TProbe was created to enable and support the work of RE analysts analysing software (i.e. cyber weapons) used in cyber operations. I created it with my colleague back in 2017; it started even earlier, as part of our project within the Polish chapter of the Honeynet Project. I think it was one of the first, if not THE first, introspective debuggers that ran in its entirety outside the debugged OS.
TProbe significantly reduces analysis time by lowering barriers and delivering more data for analysis. Withdrawing from the debugged environment increases the chance of evading anti-debugging techniques: it is almost impossible for a software sample to alter its behaviour in response to detecting your analysis.
Providing a memory view from the perspective of the kernel and of other processes means that you need only one tool to analyse all the operations performed in the analysis environment. You can change perspective from one process to another, or to the kernel perspective, with a single click. Delivering ready-to-use data structures lets you interpret memory easily and rapidly.
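The mechanism behind "changing perspective" from outside the guest is a page-table walk over the VM's raw physical memory: a process is identified by its CR3, and the same virtual address resolves to different physical pages under different CR3 values. The following is an added illustration, not TProbe's own code; the physical image, the two processes and their page tables are constructed inline, and the layout assumed is the standard x86-64 4-level paging scheme.

```python
import struct

PAGE, PRESENT, LARGE = 0x1000, 1, 1 << 7         # LARGE = PS bit in a PD entry (2 MiB page)
ADDR = 0x000F_FFFF_FFFF_F000                      # physical-address bits of a table entry
VA = 0x400000                                     # constructed: typical image base of a PE file

def entry(phys, table_pa, idx):
    return struct.unpack_from("<Q", phys, table_pa + idx * 8)[0]

def translate(phys, cr3, va):
    """4-level x86-64 page walk over the raw physical image: the context (process) is just a CR3."""
    e = entry(phys, cr3 & ADDR, (va >> 39) & 0x1FF)          # PML4
    if not e & PRESENT: return None
    e = entry(phys, e & ADDR, (va >> 30) & 0x1FF)            # PDPT
    if not e & PRESENT: return None
    e = entry(phys, e & ADDR, (va >> 21) & 0x1FF)            # PD
    if not e & PRESENT: return None
    if e & LARGE:                                            # 2 MiB page: no PT level
        return (e & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF)
    e = entry(phys, e & ADDR, (va >> 12) & 0x1FF)            # PT
    if not e & PRESENT: return None
    return (e & ADDR) | (va & 0xFFF)

def read_virtual(phys, cr3, va, size):
    """Read `size` bytes at `va` as the process owning `cr3` sees them; None if any page is unmapped."""
    out = bytearray()
    while size:
        pa = translate(phys, cr3, va)
        if pa is None: return None
        n = min(size, PAGE - (pa & 0xFFF))                   # stop at the page boundary
        out += phys[pa:pa + n]; va += n; size -= n
    return bytes(out)

def build_sample_image():
    """Constructed physical memory: two processes mapping the same VA to different physical pages."""
    phys = bytearray(0x10000)
    def put(table_pa, idx, val): struct.pack_into("<Q", phys, table_pa + idx * 8, val)
    def map_process(cr3, pdpt, pd, pt, data_pa, payload):
        put(cr3, (VA >> 39) & 0x1FF, pdpt | PRESENT)
        put(pdpt, (VA >> 30) & 0x1FF, pd | PRESENT)
        put(pd, (VA >> 21) & 0x1FF, pt | PRESENT)
        put(pt, (VA >> 12) & 0x1FF, data_pa | PRESENT)
        phys[data_pa:data_pa + len(payload)] = payload
    map_process(0x1000, 0x2000, 0x3000, 0x4000, 0x5000, b"MZ image of process A")
    map_process(0x6000, 0x7000, 0x8000, 0x9000, 0xA000, b"MZ image of process B")
    return phys, {"A": 0x1000, "B": 0x6000}

if __name__ == "__main__":
    phys, cr3s = build_sample_image()
    for name, cr3 in cr3s.items():                           # switching perspective = switching CR3
        print(name, hex(cr3), read_virtual(phys, cr3, VA, 21))
```

In a real introspection setup the physical image would be the guest's memory exposed by the hypervisor and the CR3 values would come from the guest's process list, which is what a Volatility-style profile recovers.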
I wrote a series of introductory articles:
Tech stack:
[ C ] [ Python ] [ Qemu ] [ Volatility ]
Project link: