From Collaborative RCE Tool Library


New or Updated Items - RCE Tools (including sub-categories)




Tool Updated: Open NT Native Template Library

At: 2009-11-20 20:21:54

Listed in categories: Kernel Tools, Needs New Category, Programming Libraries

Most recent version:

Most recent release date:
November 20, 2009

Description:
A set of tiny C++ RAII wrappers for NT Native/Win32 APIs including its own C++0x Standard Library (formerly STL) implementation.



Tool Updated: IDA Stealth

At: 2009-11-15 23:45:08

Listed in categories: IDA Extensions, Tool Hiding Tools

Most recent version:
1.1

Most recent release date:
November 15, 2009

Description:
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.



Tool Updated: Hash & Crypto Detector

At: 2009-11-13 01:08:31

Listed in categories: Crypto Tools

Most recent version:
1.4

Most recent release date:
November 12, 2009

Description:
* HCD detects the most common hash & crypto algorithms and compilers for PE files.
* It can currently detect more than 90 different signatures.
* HCD is special in some aspects when compared to other identifiers already out there!

############################################################################################

1. It has a superb GUI and the interface is really intuitive and simple.
2. The rate of detection is very good.
3. Shell integration, command line support.
4. Always on top and drag'n'drop capabilities.
5. Extra scanning techniques used for even better detection.
6. Total Scan able to find duplicate signatures and determine the location VA.
7. Save Log allows you to choose where to keep or copy the result.

############################################################################################

What's new in version 1.4:
============
1. Deep Method Scan.
2. Scan memory for packed & protected executable files.
3. Detect compiler (new method).
4. Heuristic detection (packers and protectors used).
5. Information on cryptographic functions.
6. New interface & skin.
7. Some bugs fixed.



Tool Updated: AsProtect Signatures for IDA

At: 2009-11-12 16:25:26

Listed in categories: IDA Signatures

Most recent version:
0.1

Most recent release date:
November 12, 2009

Description:
Signature pack for IDA, that contains many AsProtect functions (~500). Run it on dumped AsProtect.dll.



Tool Updated: CodeDoctor

At: 2009-11-12 16:24:49

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in the disasm window and execute this command. It will try
to clear the code of junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like the previous command, but does one transformation at a time.
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F


to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards.
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations when the program jumps here and there and here and there... When
it encounters an instruction that can't be followed, it stops and copies
all parsed instructions to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - ditto, but for Jccs
Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B



Tool Updated: CFF Explorer

At: 2009-11-10 18:26:13

Listed in categories: .NET Executable Editors, PE Executable Editors

Most recent version:
7.4.0.1

Most recent release date:
November 10, 2009

Description:
The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!



Tool Updated: Regshot Unicode

At: 2009-11-10 06:46:09

Listed in categories: Registry Diff Tools, Registry Monitoring Tools

Most recent version:
2.0.1.68 Unicode

Most recent release date:
November 9, 2009

Description:
Regshot is a small, free and open source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after making system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot1 and snapshot2. In addition, you can also specify folders (with subfolders) to be scanned for changes as well.



Tool Added: Pdf-parser

At: 2009-11-05 01:26:57

Listed in categories: Data Extraction Tools

Most recent version:
0.3.1

Most recent release date:
May 13, 2009

Description:
This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document. The code of the parser is quick-and-dirty, I’m not recommending this as a textbook case for PDF parsers, but it gets the job done.

The stats option displays statistics of the objects found in the PDF document. Use this to identify PDF documents with unusual/unexpected objects, or to classify PDF documents. For example, I generated statistics for 2 malicious PDF files, and although they were very different in content and size, the statistics were identical, proving that they used the same attack vector and shared the same origin.

The search option searches for a string in indirect objects (not inside the stream of indirect objects). The search is not case-sensitive, and is susceptible to the obfuscation techniques I documented (as I’ve yet to encounter these obfuscation techniques in the wild, I decided not to resort to canonicalization).

The filter option applies the filter(s) to the stream. For the moment, only FlateDecode is supported (e.g. zlib decompression).

The raw option makes pdf-parser output raw data (e.g. not the printable Python representation).

The objects option outputs the data of the indirect object whose ID was specified. This ID is not version dependent. If more than one object has the same ID (disregarding the version), all these objects will be output.

The reference option allows you to select all objects referencing the specified indirect object. This ID is not version dependent.

The type option allows you to select all objects of a given type. The type is a Name and as such is case-sensitive and must start with a slash character (/).



Tool Updated: BeaEngine

At: 2009-11-04 15:51:29

Listed in categories: X86 Disassembler Libraries

Most recent version:
3.1.0

Most recent release date:
November 4, 2009

Description:
BeaEngine is a library coded in C. It actually contains one function, called "Disasm", which allows you to disassemble any instruction from the Intel instruction set for 32-bit and 64-bit processors. You can use this lib with the following languages: C, Python, Delphi, masm32, masm64, GoAsm32, GoAsm64, Nasm, Fasm. You can use it in ring3 or ring0 because it doesn't use the Windows API. The package you can download here contains the lib, the source code under the LGPL3 license and examples including headers for C, masm, nasm, fasm, GoAsm, Python and Delphi programmers.



Tool Updated: Radare

At: 2009-11-04 09:18:47

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.4.1

Most recent release date:
November 3, 2009

Description:
The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java, with some support for powerpc.

The core is a raw hexadecimal editor for the command line with scripting features and perl/python extensions that gets extended with IO plugins that hook the open/read/write/close/system calls.

The debugger and disassembler have a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the execution flow of a program in a log file and use the information to diff it against another trace or binary.

The toolchain provides assemblers and disassemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhanced to handle inline comments, code block detection and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net



Tool Added: FoxPro file manager - Total Commander plugin

At: 2009-11-02 18:15:02

Listed in categories: FoxPro Tools

Most recent version:
0.95

Most recent release date:
25.10.2009

Description:



Tool Updated: Filter Monitor

At: 2009-10-20 21:33:29

Listed in categories: Kernel Filter Monitoring Tools

Most recent version:
1.1.0

Most recent release date:
October 20, 2009

Description:
This utility can list kernel mode filters and also unregister them. Monitored filters are, for instance, registry filters, create process and thread notifications. FilterMon comes both for x64 and x86 and it should work on all Windows systems from Vista RTM to Windows 7 RTM. However, I only tested it on Windows 7 RTM on x64 and I can't guarantee that it will work on future versions of Windows as it relies heavily on system internals.

As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs now have to rely on the filtering/notification technologies provided by Microsoft. And that's why I wrote this little utility which monitors some key filters.

Since I haven't signed the driver of my utility, you have to press F8 at boot time and then select the "Disable Driver Signature Enforcement" option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frantically so as not to miss the right moment.



Tool Updated: TurboDiff

At: 2009-10-15 14:25:10

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
1.01

Most recent release date:
October 14, 2009

Description:
Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.



Tool Updated: WindowManipulator

At: 2009-10-06 19:13:09

Listed in categories: Window Manipulation Tools

Most recent version:
1.0.0.0

Most recent release date:
October 6, 2009

Description:
In the name of God

Using this tool you will be able to view and manipulate hidden and visible windows in your machine.

Features(v1.0):
- [+]Bring to Front: Bring window to front and show it on top.
- [+]Restore: Restore a maximized window.
- [+]Maximize: Maximize window.
- [+]Minimize: Minimize window.
- [+]Move: Move window to new X,Y.
- [+]Resize: Resize window to new Height and Width.
- [+]Set On Top: Set window always on top(above all).
- [+]Set Not On Top: Set window not on top (normal).
- [+]Enable: Enable a disabled window.
- [+]Disable: Disable an enabled window.
- [+]Destroy: Destroy window
- [+]Close: Close window
- [+]Force Closing: If a window refuses to close, you may force it.
- [+]Change Title: Change window title.
- [+]Set Transparency: Make window transparent and set transparency level.
- [+]Change Icon: Change window icon by extracting it from DLL or EXE or ICO.
- [+]Kill Process: Kill window process.
- [+]Open Process Directory: Open window process path and select process file.
------
- [+]Copy Window Title: Copy window title to clipboard.
- [+]Copy Window Handle: Copy window handle to clipboard.
- [+]Copy Window Class: Copy window Class to clipboard.
- [+]Copy Window State: Copy window state to clipboard.
- [+]Copy Process ID: Copy process id to clipboard.
- [+]Copy Process Name: Copy process name to clipboard.
- [+]Copy Process Path: Copy process path to clipboard.
- [+]Copy Whole Line: Copy all window information to clipboard.

Options(v1.0):
- [+]Show Handle & PID in HEX: Show window handle and process id in hexadecimal format.
- [+]Show Handle & PID in DEC: Show window handle and process id in decimal format.
- [+]Show Hidden Windows: Show/Hide hidden windows in the list.
- [+]Show Visible Windows: Show/Hide visible windows in the list.
- [+]Hidden Windows Color: Select color for hidden windows.
- [+]Visible Windows Color: Select color for visible windows.
- [+]Auto Refresh: Enable/Disable autorefresh (interval=5sec).
- [+]Always On Top: Enable/Disable On top option to set WinMap above all.



Tool Updated: HideToolz

At: 2009-10-03 23:38:21

Listed in categories: Tool Hiding Tools

Most recent version:
2.2

Most recent release date:
October 3, 2009

Description:
This is version 2.2 of HideToolz. Version 2.1 did not work on Windows Vista SP1 or higher. I have modified the device driver so HideToolz now works on Vista SP1 through Windows 7 RTM.

-Fyyre

- - -

HideToolz is a configurable GUI based utility that allows hiding of RCE tools from annoying detection (such as Themida). It does so via a kernel mode driver which hooks functions such as NtQueryInformationProcess, NtSetContextThread, NtQuerySystemInformation, NtOpenProcess, NtOpenThread, etc... allowing you to debug 'protected' applications easily.

Features include:

Hide Processes
Protect Processes
Hide Windows
Protection from Windows hooks
Emulation of parent process (sets parent pid of target PID to explorer.exe).
Anti-Anti debug features.

Runs very stable under Windows XP through Windows 7 (x86 only). Please be aware that some anti-virus products detect the HideToolz driver as a rootkit - this is basically correct, except HideToolz contains no payload, does not access any network API, etc... if you doubt it, disasm the driver yourself.



Tool Updated: LordPE

At: 2009-09-30 14:24:12

Listed in categories: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers

Most recent version:
1.41 (Deluxe b)

Most recent release date:
September 30, 2009

Description:
LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...



Tool Updated: Plugins Manager

At: 2009-09-22 03:09:33

Listed in categories: OllyDbg Extensions

Most recent version:
1.2.0.0

Most recent release date:
September 20, 2009

Description:
A simple plugin for OllyDBG 1.10 to manage its other loaded plugins.

Features:
+ Ease of use:
Takes a simple double click to toggle the state of a plugin from Enabled to Disabled. The action can also be achieved
through a drop down menu.

+ Directly compatible with major OllyDBG customized editions:
Directly supported by OllyICE, OllySnD, OllyDRX, DeFixed ...
No need for any patching work (as long as OllyDBG.exe exists)

--------------------------------------------------------------



Tool Updated: Process Monitor

At: 2009-09-19 12:30:27

Listed in categories: File Monitoring Tools, Process Monitoring Tools, Registry Monitoring Tools

Most recent version:
2.7

Most recent release date:
September 18, 2009

Description:
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.



Tool Updated: VMMap

At: 2009-09-19 12:29:21

Listed in categories: System Information Extraction Tools

Most recent version:
2.3

Most recent release date:
September 17, 2009

Description:
VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load it back in. It also includes command-line options that enable scripting scenarios.

VMMap is the ideal tool for developers wanting to understand and optimize their application's memory resource usage.



Tool Updated: GMER

At: 2009-09-15 21:44:21

Listed in categories: Kernel Hook Detection Tools

Most recent version:
1.0.15.15087

Most recent release date:
September 15, 2009

Description:
GMER is an application that detects and removes rootkits.

It scans for:
* Hidden processes
* Hidden threads
* Hidden modules
* Hidden services
* Hidden files
* Hidden Alternate Data Streams
* Hidden registry keys
* Drivers hooking SSDT
* Drivers hooking IDT
* Drivers hooking IRP calls
* Inline hooks


GMER also allows you to monitor the following system functions:
* Process creation
* Driver loading
* Library loading
* File functions
* Registry entries
* TCP/IP connections

GMER runs on Windows NT/W2K/XP/VISTA


