Sample code showing how to use Control Flow Guard to intercept all indirect calls/jumps in CFG-enabled binaries
IDA loader plugin to properly load ELF32 files whose Section Header is missing or corrupted (the Section Header is never used when an ELF file is loaded into memory)
IDA Python script to mark jcc/jmp/call/ret inside a given procedure with different colors for easier (or "harder") analysis
Tool which traces execution of a program with Pin and logs the execution path. Produces a log file which can be imported into IDA so that the parts of code executed more often are highlighted. x32/x64, both Windows and Linux
Immunity Debugger Plugin which allows Immunity Debugger to use SoftICE and WinDbg key mapping
Console tool to list all tables from a .NET binary. With minor changes it can be used on other systems as well
IDA plugin to extract, save, and view resources from IDA
Simple unpacker template which uses my tracer.sys (custom debug engine) to unpack some simple packers (upx/aspack/fsg/maybe some more!?)
This tool will dump symbols and Service Call Numbers from win32k.sys
Tool to dump x64 targets and to fix imports. It uses the 1API = 1IID technique for import fixing, ported to x64 platforms. My blog entry at the woodmann board:
Imports are easy to fix
Source code of the first public x64 unpacker. It also has separate code for import table rebuilding, so you may include it in your own projects if you want
Tool to display some information about the windows on your desktop.
Small unpacker for mpress-packed x64 images. Seems to be the first public unpacker for x64 images...
Code allows you to break at the entry of a .dll for easier debugging. Useful only for SoftICE users or for writing unpackers. The dll is loaded in 2 ways: manually or via LoadLibraryEx, depending on the options selected on the command line
Generic Unpacker is an unpacker for some simple packers; it uses a modified (added MP support) Dream Of Every Reverser Engine to trace execution of the target. Source is included, as this is a "How to make an unpacker" example
TheMida Spy gives you the ability to break in the kernel32 and advapi32 dlls during TheMida layer execution
Demonstrates a novel attack in hooking dlls. Basically the old dll is replaced in the PEB with a new dll in such a way that whenever GetModuleHandleA/W, LoadLibraryA/W etc. is called it will get a handle to my dll, and then I can log or fake data when an API is called from my .dll.
Code to execute your target from the context of explorer.exe. I'm not a guy who likes GUIs much and I do almost all of my job in the console, so when some crackme from www.crackmes.de wants to be started by clicking on it, then I use this code.
Locate the OEP of a Debugblocker-protected application; during tracing a patch will be applied to the arma code so you can fix imports without a problem. On the other hand there is also the CopyMemII dumper, code which will apply a patch to imports and will dump a CopyMem-protected application in a matter of seconds.
Once the application is dumped, you may use this code to fix SVKP imports very fast.
OepFinder is code which I've developed in some free time for the fun of it; later I used it in my tutorial about ExeCryptor, now I don't use it anymore. The trick with this code is to set PAGE_GUARD on a certain range and monitor when EIP is in the range. It is probably the first code to use stealth debugging, also known as a nonintrusive tracer.
Code was used during themida 1.0.0.5 unpacking, and also for TheHyper Unpackme #2.
Due to the logic of almost all of my dumps, none of the existing import reconstruction engines was good, so I wrote my own which does exactly what I want.