Paper Clip Productions

Function Hacker

Downloads:
Latest version:
Function Hacker v2.5

and older versions:

Credits:

• Geoff McDonald, JLIB_HTML_CLOAKING
• Zelimir Bozic, JLIB_HTML_CLOAKING .

Thanks WindowFinder by Corneliu I. Tusnea.

Description:
This is for 32bit processes only. If you are running a 64bit operating system, only try to attach to processes running in 32 bit mode.

Function Hacker is a dedicated hacking, reverse-engineering, debugging, and anti-virus tool. It utilizes mass code-injection to record inter-modular and intra-modular calls within the target process to allow for quickly find functions within the target process. Please provide feedback on bugs or feature ideas to me at JLIB_HTML_CLOAKING .

• Records inter-modular and intra-modular function calls.
• Visualization for the function calls. All the calls are visualized by drawing lines between the functions.
• Visualization for the function call frequency versus time for each data recording. Using the mouse this can be zoomed in on, regions can be selected, and the cursor can be set.
• Lists the function call traces with arguments for the data recordings.
• Automatic detection of number of function arguments.
• Names of functions are included when available.
• Can filter the function calls based on a large variety of criterion including type, time range, call count, number of agruments, argument contents, and address.
• Can enable and disable functions through the right-click context menu on the functions.
• Can send function calls through the right-click context menu on the functions.

Version History:

March 25th, 2012: Function Hacker v2.5

• Calls with source addresses larger or smaller than the largest or smallest call destination address within a module are excluded.
• The destination of each call is analyzed now, and if it lies in the middle of an instruction it will be excluded.
• A bug in the disassembly engine has been fixed where calls would be improperly thought to exist. A check was added to make sure the call instruction is 5 bytes to qualify.
• Function address, name, or both, can be copied to clipboard through the right click context menu.
• The user settings can now be edited, only a few basic options are available.

January 14th, 2012: Function Hacker v2.4

• Quick Filter feature has been added. This is a quick text filter on the Description column of the function list.
• Changed to software vertex processing, which may fix some problems with displaying the call display bar.
• Upgraded to a new custom disassembly engine.
• Can zoom in on the call display bar with the mouse scroll wheel.
• Shortcut key of CTRL+F5 has been added to start and stop a recording.
• Can load symbols from .map files. Right click in the function list and select the load from .map file option.
• Estimating the number of arguments for functions has been fixed, this should result in far fewer target process crashes when sending function calls.
• Functions can now be renamed. Click on the function name in the Description column, and type in a custom name.
• Advanced users can now edit exact heaps to disassemble.
• Now recognizes function calls to jump table PE import tables.
• Can enable or disable multiple functions at the same time.
• The options dialog to change the cache size and maximum number of functions to record is now skipped to reduce the complexity of the program for the user.

July 26th, 2011: Function Hacker v2.3 Alpha

• Can now send calls to functions. Just right click on the function in the function list or call list and select Send Calls.
• A basic memory viewer has been added. Right click on a memory heap on the left side to bring a tab up.
• Improved the assembly analysis to estimate the code regions. This should reduce the number of target process crashes.
• The default selected modules is now smarter.
• Slight restructuring of the function list and call list tables.
• Can now resize most of the panels.
• Fixed a visualization bug when clipping recorded data to selected region and replacing current list.

June 6th, 2011: Function Hacker v2.2 Alpha

• Fixed the dropping of the last call in each measurement when the last call had no arguments.
• Fixed a crash when navigating the function list/call lists.
• The PE function importing now handles tables with no function name directory.
• Complete address of source and destination functions added to the call list.

June 3rd, 2011: Function Hacker v2.1 Alpha

• Fixed crash when generating process memory map on some machines.
• Fixed the data collection dropping the last funciton call of each measurement.
• Added better assembly analysis to estimate the code regions. This should reduce the number of target process crashes.
• The function and call display grids are now wider.
• Imported functions with multiple names associated with the same address are now all displayed.
• Fix a minor playbar display error when viewing data after clipping to selected region.
• The call and function call display grids now remember your selection and scroll position when changing between them.
• Can now delete functions through the right click context menu.

June 2nd, 2011: Function Hacker v2.0 Alpha

• Initial release of version 2.

YouTube Tutorial Video:

Screenshots: