Programming Libraries

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

BCEL

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

The Apache Jakarta Project

Website:

http://jakarta.apache.org/bcel

Current version:

5.2

Last updated:

June 6, 2006

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

The Byte Code Engineering Library is intended to give users a convenient possibility to analyze, create, and manipulate (binary) Java class files (those ending with .class). Classes are represented by objects which contain all the symbolic information of the given class: methods, fields and byte code instructions, in particular.

Such objects can be read from an existing file, be transformed by a program (e.g. a class loader at run-time) and dumped to a file again. An even more interesting application is the creation of classes from scratch at run-time. The Byte Code Engineering Library (BCEL) may be also useful if you want to learn about the Java Virtual Machine (JVM) and the format of Java .class files.

BCEL contains a byte code verifier named JustIce, which usually gives you much better information about what's wrong with your code than the standard JVM message.

BCEL is already being used successfully in several projects such as compilers, optimizers, obsfuscators, code generators and analysis tools. Unfortunately there hasn't been much development going on over the past few years.

Also listed in:

Java Disassembler Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

bzip2

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Julian Seward

Website:

http://www.bzip.org

Current version:

1.0.4

Last updated:

December 20, 2006

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

bzip2 is a freely available, patent free (see below), high-quality data compressor. It typically compresses files to within 10% to 15% of the best available techniques (the PPM family of statistical compressors), whilst being around twice as fast at compression and six times faster at decompression.

The current version is 1.0.4, released 20 December 2006.

Why would I want to use it?

* Because it compresses well. So it packs more stuff into your overfull disk drives, distribution CDs, backup tapes, Zip disks, etc. And/or it reduces your phone bills, customer download times, long distance network traffic, etc. It's not the world's fastest compressor, but it's still fast enough to be very useful.

* Because it's open-source (BSD-style license), and, as far as I know, patent-free. (To the best of my knowledge. I can't afford to do a full patent search, so I can't guarantee this. Caveat emptor). So you can use it for whatever you like. Naturally, the source code is part of the distribution.

* Because it supports (limited) recovery from media errors. If you are trying to restore compressed data from a backup tape or disk, and that data contains some errors, bzip2 may still be able to decompress those parts of the file which are undamaged.

* Because you already know how to use it. bzip2's command line flags are similar to those of GNU Gzip, so if you know how to use gzip, you know how to use bzip2.

* Because it's very portable. It should run on any 32 or 64-bit machine with an ANSI C compiler. The distribution should compile unmodified on Unix and Win32 systems. Earlier versions have been ported with little difficulty to a large number of weird and wonderful systems.

* Because (by now, late 2006) everybody else uses it too.

The code is organised as a library with a programming interface. The bzip2 program itself is a client of the library. You can use the library in your own programs, to directly read and write .bz2 files, or even just to compress data in memory using the bzip2 algorithms.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

cryptlib

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Peter Gutmann (yeah, that lunatic)

Website:

http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

Current version:

3.3.1

Last updated:

recent snapshots always available

Direct D/L link:

http://www.cypherpunks.to/~peter/cl331.zip

License type:

"GPL-compatible license", A.K.A. "Sleepycat license"...

Description:

Besides very, very diverse and creative name, cryptlib comes with 400+ pages manual (...), and really fast implementations of common crypto primitives.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

Crypto++

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Wei Dai

Website:

http://www.cryptopp.com

Current version:

5.5.2

Last updated:

September 24, 2007

Direct D/L link:

http://www.cryptopp.com/cryptopp552.zip

License type:

Public Domain (!)

Description:

Cross platform library with usual crypto primitives: Hashing algos, asymmetric and symmetric algorithms, MAC's and support for elliptic curve cryptography.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

diStorm64 x86-64 Disasm Lib

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Gil Dabah & Co.

Website:

http://www.ragestorm.net/distorm

Current version:

1.7.29

Last updated:

March 7, 2008

Direct D/L link:

http://www.ragestorm.net/distorm/dl.php?id=11

License type:

BSD license

Description:

Cross platform x86, x64, MMX, SSE, SSE2, SSE3, SSE4 and soon SSE5 support with open opcode database support (tools available, carefully examine the whole page, you're looking for disops.zip, at the moment available at http://www.ragestorm.net/distorm/dl.php?id=13)

'nough said.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

DisasMSIL

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Daniel Pistelli

Website:

http://ntcore.com/Files/disasmsil.htm

Current version:

1.0

Last updated:

April 30, 2008

Direct D/L link:

http://ntcore.com/Files/disasmsil/DisasMSIL.zip

License type:

Free / Open source

Description:

DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

Note: Don't rely on the ECMA specification (Partition III: Common Language Infrastructure), since it's incomplete. Some new opcodes were introduced with the .NET Framework 2.0.

Also listed in:

.NET Disassembler Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Disasm32

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Russell Libby

Website:

http://users.adelphia.net/~rllibby/source.html

Current version:

Last updated:

March 1, 2004

Direct D/L link:

License type:

Free / Open Source

Description:

Delphi Disassembler Conversion of libdisasm 2.0. This is a Delphi conversion of the libdisasm project. The source code provides basic disassembly of Intel x86 instructions from a binary stream. The intent is to provide an easy to use disassembler class which can be called to disassemble instructions from memory. Disassembled information is in Intel syntax, as well as in an intermediate format which includes detailed instruction and operand type information.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

eXtended Disassembler Engine (XDE)

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Z0mbie

Website:

http://vx.netlux.org/vx.php?id=ex01

Current version:

1.02

Last updated:

October 2004

Direct D/L link:

License type:

Free / Open Source

Description:

XDE is based on the LDE/ADE engines. It allows you to find length of any x86 instruction, source/destination register usage for most commonly used instructions, and to split/merge instruction to/from some binary structure.

From program's viewpoint, CPU operates with: different types of registers, memory and io-devices. As such, there are introduced "object set" concept, which means bitset of registers/memory/etc. being read/written by each instruction.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

Fixed OllyDbg Disasm DLL

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

CondZero

Website:

http://arteam.accessroot.com/releases.html

Current version:

1.10

Last updated:

April 9, 2008

Direct D/L link:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

License type:

Free

Description:

An improved and fixed version of the already known disasm library (released by Oleh, Olly's author and part of the Olly's disasm engine). A little tool might help for your tools.

This package includes source code of 32-bit Disassembler and 32-bit single line Assembler for 80x86-compatible processors. The source is a slightly stripped/modified version of code used in OllyDbg v1.10 and is well proven by its numerous users.

The disasm.dll has been built using VS2005 VC 8.0 (special note: I had to make a couple modifications for errors during compilation in the source).

To include in your program, make sure the disasm.lib file is in your project folder and the resultant disasm.dll in your executable folder. Be sure to add this to your source code:
#pragma hdrstop
#include "disasm.h"

Also listed in:

Disassembler Libraries

More details:

Tool name:

GNU Multiple Precision Arithmetic Library (GMP)

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Free Software Foundation

Website:

http://gmplib.org

Current version:

4.2.2

Last updated:

September 11, 2007

Direct D/L link:

http://ftp.sunet.se/pub/gnu/gmp/gmp-4.2.2.tar.gz

License type:

Free / Open Source

Description:

GMP is a free library for arbitrary precision arithmetic, operating on signed integers, rational numbers, and floating point numbers. There is no practical limit to the precision except the ones implied by the available memory in the machine GMP runs on. GMP has a rich set of functions, and the functions have a regular interface.

The main target applications for GMP are cryptography applications and research, Internet security applications, algebra systems, computational algebra research, etc.

GMP is carefully designed to be as fast as possible, both for small operands and for huge operands. The speed is achieved by using fullwords as the basic arithmetic type, by using fast algorithms, with highly optimized assembly code for the most common inner loops for a lot of CPUs, and by a general emphasis on speed.

GMP is faster than any other bignum library. The advantage for GMP increases with the operand sizes for many operations, since GMP uses asymptotically faster algorithms.

The first GMP release was made in 1991. It is continually developed and maintained, with a new release about once a year.

Also listed in:

BigNum Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Hacker Disassembler Engine (HDE)

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Veacheslav Patkov

Website:

http://patkov-site.narod.ru

Current version:

0.28

Last updated:

March 09, 2009

Direct D/L link:

http://patkov-site.narod.ru/download/hde32-0.28.tar.gz

License type:

Free

Description:

This is small disassembler engine intended to x86-32 code analyse. HDE get length of command, prefixes, ModR/M and SIB bytes, opcode, immediate value, displacement, etc. For example, you can use HDE when writing unpackers, decryptors, viruses of executable files. HDE package include compiled object files in difference formats, header files and assembler source.

* Supports FPU, MMX, SSE, SSE2, SSE3, 3DNow! instructions
* High speed and small size (~ 1.5 kb)
* Position and OS independent code
* Compatibility with a most coding languages

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

jclasslib

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

ej-technologies

Website:

http://www.ej-technologies.com/products/jclasslib/overview.html

Current version:

3.0

Last updated:

January 14, 2005

Direct D/L link:

Java Disassembler Libraries

License type:

Free / Open Source

Description:

jclasslib bytecode viewer is a tool that visualizes all aspects of compiled Java class files and the contained bytecode. In addition, it contains a library that enables developers to read, modify and write Java class files and bytecode.

Also listed in:

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

libarchive

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

kientzle@freebsd.org

Website:

http://people.freebsd.org/~kientzle/libarchive

Current version:

2.4.11

Last updated:

December 30, 2007

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

Libarchive is a programming library that can create and read several different streaming archive formats, including most popular tar variants, several cpio formats, and both BSD and GNU ar variants. It can also write shar archives and read ISO9660 CDROM images and ZIP archives. The bsdtar program is an implementation of tar(1) that is built on top of libarchive. It started as a test harness, but has grown into a feature-competitive replacement for GNU tar. The bsdcpio program is an implementation of cpio(1) that is built on top of libarchive.

The libarchive library offers a number of features that make it both very flexible and very powerful.

* Automatic format detection: libarchive can automatically determine both the compression and the archive format, regardless of the data source. (GNU tar and star only do full format detection when reading from a file, for instance. Gunnar Ritter's heirloom tar also does full automatic format detection.)

* Reads popular formats: libarchive can read GNU tar, ustar, pax interchange format, cpio, zip, and ISO9660 formats. The internal architecture is easily extensible. The only requirement for read support is that all metadata for a file must precede the file data itself within the archive.

* Writes popular formats: libarchive can write ustar, pax interchange format, cpio, and shar formats. The internal architecture is easily extensible. The only requirement for write support is that all metadata for a file must follow the preceding file's data within the archive. (Yes, there are formats that libarchive can write but not read and vice versa.)

* Reads and writes POSIX formats: libarchive reads and writes POSIX-standard formats, including "ustar," "pax interchange format," and the POSIX "cpio" format.

* Supports pax interchange format: Pax interchange format (which, despite the name, is really an extended tar format) eliminates almost all limitations of historic tar formats and provides a standard method for incorporating vendor-specific extensions. libarchive exploits this extension mechanism to support ACLs and file flags, for example. (Joerg Schilling's star archiver and recent versions of GNU tar also support pax interchange format.)

* High-Level API: the libarchive API makes it fairly simple to build an archive from a list of filenames or to extract the entries from an archive. However, the API also provides extreme flexibility with regards to data sources. For example, there are generic hooks that allow you to write an archive to a socket or read data from an archive entry into a memory buffer.

* Modular: The library design carefully minimizes link pollution. If you only need read support for a single format, for example, you will only get the required code. This minimizes the size of statically-linked executables. (In particular, zlib or libbz2 are only required if you specifically request gzip or bzip2 support.)

* Extensible: The internal design uses generic interfaces for compression, archive format detection and decoding, and archive data I/O. It should be very easy to add new formats, new compression methods, or new ways of reading/writing archives.

* Featureful: Libarchive handles ACLs, file flags, extended attributes, international characters, large files, long pathnames, and many other features. Details vary depending on the particular format, of course.

* Fast: Libarchive minimizes data copying when handling archive files and contains carefully-tuned code for recreating objects on disk.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

libdisasm

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

mammon_, ReZiDeNt, The Grugq, MO_K, a_p, fbj

Website:

http://bastard.sourceforge.net/libdisasm.html

Current version:

0.23

Last updated:

January 16, 2008

Direct D/L link:

License type:

Free / Open Source

Description:

x86 Disassembler Library

The libdisasm library provides basic disassembly of Intel x86 instructions from a binary stream. The intent is to provide an easy to use disassembler which can be called from any application; the disassembly can be produced in AT&T syntax and Intel syntax, as well as in an intermediate format which includes detailed instruction and operand type information.

This disassembler is derived from libi386.so in the bastard project; as such it is x86 specific and will not be expanded to include other CPU architectures. Releases for libdisasm are generated automatically alongside releases of the bastard; it is not a standalone project, though it is a standalone library.

The recent spate of objdump output analyzers has proven that many of the people [not necessarily programmers] interested in writing disassemblers have little knowledge of, or interest in, C programming; as a result, these "disassemblers" have been written in Perl. In order to address this audience, a HOWTO has been provided which demonstrates how to use the libdisasm opcode tables to implement a true disassembler using Perl.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

MIRACL

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

ShamusSoftware

Website:

http://www.shamus.ie

Current version:

5.4

Last updated:

July 18, 2009

Direct D/L link:

ftp://ftp.computing.dcu.ie/pub/crypto/miracl.zip

License type:

Free

Description:

MIRACL is a Big Number Library which implements all of the primitives necessary to design Big Number Cryptography into your real-world application. It is primarily a tool for cryptographic system implementors. RSA public key cryptography, Diffie-Hellman Key exchange, DSA digital signature, they are all just a few procedure calls away. Support is also included for even more esoteric Elliptic Curves and Lucas function based schemes. The latest version offers full support for Elliptic Curve Cryptography over GF(p) and GF(2m) - see the links on this page for more details. Less well-known techniques can also be implemented as MIRACL allows you to work directly and efficiently with the big numbers that are the building blocks of number-theoretic cryptography. Although implemented as a C library, a well-thought out C++ wrapper is provided, which greatly simplifies program development. Most example programs (25+ of them) are provided in both C and C++ versions.

MIRACL now provides more support for conventional cryptography. The latest version implements the Advanced Encryption Standard (AES), Modes of Operation, and the new hashing standards SHA-160/256/384/512.

MIRACL is compact, fast and efficient and its now easier than ever to get the same near-optimal performance from any processor. Although essentially a portable library, inline assembly and special techniques can be invoked for blistering speed. MIRACL has also been successfully used in both embedded and DSP environments where space is at a premium. A new special purpose macro assembler feature facilitates the achievement of best possible performance from your embedded processor (see embedded.doc). MIRACL is, to an extent, self-configuring. Use your compiler to compile and run a simple configuration program, which proceeds with user interaction to generate optimal settings for your environment.

Also listed in:

BigNum Libraries, Crypto Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

mlde32

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

uNdErX

Website:

http://vx.netlux.org/vx.php?id=em24

Current version:

Last updated:

January 2003

Direct D/L link:

License type:

Free / Open Source

Description:

Micro Length-Disassembler Engine 32 (mlde32), is a length-disassembler engine, i.e. a piece of code that allows u to know the length of any x86 instruction. The mlde32 engine supports the ordinary 386 opcode set, plus the extensions: fpu, mmx, cmov, sse, sse2 etc...

It's usage is very simple here's the prototype:

int __cdecl mlde32(void *codeptr);
where:
codeptr -> is a pointer to the opcode that u want to know the size.

if you have any problem using the engine, just take look in some examples at the /examples (nothing more obvious). That's a very simple and powerful engine,and does not require too much system resources either,just 160 bytes of stack space is needed. This engine is only code, and no fixed offsets were used so it can be permutaded/perverted at your own will.

Engine was released in 29A#7 magazine. The size of the engine is 431 byte.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

OpenSSL libcrypto

Currently4/5
1
2
3
4
5

Rating: 4.0 (1 vote)

Author:

The OpenSSL Project

Website:

http://www.openssl.org

Current version:

Last updated:

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

Very competent crypto library used in OpenSSL.

Online documentation at:

http://www.openssl.org/docs/crypto/crypto.html

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

PaiMei

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Pedram Amini

Website:

http://paimei.googlecode.com

Current version:

1.1-REV122

Last updated:

May 22, 2007

Direct D/L link:

Debugger Libraries, Reverse Engineering Frameworks

License type:

Free / Open Source

Description:

PaiMei, is a reverse engineering framework consisting of multiple extensible components. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as fuzzer assistance, code coverage tracking, data flow tracking and more. The framework breaks down into the following core components:

* PyDbg: A pure Python win32 debugging abstraction class.
* pGRAPH: A graph abstraction layer with seperate classes for nodes, edges and clusters.
* PIDA: Built on top of pGRAPH, PIDA aims to provide an abstract and persistent interface over binaries (DLLs and EXEs) with separate classes for representing functions, basic blocks and instructions. The end result is the creation of a portable file that when loaded allows you to arbitrarily navigate throughout the entire original binary.

A layer above the core components you will find the remainder of the PaiMei framework broken into the following over-arching components:

* Utilities: A set of utilities for accomplishing various repetitive tasks.
* Console: A pluggable WxPython GUI for quickly and efficiently rolling out your own sexy RE utilities.
* Scripts: Individual scripts for accomplishing various tasks. One very important example of which is the pida_dump.py IDA Python script which is run from IDA to generate .PIDA modules.

The documentation for the framework is available online at: http://pedram.openrce.org/PaiMei/docs

A very informative discussion thread about PaiMei, including a bunch of tutorials on how to use the different aspects of it, can be found at:
http://www.woodmann.com/forum/showthread.php?t=10851

Also listed in:

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

pynary

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

c1de0x

Website:

http://code.google.com/p/openrce-snippets/wiki/pynary

Current version:

0.0.1

Last updated:

Direct D/L link:

N/A

License type:

Open Source

Description:

pynary will become a powerful platform independent framework for binary code analysis.

The initial goal is to the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structure where possible.

Once the initial goal is achieved, a number of cool features are planned:

* stack frame analysis
* un-inliner
* exception handling parsing/analysis
* 'functionally equivalent' matching
* c++ template function matching
* meta-data transfer between IDBs
* c++ class reconstruction (with/without RTTI)
* ...

This project is still in its infancy, and looking for volunteers.

Also listed in:

Deobfuscation Tools, Executable Diff Tools, Reverse Engineering Frameworks, Exe Analyzers, Diff Tools

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

Ragweed

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Matasano Security

Website:

http://www.matasano.com/log/1799/ruby-for-pentesters-the-dark-side-i-ragweed/

Current version:

Last updated:

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

Ragweed is available as a gem through github:

sudo gem install tduehr-ragweed

Why a scriptable debugger?

When reversing, the usual debugging tools for developers aren’t as useful. They’re built for stepping interactively through programs you have source code for. They don’t generally have methods to get data out.

Reversing also requires being able to do mean and nasty things to the running process. When tracing calls, you want to watch how they interact. The last thing you want to do is anything manual. Automation is a requirement.

Also helpful is the ability to automate information gathering tasks, or the ability to dynamically add, remove or change breakpoints. These features are why scriptable debuggers have been created: To play with black boxes in a more dynamic and seedier manner.

What’s available already?

There are already scriptable debuggers out there. The most notable are PaiMei/PyDbg, Immunity Debugger and IDA.

PaiMei is written in Python, bills itself as “a reverse engineer’s swiss army knife” and uses the Python ctypes library for low level win32 calls.

Immunity Debugger is a GUI debuggger for win32 that uses Python for its scripting functionality.

IDA Pro is largely a win32 disassembler, but it is scriptable, again in Python, and includes a debugging module.

Before I get run off by a screaming mob with pitchforks, flightless birds, members of the family bovidae, etc., I will also mention GDB which has a library in development (libgdb) and can be scripted through macros.

With the exception of GDB which runs on most platforms and has its own macro language, these all share two common problems: Win32 and Python. Matasano is a Ruby shop. We like Ruby. It is good to us. We also wanted a tool for non-Win32 applications. But mostly, we just wanted something in Ruby.

Enter Ragweed

I’m going to stick to the OSX side of Ragweed for this article since I’m most familiar with it and there is still work to be done to unify the (currently) three debugging APIs —- Win32, Linux, and OSX —- inside Ragweed.

Under the hood, Ragweed (on OSX) uses Ruby/DL to perform the various low level system calls necessary to create a debugger. (More about that in my post from last year). These calls are abstracted somewhat to provide a smoother, more Ruby-like interface.

There are two caveats for Ragweed in OSX:

* Due to the changes in Ruby 1.9 to DL, it is currently incompatible with 1.9.
* Also, under OSX, Ragweed wants to run as root due to restrictions on
Code:

task_for_pid

.

A quick example (this we can do in IRB):

# debugging ftp using default signal handlers, printing registers every stop and logging calls to _lpwd

require ‘ragweed’
class DebugFtp < Debuggerosx

# print the registers every time the process stops

def on_stop(signal)

puts "Stopped with signal #{signal}"

self.threads.each {|t| self.get_registers(t).dump}

end

end

# no process lookup by name yet

d = DebugFtp.new(pid) # where pid is the id of ftp for this example

# set breakpoint for lpwd

d.breakpoint_set(0x420f,‘lpwd’, (bpl = lambda do | t, r, s | puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"; end))

d.install_breakpoints

d.continue

d.loop #loop until child exits

# now go do stuff in in your other terminal window running ftp

That’s it. We just override the signal handlers for the signals we want to know about (or not), attach to a running process, set and install breakpoints, and it’s off to the traces. A simple hit tracer is only a CSV file and read loop away from this.

Want info on a region of memory?

d.region_info(0x0,:basic).dump

What about:

thread_info

?

d.threadinfo(threadid).dump

Break stuff by playing with registers?

regs = d.get_registers(thread_id) regs.eip = 0x420f d.set_registers(thread_id, regs)

Grope through the child’s memory?

Ragweed::Wraposx::vm_read(d.task, address, size) #returns a string of child's memory

There you have it. It’s not pretty but it’s only begun.

Also listed in:

Debugger Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

SharpZipLib

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

IC#Code

Website:

http://www.icsharpcode.net/OpenSource/SharpZipLib/Default.aspx

Current version:

0.85.4

Last updated:

September 9, 2007

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

#ziplib (SharpZipLib, formerly NZipLib) is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform. It is implemented as an assembly (installable in the GAC), and thus can easily be incorporated into other projects (in any .NET language). The creator of #ziplib put it this way: "I've ported the zip library over to C# because I needed gzip/zip compression and I didn't want to use libzip.dll or something like this. I want all in pure C#."

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

SysDasm

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Kayaker

Website:

http://rootkit.com/newsread.php?newsid=208

Current version:

Last updated:

October 26, 2007

Direct D/L link:

License type:

Free / Open Source

Description:

Full-Text Disassembler DLL Export Module for Kernel Mode

I use the source code of NDISASM, the Netwide Disassembler portion of NASM, compiled into a user mode DLL, for use in various reversing projects that incorporate a disassembler component. Recently I decided to recompile the code into a *kernel mode* DLL, to see what use might be made of it in a driver context. The result may be of interest to some, perhaps as a self contained full-text disassembly module for testing or development (i.e. "playing"), or simply as an example of creating and using kernel mode export drivers.

The full-text disassembly module, SysDasm.sys, is created with a single export, which acts as a wrapper around the NDISASM internal disasm routine. This export-only driver is loaded from another driver, either by linking to it explicitly, or by loading it with ZwSetSystemInformation using the SystemLoadImage class.

In this type of export module, the DriverEntry routine is never called but exists so the file is compiled correctly as a .sys driver. If you want to design such a Kernel Mode DLL with functional entry/exit routines, you can add PRIVATE exports declared as DllInitialize/DllUnload. For more on this see for example
DLLs in Kernel Mode by Tim Roberts
http://www.wd-3.com/archive/KernelDlls.htm

The easiest way to use such a kernel mode DLL is to include its .LIB file when compiling the driver which will communicate with it, and to declare the functions you want to import with EXTERN_C DECLSPEC_IMPORT. When the driver is loaded by the system, this second module is loaded as a required kernel DLL and the functions can then be called directly by name. The DLL is unloaded by the system when the driver closes.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

TurboPower LockBox

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

benoram, chaoticpup, fredhuffman & tpsfadmin

Website:

http://sourceforge.net/projects/tplockbox

Current version:

2.07

Last updated:

January 21, 2003

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

LockBox is a cross-platform toolkit for data encryption. It contains routines & components for use with Borland Delphi, C++Builder, & Kylix. It provides support for Blowfish, RSA, MD5, SHA-1, DES, triple- DES, Rijndael, & digital signing of messages.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

Udis86

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Vivek Mohan

Website:

http://udis86.sourceforge.net

Current version:

1.6

Last updated:

August 5, 2007

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

Udis86 is an easy-to-use minimalistic disassembler library (libudis86) for the x86 and AMD64 (x86-64) range of instruction set architectures. The primary intent of the design and development of udis86 is to aid software development projects that entail binary code analysis.

1. Full support for the x86 and x86-64 (AMD64) range of instruction set architectures.
2. Full support for all AMD-V, INTEL-VMX, MMX, SSE, SSE2, SSE3, FPU(x87), and AMD 3Dnow! instructions.
3. Supports 16bit, 32bit, and 64bit disassembly modes.
4. Generates output in AT&T or INTEL assembler language syntaxes.
5. Supports flexbile input methods: File, Buffer, and Hooks.
6. Thread-safe and Reentrant.
7. Clean and very easy-to-use API.
8. Builds on *nix systems, Win32, DJGPP (new), Standalone, etc.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

VirtualBox Disassembler Library

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

OHPen

Website:

http://www.woodmann.com/forum/showthread.php?t=11904

Current version:

Last updated:

July 15, 2008

Direct D/L link:

License type:

Free / Open Source

Description:

Because I needed a good disassembler for my projects I check different distributions in the internet. Most of them are homebrew and the support, or let's better say MAINTAINANCE is in most cases not the best.

I really hate it if use a component and realize that there is a bug and the releaser of the component is not able to fix it or sometimes has no real interest in fixing it. That sucks.

That's why I focused on a disassembler which is well maintained and last but not least a good one.

During my search I stumbled over VirtualBox, which is an similar SUN implementation of VMWare's Workstation. The difference is that VirtualBox comes with source, or at least you can download the source (http://www.sun.com/software/products/virtualbox/get.jsp).

I thought that they'd pretty sure have to have an working disassembler inside there virtual machine and bingo... they have.
The problem was that the disassembler was not contained in form of a library, it was simply integrated in the source.

It took me about 2 hours to extract the needed source parts out of virtualbox and built a project for a library for it.

I now use it for my projects and it is very useful for me.

Also listed in:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

More details:

Tool name:

WinPcap

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

WinPcap team

Website:

http://www.winpcap.org

Current version:

4.0.2

Last updated:

November 9, 2007

Direct D/L link:

http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe

License type:

Free / Open Source

Description:

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

Also listed in:

Networking Libraries

More details:

Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry)

Tool name:

zlib

Currently0/5
1
2
3
4
5

Rating: 0.0 (0 votes)

Author:

Jean-loup Gailly & Mark Adler

Website:

http://www.zlib.net

Current version:

1.2.3

Last updated:

July 18, 2005

Direct D/L link:

N/A

License type:

Free / Open Source

Description:

zlib is designed to be a free, general-purpose, legally unencumbered -- that is, not covered by any patents -- lossless data-compression library for use on virtually any computer hardware and operating system. The zlib data format is itself portable across platforms. Unlike the LZW compression method used in Unix compress(1) and in the GIF image format, the compression method currently used in zlib essentially never expands the data. (LZW can double or triple the file size in extreme cases.) zlib's memory footprint is also independent of the input data and can be reduced, if necessary, at some cost in compression. A more precise, technical discussion of both points is available on another page.

zlib was written by Jean-loup Gailly (compression) and Mark Adler (decompression). Jean-loup is also the primary author/maintainer of gzip(1), the author of the comp.compression FAQ list and the former maintainer of Info-ZIP's Zip; Mark is also the author of gzip's and UnZip's main decompression routines and was the original author of Zip. Not surprisingly, the compression algorithm used in zlib is essentially the same as that in gzip and Zip, namely, the `deflate' method that originated in PKWARE's PKZIP 2.x.

Also listed in: