From Collaborative RCE Tool Library
Tracers
| Tool name: | radare |
| ||
|---|---|---|---|---|
| Author: | pancake | |||
| Website: | http://radare.nopcode.org | |||
| Current version: | 0.9.9 | |||
| Last updated: | September 2, 2008 | |||
| Direct D/L link: | http://radare.nopcode.org/get/radare-0.9.9.tar.gz | |||
| License type: | GPL | |||
| Description: | The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc. The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls. The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary. The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java. The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so). The debugger is mainly developed on linux and {Net|Free|Open}BSD on 32 and 64 bits on Intel x86 but it has support for linux-ARM, linux-MIPS, and Windows support is in mind too. Latest work on the debugger makes aims to make it work on MacOSX and Solaris/OpenSolaris for sparc, powerpc and intel. But there are IO plugins for debugging windows and DOS applications via wine and dosemu. Initial gxemul support gives us the possibility to also debug ARM, MIPS, SPARC, .. binaries. There are some internal commands to handle memory maps, mount a syscall proxy, inject code, patch data, dump user data sections, step-back, syscall tracing, hardware DRx register manipulation, conditional watchpoints with expressions, signalling manipulation, syscall injection and very early threading support.. Data structures can be parsed with hand-written C programs called as extensions from radare. So the hexadecimal editor comes with a set of views for different bases and print formats like URL-encoding, binary, octal, shellcode, C string-like, which is really useful for developing shellcodes. Python, LUA and perl scripting facilities with an API to manage the core, the debugger, code analysis, tracing facilities, handle metadata, etc.. There's a minimal GUI frontend written in C that interacts directly with an VTE running radare. But I plan to write a new native frontend written in Vala. Current development plugins are: * ewf: EnCase (R) forensic disk images and more * malloc: anonymous memory buffers * mmap: mapping files on memory * shm: shared memory access * socket: socket stream access * winedbg: WineDebugger interface ( winedbg://./program.exe ) * haret: Remotely read WindowsCE memory ( haret://host:port ) * ptrace: Debugs or attach to a process ( dbg://file or pid://PID ) * sysproxy: Connects to a remote syscallproxy server * remote: TCP IO ( listen://:port or connect://host:port ) * gdb: Debugs or attach to a process using gdb (gdb://file, gdb://PID, gdb://host:port) * w32: posix to native w32 api io * posix: plain posix file access The tools provided around the core are: * radare: command line hexadecimal editor with IO plugin extensions * rabin: get info from ELF/MZ/PE/MACHO/CLASS files * rasc: shellcode generator and tester (outputs in raw, hexpairs or C) * rasm: in line assembler/disassembler for multiple archs * radiff: binary diffing utilities for raw files, binaries, data blocks, etc * xrefs: find crossed references on raw images for ppc, arm and x86 * hasher: calculate different algorithms over data blocks of a file or stream * rsc: command line helpers written in shellscript or perl * javasm: minimalistic java assembler/disassembler/classdumper * xc: cmdline multiple radix numeric conversor FMI see the mailing list Have fun! | |||
| Also listed in: | .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CFSearch |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11306&page=2 | |||
| Current version: | 1.0A | |||
| Last updated: | February 15, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Extremely cool tracer tool that makes use of the "single step on branch", LBR ("last branch recording") features of current processors. Not released yet, but we're awaiting it with great anticipation! | |||
| Also listed in: | Code Coverage Tools, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Conditional Branch Logger |
| ||
|---|---|---|---|---|
| Author: | Blabberer / dELTA / Kayaker | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | June13, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints. | |||
| Also listed in: | Code Coverage Tools, OllyDbg Extensions, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | DotNET Tracer |
| ||
|---|---|---|---|---|
| Author: | Kurapica | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11859 | |||
| Current version: | 0.3 | |||
| Last updated: | June 30, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This is a simple tool that has a similar functionality to RegMon or FileMon but it's designed to trace events in .NET assemblies in runtime, many events can be reported so you can understand what's going on in the background. 1- Select the assembly you want to analyze 2- Set the Events Mask, i.e Events you want to catch 3- Click "Start" I hope it's useful and as always bug reports are welcome. | |||
| Also listed in: | .NET Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Dream of every reverser |
| ||
|---|---|---|---|---|
| Author: | deroko of ARTeam | |||
| Website: | http://deroko.phearless.org | |||
| Current version: | public | |||
| Last updated: | May 6, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Engine used to perfrom stealth memory trace of a target. Public version only supports tracing of the eip in certain range. To compile source you will need DDK. It supports MP and win2k/winxp. Systems running KAV are not supported as KAV installs hook in SwapContext which is essential for this tracer. Technical aspects: 1. Hooks int 0e and int 01 2. Hooks SwapContext 3. Installs ProcessNotifyRoutine Due to the nature of paged memory in r3, there are 2 ways of tracing: using U/S flag, and using P bit in PTE. Both cases are handled and supports PAE and nonPAE addressing modes. Role of SwapContext is to set breaks on given range when traced process is about to execute. Role of notify routine is to stop tracer if traced program exits by any chance during tracing. When good range is hit, tracer will automaticaly stop and you will see in DebugView or DbgMon when EIP is in good range. | |||
| Also listed in: | Technical PoC Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ERESI Framework |
| ||
|---|---|---|---|---|
| Author: | The ERESI Project | |||
| Website: | http://www.eresi-project.org | |||
| Current version: | 0.8a23 | |||
| Last updated: | November 30, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS. ERESI is a general purpose hybrid framework : it includes both static analysis and runtime analysis capabilities. These features are accessed by primitives of the ERESI reverse engineering language which makes the framework more adaptable to the precise needs of her users. It brings an environment of choice for program analysis throught instrumentation, debugging, and tracing as it also provides more than ten exclusive major built-in features . ERESI can also be used for security auditing, hooking, integrity checking or logging binary programs. The project prones modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information. The ERESI framework includes: * The ELF shell (elfsh), an interactive and scriptable ERESI interpreter dedicated to instrumentation of ELF binary files. * The Embedded ELF debugger (e2dbg), an interactive and scriptable high-performance userland debugger that works without standard debug API (namely without ptrace). * The Embedded ELF tracer (etrace), an interactive and scriptable userland tracer that works at full frequency of execution without generating traps. * The Kernel shell (kernsh), an interactive and scriptable userland ERESI interpreter to inject code and data in the OS kernel, but also infer, inspect and modify kernel structures directly in the ERESI language. * The Evarista static analyzer, a work in progress ERESI interpreter for program transformation and data-flow analysis of binary programs directly implemented in the ERESI language (no web page yet). Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program: * libelfsh : the binary manipulation library on which ELFsh, E2dbg, and Etrace are based. * libe2dbg : the embedded debugger library which operates from inside the debuggee program. * libasm : the disassembly engine (x86 and sparc) that gives semantic attributes to instructions and operands. * libmjollnir : the code fingerprinting and graph manipulation library. * librevm : the Reverse Engineering Vector Machine, that contains the meta-language interpretor and the standard ERESI library. * libaspect : the type system and aspect library. It can define complex data-types to be manipulated ad-hoc by ERESI programs. * libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format by automatically generating new ERESI types. | |||
| Also listed in: | Reverse Engineering Frameworks, Linux Debuggers, Linux Disassemblers, Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Fenris |
| ||
|---|---|---|---|---|
| Author: | lcamtuf | |||
| Website: | http://lcamtuf.coredump.cx/fenris | |||
| Current version: | 0.07-m2 build 3245 | |||
| Last updated: | July 11, 2004 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. The main logical components are: * Fenris: high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code. * libfnprints and dress: fingerprinting code that can be used to detect library functions embedded inside a static application, even without symbols, to make code analysis simplier; this functionality is both embedded in other components and available as a standalone tool that adds symtab to ELF binaries and can be used with any debugger or disassembler. * Aegir: an interactive gdb-alike debugger with modular capabilities, instruction by instruction and breakpoint to breakpoint execution, and real-time access to all the goods offered by Fenris, such as high-level information about memory objects or logical code structure. * nc-aegir: a SoftICE-alike GUI for Aegir, with automatic register, memory and code views, integrated Fenris output, and automatic Fenris control (now under development). * Ragnarok: a visualisation tool for Fenris that delivers browsable information about many different aspects of program execution - code flow, function calls, memory object life, I/O, etc (to be redesigned using OpenDX or a similar data exploration interface). * ...and some other companion utilities. | |||
| Also listed in: | Reverse Engineering Frameworks, Linux Disassemblers, Linux Debuggers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Float Tracer |
| ||
|---|---|---|---|---|
| Author: | j00ru | |||
| Website: | http://vexillium.org/?sec | |||
| Current version: | 0.0.1 | |||
| Last updated: | January 28, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | The main aim of Float Tracer is to monitor the specific process' execution and log the occurences of FPU instructions, showing its dissassembly, address, optionally modified STx value etc. It can also mark the immediate values you specify, as well as instructions, value ranges of ST0-ST7 registers, and so on :) | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | HBGary Inspector |
| ||
|---|---|---|---|---|
| Author: | HBGary | |||
| Website: | http://www.hbgary.com/inspector_v2.shtml | |||
| Current version: | 2.0 | |||
| Last updated: | ||||
| Direct D/L link: | N/A | |||
| License type: | Commercial | |||
| Description: | HBGary Inspector speeds team reverse engineering of software binaries. Inspector integrates dynamic runtime tracing with dataflow and static code analysis. Captured test data is recorded in a team-member shared database for further analysis with automated scripts and interactive graphing. Packed, obfuscated, and self-modifying malware binaries resist static disassembly. Anti-debugging tricks hinder runtime analysis. However, malware must unpack and de-obfuscate itself to execute. Inspector defeats many anti-debugging tricks and recovers true program instructions and live memory evidence as malware operates. Dynamic analysis provides accurate information about malware behavior. HBGary Inspector can trace data buffers and packets as they propagate in memory, saving countless hours and days of work for the Reverse Engineer. Complex control flow paths are mapped with interactive navigation graphs. Runtime code coverage is indicated and measured. Inspector is extensible with an exposed application program interface (API) and a powerful scripting system for analysis automation. | |||
| Also listed in: | Code Coverage Tools, Memory Data Tracing Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | MSIL Dumper |
| ||
|---|---|---|---|---|
| Author: | Kurapica | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11809 | |||
| Current version: | ||||
| Last updated: | June 11, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | The idea of this tool is to achieve two objects: 1 - It will dump the body of every Method (Function, Procedure) called by the executable assembly you select, The dumping occurs whenever compiler enters that method, for example if you Click some button and this button calls method "CheckLicense" then you will find a file named "CheckLicense.txt" in the "\Dump" folder. 2 - It will show you in details the methods being called and also the modules that your application loads so it could be used as a simple tracing utility for .net assemblies. I wrote this tool to help me rebuild assemblies protected with JIT hooking technique, those assemblies can't be explored in Reflector because their methods' body is encrypted and only decrypted in runtime when the method is called so you will see no code in reflector, I assumed that I will have access to the encrypted MSIL code of the methods using Profiling APIs, there was a 50% chance of success but it turned out to be only useful against certain protections like the one that LibX coded which depends on System.Reflection.Emit.DynamicMethod to excute protected methods. you can find more on LibX protection here hxxp://www.reteam.org/board/showthread.php?t=799 | |||
| Also listed in: | .NET MSIL Dumpers, .NET Tracers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PIN |
| ||
|---|---|---|---|---|
| Author: | Intel | |||
| Website: | http://rogue.colorado.edu/pin | |||
| Current version: | 2.3 (rev 18525) | |||
| Last updated: | April 10, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open source | |||
| Description: | Pin is a tool for the dynamic instrumentation of programs. It supports Linux binary executables for Intel (R) Xscale (R), IA-32, IA-32E (64 bit x86), and Itanium (R) processors. It also allow instrumentation of Windows programs on IA-32 and Intel (R) 64 processors Pin was designed to provide functionality similar to the popular ATOM toolkit for Compaq's Tru64 Unix on Alpha, i.e. arbitrary code (written in C or C++) can be injected at arbitrary places in the executable. Unlike Atom, Pin does not instrument an executable statically by rewriting it, but rather adds the code dynamically while the executable is running. This also makes it possible to attach Pin to an already running process. Pin provides a rich API that abstracts away the underlying instruction set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well. Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template. | |||
| Also listed in: | Code Injection Tools, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Process Stalker |
| ||
|---|---|---|---|---|
| Author: | Pedram Amini | |||
| Website: | http://www.openrce.org/downloads/details/171 | |||
| Current version: | 1.1 | |||
| Last updated: | July 13, 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Process Stalking is a term coined to describe the combined process of run-time profiling, state mapping and tracing. Consisting of a series of tools and scripts the goal of a successful stalk is to provide the reverse engineer with an intuitive visual interface to filtered, meaningful, run-time block-level trace data. The Process Stalker suite is broken into three main components; an IDA Pro plug-in, a stand alone tracing tool and a series of Python scripts for instrumenting intermediary and GML graph files. The generated GML graph definitions were designed for usage with a freely available interactive graph visualization tool. Data instrumentation is accomplished through a series of Python utilities built on top of a fully documented custom API. Binaries, source code and in-depth documentation are available in the bundled archive. An indepth article was written and released on OpenRCE.org detailing step by step usage of Process Stalker, the article is a good starting point for understanding the basics behind the tool set. Manual: http://pedram.redhive.com/process_stalking_manual/ API docs: http://pedram.redhive.com/process_stalking_manual/ps_api_docs/ | |||
| Also listed in: | Code Coverage Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
