From Collaborative RCE Tool Library
Monitoring Tools
| Tool name: | All-Seeing Eye |
|---|---|
| Author: | Fortego Security |
| Website: | http://www.fortego.com/en/ase.html |
| Current version: | 0.7.1 |
| Last updated: | 2007 |
| Direct D/L link: | http://www.fortego.com/resources/ase071.zip |
| License type: | Free |
| Also listed in: | File System Diff Tools, Install Monitoring Tools, Registry Monitoring Tools, System Diff Tools |

Description: Tool for automated diff-style checking of many sensitive system areas that malware and other programs often try to modify silently. Like Tripwire on speed.

| Tool name: | Detours |
|---|---|
| Author: | Microsoft |
| Website: | http://research.microsoft.com/sn/detours |
| Current version: | 2.1.216 |
| Last updated: | November 10, 2008 |
| Direct D/L link: | http://ftp.research.microsoft.com/downloads/d36340fb-4d3c-4ddd-bf5b-1db25d03713d/DetoursExpress.msi |
| License type: | Free |
| Also listed in: | API Monitoring Tools, Code Injection Tools |

Description: Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary. Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software. We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

| Tool name: | DongleKnack |
|---|---|
| Author: | H. Haftmann |
| Website: | http://www-user.tu-chemnitz.de/~heha/ |
| Current version: | 2.00 |
| Last updated: | |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware & Source (TASM, Pascal) |
| Also listed in: | Dongle Dumper Tools, Dongle Emulation Tools, Parallel Comm Monitoring Tools |

Description: This tool logs all traffic on the parallel port at ring 0 level by using a dynamic VxD. Thus it works on all Win9x-related Windows (Win3x, Win9x and Win2K). The dynamic VxD either modifies the IOPM (IO Permission Map) or traps the port by setting a Debug Register on its address. To use the Debug Register method you need at least a Pentium processor. If you have logged all port traffic, you can replay the logged port traffic and thus emulate the dongle. The log file is not compressed and it can be used to understand the dongle routines in the application you want to crack. Be sure you check the source if you're interested in Win9x system programming.

| Tool name: | Fenris |
|---|---|
| Author: | lcamtuf |
| Website: | http://lcamtuf.coredump.cx/fenris |
| Current version: | 0.07-m2 build 3245 |
| Last updated: | July 11, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Also listed in: | Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers, Tracers |

Description: Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are:

* Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logical program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.
* libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simpler; this functionality is both embedded in other components and available as a standalone tool that adds a symtab to ELF binaries and can be used with any debugger or disassembler.
* Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure.
* nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development).
* Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface).
* ...and some other companion utilities.

| Tool name: | Kernel Detective |
|---|---|
| Author: | GamingMaster -AT4RE |
| Website: | http://www.at4re.com |
| Current version: | 1.3.0 |
| Last updated: | June 20, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Also listed in: | Hook Detection Tools, Kernel Hook Detection Tools, Kernel Tools, Malware Analysis Tools |

Description: Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you access to the kernel directly, so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!

Supported NT versions: XP/Vista

Kernel Detective gives you the ability to:

1. Detect Hidden Processes.
2. Detect Hidden Threads.
3. Detect Hidden DLLs.
4. Detect Hidden Handles.
5. Detect Hidden Drivers.
6. Detect Hooked SSDT.
7. Detect Hooked Shadow SSDT.
8. Detect Hooked IDT.
9. Detect Kernel-mode code modifications and hooks.
10. Disassemble (Read/Write) Kernel-mode/User-mode memory.
11. Monitor debug output on your system.

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in the system and allow the user to forcibly terminate them.

Enumerate a specific running process's Dynamic-Link Libraries and show every DLL's ImageBase, EntryPoint, Size and Path. You can also inject or free a specific module.

Enumerate a specific running process's opened handles, show every handle's object name and address, and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address; the detection algorithm was improved to bypass KeServiceDescriptorTable EAT/IAT hooks. You can restore a single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.

Scan the important system kernel modules, detect the modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking at more types of hooks for the next releases of Kernel Detective.

A nice disassembler that relies on the OllyDbg disasm engine; thanks to Oleh Yuschuk for publishing your nice disasm engine. With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even the kernel space memory. Kernel Detective uses its own Read/Write routines from kernel-mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W processes' VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and also bypass the hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

| Tool name: | Memory Hacking Software |
|---|---|
| Author: | L. Spiro |
| Website: | http://www.memoryhacking.com |
| Current version: | 5.009 |
| Last updated: | August 14, 2009 |
| Direct D/L link: | http://mhs.mpcforum.com/MHS5.009.rar |
| License type: | Free |
| Also listed in: | Code Coverage Tools, Memory Data Tracing Tools, Memory Search Tools, Trainer Generators |

Description: Highly advanced software for memory search/analysis and trainer creation. Recommended!

MHS 5.005 (bundle): Bundle includes MHS.exe, zlib1.dll, MHS Help.chm, and ChangeLog.txt.

Features:

* Fastest Searching
  - Data-Type Search
  - Pointer Search
  - String Search (ASCII, Unicode, Hex Bytes, Wildcard, Regular Expressions)
  - Group Search (Includes Pattern Matching)
  - Expression Search (Extremely Flexible)
  - Script Search (The Ultimate in Custom Searching)
* Debugger
  - Very Stable
  - Customizable Breakpoints
* Disassembler
* Code Filter
  - Easiest Way to Find Functions
* Auto-Hack
* Auto-Assembler
  - 90% Same Language/Syntax as in Cheat Engine
* DLL Injector
  - Injects any DLL into the Target Process
  - Uninject Later, Automatically or Manually
  - Remotely Call ANY Functions in the Injected DLL(s), Regardless of Calling Convention, Return Type, or Number of Parameters
* Integrated Script Language
  - IDE/Compiler Built-In
  - Syntax Matches C; No Learning Curve
  - Compiled for Fast Execution
  - Full API
  - Includes Features Specially for Hacking
* Real-Time Hex Editor
  - Fully Featured Real-Time Hex Editor for Both RAM and Files
  - Allows Browsing of Kernel RAM
* Kernel Driver
  - Allows Bypassing Anti-Cheat Systems
  - Allows Reading/Writing of Kernel RAM
* Converter
* RAM Watcher
* Memory Allocator
  - Allocates Memory in the Target Process

| Tool name: | oSpy |
|---|---|
| Author: | Ole André Vadla Ravnås |
| Website: | http://code.google.com/p/ospy |
| Current version: | 1.9.8 |
| Last updated: | July 18, 2009 |
| Direct D/L link: | http://ospy.googlecode.com/files/oSpy-1.9.8.zip |
| License type: | Free / Open Source |
| Also listed in: | API Monitoring Tools |

Description: oSpy is a tool which aids in reverse-engineering software running on the Windows platform. With the amount of proprietary systems that exist today (synchronization protocols, instant messaging, etc.), the amount of work required to keep up when developing interoperable solutions will quickly become a big burden when limited to traditional techniques. However, when the sniffing is done on the API level it allows a much more fine-grained view of what's going on. Seeing return addresses for each recv/send call (for example) can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it's easy to intercept these calls as well. oSpy already intercepts one such API, which is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

Another neat feature is when wanting to see how an application behaves when in a firewalled environment. Normally you would have to simulate such an environment by configuring firewalls etc., which not only is time-consuming, but might also cripple the rest of the applications you've got running. oSpy solves this problem by a feature called softwalling, which allows you to set rules based on the type of function call, the return address, local/remote address/port, etc., and lets you choose which error to signal back to the application when the rule matches. This way you can make the application think that, for example, a connect() timed out, the connection was refused, there was no route to host, etc.

| Tool name: | Process Explorer |
|---|---|
| Author: | Mark Russinovich |
| Website: | http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx |
| Current version: | 11.33 |
| Last updated: | February 4, 2009 |
| Direct D/L link: | http://download.sysinternals.com/Files/ProcessExplorer.zip |
| License type: | Free |
| Also listed in: | Process Monitoring Tools |

Description: The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

| Tool name: | Process Hacker |
|---|---|
| Author: | wj32 |
| Website: | http://processhacker.sourceforge.net |
| Current version: | 1.4 |
| Last updated: | August 22, 2009 |
| Direct D/L link: | http://downloads.sourceforge.net/project/processhacker/processhacker/processhacker-1.4/processhacker-1.4-bin.zip |
| License type: | Open Source (GNU General Public License) |
| Also listed in: | Malware Analysis Tools, Process Monitoring Tools |

Description: Process Hacker is a feature-packed tool for manipulating processes and services on your computer. Key features of Process Hacker:

- A simple, customizable tree view with highlighting showing you the processes running on your computer.
- Detailed performance graphs.
- A complete list of services and full control over them (start, stop, pause, resume and delete).
- A list of network connections.
- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...
- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allow it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).
- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.
- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject, and right-click a module and select "Unload" to unload!
- Many more features...

| Tool name: | radare |
|---|---|
| Author: | pancake |
| Website: | http://www.radare.org |
| Current version: | 1.4.1 |
| Last updated: | November 3, 2009 |
| Direct D/L link: | http://radare.nopcode.org/get/radare-1.4.1.tar.gz |
| License type: | GPL |
| Also listed in: | .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers |

Description: The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java, and some powerpc. The core is a raw hexadecimal editor for the command line with scripting features and perl/python extensions that gets extended with IO plugins that hook the open/read/write/close/system calls. The debugger and disassembler have a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window, or store the flow execution of a program in a log file and use the information to diff it against another trace or binary. The toolchain provides assemblers and disassemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java. The disassembler has been enhanced to handle inline comments, code block detection and flag references (data pointers or so). The debugger is mainly developed on linux and {Net

| Tool name: | SysAnalyzer |
|---|---|
| Author: | David Zimmer (iDefense Labs) |
| Website: | http://labs.idefense.com/files/labs/releases/previews/SysAnalyzer/ |
| Current version: | |
| Last updated: | January 19, 2007 |
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=15 |
| License type: | GPL2 |
| Also listed in: | Disk Monitoring Tools, Registry Monitoring Tools, Network Monitoring Tools, Install Monitoring Tools, API Monitoring Tools, File Monitoring Tools, Memory Dumpers |

Description: SysAnalyzer is an automated malcode run-time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* Parse memory dump for strings
* Parse strings output for exe, reg, and url references
* Scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

| Tool name: | TCPView |
|---|---|
| Author: | Mark Russinovich |
| Website: | http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx |
| Current version: | 2.54 |
| Last updated: | March 17, 2009 |
| Direct D/L link: | http://download.sysinternals.com/Files/TcpView.zip |
| License type: | Free |
| Also listed in: | Network Monitoring Tools |

Description: TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

| Tool name: | tcpdump |
|---|---|
| Author: | The Tcpdump team |
| Website: | http://www.tcpdump.org/ |
| Current version: | 4.0.0 |
| Last updated: | July 18, 2009 |
| Direct D/L link: | http://www.tcpdump.org/release/tcpdump-4.0.0.tar.gz |
| License type: | BSD |
| Also listed in: | Network Sniffers |

Description: From Wikipedia's entry for tcpdump: tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group. Distributed under a permissive free software licence, tcpdump is free software.

Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. There is also a port of tcpdump for Windows called WinDump; this uses WinPcap, which is a port of libpcap to Windows.

In some Unix-like operating systems, a user must have superuser privileges to use tcpdump because the packet capturing mechanisms on those systems require elevated privileges. However, the -Z option may be used to drop privileges to a specific unprivileged user after capturing has been set up. In other Unix-like operating systems, the packet capturing mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required. The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this renders the output more usable on networks with a high volume of traffic.

| Tool name: | Wireshark |
|---|---|
| Author: | Gerald Combs |
| Website: | http://www.wireshark.org |
| Current version: | 1.2.1 |
| Last updated: | July 20, 2009 |
| Direct D/L link: | http://www.wireshark.org/download/win32/wireshark-win32-1.2.1.exe |
| License type: | Free / Open Source |
| Also listed in: | Network Sniffers |

Description: Wireshark (previously Ethereal) is the world's foremost network protocol analyzer, and is the standard in many industries. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development. Wireshark has a rich feature set which includes the following:

* Hundreds of protocols are supported, with more being added all the time
* Live capture and offline analysis are supported
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list, which eases analysis
* Output can be exported to XML, PostScript®, CSV, or plain text

| Tool name: | ADInsight |
|---|---|
| Author: | Bryce Cogswell & Mark Russinovich |
| Website: | http://www.microsoft.com/technet/sysinternals/utilities/adinsight.mspx |
| Current version: | 1.01 |
| Last updated: | November 20, 2007 |
| Direct D/L link: | N/A |
| License type: | Free |
| Also listed in: | Active Directory Monitoring Tools |

Description: ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems. ADInsight uses DLL injection techniques to intercept calls that applications make in the Wldap32.dll library, which is the standard library underlying Active Directory APIs such as LDAP and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all client-side APIs, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load its tracing DLL, which means that it does not require administrative permissions; however, if run with administrative rights, it will also monitor system processes, including Windows services. ADInsight works on Windows 2000 and higher.

| Tool name: | DebugView |
|---|---|
| Author: | Mark Russinovich |
| Website: | http://www.microsoft.com/technet/sysinternals/Miscellaneous/DebugView.mspx |
| Current version: | 4.76 |
| Last updated: | October 16, 2008 |
| Direct D/L link: | N/A |
| License type: | Free |
| Also listed in: | Debug Output Monitoring Tools |

Description: DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.

| Tool name: | DynLogger |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/dynlogger.php |
| Current version: | 1.1.0.1 |
| Last updated: | April 14, 2008 |
| Direct D/L link: | http://ntcore.com/Files/DynLogger_x86.zip |
| License type: | Free |
| Also listed in: | API Monitoring Tools |

Description: DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come in very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules. Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version. I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET applications as well. Just start the logging process; the log will be saved after you quit the monitored application.

| Tool name: | Memoryze |
|---|---|
| Author: | Mandiant |
| Website: | http://www.mandiant.com/software/memoryze.htm |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free |

Description: MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.

MANDIANT Memoryze can:

* image the full range of system memory (not reliant on API calls).
* image a process' entire address space to disk. This includes a process' loaded DLLs, EXEs, heaps, and stacks.
* image a specified driver or all drivers loaded in memory to disk.
* enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  * report all open handles in a process (for example, all files, registry keys, etc.).
  * list the virtual address space of a given process, including:
    * displaying all loaded DLLs.
    * displaying all allocated portions of the heap and execution stack.
  * list all network sockets that the process has open, including any hidden by rootkits.
  * output all strings in memory on a per-process basis.
* identify all drivers loaded in memory, including those hidden by rootkits.
* report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
* identify all loaded kernel modules by walking a linked list.
* identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

MANDIANT Memoryze can perform all these functions on live system memory or memory image files, whether they were acquired by Memoryze or by other memory acquisition tools.

Also listed in: Kernel Hook Detection Tools, Memory Dumpers
| Tool name: | Auto Debug |
|---|---|
| Author: | |
| Website: | http://www.autodebug.com |
| Current version: | 4.3 |
| Last updated: | 2007 |
| Direct D/L link: | N/A |
| License type: | Shareware |

Description: Auto Debug is an API monitor tool that automatically traces the input and output parameters of all APIs and ActiveX interfaces. After you select the APIs you want to monitor, it traces the target program and logs the input parameters and return values of each call. While monitoring any DLL or ActiveX interface it automatically analyses the matching PDB files to recover parameter types.

Unlike other API spy / API monitor tools, Auto Debug does not require the user to develop any DLL or hook DLL. It is easy to use: simply switch the APIs you want to monitor ON, and once the target application runs and calls these APIs, their input and output parameters are logged automatically. No DLL needs to be written; once the software is installed you can start monitoring APIs immediately.

If you have the API prototype (usually from the .h file), you can build a PDB file without the original source. For example, a sample for generating a PDB file for comdlg32.dll can be found at $InstallPath\PDBsample. (This requires the Professional version, which also ships generated PDB files for over 30 Windows system DLLs.)

News: an Auto Debug for Windows x64 version is available.

Features (the source code does not need to be rebuilt to monitor the input parameters and output results of the traced APIs in the target program; only the input and output of the APIs are monitored):

* Source code level monitoring (new in Professional V4.1).
* Automatic analysis of parameter types from PDB files (new in V4.0). Supports Visual Studio 2005, Visual Studio .NET 2003 and Visual C++ 6.0.
* Easy generation of PDB files without source code if you know the API prototype (new in Professional V4.0).
* Tracing of release builds of your application.
* The best API monitor tool.
* Tracing of release builds using a map file.
* Supports debug and release builds; no source code needed.
* Supports tracing of COM interfaces.
* Supports multithreaded targets.
* No need to know the prototypes of the functions.
* Traces not only exported APIs but also undocumented APIs.

Also listed in: API Monitoring Tools
| Tool name: | APIScan |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.openrce.org/forums/posts/456 |
| Current version: | 2.2 |
| Last updated: | April 28, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: APIScan is a simple tool to gather a list of the APIs that a target process uses. You can use this list in an initial analysis to help determine a target's general operating nature. It can also be used to help determine patch/update changes by doing a WinDiff on a "before" and "after" dump.

There are similar tools, often more robust (like "Dependency Walker"), but most of these just parse the target's IAT ("Import Address Table") alone. APIScan catches dynamically/delay-loaded modules too, and dumps them as a simple list.

Example dump for a module:

```
Library       Flags   Function
====================================
-- COMCTL32.DLL
[I...]  ImageList_Add
[I...]  ImageList_Create
[I...]  ImageList_Destroy
[I.O.]  InitCommonControls
[.D..]  InitCommonControlsEx
[.D.F]  ImNotHere
...
...
```

Explanation: APIScan saw that "COMCTL32.DLL" is loaded as an import via the IAT, and it also caught it being loaded dynamically for "InitCommonControlsEx". That's the 'D' flag in "[.D..] InitCommonControlsEx". The 'F' in "[.D.F] ImNotHere" means that the application failed in one or more attempts to dynamically load (from the 'D') "ImNotHere", since this export doesn't exist in "COMCTL32.DLL". In "[I.O.] InitCommonControls", the 'I' tells us this API is in the IAT, and the 'O' tells us it was imported by ordinal. Note that an entry can carry both the 'I' and 'D' flags (as well as 'O', and 'F' if there is a 'D'), since an application can have an API both in its IAT and loaded dynamically (with "GetProcAddress()").

Changes:

2.2: Got rid of the index numbers around the DLL and API dumps, which made WinDiff'ing a mess.

TODO:

1. Add intra-module support. APIScan could parse the IATs of modules/DLLs and optionally filter out GetProcAddress() calls made within modules for better focus.
2. Optional real-time output to DBGVIEW.

Also listed in: API Monitoring Tools, Dependency Analyzer Tools
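The entry's own suggestion is to WinDiff a "before" and "after" dump, and the flag legend above is small enough to parse properly. The following is an added example, not part of APIScan: a Python parser for dumps in the layout shown above (library lines beginning with "--", API lines carrying a four-position [IDOF] flag field) and a structured diff of two dumps that reports added and removed APIs, flag changes, and failed dynamic lookups. The two sample dumps at the bottom are constructed for the example; the module and API names in them are illustrative.

```python
"""Parse APIScan-style dumps and diff a "before" and "after" capture.

Added example, not part of APIScan: the dump layout and the I/D/O/F flag
meanings follow the entry above; the two sample dumps at the bottom are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Flag slots as they appear in "[I.O.]": I = in the IAT, D = resolved
# dynamically (GetProcAddress), O = imported by ordinal, F = a dynamic
# lookup failed. Each slot is either its letter or '.'.
FLAG_NAMES = ("I", "D", "O", "F")
LIB_RE = re.compile(r"^--\s+(\S+)\s*$")
API_RE = re.compile(r"^\[([I.])([D.])([O.])([F.])\]\s+(\S+)\s*$")


@dataclass(frozen=True)
class ApiUse:
    library: str
    function: str
    flags: FrozenSet[str]


def parse_dump(text: str) -> Dict[Tuple[str, str], ApiUse]:
    """Return {(library, function): ApiUse} for every API line in a dump.

    Column headers, separator rules and '...' markers are skipped. Anything
    else unrecognised raises, so a truncated or foreign file is not quietly
    read as 'this process uses no APIs'.
    """
    uses = {}
    current_lib = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("...", "=", "Library")):
            continue
        m = LIB_RE.match(line)
        if m:
            current_lib = m.group(1).upper()
            continue
        m = API_RE.match(line)
        if not m:
            raise ValueError("unrecognised dump line: %r" % line)
        if current_lib is None:
            raise ValueError("API line before any '-- LIBRARY' line: %r" % line)
        flags = frozenset(n for n, ch in zip(FLAG_NAMES, m.groups()[:4]) if ch != ".")
        if "F" in flags and "D" not in flags:
            raise ValueError("'F' only makes sense together with 'D': %r" % line)
        key = (current_lib, m.group(5))
        uses[key] = ApiUse(current_lib, m.group(5), flags)
    return uses


def diff_dumps(before_text: str, after_text: str) -> dict:
    """Structured equivalent of WinDiff'ing two dumps.

    'failed_dynamic' lists APIs the 'after' build tried to resolve at run
    time and could not; a new one after a patch usually means a renamed or
    removed export, or a probe for an API that is optional on some OS.
    """
    before, after = parse_dump(before_text), parse_dump(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(
            (k, sorted(before[k].flags), sorted(after[k].flags))
            for k in before.keys() & after.keys()
            if before[k].flags != after[k].flags),
        "failed_dynamic": sorted(k for k, u in after.items() if "F" in u.flags),
    }


# Constructed sample dumps in the layout shown in the entry above.
BEFORE_DUMP = """\
Library       Flags   Function
====================================
-- COMCTL32.DLL
[I...]  ImageList_Add
[I...]  ImageList_Create
[I.O.]  InitCommonControls
[.D..]  InitCommonControlsEx
-- KERNEL32.DLL
[I...]  CreateFileA
...
"""

AFTER_DUMP = """\
Library       Flags   Function
====================================
-- COMCTL32.DLL
[I...]  ImageList_Add
[I...]  ImageList_Create
[IDO.]  InitCommonControls
[.D..]  InitCommonControlsEx
[.D.F]  ImNotHere
-- KERNEL32.DLL
[I...]  CreateFileW
[.D..]  IsWow64Process
...
"""

if __name__ == "__main__":
    for section, items in diff_dumps(BEFORE_DUMP, AFTER_DUMP).items():
        print(section)
        for item in items:
            print("   ", item)
```

Running the file prints the diff of the two constructed dumps. A flag change from [I.O.] to [IDO.] on the same API, as in the sample, tells you the new build also resolves that export at run time, which is the kind of detail a plain text diff tends to bury among reordered lines.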
| Tool name: | BoundsChecker |
|---|---|
| Author: | Compuware |
| Website: | http://www.compuware.com/products/devpartner/visualc.htm |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Commercial |

Description: Among many things, BoundsChecker is actually a pretty decent API monitor/logger.

Also listed in: API Monitoring Tools
| Tool name: | Bus Hound |
|---|---|
| Author: | Perisoft |
| Website: | http://www.perisoft.net/bushound/index.htm |
| Current version: | 6.01 |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free + commercial version |

Description: Bus Hound is the premier software bus analyzer for capturing I/O, protocol, and performance measurements. Bus Hound can also be used to build and submit commands to devices, including bus resets, from a graphical interface.

Power user features:

* Capture megabytes of I/O at a time
* View I/O on screen in real time
* Trigger on conditions
* Build and submit custom commands
* Issue bus and device resets
* Capture the system startup process
* View low-level protocol including SCSI sense data and SMART commands
* View microsecond resolution timing
* Drag and drop captured data to other applications or save it to a zip file
* Capture isochronous and control transfers
* View IRPs and other device driver packets

Bus support: USB 1.0 & 2.0; SCSI & ATAPI; IDE & SATA; FireWire, 1394a/b; Bluetooth; Fibre Channel; iSCSI, SAS; PC Card, PCMCIA; serial port; parallel port; PS/2 ports; ...and more

OS support: 32-bit and 64-bit Windows 2008, Windows Vista, Windows 2003, Windows XP, Windows XP Embedded, Windows 2000, Windows NT 4.0, Windows Me, Windows 98, Windows 95

Device support: DVD, CD, Blu-ray; hard drives, tape drives; removable drives; web cams, cameras; mice, keyboards, HID; printers, scanners; speakers, modems; ...and everything else!

Also listed in: Bus Monitoring Tools, USB Monitoring Tools
| Tool name: | busTRACE |
|---|---|
| Author: | busTRACE Technologies |
| Website: | http://www.bustrace.com |
| Current version: | 8.0.047 |
| Last updated: | June 15, 2009 |
| Direct D/L link: | N/A |
| License type: | Commercial |

Description: busTRACE 8.0 is a comprehensive bus and device analysis tool in use by leading system OEMs, peripheral OEMs, software developers, USB developers, and storage developers all over the world. busTRACE 8.0 provides a suite of applications designed to help you perform advanced bus and device analysis.

* Capture I/O Activity
  * Capture I/O activity on local or remote computers
  * Allow remote busTRACE users to capture I/O activity
* Generate I/O Activity
  * Send a single CDB to a storage device
  * Send a sequence of CDBs to a storage device
  * Perform a read/write/compare stress test
  * View ATA/ATAPI Identify information
* Simulate Device Faults
  * Simulate a failure on one or more specified devices
* Additional Tools
  * View Device Command Descriptor Blocks
  * View Device Sense Codes
  * CD/DVD Exclusive Access Status

Also listed in: Bus Monitoring Tools
| Tool name: | CFSearch |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11306&page=2 |
| Current version: | 1.0A |
| Last updated: | February 15, 2008 |
| Direct D/L link: | N/A |
| License type: | Free |

Description: Extremely cool tracer tool that makes use of the "single step on branch" and LBR ("last branch recording") features of current processors. Not released yet, but we're awaiting it with great anticipation!

Also listed in: Tracers, Code Coverage Tools, Profiler Tools
| Tool name: | Cheat 'O Matic |
|---|---|
| Author: | Nick Shaffner |
| Website: | http://www.geocities.com/TimesSquare/Dungeon/5633 |
| Current version: | 0.99a |
| Last updated: | 1997 |
| Direct D/L link: | http://bunnzy.oldgamemusic.com/files/extras/apps/cheatomatic099.zip |
| License type: | Freeware |

Description: Cheat 'O Matic is an EXTREMELY easy to use UNIVERSAL cheating program designed to allow you to automatically cheat on ANY game (or other program) that will run on Windows '95, '98 and 'NT (including DOS, Windows 3.1, Windows '95, Windows '98 and Windows 'NT games) - as the game actually runs! Additionally, Cheat 'O Matic allows you to cheat on programs that don't have cheat codes, or in completely different ways that cheat codes may not exist for, and perhaps the game's programmers never intended.

Also listed in: Memory Data Tracing Tools, Memory Search Tools
| Tool name: | Conditional Branch Logger |
|---|---|
| Author: | Blabberer / dELTA / Kayaker |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | June 13, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and for finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system DLLs before the entry point of the target is reached. Numerous options are available for fine-tuning the logging ranges and manipulating breakpoints.

Also listed in: Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers
| Tool name: | DiskMon |
|---|---|
| Author: | Mark Russinovich |
| Website: | http://www.microsoft.com/technet/sysinternals/FileAndDisk/Diskmon.mspx |
| Current version: | 2.01 |
| Last updated: | November 1, 2006 |
| Direct D/L link: | N/A |
| License type: | Free |

Description: DiskMon is an application that logs and displays all hard disk activity on a Windows system. You can also minimize DiskMon to your system tray where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.

Also listed in: Disk Monitoring Tools
| Tool name: | DotNET Tracer |
|---|---|
| Author: | Kurapica |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11859 |
| Current version: | 0.6 |
| Last updated: | June 15, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: This is a simple tool that has similar functionality to RegMon or FileMon, but it's designed to trace events in .NET assemblies at runtime; many events can be reported so you can understand what's going on in the background.

1. Select the assembly you want to analyze
2. Set the Events Mask, i.e. the events you want to catch
3. Click "Start"

I hope it's useful and as always bug reports are welcome.

Also listed in: .NET Tracers
| Tool name: | Dream of every reverser |
|---|---|
| Author: | deroko of ARTeam |
| Website: | http://deroko.phearless.org |
| Current version: | public |
| Last updated: | May 6, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: Engine used to perform a stealth memory trace of a target. The public version only supports tracing of the EIP in a certain range. To compile the source you will need the DDK. It supports MP and Win2k/WinXP. Systems running KAV are not supported, as KAV installs a hook in SwapContext which is essential for this tracer.

Technical aspects:

1. Hooks int 0e and int 01
2. Hooks SwapContext
3. Installs ProcessNotifyRoutine

Due to the nature of paged memory in r3, there are 2 ways of tracing: using the U/S flag, and using the P bit in the PTE. Both cases are handled, and both PAE and non-PAE addressing modes are supported. The role of SwapContext is to set breaks on the given range when the traced process is about to execute. The role of the notify routine is to stop the tracer if the traced program exits by any chance during tracing. When the good range is hit, the tracer will automatically stop and you will see in DebugView or DbgMon when EIP is in the good range.

Also listed in: Technical PoC Tools, Tracers
| Tool name: | ERESI Framework |
|---|---|
| Author: | The ERESI Project |
| Website: | http://www.eresi-project.org |
| Current version: | 0.8a23 |
| Last updated: | November 30, 2007 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |

Description: The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS. ERESI is a general purpose hybrid framework: it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language, which makes the framework more adaptable to the precise needs of its users. It brings an environment of choice for program analysis through instrumentation, debugging, and tracing, and it also provides more than ten exclusive major built-in features. ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project promotes modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.

The ERESI framework includes:

* The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files.
* The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without the standard debug API (namely without ptrace).
* The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at the full frequency of execution without generating traps.
* The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data into the OS kernel, but also to infer, inspect and modify kernel structures directly in the ERESI language.
* The Evarista static analyzer, a work-in-progress ERESI interpreter for program transformation and data-flow analysis of binary programs, implemented directly in the ERESI language (no web page yet).

Besides those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:

* libelfsh: the binary manipulation library on which ELFsh, E2dbg, and Etrace are based.
* libe2dbg: the embedded debugger library which operates from inside the debuggee program.
* libasm: the disassembly engine (x86 and SPARC) that gives semantic attributes to instructions and operands.
* libmjollnir: the code fingerprinting and graph manipulation library.
* librevm: the Reverse Engineering Vector Machine, which contains the meta-language interpreter and the standard ERESI library.
* libaspect: the type system and aspect library. It can define complex data types to be manipulated ad hoc by ERESI programs.
* libedfmt: the ERESI debug format library, which can convert DWARF and STABS debug formats to the ERESI debug format by automatically generating new ERESI types.

Also listed in: Reverse Engineering Frameworks, Linux Debuggers, Linux Disassemblers, Tracers, Code Injection Tools
| Tool name: | Export Log |
|---|---|
| Author: | deroko |
| Website: | http://deroko.phearless.org |
| Current version: | 1.0 |
| Last updated: | September 15, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: Program for runtime logging of used/imported external functions (i.e. in other DLLs) in target modules/processes.

Also listed in: API Monitoring Tools, Dependency Analyzer Tools
| Tool name: | FastSystemCallHook |
|---|---|
| Author: | Darawk |
| Website: | N/A |
| Current version: | |
| Last updated: | April 5, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |

Description: A snippet of code which is a KiFastSystemCall hook I wrote that hooks all user-mode APIs by replacing the SYSENTER MSR. It also works on multi-processor systems and should be easy to extend into a fully functional library if you want to.

Also listed in: API Monitoring Tools, Code Injection Tools
| Tool name: | FileMon |
|---|---|
| Author: | Mark Russinovich and Bryce Cogswell |
| Website: | http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx |
| Current version: | 7.04 |
| Last updated: | November 1, 2006 |
| Direct D/L link: | N/A |
| License type: | Free |

Description: FileMon monitors and displays file system activity on a system in real time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application file configurations. FileMon's timestamping feature will show you precisely when every open, read, write or delete happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

Note: FileMon and RegMon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. FileMon and RegMon remain for legacy operating system support, including Windows 9x.

Also listed in: File Monitoring Tools
| Tool name: | Filter Monitor |
|---|---|
| Author: | Daniel Pistelli |
| Website: | http://ntcore.com/filtermon.php |
| Current version: | 1.1.0 |
| Last updated: | October 20, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals.

As you probably all know, the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology. Thus, programs now have to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters.

Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss the right moment.

Also listed in: Kernel Filter Monitoring Tools
| Tool name: | Flayer |
|---|---|
| Author: | Will Drewry & Tavis Ormandy |
| Website: | http://code.google.com/p/flayer |
| Current version: | 0.0.1 |
| Last updated: | August 9, 2007 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |

Description: Flayer is a tool for dynamically exposing application innards for security testing and analysis. It is implemented on the dynamic binary instrumentation framework Valgrind and its memory error detection plug-in, Memcheck. The paper linked below focuses on the implementation of Flayer, its supporting libraries, and their application to software security.

Flayer provides tainted, or marked, data flow analysis and instrumentation mechanisms for arbitrarily altering that flow. Flayer improves upon prior taint tracing tools with bit-precision. Taint propagation calculations are performed for each value-creating memory or register operation. These calculations are embedded in the target application's running code using dynamic instrumentation. The same technique has been employed to allow the user to control the outcome of conditional jumps and step over function calls.

Flayer's functionality provides a robust foundation for the implementation of security tools and techniques, for example an effective fault injection testing technique and an automation library, LibFlayer. Alongside these contributions, the paper explores techniques for vulnerability patch analysis and guided source code auditing. Flayer finds errors in real software. In the past year, its use has yielded the expedient discovery of flaws in security critical software including OpenSSH and OpenSSL.

See the full paper at: http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry_html

And getting-started information at: http://code.google.com/p/flayer/wiki/GettingStarted

Also listed in: Memory Data Tracing Tools
| Tool name: | Float Tracer |
|---|---|
| Author: | j00ru |
| Website: | http://vexillium.org/?sec |
| Current version: | 0.0.1 |
| Last updated: | January 28, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: The main aim of Float Tracer is to monitor a specific process' execution and log the occurrences of FPU instructions, showing their disassembly, address, optionally the modified STx value, etc. It can also mark the immediate values you specify, as well as instructions, value ranges of the ST0-ST7 registers, and so on :)

Also listed in: Tracers
| Tool name: | Fport |
|---|---|
| Author: | Foundstone, Inc. |
| Website: | http://www.foundstone.com/us/resources/proddesc/fport.htm |
| Current version: | 2.0 |
| Last updated: | 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |

Description: fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Usage:

```
C:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
508   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
224   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
212   services       ->  1026  UDP   C:\WINNT\system32\services.exe
```

The program contains five (5) switches. The switches may be given with either a '/' or a '-' preceding the switch. The switches are:

```
Usage:
/?    usage help
/p    sort by port
/a    sort by application
/i    sort by pid
/ap   sort by application path
```

fport supports Windows NT4, Windows 2000 and Windows XP.

Also listed in: Network Monitoring Tools
| Tool name: | GMER |
|---|---|
| Author: | Przemyslaw Gmerek |
| Website: | http://www.gmer.net |
| Current version: | 1.0.15.15087 |
| Last updated: | September 15, 2009 |
| Direct D/L link: | http://www.gmer.net/gmer.zip |
| License type: | Free |

Description: GMER is an application that detects and removes rootkits. It scans for:

* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking the SSDT
* Drivers hooking the IDT
* Drivers hooking IRP calls
* Inline hooks

GMER also allows monitoring of the following system functions:

* Process creation
* Driver loading
* Library loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/VISTA.

Also listed in: Kernel Hook Detection Tools
| Tool name: | generic tracer |
|---|---|
| Author: | Dennis Yurichev |
| Website: | http://conus.info/gt |
| Current version: | 0.1 |
| Last updated: | May 24, 2009 |
| Direct D/L link: | http://conus.info/gt/gt01.zip |
| License type: | Free |

Description: generic tracer - an extremely simple Win32 tracer.

Main features:

1. Setting a breakpoint at any function and monitoring its arguments and return value.
2. Monitoring accesses to global variables.

In a way, it is a kind of strace utility. Significant differences vs strace are:

1. gt is Win32 only.
2. Breakpoints are not limited to system calls: any function can be traced.
3. Only 4 breakpoints, because of an x86 architecture limitation (the four hardware debug registers DR0-DR3).
4. Usage of Oracle .SYM files: ORACLE_HOME should be defined in the environment.

Also listed in: API Monitoring Tools, Tracers
| Tool name: | HBGary Inspector |
|---|---|
| Author: | HBGary |
| Website: | http://www.hbgary.com/inspector_v2.shtml |
| Current version: | 2.0 |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Commercial |

Description: HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing.

Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior.

HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the reverse engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation.

Also listed in: Tracers, Code Coverage Tools, Memory Data Tracing Tools
| Tool name: | HookShark |
|---|---|
| Author: | DeepBlueSea |
| Website: | http://home.arcor.de/neotracer/hookshark.html |
| Current version: | |
| Last updated: | September 22, 2008 |
| Direct D/L link: | http://home.arcor.de/neotracer/HookShark.rar |
| License type: | Free |

Description: HookShark is a detector of hooks and patches installed on the system (only usermode for now). It scans through the code section of every loaded module of each running process and compares it with the file image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user.

The detailed report about the type of patch is not 100% reliable and can be wrong. HookShark makes many assumptions and guesses during analysis and reporting, because of the nature of assembly. In some cases we can't theoretically determine with 100% accuracy whether a block of bytes is data or code. We also can not determine where the next instruction begins if we are in the middle of a patched block of bytes. An almost safe presumption can only be achieved through full-blown x86 emulation tracing from the entry point of the binary. But even then not all execution paths are necessarily covered. Yes, even IDA has problems with this in extreme cases.

Currently implemented hook detection:

* Inline patches / hooks (NOP, exception handler, relative jumps, custom patches)
* Other custom patches [...]
* IAT and EAT hooks
* Relocation hooks
* Hardware breakpoints

Planned hook detection:

* PAGE_GUARD hooks
* PEB LdrList hooks
* TrapFlag usage "hooks"

Also listed in: Usermode Hook Detection Tools
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
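The comparison HookShark describes (in-memory code section versus file image, with the relocation sites the loader legitimately rewrites masked out, then a heuristic guess at the patch type) as an added Python example. This is not HookShark's own code; the section bytes, the mapped base, the hook destination and the relocation list are all constructed for the example.

```python
"""
Added example (not HookShark's own code): compare a module's code section as
mapped in memory against the same section in the file image, mask out the
bytes the loader legitimately rewrites (relocation fix-ups), and classify
each remaining discrepancy the way a usermode hook scanner would.
The section bytes, addresses and relocation sites below are constructed for
the example; they are not taken from a real binary.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple


@dataclass
class Finding:
    offset: int            # offset of the first differing byte in the section
    length: int            # length of the contiguous differing run
    kind: str              # relative jump / NOP patch / INT3 breakpoint / custom patch
    target: Optional[int]  # resolved destination for relative jumps, else None


def diff_runs(disk: bytes, mem: bytes, reloc_sites: Set[int],
              reloc_size: int = 4) -> Iterator[Tuple[int, int]]:
    """Yield (offset, length) for every run of bytes where memory differs from
    disk, ignoring bytes covered by relocation entries: those differ on every
    load at a non-preferred base and are not patches."""
    assert len(disk) == len(mem), "compare the same section from the same image"
    masked = {site + i for site in reloc_sites for i in range(reloc_size)}
    start = None
    for i in range(len(disk)):
        differs = disk[i] != mem[i] and i not in masked
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            yield start, i - start
            start = None
    if start is not None:
        yield start, len(disk) - start


def classify(mem: bytes, base: int, offset: int, length: int) -> Finding:
    """Heuristic patch typing from the first bytes of a run. As the HookShark
    text warns, a run that starts mid-instruction cannot be decoded reliably,
    so anything unrecognised is reported as a custom patch rather than guessed."""
    chunk = mem[offset:offset + length]
    if chunk[0] == 0xE9 and offset + 5 <= len(mem):
        rel = struct.unpack_from("<i", mem, offset + 1)[0]      # JMP rel32
        return Finding(offset, length, "relative jump", base + offset + 5 + rel)
    if all(b == 0x90 for b in chunk):
        return Finding(offset, length, "NOP patch", None)
    if chunk == b"\xcc":
        return Finding(offset, length, "INT3 breakpoint", None)
    return Finding(offset, length, "custom patch", None)


def scan_section(disk: bytes, mem: bytes, base: int, reloc_sites: Set[int]) -> List[Finding]:
    """Full scan: diff the two copies, then classify every differing run."""
    return [classify(mem, base, off, ln) for off, ln in diff_runs(disk, mem, reloc_sites)]


# --- constructed sample: a 0x50-byte .text slice, preferred base 0x10001000,
#     actually mapped at 0x10006000 (so one absolute operand was relocated) ---
MAPPED_BASE = 0x10006000
DISK = bytearray(0x50)
DISK[0x00:0x06] = bytes.fromhex("558bec83ec10")   # push ebp; mov ebp,esp; sub esp,0x10
DISK[0x1F:0x24] = bytes.fromhex("a100100010")     # mov eax,[0x10001000] (imm32 at 0x20)
DISK[0x30:0x32] = bytes.fromhex("7405")           # je +5
DISK[0x40:0x43] = bytes.fromhex("8b4508")         # mov eax,[ebp+8]
RELOC_SITES = {0x20}                              # the imm32 of the mov is relocated

MEM = bytearray(DISK)
MEM[0x00:0x05] = b"\xe9" + struct.pack("<i", 0x7C800000 - (MAPPED_BASE + 5))  # inline JMP hook
MEM[0x20:0x24] = struct.pack("<I", 0x10006000)    # loader fix-up, not a hook
MEM[0x30:0x32] = b"\x90\x90"                      # conditional jump NOPed out
MEM[0x40:0x43] = bytes.fromhex("33c090")          # xor eax,eax; nop (custom patch)


if __name__ == "__main__":
    for f in scan_section(bytes(DISK), bytes(MEM), MAPPED_BASE, RELOC_SITES):
        tgt = f"-> {f.target:#x}" if f.target is not None else ""
        print(f"{MAPPED_BASE + f.offset:#010x} {f.kind:16} {f.length} byte(s) {tgt}")
```

Without the relocation mask the scan reports a fourth, spurious "custom patch" at the relocated operand, which is exactly the false positive the "Relocation Hooks" category in the tool exists to tell apart from real patches. A real scanner reads the section and the relocation directory from the PE headers instead of hard-coding them.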
| Tool name: | IRPTrace |
| ||
|---|---|---|---|---|
| Author: | APSoft | |||
| Website: | http://www.tssc.de/products/tools/irptrace/default.htm | |||
| Current version: | 1.00.007 | |||
| Last updated: | September 18, 2005 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial | |||
| Description: | IrpTrace is a tool that watches I/O request packets (IRPs) sent to kernel-mode driver(s) on Windows NT 4.0, Windows 2000 or Windows XP. Information about IRP requests can be sent to a remote debugger and/or saved to a file. The collected information is available for immediate or deferred analysis, which makes this tool indispensable for debugging and support of device drivers. Debug and support drivers: If a driver causes a system crash or hangs while processing an IRP, IrpTrace can help locate the buggy handler through the information sent to the remote debugger or to the output window of a terminal application. Usually developers insert debug messages to locate the crash point. The advantages of IrpTrace are that: a) it works on non-debug builds of drivers; b) the developer saves the time otherwise spent writing debug code. If a driver forgets to complete an IRP, it can cause various problems (up to a system hang or blue screen). The list of uncompleted IRPs can be determined using IrpTrace. Windows 2000/XP build a stack of physical, filter and functional device objects for each PnP device. Your software for a PnP device can malfunction due to third-party software installed on the computer. IrpTrace can help you locate such problems. Investigate interaction of software components: In some cases a developer needs to investigate the communication protocol of existing software (driver - application, driver - driver). If the protocol is a sequence of I/O requests (for example, device control, internal device control, read and write requests), IrpTrace can help to do it. The list of I/O requests IrpTrace will watch for can be specified by: * Name of the driver that owns the IRP's target device * Name of the target device * Name of the module sending the IRP * Name / ID of the PnP device. Information about an IRP includes: * Name of the request * Name and address of the target device * Completion status * Address of the code that sent the request * IRQL, process name and ID of the thread that sent the request * Address of the procedure that completed the request * Detailed information about the input and output parameters of the request (if any) | |||
| Also listed in: | Driver & IRP Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | KaKeeware Application Monitor (KAM) |
| ||
|---|---|---|---|---|
| Author: | KaKeeware | |||
| Website: | http://www.kakeeware.com/i_kam.php | |||
| Current version: | 1.32 | |||
| Last updated: | May 24, 2007 | |||
| Direct D/L link: | http://www.kakeeware.com/download.php?f=kam.exe | |||
| License type: | Freeware | |||
| Description: | KaKeeware Application Monitor is a very small API monitor that allows the user to monitor the APIs called by a given application. KAM supports 5577 different APIs for now. KAM works as an API spy that may help developers and localization engineers find bugs in release versions of software. It can also be used by malware analysts to check which APIs are used by the sample they analyse. The executable file is packed with Upack. Since v1.04, KAM can retrieve object names (filenames, registry keys) and shows them in the UI instead of handles, making the listing more readable. 1.10 shows more information about monitored APIs. 1.20 added groups to the APIs window and added command-line support for the monitored program. 1.21 hopefully fixes the problem with some XP versions. 1.30 introduces a lot of new APIs (now it's over 5000!). 1.31 finally conquers Vista. 1.32 adds some APIs (as per request :). Please be aware that some AV programs may flag kam.exe as malicious. This is a problem known as an FP (False Positive). kam.exe is not malicious and it doesn't contain any malicious code. | |||
| Also listed in: | API Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | KernelSpy |
| ||
|---|---|---|---|---|
| Author: | Anton Bassov | |||
| Website: | http://www.codeproject.com/system/kernelspying.asp | |||
| Current version: | 1.0 | |||
| Last updated: | April 22, 2004 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | After having published my article about process-wide API spying, I received plenty of encouraging messages - readers have generally accepted my model of hooking function calls. In this article, we will extend our model to kernel-mode spying, and hook the API calls that are made by our target device driver. We will also introduce a brand-new way of communication between the kernel-mode driver and the user-mode application - instead of using system services, we will implement our own mini-version of Asynchronous Procedure Calls. This task is not as complicated as it may seem - in fact, it is just shockingly easy. The Windows flat memory model offers us plenty of exciting opportunities - the only thing we need is a sense of adventure (plus a good knowledge of assembly language, of course). All tips and tricks described in this article are 100% of my own design - you would not find anything more or less similar to these tricks anywhere. | |||
| Also listed in: | SysCall Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | LSOF |
| ||
|---|---|---|---|---|
| Author: | Victor A. Abell | |||
| Website: | http://people.freebsd.org/~abe/ | |||
| Current version: | ||||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | The lsof (LiSt Open Files) diagnostic and forensics tool lists information about any files that are opened by processes currently running on the system. It can also list the communication sockets opened by each process. | |||
| Also listed in: | File Monitoring Tools, Network Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | LordCHEAT |
| ||
|---|---|---|---|---|
| Author: | Rudy Rooroh | |||
| Website: | http://www.geocities.com/asmfreesoft | |||
| Current version: | 1.2.6 | |||
| Last updated: | July 18, 2009 | |||
| Direct D/L link: | http://www.geocities.com/asmfreesoft/LordCHEAT126.zip | |||
| License type: | Freeware | |||
| Description: | - Small & powerful game trainer - Save & load memory using a simple script - Read/write memory using a hex editor - Supports 16/32-bit Windows games, Macromedia Flash games, *emulators, etc. - Supports pointer to pointer - Supports plugins - Memory monitor - Can run under Windows 98 up to *Vista - etc. | |||
| Also listed in: | Memory Data Tracing Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | MSIL Dumper |
| ||
|---|---|---|---|---|
| Author: | Kurapica | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11809 | |||
| Current version: | 0.4 | |||
| Last updated: | December 12, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | The idea of this tool is to achieve two objectives: 1 - It will dump the body of every method (function, procedure) called by the executable assembly you select. The dumping occurs whenever the compiler enters that method; for example, if you click some button and this button calls the method "CheckLicense", then you will find a file named "CheckLicense.txt" in the "\Dump" folder. 2 - It will show you in detail the methods being called and also the modules that your application loads, so it could be used as a simple tracing utility for .NET assemblies. I wrote this tool to help me rebuild assemblies protected with the JIT hooking technique. Those assemblies can't be explored in Reflector because their methods' bodies are encrypted and only decrypted at runtime when the method is called, so you will see no code in Reflector. I assumed that I would have access to the encrypted MSIL code of the methods using the Profiling APIs; there was a 50% chance of success, but it turned out to be only useful against certain protections like the one that LibX coded, which depends on System.Reflection.Emit.DynamicMethod to execute protected methods. You can find more on the LibX protection here: hxxp://www.reteam.org/board/showthread.php?t=799 | |||
| Also listed in: | .NET MSIL Dumpers, .NET Tracers, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Malcode Analysis Pack |
| ||
|---|---|---|---|---|
| Author: | David Zimmer (iDefense Labs) | |||
| Website: | http://labs.idefense.com/files/labs/releases/previews/map/ | |||
| Current version: | ||||
| Last updated: | November 13, 2006 | |||
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=8 | |||
| License type: | GPL2 | |||
| Description: | The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. Included in this package are: • ShellExt - 4 Explorer shell extensions • socketTool - manual TCP client for probing functionality • MailPot - mail server capture pot • fakeDNS - spoofs DNS responses to controlled IPs • sniff_hit - HTTP, IRC and DNS sniffer • sclog - shellcode research and analysis application • IDCDumpFix - aids in quick RE of packed applications • Shellcode2Exe - embeds multiple shellcode formats in an exe husk • GdiProcs - detects hidden processes | |||
| Also listed in: | Malware Analysis Tools, Network Tools, Process Monitoring Tools, TCP Proxy Tools, Network Sniffers, Import Editors, Reverse Engineering Frameworks, API Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PIN |
| ||
|---|---|---|---|---|
| Author: | Intel | |||
| Website: | http://rogue.colorado.edu/pin | |||
| Current version: | 2.3 (rev 18525) | |||
| Last updated: | April 10, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open source | |||
| Description: | Pin is a tool for the dynamic instrumentation of programs. It supports Linux binary executables for Intel (R) XScale (R), IA-32, IA-32E (64-bit x86) and Itanium (R) processors. It also allows instrumentation of Windows programs on IA-32 and Intel (R) 64 processors. Pin was designed to provide functionality similar to the popular ATOM toolkit for Compaq's Tru64 Unix on Alpha, i.e. arbitrary code (written in C or C++) can be injected at arbitrary places in the executable. Unlike ATOM, Pin does not instrument an executable statically by rewriting it, but rather adds the code dynamically while the executable is running. This also makes it possible to attach Pin to an already running process. Pin provides a rich API that abstracts away the underlying instruction set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well. Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template. | |||
| Also listed in: | Code Injection Tools, Profiler Tools, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PIX with callstack patch |
| ||
|---|---|---|---|---|
| Author: | arc_ | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=12696 | |||
| Current version: | ||||
| Last updated: | July 3, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | MSDN describes the DirectX tool "PIX" as follows (at http://msdn.microsoft.com/en-us/library/bb173085(VS.85).aspx): "PIX is a debugging and analysis tool that captures detailed information from a Direct3D application as it executes. PIX can be configured to gather data, such as the list of Direct3D APIs called, timing information, mesh vertices before and after transformations, screenshots, and select statistics. PIX can also be used for debugging vertex and pixel shaders, including setting breakpoints and stepping through shader code." Thus, a highly useful tool right from the MS DirectX SDK for e.g. finding the cause of a rendering problem: for any captured frame, you can click through the executed DX API functions and see how the frame is being built up, eventually finding out what part is to blame. But what about reversing a closed source application's renderer? PIX does not store a call stack; it merely logs *what* DX functions are called, but not from *where*. Therefore it is not very useful for reversing by default. I didn't want to let such a great tool go to waste. After some reversing work I ended up patching PIX to log and show (part of) the call stack for each DirectX call that the target program makes. Each call stack entry has both the virtual address and the module name. Example usage of the resulting modified tool is finding out about and messing with a game's renderer, or more simply locating the HUD rendering code and quickly finding the data that it represents (e.g. health, money) rather than having to resort to memory scanning. | |||
| Also listed in: | API Monitoring Tools, DirectX Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Pipetrace |
| ||
|---|---|---|---|---|
| Author: | Toolcrypt Group | |||
| Website: | http://www.toolcrypt.org/tools/pipetrace/index.html | |||
| Current version: | ||||
| Last updated: | ||||
| Direct D/L link: | http://www.toolcrypt.org/tools/pipetrace/pipetrace.zip | |||
| License type: | Free | |||
| Description: | Pipetrace is a console tool to trace/view Named Pipe creation and deletion. Changes are tracked by using FindFirstChangeNotification. Pipetrace has been tested on Win2K. | |||
| Also listed in: | Named Pipe Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Portmon |
| ||
|---|---|---|---|---|
| Author: | Mark Russinovich | |||
| Website: | http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Portmon.mspx | |||
| Current version: | 3.02 | |||
| Last updated: | November 1, 2006 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations. | |||
| Also listed in: | Parallel Comm Monitoring Tools, Serial Comm Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Process Lasso |
| ||
|---|---|---|---|---|
| Author: | Jeremy Collake | |||
| Website: | http://www.bitsum.com/prolasso.php | |||
| Current version: | 3.62 | |||
| Last updated: | July 18, 2009 | |||
| Direct D/L link: | http://www.bitsum.com/files/prolasso.zip | |||
| License type: | Free | |||
| Description: | Process Lasso is a unique new technology intended to automatically adjust the allocation of CPU cycles so that system responsiveness is improved in high-load situations. It does this by dynamically and temporarily lowering the priorities of processes that are consuming too many CPU cycles, thereby giving other processes a chance to run if they are in need. This is useful for both single- and multi-core processors. No longer will a single process be able to bring your system to a virtual stall. In addition, Process Lasso offers capabilities such as default process priorities, termination of disallowed processes, and logging of processes executed. Supporting users are able to download all past and future builds of Process Lasso and are given a specially labelled version of Process Lasso. | |||
| Also listed in: | Process Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Process Monitor |
| ||
|---|---|---|---|---|
| Author: | Mark Russinovich and Bryce Cogswell | |||
| Website: | http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx | |||
| Current version: | 2.7 | |||
| Last updated: | September 18, 2009 | |||
| Direct D/L link: | http://download.sysinternals.com/Files/ProcessMonitor.zip | |||
| License type: | Free | |||
| Description: | Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. | |||
| Also listed in: | File Monitoring Tools, Process Monitoring Tools, Registry Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Process Stalker |
| ||
|---|---|---|---|---|
| Author: | Pedram Amini | |||
| Website: | http://www.openrce.org/downloads/details/171 | |||
| Current version: | 1.1 | |||
| Last updated: | July 13, 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Process Stalking is a term coined to describe the combined process of run-time profiling, state mapping and tracing. Consisting of a series of tools and scripts, the goal of a successful stalk is to provide the reverse engineer with an intuitive visual interface to filtered, meaningful, run-time block-level trace data. The Process Stalker suite is broken into three main components: an IDA Pro plug-in, a stand-alone tracing tool and a series of Python scripts for instrumenting intermediary and GML graph files. The generated GML graph definitions were designed for usage with a freely available interactive graph visualization tool. Data instrumentation is accomplished through a series of Python utilities built on top of a fully documented custom API. Binaries, source code and in-depth documentation are available in the bundled archive. An in-depth article was written and released on OpenRCE.org detailing step-by-step usage of Process Stalker; the article is a good starting point for understanding the basics behind the tool set. Manual: http://pedram.redhive.com/process_stalking_manual/ API docs: http://pedram.redhive.com/process_stalking_manual/ps_api_docs/ | |||
| Also listed in: | Tracers, Code Coverage Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
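The pipeline the entry describes (block-level run-time trace in, a GML graph and a coverage figure out) as an added Python example. This is not Process Stalker's own code or its intermediary file format; the static block list, which stands in for what the IDA plug-in exports, and the trace are constructed, and the `hits` and `count` attributes on the GML nodes and edges are names chosen here.

```python
"""
Added example, not Process Stalker's own code: build a control-flow graph
from a block-level run-time trace, emit it as GML, and measure code coverage
against the static block list. Block addresses and the trace are constructed.
"""
from collections import Counter
from typing import Counter as CounterT, Dict, Iterable, List, Tuple

# Block start addresses as a disassembler plug-in would export them (constructed).
STATIC_BLOCKS: List[int] = [0x401000, 0x401010, 0x401020, 0x401030, 0x401040, 0x401050]

# Run-time trace: (thread id, block start) in execution order (constructed).
TRACE: List[Tuple[int, int]] = [
    (1, 0x401000), (1, 0x401010), (1, 0x401020), (1, 0x401010),
    (1, 0x401020), (1, 0x401040),
    (2, 0x401000), (2, 0x401010), (2, 0x401040),
]


def build_graph(trace: Iterable[Tuple[int, int]]):
    """Count block hits and (prev -> next) edges, tracking the previous block
    per thread so that a thread switch never produces a bogus edge."""
    hits: CounterT[int] = Counter()
    edges: CounterT[Tuple[int, int]] = Counter()
    last: Dict[int, int] = {}
    for tid, addr in trace:
        hits[addr] += 1
        if tid in last:
            edges[(last[tid], addr)] += 1
        last[tid] = addr
    return hits, edges


def coverage(hits: CounterT[int], static_blocks: List[int]) -> float:
    """Fraction of statically known blocks that executed at least once."""
    executed = set(hits) & set(static_blocks)
    return len(executed) / len(static_blocks)


def to_gml(hits: CounterT[int], edges: CounterT[Tuple[int, int]]) -> str:
    """Serialise the graph as GML: one node per executed block, one edge per
    observed transition. Hit and transition counts are kept as attributes so
    a viewer can weight or colour by them."""
    ids = {addr: i for i, addr in enumerate(sorted(hits))}
    out = ["graph [", "  directed 1"]
    for addr, i in ids.items():
        out.append(f'  node [ id {i} label "{addr:#x}" hits {hits[addr]} ]')
    for (src, dst), n in sorted(edges.items()):
        out.append(f"  edge [ source {ids[src]} target {ids[dst]} count {n} ]")
    out.append("]")
    return "\n".join(out)


if __name__ == "__main__":
    h, e = build_graph(TRACE)
    print(to_gml(h, e))
    print(f"coverage: {coverage(h, STATIC_BLOCKS):.0%}")
```

Filtering the trace to one module's address range before building the graph is what keeps the output "meaningful" in the sense the entry uses: a raw trace of a real process is dominated by library code.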
| Tool name: | RAIDE |
| ||
|---|---|---|---|---|
| Author: | petersilberman | |||
| Website: | http://www.rootkit.com/project.php?id=33 | |||
| Current version: | Beta 1 | |||
| Last updated: | August 6, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool. RAIDE offers unique features like process dumping/firewall identification etc. | |||
| Also listed in: | Kernel Hook Detection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | RegMon |
| ||
|---|---|---|---|---|
| Author: | Mark Russinovich and Bryce Cogswell | |||
| Website: | http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Regmon.mspx | |||
| Current version: | 7.04 | |||
| Last updated: | November 1, 2006 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed. Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x. | |||
| Also listed in: | Registry Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | RegShot |
| ||
|---|---|---|---|---|
| Author: | ||||
| Website: | http://regshot.sourceforge.net/ | |||
| Current version: | 1.82 | |||
| Last updated: | November 3, 2007 | |||
| Direct D/L link: | http://heanet.dl.sourceforge.net/sourceforge/regshot/regshot_1.8.2_src_bin.zip | |||
| License type: | Free / Open Source | |||
| Description: | Regshot is a small, free and open-source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after making system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot 1 and snapshot 2. In addition, you can also specify folders (with subfolders) to be scanned for changes as well. | |||
| Also listed in: | Registry Diff Tools, Registry Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Regshot Unicode |
| ||
|---|---|---|---|---|
| Author: | Handle | |||
| Website: | http://regshot.ru/ | |||
| Current version: | 2.0.1.66 | |||
| Last updated: | January 21, 2009 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | Regshot is a small, free and open-source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after making system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot 1 and snapshot 2. In addition, you can also specify folders (with subfolders) to be scanned for changes as well. | |||
| Also listed in: | Registry Diff Tools, Registry Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
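The snapshot-and-compare logic behind both Regshot entries above, as an added Python example run over an in-memory model of the Registry rather than the live hives. This is not Regshot's code; the key paths, value names and data in both snapshots are constructed to look like a typical "before/after install" pair, and the report layout only approximates Regshot's text output.

```python
"""
Added example, not Regshot's own code: diff two registry snapshots. A snapshot
maps a key path to {value name: data}; the diff yields keys and values added,
deleted and modified, which format_report prints Regshot-style. Both
snapshots below are constructed for the example.
"""
from typing import Any, Dict, List

Snapshot = Dict[str, Dict[str, Any]]
SECTIONS = ("keys_added", "keys_deleted", "values_added", "values_deleted", "values_modified")


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Return the five change lists a registry diff is made of."""
    rep: Dict[str, List[str]] = {k: [] for k in SECTIONS}
    for key in sorted(set(before) | set(after)):
        if key not in before:                        # new key: all its values are new
            rep["keys_added"].append(key)
            rep["values_added"] += [f"{key}\\{n}: {d!r}" for n, d in sorted(after[key].items())]
        elif key not in after:                       # removed key: all its values are gone
            rep["keys_deleted"].append(key)
            rep["values_deleted"] += [f"{key}\\{n}: {d!r}" for n, d in sorted(before[key].items())]
        else:                                        # key survives: compare value by value
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    rep["values_added"].append(f"{key}\\{name}: {a[name]!r}")
                elif name not in a:
                    rep["values_deleted"].append(f"{key}\\{name}: {b[name]!r}")
                elif b[name] != a[name]:
                    rep["values_modified"].append(f"{key}\\{name}: {b[name]!r} -> {a[name]!r}")
    return rep


def total_changes(rep: Dict[str, List[str]]) -> int:
    return sum(len(v) for v in rep.values())


def format_report(rep: Dict[str, List[str]]) -> str:
    """Text report: a count line per section followed by its entries."""
    titles = {"keys_added": "Keys added", "keys_deleted": "Keys deleted",
              "values_added": "Values added", "values_deleted": "Values deleted",
              "values_modified": "Values modified"}
    lines: List[str] = []
    for k in SECTIONS:
        lines.append(f"{titles[k]}: {len(rep[k])}")
        lines += ["  " + e for e in rep[k]]
        lines.append("")
    lines.append(f"Total changes: {total_changes(rep)}")
    return "\n".join(lines)


# Constructed sample hives (paths and data are illustrative, not from a real machine).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\SampleSvc"
OLD = r"HKCU\Software\DemoVendor\OldApp"

SNAPSHOT_1: Snapshot = {                     # "before install"
    RUN: {"ctfmon": r"C:\Windows\system32\ctfmon.exe"},
    WINLOGON: {"Shell": "explorer.exe"},
    OLD: {"Installed": 1},
}
SNAPSHOT_2: Snapshot = {                     # "after install"
    RUN: {"ctfmon": r"C:\Windows\system32\ctfmon.exe",
          "SampleUpdater": r"C:\ProgramData\Sample\upd.exe"},
    WINLOGON: {"Shell": r"explorer.exe,C:\ProgramData\Sample\shell.exe"},
    SVC: {"ImagePath": r"C:\ProgramData\Sample\svc.exe", "Start": 2},
}

if __name__ == "__main__":
    print(format_report(diff_snapshots(SNAPSHOT_1, SNAPSHOT_2)))
```

For malware triage the interesting lines are usually the "Values added" and "Values modified" sections under autostart locations (Run keys, Winlogon Shell, new services), which is why the two-snapshot approach is paired with a file-system diff in practice: the registry change only tells you what now runs, the folder scan tells you what was dropped.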
| Tool name: | Rohitab API Monitor |
| ||
|---|---|---|---|---|
| Author: | Rohitab | |||
| Website: | http://www.rohitab.com/apimonitor/index.html | |||
| Current version: | 1.5 | |||
| Last updated: | January 7, 2001 | |||
| Direct D/L link: | http://www.rohitab.com/apimonitor/apimonitor.msi | |||
| License type: | Freeware | |||
| Description: | API Monitor is software that monitors and displays API calls made by applications. It's a powerful tool for seeing how Windows and other applications work, or for tracking down problems that you have in your own applications. | |||
| Also listed in: | API Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Rootkit Unhooker |
| ||
|---|---|---|---|---|
| Author: | EP_X0FF / DiabloNova | |||
| Website: | http://www.rootkit.com/newsread.php?newsid=902 | |||
| Current version: | 3.8.342.554 | |||
| Last updated: | Sep 21, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Rootkit Unhooker LE (RkU) is an advanced rootkit detection/removal utility, designed especially for advanced users and IT professionals. It runs under 32-bit Windows 2000, Windows XP, Windows 2003 Server and Windows Vista. The project was discontinued when it was bought up by Microsoft in November 2007. The project was continued by DiabloNova. Last announcement: http://www.rootkit.com/blog.php?newsid=912 Direct D/L: http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar | |||
| Also listed in: | Kernel Hook Detection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | SDT Cleaner |
| ||
|---|---|---|---|---|
| Author: | Nahuel C. Riva | |||
| Website: | http://oss.coresecurity.com/projects/sdtcleaner.html | |||
| Current version: | 1.0 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks. * The SDT Cleaner allows you to clean hooks installed by Anti-Virus and Firewalls. * This little tool (in this first release) tries to collect info from your current kernel and then switches to kernel land and if there are any hooks in SSDT, this tool will replace them with the original entries. | |||
| Also listed in: | Kernel Hook Detection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | SSDT Revealer |
| ||
|---|---|---|---|---|
| Author: | ZaiRoN | |||
| Website: | http://zairon.wordpress.com/2007/03/20/tool-system-service-descriptor-table-revealer/ | |||
| Current version: | 1.0 | |||
| Last updated: | March 20, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This is a little tool I've coded some time ago. The name says it all: it reveals the System Service Dispatch Table, showing possible hooks over one or more functions. It was born as a part of a more complex tool, which is still unfinished. SSDT Revealer is nothing special but could come in handy. The program has been developed under Win-XP. It should run on other OSs but I really don't know. Again, it's a personal program and I didn't spend nights and nights trying to find one or more bugs; when a bug occurs I fix it. If you find a bug or something else, please don't hesitate to contact me. | |||
| Also listed in: | Kernel Hook Detection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
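What SDT Cleaner and SSDT Revealer (the two entries above) do with the table, as an added Python model rather than either tool's code: each SSDT entry is expected to point into the kernel image, so an entry that resolves into some other loaded driver, or into no known module, is reported as a possible hook, and cleaning means writing back the pointer rebuilt from the on-disk kernel. The module ranges, the service index to name mapping and every address below are constructed for the example; real index assignments differ between Windows versions.

```python
"""
Added example, not SDT Cleaner's or SSDT Revealer's own code: flag SSDT
entries that point outside the kernel image and restore them from a table
rebuilt from the on-disk kernel. All modules, indices and addresses are
constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# Loaded kernel modules as (name, base, size): constructed.
MODULES: List[Tuple[str, int, int]] = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ("av_filter.sys", 0xF7A10000, 0x20000),
]
KERNEL = "ntoskrnl.exe"

# Service names for the indices used here (constructed subset; real index
# assignments differ between Windows versions).
SERVICE_NAMES: Dict[int, str] = {0x25: "NtCreateFile", 0x35: "NtEnumerateKey",
                                 0x7A: "NtOpenProcess", 0xAD: "NtQuerySystemInformation",
                                 0x101: "NtTerminateProcess"}

# The original table as rebuilt from the kernel's on-disk image plus its load
# base (the information a cleaner collects before touching kernel memory): constructed.
ORIGINAL_SSDT: Dict[int, int] = {0x25: 0x8057A4C0, 0x35: 0x80612B70, 0x7A: 0x805CB3C8,
                                 0xAD: 0x8060F2D0, 0x101: 0x805D2A70}

# The live table as read from kernel memory, with two entries redirected: constructed.
LIVE_SSDT: Dict[int, int] = dict(ORIGINAL_SSDT)
LIVE_SSDT[0x7A] = 0xF7A12340      # into av_filter.sys (a product's own hook)
LIVE_SSDT[0xAD] = 0x89C0F000      # into no known module (hidden driver or pool memory)


def owner(addr: int) -> Optional[str]:
    """Name of the loaded module containing addr, or None if no module does."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def find_hooks(live: Dict[int, int]) -> List[Tuple[int, str, int, Optional[str]]]:
    """Report (index, service, pointer, owning module) for every entry that
    does not point into the kernel image. A None owner means the handler lives
    in no known module, which is more suspicious than a named third-party driver."""
    hooks = []
    for idx in sorted(live):
        mod = owner(live[idx])
        if mod != KERNEL:
            hooks.append((idx, SERVICE_NAMES.get(idx, f"service_{idx:#x}"), live[idx], mod))
    return hooks


def clean(live: Dict[int, int], original: Dict[int, int]) -> Dict[int, int]:
    """Return a copy of the live table with hooked entries restored to the
    originals; entries with no known original are left alone rather than guessed."""
    restored = dict(live)
    for idx, _, _, _ in find_hooks(live):
        if idx in original:
            restored[idx] = original[idx]
    return restored


if __name__ == "__main__":
    for idx, name, ptr, mod in find_hooks(LIVE_SSDT):
        print(f"[{idx:#05x}] {name:26} -> {ptr:#010x} ({mod or 'unknown module'})")
    print("restored:", clean(LIVE_SSDT, ORIGINAL_SSDT) == ORIGINAL_SSDT)
```

Two caveats a practitioner would add to this check: a pointer that lies inside ntoskrnl.exe does not prove the service is clean, because the handler's own first bytes may carry an inline patch, which is the byte-level comparison done by usermode tools like HookShark rather than a table check; and restoring entries placed there by an anti-virus or firewall driver, as the SDT Cleaner description says it does, silently disables that product's protection.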
| Tool name: | SniffUSB |
| ||
|---|---|---|---|---|
| Author: | Thomas F. Divine / Benoit Papillault | |||
| Website: | http://www.pcausa.com/Utilities/UsbSnoop | |||
| Current version: | 2.0.0006 | |||
| Last updated: | February 23, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Overview SniffUSB 2.0 is a minor update to the predecessor SniffUSB 1.8 by Benoit Papillault. The purpose of this release is actually to update Benoit's prior work to allow it to be built under newer development tools. In particular: * The SniffUSB application is built under Microsoft Visual Studio 2005. * The UsbSnoop driver is built under the Windows Vista Driver Kit (WDK 6000). Benoit deserves quite a bit of credit because his V1.8 application and driver ported to these newer tools with very little effort. Thanks, Benoit! This release does not fix any bugs from Benoit's V1.8 release and does not offer any new functionality. After making the initial port of the UsbSnoop driver to WDK 6000 (which went smoothly...) I did make additional modifications to the driver code. Most of these were to make the code more readable - at least to me. The V2.0 UsbSnoop driver changes included: * Fixed a small number of PreFast warnings. * Replaced deprecated functions with newer preferred functions. * Now use lookaside lists for repetitive fixed-size allocations. * Removed dead code. * Simplified some code paths. * Reorganized code and renamed variables and functions to suit my tastes. * Replaced driver core dispatch template with that of the WDK 6000 filter.cpp sample driver. In addition I removed some functionality: * SniffUSB 2.0 does NOT support Windows 98/ME * SniffUSB 2.0 does NOT support Windows 2000 I did very little work on the SniffUSB MFC application. Changes that I did make include: * Replaced some deprecated functions with newer preferred functions. * Fixed some compiler warnings. * Revised the folder organization for compiler and linker output. * Added x64 configurations. * Fixed "Present" indication. (V2.0.0004) * Improved display refresh control. (V2.0.0004) * Control whether devices that are not present are listed. (V2.0.0004) * Added "Uninstall All" button. (V2.0.0005) * Added mechanism to pause/resume logging. (V2.0.0006) * Added mechanism to allow the log file to be closed and deleted reliably. (V2.0.0006) SniffUSB 2.0 now supports only Windows XP and higher. Benoit's original SniffUSB V1.8 source and executables can be found at the URL: http://benoit.papillault.free.fr/usbsnoop/ | |||
| Also listed in: | USB Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | SpiderPig |
| ||
|---|---|---|---|---|
| Author: | Piotr Bania | |||
| Website: | http://piotrbania.com/all/spiderpig/ | |||
| Current version: | (not yet released) | |||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | ||||
| Description: | The main idea of SpiderPig is to trace a specified memory region (or specified register value), and also be able to trace all the child regions that were created by referencing previously traced regions. So whenever a previously traced memory region is referenced, or any other memory region based on a previously traced memory region is created, SpiderPig will snort it. SpiderPig is a project created for performing and visualizing data flow analysis of a selected binary program. SpiderPig was created with the purpose of providing a tool which would be able to help vulnerability and security researchers with tracing and analyzing any necessary data and its further propagation. Such tasks are very often crucial in the vulnerability discovering/identifying process and typically require a lot of time-consuming manual work. The initial concept is pretty old; the first pseudo-usable version was created initially for the Immunity Debugger Plugin Contest back in 2007, just to be frozen a few days after. I reactivated the project during the last months of holidays (around September 2008) and decided to write a little paper about it (which was finished around November 2008). Since I switched to other research at the moment, the SpiderPig research has been practically frozen since the paper was made. As you probably realize, the history of this project is kinda nutty. Anyway, enjoy, or erm, not enjoy. | |||
| Also listed in: | Memory Data Tracing Tools | |||
| Tool name: | SpyStudio |
| ||
|---|---|---|---|---|
| Author: | Nektra | |||
| Website: | http://www.nektra.com/products/spystudio | |||
| Current version: | 1.0.0b | |||
| Last updated: | February 2008 | |||
| Direct D/L link: | http://www.nektra.com/products/spystudio/spystudio.exe | |||
| License type: | Free | |||
| Description: | SpyStudio is a powerful application that simplifies code execution interception operations, also called "hooking". Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the operating system and its applications. With SpyStudio you can monitor and intercept API calls at any time, change their parameters, and resume execution. SpyStudio uses the Deviare API technology to intercept function calls; this allows the user to monitor and hook applications in real time. Deviare is a very complex technology that can be used through the most simple interfaces. This useful application provides the ability to break process execution and inspect a function's parameters at any level, and even change their values. * Hooks any module of any application. * Understands almost any function's parameters. Every data structure and type defined in windows.h is supported. * Break on monitor: break the application's code execution, watch and modify function parameters. * Integrated Python shell: now allows you to execute Python scripts and handle hooks! * Some of the modules included in the database are: Advapi32.dll, Gdi32.dll, Kernel32.dll, Ntdll.dll, User32.dll, Shell32.dll, Wininet.dll | |||
| Also listed in: | API Monitoring Tools, Code Injection Tools | |||
| Tool name: | Strace for NT |
| ||
|---|---|---|---|---|
| Author: | Bindview Security Research | |||
| Website: | http://razor.bindview.com/tools | |||
| Current version: | 0.3 | |||
| Last updated: | October 21, 2003 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Strace for NT is a debugging/investigation utility for examining the NT system calls made by a process. It is meant to be used like strace (or truss) on Linux and other Unix OSes. | |||
| Also listed in: | SysCall Monitoring Tools | |||
| Tool name: | Strace for NT (with anti anti debug patch) |
| ||
|---|---|---|---|---|
| Author: | Shub-nigurrath / Bindview Security Research | |||
| Website: | http://arteam.accessroot.com/releases | |||
| Current version: | 1.1a | |||
| Last updated: | July 25, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Modified version of Strace NT, with an advanced anti-anti-debugging option to hide it from most packers. | |||
| Also listed in: | SysCall Monitoring Tools | |||
| Tool name: | Syscall Lister |
| ||
|---|---|---|---|---|
| Author: | Omega Red | |||
| Website: | http://omeg.pl/ | |||
| Current version: | ||||
| Last updated: | July 18, 2007 | |||
| Direct D/L link: | bin_Syscall_Lister_2007-10-20_23.59__SysCall_32_and_64.zip | |||
| License type: | Free | |||
| Description: | This program enumerates all NT kernel system calls and matches them with native API functions using dbghelp and MS symbols (an internet connection is required to download these symbols). It uses a kernel-mode driver to access arbitrary memory locations, like the System Service Descriptor Tables. | |||
| Also listed in: | SysCall Monitoring Tools | |||
| Tool name: | System Virginity Verifier |
| ||
|---|---|---|---|---|
| Author: | Joanna Rutkowska | |||
| Website: | http://www.invisiblethings.org/code.html | |||
| Current version: | 2.3 | |||
| Last updated: | February 27, 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Joanna Rutkowska has provided interesting papers and tools about rootkits on her site (invisiblethings.org) for a few years and is a well-known contributor to the official rootkit web site. SYSTEM VIRGINITY VERIFIER, or SVV, is very interesting because it checks the system for malicious hooking and also checks the integrity of the code sections of modules directly in memory. After the verification, SVV notifies the user with five levels of infection or seriousness: - level 0: 100% virgin (not expected to occur in the wild); - level 1: seems OK; - level 2: innocent hooking detected; - level 3: very suspicious but may be a false positive; - level 4: compromised. The final verdict uses a colour code from blue to deep red. Resource: the SVV PowerPoint presentation (available at invisiblethings.org). It's important to note that many programs can interfere with the verdict: antivirus products such as Kaspersky, desktop intrusion systems which operate at a low level like AntiHook, ProcessGuard and so on. SVV in action: after rebooting the PC in diagnostic mode, SVV gives its first verdict: Microsoft Windows XP [version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>svv check /m module ntoskrnl.exe [0x804d7000 - 0x806ebf80]: 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification file :c3 memory :90 verdict = 1 0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb() file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80 memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3 verdict = 1 0x804dc04a 1 byte(s): exclusion filter: single byte modification file :c3 memory :00 verdict = 1 0x804df16a 1 byte(s): exclusion filter: single byte modification file :05 memory :06 verdict = 1 module ntoskrnl.exe: end of details SYSTEM INFECTION LEVEL: 1 0 - BLUE --> 1 - GREEN 2 - YELLOW 3 - ORANGE 4 - RED 5 - DEEPRED Nothing suspected was detected. Level 1/Green: this is good news for a start. Now let's hook some Windows APIs and see the new verdict: Microsoft Windows XP [version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>svv check /m ntoskrnl.exe (804d7000 - 806ebf80)... module ntoskrnl.exe [0x804d7000 - 0x806ebf80]: 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification file :c3 memory :90 verdict = 1 0x804dc032 18 byte(s): exclusion filter: KeFlushCurrentTb() file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80 memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3 verdict = 1 0x804dc04a 1 byte(s): exclusion filter: single byte modification file :c3 memory :00 verdict = 1 0x804df16a 1 byte(s): exclusion filter: single byte modification file :05 memory :06 verdict = 1 0x804e72c4 [ExAllocatePoolWithQuotaTag()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dbfc) address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000] target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON 2\TRACE.SYS file :8b ff 55 8b ec 51 memory :ff 25 fc db b1 ba verdict = 2 0x804eb321 [ExAllocatePoolWithTagPriority()+0] 6 byte(s): JMPing code (jmp to: 0xbab1dba4) address 0xbab1dba4 is inside TRACE.SYS module [0xbab1a000-0xbab26000] target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON 2\TRACE.SYS file :8b ff 55 8b ec 53 memory :ff 25 a4 db b1 ba verdict = 2 module ntoskrnl.exe: end of details SYSTEM INFECTION LEVEL: 2 0 - BLUE 1 - GREEN --> 2 - YELLOW 3 - ORANGE 4 - RED 5 - DEEPRED Nothing suspected was detected. | |||
| Also listed in: | Kernel Hook Detection Tools, Usermode Hook Detection Tools | |||
| Tool name: | TR |
| ||
|---|---|---|---|---|
| Author: | Liu Taotao | |||
| Website: | N/A | |||
| Current version: | 2.52 | |||
| Last updated: | November 30, 1998 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Shareware | |||
| Description: | Advanced tracer for 16 bit x86 code (DOS programs). From readme: If you have used DEBUG, SYMDEB, TD (Turbo Debugger), CV (CodeView) or SoftICE, you should try TR, which has more powerful functions than the debuggers mentioned above. TR (tracer) is a debugger based on CPU simulation technology. The main features are: 1. Interpret Mode: TR runs a program by interpreting its code just like a REAL Intel CPU would, step by step. TR understands every CPU opcode and will give the correct result, without INT1, INT3, DR0-DR8, or protected mode. Theoretically, TR will never be found by any program which is traced, and you can never find a program which can't be traced :-) Traditional debuggers or tracers have too many shortcomings: (1) Using INT1 and the Trap Flag: because they use INT1 and TF to step the program, it's easy to cheat and detect it! (2) Using INT3: these debuggers insert INT3 (CCh) into the program's code after every instruction. If the program destroys the INT3 vector or tests itself, the tracer would not work well :-( (3) SoftICE doesn't use the above two methods, but uses 386 hardware interrupts instead. SoftICE is very strong but so easy to be found :( Overall, traditional debuggers & tracers trace the program using standard tracing methods which can be found in Intel's CPU manual. They can only trace those programs which haven't any anti-debug code. If the program won't cooperate, they all cannot work well :-( But TR will trace all the programs that the CPU can deal with, even another TR session. On the other hand, traditional debuggers or tracers simply insert a breakpoint into the program and wait until they catch the control back. They don't know whether they will get control back or what the program intends to do. TR runs the program in interpret mode; it controls all things absolutely. Just because of that, TR can set more and more complex breakpoints. Interpret Run is the main difference between TR and all other debuggers, and this is also why TR has a higher performance. 2. Batch File: Although batch is not a new word to you, you can find no one using it in a debugger. In TR, you can put all your commands in a text file and use it just like you execute a DOS batch file. TR also has a special batch file named "AUTORUN.TR". Just like its name, this file is executed automatically every time you start TR. 3. Magic Offset: Everyone is used to the "G 100" command, which means run and stop at address CS:100. In general, debuggers do it like this: insert a breakpoint (INT3/CC) at CS:100 and GO the program. When the CPU meets the INT3, the program will be stopped. So the debuggers can only set a breakpoint at the current CS and offset 100. But not TR! TR can stop the program at every offset 100! What does this mean? It means when IP=100, the program will be stopped! We call this Magic Offset. Hmm, what's the use? Too many! Think by yourself :-) One simplest and direct usage is: with "G 100" you can *UNPACK* all .COM files! 4. Assembly Language Command: It's a good idea that you can use ASM opcodes in your debug environment. You can accomplish your wish in TR! You may use either "R AX 001A" or "MOV AX, 001A". Both do the same thing. Remember, all assembly opcodes can be used in TR, e.g. "CLI", "MOV [WORD 1234], 4567", "IN AL,21"... 5. Add Comments During Tracing: "CALL 7FDE" is not good compared to "CALL OPEN_FILE". But most tracers must face such opcodes. Even if you have known what the procedure would do, you could only write it down on paper. Now TR can write your comments directly into the program and save them into another file automatically. From now on all programs are easy to understand. TR will also display comments for most INT21 function calls automatically for you. 6. Automatic Jump: Many protectors use lots of JMP codes to make the decryptor of their protection unreadable. In most situations, you can only see some JMPs in the code window. At the target address, in general, you can't see the correct disassembled opcode because the protection programs likely insert some DATA in front of that address, so it's difficult to understand these programs. With the Automatic Jump feature, TR displays the correct code at the JMP address in the code window instead of displaying a "JMP xxxx". This way you can see the correct code sequence and not lots of jumps: the code is easy to read! 7. Log: TR can save all CS:IP on interpret-run. This makes it possible to analyse the program easily. If the program exits with an error, you can find the problem by backtracing your LOG. The command 'LOGPRO' can get all the key opcodes the program runs. The program will have no secret after you LOG it. Refer to the commands LOG, LOGS, VLOG and LOGPRO. 8. Write EXE file from memory: You can find many universal unpackers on the net, but what would you do if they tell you "I can't unpack it"? Unpack functions should be in debuggers. TR's MKEXE function lets you make an EXE file easily! 9. Various Complex breakpoints, One-time breakpoints: All other debuggers' breakpoints are what Intel prepared. They cannot fit the need of modern trace technology. TR has many revolutionary breakpoints: (1) BP conditions: conditional breakpoint, e.g. BP IP>4000, BP ah=2 dl=80 ch>30. (2) BPINT intnum [conditions]: interrupt breakpoint. (3) BPXB bytes [conditions]: breakpoint if ??? code is encountered. For example, "MOV AX,????" is assembled in HEX as "B8????", so you can use BPXB b8 to break on all "mov ax,????" opcodes. Other examples: BPXB cd ;all interrupts, BPXB 33 c0 ;xor ax,ax. (4) BPREG REG|SEG [conditions]: break if the given register changes. You can use BPREG cs to get all code segment changes (jmp far, retf...). As well, you can use something like BPREG cs ax=0 es=# ;# means PSP seg to get the kernel of a shelled program. (5) BPM [seg:]offset: break if the specified memory is accessed. BPM 20 will stop at 'mov ax,[20]'. (6) BPW SEG:OFFSET: breakpoint if memory changes. Some opcodes' changes to memory can only be found by repeated comparison. (7) BPIO port [conditions]. (8) BPKNL [count]: breakpoint to find the new program kernel. The most important is: if you only use one breakpoint one time, you can change the breakpoint command 'BP???' to 'GO???' to run. By using this one-time breakpoint, you need not set any breakpoint. These breakpoint functions make it more and more easy to track a program. You need not do any hard work! TR is a real tracing, tracking, debug program. We have DEBUG, SYMDEB, TD, CV, S-ICE, but they are all not such real tracing debug programs. DEBUG & SYMDEB aren't, because I think a real debug software should be full-screen. TD cannot process command line input. No mouse clicks could replace a command line like 'F CS:DX,DX+CX 00'. In DEBUG you can use 'L 100 0 0 1' to check the floppy boot sector, and use 'L 400' or 'W 400' to load a program to memory or write memory to a file. In SYMDEB you could use '>' to save the unassemble result. All these useful functions cannot be found in another debug program. I think TD & CV are not standalone debug programs. They just debug their C programs. S-ICE is great! But it looks like the 386 CPU's debug function is for S-ICE, and S-ICE is just a demo of this function. Only TR does what you think, raises 9 great new ideas in tracing technology, and for the first time makes TRACING an easy job. TR is a real tracing debug program! | |||
| Also listed in: | 16 bit and DOS Tracers | |||
| Tool name: | USBTrace |
| ||
|---|---|---|---|---|
| Author: | SysNucleus | |||
| Website: | http://www.sysnucleus.com | |||
| Current version: | 2.3.9 | |||
| Last updated: | June 11, 2009 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial with trial | |||
| Description: | USBTrace is an easy to use and powerful USB analyzer. USBTrace can monitor USB transactions at host controllers, hubs and devices. This is a 100% software product. USBTrace supports Windows 2000, Windows XP, Windows 2003 Server and Windows Vista operating systems and works with USB 1.x and 2.0 (low, full and high speed) host controllers, hubs and devices. Supports Device Class Decoding (New): HID, Hub, Video, Audio, Mass Storage, Bluetooth, Still Image Capture, Vendor Specific, WUSB HWA, Printer, CDC, Smart Card (CCID). Complete Enumeration Monitoring: monitors all USB requests exchanged during device enumeration. Does not use filter drivers. Search / Filter / Trigger / Export: search captured data, filter out unwanted data, set trigger points, export captured data. Background/Continuous capturing: for high performance/non-stop capture sessions. Performance Statistics (New): detailed performance analysis for your device/driver. Detailed Device Information: USB descriptors (Device, Hub, Configuration, Interface, Endpoint, class specific, IAD, String), Windows enumeration info. | |||
| Also listed in: | USB Monitoring Tools | |||
| Tool name: | Win32 API Monitor |
| ||
|---|---|---|---|---|
| Author: | N/A | |||
| Website: | http://www.apimonitor.com | |||
| Current version: | 1.3.1 | |||
| Last updated: | March 24, 2009 | |||
| Direct D/L link: | http://www.apimonitor.com/download/APIMonitorTrial.exe | |||
| License type: | Shareware | |||
| Description: | API Monitor is a software that allows you to spy on and display Win32 API calls made by applications. It can trace any exported API and display a wide range of information, including function name, call sequence, input and output parameters, function return value and more. A useful developer tool for seeing how Win32 applications work and learning their tricks. Main features: Trace any exported API, including Win32 APIs and other 3rd-party APIs, without needing to know the prototype of the functions. Display a wide range of information, including function name, call sequence, input and output parameters, function return value, GetLastError code and more. Predefined prototypes for 82 DLLs and nearly 4000 APIs. Filter Profiles are a powerful way of storing your favorite monitor settings for use in other sessions. API Monitor presets 27 API Filter Profiles, including Handles and Objects, Dynamic-Link Libraries, Event Log, Pipes and Mailslots, Debugging, Windows Classes, COMM, Application Related, Shell, Dialog Boxes, File System, Services Related, Remote Access Service, Memory Management, Print Related, Windows, Registry, Processes and Threads, File IO, WinInet, Windows Sockets, Multimedia API, Windows GUI, Network Management, WinNT Security, Access Control Functions. Allows content to be viewed and exported: log content can be viewed within API Monitor, and exported to another application or saved to a file. Supports debug and release versions with no modifications to the target application. Supports Unicode and ANSI APIs. Monitor running processes: spy on APIs in a background or console process that is already running. Supports multithreading. Displays API calls originating from ActiveX controls and COM objects instanced by an application. MS Excel® style data filtering: customize filter criteria against any data item. Automatic click-sorting against an unlimited number of columns, descending or ascending. Automatic data grouping: an extremely powerful data viewing and manipulation metaphor. Automatic runtime column selection: easily customize the columns visible on-screen with intuitive drag and drop. Instant online MSDN help: this feature allows you to view online MSDN context-sensitive help for the currently selected API. | |||
| Also listed in: | API Monitoring Tools | |||
| Tool name: | WinApiOverride |
| ||
|---|---|---|---|---|
| Author: | Jacquelin POTIER | |||
| Website: | http://jacquelin.potier.free.fr/winapioverride32/ | |||
| Current version: | 5.1.11 | |||
| Last updated: | July 18, 2009 | |||
| Direct D/L link: | http://jacquelin.potier.free.fr/exe/winapioverride32_bin.zip | |||
| License type: | Free / Open Source (GPL v2) | |||
| Description: | WinAPIOverride32 is an advanced API monitoring software. You can monitor and/or override any function of a process. This can be done for API functions or executable internal functions. It tries to fill the gap between classical API monitoring software and debuggers. It can break the targeted application before or after a function call, allowing memory or register changes; and it can directly call functions of the targeted application. Main differences from other API monitoring software: - You can define filters on parameters or function result - You can define filters on DLLs to discard calls from Windows system DLLs - You can hook functions inside the target process, not only APIs - You can hook asm functions with parameters passed through registers - Double and float results are logged - Preserves registers, floating-point stack and LastError - You can easily override any API or any process internal function - You can break the process before and/or after a function call to change memory or registers - You can call functions which are inside the remote processes - Can hook COM, OLE and ActiveX interfaces - All is done as modules: you can log or override independently for any function | |||
| Also listed in: | .NET Tracers, API Monitoring Tools, COM Monitoring Tools | |||
| Tool name: | Winalysis |
| ||
|---|---|---|---|---|
| Author: | ||||
| Website: | http://www.winalysis.com | |||
| Current version: | 3.1 | |||
| Last updated: | January 13, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Shareware | |||
| Description: | Winalysis is a software application that can help you manage change on computers running Windows. The program can: Make compressed Snapshots of local and remote computer configurations. Test for changes from snapshots at any time. Monitor for changes to files, the registry, users, groups, security policies, services, shares, scheduled jobs, the system environment and more. Monitor remote computers from a central location. There is no need to install Winalysis on the remote machines. Restore files and/or the registry from compressed snapshots with the ability to undo a restore at any time. | |||
| Also listed in: | Install Monitoring Tools, System Diff Tools | |||
| Tool name: | xTracer |
| ||
|---|---|---|---|---|
| Author: | deroko | |||
| Website: | http://www.accessroot.com/arteam/site/download.php?view.309 | |||
| Current version: | 1.0 | |||
| Last updated: | May 25, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | xtracer is a TLB memory tracer. It tries to locate the first break in the code section of the traced process using the split TLB which is available in the Intel architecture. This code can be used to locate the OEP of the traced process easily. Currently only the 1st break is reported, but you may modify the code to handle more breaks, as that's not a problem at all if you go through the ring3 program which actually controls the driver. You may expect to get very good and fast results no matter which protection you are tracing. The time needed to locate the OEP is equal to the time needed to execute the protection layer without a debugger or any tracer. I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool released under GPL 3.0). The code can be customized to handle various scenarios, e.g. adding more breaks on code sections, or hooking some more native calls to keep control of almost every allocated buffer, but that's up to the user to implement if he needs it. To use this code simply type: xtracer.exe <application to trace> and wait a little bit. Also note that you must have an internet connection, as the code is using my SymbolFinder class to locate some symbols from ntoskrnl.exe, which makes this code compatible with Windows versions from Win2k to Vista SP1. | |||
| Also listed in: | OEP Finders, Tracers | |||