Linux Memory tools are a set of Linux tools (Python, C and ASM) which aim is to facilitate exploit development. These tools can be used to dump process memory, search for patterns and quickly find OPCODEs location addresses (instructions and mnemonics are functional but still in development). OPCODE search is possible on an instant memory snapshot or using a file dump. These tools are been quickly coded and should be considered as helpful scripts. Return addresses or shellcode locations can be found instantly.
b563de74e1cda35f782a23fd14e98e36f0b0c04030335f5778d239a1c883e3e3
PaiMei is a reverse engineering framework consisting of multiple extensible components. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei is written entirely in Python and exposes at the highest level a debugger, a graph based binary abstraction and a set of utilities for accomplishing various repetitive tasks. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as: fuzzer assistance, code coverage tracking, data flow tracking and more.
f027a3b0b418697874b0a94638fd5384a09eea2e16778ac1bf21c0ea708b4c9a
Disit is a new open source disassembler engine.
7aceb71d9143184a945084ed93d86e101db05cbb842250649377f0303dc4d23d
elf is a command-line tool that allows a user, be it a script or a human, to analyze the contents of an ELF object file header. This header contains various integral values such as the virtual entry point of the object file, the machine architecture it was compiled for and more.
ba504141b5e785fc1d7f12e8239b05346b36be25671c0ad626f1baa248ad8791
Well written whitepaper about reverse engineering backdoored binaries. It is meant for the beginner reverse engineer with some knowledge of ELF, C, x86 ASM, and Linux.
b31fe0048b71bab934815417a3d57f26b2f50823b7d9600434d47c9c533ed212
REC is a portable reverse engineering decompiler which reads an executable file and attempts to produce a C-like representation of the code and data used to build it. It can decompile 386, 68k, PowerPC, and MIPS R3000 programs and recognizes the following file formats: ELF (System V Rel. 4, e.g. Linux, Solaris, etc.), COFF (System V Rel. 3.x, e.g. SCO), PE (Win32 .EXE and .DLL for Microsoft Windows 95 and NT), AOUT (BSD derivatives, e.g. SunOS 4.x), Playstation PS-X (MIPS target only), and raw binary data (via .cmd files).
3f8f4c802b33352fe0114bbf7758d4f5510b3e435824539cf8b5a73eb0162a87
Valgrind is a GPL'd tool to help you find memory-management problems in your programs. When a program is run under Valgrind's supervision, all reads and writes of memory are checked, and calls to malloc/new/free/delete are intercepted. You can use it to debug most dynamically linked ELF x86 executable, without modification, recompilation, or anything. If you want, Valgrind can start GDB and attach it to your program at the point(s) where errors are detected, so that you can poke around and figure out what was going on at the time.
36f95c24257c440eadcff12f88b18d8572aa7e47c014494d8804f3d194719cd9
Procshow is a tool to analyze live processes. It shows ELF information as objdump, nm, readelf, etc but using a file in a runtime state. It helps an end user learn about a process, detect anomalies, backdoors, and holds various other uses.
aea8414360a66bbebafe5d48db71857829d9ecdf679ad3ee204de0802423425c
Elf Shell v0.51b3-portable is an automated reverse engineering tool with read/write capability for the ELF format. Sophisticated output with cross references using .got, .ctors, .dtors, .symtab, .dynsym, .dynamic, .rel.* and many other with an integrated hexdump. Designed for Linux. All calls encapsulated in libelfsh.a, so the elfsh API is really reusable.
ecffe100d0da12235cfe464726313491409739493030f3fbdb3a28696b23447f
Linux LKM that disables ptrace abilities in the 2.4.x kernels.
1d8cb9eedc847c0da5391b758eba2303658fc96887860ddadb104e0b904b66df
oOps.c grabs hardcoded strings from binary files. Shows rootkit passwords and other information that is encoded character at a time to avoid binary examination like the strings command. Tested on Linux.
6ec922e0fecc9ff438d329269c632e0bdae94a19c0a176bb42b7160fa0bb0f73
LDasm (Linux Disassembler) is a Perl/Tk-based GUI for objdump/binutils that tries to imitate the look and feel of W32Dasm. It searches for cross-references (e.g. strings), converts the code from GAS to a MASM-like style, and much more.
f6adaed7d64c1cb2b5338b0f8a9ca16f597170edb56fca926f6a82e2d426c189
anti-anti-debug is a Linux kernel module that is used to stop the technique currently implemented into closed source Linux binaries that disallow or restrict debugging and tracing with tools like gdb and strace.
aeca12c39a86982dc39a6c75f1547017d9e4b6274450bd8692153ad954b3dabd
Elf Shell v0.43b-portable is an automated reverse engineering tool with read/write capability for the ELF format. Sophisticated output with cross references using .got, .ctors, .dtors, .symtab, .dynsym, .dynamic, .rel.* and many other with an integrated hexdump. Designed for Linux. All calls encapsulated in libelfsh.a, so the elfsh API is really reusable. Sample output here.
9068395673dc10ca19ad2f71181d0ce313ff9da89bde2727c0db51c616b87c20
The Examiner is a tool to analyze foreign binary executables. The goal of is to be able to get output similar to strace without executing the binary in question. Uses the objdump command to disassemble and comment binaries. This tool was designed for forensic purposes but could be used for basic reverse-engineering goals as well.
535c72a78282386f1909287a9812a255bac983a1a3e4e05c9e270bd9eee4ff47
A disassembler written for disassembly of x86 ELF targets on Linux (other file formats/CPUs can be 'plugged in'). Written as a backend or engine -- the UI is a command line; support for controlling the disassembler via pipes or FIFOs is provided. Note that this disassembler does not rely on libopcodes to do its disassembly; rather, the 'libi386' plugin is a standard .so that can be reused by other projects.
ff3d0ecbcfd3aae1a05edbb12329d7b53e69f35f6276bbcb2fe8b968e739217d
A disassembler written for disassembly of x86 ELF targets on Linux (other file formats/CPUs can be 'plugged in'). Written as a backend or engine -- the UI is a command line; support for controlling the disassembler via pipes or FIFOs is provided. Note that this disassembler does not rely on libopcodes to do its disassembly; rather, the 'libi386' plugin is a standard .so that can be reused by other projects.
deb4902992d31c1b6c37b4dcbc701dbc71c042fb0433831e4d972abcf40efb8c
A disassembler written for disassembly of x86 ELF targets on Linux (other file formats/CPUs can be 'plugged in'). Written as a backend or engine -- the UI is a command line; support for controlling the disassembler via pipes or FIFOs is provided. Note that this disassembler does not rely on libopcodes to do its disassembly; rather, the 'libi386' plugin is a standard .so that can be reused by other projects.
6a45ac0ea697d4b71994d3441b9fe0d946819bbd9ee3082f187536aa7225c3b6
hypersrc is a GUI program for browsing source code, which uses GTK+. It provides a list widget containing sorted source code tags. A programmer can click a tag to hyperlink to a particular tagged line in a source code file. Screenshot here.
04047cfe613f5003f883a85b25857edb33b11c44b5d61921d4945554a5fb281b
hypersrc is a GUI program for browsing source code, which uses GTK+. It provides a list widget containing sorted source code tags. A programmer can click a tag to hyperlink to a particular tagged line in a source code file. Screenshot here.
e207046f65bd61093049aee58e950c824eef84f69463e5a7db0db8d22e977399
GVD is a general purpose graphical debugger frontend. It features advanced data display and visualization capabilities, and allows the debugging of multi-process/multi-threaded applications in the same debugging session. GVD works with native and cross-debuggers and can handle several languages in the same debugging session and the same application. C and Ada are supported. GVD can run on a host different from the machine where the debugger is running and provides friendly support for cross-debuggers (VxWorks, Lynx, etc.). For instance, you can use Linux or Windows to debug an application running on a Power PC board with a debugger running on a Sun workstation.
f64f511f0fca1fbd9d0ec8ffed761392d45aaeaf37065995d45c7e36a435d1f2
Segment debugger is an ELF binary segment scanner with a console ncurses interface. its currently in alpha stages and features only stack phrase, and double word searching.
a69144965104163e2f64d988a65e509f4f27e166452012c72a23349f8b313c6e
Biew is Binary vIEWer with built-in editor for binary, hexadecimal and disassembler modes. It contains a PentiumIII/K7Athlon/Cyrix-M2 disassembler, full preview of MZ, NE, PE, LE, LX, DOS.SYS, NLM, arch, ELF, a.out, coff32, PharLap, and rdoff executable formats, a code guider, a text viewer with russian codepages support, and many other features.
0c61690e636e16954dfdb9eec1001653d7bb8232dcaf176c26d976db285fa3f7
The Reverse Engineer's Patcher is the first byte patcher for UNIX systems. It will compare two binaries and produce a patch in C.
32184bfa34a3bb03ec189b479b49c03cc81c292b3a5be5081a2189e0f0180516
Source-Navigator is a source code analysis tool. With it, you can edit source code, display relationships between classes and functions and members, display call trees, and build projects.
646b0bb295d013a2983e27d0adbf286415e12e6d4288932a8025ba16fcd88083