
OpenRCE Hosted Downloads

Latest Additions and Updates
Name Author Category Description Excerpt Last Updated
oSpy Ole Andre Vadla Ravnaas Standalone oSpy is a tool which aids in reverse-engineering software running ... Apr 5, 2009
IDA Stealth Plugin memger IDA Plugins IDA Stealth is a plugin which aims to hide the IDA debugger from ... Mar 25, 2009
PatchDiff 2 nicoP IDA Plugins PatchDiff2 is a plugin for the Windows version of the IDA ... Feb 12, 2009
mIDA nicoP IDA Plugins mIDA is a plugin for the IDA disassembler that can extract RPC ... Oct 21, 2008
Process Heap Viewer Nagareshwar Standalone This is the tool to enumerate process heaps on windows. It uses ... Oct 5, 2008


Categorized Downloads
Name Author Description Excerpt Last Updated
IDA Plugins
IDA Stealth Plugin memger IDA Stealth is a plugin which aims to hide the IDA debugger from ... Mar 25, 2009
PatchDiff 2 nicoP PatchDiff2 is a plugin for the Windows version of the IDA ... Feb 12, 2009
mIDA nicoP mIDA is a plugin for the IDA disassembler that can extract RPC ... Oct 21, 2008
IDA Extra Pass Jim Lacy IDA Pro is amazing, IMHO the best disassembler of it's class. But ... Nov 26, 2007
HeapTracer Gerardo Richarte HeapDraw was originally created as a postmortem analisys tool, to ... Jul 7, 2007
IDA Scripts
VtablesStructuresFromPSDK frank boldewin On the flight back from New York i had some time to write... Jul 16, 2007
ClassAndInterfaceToNames frank boldewin This small IDAPython script scans an idb file for class a... Jun 16, 2007
VB Helper Script Reginald Wong This IDC script will show the vb header in some detail po... Jun 4, 2007
Microsoft VC++ Reversing Helpers Igor Skochinsky These IDC scripts help with the reversing of MSVC program... Sep 21, 2006
Scrabble Itzik Finds refactorable code parts that could be used during e... Aug 7, 2006
OllyDbg Plugins
OllyScript SHaG OllyScript is a plugin for OllyDbg, which is, in my opini... Nov 20, 2007
Catcha! mikado Sometimes you don't know how to start a program correctly... Jul 6, 2007
OllySSEH Mario Ballano This plugin does an in-memory scanning of process loaded ... May 21, 2007
Modified CmdLine Plug-in anonymouse This plug-in is a modified version of the default command... Apr 29, 2007
Olly Advanced MaRKuS_TH-DJM This general purpose plug-in exposes a number of advancem... Mar 13, 2007
OllyDbg OllyScripts
ACProtect 2.0 ColdFever OEP + IAT, OS: WinXP SP2 Pro Note: This script won't w... Feb 8, 2007
Stone's PE-ExeEncrypter v1.13 - Find target's OEP DeAtH HaS cOMe Find the OEP of a given target. Apr 1, 2005
WinKripT v1.0 - Find target's OEP DeAtH HaS cOMe Apr 1, 2005
ExeStealth v3.04 and Morphine v2.7 haggar Finds OEP on ExeStealth3.04/Morphine2.7 packed programs (... Mar 29, 2005
eXPressor 1.2 OEP Finder haggar This script finds the OEP. Mar 25, 2005
Standalone Tools
oSpy Ole Andre Vadla Ravnaas oSpy is a tool which aids in reverse-engineering software... Apr 5, 2009
Process Heap Viewer Nagareshwar This is the tool to enumerate process heaps on windows. I... Oct 5, 2008
ImmDbg nicowow Immunity Debugger is a powerful new way to write exploits... Aug 8, 2007
PaiMei Pedram Amini Update: Project website is now at http://paim... May 22, 2007
JDO: Java Deobfuscator chris A Java Class Deobfuscator, with support for auto-deobfusc... Jan 25, 2007
Other / Un-categorized
Tron Alan Bradley Tron is a kernel driver that you can load into a non-SMP ... Oct 5, 2006
ADHD - Another Debugger Hiding Driver Alan Bradley ADHD - Another Debugger Hiding Driver This is a kernel... Oct 5, 2006
APIAddress Erawtfos Simple graphical utility for translating resolving the li... Jun 20, 2006
AppInit Hot Code Patching Vinay A. Mahadik This utility is essentially a combination of the "Ap... Mar 2, 2006
VS6 IDA Plugin AppWizard theCaller This plug-in is for Visual C++ 6.0 to assist developers o... Oct 10, 2005


Last 5 User Repository Uploads
  Username Filename Size Upload Date
QvasiModo         winappdbg-1.2.win32.exe 380 KB Jun 30 2009
What is WinAppDbg?
==================

The WinAppDbg python module allows developers to quickly code instrumentation
scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides
an object-oriented abstraction layer to manipulate threads, libraries and
processes, attach your script as a debugger, trace execution, hook API calls,
handle events in your debugee and set breakpoints of different kinds (code,
hardware and memory). Additionally it has no native code at all, making it
easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to
test / fuzz Windows applications with quickly coded Python scripts. Several
ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open
source diStorm project, see http://ragestorm.net/distorm/), debugging multiple
processes simultaneously, and producing a detailed log of application crashes,
which is useful for fuzzing and automated testing.
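The following is an added example, not code shipped with WinAppDbg or taken from this page. It shows the workflow the description above outlines: run a target under the debugger, hook an API call (kernel32!CreateFileW), handle exception events, and keep one crash record per distinct bucket so a fuzzing loop does not log the same bug over and over. The WinAppDbg names used (Debug, EventHandler, the apiHooks table, pre_<API> hook methods, and the event/process/thread accessors) are assumed to match the 1.x API; the import is guarded so the pure-Python crash-bucketing helpers also load on a machine without WinAppDbg.

```python
"""Added example (not from the WinAppDbg package or this page): a small
WinAppDbg-style instrumentation script that runs a target under the
debugger, hooks kernel32!CreateFileW, and keeps one record per distinct
crash so a fuzzing run does not log the same bug repeatedly.  The WinAppDbg
names used (Debug, EventHandler, apiHooks, pre_<API> hooks, event/process/
thread accessors) are assumed to match the 1.x API; the import is guarded so
the crash-bucketing helpers also run without it."""
import hashlib
import sys

try:
    from winappdbg import Debug, EventHandler     # Windows + winappdbg only
except ImportError:                               # keep the module importable
    Debug, EventHandler = None, object


def crash_signature(exception_code, pc, return_addresses, depth=5):
    """Bucket key for a crash: exception code, faulting pc and the first
    `depth` return addresses.  Same key => treated as the same bug."""
    frames = ",".join("%08x" % ra for ra in return_addresses[:depth])
    data = "%08x|%08x|%s" % (exception_code, pc, frames)
    return hashlib.sha1(data.encode()).hexdigest()[:16]


class CrashLog:
    """One report per signature; record() is True only for a new bucket."""
    def __init__(self):
        self.reports = {}

    def record(self, signature, report):
        if signature in self.reports:
            return False
        self.reports[signature] = report
        return True

    def count(self):
        return len(self.reports)


class FuzzHandler(EventHandler):
    # API name and parameter count: the hook table format WinAppDbg 1.x expects
    apiHooks = {"kernel32.dll": [("CreateFileW", 7)]}

    def __init__(self, log):
        super().__init__()
        self.log = log
        self.opened = []          # paths the debugee tried to open

    # Runs before CreateFileW: ra is the return address into the caller,
    # followed by the API parameters in order (the first is lpFileName).
    def pre_CreateFileW(self, event, ra, lpFileName, *_rest):
        path = event.get_process().peek_string(lpFileName, fUnicode=True)
        self.opened.append(path)
        print("[pid %d] CreateFileW(%r) called from %#x" % (event.get_pid(), path, ra))

    # Generic exception callback; first-chance exceptions are left to the
    # target's own handlers, only unhandled (second-chance) ones are logged.
    def exception(self, event):
        if event.is_first_chance():
            return
        thread = event.get_thread()
        pc = thread.get_pc()
        trace = [ra for (_fp, ra, _lib) in thread.get_stack_trace()]
        sig = crash_signature(event.get_exception_code(), pc, trace)
        report = "%s at %#x in pid %d, signature %s" % (
            event.get_exception_name(), pc, event.get_pid(), sig)
        if self.log.record(sig, report):
            print("NEW CRASH:", report)


def run(argv, log):
    """Start argv under the debugger, pump events until exit, return crash count."""
    if Debug is None:
        raise RuntimeError("winappdbg is not installed (Windows only)")
    debug = Debug(FuzzHandler(log))
    try:
        debug.execv(argv)      # or debug.attach(pid) for a running process
        debug.loop()
    finally:
        debug.stop()
    return log.count()


if __name__ == "__main__":
    print("distinct crashes:", run(sys.argv[1:], CrashLog()))
```

Run it as `python fuzzhook.py target.exe testcase.bin` on Windows with WinAppDbg installed. Bucketing on exception code, faulting address and the top return addresses is deliberately coarse: it collapses repeated hits of the same crash site while still separating different faulting paths, which is what a crash triage log needs from a fuzzing run.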


Where can I find WinAppDbg?
===========================

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

    http://winappdbg.sourceforge.net/

It's also hosted at the Python Package Index (PyPi):

    http://pypi.python.org/pypi/winappdbg/1.2
QvasiModo         winappdbg-1.2.tar.bz2 129 KB Jun 30 2009
Sirmabus         Class_Informer101.zip 386 KB Apr 2 2009

"Class Informer"
=========================================================
IDA Pro 5.xx Win32 class vftable finder, namer, fixer, lister plug-in.
Version 1.01, April 2009
By Sirmabus

---------------------------------------------------------

Scans an MSVC 32-bit target IDB for vftables with C++ RTTI and MFC RTCI type
data. Places structure defs, names, labels, and comments to make sense of
class vftables ("Virtual Function Tables") and make them easier to read as an
aid to reverse engineering.
Creates a list window with the found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx

It is currently targeted specifically at Microsoft Visual C++ 32-bit compiled
binaries only. It will give unpredictable results if used on other targets.

It currently assumes the normal layout, with vftables in ".rdata" and code in
the ".text" segment; other segment layouts are only partially handled.

Based on the article and IDC scripts by Igor Skochinsky:
http://www.openrce.org/articles/full_view/23
http://www.openrce.org/downloads/details/196

And derivative work:
http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf


-- [Install] --------------------------------------------
Copy the plug-in to your IDA Pro 5.xx "plugins" directory.
Then edit your "..\plugins\plugins.cfg" to set up a hotkey.

I.e., add these two lines:

; Sirmabus "Class Informer" plug-in
Class-Informer IDA_ClassInformer_PlugIn.plw Alt-7 0

See IDA documentation for more on installing and using plug-ins.


-- [How to run it] --------------------------------------
Invoke as typical in IDA with hot key, or through IDA's Edit->Plugins menu.

If you are working on a target you unpacked yourself, fix the PE sections
first and name the ".text" and ".rdata" segments you want to examine.

It will typically run from a few seconds to several minutes, depending on the
size of the target and generally how fast your machine is (with hard drive
speed being a contributing factor).
Since version 1.01, placing structures is only about 2x slower, not 40x,
so using the "place structures" option is less of a burden.

Try using my "Extra Pass" plug-in first for best results, as the ".text" clean-
up might expose more validated tables.

On completion a list window will come up showing any found vftables and
their class information.
Click on a line to jump to it.

If you want to save the list to text file, get a debug output viewer like
Mark Russinovich's excellent "DebugView" at:
http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx

Example list output:
0046769C 077 CEdit:CWnd, CCmdTarget, CObject;  (SI)

This is: vftable address, method count, then the class hierarchy, ended with
some additional class info.
To make things easier to read, all known type names are considered to be a
"class" unless explicitly preceded by "struct" to indicate a structure type.

The additional info at the end:
"(SI)" single inheritance hierarchy, "(MI)" multiple inheritance,
"(VI)" virtual inheritance, or "(MI VI)" multiple virtual inheritance.
If none of these is present, the entry is an MFC 'RTCI' type.
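The following is an added example, not Class Informer's code or Igor Skochinsky's scripts. It is a toy scanner, in plain Python over an in-memory image, that finds vftables the way the plug-in describes for 32-bit MSVC binaries: the dword just before a vftable points to an RTTICompleteObjectLocator, which points to the class's TypeDescriptor (mangled ".?AV..." name) and to its ClassHierarchyDescriptor, whose BaseClassArray lists the class and its bases; the attributes word of the hierarchy descriptor gives the MI/VI flags. It emits lines in the same "address, method count, hierarchy, (SI/MI/VI)" shape as the list output above. The image, section ranges, class names and method counts are constructed for the example; MFC RTCI data is not handled.

```python
"""Added example, not code from Class Informer or this page: a toy scanner
for 32-bit MSVC RTTI (COL pointer before the vftable -> TypeDescriptor and
ClassHierarchyDescriptor -> BaseClassArray) that prints "address, method
count, hierarchy, (SI/MI/VI)" lines.  Image and classes are constructed."""
import struct

BASE  = 0x00400000
TEXT  = (0x00401000, 0x00402000)   # constructed ".text" range (code)
RDATA = (0x00402000, 0x00403000)   # constructed ".rdata" range (vftables, RTTI)
IMAGE = bytearray(0x3000)

def put32(addr, val): struct.pack_into("<I", IMAGE, addr - BASE, val)
def get32(addr):      return struct.unpack_from("<I", IMAGE, addr - BASE)[0]
def inside(addr, rng, size=4): return rng[0] <= addr and addr + size <= rng[1]

def read_cstr(addr, limit=256):
    off = addr - BASE
    end = IMAGE.find(b"\0", off, off + limit)
    return None if end < 0 else IMAGE[off:end].decode("ascii", "replace")

def demangle(mangled):
    """'.?AVCEdit@@' -> 'CEdit', '.?AUtagPOINT@@' -> 'struct tagPOINT'."""
    kind = "struct " if mangled[3] == "U" else ""
    return kind + "::".join(reversed(mangled[4:].rstrip("@").split("@")))

def is_col(addr):
    """RTTICompleteObjectLocator: signature=0, offset, cdOffset, pTD, pCHD."""
    if not inside(addr, RDATA, 20) or get32(addr) != 0:
        return False
    td, chd = get32(addr + 12), get32(addr + 16)
    if not (inside(td, RDATA, 12) and inside(chd, RDATA, 16)):
        return False
    name = read_cstr(td + 8)                      # TD: pVFTable, spare, name
    return bool(name) and name.startswith(".?A") and get32(chd) == 0

def hierarchy(col):
    """Walk CHD -> BaseClassArray -> BaseClassDescriptor -> TypeDescriptor."""
    chd = get32(col + 16)
    attrs, count, bca = get32(chd + 4), get32(chd + 8), get32(chd + 12)
    names = [demangle(read_cstr(get32(get32(bca + 4 * i)) + 8)) for i in range(count)]
    flags = " ".join(f for bit, f in ((1, "MI"), (2, "VI")) if attrs & bit) or "SI"
    return names, flags

def scan_vftables():
    """Every dword in .rdata that points at a valid COL starts a vftable."""
    rows = []
    for slot in range(RDATA[0], RDATA[1] - 4, 4):
        col = get32(slot)
        if not is_col(col):
            continue
        vft, n = slot + 4, 0
        while inside(vft + 4 * n, RDATA) and inside(get32(vft + 4 * n), TEXT):
            n += 1                                # consecutive code pointers
        if n == 0:
            continue
        names, flags = hierarchy(col)
        desc = names[0] + (":" + ", ".join(names[1:]) if len(names) > 1 else "")
        rows.append((vft, n, "%08X %03d %s;  (%s)" % (vft, n, desc, flags)))
    return rows

# ---- constructed sample image: CEdit : CWnd : CCmdTarget : CObject ----
class Bump:
    def __init__(self, at): self.at = at
    def alloc(self, size):
        self.at = (self.at + 3) & ~3
        addr, self.at = self.at, self.at + size
        return addr

def build_sample_image():
    """Lays out the RTTI data and vftables; returns {class name: vftable}."""
    IMAGE[:] = bytes(len(IMAGE))
    b, tds = Bump(RDATA[0] + 0x100), {}
    def td(name):
        if name not in tds:
            raw = (".?AV%s@@" % name).encode() + b"\0"
            tds[name] = a = b.alloc(8 + len(raw))
            put32(a, RDATA[0] + 0x10)                   # type_info vftable (dummy)
            IMAGE[a + 8 - BASE:a + 8 - BASE + len(raw)] = raw
        return tds[name]
    def cls(name, bases, attrs, nmethods):
        bcds = []
        for c in [name] + bases:                        # one BaseClassDescriptor each
            d = b.alloc(24); put32(d, td(c)); bcds.append(d)
        bca = b.alloc(4 * len(bcds))
        for i, d in enumerate(bcds): put32(bca + 4 * i, d)
        chd = b.alloc(16)                               # ClassHierarchyDescriptor
        for i, v in enumerate((0, attrs, len(bcds), bca)): put32(chd + 4 * i, v)
        col = b.alloc(20)                               # CompleteObjectLocator
        for i, v in enumerate((0, 0, 0, td(name), chd)): put32(col + 4 * i, v)
        slot = b.alloc(4 * (nmethods + 1))              # COL ptr, then methods
        put32(slot, col)
        for i in range(nmethods): put32(slot + 4 + 4 * i, TEXT[0] + 0x10 * (i + 1))
        return slot + 4
    return {"CObject":    cls("CObject", [], 0, 4),
            "CCmdTarget": cls("CCmdTarget", ["CObject"], 0, 6),
            "CWnd":       cls("CWnd", ["CCmdTarget", "CObject"], 0, 60),
            "CEdit":      cls("CEdit", ["CWnd", "CCmdTarget", "CObject"], 0, 77),
            "CMixin":     cls("CMixin", ["CObject", "CCmdTarget"], 1, 3)}  # MI bit

if __name__ == "__main__":
    build_sample_image()
    for _, _, line in scan_vftables():
        print(line)
```

The validation in is_col is what keeps false positives down on a real binary: a candidate must sit in .rdata, have a zero signature, and both its TypeDescriptor (whose name must start with ".?A") and its ClassHierarchyDescriptor must resolve inside the data segment. The method count is simply the run of consecutive pointers into .text after the table start, which is also why the plug-in asks you to fix up segment names first on a target you unpacked yourself: the section ranges are the check.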

Built with the latest IDA SDK and tested on versions 5.2 and 5.3.


-- [Design] -------------------------------------------

I read Igor Skochinsky's excellent article "Reversing Microsoft Visual C++"
some time ago. But only recently tried his IDC scripts accompanying the article.
I was amazed at how well it worked in identifying vftables with type info and
how it cleaned the IDB up (a large MSVC compiled target).

IMHO it can't be overlooked if you're RE'ing MSVC C++ targets.
I wanted to put it into a plug-in for speed, flexibility, and as a general test
bed for R&D on the area.

I originally wanted to have automatic member naming.
The idea being to take the class name and at least partially naming
member functions (mostly ignoring calling and returning arguments).
But decided it probably isn't that useful.
And there will probably be a lot of redundancy that can end up in custom sigs,
as noise.
For the same reason I did not use the ctor and dtor identifications
found in Igorsk's scripts.

For my RE work I just want to see these classes by name, and where to find
them for examination.

Essentially, it works a lot like Igorsk's scripts, with some differences like
doing MFC 'RTCI' types, placing type structures (rather than the individual
fields), and doing static/global ctor/dtor processing.


I got tired of IDA's only partially functioning wait box, so I
sub-classed it. Should now have near instant cancel when you click the "Cancel"
button or press the "break" key.
And to better show progress, I fancied it up a bit with a progress bar,
and an indicator w/text animation.


-- [Known problems] -----------------------------------

For some odd reason, when you first load an IDB and activate the plug-in, IDA does
something that causes it to be active (in plug-in terms "autoIsOk() == FALSE").
Just invoke the plug-in again to get past it.

Please report any (other) problems and/or errors to me at openrce.org
or woodmann.com.

-- [Changes] ------------------------------------------

1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is loaded!
          Just displays a "not loaded" log message now.
       2) Fixed IDA tab page update issue.
       3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
       4) Fixed incorrect string placement in the RTTI type info struct.
          Now the structures are right, which makes a cleaner DB.
          This was a major bottleneck that caused the structure placement to be about
          36x slower, now only about 1x.
       5) Fixed some misspellings.

-- [TODO] ---------------------------------------------
Get compiler specific info for at least other popular compilers (Intel,
Borland, GCC, etc).


- Sirmabus


Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability or fitness for any particular use. It may contain bugs, so use
of this software is at your own risk.  The author(s) are not responsible for
any damage that may be caused through its use.
apridgen         IDACompare5.4_patched.zip 35 KB Mar 5 2009
The archive contains the original source file, the modified source file, a diff of the two, and a compiled version of the IDACompare plugin for IDA Pro 5.4.
RolfRolles         ReWolfCompiler.ml 41 KB Feb 6 2009


Users With Repository Entries AlanBradley, AlexIonescu, anonymouse, apridgen, camill8, codypierce, daeken, deft, dennis, drew, e0n, Faithless, GynvaelColdwind, halvar, hoglund, itsme, jms, joestewart, Kostya, luis, MohammadHosein, nezumi, nummish, Paolo, pedram, peter, Piotr, PSUJobu, QvasiModo, randori82, RolfRolles, Sirmabus, Soul12, tnagareshwar, vam, zen

