DLL Export Viewer v1.10 x64
Hits: 5
Date added: 04/13/2007
This utility displays the list of all exported functions and their virtual memory addresses for the specified DLL files. You can easily copy the memory address of the desired function, paste it into your debugger, and set a breakpoint on this memory address. When the function is called, the debugger will stop at the beginning of it.
For example: if you want to break each time a message box is about to be displayed, simply put breakpoints on the memory addresses of the message-box functions: MessageBoxA, MessageBoxExA, and MessageBoxIndirectA (or MessageBoxW, MessageBoxExW, and MessageBoxIndirectW in Unicode-based applications). When one of the message-box functions is called, your debugger should break at the entry point of that function, and you can then look at the call stack and walk backward into the code that initiated this API call.

Sigcheck
Hits: 4
Date added: 03/01/2005

Verify that images are digitally signed and dump version information with this simple command-line utility.
Usage: sigcheck [-i] [[-s]|[-v]] [-q] [-u] [-c catalog file] <file or directory>
-c Look for the signature in the specified catalog file
-i Show image signers
-s Recurse subdirectories
-q Quiet (no banner)
-u Show unsigned files only
-v CSV output
One way to use the tool is to check for unsigned files in your Windows\System32 directory with this command:
sigcheck -u c:\windows\system32
You should investigate the purpose of any files that are not signed.

Streams
The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax file:stream you are able to read from and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on an NTFS drive from within a command prompt. Next, type echo hello > test:stream. You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream, enter more < test:stream (the type command doesn't accept stream syntax, so you have to use more).
NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories you specify (note that directories can also have alternate data streams) and inform you of the names and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.
Usage: streams [-s] [-d] <file or directory>
-s Recurse subdirectories.
-d Delete streams.
Streams takes wildcards, e.g. 'streams *.txt'.

Junction
Hits: 4
Date added: 03/01/2005

Win2K's version of NTFS supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Win2K. Unfortunately, Win2K comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see whether files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are also used by Win2K's Remote Storage Service (RSS) and by volume mount points.
If you want to view reparse information, the usage for Junction is the following:
Usage: junction [-s] <directory or file name>
-s Recurse subdirectories.
If you want to create or delete a junction, use Junction like this:
Usage: junction [-d] <junction directory> [<junction target>]
To delete a junction, specify the -d switch and the junction name.
Source code:
http://www.sysinternals.com/files/jnctnsrc.zip

DiskMon NT v2.01
Hits: 4
Date added: 01/27/2006

DiskMon is an application that logs and displays all hard disk activity on a Windows system. You can also minimize DiskMon to your system tray, where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.

ListDLLs x86
Hits: 4
Date added: 01/26/2005

A question that I often get asked is "Do you know of a utility that will show me which DLLs are loaded on Windows 9x or NT?". The answer I gave up until recently was "no", until I discovered a tool in the Windows NT Resource Kit called tlist that does show this information. I decided to write a freeware version, ListDLLs. Unlike tlist, however, ListDLLs is able to show you the full path names of loaded modules - not just their base names. In addition, ListDLLs will flag loaded DLLs that have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL), and can tell you which DLLs were relocated because they could not be loaded at their preferred base address.