From Collaborative RCE Tool Library

Jump to: navigation, search

New or Updated Items - RCE Tools (including sub-categories)

RSS feed If you want to keep track of all these updates automatically, simply use this RSS feed instead!

Tool Updated: ExeInfo PE

At: 2020-07-20 08:34:11

Listed in categories: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Deobfuscation Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers

Most recent version: - ( 1066 / 86 - x64 signatures )

Most recent release date:
February 27, 2020

Good detector for packers, compressors , compiler + unpack info + internal exe tools.
Internal Ripper for zip,rar,Flash swf,cab,msi,bzip,
GFX :bmp/jpg/png/gif,
Colored Disassembler,
Delphi Form viewer ,
.Zlib unpacker v1.2.8 ,
.NET exe info
Send sha256 to
Internal detector for non executable files.
Included EXTERNAL : userDB.txt - 4524 Signatures.
included : Ext_detector - v5.4.8 ( 548 non exe signatures , like 7z , zip , .rar , .lz , .mp4 )
Linux ELF Ripper.
Generic installers detector.

Tool Updated: RSATool

At: 2020-06-12 16:11:22

Listed in categories: Crypto Tools

Most recent version:

Most recent release date:
June 13, 2020

RSATool, RSA public key encryption algorithm tool.

This Windows program I Jiri Kocian Jr. created is very useful breaktrough cryptoanalytic utility for generating keypairs, calculating private exponent from P, Q primes and Factorisation of the N modulus to primes P, Q. Now the program also encrypts and decrypts data, all using famous RSA algorithm.

The user enters the keysize in bits, public exponent E and Number base and then from this information keypairs can be generated. The program is also useful for Calculating private exponent D from any P, Q primes entered in edit boxes. The program is also very interesting because of the feature to factorise modulus N to primes P and Q using Quadratic Sieve algorithm. Program also can encrypt and decrypt any text or binary data entered in the Encryption / Decryption dialog text box. Encrypted data can be saved to hard disk in the binary form. Program has a feature to save generated keys. Program also can load the saved keys from files. And neccessary note, please be patient using this program, generating keys with long keysizes like 4096 bits or even 8192 bits or more takes some time in minutes, factorisation is even more time consuming process so be patient.

Release notes:

Since the version 1.17 there is repaired small bug now the main dialog not close when enter is pressed and the default keylength is set to 2048 bits.

Since the version 1.15 in the Encrypt/Decrypt dialog box, there's special feature to choose public exponent E or private exponent D for Encryption.

Since the version 1.10 encrypted data are also saved in encrypted.hex file.

Since the version 1.09 the keypair can be now loaded from saved files into program.

Since the version 1.08 the primes P and Q are also saved into the file called primes.p12 when the button Save generated keys clicked.

Since the version 1.06 the program has a feature to save the generated keypair into the files public.key and private.key.

Since the version 1.04.03 the load of binary encrypted data is supported.

Since the version 1.04 there's Encrypt / Decrypt dialogbox included in the program.

In future versions there will be then new dialog box for encryption and decryption of any binary or text data using generated keys.

Program is tested in Windows 7/8.1/10.

Tool Updated: Ultra hash cracking tool

At: 2020-02-09 21:26:42

Listed in categories: Crypto Tools

Most recent version:

Most recent release date:
March 12, 2017

This cryptoanalytic tool is created for cracking one way hash function algorithms.
The program also can be useful as hash calculator. The feature of the new version is file hashing.

Ultra supports following hash algorithms:


Program uses bruteforce with different charsets and also random attack.
Exclusive option of this software is also ultrafast dictionary attack.

Release notes:

Since the version 1.54 there's a feature to save the generated hash to the binary file "hash.bin" and text file "hash.hex" in the program.

Since version 1.51.4.rc1 there's support for file hashing in this version and next versions of the Hash knife. There are still missing support for file hash in some algorithms. This will be implemented in future versions.

Since November 23, 2015 version 1.39s is available and contains variable salt string edit box. This version is available on the Website.

Since version 1.38 the program accepts zero length messages also as a Max. value (Min. = 0; Max. =0) to generate only zero length message.

Since version 1.31 Ultra handles zero length messages in brute force options (All combinations).

Program is tested in Windows 7/8.1/10.

Tool Updated: Flat Assembler (FASM)

At: 2020-01-17 15:23:49

Listed in categories: Assemblers

Most recent version:

Most recent release date:
December 5, 2019

From the source:

"The flat assembler is a fast and efficient self-assembling x86 assembler for DOS, Windows and Linux operating systems. Currently it supports x86 and x86-64 instructions sets with MMX, 3DNow!, SSE up to SSE4, AVX, AVX2 and XOP extensions, can produce output in plain binary, MZ, PE, COFF or ELF format. It includes the powerful but easy to use macroinstruction support and does multiple passes to optimize the instruction codes for size. The flat assembler is self-compilable and the complete source code is included.

The only difference between the various flat assembler packages is the operating system on which they can be executed. From given source each version will generate exactly the same output file, so with each of the following releases you can compile programs for any operating system."

Tool Updated: MasmBasic

At: 2020-01-17 14:50:37

Listed in categories: Programming Libraries

Most recent version:

Most recent release date:
January 14, 2020

BASIC is the Best Approach to Simple and Intelligent Coding. MasmBasic is a library that allows to use BASIC syntax in assembler, i.e. it is not a "separate" language but rather a library of macros and routines, fully compatible with the latest Masm32 SDK (version 11), MASM (version 6.15 or higher) and UAsm, and thoroughly tested on Windows XP, 7, 8 and 10.

While MasmBasic is pretty stable (and pretty fast - typically twice as fast as C), it is still Assembler, therefore the usual disclaimers apply - do not use for military purposes, in hospitals and anywhere else where buggy applications could cause damage. You have been warned 8)

To install the library, double-click SetupMasmBasic.exe in the attached archive (see step-by-step instructions).

For an overview of the over 400 available functions, see \Masm32\MasmBasic\MbGuide.rtf (after extracting the archive, of course) or see the (incomplete) MasmBasic Quick Reference online. See also A guide to the RichMasm editor.

14 January 2020: Updated archive, now with ArrayIndex(array, match), _Local x$="Hello World", better UTF-8 support, MemState for finding leaks, MapView control, Math symbols in RichMasm, PrintRtf, dual 32/64-bit examples in File/New Masm source menu, and a 64-bit version of the deb macro. Older changes: For_ each x$ in My$(), improved Switch_; GetFiles returns UTF8 now; WebCam, GetProcessArray(), new GSL lib, Choose, fast MemSet, Instr_() and Sinus() added, GuiTextBox improved. Data and Read , float counters are valid in For_ ... Next, and xmm regs are preserved for all MasmBasic commands. Note that simple Windows API calls can trash them on 64-bit versions of Windows.

Older additions: GuiXX functions, Split$, Join$, Filter$, commandline to Files$(), GfCallback, true Unicode, also in file I/O; UnzipFile, ArraySet, SetReg64 for 64-bit registry settings, ArrayMerge, Age(), GetRegArrays, unsigned LONGLONG in Str$(), ShEx, xls interface, ArraySet, ArrayPlot, AddWin$, WritePipe, Plugins, IsFolder(), wOpen, FileOpen$/FileSave$, also as Unicode versions, Extract$, Dialogs, COM support (CoInvoke, GuidsEqual(), IUnknown, VARIANT, ...), improved ANSI and Unicode commandline macros CL$()/wCL$(), improved xHelp, Launch$(), Try/Catch/Finally, ...

Installation hints for Windows 8 ... 10:

- click on below
- depending on your browser and zip application, choose open in xyZip or Save as...
- if it doesn't open in 7-zip or WinZip or whatever, locate the zip file and open it
- once you see SetupMasmBasic.exe, open it (double-click or select and Enter)
- you should see an extraction dialog, and shortly after a box "Windows Protected Your PC - Windows SmartScreen prevented..."
- do NOT click OK; instead, click on the tiny green link "More info"
- you will see Program SetupMasmBasic.exe and "unknown publisher"; click "Run Anyway"
- the screen will darken, and you see a box "Do you want to allow .. changes to your computer?"
- click Yes
- you should see now a big box "MasmBasic - a fast library..." with a EULA; read it, then click "Accept & Install"

** if anything goes wrong, have a look at our AV Software sh*t list subforum, then disable your antivirus for the \Masm32 folder and try again; if that doesn't help, reply to this thread **

Tool Updated: Solar Assembler (SolAsm)

At: 2020-01-17 14:36:05

Listed in categories: Assemblers

Most recent version:

Most recent release date:
July 8, 2018

SOLAR Assembler is a modern multipass macro assembler that can compile 16/32/64 bits code and runs on Windows, Linux, MacOSX and Solar_OS.

A few Features:
•Fast on huge and complex projects: 350.000 lines per second
•Can directly generate PE32/64, Binary 16/32/64, DLL32/64
•Can output OMF32, COFF32/64, ELF32/64 and MachO32 OBJ
•    Can encode 16/32/64 ASM code 
•     Strong recursive and nested MACRO system
•     Includes a rich set of High Level primitives:
•         .IF .ELSEIF .ELSE .ENDIF with AND/OR/NOT multiple conditions
•         INVOKE with ADDR support
•         .REPEAT .UNTIL
•         #if, #ifdef, #if_used, #else
•        does not need PROTO, checks PROC arguments 
•     Includes mini in memory resource compiler
•     Emits Listing in standard text format
•     Emits Debug Output in COFF format and an easy to read text format
•     Multiplatform, runs on:
•        WIn95, Win98, Windows XP, VISTA, Windows 7 32 and 64 bits
•         Mac OS X 
•         Unix / Linux and other unix like OSes that can link with an ELF libc
•         Solar OS 
•     It is fully written in ASM, Compiles itself
•     Compiles huge and complex ASM projects like:
•         Solar OS
•         Hostile Encounter RTS Game 
•     Has a rich manual and a set of samples to get you started

Tool Updated: Frida

At: 2020-01-17 14:20:51

Listed in categories: API Monitoring Tools, Android Tools, Code Injection Tools, IPhone Tools, Memory Data Tracing Tools, Network Monitoring Tools, Non-Intrusive Debuggers, Programming Libraries, Reverse Engineering Frameworks, Ring 3 Debuggers, Tracers

Most recent version:

Most recent release date:
January 14, 2020

Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.

It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.


Your own scripts get injected into black box processes to execute custom debugging logic. Hook any function, spy on crypto APIs or trace private application code, no source code needed!


Stealthy code tracing without relying on software or hardware breakpoints. Think DTrace in user-space, based on dynamic recompilation, like DynamoRIO and PIN.


Works on Windows, macOS, Linux, iOS, Android, and QNX. Install the Node.js bindings from npm, grab a Python package from PyPI, or use Frida through its Swift bindings, .NET bindings, Qt/Qml bindings, or C API.

Why do I need this?

Great question. We’ll try to clarify with some use-cases:

* There’s this new hot app everybody’s so excited about, but it’s only available for iOS and you’d love to interop with it. You realize it’s relying on encrypted network protocols and tools like Wireshark just won’t cut it. You pick up Frida and use it for API tracing.

* You’re building a desktop app which has been deployed at a customer’s site. There’s a problem but the built-in logging code just isn’t enough. You need to send your customer a custom build with lots of expensive logging code. Then you realize you could just use Frida and build an application- specific tool that will add all the diagnostics you need, and in just a few lines of Python. No need to send the customer a new custom build - you just send the tool which will work on many versions of your app.

* You’d like to build a Wireshark on steroids with support for sniffing encrypted protocols. It could even manipulate function calls to fake network conditions that would otherwise require you to set up a test lab.

* Your in-house app could use some black-box tests without polluting your production code with logic only required for exotic testing.

Tool Added: SyserStealth

At: 2019-07-14 00:19:22

Listed in categories: Tool Hiding Tools

Most recent version:

Most recent release date:
January 11, 2015

older tool what never got released and i recently updated it a bit

it might be to old now target was windows xp

Tool Updated: IceStealth

At: 2019-07-05 13:13:59

Listed in categories: SoftICE Extensions, Tool Hiding Tools

Most recent version:

Most recent release date:
July 7, 2019

IceStealth is a SoftICE hiding tool, that should protect from:

CreateFileA, CreateFileW, NtCreateFile, also nmtrans.dll wont find SoftICE with these methods
OpenServiceA, OpenServiceW, EnumServicesStatusA,EnumServicesStatusW,EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM Protection
BPM Protection
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Also Improvements To NTICE

Tool Updated: BeaEngine

At: 2019-06-21 13:42:52

Listed in categories: X64 Disassembler Libraries, X86 Disassembler Libraries

Most recent version:

Most recent release date:
June 21, 2019

BeaEngine is a multi-plateform library coded in C (ISO99). It contains actually one function called "Disasm" which allows to disassemble any instruction from the intel instructions set for processors 32 bits and 64 bits. You can use this lib with following languages : C#, C, Python, Delphi, PureBasic, masm32, masm64, GoAsm32, GoAsm64, Nasm, Fasm, WinDev. You can use it in ring3 or ring0 because it doesn't use the windows API. The package you can download here contains the lib, the source code under LPGL3 license and examples including headers for C programmers, C#, masm, nasm, fasm ,GoAsm Python, Delphi, PureBasic, WinDev ones.

Tool Updated: REDasm

At: 2019-05-23 22:12:06

Listed in categories: Disassemblers, Linux Disassemblers, Visual Basic Decompilers

Most recent version:

Most recent release date:
May 23, 2019

REDasm is an interactive, multiarchitecture disassembler written in modern C++11 using Qt5 as UI Framework.
Its core is modular and it can be easily extended in order to support new file formats and instruction sets.
You can hack and improve REDasm without any issues and limitations.

Runs on Windows and Linux.

Tool Updated: PPEE (puppy)

At: 2018-08-18 12:15:31

Listed in categories: .NET Executable Editors, Dependency Analyzer Tools, Entropy Analyzers, Exe Analyzers, Executable CRC Calculators, Executable File Editors & Patchers, Export Editors, Hex Editors, Import Editors, Malware Analysis Tools, PE Executable Editors, Relocation Tools, String Finders

Most recent version:

Most recent release date:
August 17, 2018

This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them.
Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported.
Two companion plugins are also provided. FileInfo, to query the file in the well-known malware repositories and take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on. YaraPlugin, to test Yara rules against opened file.

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details.

Puppy is free and tries to be small, fast, nimble and friendly as your puppy!


Both PE32 and PE64 support
Examine YARA rules against opened file
Virustotal and OPSWAT's Metadefender query report
Statically analyze windows native and .Net executables
Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
Parse Rich Header
Edit almost every data structure
Easily dump sections, resources and .Net assembly directories
Entropy and MD5 calculation of the sections and resource items
View strings including URL, Registry, Suspicious, ... embedded in files
Resolve ordinal to name in imported APIs
Detect common resource types
Extract artifacts remained in PE file
Anomaly detection
Right-click for Copy, Search in web, Whois and dump
Built in hex editor
Explorer context menu integration
Descriptive information for data members
Refresh, Save and Save as menu commands
Drag and drop support
List view columns can sort data in an appropriate way
Open file from command line
Checksum validation
Plugin enabled

Feel free to use it ;)

Tool Updated: XVolkolak

At: 2018-07-13 08:30:34

Listed in categories: Automated Unpackers, Exe Analyzers, Packer Identifiers, Unpacking Tools, X86 Emulators, X86 Sandboxes

Most recent version:

Most recent release date:
July 12, 2018

Xvolkolak is an unpacker emulator.
Unlike programs of this type, it does not use DebugAPI and other features of the operating system. Everything is emulated. You can safely unpack malware for further investigation without the risk of damaging the system.
All machine instructions are not executed on a real processor, so unpacking occurs regardless of the processor type and the operating system.
It is possible to unpack 64 bit files on 32 operating systems.
This build emulates the processors intel x86 and AMD64.
It supports unpacking 32 and 64 bit Windows executable files.

Due to its capabilities, with the correct manual setting, the program engine can be used to unpack almost any packer / protector.
However, this version of the program works in a fully automatic mode and can only unpack simple non-commercial unpackers such as:

(Win) Upack
and some others

Tool Updated: Rohitab API Monitor

At: 2018-06-15 21:56:31

Listed in categories: API Monitoring Tools, COM Monitoring Tools, File Monitoring Tools, Memory Dumpers, Memory Patchers, Monitoring Tools, Network Monitoring Tools, Registry Monitoring Tools

Most recent version:
v2 (Alpha-r13) (and old stable 1.5b)

Most recent release date:
March 14, 2013

API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

* Supports monitoring of 32-bit and 64-bit applications and services
* API Definitions for over 15,000 API’s from 200 DLL’s and over 17,000 methods from 1,800+ COM Interfaces (Shell, Web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI etc)
* Decode and display 2000 different structures and unions, 1000+ Enumerated data types, 800+ flags. Buffers and arrays within structures can also be viewed
* Display input and output buffers
* Call Tree display which shows the hierarchy of API calls
* Decode Parameters and Return Values
* Control the target application by setting breakpoints on API calls
* Instant monitoring of any API from any DLL without requiring any definitions
* Memory Editor that lets you view, edit and allocate memory in any process
* Dynamic Call Filtering capabilities which allows you to hide or show API calls based on a certain criteria
* Supports monitoring of COM Interfaces
* Decode error codes and display friendly messages by calling an appropriate error function to retrieve additional information about the error
* Capture and view the call stack for each API call
* Custom DLL Monitoring - Supports creating definitions for any DLL or COM Interface
* Support for filtering calls by threads
* Displays the duration for each API call
* Process detection and notification

Tool Updated: DynLogger

At: 2018-06-15 21:00:15

Listed in categories: API Monitoring Tools

Most recent version:

Most recent release date:
April 14, 2008

DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application. It also logs the loaded modules.

Download the x64 version of DynLogger only if the process is not an x86 process. In all other cases download the x86 version.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET application as well. Just start the logging process, the log will be saved after you quit the monitored application.

Tool Updated: SpyStudio

At: 2018-06-15 20:57:55

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:

Most recent release date:
November 17, 2015

SpyStudio is a powerful application that simplifies the code execution interception operations, also called "hooking". Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the Operating System and it's applications.

With SpyStudio you can monitor and intercept API calls at any time, change its parameters, and resume execution.

SpyStudio uses the Deviare API technology to intercept functions' calls, this allows the user to monitor and hook applications in real time.
Deviare is a very complex technology, that can be used through the most simple interfaces.

This useful application provides the ability to break process execution and inspect the function's parameters at any level, and even change its values.

* Hooks any module of any application.

* Understands almost any function's parameters. Every defined data structures and types in windows.h are supported.

* Break on monitor: Break application's code execution, watch and modify function's parameters.

* Integrated Python shell: Now allows to execute Python scripts and handle hooks!

* Some of the modules included on the database are:


Tool Updated: Scdbg

At: 2018-06-15 20:50:47

Listed in categories: API Monitoring Tools, Automated Unpackers, Debuggers, Malware Analysis Tools, Monitoring Tools, Needs New Category

Most recent version:

Most recent release date:
March 30, 2012

scdbg is a shellcode analysis application built around the libemu emulation library. When run it will display to the user all of the Windows API the shellcode attempts to call.

Additions include:
100+ new api hooks, 5 new dlls, interactive debug shell, memory dumping, rebuilt PEB, SEH support, support for file format exploits, support for return address scanners, memory monitor, report mode, dump mode, easily human readable outputs, log after xx capabilities, directory mode, inline analysis of process injection shellcode and more...

Builds are available for Windows (native), Cygwin, and *nix variants.

See tool web page for more details.

New catagory Request: Shellcode Analysis

While other categories describe functions of this tool, its a really specialized niche field.
Not many people know specialized tools exist for it, a category of its own (probably
within the Malcode Analysis section?) would help people find it. I can think of two other applications to link into this new section. (libemu and sclog) and maybe shellcode_2_exe

Tool Updated: Pin

At: 2018-06-15 20:49:14

Listed in categories: API Monitoring Tools, Code Injection Tools, Programming Libraries, Reverse Engineering Frameworks

Most recent version:

Most recent release date:
February 11, 2018

Pin is a dynamic binary instrumentation framework for the IA-32, x86-64 and MIC instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are VTune Amplifier XE, Inspector XE, Advisor XE and SDE. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications on Linux, Windows and OS X*. As a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.

Pin provides a rich API that abstracts away the underlying instruction-set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin was originally created as a tool for computer architecture analysis, but its flexible API and an active community (called "Pinheads") have created a diverse set of tools for security, emulation and parallel program analysis.

Tool Updated: Malcode Analysis Pack

At: 2018-06-15 20:43:55

Listed in categories: API Monitoring Tools, Import Editors, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools

Most recent version:

Most recent release date:
May 5, 2012

Update: This is no longer available through the iDefense website. An updated package has been made available by the author.

The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 5 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs dns responses to controlled ip's
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes
• finddll - scan processes for loaded dll by name
• Virustotal - virus reports for single and bulk hash lookups. Explorer integration

Tool Updated: SysAnalyzer

At: 2018-06-15 20:38:54

Listed in categories: API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Memory Dumpers, Network Monitoring Tools, Registry Monitoring Tools

Most recent version:

Most recent release date:
March 21, 2011

Update: This tool is no longer available for download through the iDefense website. An updated installer has been made available by the author.

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.