From Collaborative RCE Tool Library
Categorized by Tool Type
| Tool name: | radare |
| ||
|---|---|---|---|---|
| Author: | pancake | |||
| Website: | http://radare.nopcode.org | |||
| Current version: | 0.9.9 | |||
| Last updated: | September 2, 2008 | |||
| Direct D/L link: | http://radare.nopcode.org/get/radare-0.9.9.tar.gz | |||
| License type: | GPL | |||
| Description: | The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc. The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls. The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary. The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java. The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so). The debugger is mainly developed on linux and {Net|Free|Open}BSD on 32 and 64 bits on Intel x86 but it has support for linux-ARM, linux-MIPS, and Windows support is in mind too. Latest work on the debugger makes aims to make it work on MacOSX and Solaris/OpenSolaris for sparc, powerpc and intel. But there are IO plugins for debugging windows and DOS applications via wine and dosemu. Initial gxemul support gives us the possibility to also debug ARM, MIPS, SPARC, .. binaries. There are some internal commands to handle memory maps, mount a syscall proxy, inject code, patch data, dump user data sections, step-back, syscall tracing, hardware DRx register manipulation, conditional watchpoints with expressions, signalling manipulation, syscall injection and very early threading support.. Data structures can be parsed with hand-written C programs called as extensions from radare. So the hexadecimal editor comes with a set of views for different bases and print formats like URL-encoding, binary, octal, shellcode, C string-like, which is really useful for developing shellcodes. Python, LUA and perl scripting facilities with an API to manage the core, the debugger, code analysis, tracing facilities, handle metadata, etc.. There's a minimal GUI frontend written in C that interacts directly with an VTE running radare. But I plan to write a new native frontend written in Vala. Current development plugins are: * ewf: EnCase (R) forensic disk images and more * malloc: anonymous memory buffers * mmap: mapping files on memory * shm: shared memory access * socket: socket stream access * winedbg: WineDebugger interface ( winedbg://./program.exe ) * haret: Remotely read WindowsCE memory ( haret://host:port ) * ptrace: Debugs or attach to a process ( dbg://file or pid://PID ) * sysproxy: Connects to a remote syscallproxy server * remote: TCP IO ( listen://:port or connect://host:port ) * gdb: Debugs or attach to a process using gdb (gdb://file, gdb://PID, gdb://host:port) * w32: posix to native w32 api io * posix: plain posix file access The tools provided around the core are: * radare: command line hexadecimal editor with IO plugin extensions * rabin: get info from ELF/MZ/PE/MACHO/CLASS files * rasc: shellcode generator and tester (outputs in raw, hexpairs or C) * rasm: in line assembler/disassembler for multiple archs * radiff: binary diffing utilities for raw files, binaries, data blocks, etc * xrefs: find crossed references on raw images for ppc, arm and x86 * hasher: calculate different algorithms over data blocks of a file or stream * rsc: command line helpers written in shellscript or perl * javasm: minimalistic java assembler/disassembler/classdumper * xc: cmdline multiple radix numeric conversor FMI see the mailing list Have fun! | |||
| Also listed in: | .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Rebel.NET |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/rebelnet.php | |||
| Current version: | 1.0.0.1 | |||
| Last updated: | April 25, 2008 | |||
| Direct D/L link: | http://ntcore.com/Files/RebelDotNET.zip | |||
| License type: | Free | |||
| Description: | Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams. It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header. The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly. Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file. All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed. Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms. | |||
| Also listed in: | .NET Code Injection Tools, .NET Executable Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | xADT eXtensible Anti-Debug Tester |
| ||
|---|---|---|---|---|
| Author: | Shub-Nigurrath | |||
| Website: | http://arteam.accessroot.com | |||
| Current version: | 1.3 | |||
| Last updated: | November 5, 2007 | |||
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=33 | |||
| License type: | Free | |||
| Description: | The tool is thought to be an unique extensible platform for integrating all the anti-debugging tricks you might see around, using an unique extensible interface you also might easily extend using plugins. The tool is useful to test the hiding features of the debugging tools and custom loaders as well as the hiding of any other reversing tool: see how well they're hidden or not. The second advantage is to finally have an unique testing program and to not have hundreds of spare tiny programs. The easiness of adding new external tests, writing new plugins is also one important feature, which finally frees the author of new anti-debugging tools to concentrate on the logic of the test without having to spend a single second on its user's interface. Do you think your Olly is well hidden? Try this tool from Olly and all the possible hiding tools around, up to today there's always one test which detects Olly! Version 1.3 includes several plugins contributed by different authors as well as sources of sample plugins in Delphi, C, ASM. | |||
| Also listed in: | Anti Debug Test Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CFF Explorer |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://www.ntcore.com/exsuite.php | |||
| Current version: | 7.4.0.1 | |||
| Last updated: | June 11, 2008 | |||
| Direct D/L link: | http://www.ntcore.com/Files/CFF_Explorer.zip | |||
| License type: | Freeware | |||
| Description: | The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface. Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format. Also includes a cool new scripting engine! | |||
| Also listed in: | .NET Executable Editors, PE Executable Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Explorer Suite |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/exsuite.php | |||
| Current version: | III | |||
| Last updated: | June 11, 2008 | |||
| Direct D/L link: | http://ntcore.com/Files/ExplorerSuite.exe | |||
| License type: | Free | |||
| Description: | A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium. Features: * Process Viewer * Windows Viewer * PE and Memory Dumper * Full support for PE32/64 * Special fields description and modification (.NET supported) * PE Utilities * PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer) * View and modification of .NET internal structures * Resource Editor (full support for Windows Vista icons) * Support in the Resource Editor for .NET resources (dumpable as well) * Hex Editor * Import Adder * PE integrity checks * Extension support * Visual Studio Extensions Wizard * Powerful scripting language * Dependency Walker * Quick Disassembler (x86, x64) * Name Unmangler * Extension support * File Scanner * Directory Scanner * Deep Scan method * Recursive Scan method * Multiple results * Report generation * Signatures Manager * Signatures Updater * Signatures Collisions Checker * Signatures Retriever | |||
| Also listed in: | .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DeDe |
| ||
|---|---|---|---|---|
| Author: | DaFixer | |||
| Website: | http://dafixer.cjb.net | |||
| Current version: | 3.50.04 (build 1635) | |||
| Last updated: | June 25, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | DeDe is a very fast application that allows you to analyze executables compiled with Delphi 2,3,4,5,6,7, C++ Builder, Kylix and Kol, and gives you the following: · All .dfm files of the target. You will be able to open and edit them with Delphi. · All published methods in well commented ASM code with references to strings, imported function calls, classes methods calls, components in the unit, Try-Except and Try-Finally blocks. (By default DeDe retrieves only the published methods sources, but you may also process another procedure in a executable if you know the RVA offset using the Tools|Disassemble Proc menu.) · A lot of additional information the files. · You can create a Delphi project folder with all dfm, pas, dpr files. Note: pas files contains the mentioned above well commented ASM code. They can not be recompiled ! You can also: · View the PE Header of all PE Files and change/edit the sections flags. · Use the opcode-to-asm tool for translating intel opcode to assembler. · Use RVA-to-PhysOffset tool for fast converting physical and RVA addresses. · Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near to pascal code of your DCU files. · Use BPL(DPL) Dumper to see BPL exports and create symbol files to use with DeDe disassembler. · Disassemble a target EXE directly from memory in case of a packed exe. ------------ NOTE: The original site seems to be gone (or at least DeDe seems to be gone from it), and the locally archived copy here in this CRCETL entry is not the version with source code included. If someone has a copy of the version with source included, or a version higher than 3.50.02 build 1619 (which is the one we have locally archived, even though at least 3.50.04 build 1635 exists), please upload it here! | |||
| Also listed in: | Decompilers, Delphi Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Ultimate Hooking Engine |
| ||
|---|---|---|---|---|
| Author: | deroko of ARTeam | |||
| Website: | http://deroko.phearless.org | |||
| Current version: | ||||
| Last updated: | August 10, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Engine allows anyone to hook APIs very easily using their hooking dll. Each hooking dll might have 3 types of exports: 1. prefixed HOOK 2. prefixed Detoured 3. hookmain (optional) 1. Whenever you want to hook some API you will put this kind of export: HOOK_kernel32_GetModuleHandleA HOOK_user32_MessageBoxA Also note that inline hook will point to this procedure so this procedure will have all of your code responsible for certain API. 2. To be able to call original API from your hook you should export also this variable (in C/C++ it will be function pointer): Note how variables are prefixed with "Detoured_" Detoured_GetModuleHandleA Detoured_MessageBoxA Here is one example from C/C++ code: extern "C" __declspec(dllexport) HMODULE (__stdcall *Detoured_GetModuleHandleA)(LPCTSTR modulename) = NULL; extern "C" HMODULE __declspec(dllexport) __stdcall HOOK_kernel32_GetModuleHandleA(LPCTSTR modulename){ return Detoured_GetModuleHandleA(modulename); } Note also that this is optional, if you don't need to call orignal proc, then you don't need this export. Note that when working with MSVC2005 it will always screw export name for procedures while function pointers are properly exported, so add this line to your .def file: HOOK_kernel32_GetModuleHandleA = _HOOK_kernel32_GetModuleHandleA@4 Detoured_GetModuleHandleA 3. hookmain hookmain is export which has this prototype: void __stdcall hookmain(); This procedure will be called before program jumps to entrypoint of target, here you may add some extra code, it isn't very useful and all initialization you may perfrom in DllEntry, but I leave this here just in case that you want to start your own tracer before code jmps to entrypoint. At least that's why I'm using it. | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | .NET Hook Library |
| ||
|---|---|---|---|---|
| Author: | shokshok | |||
| Website: | http://dotnethook.sourceforge.net | |||
| Current version: | 2.1 | |||
| Last updated: | May 30, 2002 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | .Net Hook Library is a library (with a sample tool) to manipulate functions in a .NET Assembly. It allows for insertion of arbitrary code at the beginning of each function called in a .NET assembly (whether executable or assembly). Also provides code that reads through metadata and dumps information on it. The download contains detailed documentation about how it works and what it is. I'm in the process of converting this from an executable to a library. That way, existing applications can use it to modify the .NET binaries (a.k.a assemblies). | |||
| Also listed in: | .NET Code Injection Tools, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | AQtime |
| ||
|---|---|---|---|---|
| Author: | AutomatedQA, Corp. | |||
| Website: | http://automatedqa.com/products/aqtime/index.asp | |||
| Current version: | 5.40 | |||
| Last updated: | January 11, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial (with demo) | |||
| Description: | This tool does reportedly not work at all without having the source code for the analyzed program, which sadly makes it relatively useless for reversing purposes. See the following for more info: http://www.woodmann.com/forum/showthread.php?t=11306 ----------------------------- AQtime is AutomatedQA's award-winning performance profiling and memory and resource debugging toolset for Microsoft, Borland, Intel, Compaq and GNU compilers. The latest version of AQtime, AQtime 5, includes dozens of productivity tools that help you easily isolate and eliminate all performance issues and memory/resource leaks within your code by generating comprehensive and detailed reports for your .NET and Windows applications. AQtime supports .NET 1.0, 1.1, 2.0, 3.0 applications and Windows 32- and 64-bit applications. AQtime is built with one key objective - to help you completely understand how your programs perform during execution. Using its integrated set of performance and debugging profilers, AQtime collects crucial performance and memory/resource allocation information at runtime and delivers it to you both in summarized and detailed forms, with all of the tools you need to begin the optimization process. This is all done without modifying the application's source code! | |||
| Also listed in: | Code Coverage Tools, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Anti Olly Tester |
| ||
|---|---|---|---|---|
| Author: | Shub-nigurrath | |||
| Website: | http://arteam.accessroot.com/releases/ | |||
| Current version: | 1.0 | |||
| Last updated: | August 25, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds. Well this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists but there's a special attention paid to OllyDbg. Detects Debugging programs through different methods all connected to the execution environment. * Method 1: see if one of the currently running processes' Windows name is blacklisted or not * Method 2: Collects the ClassName of each of the active windows and check if it is blacklisted * Method 3: tests the processes paths and see if it is blacklisted * Method 4: tests modules (dll) loaded by any active process to see if any is a known plugin or matches a blacklistof process and words * Method 5: Opens the install folder where the program is running from and see if any of the files inside that folder has oneblacklisted word * Method 6: test export directory of the running processes, if there's something connected with Olly. * Method 7: test VERSION_INFO resource of the running processes to check if any matches a blacklist * Method 8: test all the other resources (dialog, menus, bitmaps and so on) of the running processes to check if any contains blacklisted words (either UNICODE or ASCII) The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tool around. The result is really interesting and the resulting check is very difficult to overcome: It's very difficult to hide Olly to this type of tests. The final code is very small, even if written using C. Moreover consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having a to write a single ASM trick. Note that this same test is inside the distribution 1.2 of xADT into the test "Find Complex". | |||
| Also listed in: | Anti Debug Test Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Boomerang |
| ||
|---|---|---|---|---|
| Author: | The Boomerang Decompiler Project | |||
| Website: | http://boomerang.sourceforge.net/ | |||
| Current version: | 0.3.1 | |||
| Last updated: | 2006 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | A general, open source, retargetable decompiler of machine code programs. This project is an attempt to develop a real decompiler for machine code programs through the open source community. A decompiler takes as input an executable file, and attempts to create a high level, compilable, possibly even maintainable source file that does the same thing. It is therefore the opposite of a compiler, which takes a source file and makes an executable. However, a general decompiler does not attempt to reverse every action of the decompiler, rather it transforms the input program repeatedly until the result is high level source code. It therefore won't recreate the original source file, probably nothing like it. It does not matter if the executable file has symbols or not, or was compiled from any particular language. (However, declarative languages like ML are not considered.) The intent is to create a retargetable decompiler (i.e. one that can decompile different types of machine code files with modest effort, e.g. X86-windows, sparc-solaris, etc). It was also intended to be highly modular, so that different parts of the decompiler can be replaced with experimental modules. It was intended to eventually become interactive, a la IDA Pro, because some things (not just variable names and comments, though these are obviously very important) require expert intervention. Whether the interactivity belongs in the decompiler or in a separate tool remains unclear. By transforming the semantics of individual instructions, and using powerful techniques such as Static Single Assignment dataflow analysis, Boomerang should be (largely) independent of the exact behaviour of the compiler that happened to be used. Optimisation should not affect the results. Hence, the goal is a general decompiler. | |||
| Also listed in: | Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CFSearch |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11306&page=2 | |||
| Current version: | 1.0A | |||
| Last updated: | February 15, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Extremely cool tracer tool that makes use of the "single step on branch", LBR ("last branch recording") features of current processors. Not released yet, but we're awaiting it with great anticipation! | |||
| Also listed in: | Tracers, Code Coverage Tools, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CHimpREC |
| ||
|---|---|---|---|---|
| Author: | Sébastien Doucet (TiGa) | |||
| Website: | http://www.iitac.org | |||
| Current version: | ReCon Edition | |||
| Last updated: | June 23rd, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Freeware | |||
| Description: | CHimpREC: The Cheap Imports Reconstructor by TiGa of ARTeam IITAC (http://www.iitac.org) This is the 32/64-bit imports rebuilder that I introduced at ReCon 2008 in Montreal. Made for the best compatibility with WoW64 on x64-based Windows XP or Vista. This is the same version that was used at the conference. The first official release will come soon. +Features The first universal 64-bit imports rebuilder 32-bit version included Interface similar to ImpREC Integrated 32/64-bit process dumper IAT AutoSearch from ImageBase or OEP Unshuffle thunks function Manual imports editor -Limitations No plugin support yet No AutoTrace feature No disassembler The Visual Studio 2005 SP1 redistributable package might be necessary too: x86: http://www.microsoft.com/downloads/details.aspx?familyid=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en x64: http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en | |||
| Also listed in: | Dump Fixers, IAT Restore Tools, Import Editors, Process Dumpers, Unpacking Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CHook |
| ||
|---|---|---|---|---|
| Author: | Darawk | |||
| Website: | N/A | |||
| Current version: | ||||
| Last updated: | October 16, 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | This is my hooking library that performs a variety of different types of hooks: - IAT hooking - EAT hooking - Debug register hooking - Thread-safe jmp patch hooking using a length-disassembler engine and a code thunk that masks the problem of jumping back to the original function. | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Coddec |
| ||
|---|---|---|---|---|
| Author: | Dr Bolsen | |||
| Website: | http://drbolsen.wordpress.com/2008/07/14/coddec-released | |||
| Current version: | ||||
| Last updated: | July 14, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Decompiler for Blackberry executables (COD files), includes source. | |||
| Also listed in: | BlackBerry Tools, Mobile Platform Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CodeAnalyst Performance Analyzer |
| ||
|---|---|---|---|---|
| Author: | AMD | |||
| Website: | http://developer.amd.com/tools/codeanalystwindows/Pages/default.aspx | |||
| Current version: | 2.76 | |||
| Last updated: | November 19, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | This tool works without having any source code or debug information for the analyzed program, which makes it very good for reversing purposes. See the following for more info: http://www.woodmann.com/forum/showthread.php?t=11306 ----------------------------- The AMD CodeAnalyst Performance Analyzer is a suite of powerful tools that analyzes software performance on AMD microprocessors. These tools are designed to support Microsoft® Windows XP®, Windows 2003 and Vista® distribution on x86 and AMD64 architectures. Although most users will choose the Graphical User Interface, the profiler is also offered as a command line utility to facilitate the use in batch files. * System-Wide Profiling : CodeAnalyst is designed to profile the performance of binary modules, including user mode application modules and kernel mode driver modules. Timer-Based Profiling and Event-Based Profiling collect data from multiple processors in a multi-processor system. * Timer-Based Profiling (TBP) : o The application to be optimized is run at full speed on the system that is running CodeAnalyst. EIP samples are collected at predetermined intervals and can be used to identify possible bottlenecks, execution penalties, or optimization opportunities. o On APIC enabled systems, the finest time resolution is 0.1ms and 1.0ms non-APIC enabled systems. * Event-Based Profiling (EBP) : CodeAnalyst EBP is designed to profile the hardware performance events on AMD Athlon™, AMD Athlon™ XP, AMD Opteron™, AMD Athlon™ 64 and AMD “Barcelona” (AMD Family 10h). With event multiplexing technique, CodeAnalyst EBP is able to profile more than 4 events simultaneously. * Instruction-Based Sampling (IBS) : Instruction-based Sampling is a new performance measurement technique supported by AMD Barcelona (Family 10h) processors. IBS has these advantages: o IBS precisely associates hardware event information with the instructions that cause the events. A data cache miss, for example, is associated with the AMD64 instruction performing the memory read or write operation that caused the miss. o IBS collects a wide range of hardware event information in a single measurement run. o IBS collects new information such as retire delay and data cache miss latency. * Call Stack Sampling (CSS) : Combining with TBP or EBP, Call Stack Sampling is able to collect data on caller-callee relationship on the hotspots. * Pipeline Simulation : Used during the second stage of an optimization effort to find the causes of bottlenecks. During simulation, application execution is first traced, and then simulated on a selected target processor. The detailed data on the execution of each instruction takes into account the previous instructions executed and the state of the processor caches. Simulation only supports single processor execution. Pipeline Simulation supports the simulation of 32-bit code on: o AMD Athlon™ XP processor o AMD Opteron™ processor o AMD Athlon™ 64 processor Pipeline Simulation also supports the simulation of 64-bit code on: o AMD Opteron™ processor o AMD Athlon™ 64 processor * Thread Profile : CodeAnalyst thread profiling views show the thread chart and non-local memory access. * Post Process : CodeAnalyst shows sample distribution without module debug information. o Interpret performance measurements rather than display raw performance data o Flexible view configuration and management --------------- This tool reportedly only works for AMD processors, while its Intel counterpart is the VTune Performance Analyzer. | |||
| Also listed in: | Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Codename ASLAN (4514N) |
| ||
|---|---|---|---|---|
| Author: | Piotr Bania | |||
| Website: | http://www.piotrbania.com/all/4514N/ | |||
| Current version: | (not yet released) | |||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | I'm currently working on my masterpiece project (school project), a first gui oriented and the most advanced integrating-metamorphic engine so far. Integration engine allows user to integrate any code to any PE binary file (x86 processors), including device drivers etc. etc. 4514N engine can rebuild all the PE structure, internal offsets (jumps,refferences), any type of PE sections relocs, imports, exports, resources...), moreover it even can keep the align of variables. Integration means that firstly target file is disassembled to pieces (it creates a chain which connects the body of target file), then we move that chain, we do everything we want (i call this step InverseKinematics, just because i'm an 3d graphics hobbyst) and then we compile the chain again. Such horrible modified application runs perfectly, moreover it is almost impossible to disinfect the modified target. So tell me, do you want to compile a rootkit inside of yours ndis.sys? :) I don't want to speak much about the metamorphic engine since it is not 100% ready yet. But the main thing you should know it is mostly based on the emulation process (and as far as i know it is the first metamorphic engine which does so), and many of the muation states are based on the Automaton Theory (which inspired me a lot). Lets consider the rest of the features as an future surprise :) | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Comrade's PE Tools |
| ||
|---|---|---|---|---|
| Author: | Comrade | |||
| Website: | http://comrade.ownz.com/projects/petools.html | |||
| Current version: | ||||
| Last updated: | July 31, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | * Inject Tool Inject is a tool that injects a DLL into a running process. Its command-line usage is as follows: 1. Inject C:\hook.dll into pid 1234: inject.exe 1234 C:\hook.dll 2. Inject C:\hook.dll into process notepad.exe (if multiple notepads are running, then whichever one is picked is undefined): inject.exe -p *notepad.exe C:\hook.dll 3. Inject C:\hook.dll into running process C:\myprogram.exe: inject.exe -p C:\myprogram.exe C:\hook.dll 4. Inject C:\hook.dll into process with a window named "Untitled - Notepad": inject.exe -w "Untitled - Notepad" C:\hook.dll 5. Inject C:\hook.dll into process with a window class Notepad: inject.exe -c Notepad C:\hook.dll Note that in all uses, you should specify the full path to the injected DLL. * Loader Tool Loader is a tool that injects a DLL before launching a process. Its command-line usage is as follows: 1. Load notepad.exe and inject C:\hook.dll into it: loader.exe notepad.exe C:\hook.dll Note that you should specify the full path to the injected DLL. * Patch Tool Patch is a tool that adds a new section to the executable. The new section becomes the new entrypoint, and contains code to load a particular DLL, and then jump back to the original entrypoint. This can be used to create static patches that behave similar to the Loader tool. The tool's command-line usage is as follows: 1. Patch original.exe to load C:\hook.dll before execution; save the patched executable to patched.exe: patch.exe original.exe patched.exe C:\hook.dll * Reimport Tool Reimport is a tool that redirects certain entries of an executable's import table to another DLL. For example, running reimport.exe game.exe newgame.exe nocd.dll kernel32.dll::GetDriveTypeA kernel32.dll::CreateFileA kernel32.dll::GetVolumeInformation will create a copy of game.exe into newgame.exe, with the above 3 API functions rerouted to nocd.dll, instead of kernel32.dll. That means newgame.exe would import GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.dll. | |||
| Also listed in: | Code Injection Tools, Import Editors, PE Executable Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Conditional Branch Logger |
| ||
|---|---|---|---|---|
| Author: | Blabberer / dELTA / Kayaker | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | June13, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints. | |||
| Also listed in: | Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DE Decompiler |
| ||
|---|---|---|---|---|
| Author: | GPcH Soft | |||
| Website: | http://www.de-decompiler.com | |||
| Current version: | 2.0 (updated) | |||
| Last updated: | March 2, 2008 | |||
| Direct D/L link: | http://www.de-decompiler.com/files/de_decompiler_lite.zip | |||
| License type: | Commercial (with demo) | |||
| Description: | DE Decompiler is the unique solution for decompiling the Delphi generated programs (EXE, DLL, OCX). As you know the Delphi programs is the native win32 executable files. DE Decompiler restores most parts of the compiled code and helps you to recover most parts of the lost sources. It contans the powerful disassembler which supports Pentium Pro commands including MMX and SSE extensions. Also it has a useful smart assembler code emulation engine. The build-in disassembler allows you to disassemble a lots of functions and represents it in semi-decompiled mode. DE Decompiler has a wonderful code analyzer which makes your work easy and fast. In addition to all it can search for all the API function's calls and the string references in the disassembled code and comment them out for analyzed strings. If you lost your source codes - DE Decompiler save your time and helps you to restore it. In general, DE Decompiler is the ideal tool for analyzing programs and it is perfect if you lose your source code and need to partially restore the project. | |||
| Also listed in: | Decompilers, Delphi Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DLL Injection Framework |
| ||
|---|---|---|---|---|
| Author: | Admiral | |||
| Website: | http://www.ring3circus.com/downloads/dll-injection-framework | |||
| Current version: | 1.0 | |||
| Last updated: | December 20, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | The process of remote function hooking via a DLL is notoriously messy, so I’ve tried to encapsulate as much of the mess as possible into a C++ class. Here’s an example of some client code that injects a DLL into Windows Calculator, then installs two hooks (one by name and another by address): ----------------------------------------------------------------- // Create the injection object DLLInjection injection("E:/Temp/HookDLL.dll"); // Find Calc.exe by its window DWORD process_id = injection.GetProcessIDFromWindow( "SciCalc", "Calculator"); // Inject the DLL HMODULE remote_module = injection.InjectDLL(process_id); // Hook a DLL function (User32!SetWindowTextW) HDLLHOOK swtw_hook = injection.InstallDLLHook( "C:/Windows/System32/User32.dll", "SetWindowTextW", "SetWindowTextHookW"); // Hook a function manually (Calc!0100F3CF) HDLLHOOK manual_hook = injection.InstallCodeHook( reinterpret_cast (0×0100F3CF), “SomeOtherHook”); // Remove the hooks injection.RemoveHook(swtw_hook); injection.RemoveHook(manual_hook); ----------------------------------------------------------------- Testing has been limited so don’t be surprised to find bugs. If you do find any, please report them. | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Desquirr - Decompiler Plugin for IDA Pro |
| ||
|---|---|---|---|---|
| Author: | David Eriksson | |||
| Website: | http://desquirr.sourceforge.net/desquirr/ | |||
| Current version: | 20070130 (desquirr-20070130-bin-ida_v5_0.zip) | |||
| Last updated: | November 13, 2003 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Desquirr is a decompiler plugin for IDA Pro. Desquirr currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments Read the Master Thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf | |||
| Also listed in: | IDA Extensions, Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DetourXS |
| ||
|---|---|---|---|---|
| Author: | Sinner | |||
| Website: | http://forum.gamedeception.net/showthread.php?t=10649 | |||
| Current version: | 1.0 | |||
| Last updated: | June 16, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | DetourXS is a library for function detouring. Example usage code: --------------------------------------------------------- #include <detourxs.h> typedef DWORD (WINAPI* tGetTickCount)(void); tGetTickCount oGetTickCount; DWORD WINAPI hGetTickCount(void) { printf("GetTickCount hooked!"); return oGetTickCount(); } // To create the detour oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP); // ...Or an address oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP); // ...You can also specify the detour len oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5); // To remove the detour DetourRemove(oGetTickCount); --------------------------------------------------------- | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Detours |
| ||
|---|---|---|---|---|
| Author: | Microsoft | |||
| Website: | http://research.microsoft.com/sn/detours | |||
| Current version: | 2.1 | |||
| Last updated: | 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code. Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary. Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software. We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry. Detours 2.1 is now available. Detours 2.1 includes the following new features: * Complete documentation of the Detours API. * Transactional model for attaching and detaching detours. * Support for updating peer threads when attaching or detaching detours. * Unification of dynamic and static detours into a single API. * Support for detection of detoured processes. * Significant robustness improvements in APIs that start a process with a DLL containing detour functions. * New APIs to copy payloads into target processes. * Support for 64-bit code on x64 and IA64 processors (available in Professional edition only). * Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7). | |||
| Also listed in: | API Monitoring Tools, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DevPartner Studio |
| ||
|---|---|---|---|---|
| Author: | Compuware | |||
| Website: | http://www.compuware.com/products/devpartner/studio.htm | |||
| Current version: | 8.2 | |||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Commercial (with trial) | |||
| Description: | This tool does reportedly not work at all without having the source code for the analyzed program, which sadly makes it relatively useless for reversing purposes. See the following for more info: http://www.woodmann.com/forum/showthread.php?t=11306 ----------------------------- Performance Analysis: --------------------- DevPartner Studio performance analysis takes you where few profiling tools can go, to the individual line of source code to identify and analyze slow code and performance bottlenecks line by line. Using DevPartner Studio performance profiling, you can: * profile Visual C++, Visual Basic, .NET, C#, VBScript and JScript code from top to bottom * trace running applications and differentiate between application and operating system calls, all through an intuitive user interface * isolate performance bottlenecks in single and multi-tiered applications at machine, process, component or source line levels * receive recommendations and corrective actions from one key source—DevPartner Studio. Code Coverage Analysis: ----------------------- No more relying on relatively subjective reports to test code. DevPartner Studio Professional Edition code coverage analysis tells you how much code was tested, how well it tested and what was never tested at all. You get the answers you need to focus testing where it's needed most, whether it's code check-in, unit testing, integration testing or final release. To zero-in on untested code for you, DevPartner Studio: * captures and combines testing sessions for applications, components and web pages * traces both .NET and native code across users, languages and application tiers * pinpoints the portions of an application left unexecuted during one or more tests * merges sessions to present a clear picture of testing progress over time. | |||
| Also listed in: | Profiler Tools, Code Coverage Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Direct3D Hooking | |
|---|