tool does is rename classes and other members of an assembly, like procedures and functions, into more understandable names for easier analysis; for example it renames a class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with Xenocode or any other obfuscator. I didn't want to release it at first, but when I added type detection to the renaming process it became more useful. |
| Also listed in: | .NET Deobfuscation Tools |
| Tool name: | .NET Generic Unpacker |
|---|---|
| Author: | Ntoskrnl |
| Website: | http://ntcore.com/netunpack.php |
| Current version: | 1.0.0.1 |
| Last updated: | |
| Direct D/L link: | http://ntcore.com/Files/NETUnpack.zip |
| License type: | |
| Description: | This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assembly. This .NET Generic Unpacker was written in a couple of hours and despite the fact that it's very simple, it might turn out useful to have it: otherwise you have to unpack manually, which is also very easy. |
| Also listed in: | .NET Unpackers, Automated Unpackers |
| Tool name: | .NET Hook Library |
|---|---|
| Author: | shokshok |
| Website: | http://dotnethook.sourceforge.net |
| Current version: | 2.1 |
| Last updated: | May 30, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | .NET Hook Library is a library (with a sample tool) to manipulate functions in a .NET assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it. The download contains detailed documentation about how it works and what it is. I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a. assemblies). |
| Also listed in: | .NET Code Injection Tools, Code Injection Tools |
| Tool name: | AdmiralDebilitate |
|---|---|
| Author: | Admiral |
| Website: | http://www.ring3circus.com/downloads/admiraldebilitate |
| Current version: | 0.2 |
| Last updated: | June 16, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | AdmiralDebilitate is a tool for removing .NET strong name signing, particularly suited for large projects consisting of multiple nested dependencies. The interface is fairly simple: open up all relevant executables simultaneously (or all PEs if late-binding is in use) and ‘mark’ those that are to be modified. AdmiralDebilitate will determine the minimal area of the dependency tree that requires fixing and execute things appropriately. Any mismatching references will be listed in the ‘Problem Areas’ pane. Please report any bugs, after reading the following list of notes and caveats: * All dependencies on mscorlib and System.* are ignored. I don’t see why this should be a problem, but bear it in mind if something isn’t working. * Only exe and dll files are supported. * The tool searches only the current folder for DLLs referenced by the seeding assemblies. If the system is relying on environment variables being set or suchlike, then AdmiralDebilitate will probably fail to load all the assemblies. A workaround is to temporarily place all the files in the same directory. Updates: * 17/06/08 - A silly little fencepost error was causing problems with assemblies having AssemblyRef as their last table. That’s fixed in version 0.2. Thanks go out to Dan Pistelli, without whose .NET specification this wouldn’t have happened. |
| Also listed in: | .NET Signature Changers, .NET Signature Removers, Dependency Analyzer Tools |
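
The rule behind "the minimal area of the dependency tree that requires fixing" can be worked through in code. The following is an added example, not AdmiralDebilitate's own code. It assumes the CLR constraint that a strong-named assembly may only reference other strong-named assemblies: once a marked assembly loses its signature, every strong-named assembly that references it, transitively, must lose its signature as well, while an unsigned referencer only needs its AssemblyRef row rewritten. The assembly graph and its names are constructed for the example, framework references (mscorlib, System.*) are ignored as the tool's notes say, and reading the ‘Problem Areas’ pane as "stale references in assemblies that are not themselves stripped" is this example's own interpretation.

```python
from collections import deque

# Constructed example graph (not a real project): name -> (is_strong_named, referenced assemblies).
SAMPLE_ASSEMBLIES = {
    "App.exe":       (True,  ["Core.dll", "UI.dll", "mscorlib", "System.Windows.Forms"]),
    "UI.dll":        (True,  ["Core.dll", "System.Drawing"]),
    "Core.dll":      (True,  ["Crypto.dll", "mscorlib"]),
    "Crypto.dll":    (True,  ["mscorlib"]),
    "Plugin.dll":    (False, ["Core.dll"]),      # unsigned, so it may reference anything
    "Reporting.dll": (True,  ["System.Xml"]),
}


def is_framework(name):
    """mscorlib / System.* references are skipped, as the tool's notes describe."""
    return name == "mscorlib" or name == "System" or name.startswith("System.")


def reverse_refs(assemblies):
    """referenced -> set(referencers), with framework references dropped."""
    rev = {name: set() for name in assemblies}
    for name, (_, refs) in assemblies.items():
        for ref in refs:
            if not is_framework(ref):
                rev.setdefault(ref, set()).add(name)
    return rev


def strip_set(assemblies, marked):
    """Minimal set of assemblies whose strong name must go when `marked` are stripped.
    Assumption (CLR rule): a strong-named assembly cannot reference an unsigned one, so
    every strong-named referencer of a stripped assembly is stripped too, transitively."""
    rev = reverse_refs(assemblies)
    to_strip, queue = set(), deque(marked)
    while queue:
        cur = queue.popleft()
        if cur in to_strip:
            continue
        to_strip.add(cur)
        for parent in rev.get(cur, ()):
            strong, _ = assemblies[parent]
            if strong and parent not in to_strip:
                queue.append(parent)
    return to_strip


def stale_refs(assemblies, to_strip):
    """(referencer, target) pairs where an unsigned referencer still carries the old
    PublicKeyToken of a stripped target: these AssemblyRef rows must be rewritten."""
    rev = reverse_refs(assemblies)
    return {(parent, name)
            for name in to_strip
            for parent in rev.get(name, ())
            if not assemblies[parent][0]}


def missing_references(assemblies):
    """Non-framework references not found among the loaded files (the tool only looks
    in the current folder, so these are the cases its notes warn about)."""
    return {(name, ref)
            for name, (_, refs) in assemblies.items()
            for ref in refs
            if not is_framework(ref) and ref not in assemblies}


if __name__ == "__main__":
    strip = strip_set(SAMPLE_ASSEMBLIES, {"Crypto.dll"})
    print("strip:", sorted(strip))
    print("rewrite AssemblyRef in:", sorted(stale_refs(SAMPLE_ASSEMBLIES, strip)))
    print("unresolved:", sorted(missing_references(SAMPLE_ASSEMBLIES)))
```

On a real tree the graph would be filled from each file's AssemblyRef table; the closure decides which files go through a signature remover, and the stale-reference list is what must be patched afterwards, otherwise the loader rejects the reference because its recorded public key token no longer matches.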
| Tool name: | All-Seeing Eye |
|---|---|
| Author: | Fortego Security |
| Website: | http://www.fortego.com/en/ase.html |
| Current version: | 0.7.1 |
| Last updated: | 2007 |
| Direct D/L link: | http://www.fortego.com/resources/ase071.zip |
| License type: | Free |
| Description: | Tool for automated diff-style checking of many sensitive system areas that malware and other programs often try to modify silently. Like Tripwire on speed. |
| Also listed in: | File System Diff Tools, Install Monitoring Tools, Registry Monitoring Tools, System Diff Tools |
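
What "diff-style checking" amounts to for one of those sensitive areas, a file tree, is shown by the following added example. It is not All-Seeing Eye's code (which is a Windows tool that also covers the registry and other areas): take a hashed baseline, store it, and later report everything added, removed or altered. The directory layout and file contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline of a watched tree: relative path -> ("file", size, mode, sha256).
    Symlinks are recorded by their target rather than followed, so a link swapped
    in under a watched path shows up as a change instead of being hashed through."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                base[rel] = ("symlink", os.readlink(full))
                continue
            st = os.stat(full)
            base[rel] = ("file", st.st_size, st.st_mode & 0o7777, sha256_file(full))
    return base


def diff(old, new):
    """Tripwire-style report: what appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save(base, path):
    with open(path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def demo():
    """Constructed scenario: baseline a fake etc/ directory, then make the kind of
    silent changes the tool exists to catch, and return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        baseline = os.path.join(store, "baseline.json")   # kept outside the watched tree
        save(snapshot(root), baseline)
        # Silent modifications: hosts entry appended, startup script dropped, rc.local removed.
        with open(os.path.join(etc, "hosts"), "a") as f:
            f.write("10.0.0.5 update.example\n")
        with open(os.path.join(etc, "evil.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "rc.local"))
        return diff(load(baseline), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline (and the checker itself) has to live somewhere the code under suspicion cannot rewrite, for example read-only media or another host; a diff against a baseline the malware could edit proves nothing.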
| Tool name: | BCEL |
|---|---|
| Author: | The Apache Jakarta Project |
| Website: | http://jakarta.apache.org/bcel |
| Current version: | 5.2 |
| Last updated: | June 6, 2006 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |
| Description: | The Byte Code Engineering Library is intended to give users a convenient possibility to analyze, create, and manipulate (binary) Java class files (those ending with .class). Classes are represented by objects which contain all the symbolic information of the given class: methods, fields and byte code instructions, in particular. Such objects can be read from an existing file, be transformed by a program (e.g. a class loader at run-time) and dumped to a file again. An even more interesting application is the creation of classes from scratch at run-time. The Byte Code Engineering Library (BCEL) may also be useful if you want to learn about the Java Virtual Machine (JVM) and the format of Java .class files. BCEL contains a byte code verifier named JustIce, which usually gives you much better information about what's wrong with your code than the standard JVM message. BCEL is already being used successfully in several projects such as compilers, optimizers, obfuscators, code generators and analysis tools. Unfortunately there hasn't been much development going on over the past few years. |
| Also listed in: | Java Disassembler Libraries |
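
To make concrete what BCEL reads and writes, here is an added example, not BCEL code and in Python rather than Java: a reader for the parts of the JVM class-file format that BCEL's class objects expose (constant pool, class and superclass names, fields, methods and their attributes), applied to a minimal class file constructed inline. The sample class, its names and its Long constant are made up for the example; the layout follows chapter 4 of the JVM specification.

```python
import struct

CP_TAGS = {7: "Class", 8: "String", 16: "MethodType", 19: "Module", 20: "Package",
           9: "Fieldref", 10: "Methodref", 11: "InterfaceMethodref",
           12: "NameAndType", 17: "Dynamic", 18: "InvokeDynamic"}


class ClassFileError(ValueError):
    pass


def parse_constant_pool(data, off, count):
    """Entries 1..count-1 keyed by index; returns (pool, offset after the pool).
    Long and Double occupy two slots (JVMS 4.4.5), the classic off-by-one trap."""
    pool, idx = {}, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:                                    # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, off)
            pool[idx] = ("Utf8", data[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        elif tag in (3, 4):                             # Integer / Float
            pool[idx] = ("Int/Float", struct.unpack_from(">I", data, off)[0])
            off += 4
        elif tag in (5, 6):                             # Long / Double
            pool[idx] = ("Long/Double", struct.unpack_from(">Q", data, off)[0])
            off += 8
            idx += 1                                    # second slot is unusable
        elif tag in (7, 8, 16, 19, 20):                 # one u2 index
            pool[idx] = (CP_TAGS[tag], struct.unpack_from(">H", data, off)[0])
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):            # two u2 indices
            pool[idx] = (CP_TAGS[tag],) + struct.unpack_from(">HH", data, off)
            off += 4
        elif tag == 15:                                 # MethodHandle: u1 kind, u2 ref
            pool[idx] = ("MethodHandle",) + struct.unpack_from(">BH", data, off)
            off += 3
        else:
            raise ClassFileError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
        idx += 1
    return pool, off


def parse_class(data):
    """ClassFile structure (JVMS 4.1): header, constant pool, class refs, fields, methods."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ClassFileError("bad magic")
    minor, major, cp_count = struct.unpack_from(">HHH", data, 4)
    pool, off = parse_constant_pool(data, 10, cp_count)

    def utf8(i):
        return pool[i][1]

    def cls(i):                                         # CONSTANT_Class -> Utf8 name
        return utf8(pool[i][1])

    access, this_idx, super_idx, n_if = struct.unpack_from(">HHHH", data, off)
    off += 8 + 2 * n_if                                 # skip the interfaces table

    def members(off):                                   # field_info and method_info share a layout
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        out = []
        for _ in range(n):
            acc, name, desc, n_attr = struct.unpack_from(">HHHH", data, off)
            off += 8
            attrs = []
            for _ in range(n_attr):
                aname, alen = struct.unpack_from(">HI", data, off)
                attrs.append((utf8(aname), data[off + 6:off + 6 + alen]))
                off += 6 + alen
            out.append({"access": acc, "name": utf8(name), "descriptor": utf8(desc), "attributes": attrs})
        return out, off

    fields, off = members(off)
    methods, off = members(off)
    return {"version": (major, minor), "access": access, "this": cls(this_idx),
            "super": cls(super_idx), "fields": fields, "methods": methods, "constants": len(pool)}


def method_bytecode(method):
    """Raw JVM bytecode from a method's Code attribute (JVMS 4.7.3); None if abstract or native."""
    for name, body in method["attributes"]:
        if name == "Code":
            code_len = struct.unpack_from(">I", body, 4)[0]   # after max_stack and max_locals
            return body[8:8 + code_len]
    return None


def _u1(v): return struct.pack(">B", v)
def _u2(v): return struct.pack(">H", v)
def _u4(v): return struct.pack(">I", v)
def _utf8(s): return _u1(1) + _u2(len(s.encode())) + s.encode()


def build_sample_class():
    """Constructed input: 'public class Hello' with 'public static void main(String[])'
    whose body is a single 'return' (0xB1), plus a Long constant to exercise the two-slot rule."""
    cp = [_u1(7) + _u2(2), _utf8("Hello"), _u1(7) + _u2(4), _utf8("java/lang/Object"),
          _utf8("main"), _utf8("([Ljava/lang/String;)V"), _utf8("Code"),
          _u1(5) + struct.pack(">q", 42)]               # occupies slots 8 and 9
    code = _u2(0) + _u2(1) + _u4(1) + b"\xb1" + _u2(0) + _u2(0)   # max_stack, max_locals, code, exc, attrs
    main = _u2(0x0009) + _u2(5) + _u2(6) + _u2(1) + _u2(7) + _u4(len(code)) + code
    return (b"\xca\xfe\xba\xbe" + _u2(0) + _u2(49) + _u2(10) + b"".join(cp)   # 9 slots -> count 10
            + _u2(0x0021) + _u2(1) + _u2(3) + _u2(0) + _u2(0) + _u2(1) + main + _u2(0))
```

A BCEL JavaClass carries exactly these pieces (plus the class-level attributes this reader leaves unparsed), and BCEL's verifier starts from the same constant-pool resolution: most malformed-class tricks seen in obfuscated jars are bad indices or wrong slot counts in that table.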
| Tool name: | Bastard |
|---|---|
| Author: | |
| Website: | http://bastard.sourceforge.net |
| Current version: | 0.16 |
| Last updated: | 2002 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |
| Description: | The Bastard is a disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and various other operations. The x86 instruction disassembler written for this project has been packaged separately as libdisasm, and is intended to be used in other open source projects. This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. Now, on top of this any number of UI front ends can be stacked -- ncurses console front ends, Gtk X front-ends, Tk front ends, etc. It is the responsibility of the front-ends to display the information obtained by querying the disassembler, supplying syntax highlighting, displaying strings, xrefs, etc.; however the disassembler will retain all of this information, do all of the 'brute' processing, and will provide any of the information when requested. The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin]. |
| Also listed in: | Disassemblers, Linux Disassemblers |
| Tool name: | Burndump |
|---|---|
| Author: | ByteRage |
| Website: | http://www.securiteam.com/tools/5BP0H0U7PQ.html |
| Current version: | 1.0 |
| Last updated: | July 13, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Burndump is an LKM that strips off the TESO Burneye protection from encrypted executables. You must be able to run the executable. When the program is unwrapped, you do not need the host fingerprint or the password anymore and the ELF file can be reverse engineered without the Burneye anti-debugger tricks. |
| Also listed in: | Linux Unpackers, Automated Unpackers |
| Tool name: | Burneye |
|---|---|
| Author: | TESO |
| Website: | https://teso.scene.at/releases.php |
| Current version: | 1.0.1 |
| Last updated: | December 24, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Burneye ELF encryption program, with full source and docs. |
| Also listed in: | Packers, Linux Packers |
| Tool name: | COMRaider |
|---|---|
| Author: | David Zimmer |
| Website: | http://labs.idefense.com/software/fuzzing.php#more_comraider |
| Current version: | |
| Last updated: | November 8, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | COMRaider is a tool designed to fuzz COM Object Interfaces. It can also extract information about them and their interfaces etc. Features include: * Capability to easily enumerate safe-for-scripting objects * Ability to scan for COM objects by path, filename, or GUID * Integrated type library viewer * Integrated debugger to monitor exceptions, close windows, log API calls * External VBS script allows you to easily edit fuzzer permutations * Built-in webserver to test exploits on the fly * Enumerate and view controls with killbit set * Distributed auditing mode to allow entire teams to work together * Ability to upload crash files to a central server for group analysis * Automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions. |
| Also listed in: | COM Debugging Tools |
| Tool name: | COMView |
|---|---|
| Author: | japheth |
| Website: | http://www.japheth.de/COMView.html |
| Current version: | 2.98 |
| Last updated: | July 2007 |
| Direct D/L link: | http://www.japheth.de/Download/COMView.zip |
| License type: | Free |
| Description: | COMView is a tool for viewing and handling COM (Component Object Model) things. It is intended to be used by programmers, although it might also be useful for experienced end users. The following functions are included: * Shows COM related entries in the registry * Built-in registry editor to modify these entries * Consistency check of COM related registry information * Shows type library information * Can generate ASM include files from type libraries * "Dispatch helper" ASM includes may be generated to simplify using IDispatch and events * COM objects can be created and the interfaces they expose are shown * OLE container is implemented, allowing you to view and test OLE/ActiveX controls * Object properties may be edited and methods executed * The object model exposed by an application/control may be walked * May connect to source interfaces and display events. Please note: to benefit from COMView you are expected to be familiar with COM basics; there is no tutorial included in COMView. |
| Also listed in: | COM Debugging Tools |
| Tool name: | CoClassSyms |
|---|---|
| Author: | Matt Pietrek |
| Website: | http://www.microsoft.com/msj/0399/comtype/comtype.aspx |
| Current version: | 1.0 |
| Last updated: | March 1999 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | "CoClass" in the "CoClassSyms" name refers to the TKIND_COCLASS entries in the typelib from which the symbols are created. CoClassSyms is a command-line program that operates on executable files containing a type library. This can be an .OCX or some other DLL such as MSHTML.DLL (which is a core component of Microsoft Internet Explorer). The output from CoClassSyms is either a .MAP or .DBG file. The code included with this article only supports .MAP file generation. However, if you drop in the DLL from this month's Under the Hood column, CoClassSyms generates a .DBG file instead. In either case, the output file has the same root file name as the input executable. Thus, running CoClassSyms on MSHTML.DLL creates MSHTML.MAP or MSHTML.DBG. Regardless of whether you make a .MAP or .DBG file, you'll no doubt want to get the debugger to recognize and load the symbol information. If you generate a .DBG file, make sure it is in the same directory as the associated executable. In my experience, the Visual Studio 6.0 debugger automatically loads the .DBG file as needed. Using WinDBG, I had to explicitly load the .DBG file in the command window. I wasn't able to get Visual Studio 5.0 to load the .DBG file, but I couldn't determine the cause of the problem. If everything goes well and the debugger loads your generated .DBG file, you should be able to set breakpoints by name on the methods. (Hint: you may want to first generate a .MAP file to get an idea of the available method names.) Of course, since you likely don't have source code for the executable, you'll be in the assembly language view when the breakpoints hit. You should also see method names in the call stack. |
| Also listed in: | COM Debugging Tools |
| Tool name: | Copy Protection in Modern Microcontrollers (paper) |
|---|---|
| Author: | Sergei P. Skorobogatov |
| Website: | http://www.cl.cam.ac.uk/~sps32/mcu_lock.html |
| Current version: | |
| Last updated: | 2004 |
| Direct D/L link: | N/A |
| License type: | |
| Description: | Paper that provides an overview of copy-protection reliability in modern microcontrollers. It shows that ordinary microcontrollers do not provide essential protection against unauthorized access and copying, works out a classification of attack methods by threat, and discusses possible defense technologies. |
| Also listed in: | Microcontroller Tools |
| Tool name: | Corso |
|---|---|
| Author: | Cata |
| Website: | N/A |
| Current version: | 7.01 |
| Last updated: | August 13, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware |
| Description: | Corso handles FoxPro files: repair & split. |
| Also listed in: | FoxPro Tools |
| Tool name: | D3DLookingGlass |
|---|---|
| Author: | Admiral |
| Website: | http://www.ring3circus.com/gameprogramming/d3dlookingglass-v01 |
| Current version: | 0.1 |
| Last updated: | May 5, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | The topic of debugging full-screen Direct3D applications came up a little while ago. If you’ve ever tried it on a single-monitor setup (or even multi-monitor if the app wasn’t designed to handle it) then you’ll know how much of a pain it is. Windows just can’t handle focus being stolen from a suspended exclusive-mode program. The solution’s exactly what you’d expect - to intercept the relevant window- and device-creation calls and coax the debuggee into running in a window. This works, but fiddling with the calls manually each time you restart the process quickly gets boring. So here’s my first attempt at a generic solution. D3DLookingGlass is a DLL which, if injected into a Direct3D process early enough, will make sure that all video devices are created in windowed mode, allowing the hosting process to coexist with a debugger without any bother. If you can inject this DLL into the target process before the first call to CreateWindow, then everything should go smoothly. I think. Any later than this and your mileage may vary. I’ve also written a ‘loader’ program that installs the DLL as a system-wide CBT hook, so that you don’t need to inject it manually. This kind of worked for my limited set of test-cases, but there seems to be no Windows-hooks method of injecting a DLL globally and beating the call to CreateWindow. Windows installs the DLL containing the hook at the latest possible moment for its function, and I can find no type of hook that needs to be around before a window is created. I’d love for somebody to prove me wrong (or suggest another way to install the DLL system-wide), but by the looks of things, my loader is of limited use. In particular, I recall a situation where the game (Call Of Duty 4 Demo, I think) creates a non-overlapped window, which works fine for full-screen mode, but causes problems when you try to force the device to bind as windowed. This will still be a problem unless the call to CreateWindow can be intercepted (and a well-formed window induced), which means that D3DLookingGlassLoader will struggle. Confirmation would be nice. Here’s the small print: * The DLL hooks CreateWindowExW and ShowWindow in its DllMain. I think this is kosher in terms of loader-lock, but it’s obviously not too cool with regard to system stability, especially if it’s being installed in every running process. If d3d9.dll isn’t found in the address space then the hooks fall straight through, so that shouldn’t be too much of a problem. But if it is found then all attempts to create or show (or hide) a window will be overridden - possibly to the demise of the process if it’s doing anything but the basic behaviour. So in all cases, watch out, and make sure you aren’t running anything important in the background (in particular, I’ve noticed that it doesn’t play nice with Firefox). * The loader uses a system-wide hook, and you hate system-wide hooks. I trust that anybody who needs this tool has some degree of technical expertise and is aware of the stability concerns inherent in installing somebody else’s barely-tested system-wide hook. * This was harder to put together than I anticipated, and that’s probably evident from the slightly shabby code. Again, I intend for this only to be used for debugging purposes, so you’ll have to forgive me for the sub-production-quality code. * Despite my focus on Direct3D, I’m not really a gamer and I don’t actually have any commercial games installed on this machine. So I only got a chance to test this against my own programs. Obviously, there are several ways to skin the metaphorical Direct3D-initialisation cat, so please leave a comment when you find a game that this chokes on. |
| Also listed in: | DirectX Tools |
| Tool name: | DESkey Analysis |
| ||
|---|---|---|---|---|
| Author: | Sab & xor37h | |||
| Website: | N/A | |||
| Current version: | ||||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Very good analysis / documentation of DESkey, its PRNGs and inner workings, including some code. | |||
| Also listed in: | DESkey Dongle Tools, Dongle Crypto Solver Tools, Dongle Documentation | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DXWnd |
| ||
|---|---|---|---|---|
| Author: | Nightwolve | |||
| Website: | N/A | |||
| Current version: | 1.20 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Freeware | |||
| Description: | Quote from readme: "Want to force a game or application into windowed mode that doesn't support it through its own interface? Now you can, to an extent. Results will vary depending on how your DirectX application was written." DirectX (D3D) applications are usually written to use full screen mode for their display. This makes debugging and target analysis difficult due to specific DirectX considerations. DXWnd attempts to force a D3D app to use windowed mode, making it much easier for reversers to work with. This app can't always force a full screen D3D app into windowed mode, however it is quick and easy to try. If this tool fails for you it's still perfectly possible to manually force windowed mode in your target. Search the Woodmann forum for further information. | |||
| Also listed in: | DirectX Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Damn Vulnerable Linux |
| ||
|---|---|---|---|---|
| Author: | Zero | |||
| Website: | http://www.DamnVulnerableLinux.org | |||
| Current version: | Strychnine+E605 1.4 | |||
| Last updated: | February 2008 | |||
| Direct D/L link: | http://www.computerdefense.org/dvl/DVL_Strychnine_E605_1_4.iso | |||
| License type: | Creative Commons Attribution-Noncommercial-Share Alike 3.0 License | |||
| Description: | This release contains 99% of all available Linux RCE tools! Damn Vulnerable Linux (DVL) is a Linux-based tool for IT-Security. Damn Vulnerable Linux (DVL) is highly integrated into the community project crackmes.de (http://www.crackmes.de) and is frequently updated with new community-provided lessons. Damn Vulnerable Linux (DVL) is your place either to get the latest Damn Vulnerable Linux (DVL) distribution, to get new lessons, or to submit your own lessons based on the Damn Vulnerable Linux (DVL) training system. The constant website for Damn Vulnerable Linux (DVL) is located at http://www.damnvulnerablelinux.org . Damn Vulnerable Linux (DVL) is for educational purposes only! Actually, it is a perverted Linux distribution made to be as insecure as possible. It is a collection of IT-Security tools. Additionally, it includes a full-scale lesson-based environment for Attack & Defense on/for IT systems for self-study or teaching activities during university lectures. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. It can also be run within virtual machine environments, such as qemu or vmware. There is no need to install a virtual machine if you use the embedded option. Its sole purpose in life is to put as many security tools at your disposal with as many training options as it can. It contains a huge amount of lessons including lesson descriptions - and solutions if the level has been solved by a community member at crackmes.de. Damn Vulnerable Linux (DVL) is meant to be used by both novice and professional security personnel but is not ideal for the Linux uninitiated. Damn Vulnerable Linux (DVL) assumes you know the basics of Linux as most of your work will be done from the command line. If you are completely new to Linux, it's best you stop playing with this system. | |||
| Also listed in: | Linux Tools, Reverse Engineering Frameworks | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Deblector |
| ||
|---|---|---|---|---|
| Author: | Felice Pollano, Matthew Yee | |||
| Website: | http://www.codeplex.com/deblector | |||
| Current version: | 1.0 | |||
| Last updated: | August 31, 2007 | |||
| Direct D/L link: | http://www.codeplex.com/Project/Download/FileDownload.aspx?ProjectName=deblector&DownloadId=18153 | |||
| License type: | Free / Open Source | |||
| Description: | Plug-in for .NET Reflector that allows you to debug .NET processes from within .NET Reflector. | |||
| Also listed in: | .NET Debuggers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Direct3D Hooking |
| ||
|---|---|---|---|---|
| Author: | Admiral | |||
| Website: | http://www.ring3circus.com/downloads/direct3d-hooking | |||
| Current version: | 1.1 | |||
| Last updated: | November 27, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A sample for hooking a Direct3D 9 program and drawing on its viewport. Translating this to Direct3D 8 should be trivial. Notes: * Vista support added with version 1.1 * This is not safe for 64-bit consumption, though that should be obvious. * While there’s no reason it can’t be made to work with Unicode, I’ve written everything in ASCII, for simplicity. * By default, the DLL will increase its own reference count to prevent it being unloaded prior to termination of the host process. This is because there is a small risk of the DLL being unloaded by one thread, while a hooked function in another returns to the now dead memory. I figured that it’s best to waste a little bit of everybody’s memory than to crash unnecessarily. * The d3d9.dll function addresses (and prologues) are hard-coded, or at least their offsets are. While this may look very unprofessional and rather risky, I can assure you that it’s quite safe. The alternative would be to hack up some virtual-function tables and that’s a whole other story for a whole other post. * You may notice that the compiled DLL is dependent upon D3DX. This isn’t necessary for the hook itself, but I used ID3DXFont in my example for demonstrative purposes. The only reason I mention this is that there is no way to guarantee the existence of any D3DX DLLs on a DirectX 9 machine, and distributing them yourself is in violation of the DirectX Runtime EULA. So if you happen to need to distribute this code, you’ll either need to carry the huge runtime installer around, or avoid using D3DX altogether. * The soft-hooks used here will cause problems with PunkBuster if applied to any of its monitored functions. If you need to do this then you’ll have to be a bit cleverer. * The source assumes that the graphics device will never become invalid. If you suspect that this isn’t the case (which will be true for any full-screen game at a minimum) then you’ll need to add the appropriate sanity checks (see IDirect3DDevice9::TestCooperativeLevel) before attempting to render anything, lest you want to crash and burn. | |||
| Also listed in: | DirectX Tools, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DisasMSIL |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/Files/disasmsil.htm | |||
| Current version: | 1.0 | |||
| Last updated: | April 30, 2008 | |||
| Direct D/L link: | http://ntcore.com/Files/disasmsil/DisasMSIL.zip | |||
| License type: | Free / Open source | |||
| Description: | DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it in any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any). Note: Don't rely on the ECMA specification (Partition III: Common Language Infrastructure), since it's incomplete. Some new opcodes were introduced with the .NET Framework 2.0. | |||
| Also listed in: | .NET Disassembler Libraries | |||