From Collaborative RCE Tool Library
Tool Extensions
| Tool name: | CPU Initialization Patch |
|---|---|
| Author: | blurcode |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11302 |
| Current version: | 1.0.0.1 |
| Last updated: | April 12, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | This is a plugin for OllyDbg 1.10, which hot-patches Olly's code to resolve the issue of OllyDbg taking 100% CPU time as soon as the debugged process is running (i.e. after having pressed F9 inside OllyDbg). If nothing else, this problem causes any laptop that you might be reversing on to lose much more battery life than necessary, and also to sound like a jet plane due to constant maximum fan rotation, so this plugin will come in handy for any laptop reversers at least. For more info, please see the following thread: http://www.woodmann.com/forum/showthread.php?t=11302<br><br>Changelog:<br>Version 1.0.0.1 (April 12, 2008) - keeps the last selected option after restart<br>Version 1.0.0.0 (February 11, 2008) - initial release |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Class Informer |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.openrce.org/blog/view/1344/Class_Informer_IDA_plug-in |
| Current version: | 1.01 |
| Last updated: | April 2, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Scans an MSVC 32-bit target IDB for vftables with C++ RTTI and MFC RTCI type data. Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read easier as an aid to reverse engineering. Creates a list window with found vftables for browsing.<br><br>RTTI ("Run-Time Type Identification"): http://en.wikipedia.org/wiki/RTTI<br>RTCI ("Run Time Class Information"), the MFC forerunner to "RTTI": http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx<br><br>See also the screenshot example of vftable info set by the plug-in below. |
| Also listed in: | COM Tools, IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | CommandBar |
|---|---|
| Author: | Gigapede |
| Website: | N/A |
| Current version: | 3.20.110 |
| Last updated: | April 18, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | SoftICE commands in a small bar on the bottom. Macro function support. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | IDA Process Dumper |
|---|---|
| Author: | thE Cur!ouZ |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | July 9, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | IDA Process Dumper is a plugin to make a dump of the running process under the IDA debugger. |
| Also listed in: | IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | IDAFicator |
|---|---|
| Author: | AT4RE |
| Website: | http://www.at4re.com |
| Current version: | 1.2.12 |
| Last updated: | May 6, 2008 |
| Direct D/L link: | http://www.at4re.com/tools/Releases/Zool@nder/IDAFicator/IDAFicator_1.2.12.zip |
| License type: | Free |
| Description: | This plugin tries to make the life of OllyDbg users easier by bringing them some fast and frequently used functions. Here is the list of features brought by the plugin:<br><br>Version 1.2.8 - What's new:<br>- optimized assembling abilities (ONE.SHOT.ASSEMBLER)<br>- new breakpoints menu<br>- 3 new custom functions<br>- new mouse actions and shortcuts in disasm and dump windows<br><br>Version 1.2.0:<br>* 11 buttons added to the native toolbar:<br>1. The go back/forward button.<br>2. The Reach beginning/End of procedures button.<br>3. The search for all text strings button.<br>4. Hardware Breakpoints Dialog box opener (in a non-modal, non-child dialog box).<br>5. Multi-Commands assembler.<br>6. Target directory opener.<br>7. Customizable buttons.<br>* IDA-like mouse features in the DISASSEMBLY WINDOW, the DEFAULT DUMP WINDOW and the STACK WINDOW.<br>* Dump and set a HWBP on [ESP].<br>* 'Universal' stolen code restoring.<br>* Address Informer.<br>* Direct Address Copier.<br>And more.<br><br>What's new:<br>1. Support for asm-like commands in the 'multicommand assembler'. Commands added so far:<br>1.1) PUSHSTR - there are 2 versions of this command:<br>1.1.1) The first one takes no argument (ex: pushstr 'kernel32.dll' -> PUSH 3D0000 ; ASCII "kernel32.dll").<br>1.1.2) The second one accepts one argument, the address where to assemble (ex: pushstr 'kernel32.dll', 401000 -> PUSH 00401000).<br>1.2) PUSHALL - pushes several commands (ex: pushall 0402000, @GWL_EXSTYLE call GetWindowLongA is assembled to: PUSH 00402000 CALL user32.GetWindowLongA). All constants in windows.inc (thanks hutch and iczelion for this file) can be used just with the prefix '@'.<br>1.3) INVOKE - works like its homologous asm command. Note that:<br>1.3.1 - The strings will be assembled at a 'random' address allocated in debuggee memory.<br>1.3.2 - You can integrate strings directly in the invoke macro.<br>ex1: invoke MessageBoxA, 'Text1 from invoke macro', 'Text2 from invoke macro', @MB_OK -><br>PUSH 0 ; /Style = MB_OK\|MB_APPLMODAL<br>PUSH 1D0030 ; \|Title = "Text2 from invoke macro"<br>PUSH 1D0048 ; \|Text = "Text1 from invoke macro"<br>PUSH 00402000 ; \|hOwner = 00402000<br>CALL DWORD PTR DS:[<&user32.MessageBoxA>] ; \MessageBoxA<br>ex2: invoke GetPrivateProfileIntA, 'Section Name', 'Key', 0, 'B:\bla\bla\bla\bla.ini' -><br>PUSH 1D0060 ; /IniFileName = "B:\bla\bla\bla\bla.ini"<br>PUSH 0 ; \|Default = 0<br>PUSH 1D0077 ; \|Key = "Key"<br>PUSH 1D007B ; \|Section = "Section Name"<br>CALL DWORD PTR DS:[<&kernel32.GetPrivate> ; \GetPrivateProfileIntA<br>1.4) Note that the constants are located in the 'BYTES.OEP' file provided with this version (version of 06/05/2008) and you have to replace the old one. Otherwise, all constants will return 0 and will be assembled as: push 0.<br>2- Position saving for the most important and most used dialog boxes.<br>Please consider using the pushstr macro instead of the invoke one if the length of the pushed text is > 40 chars.<br>Privacy note: The last entered piece of text to assemble in MCasm is stored in the registry ("HKEY_CURRENT_USER\Software\IDAFicator Plugin"), just in case.<br>3- MuCAsm now remembers the last entered text even between 2 debugging sessions. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | ImpREC Plugin Pack |
|---|---|
| Author: | Multiple authors |
| Website: | N/A |
| Current version: | 080222 |
| Last updated: | February 22, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source (partly) |
| Description: | A pack containing a big bunch of plugins for ImpREC. It also contains source code for many of these plugins, for the most common programming languages/compilers (VC++/Delphi/MASM/TASM). This source code is of course good for use as template code for new plugins.<br><br>It contains the following plugins WITH source: ASProtect 1.2x, eXcalibur 1.x, Morphine 3.3, Perplex 1.01, PESpin 1.3.04, RLPack 0.7, tELock 0.92x, Yoda 1.02.<br><br>It contains the following plugins WITHOUT source: ACProtect #1.dll, ACProtect #2.dll, ACProtect #3.dll, Alex Protector.dll, Armadillo 2.6.dll, ASProtect 1.22.dll, ASProtect 1.23 rc4.dll, ASProtect 1.2x Emul API #1.dll, ASProtect 1.2x Emul API #2.dll, ASProtect 1.2x.dll, ASProtect 1.3.dll, ASProtect 2.xx.dll, CoolCrypt.dll, Cryptocrack's PE Protector.dll, Excalibur.dll, ExeCryptor.dll, EXEStealth275.dll, Expressor 1.5.x.dll, ExtOverlay.dll, GoatsPEMutilator16.dll, HowTo.txt, Krypton 0.4 - 0.5 #1.dll, Krypton 0.4 - 0.5 #2.dll, Krypton 0.5.dll, Morphine.dll, NTKrnl Protector 0.1.x.dll, Null.dll, Obsidium #1.dll, Obsidium #2.dll, Obsidium #3.dll, Obsidium 1.3.dll, Obsidium 1.3.dll.txt, PE123.dll, PECompact 2.7.x.dll, PELock 1.06 (regged).dll, PELock 1.06 (regged).dll.txt, PELock 1.0x.dll, Perplex101.dll, PESpin.dll, PESpinPlugin.dll, Plugin.txt, PrivateExeProtector 1.8.dll, PrivateExeProtector 1.8.txt, Privilege.dll, Protection Plus 4.x.dll, RLPack 0.7.dll, RLPack 0.7.x.dll, RLPack 0.x.dll, RLPack 1.16.dll, RLPack 1.18.dll, SDProtector 1.12.dll, SVK Protector #1.dll, SVK Protector #2.dll, tELock 0.71.dll, tELock 0.92.dll, tELock 0.98 #1.dll, tELock 0.98 #2.dll, tELock 0.98 #3.dll, tELock 0.98 #4.dll, tELock 0.98 #5.dll, tELock 0.99.dll, tELock 0.9x.dll, TPP.dll, VisualProtect.dll, Yoda Crypter 1.02.dll. |
| Also listed in: | ImpREC Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | PhantOm |
|---|---|
| Author: | Hellsp@wn & Archer & Olenevod |
| Website: | N/A |
| Current version: | 1.54 |
| Last updated: | January 7, 2009 |
| Direct D/L link: | http://securityblog.ws/work/phantom.plugin.1.54.zip |
| License type: | Free |
| Description: | Plugin (with driver) for hiding OllyDbg from the following methods of detection:<br><br>// driver - extremehide.sys<br>[+] NtQueryInformationProcess.<br>[+] SetUnhandledExceptionFilter.<br>[+] OpenProcess.<br>[+] Invalid Handle.<br>[+] NtSetInformationThread.<br>[+] RDTSC.<br>[+] NtYieldExecution.<br>[+] NtQueryObject.<br>[+] NtQuerySystemInformation.<br>[+] Windows hide.<br>[+] GetProcessTimes.<br>[+] NtSetContextThread.<br><br>// plugin - PhantOm.dll<br>[+] PEB BeingDebugged.<br>[+] PEB NtGlobalFlag.<br>[+] GetStartupInfo.<br>[+] Process Heaps.<br>[+] GetTickCount.<br>[!] Protect DRx.<br>[!] Hide DRx.<br>[!] Fake Windows version.<br>[!] Custom Handler.<br>[+] BlockInput<br><br>What's new - 1.30<br>[*] Captions of main and CPU windows can be manually set (CAPTEXT and PRETEXT in OllyDbg's ini-file). By default, they are named "PhantOm" and "o_O".<br>[*] Fixed some bugs in the "custom handler exceptions" feature<br>[*] Other minor fixes<br><br>What's new - 1.26<br>[*] Fixed bug with loading driver<br>[*] Fixed bug with memory breakpoints (now, when the "custom handler exceptions" option is checked, memory breakpoints on access/write will work, but break-on-access won't work)<br>[*] Fixed bug with updating plugin (after previous version)<br><br>What's new - 1.25<br>[*] Now you can manually set names of services (HIDENAME and RDTSCNAME)<br>[*] Fixed some minor bugs<br>[*] Fixed bug with memory breakpoints<br><br>What's new - 1.20<br>[*] Added own exception handler (C0000005)<br>[*] Added option to change caption of main OllyDbg window<br>[*] Added own exception handler (OUTPUT_DEBUG_STRING_EVENT)<br>[*] Improved removing of int 3 breakpoint at EP, when pause is set to "system breakpoint"<br>[*] Added hook for BlockInput (only for Windows XP)<br>[*] Added own exception handler (C0000094)<br>[*] Added hide from GetStartupInfo<br>[*] Fixed bug with plugin options<br>[*] Added protection from detecting driver |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | TurboDiff |
|---|---|
| Author: | Nicolás Economou |
| Website: | http://tinyurl.com/turbodiff |
| Current version: | 1.01 |
| Last updated: | October 14, 2009 |
| Direct D/L link: | http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=turbodiff&file=turbodiff_v1.0.1.zip |
| License type: | GPLv2 |
| Description: | Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries. |
| Also listed in: | Executable Diff Tools, IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | BinDiff |
|---|---|
| Author: | zynamics GmbH |
| Website: | http://www.zynamics.com/bindiff.html |
| Current version: | 2.1 |
| Last updated: | 2009 |
| Direct D/L link: | N/A |
| License type: | Commercial (IDA Pro plugin) |
| Description: | A very powerful executable file diffing tool, in the form of an IDA Pro plugin. |
| Also listed in: | Executable Diff Tools, IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Fast IDB2Sig and LoadMap IDA plugins |
|---|---|
| Author: | TQN |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | September 14, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | It took me two weeks to write two IDA plugins, a renewed, fast IDB2Sig plugin and a new, very fast LoadMap plugin. The IDB2SIG plugin I rewrote based on the original source code and idea of:<br>- Quine (quine@blacksun.res.cmu.edu)<br>- Darko<br>- IDB2PAT of J.C. Roberts <mercury@abac.com><br>Thanks all of you very much. I think all of you will allow me to publish the new source code. The LoadMap plugin I wrote based on the idea of Toshiyuki Tega. It supports loading and parsing VC++, Borland (Delphi/BC++/CBuilder) and DeDe map files. With these two plugins, I needed only two days to create two signature files for Delphi 6/7. Very fast and convenient. Hereafter, we can use the two above plugins to create signature files, load map symbols... Source is included, and plugins are precompiled for IDA 4.5 and 5.2. |
| Also listed in: | IDA Signature Creation Tools |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Regmon and Filemon Log Duplicate Remover |
|---|---|
| Author: | Kayaker |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | November 11, 2002 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Designed to remove duplicate entries (at a designated filtering level) in Regmon and Filemon logs so it becomes humanly possible to scan large multi-thousand-line logs for unique occurrences of a registry or file path being accessed. The application parses the "Path" string of each entry and cuts it off at a subdirectory (\) level set by the user (Filter Level). A CRC32 value is then calculated on the remaining string. Any further occurrences of the same CRC32 value are considered "duplicates" and are discarded. The string the CRC32 value is calculated on is actually a combination of the Process, plus the filtered Path string, and optionally the Request (CreateKey, OpenKey, QueryValueEx, etc.). Entries with one or more CLSID {} values can be handled separately so unique values are preserved regardless of the Filter Level chosen. Of course only the first occurrence is kept and it is really only the "root" of the Path entry (unless you choose a Filter Level setting of 0), but by selecting a series of Filter Level settings you can choose the degree of detail you want to reveal. Full MASM source is included. |
| Also listed in: | Filemon Extensions, Regmon Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | OllyHeapTrace |
|---|---|
| Author: | Stephen Fewer |
| Website: | http://www.harmonysecurity.com/OllyHeapTrace.html |
| Current version: | 1.0 |
| Last updated: | February 23, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | |
| Description: | OllyHeapTrace is a plugin for OllyDbg (version 1.10) to trace the heap operations being performed by a process. It will monitor heap allocations and frees for multiple heaps, as well as operations such as creating or destroying heaps and reallocations. All parameters as well as return values are recorded and the trace is highlighted with a unique colour for each heap being traced. The primary purpose of this plugin is to aid in the debugging of heap overflows where you wish to be able to control the heap layout to overwrite a specific structure such as a chunk header, critical section structure or some application-specific data. By tracing the heap operations performed during actions you can control (for example opening a connection, sending a packet, closing a connection) you can begin to predict the heap operations and thus control the heap layout. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | IDACompare |
|---|---|
| Author: | David Zimmer |
| Website: | http://labs.idefense.com/software/static.php#more_idacompare |
| Current version: | 5.4 |
| Last updated: | March 5, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, but it should also find good use when conducting patch analysis. Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both. The project also implements a signature scanner, letting you build your own listing of known functions. |
| Also listed in: | Executable Diff Tools, IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | API Help |
|---|---|
| Author: | Phoenix |
| Website: | N/A |
| Current version: | |
| Last updated: | June 26, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Assists in finding API addresses and setting breakpoints; includes an auto-completion feature. Supports ~120 DLLs and ~14000 APIs. For XP SP2 only! (Place aphlp.ahd in the main OllyDbg directory.) |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Advanced obj and lib IDA signature ripper |
|---|---|
| Author: | gerbay |
| Website: | http://www.woodmann.com/forum/showthread.php?t=9931 |
| Current version: | 1.0 |
| Last updated: | May 23, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | It loads obj and lib (COFF format) file signatures into the IDA database. It identifies many more labels than FLAIR signatures. FLIRT signature creation is not possible in some situations; for example, you can try to create a FLIRT signature for flexlm libs, but this plugin will work in such situations too! |
| Also listed in: | IDA Signature Creation Tools |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | AnalyzeThis! |
|---|---|
| Author: | Joe Stewart |
| Website: | http://www.joestewart.org |
| Current version: | |
| Last updated: | October 26, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This plugin allows the OllyDbg analysis function to operate outside of the standard code segment as defined by the PE header. Particularly useful for packed files. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Asm2Clipboard |
|---|---|
| Author: | fatmike |
| Website: | N/A |
| Current version: | |
| Last updated: | April 8, 2005 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Copy asm code to clipboard. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | AttachAnyway |
|---|---|
| Author: | Joe Stewart |
| Website: | N/A |
| Current version: | 0.3 |
| Last updated: | September 7, 2005 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | AttachAnyway is a PoC OllyDbg plugin designed to show how to remove a process's hook on NtContinue set by the anti-debugger-attach method devised by Piotr Bania here: http://pb.specialised.info/all/anti-dattach.asm<br>This is not intended to be a universal plugin for all anti-attach methods, just one example of how you can do it. It works by enumerating all processes, searching their virtual memory space for a JMP hook on the NtContinue method, then replacing the jump with the original bytes from a non-hooked process, then calling the OllyDbg Attachtoactiveprocess API. attach-test.exe is an assembled version of Piotr's anti-dattach.asm you can use to test the plugin with. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | AttachExtended |
|---|---|
| Author: | Hero |
| Website: | http://www.woodmann.com/forum/showthread.php?t=12499 |
| Current version: | |
| Last updated: | March 4, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This is a really small plugin that I have written for improving the attach feature of OllyDbg. With this plugin, you can attach to a process by identifying its PID directly, not only by selecting from the process list. In addition, you can find the PID of a process by dragging a small cursor on each window (this can be used on some protections which remove the process from the process list, like GameGuard). Please let me know about bugs, and your suggestions for more process attaching options. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | BlkLabel |
|---|---|
| Author: | Veronica Chapman |
| Website: | http://www.veronicachapman.com/OllyDbg/ |
| Current version: | 1.0 |
| Last updated: | September 30, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | BlkLabel is a bulk labelling plugin for OllyDbg. The objective is to take a Memory Map listing from a compilation and extract all Label-Address (Symbol-Address) pairs from such a (text) file. These are then fed into OllyDbg such that it will display Symbols rather than Memory Addresses. This renders OllyDbg's presentations about as readable as is possible in a Debugging Environment. The precursor is, of course, the availability of a Memory Map in textual format. Most IDEs (Linkers) should be able to produce that. This is the link: http://www.VeronicaChapman.com/OllyDbg/BlkLabel.zip<br>There is a ReadMe that explains the package. The PlugIn comes with a Help File that explains everything anyway (as far as I can see). The main PlugIn (BlkLabel.dll) calls a Sub-Plugin (SubLabel.dll). All of the reformatting to support the extraction of Label-Address pairs for a specific Memory Map File Format is contained within SubLabel.dll. Write a different one of those, and you can decipher the Memory Map File of your choice. You just need to create an Export to handle (maybe translate) each Character, and another to decipher each Text Record. BlkLabel itself handles all the rest. Oh, there's just one small thing. The Source Code is contained in the package, but the PlugIn is written in Clarion... so I don't know if it will be much use to you, but if it is you are welcome to use it. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | CLBPlus! |
|---|---|
| Author: | Robert Ayrapetyan |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | October 1, 2005 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Extends the standard capabilities of conditional log breakpointing, utilizing the OllyDbg feature which allows passing commands to plugins from the "Set conditional log breakpoint" window. This version only supports a DUMP command, but with the included source this is a great example for creating additional functions. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | ClassAndInterfaceToNames |
|---|---|
| Author: | Frank Boldewin |
| Website: | http://www.reconstructer.org |
| Current version: | |
| Last updated: | June 16, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me a lot while reversing several malware samples using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA |
| Also listed in: | IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Cleanup Ex |
|---|---|
| Author: | Gigapede |
| Website: | N/A |
| Current version: | 1.12 |
| Last updated: | March 11, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Deletes all .udd, .bak files. Plugin & udd dir support. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Code Ripper |
|---|---|
| Author: | Ziggy |
| Website: | N/A |
| Current version: | |
| Last updated: | April 19, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Rips selected code from the OllyDbg disassembler window and formats it according to MASM, C/C++ (inline assembler) or Delphi (inline assembler). Customizable, supports labels, comments, detailed help. |
| Also listed in: | OllyDbg Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Code Snippet Creator |
|---|---|
| Author: | servil |
| Website: | http://sharemation.com/servil/idaplugs/ |
| Current version: | 0.989 beta |
| Last updated: | 2008 |
| Direct D/L link: | http://www.sharemation.com:80/servil/idaplugs/csc-bin.zip |
| License type: | Freeware |
| Description: | code snippet creator plugin for ida pro by servil<br>version 0.989 beta (Feb 2008)<br>supported ida versions: 4.9 and above till API change (tested on 5.2 without backward compatibility enforcement)<br><br>basic ida plugin to automate migration of one or more functions from host program to custom assembly project (primarily masm targeted). some effort was put into being generic and able to process any processor and format based on function model using basic assembler data types (byte, word, dword...), however it is focused and only properly tested on 32-bit borland and msvc code and is expected to give best results for these compilers (generally the more distant the actual format is from pe-32, the less functionality you may expect); also all runtime features are only available for pe-32 formats.<br><br>major features:<br>* static code and data flowgraph traversal<br>* static data formatting and bounds determining<br>* code and data integrity care<br>* integrated runtime evaluated addressing resolver (orig. executable required)<br>* integrated process data dumping with emulation of accessed virtual data and stack variables (orig. executable required)<br>* iat address translation for dynamic runtimes build (pe-32 only)<br>* lexical compatibility adjustments, name conflicts resolving and basic output garbage cleanup<br>* final flowgraph (kernel version 5.1 and newer)<br><br>the plugin is designed to cover all possible address ranges the root function(s) can really access. the plugin is not a click-and-go solution; the only benefit csc gives is reduction of boring uphill work - in most cases output will need manual adjustments to pass the compiler. the plugin always builds a report list highlighting warnings, problems, unsure places, etc.; besides that, doubtful lines are also commented in the source code. code traversal is based on x-refs, not raw operand values, so that mutual linkage of related ranges can be flexibly adjusted by user offsets or the x-refs manager (see below).<br><br>the plugin has 4 components:<br>1. code ripper itself - this is the main component: basic (optionally) recursive deadcode traversal and creating the output source file. additional options and adjustments are available from the startup dialog. most are obvious enough; two run-time features are explained here:<br>* the runtime evaluated addressing resolver is useful for discovering indirect or runtime-evaluated jump/call targets (eg. call dword ptr [edx+08h], jmp eax, etc.): while targets are evaluated and reached at run-time in the host application naturally, they are invisible at export time from deadcode, thus they would not be exported. the resolver takes care of tracing real targets and including them in the output - recommended for images written in an OOP language.<br>* the process data dumper recognizes offsets to the image range and to a known heap block. currently these dynamic block types are recognized: msvc malloc, delphi/cbuilder getmem, bcc malloc, gnu gcc malloc, virtualalloc, stack variables. relaxing the rules for offset recognition may increase the amount of false offsets rapidly. runtime engines can process both standalone executables and dlls on certain conditions (a loader directly executable by createprocess is present, loads the dll at some time and executes the desired code there).<br>2. indirect flow resolver from external debugger (deprecated)<br>3. flirt names matching (a helper for code ripper) - comparing libnames recognized by flirt to real library names is helpful to prevent later linking problems (unmatched names get the library flag removed); works in conjunction with code ripper's 'include library functions' option turned off.<br>4. xrefs manager (plugin call parameter 3) - view/create/remove user links between any two places of the disassembly. two samples of usage: for code ripper to cover code or data ranges not referred to from any of the collected static areas, or to change the anchor point of non-head memory operands (o_mem). |
| Also listed in: | IDA Extensions |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | CodeDoctor |
| ||
|---|---|---|---|---|
| Author: | hnedka | |||
| Website: | N/A | |||
| Current version: | 0.90 | |||
| Last updated: | November 12, 2009 | |||
| Direct D/L link: | see details | |||
| License type: | freeware | |||
| Description: | CodeDoctor is a plugin for Olly and IDA. History: 11.11.2009 - 0.90 - initial public release ________________________________________________________________________________ Functions: 1) Deobfuscate Select instructions in the disasm window and execute this command. It will try to clear junk instructions from the code. Example: Original: 00874372 57 PUSH EDI 00874373 BF 352AAF6A MOV EDI,6AAF2A35 00874378 81E7 0D152A41 AND EDI,412A150D 0087437E 81F7 01002A40 XOR EDI,402A0001 00874384 01FB ADD EBX,EDI 00874386 5F POP EDI Deobfuscated: 00874372 83C3 04 ADD EBX,4 ________________________________________________________ 2) Deobfuscate - Single Step This works like the previous command, but does one transformation at a time _______________________________________________________ 3) Move NOPs to bottom Converts this: 00874396 50 PUSH EAX 00874397 90 NOP 00874398 90 NOP 00874399 52 PUSH EDX 0087439A BA 3F976B00 MOV EDX,somesoft.006B973F to this: 00874396 50 PUSH EAX 00874397 52 PUSH EDX 00874398 BA 3F976B00 MOV EDX,somesoft.006B973F 0087439D 90 NOP 0087439E 90 NOP Limitations: it breaks all jumps and calls pointing inwards ________________________________________________________ 4) Undo / Redo Undo or Redo the last operation (from one of the above functions) ________________________________________________________ 5) Retrieve Jumpy function This will statically parse instructions and follow all jumps. This is useful for situations when the program jumps here and there and here and there... When it encounters some instruction that can't be followed, it stops and copies all parsed instructions to an allocated place in memory.
Use settings to set some parameters: Step over calls - if set, it will step over calls, otherwise it will follow them Step over jccs - ditto, but for Jccs Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET, JMP reg/exp, CALL reg/exp; useful for multi-branch Example: Original: 00874389 /EB 05 JMP SHORT somesoft.00874390 0087438B | |||
| Also listed in: | Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Com helper |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | http://www.sharemation.com/servil/idaplugs/ | |||
| Current version: | 2 | |||
| Last updated: | 2008 | |||
| Direct D/L link: | http://www.sharemation.com/servil/idaplugs/comhelper2-bin.zip | |||
| License type: | Freeware | |||
| Description: | Improved version of DataRescue's com helper plugin. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Conditional Branch Logger |
| ||
|---|---|---|---|---|
| Author: | Blabberer / dELTA / Kayaker | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | June 13, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints. | |||
| Also listed in: | Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CoverIt |
| ||
|---|---|---|---|---|
| Author: | Ilfak Guilfanov | |||
| Website: | http://www.hexblog.com/2006/03/coverage_analyzer.html | |||
| Current version: | 1.0 | |||
| Last updated: | March 27, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A code coverage plugin for IDA Pro. It colors all executed instructions directly inside the IDA GUI, including any collapsed functions containing executed instructions. | |||
| Also listed in: | IDA Extensions, Code Coverage Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Data Ripper |
| ||
|---|---|---|---|---|
| Author: | Ziggy | |||
| Website: | N/A | |||
| Current version: | 1.2 | |||
| Last updated: | January 28, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Rips any kind of data from an app being debugged with OllyDbg. The ripped data can be formatted and "declared" in the syntax of MASM, C/C++ and Delphi. Data Ripper is useful whenever you need to rip data, tables, etc. out of an app so the data can be used in another compiled program. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DeJunk |
| ||
|---|---|---|---|---|
| Author: | flyfancy | |||
| Website: | N/A | |||
| Current version: | ||||
| Last updated: | October 16, 2003 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Find/remove junkcode from packers, customizable. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DebugPlugin |
| ||
|---|---|---|---|---|
| Author: | TBD | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | November 28, 2002 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Loads OllyDbg and breakpoints on load plugin routine. For OllyDbg 1.08b ONLY. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Desquirr - Decompiler Plugin for IDA Pro |
| ||
|---|---|---|---|---|
| Author: | David Eriksson | |||
| Website: | http://desquirr.sourceforge.net/desquirr/ | |||
| Current version: | 20070130 (desquirr-20070130-bin-ida_v5_0.zip) | |||
| Last updated: | November 13, 2003 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Desquirr is a decompiler plugin for IDA Pro. Desquirr currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments. Read the Master Thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf | |||
| Also listed in: | IDA Extensions, Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Dump_all/load_all Set Of Tools For IDA 5.x |
| ||
|---|---|---|---|---|
| Author: | deroko / ARTeam | |||
| Website: | http://arteam.accessroot.com | |||
| Current version: | 1.0 | |||
| Last updated: | September 23, 2008 | |||
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=46 | |||
| License type: | Free | |||
| Description: | A set made of two programs (an IDA plugin and a dumper) useful to analyze dumped memory regions inside IDA. Useful for malware or VMs, for the analysis of dynamically allocated memory code sections (full sources included). dump_all/load_all set of tools by deroko ARTeam. dump_all.exe is a program which will dump all regions of a certain executable into a specified folder. All dumps are stored as r00000000.dmp where 00000000 is the virtual address of a particular memory region. The advice is to always create a new folder for these dumped regions, as load_all will load all of these regions into the IDA database. Just to keep everything organized, and to avoid loading of wrong files, which could occur under some circumstances. load_all.plw is an IDA plugin which will actually load all of these memory regions into the IDA database. The example plugin is compiled with the IDA 5.2 SDK, but you may compile it for other versions too. The plugin will prompt you for a file, so you are free to select any of these .dmp files, and the plugin will load all of them into the database. This could be useful when analyzing malware or some protection with many buffers, for better analysis of a VM, or import protection. This will avoid the need to dump regions manually. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Exception Counter |
| ||
|---|---|---|---|---|
| Author: | ZeetreX | |||
| Website: | N/A | |||
| Current version: | 0.1 | |||
| Last updated: | August 25, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | A plugin to automate the process of unpacking with exceptions. (Count the number of exceptions before the app runs and then pass exceptions n-1 times in next restart) | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ExtraCopy |
| ||
|---|---|---|---|---|
| Author: | Regon | |||
| Website: | N/A | |||
| Current version: | 0.9 | |||
| Last updated: | July 1, 2003 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Copy portions of code inside OllyDbg and to clipboard. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ExtraPass |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | https://www.openrce.org/blog/view/839/An_%22extra_pass%22_for_IDA_Pro | |||
| Current version: | 2.1 | |||
| Last updated: | February 8, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | I made this little IDA plug-in to help working with some Win32 targets that don't disassemble so well. In particular exe's that have a lot of C++ indirections and lots of embedded script stubs. It basically does a few more passes over an IDA code section. Prefers code over data. It can find a lot of missing code, functions, and alignment blocks. Works particularly well on large EXE's where there is a lot of disconnected code from heavy C++ OOP, script binds, etc. Intended for typical Win32, mainly Microsoft compiled binaries. Won't work well (probably for the worse) with Delphi EXE's since those tend to have a lot of mixing of constant data in the ".text" section, but the align and missing function options might be of use still. My 2nd attempt at it, it's simple but it works well. IMHO it's working well now. Really can clean up discombobulated code. [Feb, 8, 2007] 2.1 A lot of improvement! [Nov, 26, 2007] 2.0 version. Now fixes align blocks, and finds missing functions, plus has a UI. [Aug, 28, 2007] New and improved. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Firebug |
| ||
|---|---|---|---|---|
| Author: | Joe Hewitt | |||
| Website: | http://www.getfirebug.com | |||
| Current version: | 1.03 | |||
| Last updated: | April 4, 2007 | |||
| Direct D/L link: | http://www.getfirebug.com/releases/firebug1.0-current.xpi | |||
| License type: | Free / Open Source | |||
| Description: | Firebug integrates with Firefox, to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. Probably the most advanced web/javascript debugger in existence. | |||
| Also listed in: | Javascript Debuggers, Firefox Extensions, Web Application Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | flowinsp |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | http://sharemation.com/servil/idaplugs | |||
| Current version: | 0.977 beta | |||
| Last updated: | 2008 | |||
| Direct D/L link: | http://www.sharemation.com/servil/idaplugs/flowinsp-bin.zip | |||
| License type: | Free | |||
| Description: | --------------------------------------------------------------------------- Runtime-evaluated addressing resolver plugin for Ida Pro by servil version 0.977 beta --------------------------------------------------------------------------- Flow Inspector reveals run-time evaluated call/jump targets (eg. call dword ptr [ecx+1ch], jmp eax, etc), especially suitable for binaries written in high-level language using OOP. Resolving is done in application tracing mode (thus the debuggee is fully run during plugin activity). Flowinsp only runs for Win32-PE targets (due to tracing layer API). It is optional how the caller -> callee pairs are described in idabase (as comments, x-refs, or by renaming o_mem address). | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Fubar |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | http://www.sharemation.com/servil/idaplugs/ | |||
| Current version: | 0.982 beta | |||
| Last updated: | 2008 | |||
| Direct D/L link: | http://www.sharemation.com/servil/idaplugs/fubar-bin.zip | |||
| License type: | Freeware | |||
| Description: | --------------------------------------------------------------------------- fubar plugin v0.982 eternal beta: post-analysis tasks for ida pro by servil supported ida versions: 4.90 and above till API change (tested on 5.2 without backward compatibility enforcement) --------------------------------------------------------------------------- various additional idabase formatting and describing, main units: * resource parser and dereferencer * mfc message map parser * vcl object templates parser * more... see main dialog for available steps, most jobs obvious enough | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | FullDisasm |
| ||
|---|---|---|---|---|
| Author: | BeatriX | |||
| Website: | http://beatrix2004.free.fr | |||
| Current version: | 2.5 | |||
| Last updated: | August 2, 2009 | |||
| Direct D/L link: | http://beatrix2004.free.fr/FullDisasm/FullDisasm_OllyDbg.zip | |||
| License type: | Free | |||
| Description: | This plugin replaces the default OllyDbg disassembly routine with an engine which supports MMX, FPU, SSE, SSE2, SSE3, SSSE3, SSE4.1 and SSE4.2 instructions and undocumented instructions called "aliases". Displays processor support for these technologies. Allows disassembling globally or only on selected lines in Masm, Nasm, GoAsm syntax and AT&T syntax. Available as a plugin for OllyDbg or Immunity Debugger. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Function String Associate |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11748 | |||
| Current version: | ||||
| Last updated: | May 13, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | I thought of this idea the other day based on the observation of "assert()", development, debug text strings, etc., that software developers often leave in programs I want to reverse. As I'm sure others do, I look at these comments to help me determine what a particular function is for (x86 binary targets that is). I thought, wouldn't it be nice to somehow data mine this stuff and automatically put some of it as a function comment? Based on this, what this plug-in does is iterate through every function in IDA and auto-comment every function that has these strings (unless it already has a comment). It applies a little logic to it, to try to put the most relevant strings first. Sort of a proof of concept thing. It's hard to say how useful it is yet. So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it. Of course it only works as well as your target uses such messages mixed in its code. So far on programs I've used it on, the plug-in finds such strings in about 15% of all functions. With source. If you expand on the idea, add helpful modifications, etc., share them please. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | GUID-Finder |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.openrce.org/repositories/users/Sirmabus | |||
| Current version: | 1.0b | |||
| Last updated: | January 17, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A GUID/UUID finding/fixing IDA plug-in. The COM side of RE'ing (at least with "dead listing") can be pretty elusive. With this you can at least partially glean what interfaces and classes a target is using. This plug-in scans the IDB for class and interface GUIDs and creates the matching structure with label. IDA can find these on its own, but it often misses them, so this can fill in the gap. Plus this plug-in allows you to easily add custom declarations, and is handy to do a general audit for such GUIDs. This is based on Frank Boldewin's IDA Python script that you can find here: http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames or off his home page: http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip It's a great utility, I found myself using it regularly. But I wanted one that wasn't dependent on IDA Python, and one that might be a bit faster. I've made some enhancements too (see below). Some interesting reading: http://en.wikipedia.org/wiki/Globally_Unique_Identifier http://en.wikipedia.org/wiki/UUID [How to run it] Just invoke it using your selected IDA hot-key, or from "Edit->Plugins". Normally you will want to keep the "Skip code segments for speed" check box checked, because it can make a big difference in the run time. When unchecked, code segments are also scanned. You'll want to scan the code too if the target is Delphi, or others where data tends to be in the code/.text segment, or if you just want to be more thorough. It might take some time to scan everything depending on the size of the IDB, your computer, etc. When it's done, you should see a list of interfaces and classes in the IDA log window. If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on the line and IDA will jump to it. [How it works] 1. Loads in GUID/UUID defs from the two text files "Interfaces.txt" and "Classes.txt".
A little enhancement here over Frank's format: you can have blank lines and have comments prefixed with '#' (first char, whole line only. Not a very forgiving parser). In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib") to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs plus all the ones to be found in VS2005 libraries along with DirectX 9.1. There could be more explicitly created in header (.h/.hpp) files but I have yet to make a utility to parse them. If you want to add custom GUID defines (from 3rd party software, etc.), just edit these text files manually. 2. After it loads in the defs, the plug-in iterates through all segments in your currently open IDB. By default it will skip code/".text" segments, and import/export segments for speed. Usually you find GUIDs in the ".rdata" and ".data" segments. I originally intended to sort all the GUIDs by similarity and search with partial wild cards for speed. If you take a look at the GUID defs you will see that many GUIDs share common numbers that often differ only by the least significant digits ("Data4"). At least in theory, searching for groups with wild cards should make searching faster. Maybe next version. [Known problems/issues/limitations] 1. If a given GUID 16-byte def just so happens to match something that is not really a GUID, the plug-in will try to convert it to one regardless (another reason not to run it over code sections). So far I have not found this to be much of an issue, although it could be. Could add a confirm dialog for each to let the user decide. 2. Some GUID set operations will fail. This is usually because something is bad/wrong at the particular address; like a partial code def, or an incorrect xref. The plug-in will display most of these errors in the IDA log window for manual correction. 3. TODO: Other GUID types like "DIID", "LIBID", "CATID", useful? | |||
| Also listed in: | COM Debugging Tools, IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Games Invader |
| ||
|---|---|---|---|---|
| Author: | GamingMasteR | |||
| Website: | http://www.tuts4you.com/download.php?view.2148 | |||
| Current version: | 2.1 | |||
| Last updated: | March 1, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | I coded this plugin to help game hackers working on OllyDbg; it allows you to cheat in games with OllyDbg. +Ability to choose memory types to scan. +Ability to determine the scanned memory scope. +Can scan for [Exact values], [Values bigger than x], [Values smaller than x] or [values between x,y]. +Scanning algorithm optimized, now it's much faster than the old version. +Auto update for found values. +Known bugs fixed. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | GoDup |
| ||
|---|---|---|---|---|
| Author: | godfather+ | |||
| Website: | N/A | |||
| Current version: | 1.2 | |||
| Last updated: | August 9, 2004 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA signature loader/map loader/resource viewer/process info. View dialogs, version info and Delphi/BorlandC forms. | |||
| Also listed in: | OllyDbg Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Header Pack Script |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com | |||
| Current version: | 1.0.0.1 | |||
| Last updated: | ||||
| Direct D/L link: | http://ntcore.com/Files/richsign/HeaderPack.cff | |||
| License type: | Freeware/Open | |||
| Description: | This neat little script does the following: -- packs the dos header + PE header + section headers -- removes useless things like the Rich Signature -- removes linker references inside the PE header -- strips the debug information (if any) from the PE -- if it's a .NET, removes Strong Name Signature -- updates checksum The header produced by this script comes, as I said, without DOS stub: I don't think it will be missing in 2008. The most efficient way to use this script is to execute it automatically after every linking. The PE header could be packed even more (for example one could reduce the data directory entries), but this goes beyond what I wanted to do: I just wanted my executables to be garbage clean. | |||
| Also listed in: | CFF Explorer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hex-Rays |
| ||
|---|---|---|---|---|
| Author: | Hex-Rays sprl (Ilfak Guilfanov) | |||
| Website: | http://www.hex-rays.com | |||
| Current version: | 1.0 | |||
| Last updated: | September 17, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial (IDA Pro plugin) | |||
| Description: | Hex-Rays is created by Ilfak Guilfanov, famous author of IDA Pro. It is a commercial IDA Pro plugin, and aims to be the best decompiler ever created. | |||
| Also listed in: | Decompilers, IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hexer Plugin - Calculating the entropy of a file |
| ||
|---|---|---|---|---|
| Author: | Sebastian Porst | |||
| Website: | http://www.the-interweb.com/serendipity/index.php?/archives/99-Sample-Hexer-Plugin-Calculating-the-entropy-of-a-file.html#extended | |||
| Current version: | 1.4.0 | |||
| Last updated: | July 1, 2008 | |||
| Direct D/L link: | http://www.the-interweb.com/serendipity/exit.php?url_id=699&entry_id=107 | |||
| License type: | Free / Open Source | |||
| Description: | I finally got around to writing an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is, the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe. You can download the source file of the plugin here. The archive contains the source file EntropyCalculator.java as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation. At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer. Afterwards the necessary methods of the IStatsPlugin interface are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog.
The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button. That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle. If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked. | |||
| Also listed in: | Entropy Analyzers, Hex Editors, Hexer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hotch |
| ||
|---|---|---|---|---|
| Author: | sp | |||
| Website: | http://www.the-interweb.com/serendipity/index.php?/archives/108-Hotch-1.0.0.html | |||
| Current version: | 1.0.0 | |||
| Last updated: | July 10, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Hotch - named after everyone's favourite TV profiler - is an IDA plugin that can be used to profile binary files. It sets breakpoints on all basic blocks of a program, records breakpoint hits and tries to figure out statistics from these hits. Click here to see an example of a simple profiling session (starting Notepad and exiting Notepad again). Click here to see a huge 6.5 MB results file that shows a larger profiling session (loading a file in Notepad and playing around in it). Random Notes: * "This is really slow for larger files". Yeah, it is really slow in IDA up to 5.2 but Ilfak fixed some things in IDA 5.3 and it works acceptably fast now. So patience, young padawan. * "The timing results don't really make sense". Yeah, I know. Since I execute a callback function after each breakpoint hit, tight loops take a disproportionate amount of time. For anything but tight loops the timing results should kinda work, at least relative to each other of course. * Ignore the source file libida.hpp, it's an early version of my experimental-at-best C++ wrapper library for the IDA SDK. * I take feature requests for Hotch. | |||
| Also listed in: | Code Coverage Tools, IDA Extensions, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA 2 PAT |
| ||
|---|---|---|---|---|
| Author: | J.C. Roberts | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | For the most part, this plugin is an exercise in futility. There are very few valid reasons why anyone should ever want to build signatures of the functions in an existing disassembly. There are better reasons, methods and tools for creating signatures for use with IDA. Most importantly, the right way to create signatures is from object files, object libraries or dynamically linked libraries, so please realize this plugin is nothing more than a kludge since we are asking FLAIR to do something it was not designed to do. ********************************************************************** Option: Create patterns for Non-Auto Named Functions If you find the rare situation where you want to make patterns from functions in an existing database, this option is probably your best bet. It will only create patterns for functions without auto generated names and it will exclude functions marked as libraries (e.g. they were already found and named through other FLAIR signatures). You may want to remove named functions like _main and WinMain from the resulting pattern file, since these will already exist in the disassembly where it's applied. ********************************************************************** Option: Create Patterns for Library Functions Only I did include the ability to build patterns for functions IDA has already marked as libraries. This is for people doing source code recovery/recreation since the pattern file can be further parsed to figure out which header files are needed. There are probably better ways to go about this as well but until I have time to write a specific plugin for figuring out which headers are included, this can give you a step in the right direction. Outside of gathering information on applied library signatures, this feature is pointless since you're building patterns for functions that were previously found with other signatures you already have. 
********************************************************************** Option: Create Patterns for Public Functions Only This could be useful when dealing with a situation where functions were once stored in a DLL and are now statically linked in an executable. It may still be a better bet to build a signature from the DLL and then apply it to the statically linked executable. ********************************************************************** Option: Create Patterns For Everything You generally do NOT want to build patterns for every function in the disassembly. The only place where I can see a legitimate use for creating signatures of every function in the database is if your goal is to see how similar two executables are. Instead of using a hex editor and doing a re-synchronizing binary compare between the two executables, you could use IDA signatures to get a different/better way to visualize the similarities. There are a lot of problems with trying to do this. The first and most obvious problem is reserved name prefixes (e.g. sub_) on auto generated function names. Another cascading problem is of course references to these names within other functions and whether or not to keep these references in the patterns in order to cut down the number of collisions. There are plenty of other problems with this approach that I won't mention but there are quite a few of them. I've hacked together a simple work-around. When the user has selected everything mode, the plugin will prepend the auto generated function names with FAKE_ and references to these sub routines are kept to reduce collisions. This should (in theory) work, since every reference will also have its own public pattern in the resulting file. In other words, the named references will resolve to another (public) function pattern in the file. The problem with this approach is of course having erroneous address numbers in names of functions where the signature is applied (e.g. 
the name FAKE_sub_DEADBEEF could be applied to any address where a matching function is found). My guess why this will work is because a module in a library may have a by-name reference to another object in the library. The pattern file of a library would keep the references, since the names are defined in other pattern lines of the file. Of course I could be wrong but it's worth a shot. If need be, comment out the "sub_" tests in part #7 (references) of make_pattern() to get rid of the refs. ********************************************************************** Option: Create Pattern For User Selected Function This allows the user to select a function from the list and create a pattern for it. It does not work on functions with auto generated names but probably could with a bit more work. ______________________________________________________________________ ********************************************************************** ---------------------------------------------------------------------- LIMITATIONS: * References and tail bytes are only used by sigmake to resolve collisions. Auto generated names with reserved prefixes "loc_" "byte_" "dword_" are not going to be repeatable in the binary where you would apply the resulting signature. If those references were kept and used to resolve a collision, you'd end up with a useless signature that would not be applied because those names do not exist in the executable where the resulting signature is being applied. * Reference offsets that are greater than 0x8000 bytes from the function start may make this plugin explode or, more likely, just make unusable patterns. * All references are assumed to be 4 bytes long. This will cause some problems for situations (e.g. processors) where this is not true. 
______________________________________________________________________ ********************************************************************** ---------------------------------------------------------------------- TODO: * Error checking for reference offsets > 0x8000 * Change reference length from being fixed at 4 bytes. * Create "append" versus "overwrite" dialog. * Deal with the user choosing a function with an auto generated name in the "Single Function" mode. ______________________________________________________________________ ********************************************************************** ---------------------------------------------------------------------- DEVELOPMENT: I did this in MSVC++ v6. There are two projects in the workspace. One is for the plugin and the other for IDAG.EXE so we can debug the plugin once IDA loads it, e.g. start the plugin and break at the choose file dialog. In the list of modules, you'll find "run()" and other functions from the plugin. Depending on where you install IDA, you'll need to adjust where the plugin is written. I've got output set to "C:\IDA\PLUGINS\IDB2PAT.plw" The same is true for the location of the SDK and such. When it's set to build the debug version, there will be a lot of warnings due to info truncation of debug symbols. It's not a big deal. | |||
| Also listed in: | IDA Signature Creation Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Free 4.9 SDK Library Patch |
| ||
|---|---|---|---|---|
| Author: | xtc | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=10756 | |||
| Current version: | 0.1 | |||
| Last updated: | November 7, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This package is for patching the Visual C++ libraries of the IDA 4.9 SDK to work with the free version. The included patchlib program serves two purposes: 1) Remap the export ordinals to match the free version of ida.wll. 2) Ensure that names are not used when importing from the library. To facilitate the remapping, patchlib needs two files, ida.wll.exports and ida.wll.names. ida.wll.exports contains a list of remapped ordinals and undecorated symbol names. ida.wll.names contains a list of decorated symbols. With the patched library you can build loaders and plugins. Processor modules are blocked by the free version. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Inject |
| ||
|---|---|---|---|---|
| Author: | Jan Newger | |||
| Website: | http://newgre.net/idainject | |||
| Current version: | 1.0.3 | |||
| Last updated: | July 18, 2008 | |||
| Direct D/L link: | http://newgre.net/system/files/IDAInject.rar | |||
| License type: | Free / Open Source | |||
| Description: | This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process. To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question. In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path. | |||
| Also listed in: | Code Injection Tools, IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Plugin Depack APlib And LZMA |
| ||
|---|---|---|---|---|
| Author: | deroko / ARTeam | |||
| Website: | http://arteam.accessroot.com | |||
| Current version: | 1.0 | |||
| Last updated: | September 23, 2008 | |||
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=45 | |||
| License type: | Free | |||
| Description: | A plugin for IDA 5.2 and later, to decompress aPLib or LZMA packed data in your target when analyzing with IDA. The plugin supports aPLib, which is quite common in malware, but there's also support for Packman LZMA compression, even if this one is very rare. Run the plugin by pressing CTRL+9 and you will be prompted with a window for unpacking, or simply go to Edit->Plugins->aplib depack. Full C sources are included as well. See the readme.txt for further details and instructions. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Stealth |
| ||
|---|---|---|---|---|
| Author: | Jan Newger | |||
| Website: | http://newgre.net/idastealth | |||
| Current version: | 1.1 | |||
| Last updated: | November 15, 2009 | |||
| Direct D/L link: | http://newgre.net/system/files/idastealth.rar | |||
| License type: | Free / Open Source | |||
| Description: | IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process. | |||
| Also listed in: | IDA Extensions, Tool Hiding Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA2PAT Reloaded |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11916 | |||
| Current version: | 1.0B | |||
| Last updated: | July 19, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | An IDA Pro 5.xx plug-in to generate a pattern file. You've probably seen one or more of the different variants of this plug-in: "ida2sig", "ida2pat", etc. We want to create a pattern (".pat") file to assemble a FLIRT signature file (".sig"), using the FLAIR utility "sigmake.exe". This will allow one to apply these sigs to help port updates, etc. I had preferred TQN's "ida2sig" version since it was the fastest (see below) I could find. But it had the same problems as the previous version. And I wanted to make a build I could update with the latest FLAIR lib, etc. [How to run it] 1. Invoke it using your selected IDA hot-key or from "Edit->Plugins". 2. Select the destination ".pat" file. 3. After it is done, convert your pattern file into a signature file using "sigmake.exe". [Design & Outstanding issues] There are zero options; the assumption is you want to save only, and all, function names that are not autogenerated. That is, for the most part, all functions that are not "sub_69B470" and "unknown_libname_228". There are unfortunately ambiguities and errors using function name flags like "pFunc->flags & FUNC_LIB", "is_public_name()", "dummy_name_ea()", etc., to determine what is a library, public, etc., function. Biggest hurdle, consider this: You do your RE work, you rename some functions with a name that makes sense to you; or you just rename it specifically so you can come back to it later using a custom sig, etc. Maybe all is well on the first time because IDA will see it as a user function and thus traditional IDA2PAT will create a pattern for it. But next time, after an update, etc., you apply the sig. It is no longer a "user function"; IDA marks it as a library, or worse, as autogenerated. Don't like this. We want to be able to apply a sig, work on the DB, rename some functions with better fitting names as my understanding grows, etc., then create new patterns and not have name collisions, etc. 
AFAIK there is no solid way to determine what is "autogenerated", "user-generated" or otherwise, using the stock IDA SDK functions. What "IDA2PAT Reloaded" does is solely rely on function name patterns instead. It simply rejects functions that start with "sub_..", "unknown_libname_..", or that start with the characters '$', '@', '?', and '_', etc. This will be a problem if you intentionally use something like "sub_MyFunction", or "unknown_libname_MyFunction", etc., as your naming convention. This design assumes IDA is set up to display autogenerated function names as "sub_xxxxxx", etc., in the defaults. Speed: TQN's version was definitely faster than others; he replaced the file streaming "qfprintf()" with a very large buffer, then saved the buffer at the end. The real issue was a single "qflush()" call after each pattern create in Quine's original code. FYI, a file "flush" causes the OS to flush its write cache, causing a file performance hit. As a baseline, just iterating through around 100k functions (with zero processing) takes ~12 seconds on my machine on average. Thus, any processing on top of that is just additive. IDA2PAT-Reloaded only adds ~3 seconds to the baseline on a modern machine. | |||
| Also listed in: | IDA Signature Creation Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
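
The IDB2PAT and IDA2PAT Reloaded entries above both describe the same job: turning function bytes from a database into FLAIR ".pat" records that sigmake.exe can assemble into a ".sig". The following is an added example and not code from either plugin; it builds pattern lines offline from raw bytes, using the CRC16 that the idb2pat family of tools uses, the name-pattern filter IDA2PAT Reloaded describes (reject "sub_", "unknown_libname_" and names starting with '$', '@', '?', '_'), and the FAKE_ renaming IDB2PAT applies in its "everything" mode. The sample function bytes, relocation offsets and symbol names in SAMPLE_FUNCS are constructed for illustration, not taken from a real binary.

```python
# Added example (not code from IDB2PAT or IDA2PAT Reloaded): builds FLAIR
# ".pat" lines offline from raw function bytes, applying the name filter
# IDA2PAT Reloaded describes and the FAKE_ renaming IDB2PAT uses in its
# "everything" mode.  SAMPLE_FUNCS below is constructed input, not a real
# binary; offsets and symbol names in it are invented for illustration.

POLY = 0x8408      # reflected CRC-16 polynomial used by the idb2pat tools
PAT_HEAD = 32      # leading bytes written out as a hex/'..' pattern
CRC_MAX = 0xFF     # the CRC byte count is stored as two hex digits


def crc16(data: bytes) -> int:
    """CRC16 in the form idb2pat's crc16() computes it: bit-reflected
    CRC-16, init 0xFFFF, final complement, result byte-swapped; 0 for
    no data."""
    if not data:
        return 0
    crc = 0xFFFF
    for byte in data:
        for _ in range(8):
            crc = (crc >> 1) ^ POLY if (crc ^ byte) & 1 else crc >> 1
            byte >>= 1
    crc = ~crc & 0xFFFF
    return ((crc << 8) | (crc >> 8)) & 0xFFFF


def is_dummy(name: str) -> bool:
    """IDA dummy function names (assumes the default sub_XXXX style)."""
    return name.startswith(("sub_", "unknown_libname_"))


def is_autogenerated(name: str) -> bool:
    """Name-pattern test from IDA2PAT Reloaded: reject dummy names and
    names beginning with '$', '@', '?' or '_' (compiler-decorated)."""
    return is_dummy(name) or not name or name[0] in "$@?_"


def pat_line(name, code, variable=(), refs=()):
    """One .pat record: <pattern> <crc len> <crc16> <total len> :0000 name
    [^off ref ...] [tail bytes].  'variable' lists offsets of bytes the
    linker fixes up (written as '..'); 'refs' are (offset, symbol) pairs."""
    var = set(variable)

    def hexpat(start, stop):
        return "".join(".." if i in var else f"{code[i]:02X}"
                       for i in range(start, min(stop, len(code))))

    head = hexpat(0, PAT_HEAD).ljust(PAT_HEAD * 2, ".")
    # The CRC covers the bytes after the head up to the first variable
    # byte or CRC_MAX bytes, whichever comes first.
    end = PAT_HEAD
    while end < len(code) and end - PAT_HEAD < CRC_MAX and end not in var:
        end += 1
    fields = [head, f"{end - PAT_HEAD:02X}", f"{crc16(code[PAT_HEAD:end]):04X}",
              f"{len(code):04X}", f":0000 {name}"]
    fields += [f"^{off:04X} {sym}" for off, sym in sorted(refs)]
    tail = hexpat(end, len(code))       # bytes past the CRC region
    if tail:
        fields.append(tail)
    return " ".join(fields)


def pat_file(functions, everything=False):
    """Emit .pat text for (name, code, variable, refs) tuples.  By default
    only user-named functions are kept; everything=True mimics IDB2PAT's
    "everything" mode by keeping dummy names under a FAKE_ prefix."""
    def rename(sym):
        return "FAKE_" + sym if everything and is_dummy(sym) else sym

    lines = []
    for name, code, variable, refs in functions:
        if is_autogenerated(name) and not (everything and is_dummy(name)):
            continue
        refs = [(off, rename(sym)) for off, sym in refs]
        lines.append(pat_line(rename(name), code, variable, refs))
    lines.append("---")                 # sigmake's end-of-file marker
    return "\n".join(lines) + "\n"


# Constructed sample: a 49-byte x86 function whose call rel32 (offsets
# 0x13..0x16) and absolute data address (0x24..0x27) are relocations, plus
# a three-byte dummy-named function.
SAMPLE_CODE = bytes.fromhex(
    "558BEC83EC105356578B7D088B750C33DB57E8" "00000000"   # ... call _strcmp
    "83C40485C07405BB01000000A1" "00000000"               # mov eax,[g_LicenseTable]
    "8BC35F5E5B8BE55DC3")                                 # epilogue, ret
SAMPLE_FUNCS = [
    ("MyCheckLicense", SAMPLE_CODE,
     [*range(0x13, 0x17), *range(0x24, 0x28)],
     [(0x13, "_strcmp"), (0x24, "g_LicenseTable")]),
    ("sub_401C30", bytes.fromhex("33C0C3"), [], []),     # xor eax,eax ; ret
]

if __name__ == "__main__":
    print(pat_file(SAMPLE_FUNCS, everything=True))
```

Run it and feed the output to sigmake.exe to see the collision handling the two entries discuss: the relocated bytes become ".." in the 32-byte head, the CRC region stops at the first variable byte (so here it covers only four bytes), and the symbol references and tail bytes are what sigmake falls back on when two heads collide. Dummy names are dropped unless everything=True, in which case they are emitted under FAKE_ just as IDB2PAT describes, with the address-bearing name problem that entry warns about.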
| Tool name: | IDA2SICE |
| ||
|---|---|---|---|---|
| Author: | Mostek | |||
| Website: | http://mostek.subcultural.com | |||
| Current version: | 4.09 | |||
| Last updated: | October 30, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA to SoftIce is an IDA plugin which loads IDA symbols into SoftIce. It can export them as an nms file too. To get the latest version go to the News page. I started the project in May 2000 and it took me almost 9 months to reverse everything needed to make the plugin (well, around 4 months of real work). The main reason for the plugin was that at that time you could only see global procedures and variables. And because there were no local variables in SIce, reversing was really a pain in the .... So this plugin solves that. :) Some info: Currently PE and LE file types are supported. Use the map2sice utility for all other types (included in the package). One of the nicest features of the plugin is that you can see structures in SIce. E.g.: in IDA you set a local/global structure and when in SIce you can use the command '? myStructure' or '? myStructure.element.element', ..... The plugin supports structure (union) in structure (union). | |||
| Also listed in: | IDA Extensions, SoftICE Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDAAPIHelp |
| ||
|---|---|---|---|---|
| Author: | Frank Boldewin | |||
| Website: | http://www.reconstructer.org | |||
| Current version: | 0.3 | |||
| Last updated: | October 17, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDAAPIHelp is a small IDAPython script, that saves time when searching for API Information while e.g. analyzing a malware with IDA Pro. It looks at cursor position for a valid api call and if found it tries to show you the eligible API Info from the provided helpfile. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDAPerl |
| ||
|---|---|---|---|---|
| Author: | Willem Jan Hengeveld | |||
| Website: | http://www.xs4all.nl/~itsme/projects/idcperl | |||
| Current version: | 0.3 | |||
| Last updated: | May 12, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | IDAPerl is a plugin for IDA Pro which adds Perl scripting support. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Immunity Debugger |
| ||
|---|---|---|---|---|
| Author: | Immunity Inc / Oleh Yuschuk | |||
| Website: | http://debugger.immunityinc.com | |||
| Current version: | 1.6 | |||
| Last updated: | March 27, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Immunity Debugger is based on OllyDbg. Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. * A debugger with functionality designed specifically for the security industry * Cuts exploit development time by 50% * Simple, understandable interfaces * Robust and powerful scripting language for automating intelligent debugging * Lightweight and fast debugging to prevent corruption during complex analysis * Connectivity to fuzzers and exploit development tools | |||
| Also listed in: | OllyDbg Custom Versions, Ring 3 Debuggers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | MFC42Ord2FuncNames |
| ||
|---|---|---|---|---|
| Author: | Frank Boldewin | |||
| Website: | http://www.reconstructer.org | |||
| Current version: | ||||
| Last updated: | June 03, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 ordinal imports to their real function names. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | mIDA |
| ||
|---|---|---|---|---|
| Author: | Tenable Network Security | |||
| Website: | http://cgi.tenablesecurity.com/tenable/mida.php | |||
| Current version: | 1.0.10 | |||
| Last updated: | October 21, 2008 | |||
| Direct D/L link: | http://cgi.tenablesecurity.com/tenable/dl.php?p=mIDA-1.0.8.zip | |||
| License type: | Free | |||
| Description: | mIDA is a plugin for the IDA disassembler that can extract RPC interfaces from a binary file and recreate the associated IDL definition. mIDA is free and fully integrates with the latest version of IDA (5.0). This plugin can be used to : * Navigate to RPC functions in IDA * Analyze RPC function arguments * Understand RPC structures * Reconstruct an IDL definition file The IDL code generated by mIDA can be, most of the time, recompiled with the MIDL compiler from Microsoft (midl.exe). | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Mapgen |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | http://www.sharemation.com/servil/idaplugs/ | |||
| Current version: | 0.985 beta | |||
| Last updated: | 2008 | |||
| Direct D/L link: | http://www.sharemation.com/servil/idaplugs/mapgen-bin.zip | |||
| License type: | Freeware | |||
| Description: | --------------------------------------------------------------------------- map file exporter plugin for ida pro by servil version 0.985 beta --------------------------------------------------------------------------- the plugin extends mapfile generating to export better information into ollydbg. exported files can be processed by modified mapconv plugin included in this archive. features: - imports comments as comments and labels as labels - all segments - relocated images (dlls) taken into account - extended by exporting local variables, enums, struct offsets, register variables and forced operands source code: http://sharemation.com/servil/idaplugs/mapgen-src.zip | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | OllyDbg (OllyICE Modification) |
| ||
|---|---|---|---|---|
| Author: | Hacnho | |||
| Website: | N/A | |||
| Current version: | 1.10.0 | |||
| Last updated: | August 27, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This is the final OllyDbg release from Hacnho, a further enhanced version of his OllyDbg Hacnho modification. It includes all the bug fixes from his original Hacnho build. It is also protected using the Themida 1.xx ring-0 engine to help hide the debugger from detection. Be warned that it runs quite slowly because of this, and it is not very compatible with certain operating systems (WinXP SP2) and applications such as anti-virus tools. Blue Screens of Death (BSODs) are quite common with this Olly. | |||
| Also listed in: | OllyDbg Custom Versions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | OllyDbg (Shadow Modification) |
| ||
|---|---|---|---|---|
| Author: | Shadow | |||
| Website: | N/A | |||
| Current version: | 1.10.0 | |||
| Last updated: | August 27, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Apart from a couple of aesthetic modifications Shadow's Olly modification has quite a few bug fixes and changes. Not much is known about exactly what changes have been made but it is regarded as being one of the better modified OllyDbg versions available. Known to be well-hidden. | |||
| Also listed in: | OllyDbg Custom Versions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Ordinal imports/exports resolver |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | http://www.sharemation.com/servil/idaplugs/ | |||
| Current version: | 1 | |||
| Last updated: | 2008 | |||
| Direct D/L link: | http://www.sharemation.com/servil/idaplugs/impbyord-bin.zip | |||
| License type: | Freeware | |||
| Description: | Name says all? | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PDB |
| ||
|---|---|---|---|---|
| Author: | Servil | |||
| Website: | http://www.sharemation.com/servil/idaplugs/ | |||
| Current version: | ? | |||
| Last updated: | 2008 | |||
| Direct D/L link: | http://www.sharemation.com/servil/idaplugs/pdb.zip | |||
| License type: | Freeware | |||
| Description: | This is yet another extension built on the original Datarescue's PDB plugin. Main enhancements over the original plugin: * Integrates the advantages of the Microsoft Debug Interface Access (DIA) SDK. The interface provided by DIA offers a more complete description of the executable than the DbgHelp (ImageHlp) API. If the DIA server is not installed, DbgHelp's engine is used (use the newest version possible to achieve the best results). * Preserved name mangling on public symbols (ida still shows a C prototype where full ida typeinfo can't be successfully set). * Replication of complex types (struct, enum) and typedefs from PDB. * Scoped UDT members handled (inherited members and nested typedefs, structs and enums). * Exact format to static data symbols and static struct members, forced code at function start (extern symbols format preserved). * Full ida typeinfo to static symbols and struct members. * Names, exact format and full ida typeinfo to function arguments and local symbols stored at frame, recursive traversal of all nested sub-blocks of a function (with DIA only). Supported (both top and bottom) ebp- and esp-based frame models; support for register variables and params was removed during testing (see known problems and anomalies/#3). * Source lines import to idabase where the file is accessible (as anterior lines). * Foreign program databases support for importing data types only. Selective filtering of unwanted types is offered before own storage. For this feature call the plugin with argument 2 (use an IDC command or edit plugins.cfg for that). * Lots of minor adjustments not worth mentioning. * No UI (lazy) - always apply all features. Source code included. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PE Validator Script |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/ | |||
| Current version: | 1.0.0.1 | |||
| Last updated: | ||||
| Direct D/L link: | http://ntcore.com/Files/PEValidator.cff | |||
| License type: | Freeware/Open | |||
| Description: | A simple script for the CFF Explorer which detects some of the most common PE integrity problems. Some of the things checked by this script: -- check CRC32 (useful for drivers) -- check number of rva and sizes -- check image size -- check sections -- check that EP is valid -- check that EP is in code -- check that the EP section is executable -- check data directories RVAs -- check whether the API IsDebuggerPresent is imported | |||
| Also listed in: | CFF Explorer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
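
The check list in the PE Validator Script entry above is a useful baseline for triaging a dumped or rebuilt executable before loading it anywhere. The block below is an added example, not the CFF Explorer script itself; it implements the same kinds of checks in Python (CheckSum, NumberOfRvaAndSizes against SizeOfOptionalHeader, data directory RVAs inside the image, section raw data inside the file, SizeOfImage large enough, entry point inside a code section that is executable) over a constructed minimal PE32 that build_sample_pe() emits. The IsDebuggerPresent import check is left out because the sample has no import table, and only PE32 optional headers are handled; the file layout, section name and entry code are invented for the test.

```python
# Added example, not the PE Validator Script itself: the same kinds of PE
# header sanity checks written in Python over a constructed minimal PE32.
# The import-table check for IsDebuggerPresent is left out; build_sample_pe()
# emits an invented file, not a real binary.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIRECTORY_NAMES = ["export", "import", "resource", "exception", "security",
                   "basereloc", "debug", "architecture", "globalptr", "tls",
                   "load_config", "bound_import", "iat", "delay_import",
                   "com_descriptor", "reserved"]


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE CheckSum: fold the file as little-endian dwords (skipping the
    CheckSum field itself) down to 16 bits, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def validate_pe(data: bytes) -> list:
    """Return the list of integrity problems found (empty means clean)."""
    def u16(off): return struct.unpack_from("<H", data, off)[0]
    def u32(off): return struct.unpack_from("<I", data, off)[0]
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ file"]
    pe = u32(0x3C)
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return ["bad e_lfanew or PE signature"]
    nsect, opt_size, opt = u16(pe + 6), u16(pe + 20), pe + 24
    if opt + opt_size > len(data) or u16(opt) != 0x10B:
        return ["truncated optional header or not PE32"]
    entry, sect_align = u32(opt + 16), u32(opt + 32)
    size_of_image, checksum, ndirs = u32(opt + 56), u32(opt + 64), u32(opt + 92)
    problems = []
    if ndirs > 16 or 96 + ndirs * 8 > opt_size:
        problems.append(f"NumberOfRvaAndSizes {ndirs} does not fit SizeOfOptionalHeader {opt_size}")
        ndirs = min(ndirs, 16, max(0, (opt_size - 96) // 8))
    for i in range(ndirs):                      # every directory must lie inside the image
        rva, size = u32(opt + 96 + i * 8), u32(opt + 100 + i * 8)
        if rva and rva + size > size_of_image:
            problems.append(f"{DIRECTORY_NAMES[i]} directory {rva:#x}+{size:#x} lies outside the image")
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        if hdr + 40 > len(data):
            problems.append(f"section header {i} beyond end of file")
            break
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, raw = u32(hdr + 8), u32(hdr + 12), u32(hdr + 16), u32(hdr + 20)
        if raw + rsize > len(data):
            problems.append(f"section {name} raw data {raw:#x}+{rsize:#x} beyond end of file")
        sections.append((name, va, max(vsize, rsize), u32(hdr + 36)))
    if sections:
        _, va, vsize, _ = max(sections, key=lambda s: s[1])
        need = -(-(va + vsize) // sect_align) * sect_align       # round up to SectionAlignment
        if size_of_image < need:
            problems.append(f"SizeOfImage {size_of_image:#x} smaller than the {need:#x} the sections need")
    holder = [s for s in sections if s[1] <= entry < s[1] + s[2]]
    if entry == 0 or not holder:
        problems.append(f"entry point {entry:#x} is not inside any section")
    else:
        name, _, _, chars = holder[0]
        if not chars & IMAGE_SCN_CNT_CODE:
            problems.append(f"entry point lies in non-code section {name}")
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            problems.append(f"entry point section {name} is not executable")
    if checksum == 0:
        problems.append("CheckSum not set (drivers must carry a valid one)")
    elif checksum != pe_checksum(data, opt + 64):
        problems.append(f"CheckSum {checksum:#x} != computed {pe_checksum(data, opt + 64):#x}")
    return problems


def build_sample_pe(entry_rva=0x1000, section_chars=0x60000020, set_checksum=True) -> bytes:
    """Constructed minimal PE32 (one .text section, no imports) for testing."""
    pe_off, sect_align, file_align = 0x40, 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0,                      # PE32 magic, linker version
                      0x200, 0, 0,                       # code/init/uninit sizes
                      entry_rva, 0x1000, 0x2000,         # EP, BaseOfCode, BaseOfData
                      0x400000, sect_align, file_align,
                      4, 0, 0, 0, 4, 0,                  # OS/image/subsystem versions
                      0, 0x2000, 0x200, 0,               # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                              # Subsystem GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                   # 16 empty data directories
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, section_chars)
    image = bytearray((dos + b"PE\0\0" + coff + opt + text).ljust(0x200, b"\0")
                      + b"\x33\xC0\xC3".ljust(0x200, b"\xCC"))   # xor eax,eax ; ret
    if set_checksum:
        off = pe_off + 24 + 64
        struct.pack_into("<I", image, off, pe_checksum(bytes(image), off))
    return bytes(image)
```

Two caveats a practitioner should keep in mind when applying such checks to a dumped process: a zero CheckSum is normal for user-mode executables (the loader only enforces it for drivers and a few system binaries), so report it rather than treat it as tampering, and a dump's section raw sizes are usually rewritten to their virtual sizes, so the "raw data beyond end of file" test is the one most likely to fire on an incompletely rebuilt dump.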
| Tool name: | PESpin ImpREC Plugin |
| ||
|---|---|---|---|---|
| Author: | tnagareshwar | |||
| Website: | http://www.securityxploded.com/pespinplugin.php | |||
| Current version: | 1.0 | |||
| Last updated: | June 17, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | ImpREC plugin for PESpin 1.3 & 1.304. Including full source, AND tutorial on how to write your own ImpREC plugins! | |||
| Also listed in: | ImpREC Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ProcessStalker GDL Viewer |
| ||
|---|---|---|---|---|
| Author: | AmesianX | |||
| Website: | https://www.openrce.org/forums/posts/707 | |||
| Current version: | 1.0 | |||
| Last updated: | January 28, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | A GUI plugin for bringing up the GDL graphs of ProcessStalker directly inside IDA Pro. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | QuickUnpack CFF Explorer Extension |
| ||
|---|---|---|---|---|
| Author: | Shub-nigurrath | |||
| Website: | http://arteam.accessroot.com/releases.html | |||
| Current version: | 1.0 | |||
| Last updated: | January 24, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Extension for CFF Explorer. This is an adaptation of the already released QuickUnpack DLL (http://www.woodmann.com/collaborative/tools/index.php/QuickUnpack_DLL), which is in turn based on the original QUnpack sources (by FEUERRADER of AHTeam). | |||
| Also listed in: | CFF Explorer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Resource Tweaker |
| ||
|---|---|---|---|---|
| Author: | Daniel Pistelli | |||
| Website: | http://ntcore.com/restweaker.php | |||
| Current version: | 1.0.0.1 | |||
| Last updated: | ||||
| Direct D/L link: | http://ntcore.com/Files/ResourceTweaker.zip | |||
| License type: | Freeware | |||
| Description: | Resource Tweaker is an extension for the CFF Explorer, which makes it possible for older resource editors such as Resource Hacker to edit PE64 files (you can edit all non-x86 PEs). Win32 resources haven't changed much (what changed are bitmaps, icons, cursors which can be edited with the CFF Explorer), although the PE format has. It doesn't make much sense to reinvent the wheel, since, through this extension, you can keep using your favourite resource editor. This extension works 100%. | |||
| Also listed in: | CFF Explorer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Reveal Imports |
| ||
|---|---|---|---|---|
| Author: | ZaiRoN | |||
| Website: | http://zairon.wordpress.com/2008/11/04/ida-plugin-reveal-imports/ | |||
| Current version: | 1.0 | |||
| Last updated: | November 4, 2008 | |||
| Direct D/L link: | http://www.box.net/shared/static/pbm0okvb86.zip | |||
| License type: | Free | |||
| Description: | The plugin reveals the imports of a dumped process. It will come in handy when you need to analyze a dump without rebuilding the file using an external tool. Usage: put the plugin inside the IDA plugin directory and hit ALT+Z to run it. Here is a screenshot. As you can see, the plugin creates a new window filled with the revealed imports. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | SiDAg |
| ||
|---|---|---|---|---|
| Author: | Zool@nder | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | August 31, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This is a GUI tool that helps beginners make IDA signatures from OBJ files/libraries and PAT files. | |||
| Also listed in: | IDA Signature Creation Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Ultimate Aspacker Unpacker |
| ||
|---|---|---|---|---|
| Author: | Pnluck | |||
| Website: | http://pnluck.netsons.org/ | |||
| Current version: | ||||
| Last updated: | ||||
| Direct D/L link: | http://pnluck.netsons.org/soft/UAU.rar | |||
| License type: | Openware / Freeware | |||
| Description: | The Ultimate Aspacker Unpacker is an Aspack 2.12 offline unpacker extension for the CFF Explorer which supports any kind of PE file. | |||
| Also listed in: | CFF Explorer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | VtablesStructuresFromPSDK2003R2 |
| ||
|---|---|---|---|---|
| Author: | Frank Boldewin | |||
| Website: | http://www.reconstructer.org | |||
| Current version: | ||||
| Last updated: | July 16, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This small IDAPython script includes all vtable structures that can be found in the files of the Microsoft PSDK 2003-R2. After running the script in IDA it adds these vtable structures to an IDB file. This will save time while reconstructing COM code. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Zaesars heap plugin |
| ||
|---|---|---|---|---|
| Author: | Zaesar | |||
| Website: | http://www.deneke.biz/obsidian | |||
| Current version: | ||||
| Last updated: | October 21, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Heap plugin for the Obsidian non-intrusive debugger, helpful if you are manipulating the heap structures etc. PS. Don't mind the dirty way in which this module was put into a dll. It was received before the plugin interface was available, and "ported" making as few changes as possible when the plugin system was published. | |||
| Also listed in: | Obsidian Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Subcategories
There are 12 subcategories to this category.