Immunity Debugger & Python (office97~2003)
Post on 02-Apr-2015
Beistlab, 장민창 (mins4416@naver.com)
Immunity Debugger's summary & features
Structure & instructions for Immunity Debugger's Python scripts
How to use Python Script
Practice & Etc
Simple, understandable interface
Robust and powerful scripting language for automating intelligent debugging
Lightweight and fast debugging to prevent corruption during complex analysis
Connectivity to fuzzers and exploit development tools
Easy visualization of the debuggee context, reminiscent of OllyDbg
The capability of creating function graphs
Easier to learn complex commands
Immunity Debugger’s Command line plug-in has a simple interface
We can debug remotely from another computer using the remote command line server
Example - A 401000, XOR EAX,EAX - assemble the instruction at the given address
Immunity Debugger's Python API includes many useful utilities and functions
Most of what we can think of can be done with a Python script
Familiar and easy to learn
Open source
Basic Frame
PyCommands -Immunity Debugger\PyCommands
PyHooks -Immunity Debugger\PyHooks
PyScripts -Immunity Debugger\PyScripts
PyCommands - Can be executed from the command bar and main toolbar - If the PyCommand needs extra argument
Example - !scanpe - Detects the packer/cryptor of the main module; can also scan just the EntryPoint
PyHooks - Python hooks that are loaded at startup; they look exactly like a Python plug-in, only that they are placed inside the PyHooks directory
Example - myhook = imm.AccessViolationHook() - myhook.add() - myhook.disable()
PyScripts - PyScripts are called when ALT+F3 is pressed or the PyScript icon on the main toolbar is clicked
We need knowledge of Immunity Debugger's API and of Python
Immunity Debugger API - http://debugger.immunityinc.com/update/Documentation/ref
API groups - Display, BreakPoint, Assemble/Disasm, Memory, Flow, Fetch Information, Search, Hook, Misc
Display API - Used for making visual effects in Immunity Debugger
Example - Error(msg) - setStatusBar(msg)
BreakPoint API - Used for setting up BreakPoint
Example - setBreakpoint(address) - disableBreakpoint(address) - setMemBreakpoint(address, type, size)
Memory API - Used for reading and writing values from the Memory address
Example - readMemory(address, size) - writeMemory(address, buffer)
Flow API - Used for executing and stepping (Run/StepOver/StepIn)
Example - Run(address) - StepOver(address) - StepIn(address)
Search API - Used for searching code
Example - Search(buffer) - searchCommands(cmd) - searchCommandsOnModule(address, cmd)
PyCommands - Can be executed from the command bar and main toolbar
Example - bpxep - hidedebug - searchcode - packets
bpxep - Sets a breakpoint on the EP (entry point) of the main module
hidedebug - Used to patch many anti-debugging tricks (anti-debug, anti-process-finding, anti-window-finding)
Example - IsDebuggerPresent
hidedebug.py Line 225 ~ 237
Original - IsDebuggerPresent (step-by-step screenshots, steps 1 to 4, not reproduced)
patch.py - Used to patch IsDebuggerPresent
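The IsDebuggerPresent patch above, written out as an added example. This is my code, not hidedebug.py or the presenter's patch.py: a PyCommand that overwrites the start of kernel32!IsDebuggerPresent with XOR EAX,EAX / RET so it always returns FALSE, but only after checking that the bytes there are the prologue it expects, and keeping the original bytes so the patch can be undone. The expected prologue (MOV EAX, FS:[18h] on 32-bit Windows XP/7) and the immlib calls getAddress, readMemory, writeMemory, addKnowledge, getKnowledge and log are assumptions taken from the API reference the slides cite; the patch logic itself is plain Python and can be checked outside the debugger.

```python
# Added example (not hidedebug.py's or patch.py's code): neutralize
# kernel32!IsDebuggerPresent with a verified, reversible patch.
# The patch logic is pure Python; only main() touches immlib, which is
# imported lazily because it exists only inside Immunity Debugger.
# Written to run on both Python 2 (Immunity) and Python 3.
import binascii

# Assumed prologue of IsDebuggerPresent on 32-bit Windows XP/7:
#   64 A1 18 00 00 00   mov   eax, fs:[18h]       ; TEB
#   8B 40 30            mov   eax, [eax+30h]      ; TEB.ProcessEnvironmentBlock
#   0F B6 40 02         movzx eax, byte [eax+2]   ; PEB.BeingDebugged
#   C3                  ret
EXPECTED_PROLOGUE = bytearray(b"\x64\xA1\x18\x00\x00\x00")

# Replacement:  33 C0  xor eax,eax  ;  C3  ret   -> always returns FALSE
PATCH = bytearray(b"\x33\xC0\xC3")

SNAPSHOT_LEN = 16   # bytes read and kept so the patch can be undone


def is_patched(snapshot):
    """True if the function already starts with the xor eax,eax / ret stub."""
    return bytearray(snapshot[:len(PATCH)]) == PATCH


def build_patch(snapshot):
    """Return a patched copy of the first SNAPSHOT_LEN bytes of the function.

    Refuses to patch if the prologue is not the expected 'mov eax, fs:[18h]':
    a different prologue means another Windows build, or that something else
    (an anti-debug hook, a packer) already rewrote the function, and blindly
    overwriting it would destroy evidence or crash the debuggee.
    """
    snap = bytearray(snapshot)
    if len(snap) < SNAPSHOT_LEN:
        raise ValueError("need %d bytes, got %d" % (SNAPSHOT_LEN, len(snap)))
    if is_patched(snap):
        return snap                          # idempotent: nothing to do
    if snap[:len(EXPECTED_PROLOGUE)] != EXPECTED_PROLOGUE:
        raise ValueError("unexpected prologue: %s"
                         % binascii.hexlify(bytes(snap[:8])).decode())
    patched = bytearray(snap)
    patched[:len(PATCH)] = PATCH            # overwrite only the first 3 bytes
    return patched


def main(args):
    """Immunity Debugger PyCommand: !patchidp [restore]  (immlib calls assumed)."""
    from immlib import Debugger              # available only inside Immunity Debugger
    imm = Debugger()
    addr = imm.getAddress("kernel32.IsDebuggerPresent")
    if addr <= 0:
        return "kernel32.IsDebuggerPresent not found (is kernel32 loaded?)"
    snapshot = bytearray(imm.readMemory(addr, SNAPSHOT_LEN))

    if args and args[0] == "restore":
        saved = imm.getKnowledge("idp_original")   # stored by an earlier run
        if not saved:
            return "no saved original bytes"
        imm.writeMemory(addr, bytes(saved))
        return "IsDebuggerPresent restored at 0x%08x" % addr

    try:
        patched = build_patch(snapshot)
    except ValueError as e:
        return "refusing to patch: %s" % e
    if patched == snapshot:
        return "IsDebuggerPresent at 0x%08x is already patched" % addr
    imm.addKnowledge("idp_original", bytes(snapshot))   # keep bytes for 'restore'
    imm.writeMemory(addr, bytes(patched))
    imm.log("patched IsDebuggerPresent at 0x%08x -> xor eax,eax / ret" % addr, addr)
    return "IsDebuggerPresent now always returns FALSE"
```

Save it as PyCommands\patchidp.py and run !patchidp after the debuggee has loaded kernel32; !patchidp restore puts the saved bytes back. The prologue check is the part worth copying: a patcher that writes 33 C0 C3 unconditionally will happily clobber a function that a packer has already hooked, and you lose the evidence of that hook.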
packets - Creates a table that displays packets received on the network.
127.0.0.1:5555
Forking & Finding Mines - Target file : system32\winmine.exe - APIs used : readMemory, writeMemory
Board memory ranges read from the start address (size = end - start):
0x01005340 ~ 0x0100548A - size = 0x14A
0x01005340 ~ 0x0100556F - size = 0x22F
0x01005340 ~ 0x0100557F - size = 0x23F
0x01005340 ~ 0x0100567F - size = 0x33F
mine_finder.py
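A mine finder for winmine.exe as an added example; this is my code, not the presenter's mine_finder.py. It assumes the commonly documented layout of the Windows XP winmine.exe board, which is consistent with the start address 0x01005340 on the slide: the board is a grid of 32-byte rows starting at that address, one byte per cell, border cells are 0x10, a covered safe cell is 0x0F, a covered mine is 0x8F (the high bit marks a mine) and a flagged mine is 0x8E. The width and height addresses (0x01005334 and 0x01005338) and the immlib calls readMemory, writeMemory and log are assumptions as well. The board logic is plain Python so it can be checked offline with a constructed board; only main() touches the debugger.

```python
# Added example, not the presenter's mine_finder.py. Board layout, the
# width/height addresses and the immlib calls are assumptions (see lead-in).
# Pure functions first (testable offline), then the PyCommand wrapper.
# Written to run on both Python 2 (Immunity) and Python 3.
import struct

BOARD_BASE  = 0x01005340   # first grid byte (from the slide)
ROW_STRIDE  = 0x20         # one grid row = 32 bytes (assumed layout)
WIDTH_ADDR  = 0x01005334   # assumed: DWORD board width
HEIGHT_ADDR = 0x01005338   # assumed: DWORD board height

CELL_BORDER       = 0x10   # cells outside the playable area
CELL_COVERED      = 0x0F   # covered, no mine
CELL_COVERED_MINE = 0x8F   # covered mine
CELL_FLAGGED_MINE = 0x8E   # mine with a flag on it
MINE_BIT          = 0x80   # set on every cell that holds a mine


def board_span(width, height):
    """Offset of the bottom-right border cell from BOARD_BASE.

    Playable cells occupy rows 1..height and columns 1..width; row 0,
    column 0 and the row/column just past the board are border cells.
    """
    return ROW_STRIDE * (height + 1) + (width + 1)


def cell_index(row, col):
    return row * ROW_STRIDE + col


def find_mines(board, width, height):
    """Return [(row, col), ...] of every mine, scanning playable cells only."""
    board = bytearray(board)
    mines = []
    for row in range(1, height + 1):
        for col in range(1, width + 1):
            if board[cell_index(row, col)] & MINE_BIT:
                mines.append((row, col))
    return mines


def render(board, width, height):
    """ASCII picture of the board: '*' = mine, '.' = safe cell."""
    board = bytearray(board)
    lines = []
    for row in range(1, height + 1):
        lines.append("".join("*" if board[cell_index(row, c)] & MINE_BIT else "."
                             for c in range(1, width + 1)))
    return lines


def flag_mines(board, width, height):
    """Copy of the board with every covered mine turned into a flagged mine.

    Only 0x8F -> 0x8E is touched; mines the player already flagged and every
    non-mine cell are left alone, so the game's own state stays consistent.
    """
    flagged = bytearray(board)
    for row, col in find_mines(flagged, width, height):
        if flagged[cell_index(row, col)] == CELL_COVERED_MINE:
            flagged[cell_index(row, col)] = CELL_FLAGGED_MINE
    return flagged


def make_sample_board(width, height, mines):
    """Constructed test fixture: a board image laid out like winmine's grid."""
    board = bytearray([CELL_BORDER]) * (board_span(width, height) + 1)
    for row in range(1, height + 1):
        for col in range(1, width + 1):
            board[cell_index(row, col)] = CELL_COVERED
    for row, col in mines:
        board[cell_index(row, col)] = CELL_COVERED_MINE
    return board


def main(args):
    """Immunity Debugger PyCommand: !minefinder [flag]  (attach to winmine.exe first)."""
    from immlib import Debugger            # available only inside Immunity Debugger
    imm = Debugger()
    width  = struct.unpack("<I", imm.readMemory(WIDTH_ADDR, 4))[0]
    height = struct.unpack("<I", imm.readMemory(HEIGHT_ADDR, 4))[0]
    if not (1 <= width <= 30 and 1 <= height <= 24):
        return "implausible board %dx%d: wrong winmine build?" % (width, height)
    board = bytearray(imm.readMemory(BOARD_BASE, board_span(width, height) + 1))
    mines = find_mines(board, width, height)
    for line in render(board, width, height):
        imm.log(line)
    if args and args[0] == "flag":
        imm.writeMemory(BOARD_BASE, bytes(flag_mines(board, width, height)))
        return "%d mines found and flagged in memory" % len(mines)
    return "%d mines found" % len(mines)
```

Under this layout board_span() reproduces three of the four sizes on the slide: 0x14A for the 9x9 beginner board, 0x23F for the 30x16 expert board and 0x33F for the largest 30x24 custom board, so those sizes are simply the offset of the bottom-right border cell for each board. The sanity check on width and height before reading the grid is there so that the script reports a mismatch instead of dumping garbage when attached to a winmine.exe build with a different layout.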
Thank you - IsDebuggerPresent.exe http://zesrever.xstone.org/9 - Winmine.exe Microsoft Windows