*LEGAL DISCLAIMER: The content on this website, including tools, is for educational purposes only.
This website makes no warranties, express or implied. You use any tools at your own risk!
Welcome to my FREEWARE tools page. The Open-Source GNU GPL tools listed here may be freely used and altered
according to the enclosed license. The other tools may be used free of charge provided they are not altered
without written permission if redistributed to the public. All tools may be freely distributed as long as they
retain their original contents as available on this website.
These tools are a mix of mostly command line applications originally built for Windows XP although they should
run on Windows 7 and up. Some newer tools include a Linux version. While the Windows tools have a dependency on
the Visual C++ runtime (available as a separate download), I decided to make things simpler for the Linux
versions by linking the executables statically, although the resulting executables are larger than I'd like.
For questions, comments or bug reports, please use the
Contact Form.
strlook | Apr 2023 UPDATE | Highlighting Search Tool for Text and Binary Files
pelook | Sep 2022 UPDATE | PE/COFF dump and conversion tool
jiggler | May 2022 UPDATE | Automated Mouse Mover
datesum | Oct 2020 UPDATE | Simple day conversion calculator for dates
peupdate | Feb 2023 UPDATE | update hidden PE and PDB information in Win32/64 executables
bytepatch | Sep 2018 UPDATE | a simple binary and opcode patcher with pointer address support
disasmdump | Jan 2017 UPDATE | a command line 32-bit x86 disassembly dump tool
evl | Sep 2020 UPDATE | a programmer's calculator and base converter
str | Jul 2021 UPDATE | a string swiss-army-knife
forevery | Sep 2020 UPDATE | Simple tool to execute a command for each file or directory matching a path mask
xprop | Jun 2017 UPDATE | Tiny program to display Windows Explorer properties dialog for given pathname
shelljmp | Jan 2018 UPDATE | x86 Win32 execution host for raw binary code
hashfile | Sep 2018 UPDATE | calculate md5/sha1/sha256 or crc32 hashes from files, stdin or command line strings
xorit | Mar 2020 UPDATE | generic tool for applying an xor pattern/key over stdin or input file
bd | Jan 2021 UPDATE | a feature-rich binary hex-dump utility
injectdll | Jul 2017 UPDATE | dll injection tool for hacking penetration testing
gethttp | Jan 2021 UPDATE | command line HTTP/S dumper with color highlight (headers vs entity), certificate info and download options
base64 | | base64 encode/decode utility
quicksync | | feature-rich directory tree synchronization/mirroring utility
datesync | | fill in missing/wrong timestamps on dest files from one or more source trees
envset | | list, add, delete or update system or user environment variables with broadcast
killdir | | directory removal utility supporting masks and recursion
killeventlogs | | NT event log clearing tool
killproc | Jan 2018 UPDATE | process killer and command-line lister
linecount | | C/C++ source line counter showing percentage of whitespace/comments versus code
lockfile | | temporarily lock a file with exclusive access (prevent anyone else from opening)
sanitize | | secure file wipe utility
tagtreeviewer | | GUI HTML/XML parser
uptime | | Display various stats based on Windows' 32-bit system tick count; i.e. GetTickCount(). The tool also features a built-in stopwatch.
|
|
|
 |
strlook / [Command Line Help] / [Changelist]
Latest Version: 1.10
Released: Apr 1, 2023
|
|
 |
pelook / [Command Line Help] / [Changelist]
Latest Version: 1.75
Released: Sep 7, 2022
|
|
 |
jiggler
Latest Version: 1.10
Released: May 15, 2022
|
|
 |
datesum / [Command Line Help] / [Changelist]
Latest Version: 1.0
Released: Oct 28, 2020
|
|
 |
peupdate / [Command Line Help] / [Changelist]
Latest Version: 1.51
Released: Feb 14, 2023
Peupdate originally started as a tool to alter the PDB pathname string embedded within executable modules
by Microsoft's compilers and build tools. This tool now supports other useful modifications to
PE files, including removal of
Microsoft's undocumented "Rich" Header,
and altering the PE timestamp to a specific date/time or literal values now used by Windows 10 as unique
[hash] ids (making deterministic builds possible). Multiple files can be processed at once, and each
file processed can have multiple modifications (i.e. whatever actions currently supported),
making this tool useful as a post-build step.
Peupdate's original purpose was to clear the PDB path string in an executable module placed by
Microsoft's linker; assuming you don't want [or can't] re-link with the /PDBPATH:none option because you don't have access to the source code.
Options include clearing the entire PDB path string, stripping just the path, or setting to a custom value specified on the command line. 32
and 64-bit PE images are supported as well as CLR executables making use of the .NET framework. Leaving the filename intact
but stripping the path (-s option) is officially recommended as debuggers can rely on existing facilities to locate the PDB
file when the path has been removed.
The changes made by peupdate should not alter the functionality of the executable module in any way although if
the file was originally (or needs to be) digitally signed or some post-build equivalent, it goes without saying that
the digital signature or other post-build steps would need to be re-applied after peupdate is used.
Upon changes, peupdate will recalculate the PE checksum as needed (unless forcibly disabled with
the -n option). For non-driver files and DLLs not
loaded during boot, a checksum is not required. This is why Microsoft's default linker settings set a
module's checksum to zero. For drivers and other PE images with a nonzero checksum, peupdate will recalculate
and store the updated checksum automatically, if changes have been made to the file.
You can however force the checksum to be calculated and saved with the -f option for any
module. This can be used as a standalone feature without any other changes to the PE image if you need to
generate and write the correct checksum to a PE image.
PDB Background: By default, Microsoft's linker embeds the full path string of the program database file
(.PDB) into an executable module whenever a .PDB is built with the module. This results in disclosure of what
some developers may consider private path information - information they'd rather not have present in binaries
released to the public. It's not uncommon to generate release/retail PDB files for crash-dump analysis and/or
other debugging purposes, so disabling the PDB from being generated doesn't address the problem. Changing
the name of the executable does not change the original path information that may have been embedded within
the file at link time. A PDB path like:
D:\My Projects\right_wing_left_corp\hacks_for_annoying_customers\quick_and_dirty.pdb
may represent private information not meant for public consumption.
Even if not, why release a path that will probably never exist on a machine other
than the developer's? The best solution is to add the /PDBPATH:none or /PDBALTPATH:<path> options to
your linker settings and re-link. If re-linking isn't an option, or the source is not available, peupdate
can fix this path string for you in your final executables.
The idea for peupdate originated while I was searching for a tool to clear the PDB path string from my own executables.
I never found such a tool, but I did find this
source code.
Although I subsequently wrote peupdate from scratch due to some bugs and limitations in the original project,
this code was extremely useful for proper interpretation of the debug directory structure.
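To check a release binary for the PDB path disclosure described above, the following Python example walks the PE debug directory and extracts the path from each CodeView "RSDS" record. It is an added example, not peupdate's code; the function names (find_pdb_paths, leaks_directory, build_sample_pe) are hypothetical and the sample image is constructed in memory for the demonstration.

```python
import struct

CODEVIEW = 2  # IMAGE_DEBUG_TYPE_CODEVIEW

def find_pdb_paths(data: bytes) -> list:
    """Return the PDB path from each CodeView 'RSDS' record in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 / PE32+
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    if n_dirs <= 6:
        return []
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)
    # Map the debug directory RVA to a file offset via the section table.
    dbg_off = None
    for i in range(n_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + i * 40 + 8)
        if vaddr <= dbg_rva < vaddr + max(vsize, rsize):
            dbg_off = rptr + dbg_rva - vaddr
    if not dbg_rva or dbg_off is None:
        return []
    paths = []
    for off in range(dbg_off, dbg_off + dbg_size - 27, 28):  # 28-byte entries
        dtype, size, _rva, ptr = struct.unpack_from("<IIII", data, off + 12)
        rec = data[ptr:ptr + size]
        if dtype == CODEVIEW and rec[:4] == b"RSDS":
            # RSDS signature (4) + GUID (16) + age (4), then the path string
            paths.append(rec[24:].split(b"\0", 1)[0].decode("utf-8", "replace"))
    return paths

def leaks_directory(pdb_path: str) -> bool:
    """True when the record still carries a directory, not just a file name."""
    return "\\" in pdb_path or "/" in pdb_path

def build_sample_pe(pdb_path: str) -> bytes:
    """CONSTRUCTED sample: minimal PE32 image holding one CodeView record."""
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, CODEVIEW, len(cv), 0x101C, 0x21C)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 6 * 8, 0x1000, 28)   # debug directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIII16x", b".rdata", 0x200, 0x1000, 0x200, 0x200)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + (entry + cv).ljust(0x200, b"\0")
```

On a real file, pass the bytes read from disk to find_pdb_paths and flag any result for which leaks_directory returns True.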
|
|
 |
bytepatch / [Command Line Help] / [Changelist]
Latest Version: 1.3
Released: Sep 18, 2018
|
|
 |
disasmdump (source included) / [Command Line Help] / [Changelist]
Latest Version: 1.66
Released: Jan 16, 2017
|
|
 |
evl / [Command Line Help] / [Changelist]
Latest Version: 2.03
Released: Sep 8, 2020
Evl is a command line programmer's calculator. It evaluates C-style mathematical expressions from the command line, working with
values up to 64-bits, but with the capability to constrain results to smaller standard int sizes. Like C-style
expressions, base-10 numbers are the default and hex values may be entered when the numbers are prefixed with 0x
(zero-x) such as 0xDB. Unlike C-style expressions, Evl has additional features such as support for bitwise rotation
(ROR, ROL) and input values being specified in binary (prefix numbers with 0b, such as 0b10001001).
Evl performs all standard arithmetic operations in addition to modulus, square roots, powers, string comparison,
boolean logic and bitwise operations. The command line switches also let you change the floating point
precision and add variable substitutions. To convert a number (or otherwise the result of the expression) to a
common base, simply use any combination of the output flags: /o: (b=binary, o=octal, h=hex, s=signed int,
u=unsigned int, d=double float, c=char). Like C-style expressions, when a floating point number is encountered,
the type of the expression result is promoted to a double.
The base conversion facilities between different int types may be more useful to some than the expression capabilities.
I.e.: simply input a number in any standard base and specify one or more output flags to see a representation in another.
Evl integer arithmetic and bitwise operations work natively with a 64-bit int QWORD type, however the output of
an expression can be forced into any of the standard int sizes (signed or unsigned) in BYTE, WORD, DWORD types.
By default, the value is handled and displayed in the smallest type that can contain it. This is
especially useful to properly display negative integers, as Evl intelligently trims off sign extension
bits so a signed byte that happens to be negative can be interpreted properly when the same value in a larger
int type would be positive. For example, -1 can be 0xFF when decoding a signed BYTE but when displayed in a
signed WORD, becomes positive 255 (0x00FF).
EXAMPLES:
• add 171 to 196 (notice that input numbers can use and mix any base provided you specify the proper
prefix) and see the result in both hex and unsigned int:
evl /o:hu 0xAB+0b11000100
hex: 016F
uns: 367
• calculate the total price based on 8.325% sales tax, only keeping 2 decimal points of precision in the
result:
evl "(29.95+14.95)*1.08325" /f:2
48.64
• convert 75 degrees Fahrenheit to Celsius using formula (F-32)*5/9:
evl "(75-32)*5/9.0"
23.888889
• use variable substitution to calculate area of a circle using pi*radius^2 formula:
evl "pi*r pow 2" /v:pi=3.14159 /v:r=5
78.539750
• determine the smallest negative value that can fit in a 16-bit signed WORD by
applying a bitwise NOT to zero, dividing the result in half and adding one when specifying the int size as a WORD;
Note, you can use the same expression to see the smallest negative value of any int size type by simply
changing the /t argument:
evl "~0/2+1" /o:s /t:w
sgn: -32768 (WORD)
[16-bit WORD]
• determine the opposite of above; the largest positive value that can fit in a 16-bit signed WORD by removing
the +1 of the expression above:
evl "~0/2" /o:s /t:w
sgn: 32767
[16-bit WORD]
• take byte value 0x67 and rotate the bits to the right 4 places, effectively swapping the nibbles:
evl "0b01100111 }} 4" /pfx:2 /o:hb /t:b
bin: 0b01110110 (7 significant bits of 8)
hex: 0x76
[8-bit BYTE]
|
|
 |
str / [Command Line Help] / [Changelist]
Latest Version: 1.23
Released: Jul 26, 2021
str is a silly little tool to perform rudimentary string operations and dump the result to the
console. str allows standard string operations to be accessible from the command
line using a concise syntax. If writing a test program, script or even pasting into a text editor for
purposes of achieving a quick string result seems like overkill, that was my opinion too!
If you've ever needed to run strlen() against the data on the clipboard, maybe even lowercase all the
characters, strip-out the non-printables, and place the result back on the clipboard, this tool may be for you.
Supported operations range from whitespace stripping and search and replace to ASCII hex dumps.
Str currently supports C-style unescaping from the command line, reading from and writing to
the Windows clipboard, reversing characters, strcmp, etc.
While single actions can be performed on single strings, the power of str is that actions can be chained
together allowing the result of one action to be the input into the next. In practice however, you may
only ever chain at most two actions if at all! With that said, let me explain the action-chaining:
The first string specified
occupies the first slot and identifies the target string. When an action is performed on the target,
the result overwrites the first. The next action operates on that result and overwrites it with
the new result. When multiple arguments are required, such as for the -sr (search and replace action),
the search and replace strings are additionally specified in order followed by the -sr action.
The resulting string is then written to slot #1 and slots #2 and #3 are cleared for the next operation.
It then makes sense that the arguments are order-specific, so options that you want to take effect at the time
the action is taken must be specified prior to the action. This is why all options can be turned on and off
since you might want some options enabled only at certain points in the chain.
The final string is written upon termination of the program in verbose mode (default) or the string may
be manually output at any step in the chain of actions. In this example, we want to uppercase an arbitrary string,
search and replace all of the spaces to "_" underscore characters, then base64 encode the result. We'll
use the command-line sequence below and specify -out actions in between so you can see the result of each stage of the chain:
str "the wave of the future is now" -uc -out " " _ -sr -out -b64e
"THE WAVE OF THE FUTURE IS NOW" (strlen=29)
replacements=6
"THE_WAVE_OF_THE_FUTURE_IS_NOW" (strlen=29)
"VEhFX1dBVkVfT0ZfVEhFX0ZVVFVSRV9JU19OT1cA" (strlen=40)
We can replace the clipboard's contents in-place - converting backslash-escaped quotes to normal quotes:
NOTE: In accordance with cmd.exe's escapement rules, literal backslashes and quotes must be properly escaped so they are properly passed to the tool
str -g \\\" \" -sr -s
In another example we can see the hex representation of a string with:
str "hello world" -hex
68 65 6C 6C 6F 20 77 6F 72 6C 64
IMPORTANT: To specify a string that is or begins with the switch character "-", you must escape the command line argument
with a hyphen-frontslash sequence "-/" (without quotes) prior to the string parameter. This lets the program know the
argument that follows IS NOT a switch. For example, to pull a
string from the Windows clipboard, remove all hyphens, then store the result back on the clipboard, you'd use the -sr (search and replace) action like this:
str -g -/ - "" -sr -s //if the clipboard started with "one-two-three-four-five---->ten"
// it would end up with "onetwothreefourfive>ten"
|
|
 |
forevery / [Command Line Help]
Latest Version: 1.0
Released: Sep 1, 2020
|
|
 |
xprop
Latest Version: 1.0
Released: Jun 5, 2017
|
|
 |
shelljmp / [Command Line Help] / [Sample Usage] / [Changelist]
Latest Version: 0.9d
Released: Jan 31, 2018
|
|
  |
hashfile / [Command Line Help] / [Changelist]
Latest Version: 1.2
Released: Sep 8, 2018
As there were no built-in hashing command line utilities in Windows at the time this was written, I found having
such a utility was useful. This utility can calculate an MD5, SHA1, SHA256 or CRC32 hash from a file, standard
input or string specified directly from the command line. I'm also making the Linux version of this utility
available, although you might wonder why since most Linux distros come with the md5sum, sha1sum and sha256sum
utilities. For starters, this was one of the first projects I started with my new cross-platform library and,
ideally, any non-Windows-specific application will have a Linux counterpart. Secondly, it covers hash calculations
for which no Linux program is usually installed by default, such as CRC32, or algorithms newly added in the future.
|
|
  |
xorit / [Command Line Help] / [Changelist]
Latest Version: 1.11
Released: Mar 10, 2020
Since the XOR operation is commonly used as an encryption/obfuscation technique in many applications, I found
having a utility that XOR'ed a repeating (or non-repeating) key to a chunk of data was useful enough to warrant
a dedicated tool. If you have a high-entropy key containing truly random data such as samples of radioactive
decay, XOR can be used as encryption that is theoretically unbreakable, when applied properly. Known as the
one-time pad, this type of encryption is generally not used due to the impractical nature of protecting and
destroying such a key. That does not stop XOR from being a common obfuscation/deobfuscation operation by itself or
coexisting with additional encryption. XOR is popular since it is a fast, simple bitwise operation supported by
all processors as it is one of the base logic gates in electronic components.
In reverse engineering, it is not uncommon to come across a chunk of data that has been
obfuscated with a single repeating byte or series of bytes that you must XOR. Rather than writing a custom
program to perform such a simple operation, this tool might prove useful in your toolset.
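The repeating-key operation described above, as an added Python example that is not xorit's code. It goes one step beyond the text by also deriving the key when the first bytes of the original data are known (for instance a file-format header); the function names, key and sample data are constructed for the illustration.

```python
from itertools import cycle

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(obfuscated: bytes, known_prefix: bytes) -> bytes:
    """Derive the shortest repeating key consistent with a known plaintext prefix.

    obfuscated XOR plaintext yields the key stream; the key is the shortest
    period of that stream. If the known prefix is shorter than the key, only
    the first len(known_prefix) key bytes are returned.
    """
    stream = bytes(c ^ p for c, p in zip(obfuscated, known_prefix))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

# Constructed sample: a blob that is known to begin with a PDF header.
SAMPLE_KEY = b"\x13\x37\xc0"
SAMPLE_PLAIN = b"%PDF-1.7\nconstructed sample body"
SAMPLE_BLOB = xor_repeat(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, b"%PDF-1.7")
    print(key.hex(), xor_repeat(SAMPLE_BLOB, key))
```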
|
|
  |
bd / [Command Line Help] / [Changelist]
Latest Version: 2.58
Released: Jan 1, 2021
|
|
 |
injectdll / [Command Line Help] / [Changelist]
Latest Version: 1.10
Released: Jul 28, 2017
|
|
 |
gethttp / [Command Line Help] / [Changelist]
Latest Version: 1.0
Released: Jan 1, 2021
|
|
 |
base64 / [Command Line Help]
Base64 is a simple tool used to encode or decode data in the Base64 scheme. Output may be sent to
the console or to a file. Input may be specified on the command line or as an input file.
64 is the smallest power of two base that can represent printable ASCII characters including the digits,
uppercase and lowercase letters. This scheme was invented in the early days of the internet as a way to encode
and transport binary data (like file attachments) over text-only protocols such as POP3 and SMTP for e-mail.
|
|
 |
quicksync / [Command Line Help]
feature-rich directory tree synchronization/mirroring utility
|
|
 |
datesync / [Command Line Help]
fill in missing/wrong timestamps on dest files from one or more source trees
|
|
 |
envset / [Command Line Help]
list, add, delete or update system or user environment variables with broadcast
|
|
 |
killdir / [Command Line Help]
directory removal utility supporting masks and recursion
|
|
 |
killeventlogs / [Command Line Help]
NT event log clearing tool
|
|
 |
killproc / [Command Line Help] / [Changelist]
Latest Version: 1.51
Released: Jan 24, 2018
This utility kills processes by name or by PID, like many other similar utilities, but this tool has a unique
list-mode feature. The /l option will list active processes by matched substring (matching not
only the name, but the full command line used to start the process). More importantly, the processes in list
mode are sorted descending by aggregate time running in system. This means the last processes you see listed will be the
most recently run. This makes malware or other recently-run programs easy to spot quickly.
Supports 32 and 64 bit processes; when run under 64-bit versions of Windows, the "bitness" of each process is indicated.
NOTE: This program requires administrator rights to kill or retrieve information for system processes.
|
|
 |
linecount / [Command Line Help]
C/C++ source line counter showing percentage of whitespace/comments versus code
|
|
 |
lockfile / [Command Line Help]
temporarily lock a file with exclusive access (prevent anyone else from opening)
|
|
 |
sanitize / [Command Line Help]
This tool wipes files in accordance with DoD 5220.22-M, which may not be the most forensically secure method in modern days
but certainly offers some security beyond a simple file-delete.
Note the security of this tool relies on the underlying filesystem mapping the overwrite-data to the same physical location as the original.
This is often the case unless the file is on a journalling or transactional filesystem. The method used is:
-overwrite all data with bit pattern 10's (byte pattern 0xAA)
-overwrite all data with bit pattern 01's (byte pattern 0x55)
-overwrite all data with random bits and verify
Finally, the file is renamed, then deleted.
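The pass sequence listed above, as an added Python example that is not sanitize's own code. The function names are hypothetical, the replacement file name is a random hex string chosen for this example, and the same filesystem caveat applies: the overwrite only helps when the data lands on the original physical blocks.

```python
import hashlib
import os
import secrets

def write_pass(f, size, pattern, chunk=65536):
    """Overwrite the first `size` bytes in place; pattern=None writes random
    bytes. Returns a SHA-256 of what was written, for read-back verification."""
    digest = hashlib.sha256()
    f.seek(0)
    left = size
    while left:
        n = min(chunk, left)
        block = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        f.write(block)
        digest.update(block)
        left -= n
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before the next one
    return digest.hexdigest()

def read_digest(f, size, chunk=65536):
    """SHA-256 of the first `size` bytes as read back from the file."""
    digest = hashlib.sha256()
    f.seek(0)
    left = size
    while left:
        block = f.read(min(chunk, left))
        if not block:
            break
        digest.update(block)
        left -= len(block)
    return digest.hexdigest()

def wipe_file(path):
    """0xAA pass, 0x55 pass, random pass with verify, then rename and delete."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        write_pass(f, size, 0xAA)              # bit pattern 10101010
        write_pass(f, size, 0x55)              # bit pattern 01010101
        written = write_pass(f, size, None)    # random data
        # The read-back may be served from the OS cache rather than the device.
        if read_digest(f, size) != written:
            raise OSError("verification of the random pass failed")
    # Rename within the same directory so the original name is not what gets unlinked.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
```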
|
|
 |
tagtreeviewer
|
|
 |
uptime / [Command Line Help]
Display various stats based on Windows' 32-bit system tick count; i.e. GetTickCount(). The tool also features a built-in stopwatch.