首页
社区
课程
招聘
[转帖]ARTeam: xTracer 1.0 by deroko
发表于: 2009-5-26 09:33 3199

[转帖]ARTeam: xTracer 1.0 by deroko

2009-5-26 09:33
3199
Hi all,
a new release from deroko of ARTeam. A really powerful tool (you may experiment how powerful it is..)

xtracer is TLB memory tracer. It tries to locate first break in code section of traced process using split TLB which is available in intel architecture.
This code can be used to locate OEP of traced process easily. Currently only 1st break is reported, but you may modify code to handle more breaks as that's not a problem at all if you go trough ring3 program which actually controls driver. You may expect to get very good and fast results no matter which protection you are tracing. Time needed to locate OEP is equal to the time needed to execute protection layer without debugger, nor any tracer.

I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool released under GPL 3.0).

Code can be customized to handle various scenarios. Eg. add more breaks on code sections, hooking more some native calls to keep control of almost every allocated buffers, but that's up to the user to implement if he needs it.

To use this code simply type:

xtracer.exe <applicaton to trace>

wait a little bit. Also note that you must have internet connection as code is using my SymbolFinder class to locate some symbols from ntoskrnl.exe which makes this code compatible with windows versions from win2k to Vista SP1.

http://www.accessroot.com/arteam/site/download.php?view.309

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (2)
雪    币: 98803
活跃值: (201054)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
2
本地备档一份
上传的附件:
2009-5-26 09:36
0
雪    币: 403
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
动态取得进入点, Cool!
2009-5-28 20:57
0
游客
登录 | 注册 方可回帖
返回
//