Channel: Tuts 4 You : Downloads

Xbox360 Xex Loader 6.6

These loaders let you load an xex file directly into IDA without having to do any preprocessing first. The accompanying Xbox360.xml file contains lists of imports that are used to name functions imported into the xex being disassembled.

While this was built with the IDA SDK v6.4, it may well still work fine with earlier versions of IDA. I haven't tested this however.

WinDbg 6.3.9600.16384

WinDbg is a multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. It is a GUI application, but it has little in common with the better known, but less powerful, Visual Studio Debugger.

WinDbg can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death which occurs when a bug check is issued. It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging.

WinDbg also has the ability to automatically load debugging symbol files (e.g., PDB files) from a server by matching various criteria (e.g., timestamp, CRC, single or multiprocessor version). This is a very helpful and time-saving alternative to creating a symbol tree for a debugging target environment. If a private symbol server is configured, the symbols can be correlated with the source code for the binary. This eases the burden of debugging problems that have various versions of binaries installed on the debugging target by eliminating the need to find and install specific symbol versions on the debug host. Microsoft has a public symbol server that has most of the public symbols for Windows 2000 and later versions of Windows (including service packs).

SmartDec 0.0.4

SmartDec is a native code to C/C++ decompiler.

- Handles all executable file formats supported by the disassembler.
- Benefits from IDA’s signature search, parsers of debug information, and demanglers.
- Decompiles a chosen function or the whole program by push of a button.
- Allows easy jumping between the disassembler and the decompiled code.
- Fully integrated into IDA’s GUI.

ScyllaHide 1.2 (1)

ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
- NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList - EnumWindows
- NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
- NtUserQueryWindow
- NtClose
- NtCreateThreadEx
- BlockInput
- Remove Debug Privileges
- OutputDebugStringA - OutputDebugStringW

Timing Hooks:
- GetTickCount
- GetTickCount64
- GetLocalTime
- GetSystemTime
- NtQuerySystemTime
- NtQueryPerformanceCounter

Special functions:
- Prevent thread creation - for protectors like Execryptor. Only use if you know what you are doing!
- Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

Hooks:
- Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

PPC Altivec 1.8

This plugin for IDA was originally written by Dean Ashton to add support for Altivec/VMX instructions to IDA's normal PPC processor module.

Dean did the hard work in creating and setting up this plugin, and since then many other people including myself have taken advantage of the existing source code to add more instructions and tweaks to support a variety of other special instructions. It now supports the extra instructions used by Xbox360, PS3, Gamecube and Wii, as well as the original Altivec and VMX instructions.

OllyTraceGraph 0.2.0

OllyTraceGraph is a modification made by Jan Beck of OllyGraph by Austyn Krutsinger. It creates a visual compiler graph (VCG) file for OllyDbg 2.01 that is readable by wingraph32, provided by hex-rays.

Multiline Ultimate Assembler 2.3 (2)

Multiline Ultimate Assembler (formerly MUltimate Assembler) is a multiline (and ultimate) assembler (and disassembler) plugin for OllyDbg. It's a perfect tool for modifying and extending a compiled executable's functionality, writing code caves, etc.

General:

- MUltimate Assembler is a multiline (and ultimate) assembler (and disassembler)
- To disassemble code, select it, and choose "MUltimate Assembler" from the right click menu
- To assemble code, click the Assemble button in the assembler window

Rules:

- You must define the address your code should be assembled at, like this: <00401000>
- You can use any asm commands that OllyDbg can assemble
- You can use RVA (relative virtual) addresses with a module name, like this: $module.1000 or $"module".1000, or $$1000 to use the module of the address definition (e.g. <$m.1000>PUSH $$3 is the same as <$m.1000>PUSH $m.3)
- You can use labels, which must begin with '@' and contain only letters, numbers, and _
- You can use anonymous labels, which are defined as '@@' and referred to as @b (or @r) for the preceding label and @f for the following label
- You can use C-style strings for text and binary data (use the L prefix for Unicode)

Example:

<00401000>    NOP ; This is a nop
    JMP SHORT @f

@str:
    "Hello World!\0"
    ; L"Hello World!\0" ; for unicode

@@:
    PUSH @str
    CALL @print_str
    RET

<00401030>@print_str:
    RET 4 ; TODO: Write the function

Bypass Antivirus Dynamic Analysis

« Antivirus are easy to bypass », « Antivirus are mandatory in defense in depth », « This Cryptor is FUD » are some of the sentences you hear when doing research on antivirus security. I asked myself, hey, is it really that simple to bypass AV? After some research I came (like others) to the conclusion that bypassing antivirus consists of two big steps:

- Hide the code which may be recognized as malicious. This is generally done using encryption.
- Code the decryption stub in such a way that it is not detected as a virus nor bypassed by emulation/sandboxing.

In this paper I will mainly focus on the last one, how to fool antivirus emulation/sandboxing systems.

I’ve set myself a challenge to find half a dozen ways to make a fully undetectable decryption stub (in fact I found way more than that). Here is a collection of methods. Some of those are very complex (and most “FUD cryptor” sellers use one of these). Others are so simple I don’t understand why I’ve never seen them before. I am pretty sure underground and official virus writers are fully aware of these methods, so I wanted to share them with the public.

Mapimp 1.0

This is an open source OllyDbg plugin which will help you to import map files exported by IDA or Dede. There are many plugins that can perform similar actions, but mapimp:

- Recognizes the debugged file's segments and applies names correctly
- Has an option to overwrite or skip names that intersect already defined ones
- Has a filter option which gives you great name demangling potential

• Filter
The main idea is to apply a series of masks to every single name loaded. Mask syntax goes as follows:

/key[/]regex

Key "c" cuts the matched substring selected by regular expression.

[SAMPLE]
name: System::__linkproc__ GetMem(int)
mask: /c__linkproc__
applied: System::GetMem(int)
[/SAMPLE]

Key "s" skips the name if regular expression succeeds. It may be useful if you want to skip some dummy or incorrect names.

[SAMPLE]
name: unknown_libname_2519
mask: /sunknown_libname_
applied:
[/SAMPLE]

Key "r" replaces the substring selected by regular expression with your own.

/rsubstring/regex

As you can see, the slash character delimits your substring from the regular expression. Use a double slash to define a slash as a character of your substring.

[SAMPLE]
name: System@Function(System@AnsiString;System@AnsiString)
mask: /rsys::/System@
applied: sys::Function(sys::AnsiString;sys::AnsiString)

name: System@Function(System@AnsiString;System@AnsiString)
mask: /r//_/@
applied: System/_Function(System/_AnsiString;System/_AnsiString)
[/SAMPLE]

Remember that if the name meets the mask condition it will be changed, then the second mask is applied to the changed name, and so on. The order in which masks are applied is undefined, so be careful, because some masks may intersect.

As for regular expressions, the plugin uses the PCRE library, whose syntax is compatible with Perl regular expressions. Check www.pcre.org for docs and sources.

SigCreator 0.2

SigCreator is a reproduction of "SigMaker 0.4" for the new OllyDbg version 2.xx.

SigCreator generates all the information needed for using the selected signature in your code. Furthermore, it will give you a list of all occurrences of the signature in the current module.

Result:
-------

Address // Address of signature occurrence
Modulebase // Base address of the module
Offset // Offset from base address to the signature
Signature // Signature in code design
Mask // Mask of signature in SigMaker-Style


Note: SigCreator menu will only appear in the disassembler menu.
Note: You can copy the results with the shortcut "Ctrl+C" or via the popup menu.

IDA Sploiter 1.0

IDA Sploiter is a plugin for the Hex-Rays IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, an interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others.

The motivation for the development of IDA Sploiter was to make IDA Pro a comfortable, powerful and integrated environment for vulnerability research and exploit development. The plugin is designed to make many repetitive and time consuming tasks as effortless and natural as possible, so you can concentrate on other more challenging aspects of exploit development.

To make the work with the plugin convenient, IDA Sploiter closely integrates with the IDA UI and exposes its functionality and various configurations through various views and forms. The plugin's logic uses IDA's powerful disassembly engine and various debugger plugins. As a result, IDA Sploiter can take advantage of many of IDA's unique features (e.g. building ROP chains remotely on a lab machine while effortlessly switching between debugger plugins).

In the user guide below, you will find a comprehensive discussion of various plugin features and their sample use. Most of the sections are independent of each other, so you are welcome to jump ahead or read through the entire guide.

PluginMaster 1.00

I once made a program called PluginMaster. It can organise various plugin DLL files by reading the plugin export for its name and allowing you to rename the plugin with descriptive names.

The main function, however, is what you can do with the plugins: PE-identifier and unpacker plugins (PE Explorer, RDG, PE-Tools, Quick Unpack etc.) can be converted to PEiD plugins, or into stand-alone exes.

Also, (unpacked!) OllyDbg v1.10 plugins are converted to 'AnyDbg' plugins, and as the name suggests they can be loaded in any patched version of OllyDbg v1.10, or ImmDbg v1.xx, without any further changes. This makes it possible to have just one folder of 'AnyDbg' plugins for many different patched versions of OllyDbg or Immunity Debugger.

Supported Plugin Types and Supported Features:
- PEiD (http://PEiD.info/): Convert Plugin -> Exe
- PE Explorer (http://heaventools.com/): Convert Plugin -> Exe, Convert Plugin -> PEiD Plugin
- PE-Tools (http://www.uinc.ru/): Convert Plugin -> Exe, Convert Plugin -> PEiD Plugin
- DiE (http://hellspawn.nm.ru/): Convert Plugin -> Exe, Convert Plugin -> PEiD Plugin
- RDG Packer Detector (http://www.rdgsoft.8k.com/): Convert Plugin -> Exe, Convert Plugin -> PEiD Plugin
- Immunity Debugger (http://www.ImmunityInc.Com/): Make Plugin work with all OllyDbg variants
- OllyDbg 1.10 (http://www.ollydbg.de/): Make Plugin work with all OllyDbg variants
- SnD OllyDbg (http://Tuts4You.Com/): Make Plugin work with all OllyDbg variants
- DeRoX OllyDbg (http://Tuts4You.Com/): Make Plugin work with all OllyDbg variants
- FOFF Team OllyDbg (http://foff.astalavista.ms/): Make Plugin work with all OllyDbg variants
- PECompact Codec (http://bitsum.com/): Detection only
- PECompact Hook (http://bitsum.com/): Detection only
- PECompact Loader (http://bitsum.com/): Detection only
- Quick Unpack (http://Tuts4You.Com/): Convert Plugin -> Exe, Convert Plugin -> PEiD Plugin
- Quick Unpack OEP (http://Tuts4You.Com/): Convert Plugin -> Exe, Convert Plugin -> PEiD Plugin
- ImpRec Tracer (http://Tuts4You.Com/): Detection only
- LordPE Dumper Engine (http://y0da.cjb.net): Detection only
- SoftSnoop (http://y0da.cjb.net): Detection only

Fine Grain Cross-VM Attacks on Xen and VMware

This work exposes further vulnerabilities in virtualized cloud servers by mounting Cross-VM cache attacks in Xen and VMware VMs targeting AES running in the victim VM. Even though there exists a rich literature on cache attacks on AES, so far only a single work, demonstrating a working attack on an ARM platform running an L4Re virtualization layer, has been published. Here we show that AES in a number of popular cryptographic libraries, including OpenSSL, PolarSSL and Libgcrypt, is vulnerable to Bernstein’s correlation attack when run in Xen and VMware (bare metal version) VMs, the most popular VMs used by cloud service providers (CSP) such as Amazon and Rackspace. We also show that the vulnerability persists even if the VMs are placed on different cores in the same machine. The results of this study show that there is a great security risk to AES (and data encrypted under AES) on popular cloud services.

RDG Packer Detector 0.7.3.2014

RDG Packer Detector is a detector of packers, cryptors, compilers, scramblers, joiners and installers.

+ New Symbols
+ Windows 7 Compatible
+ Windows 8 Compatible
+ Fewer False Positives
+ Increased Stability
+ 32/64 bit PE Detection

- Fast detection system.
- Powerful detection system that analyzes the entire file, enabling detection of multi-packers in several cases.
- Allows you to create your own detection signatures.
- Cryptographic analyzer.
- Allows you to calculate the checksum of a file.
- Allows you to calculate entropy, indicating whether the analyzed program is compressed or encrypted.
- OEP (Original Entry Point) detector.
- Checks for and downloads signatures.
- Plug-in loader.
- Signature converter.
- Detector of entry point distorters.
- Binder attachment puller.
- Enhanced heuristic system.

IDA Pomidor 1.0

IDA Pomidor is a fun and simple plugin for the Hex-Rays IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions.

The plugin uses a Pomodoro Technique©, a popular time management technique which works as follows:

- Decide on a task you want to accomplish and set a timer for 25 minutes (one Pomidor)
- Once the timer expires, take a 5 minute break.
- Every fourth break, take a longer 15 minute break.

The plugin will automatically pop up after each "Pomidor" (Pomidor means tomato in Russian) to remind you to take a break. As a personal suggestion, I would recommend stepping away from the computer and doing anything that takes your mind off that malware (e.g. physical exercise, or the chores if you are at home). IDA Pomidor helped me stay focused throughout the day and I hope it will help you as well.