Nytro

RogueKillerPE

RogueKillerPE

Description

RogueKillerPE is a PE parsing tool, able to show the internal structure of executable files. It’s able to read either the memory image (process module) or the disk image (filesystem) of a given executable.

  • RogueKillerPE 32 bits: Download (14 Mb)
  • RogueKillerPE 64 bits: Download (14 MB)

Features:

  • Open PE from file, and read disk image.
  • Open PE from process, and read memory or disk image.
  • Open file from command line.
  • Drag and drop support.
  • Process general information (pid, parent, …)
  • File general information (attributes, size, …)
  • Process module general information (address, size, …)
  • A bunch of hashes (MD5, SHA1, SHA256, …)
  • Process memory pages, with ability to dump.
  • Injected pages detection, non-readable pages detection.
  • Ability to dump injected pages to file.
  • Hex code, with ability to search (hex values, or string ANSI/UNICODE).
  • Assembly code, with ability to navigate.
  • PE Headers (MZ, PE, Optional, …)
  • RunPE detection, shows which header fields are modified.
  • Checksum validation.
  • PE Sections, with ability to watch hex code and dump to file.
  • PE Imports, with ability to watch the APIs' assembly code (memory only).
  • PE Exports, with ability to watch the APIs' assembly code.
  • Hooks detection in imports/exports (table and inline hooks).
  • PE Resources. Able to parse all well-known types and display them accordingly (strings, version information, icons, …)
  • Executable files detection in resources.
  • Ability to watch hex code of resources.
  • Ability to dump resources to file.
  • PDB path detection.
  • Strings scanner, with classification (Registry, files, …)
  • Ability to dump all strings (by category or not) to file.

User guide

  • Start the tool.
  • Drag a file on the interface, or load the process list.
  • If you choose a file, there you go.
  • If you choose a process, you can inspect a different module by selecting a new one in the modules list.
  • If you choose a process, you can toggle disk/image and switch from process memory to disk image and vice versa.

Source: RogueKillerPE download
