Forensics

Dumproc 0.2

A quick tool for dumping memory from a process or writing data into it.

Lame Patcher 0.4.4b

A file patcher available with both a GUI (on Windows) and a command-line mode, plus various features. It uses text files with the lpatch extension for the list of operations to perform on the target file. These text files are trivial to create and edit and allow you to specify comments, the default name of the file to patch, an introduction to display before applying the patch, MD5 hash verification, the modification of a byte at a specific offset, the substitution of a sequence of bytes or a string, wildcards and more.

An older version of the "patch files", used for substituting bytes at fixed offsets, also exists; it is identified by the lpatch.dat name.

On Windows the tool can also be used to patch a running process, or to launch and patch it.
This patcher and its patch files are the only ones that I use for my patches.

Signsrch 0.2.3

A tool for searching signatures inside files, extremely useful in reverse engineering for figuring out, or getting an initial idea of, which encryption/compression algorithm is used by a proprietary protocol or file. It can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code; more can be added manually, since it's all based on a text signature file that is read at run time and easy to modify.

It supports multi-threading, scanning of folders using wildcards, scanning of processes, conversion of executable offsets into memory offsets, loading of custom signature files and their automatic checking to avoid errors, automatic finding of the instructions that reference the found signatures (like "Find references" in OllyDbg) and launching an executable while placing an INT3 byte at the desired memory offset.

Executable's strings lister and replacer 0.2.3a

This tool has the main purpose of finding any ASCII and Unicode string inside PE and ELF executables, with the possibility of modifying them using any external text editor and re-injecting them into the original executable.

Technically, finding the strings works in the following way: the tool disassembles all the executable sections of the input file (like .text; only x86 32-bit is supported) and shows any string or any array of strings, so instructions like push "string", mov eax, "string", mov eax, "[4*edx+array]" and so on are handled perfectly. Injecting the modified strings back into the executable (ELF not supported), instead, is performed by adding a new "stringz" section which contains all the new strings and by substituting all the pointers to those strings collected in the "finding" operation with the new ones (relocation).

The tool can also be used as a quick and advanced strings program (the one available on *nix), with the difference that the strings found by exestringz are not random but are found and confirmed by the disassembled code, avoiding false positives. Anyway, through the -b option the tool can act exactly like the strings program and naturally can also re-import the modified strings.

There is also an "experimental" option specific to Asian UTF-8, which was also the reason for the initial creation of this tool: the translation of a Japanese game.

Note that, for obvious technical reasons, it is not always possible to export and re-import all the strings of any executable, because in some cases (usually with big programs) false positives could be generated; anyway, the output file generated by the tool is very easy to understand and edit, so it's not a problem.

Technical limitations:

AndroChef Java Decompiler

AndroChef Java Decompiler is a Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, 8.1 and Windows 10 decompiler for Java that reconstructs the original source code from compiled binary CLASS files. AndroChef Java Decompiler is able to decompile the most complex Java 6 applets and binaries, producing accurate source code.

AndroChef successfully decompiles obfuscated Java 6, Java 7 and Java 8 .class and .jar files. It supports Java language features like generics, enums and annotations. According to some studies, AndroChef Java Decompiler is able to decompile 98.04% of Java applications generated with traditional Java compilers - a very high recovery rate. It is a simple but powerful tool that allows you to decompile Java and Dalvik bytecode (DEX, APK) into readable Java source. Easy to use.

ILSpy

ILSpy is the open-source .NET assembly browser and decompiler.

ILSpy Features:

Assembly browsing
IL Disassembly
Support C# 5.0 “async”
Decompilation to C#
Supports lambdas and ‘yield return’
Shows XML documentation
Decompilation to VB
Saving of resources
Save decompiled assembly as .csproj
Search for types/methods/properties (substring)
Hyperlink-based type/method/property navigation
Base/Derived types navigation
Navigation history
BAML to XAML decompiler
Save Assembly as C# Project
Find usage of field/method
Extensible via plugins (MEF)
Assembly Lists

Snowman is a native code to C/C++ decompiler

Standalone Version
Supports ARM, x86, and x86-64 architectures.
Reads ELF, Mach-O, and PE file formats.
Reconstructs functions, their names and arguments, local and global variables, expressions, integer, pointer and structural types, all types of control-flow structures, including switch.
Has a nice graphical user interface with one-click navigation between the assembler code and the reconstructed program.
Has a command-line interface for batch processing.

IDA Plug-in
Enjoys all executable file formats supported by the disassembler.
Benefits from IDA’s signature search, parsers of debug information, and demanglers.
Decompiles a chosen function or the whole program by push of a button.
Allows easy jumping between the disassembler and the decompiled code.
Fully integrates into IDA’s GUI.

Pin - A Binary Instrumentation Tool

Overview

Pin is a dynamic binary instrumentation framework for the IA-32 and x86-64 instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are VTune Amplifier XE, Inspector XE, Advisor XE and SDE. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications in Linux and Windows. As a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.

Pin provides a rich API that abstracts away the underlying instruction-set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin was originally created as a tool for computer architecture analysis, but its flexible API and an active community (called "Pinheads") have created a diverse set of tools for security, emulation and parallel program analysis.

Distribution

Pin is proprietary software developed and supported by Intel and is supplied free of charge for non-commercial use. Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template.

FTimes

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

FTimes is a lightweight tool in the sense that it doesn't need to be "installed" on a given system to work on that system, it is small enough to fit on a single floppy, and it provides only a command line interface.

Preserving records of all activity that occurs during a snapshot is important for intrusion analysis and evidence admissibility. For this reason, FTimes was designed to log four types of information: configuration settings, progress indicators, metrics, and errors. Output produced by FTimes is delimited text and is therefore easily assimilated by a wide variety of existing tools.

FTimes basically implements two general capabilities: file topography and string search. File topography is the process of mapping key attributes of directories and files on a given file system. String search is the process of digging through directories and files on a given file system while looking for a specific sequence of bytes. Respectively, these capabilities are referred to as map mode and dig mode.

FTimes supports two operating environments: workbench and client-server. In the workbench environment, the operator uses FTimes to do things such as examine evidence (e.g., a disk image or files from a compromised system), analyze snapshots for change, search for files that have specific attributes, verify file integrity, and so on. In the client-server environment, the focus shifts from what the operator can do locally to how the operator can efficiently monitor, manage, and aggregate snapshot data for many hosts. In the client-server environment, the primary goal is to move collected data from the host to a centralized system, known as an Integrity Server, in a secure and authenticated fashion.

pyflag

PyFlag has a rich feature list, which includes the ability to load many different log file formats and to perform forensic analysis of disks and images. PyFlag can also analyze network traffic, as obtained via tcpdump, quickly and efficiently. Since PyFlag is web based, it can be deployed on a central server and shared with a number of users at the same time. Data is loaded into cases, which keep information separated.
