Sunday, July 29, 2007

McAfee Rootkit Detective v1.1.0.0

McAfee Rootkit Detective 1.0 is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

Features

The following features of this program are designed to proactively detect and clean rootkits from the system:

* The program is not dependent on any signatures and can proactively detect most existing and upcoming rootkits and allow the user to clean them.
* Designed to proactively detect system objects such as processes, files and registry keys that are hidden from the user.
* Provides information about all running processes in the system.
* Provides information about various system hooks such as SSDT (System Service Descriptor Table) hooks and user/kernel IAT/EAT (Import/Export Address Table) hooks.
* Allows the user to clean/remove malicious objects from the system by renaming/deleting the hidden files/registry entries.
* Allows the user to terminate malicious processes.
* Users can submit samples using the submission feature present in the tool.

screen shot: http://vil.nai.com/vil/stinger/rkdui.gif

link: http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip

link 4 all ppl in the world: http://rapidshare.com/files/45724533/mac_rootkitrar.rar
Posted by REM at 13:17:06

Thursday, July 26, 2007

DLL Export Viewer v1.11

This utility displays the list of all exported functions and their virtual memory addresses for the specified DLL files. You can easily copy the memory address of the desired function, paste it into your debugger, and set a breakpoint for this memory address. When this function is called, the debugger will stop at the beginning of this function.

screen shot: http://www.nirsoft.net/utils/dllexp.gif

webpage: http://www.nirsoft.net/utils/dll_export_viewer.html

link:

4 win32: http://rapidshare.com/files/45132358/dllexp.zip

4 x64: http://rapidshare.com/files/45132362/dllexp-x64.zip
Posted by REM at 11:24:28

Process Monitor v1.12

Introduction

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista, as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.

link: http://rapidshare.com/files/45131759/ProcessMonitor.zip
Posted by REM at 11:19:29

ADS remover for y! messenger 8.1.0.413

Hi, a little patch I created for Yahoo Messenger 8.1.0.413 for removing ads, multi yahoo… only for test :)

http://rapidshare.com/files/44072637/yahoo_.messenger.8_1_0_413-patchF.rar
Posted by REM at 10:32:25

Thursday, July 19, 2007

Explorer Suite II

Explorer Suite II (15/07/2007)

http://ntcore.com/exsuite.php

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Download Multi-Platform Version

http://ntcore.com/Files/ExplorerSuite.exe

mirror:

http://rapidshare.com/files/43782926/ExplorerSuite.exe

Download x86 version

http://ntcore.com/Files/ExplorerSuite-x86.exe

mirror:

http://rapidshare.com/files/43782897/ExplorerSuite-x86.exe

Posted by REM at 11:44:43

Friday, July 13, 2007

HeapDraw / HeapTracer


What is HeapDraw / HeapTracer?


HeapDraw was originally created as a postmortem analysis tool, to see how the heap evolved during the life of a process. The idea is that although we may be used to textual output, like that of ltrace or a malloc/free hooking library, it’s much better to see it graphically (in fact I used to make drawings by hand until I realized “WTF am I doing? I have a computer to do it for me!”).

HeapTracer is the new name, adopted after it became a runtime analysis tool.

In the image you can see an example. It’s the heap of ping. The 4 spikes correspond to the 4 packets sent. Before the first spike you can see the initialization, and after the last, the evolution of the heap for the final phase.

In this release you can find four different versions of HeapDraw/HeapTracer, all including full sourcecode:


  • Windows postmortem native version.
  • Linux postmortem native version.
  • IDA plugin, for doing runtime analysis (only a Windows version, for Windows applications)
  • An unfinished python version.

If you are an IDA fan, and like developing for it, you may find interesting the IDA Plugin version, as it’s a relatively complex example of an IDA debugging plugin which opens an OpenGL window to make drawings.

Source code and precompiled versions

We’ve packaged the four versions with their source code and a brief tutorial in a single file:

  • Latest stable release, updated on July 7, 2007

Compiling the source and installing

The package contains a separate directory for every version. Each of these directories contains specific instructions on how to build and run the tool.


Documentation


Licensing


This software is provided under a slightly modified version of the Apache Software License. Feel free to review it here and compare it to the official Apache Software License.


Contact Us


Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss@coresecurity.com.


link:

http://rapidshare.com/files/42714110/HeapDraw-HeapTracer-07-07-07.tar.gz

Posted by REM at 17:47:26

uhooker 1.2

What is uhooker?


The Universal Hooker is a tool to intercept the execution of programs. It enables the user to intercept calls to API functions inside DLLs, and also calls to arbitrary addresses within the executable file in memory.

Why is it ‘Universal’? There are different ways of hooking functions in a program: for example, it can be done by setting software breakpoints (int 3h), hardware breakpoints (CPU debug registers), or overwriting the prologue of a function to jump to a ‘stub’, etc. All the methods mentioned above, especially the latter, require the programmer of the code creating the hook to have certain knowledge of the function it is intercepting. If the code is written in a programming language like C/C++, the code will normally need to be recompiled for every function one wants to intercept, etc.

The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (Python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called at run time.

The Universal Hooker builds on the idea that the function handling the hook is the one with the knowledge about the parameter types of the function it is handling. The Universal Hooker only knows the number of parameters of the function, and obtains them from the stack (all as DWORDs). The hook handler is the one that interprets those DWORDs as the types received by the function.

The hook handlers are written in Python, which eliminates the need for recompiling the handlers when a modification is required. In addition, the hook handlers (executed by the server) are reloaded from disk every time a hook handler is called; this means that one can change the behavior of a hook handler without the need to recompile the code or restart the application being analyzed.
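The division of labour described above, as an added illustration that is not uhooker's own code or API: a generic hook layer that knows only a parameter count and reads that many untyped DWORDs from an x86 stack, and a per-function handler that gives them their types. The stack snapshot, memory map, function names and the hypothetical CreateFileA handler are all constructed here; the reload-from-disk behaviour is not modelled.

```python
import struct

# Constructed "process memory" for pointer arguments the handler dereferences.
FAKE_MEMORY = {0x00401000: b"C:\\lab\\sample.dll\x00"}

# Real Win32 access-mask bits, used only to label the decoded flag argument.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000


def build_stack(ret_addr, *args):
    """Constructed helper: lay out a stack as x86 stdcall leaves it at function
    entry: [return address][arg1][arg2]... as little-endian DWORDs."""
    return struct.pack("<%dI" % (len(args) + 1), ret_addr, *args)


def read_params(stack, nparams):
    """The generic hook layer: skip the return address (4 bytes) and read
    nparams raw DWORDs.  It has no idea what any of them mean."""
    return list(struct.unpack_from("<%dI" % nparams, stack, 4))


def read_cstring(addr):
    """Dereference a char* argument in the constructed memory map."""
    data = FAKE_MEMORY.get(addr)
    return None if data is None else data.split(b"\x00", 1)[0].decode("ascii")


def create_file_handler(params):
    """Hypothetical handler for a CreateFileA hook (7 parameters).  Only the
    handler knows that params[0] is a char* and params[1] an access mask."""
    lp_file_name, dw_desired_access = params[0], params[1]
    access = [name for bit, name in ((GENERIC_READ, "GENERIC_READ"),
                                     (GENERIC_WRITE, "GENERIC_WRITE"))
              if dw_desired_access & bit]
    return {"file": read_cstring(lp_file_name), "access": access}


# Hook table the generic layer consults: function name -> (param count, handler).
HOOKS = {"CreateFileA": (7, create_file_handler)}


def dispatch(func_name, stack):
    """Hook layer entry point: look up the parameter count, read the raw
    DWORDs, and hand them to the typed handler for interpretation."""
    nparams, handler = HOOKS[func_name]
    return handler(read_params(stack, nparams))


def demo():
    # Constructed call: CreateFileA("C:\lab\sample.dll", READ|WRITE, 0, NULL,
    # OPEN_EXISTING(3), FILE_ATTRIBUTE_NORMAL(0x80), NULL)
    stack = build_stack(0x00401234, 0x00401000, GENERIC_READ | GENERIC_WRITE,
                        0, 0, 3, 0x80, 0)
    return dispatch("CreateFileA", stack)
```
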

Win32 binaries

Setup


Quick start:
Download the .zip file and extract it to the OllyDbg directory. The uhooker.dll must be in the OllyDbg directory for it to be loaded as a plugin, and that’s it! Make sure that .py files in Windows are associated with the Python interpreter. For example, if you have a .py file and type ‘myfile.py’ and press Enter in a cmd.exe window and it doesn’t run, the association is not configured correctly.

Requirements

Documentation

Click the following link for an online copy of the documentation and scripts to be used with the uhooker. This page also contains an API reference and sample scripts that are frequently updated.


Known issues

Sometimes it does not work.


Licensing

This software is provided under the following license for non-commercial use.


Contact Us

Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss@coresecurity.com. To contact me, the author, you can reach me at hochoa[ a t ]coresecurity.com

Posted by REM at 17:45:00

Next programs + all source code

LordCHEAT
LordCHEAT is a game trainer. You can use it to cheat in any game with ease. LordCHEAT allows you to monitor & inject a new value at a memory address of your choice.

Features :

AsmPad 
AsmPad is a basic assembly editor that you can use to create simple documents. You can use AsmPad to view, edit or compile assembly files.

Features :

X-Tra Lock
X-Tra Lock locks Windows until you enter the right password, so nobody else can use it while you are away. X-Tra Lock can’t be closed by resetting the computer.

Features :

X-Tweak Pro (XP)
X-Tweak Pro is a special utility to configure and personalize the look and feel of Windows XP. Using an easy-to-use graphical user interface you can configure hundreds of hidden Windows XP settings, from the Start Menu, Desktop, Accessories and Windows Explorer to Internet Explorer. This is something that you cannot do with the regular settings dialogs.

Features :

Smart Screen Capture
Smart Screen Capture is an application to create, save and print images from different areas of your screen. You can capture the entire screen, the current window (including child windows), a selected region, a menu window or Windows games.

Features :

  • Designed to be easy to use, complete & fast
  • Custom shape for the selected area
  • Custom screen area, rect & capture method
  • Capture, save & print arbitrary portions of the screen of any dimensions
  • Can capture any child window that has a disabled or transparent style
  • Can set the captured image as wallpaper
  • etc.

Download: Smart Screen Capture 1.4 [110 kb]

iNFO Viewer
iNFO Viewer is a program to view .NFO & .DIZ files with a beautiful ASCII or ANSI art.

Features :

Notepad R2
Notepad R2 is a more powerful text editor than the standard Windows Notepad. With Notepad R2 you will have more functions & many extra features for text editing. Notepad R2 works on Windows 95/98 (with Riched20.dll v3.0 or above), 98SE, Me, NT, 2k and XP.

Features :

  • URL autodetect and start
  • Automatic save
  • Support for bookmarks
  • Support for Unicode, Unix and Mac text files
  • Useful word, line and block editing shortcuts
  • Unlimited Undo/Redo
  • etc.

Download: Notepad R2 1.2 [75 kb]

Virtual Alkitab
Virtual Alkitab is an electronic Bible program. The program is free (freeware) and is not to be bought or sold for any reason. It is intended as a personal reference and for private use. The whole program is provided as-is and without any guarantee of the accuracy of the content or of the typesetting of the included material. For a more accurate reference, always use the printed Bible of Lembaga Alkitab Indonesia or another official printing.

The Virtual Alkitab program has the standard facilities that support Bible readers, as most Bible readers are used to: a text highlighter for important verses, a note on each verse such as an explanation or the meaning of that verse, and unlimited bookmarks to remember the position of a book, chapter and verse.

Features :

  • Runs on Windows 98, 98SE, ME, NT4, 2000, 2003, XP, Vista
  • Easy and very comfortable navigation (user friendly)
  • Text Highlighter
  • Verse Link (verse synchronisation)
  • Notes can be attached to every verse
  • Bookmarks
  • Search by verse or word
  • Includes cross references, parallel verses, a list of prophecies, parables and a Bible dictionary
  • Support for skins
  • etc.

What’s New: Version History

Download: Virtual Alkitab 3.3 [3.41 mb] - ZIP
(MD5 = 9F07EE3EB146661E440BDB51F6062443)

Beginner

| Name | Size | Compiler | Description |
| --- | --- | --- | --- |
| Image Button | 14 kb | Masm | Example of how to make an image button for Win98 & WinXP |
| Property Sheet | 28 kb | Masm | Property Sheet example |
| GDI example | 9 kb | Masm | GDI example |
| tws | 43 kb | Masm | Transparent Window Shape |
| Ani Cursor | 23 kb | Masm | Example of how to load & show an animated cursor for Win98/NT/XP |
| TreeView-CBRB | 15 kb | Masm | TreeView Control example with CheckBoxes & Radio Buttons |
| LoadRtfFromRes | 15 kb | GoAsm | Example of how to load a *.rtf file from a resource into a RichEdit control, with URL autodetect and start |
| IE Style Menu Bar | 84 kb | Masm | Creating an Internet Explorer-style Menu Bar |
| Time Date Stamp | 11 kb | Masm | Time Date Stamp converter |
| Ms Access Shift Menu | 25 kb | Masm | Ms Access Shift Menu |

Intermediate

| Name | Size | Compiler | Description |
| --- | --- | --- | --- |
| Region Maker 1.2.2 | 45 kb | Masm | Region Maker is a program to create region data for a bitmap |
| Window Hack 3.0 | 102 kb | Masm | Window Hack is a program to spy on and modify windows |
| Secure Delete 1.2 | 44 kb | Masm | Secure Delete is a utility that securely deletes your files so they can never be recovered |
| Magic Clock 1.2 | 22 kb | Masm | Magic Clock is a program to show the clock & date on the foreground window's title bar |
| Enabler Plus 1.2 | 23 kb | Masm | Enabler Plus allows the user to enable disabled windows, menus & controls such as buttons, statics, edit boxes & toolbar items |
| X-Calculator Gold 1.1 | 130 kb | Masm | X-Calculator Gold performs basic arithmetic, bitwise operations (Shl, Rol, Adc, Neg, Xor), hashes (MD5, SHA1, SHA256) and Base64 encode/decode |
| Desktop Lights 1.0 | 36 kb | Masm | Desktop Lights places strings of bulbs around the edges of your screen |

Virtual Alkitab

| Name | Size | Compiler | Description |
| --- | --- | --- | --- |
| VASrc31Disk1 | 250 kb | Masm | Virtual Alkitab (Bible) version 3.1 - Source Code, part 1. Use MasterJoiner to join the files: run MasterJoiner.exe and select VASrc31Disk1.zip to create VASrc31.zip. |
| VASrc31Disk2 | 250 kb | Masm | Virtual Alkitab (Bible) version 3.1 - Source Code, part 2 |
| VASrc31Disk3 | 138 kb | Masm | Virtual Alkitab (Bible) version 3.1 - Source Code, part 3 |

Library

| Name | Size | Description |
| --- | --- | --- |
| AniGIF | 75 kb | Animated GIF library |
| Ufmod | 128 kb | Library to play MOD music |

Posted by REM at 17:39:49

WindowsHack 3.0 and many more programs

WindowsHack 3.0
An interesting program to edit a currently running program’s resources (or even destroy them)
(resources like labels, contents of text boxes, pictures, etc…)

Version History

Version 3.0
# Added Extended Window/Window/Control style names
# Added Action -> Set Transparent (for NT only)
[+] Added HWND_BROADCAST to Send Message
[+] Fixed Set Window Pos
[+] Numerous other minor improvements

Version 2.0
# Added Action -> Flash Window
# Added Action -> Set Window Pos
# Added Action -> Send Text
# Added Action -> State
# Added Class Icon & Cursor Viewer
# Added Toolbar Tooltip
[+] Fixed Find Window Under Cursor

Version 1.0.1
[+] Fixed Minor Bug
[+] Update Toolbar Icons

Version 1.0
[!] Initial release

link:

http://geocities.com/asmfreesoft/download/WindowHack30.zip


Download

| Name | Size | Description |
| --- | --- | --- |
| Region Maker 1.2.2 | 56 kb | Region Maker is a program to create region data for a bitmap |
| Window Hack 3.0 | 35 kb | Window Hack is a program to spy on and modify windows |
| Secure Delete 1.2 | 15 kb | Secure Delete is a utility that securely deletes your files so they can never be recovered |
| Magic Clock 1.2 | 8 kb | Magic Clock is a program to show the clock & date on the foreground window's title bar |
| Enabler Plus 1.2 | 7 kb | Enabler Plus allows the user to enable disabled windows, menus & controls such as buttons, statics, edit boxes & toolbar items |
| X-Calculator Gold 1.1 | 30 kb | X-Calculator Gold performs basic arithmetic, bitwise operations (Shl, Rol, Adc, Neg, Xor), hashes (MD5, SHA1, SHA256) and Base64 encode/decode |
| Desktop Lights 1.0 | 14 kb | Desktop Lights places strings of bulbs around the edges of your screen |

Programmers' Tools

| Name | Size | Description |
| --- | --- | --- |
| thINC | 26 kb | Translate .H to .INC file |
| L2inc12 | 29 kb | Import library to include file conversion |

Support Tools

| Name | Size | Description |
| --- | --- | --- |
| Master Joiner | 3 kb | Master Joiner allows combining multiple files into one big file |


Posted by REM at 17:34:40

Syscall lister by omeg

A utility that lists all system calls.

2007/07/13 - merged the 32- and 64-bit versions into a single source and cleaned the code a bit (lister and driver). Also updated the sample output.

sample output:

http://rapidshare.com/files/42705942/syscall-xp-32.txt

http://rapidshare.com/files/42706000/syscall-xp-64.txt

link :

http://rapidshare.com/files/42706805/syscall.zip


Posted by REM at 17:02:11