OpenRCE: Downloads

IDA Stealth Plugin

IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll actually implements most of the stealth techniques either by hooking system calls or by patching some flags in the remote process.

oSpy

oSpy is a tool which aids in reverse-engineering software running on the Windows platform. With the amount of proprietary systems that exist today (synchronization protocols, instant messaging, etc.), the amount of work required to keep up when developing interoperable solutions will quickly become a big burden when limited to traditional techniques.

However, when the sniffing is done on the API level it allows a much more fine-grained view of what's going on. Seeing return-addresses for each recv/send call (for example), can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it's easy to intercept these calls as well. oSpy already intercepts one such API, and is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

Another neat feature is when wanting to see how an application behaves when in a firewalled environment. Normally you would have to simulate such an environment by configuring firewalls etc., which not only is time-consuming, but might also cripple the rest of the applications you've got running. oSpy solves this problem by a feature called softwalling which allows you to set rules based on the type of function-call, the return-address, local/remote address/port, etc., and lets you choose which error to signal back to the application when the rule matches. This way you can make the application think that for example a connect() timed out, connection was refused, there was no route to host, etc.

PatchDiff 2

PatchDiff2 is a plugin for the Windows version of the IDA dissassembler that can analyze two IDB files and find the differences between both. PatchDiff2 is free and fully integrates with the latest version of IDA (5.2).
The plugin can perform the following tasks :

* Display the list of identical functions
* Display the list of matched functions
* Display the list of unmatched functions (with the CRC)
* Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs.
Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32 bit and a 64 bit.

mIDA

mIDA is a plugin for the IDA disassembler that can extract RPC interfaces from a binary file and recreate the associated IDL definition. mIDA is free and fully integrates with the latest version of IDA (5.2 or later).
This plugin can be used to :

    * Navigate to RPC functions in IDA
    * Analyze RPC function arguments
    * Understand RPC structures
    * Reconstruct an IDL definition file

The IDL code generated by mIDA can be, most of the time, recompiled with the MIDL compiler from Microsoft (midl.exe).

mIDA is freely distributed to the community by Tenable in the hope it will be useful to you and help research engineers to work more effectively on RPC programs. However, Tenable does not provide support for this tool and offers no garantee regarding its use or output. Please read the end-user license agreement before using this program.

Process Heap Viewer

This is the tool to enumerate process heaps on windows. It uses much better technique than slower Windows heap API functions which makes it faster and efficient. You can enumerate the heaps from normal Windows processes as well as system services. Its very useful tool for anyone involved in analyzing process heaps. Vulnerability researchers can use it as a side tool for discovering heap related vulnerabilities.

Now it comes with integrated search feature which makes it easy to find ASCII as well as Unicode strings within the heap blocks.

This is standalone tool and does not require any installation.

    * Launch ProcHeapViewer by clicking on the binary file. It automatically loads all running processes including services.
    * Select any process from the list. Then all the heap nodes for that process will be displayed.
    * Now you can click on any of the heap nodes to display all the heap blocks within it.
    * Next click on one of the heap block to view its content. You can store this data by clicking on the "save" button. To get back to the main screen, simply click on "close" button.