Tuesday, September 21, 2004

ExeInfo PE

ExeInfo PE shares many features with PEiD, but adds some extra functions that make them easier and faster to access, such as the ones described below.

The main interface is very similar to PEiD's, but with some great extra functionality.


With the Rip button, all resources can be extracted at once and saved to the current directory.


From the Tools menu the user can get a lot of information from inside PE files, such as registry keys and the OEP, save the resource section, use the XoR permutator (which makes it easy to reverse any simply obfuscated string, such as ROT13), and much more.


The File menu offers you multiple options for acting on the analyzed file. WYSIWYG.


EXEInfo PE can be downloaded from:
http://www.exeinfo.xwp.pl

PEiD - PE Identifier

This small tool has big features for anyone who wants to extract information from PE files.



PEiD has its own special features:
1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers.
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Well, I have used it for a long time and it is a great, fast tool for getting PE information without needing to install anything.

PEiD can be downloaded from here:
http://www.peid.info

Sunday, September 19, 2004

Explorer Suite

This is one of the most advanced freeware tool suites for reverse code engineers. Created by Daniel Pistelli, it is a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64: special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker, etc. It is the first PE editor with support for .NET internal structures, and its Resource Editor (Windows Vista icons supported) is capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

- Explorer Suite (Multi-Platform Version, Recommended)
- Explorer Suite (x86 Version)
- CFF Explorer (x86 Version, stand-alone, Zip Archive)

- CFF Explorer Extensions Repository

The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Features:

  • Process Viewer
  • Windows Viewer
  • PE and Memory Dumper
  • Full support for PE32/64
  • Special fields description and modification (.NET supported)
  • PE Utilities
  • PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
  • View and modification of .NET internal structures
  • Resource Editor (full support for Windows Vista icons)
  • Support in the Resource Editor for .NET resources (dumpable as well)
  • Hex Editor
  • Import Adder
  • PE integrity checks
  • Extension support
  • Visual Studio Extensions Wizard
  • Powerful scripting language
  • Dependency Walker
  • Quick Disassembler (x86, x64, MSIL)
  • Name Unmangler
  • File Scanner
  • Directory Scanner
  • Deep Scan method
  • Recursive Scan method
  • Multiple results
  • Report generation
  • Signatures Manager
  • Signatures Updater
  • Signatures Collisions Checker
  • Signatures Retriever

TrID - File Identifier

TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard-coded rules, TrID has no such rules. Instead, it is extensible and can be trained to recognize new formats in a fast and automatic way.
TrID has many uses: identifying what kind of file was sent to you via e-mail, aiding forensic analysis, supporting file recovery, etc.
TrID uses a database of definitions which describe recurring patterns for supported file types. As this is subject to very frequent updates, it is made available as a separate package. Just download both TrID and this archive and unpack them in the same folder.

The database of definitions is constantly expanding; the more that are available, the more accurate an analysis of an unknown file can be. You can help! Use the program both to recognize unknown file types and to develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type. The program will do the rest.
Because TrID uses an expandable database, it will never be out of date. As new file types become available you can run the scan module against them and help keep the program up to date. Other people around the world will be doing the same thing, making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.
To get you started, the current library of definitions is up to 3833 file types and growing fast.
TrID is simple to use. Just run TrID and point it to the file to be analyzed. The file will be read and compared with the definitions in the database. Results are presented in order of highest probability.

For more information and download click here.

OllyDump for OllyDebugger

OllyDump is one of the more advanced memory dumping tools. It is easy to use, since it runs inside OllyDbg as a plugin. Once the process is being debugged at runtime, it automatically searches for the PE sections. But this tool does not automatically give you the OEP of a compressed PE file; you still have to find the OEP offset manually and enter it in the OllyDump window. The picture below shows how the OllyDump plugin works for dumping a UPX-packed file.

Simply enter the OEP you found in the Modify box and hit the Dump button to save the dumped file. You can edit the listed sections for your own needs. This lets you dump the PE file easily without having to highlight all the debugged code and choose 'Follow in Dump > Selection', a method that sometimes does not produce an accurate result.

You can find OllyDump here or here.

LordPE Deluxe

LordPE Deluxe has long been one of the greatest tools for dumping processes from memory. It was developed by yoda. Here is what this tool can do:

+ Dump process from memory and save as file.
+ Dump process module
+ Get Basic information about PE header.
+ Rebuild any PE file (realign, wipe relocation, rebuild import table, etc)

The author's website can be reached at http://y0da.cjb.net, but I guess it no longer exists. You can try to get it from here.
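As an added example, not code from any of the tools above, the following Python shows the PE header work these tools do behind their buttons: listing the section table and entry point the way the PEiD and CFF Explorer viewers do, and repairing a raw memory dump by writing the OEP found in the debugger and realigning each section's raw offset and size to its virtual ones, the "realign" step behind OllyDump's Modify box and section list and LordPE's rebuilder. The UPX-style header layout and every value in it are constructed for this example; `locate_headers` returns the optional header offset, the first section header offset and the section count.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_dump():
    # Constructed sample: PE32 headers as a UPX-style packer leaves them, padded to the 0x7000-byte image.
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # Magic = PE32
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIII", opt, 16, 0x6E20, 0x1000, 0x5000, 0x400000, 0x1000, 0x200)
    secs = b""
    for name, vsize, va, rsize, raw in ((b"UPX0", 0x4000, 0x1000, 0x0, 0x400),
                                        (b"UPX1", 0x2000, 0x5000, 0x1600, 0x400)):
        secs += struct.pack(SECTION_HDR, name, vsize, va, rsize, raw, 0, 0, 0, 0, 0xE0000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x7000, b"\0")

def locate_headers(img):
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", img, coff + 2)[0], struct.unpack_from("<H", img, coff + 16)[0]
    return coff + 20, coff + 20 + opt_size, nsec

def read_sections(img):
    # [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)] as a PE viewer shows them
    _, first, nsec = locate_headers(img)
    rows = [struct.unpack_from("<8sIIII", img, first + 40 * i) for i in range(nsec)]
    return [(n.rstrip(b"\0").decode(), vs, va, rs, raw) for n, vs, va, rs, raw in rows]

def entry_point(img):
    return struct.unpack_from("<I", img, locate_headers(img)[0] + 16)[0]

def fix_dump(dump, oep_rva):
    # Make a raw memory dump loadable again: write the OEP found in the debugger and map
    # each section's file offset/size onto its virtual address/size (the "realign" step).
    img = bytearray(dump)
    opt, first, nsec = locate_headers(img)
    struct.pack_into("<I", img, opt + 16, oep_rva)                       # AddressOfEntryPoint
    align = struct.unpack_from("<I", img, opt + 32)[0]
    struct.pack_into("<I", img, opt + 36, align)                          # FileAlignment := SectionAlignment
    for i in range(nsec):
        f = list(struct.unpack_from(SECTION_HDR, img, first + 40 * i))
        f[3] = -(-f[1] // align) * align                                   # SizeOfRawData := aligned VirtualSize
        f[4] = f[2]                                                        # PointerToRawData := VirtualAddress
        struct.pack_into(SECTION_HDR, img, first + 40 * i, *f)
    return bytes(img)
```

In the sample, UPX0 has a raw size of zero on disk, so a dump written with the original headers would load nothing into it; after `fix_dump` both sections point at the bytes the process actually had in memory.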