RevEngX is an extension for the Debugging Tools for Windows (the Windows debuggers: windbg.exe, ntsd.exe, etc.) that aids the user in research, reverse engineering, finding IAT and EAT hooks, and performing code injection from the debugger. x86 and x64 targets are supported.
RevEngX is licensed, not sold. By downloading a RevEngX module you indicate your acceptance of the license agreement.
Installation
To install RevEngX you must first have installed the Debugging Tools for Windows, available from https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx. Select the appropriate 64-bit (AMD64 / x64) or 32-bit (i386 / x86) version for your system. Note that if you are using a 64-bit (AMD64 / x64) system you can use the x64 version of RevEngX with 32-bit (WOW64) processes.
Next download the matching x64 or x86 version of RevEngX.dll from the list below. Verify that the file has not been tampered with by checking the SHA1 or MD5 hash against the values listed. Keep in mind what that check does and does not prove: MD5 and SHA1 are no longer collision resistant, and hashes published on the same page as the download cannot detect a compromise of the page itself, so the check guards against a corrupted, truncated or mismatched download rather than establishing authenticity. Then copy RevEngX.dll into the winext\ directory created by the Debugging Tools for Windows installer (e.g. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\ ). The debugger bitness and the RevEngX.dll bitness must match: the x64 debugger loads only the x64 RevEngX.dll and the x86 debugger only the x86 one.
To use the extension in the debugger (e.g. windbg.exe, ntsd.exe, etc.) load it with !load RevEngX
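The installation steps above, carried out as one script. This is an added example and is not part of the RevEngX distribution; it assumes the downloaded RevEngX.dll sits in the user's Downloads folder and that the debugger is installed at the default Windows 10 SDK path, and it must run from an elevated prompt because winext\ lives under Program Files. The expected hashes are the ones published in the Downloads table below; the PE machine-type check is an extra sanity check (not something the page asks for) that the DLL bitness matches the debugger you are copying it into.

```powershell
# Added example, not part of RevEngX: verify the published RevEngX.dll hashes,
# confirm the DLL's bitness, and copy it into the debugger's winext\ directory.
# Assumed locations: $DownloadDir for the downloaded file and the default
# Windows 10 SDK debugger path for winext\. Adjust both for your machine.
param(
    [ValidateSet('x64', 'x86')] [string] $Arch = 'x64',
    [string] $DownloadDir = "$env:USERPROFILE\Downloads"
)

# Hashes of the unzipped RevEngX.dll as published in the Downloads table.
$Expected = @{
    'x64' = @{ MD5 = '3d0a75cd7e592bfce5cce225c1be2994'; SHA1 = 'bc54db1fb852c016a56af012be82f6125706e880' }
    'x86' = @{ MD5 = '2175de698f2ed97a0c44c3ae5527a9ab'; SHA1 = '67ebc1d209ca326649886de88600110def6f0707' }
}

$Dll = Join-Path $DownloadDir 'RevEngX.dll'
if (-not (Test-Path $Dll)) { throw "RevEngX.dll not found in $DownloadDir" }

# Require both digests to match. Get-FileHash returns upper-case hex, so normalise
# before comparing. A mismatch means a corrupt or altered file: stop before copying.
foreach ($Algo in 'MD5', 'SHA1') {
    $Actual = (Get-FileHash -Path $Dll -Algorithm $Algo).Hash.ToLowerInvariant()
    if ($Actual -ne $Expected[$Arch][$Algo]) {
        throw "$Algo mismatch for $Arch RevEngX.dll: expected $($Expected[$Arch][$Algo]), got $Actual"
    }
}

# Sanity check (assumption, not from the page): the PE header's Machine field must
# match the debugger bitness, since an x64 debugger cannot load an x86 extension.
$Bytes = [System.IO.File]::ReadAllBytes($Dll)
if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { throw 'Not an MZ executable' }
$PeOffset = [BitConverter]::ToInt32($Bytes, 0x3C)
if ($PeOffset + 6 -gt $Bytes.Length -or $Bytes[$PeOffset] -ne 0x50 -or $Bytes[$PeOffset + 1] -ne 0x45) {
    throw 'PE signature not found'
}
$Machine     = [BitConverter]::ToUInt16($Bytes, $PeOffset + 4)
$WantMachine = @{ 'x64' = 0x8664; 'x86' = 0x014C }[$Arch]   # IMAGE_FILE_MACHINE_AMD64 / I386
if ($Machine -ne $WantMachine) {
    throw ('Machine type 0x{0:X4} does not match requested architecture {1}' -f $Machine, $Arch)
}

# Assumed default winext\ location for the chosen debugger bitness.
$WinExt = "C:\Program Files (x86)\Windows Kits\10\Debuggers\$Arch\winext"
if (-not (Test-Path $WinExt)) { throw "Debugger winext directory not found: $WinExt" }

Copy-Item -Path $Dll -Destination $WinExt -Force
Write-Host "Installed verified RevEngX.dll ($Arch) into $WinExt"
Write-Host 'In the debugger, load it with: !load RevEngX'
```

Run it as `.\Install-RevEngX.ps1 -Arch x86` for the 32-bit debugger. The script refuses to copy anything unless both published hashes match, which is the order a practitioner wants: verification first, installation second, and nothing ever lands in the debugger's extension directory on a mismatch.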
Downloads
Each entry below gives the downloadable version followed by its secure hash and/or the changes it introduces.

RevEngX.dll for 64-bit x64/AMD64 Debugging Tools for Windows
  MD5:  3d0a75cd7e592bfce5cce225c1be2994
  SHA1: bc54db1fb852c016a56af012be82f6125706e880

RevEngX.dll for 32-bit x86/i386 Debugging Tools for Windows
  MD5:  2175de698f2ed97a0c44c3ae5527a9ab
  SHA1: 67ebc1d209ca326649886de88600110def6f0707

v1.0.0.17.release.zip containing both 64-bit and 32-bit RevEngX.dll's
  Changes:
  - Fixes !callfn on Windows 10 Anniversary Update and elsewhere, where WriteProcessMemory no longer overrides page permissions.
  - Adds DML to the !callfn usage examples.
  - !callfn -noexec now retains virtual memory, as with -retainvm.

v1.0.0.15.release.zip containing both 64-bit and 32-bit RevEngX.dll's
  Changes:
  - Fixes !callfn where an x64 target function was beyond the 32-bit reach of a relative (0xe8) call.
  - Fixes !callfn on Windows 8, where the WOW64 ntdll is named ntdll_xxxx (where xxxx is the base address) instead of ntdll32.dll.
  - Fixes !callfn so that the AMD64 debugger can invoke functions in a WOW64 debuggee properly.

v1.0.0.14.release.zip containing both 64-bit and 32-bit RevEngX.dll's
  Adds commands:
  - !iid pointer-to-iid [match-iid-or-regname-to-set-$t1] - Displays an IID and optionally matches it
  - !clsid pointer-to-clsid [match-clsid-or-regname-to-set-$t0] - Displays a CLSID and optionally matches it
  - !regiid IID name - Registers an IID (in the database)
  - !regclsid CLSID name - Registers a CLSID (in the database)

v1.0.0.10.release.zip containing both 64-bit and 32-bit RevEngX.dll's
  See above for the hashes of the unzipped RevEngX.dll's.

v1.0.0.9.release.zip containing both 64-bit and 32-bit RevEngX.dll's

v1.0.0.6.release.zip containing both 64-bit and 32-bit RevEngX.dll's