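def main(args):
    """PyCommand entry point: open StrCpy.exe, attach to a PID, list modules.

    Args:
        args: command-line tokens; args[0] is expected to be a decimal PID.

    Returns:
        A status string shown in the debugger's status bar.
    """
    imm = immlib.Debugger()

    # The target PID must be present and numeric; the original indexed
    # args[0] unconditionally, which raised IndexError/ValueError on bad input.
    if not args:
        return "Usage: <pid>"
    try:
        pid = int(args[0])
    except ValueError:
        return "Invalid PID: %s" % args[0]

    # Kept from the original: the process is opened from a fixed path and
    # then a PID is attached to as well.
    imm.openProcess("C://StrCpy.exe")

    #### Attaching to Process ####
    imm.Attach(pid)

    #### Show all Modules and their abilities ####
    table = imm.createTable("Module Information",
                            ['Name', 'Base', 'Entry', 'Size', 'Version'])

    # getAllModules() returns a mapping; only the module objects are needed.
    for module in imm.getAllModules().values():
        table.add(0, [
            module.getName(),
            '%08X' % module.getBaseAddress(),
            '%08X' % module.getEntry(),
            '%08X' % module.getSize(),
            module.getVersion(),
        ])

    # NOTE(review): getRes() -- confirm this method exists in immlib; a
    # similar example on this page logs getRegs() here instead.
    imm.log(str(imm.getRes()))

    return "Success"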
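    def run(self, regs):
        """Hook callback: runs when the hooked function is entered.

        Logs every register, then installs an end-of-function hook plus heap
        allocate/free hooks keyed on the caller's return address. The hook
        classes (EndHook, RtlAllocateHeapHook, RtlFreeHeapHook) and the
        attributes allocaddr/freeaddr/continuos are defined outside this view.

        Args:
            regs: mapping of register name -> value at the hook point.
        """
        imm = immlib.Debugger()
        # Return address of the hooked function, read from the saved frame
        # (EBP+4). A zero/None read is treated as a broken frame below.
        retaddr = imm.readLong(regs['EBP'] + 4)
        for name, value in regs.items():
            imm.log("%s:%08x" % (name, value))

        if not retaddr:
            self.UnHook()
            imm.log("Unhooking, wrong ESP")
            return

        endhook = EndHook(retaddr)
        endhook.add("EndHook_%x" % retaddr, retaddr)

        ahook = RtlAllocateHeapHook(retaddr)
        ahook.add("Alloc_%08x" % retaddr, self.allocaddr)

        fhook = RtlFreeHeapHook(retaddr)
        fhook.add("Free_%08x" % retaddr, self.freeaddr)
        # Stored under the return address, presumably so the end hook can
        # find and remove both heap hooks later -- EndHook is not visible here.
        imm.addKnowledge("end_%08x" % retaddr, (ahook, fhook))

        imm.log("o Sniffing the selected Function", address=regs['EIP'])
        # Unused locals `readaddr`/`size` from the original were dropped.
        if not self.continuos:
            self.UnHook()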
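def main(args):
    """Assemble the given instruction text and report every address it occurs at.

    Args:
        args: instruction text, one token per element (rejoined with spaces).

    Returns:
        Status-bar string summarising the hit count.
    """
    imm = immlib.Debugger()

    # Nothing to assemble: the original passed "" to Assemble()/Search().
    if not args:
        return "Usage: <instruction> (e.g. jmp esp)"

    look = " ".join(args)
    hits = imm.Search(imm.Assemble(look))

    for address in hits:
        module = imm.findModule(address)
        # findModule() returns a falsy value when the address is outside
        # every known module; otherwise the first element is the name.
        module_name = module[0] if module else "none"

        # Grab the memory access type for this address
        page = imm.getMemoryPagebyAddress(address)
        access = page.getAccess(human=True)

        imm.Log("Found %s at 0x%08x [%s] Access: (%s)" %
                (look, address, module_name, access),
                address=address)

    if hits:
        return "Found %d address (Check the Log Windows for details)" % len(
            hits)
    return "Sorry, no code found"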
 def run(self, regs):
     """Hook callback: dump the current call stack to the log window.

     Args:
         regs: register snapshot supplied by the hook framework (unused).
     """
     imm = immlib.Debugger()
     fmt = ("Address: %08x - Stack: %08x - Procedure: %s"
            " - frame: %08x - called from: %08x")
     for frame in imm.callStack():
         fields = (frame.address, frame.stack, frame.procedure,
                   frame.frame, frame.calledfrom)
         imm.log(fmt % fields)
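def main(args):
    """PyCommand: run findPacker() on a module.

    Options:
        -m MODULE  module name to analyse (required)
        -f         clears OnMemory (presumably: analyse the file on disk)

    Returns:
        Status-bar string on error. The visible part of the snippet ends
        right after findPacker(), so the success path returns None here.
    """
    imm = immlib.Debugger()
    if not args:
        usage(imm)
        return "No args"
    try:
        opts, _ = getopt.getopt(args, "m:f")
    except getopt.GetoptError:
        usage(imm)
        return "Bad heap argument %s" % args[0]

    module = None
    OnMemory = 1  # -f switches this to 0

    for opt, val in opts:
        if opt == "-m":
            module = val
        elif opt == '-f':
            OnMemory = 0

    if not module:
        usage(imm)
        return "No module provided, see the Log Window for details of usage"

    try:
        ret = imm.findPacker(module, OnMemory=OnMemory)
    except Exception as msg:  # Py2 "except X, e" is not valid Py3 syntax
        return "Error: %s" % msg
    # NOTE(review): `ret` is never used or returned in the visible snippet;
    # the original appears truncated here.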
def main(args):
    """Print per-section info for the debugged PE, then apply the Patch_* helpers.

    pefile parses the module's on-disk path; each section becomes a SEC
    record (defined elsewhere) printed via sec_print(). The Patch_* helpers
    and SEC are not visible in this view.
    """
    imm = immlib.Debugger()
    path = imm.getModule(imm.getDebuggedName()).getPath()
    pe = pefile.PE(path)
    filename = os.path.basename(path)

    sections = []
    names = []
    unnamed = 0  # label for sections whose name is empty
    image_base = pe.OPTIONAL_HEADER.ImageBase
    for section in pe.sections:
        name = section.Name.strip("\x00")
        if not name:
            name = str(unnamed)
            unnamed += 1
        entropy = section.get_entropy()
        names.append(name)
        start = image_base + section.VirtualAddress
        size = section.Misc_VirtualSize
        #imm.log("section : %s || start addr : 0x%08X || size : 0x%08X" % (name, start, size))
        # The original passed the entropy twice (sec_enp and final_enp).
        sections.append(SEC(name, entropy, entropy, start, size))

    for record in sections:
        record.sec_print(imm)

    Patch_isdebuggerpresent(imm)
    Patch_checkremotedebuggerpresent(imm)
    Patch_zwqueryinformationprocess_test(imm)
    Patch_PEB(imm)
    Patch_PEB2(imm)
    Patch_Findwindow(imm)

    ##Yoda's Protector only
    Patch_getcurrentrocessid(imm)
    bpaddr = Patch_blockinput2(imm)
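def main(args):
    """PyCommand: apply a named anti-debugging patch.

    Options:
        -t TYPE  patch to apply; currently only "isdebuggerpresent".
        -s       accepted by the option string but unused here.

    Returns:
        Status-bar string.
    """
    patch_types = {"isdebuggerpresent": 0}
    imm = immlib.Debugger()

    if not args:
        return "give patch type..."

    try:
        opts, _ = getopt.getopt(args, "t:s")
    except getopt.GetoptError:
        usage(imm)
        return "Bad patch argument %s" % args[0]

    # Renamed from `type`, which shadowed the builtin.
    patch_type = None

    for opt, val in opts:
        if opt == '-t':
            low = val.lower()
            # dict.has_key() is Python-2-only; `in` works on both.
            if low not in patch_types:
                return "Invalid type: %s" % val
            patch_type = patch_types[low]

    # IsDebuggerPresent: overwrite the API entry so it returns 0.
    if patch_type == 0:
        imm.Log("Patching IsDebuggerPresent...")
        ispresent = imm.getAddress("kernel32.IsDebuggerPresent")
        imm.writeMemory(ispresent, imm.Assemble("xor eax, eax\n ret"))
        return "IsDebuggerPresent patched"

    usage(imm)
    return "Bad patch argument"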
def main(args):
    """List every loaded module in a table and log the current registers.

    Returns:
        Fixed status string shown in the status bar.
    """
    # starting the debugger instance
    imm = immlib.Debugger()

    columns = ["Name", "Base", "Entry", "Size", "File_Version"]
    table = imm.createTable("Module Information", columns)

    # getAllModules() returns a dict of loaded modules; only the values
    # (module objects with getName() etc.) are needed here.
    for module in imm.getAllModules().values():
        row = [
            module.getName(),
            '%08X' % module.getBaseAddress(),
            '%08X' % module.getEntry(),
            '%08X' % module.getSize(),
            module.getVersion(),
        ]
        table.add(0, row)

    # ADDITIONALLY: log the register state at this moment
    imm.log(str(imm.getRegs()))
    imm.updateLog()

    return "[!] spse-outputTable_xModules.py is finished with status 0"
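def main(args):
    """Main function used to invoke the decompiler.

    Adds the point-source decompiler directory to sys.path, imports it and
    runs its main(); any failure is logged together with a traceback.

    Returns:
        A status string, or the caught exception object (as the original
        assigned to `ret`).
    """
    imm = immlib.Debugger()

    from sys import path
    # FIXME: Remove this hardcoded path and get it dynamically from
    # somewhere else.
    path_to_add = r"y:\decompiler\decompilers\point source"

    if path_to_add not in path:
        path.append(path_to_add)

    try:
        # Import and call are inside the try so a failing decompiler run is
        # logged instead of escaping the PyCommand; the original try only
        # guarded a constant assignment.
        import pointsource
        imm.log("===> %s" % pointsource)
        from pointsource import main as test_main

        test_main()
        ret = "Decompiler execution finished"

    except Exception as err:  # Py2 "except X, e" is not valid Py3 syntax
        imm.log("[-] Error on:", focus=1)
        imm.logLines(format_exc())
        ret = err

    # `ret` was computed but never returned in the original.
    return ret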
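 def run2(self, regs):
     """This will be executed when hooktype happens.

     Reads strncpy's 2nd (src) and 3rd (maxlen) stack arguments, logs the
     source string and, when its length equals maxlen, dumps the call stack.

     Args:
         regs: register snapshot at the hook point; the second and third
             arguments sit at ESP+8 and ESP+0xc.
     """
     import struct

     imm = immlib.Debugger()
     imm.Error("hgook time")
     src_slot = regs['ESP'] + 0x8  #strncpy second arg
     maxlen_slot = regs['ESP'] + 0xc  #strncpy third arg
     # Both slots hold little-endian 32-bit values. The original rebuilt the
     # hex text byte by byte and then parsed `size` with int(size), i.e. as
     # DECIMAL, so the length comparison below was wrong for most values.
     (src_addr,) = struct.unpack('<L', imm.readMemory(src_slot, 4))
     (maxlen,) = struct.unpack('<L', imm.readMemory(maxlen_slot, 4))
     #read src arg
     readed = imm.readString(src_addr)
     imm.Log("strncpy source: %s" % readed)
     if len(readed) == maxlen:
         imm.Log("*** STACK ***")
         for frame in imm.callStack():
             imm.Log(
                 "Address: %08x - Stack: %08x - Procedure: %s - frame: %08x - called from: %08x"
                 % (frame.address, frame.stack, frame.procedure, frame.frame, frame.calledfrom))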
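def main(args):
    """Decode Silent Banker strings by executing the sample's own decoder.

    For every cross-reference to the decoding routine at 0x100122E8, walk
    backwards (up to 4 instructions) to the MOV that loads the encoded
    string's address, then point EIP at the call site, write that address
    into the two stack slots at ESP/ESP+4, step over the call and read the
    decoded result. This drives the debuggee: EIP and stack are overwritten.

    Returns:
        None; results go to the "Silent Banker Strings" table.
    """
    imm = immlib.Debugger()
    table = imm.createTable('Silent Banker Strings',
                            ['Address', 'Encoded', 'Decoded'])
    # get all cross-references to the decoding function
    refs = imm.getXrefFrom(0x100122E8)
    for ref in refs:
        call_site = ref[0]
        addr = None
        # disassemble backwards until finding MOV r32, <const>
        for back in range(1, 5):
            op = imm.disasmBackward(call_site, back)
            if op.getDisasm().startswith('MOV'):
                # get address of the encoded string in memory
                addr = op.getImmConst()
                break
        # `!= None` compares by equality; identity is the idiom.
        if addr is None:
            continue
        # read the encoded version of the string
        e_str = imm.readString(addr)
        # forcefully execute the decoding of each string
        imm.setReg('EIP', call_site)
        esp = imm.getRegs()['ESP']
        imm.writeLong(esp, addr)
        imm.writeLong(esp + 4, addr)
        imm.stepOver()
        # now read the decoded string
        d_str = imm.readString(addr)
        table.add('', ['0x%x' % addr, '%s' % e_str, '%s' % d_str])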
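def main(args):
    """Discover data types in a memory range and log each one found.

    Args:
        args: [ADDRESS, SIZE], both hexadecimal.

    Returns:
        Status-bar string, or usage() output on bad arguments.
    """
    imm = immlib.Debugger()
    # Covers the empty-args case as well.
    if len(args) != 2:
        return usage(imm)

    try:
        addr = int(args[0], 16)
        size = int(args[1], 16)
    except ValueError:
        # Non-hex input previously escaped as an uncaught ValueError.
        return usage(imm)

    dt = libdatatype.DataTypes(imm)
    mem = imm.readMemory(addr, size)
    if not mem:
        return "Error: Couldn't read anything at address: 0x%08x" % addr

    found = dt.Discover(mem, addr, what='all')
    imm.log("Found: %d data types" % len(found))

    for obj in found:
        # Only objects carrying data are printed (unused `t` local dropped).
        if obj.data:
            msg = obj.Print()
            imm.log("obj: %s: %s %d" % (obj.name, msg, obj.getSize()),
                    address=obj.address)

    return "Found: %d data types" % len(found)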
def main(args):
    """Hook msvcrt.strcpy with a DemoHook (defined elsewhere in this file)."""
    imm = immlib.Debugger()
    # Resolve where strcpy is loaded in the debuggee before creating the hook.
    target = "msvcrt.strcpy"
    target_address = imm.getAddress(target)
    hook = DemoHook()
    hook.add("Demo Hook", target_address)
    return "Success!"
def main(args):
    """Demo PyCommand: log, assemble "jmp esp / ret" and search for its bytes.

    The process-listing / module-table code that the original kept inside a
    dead triple-quoted string is preserved below as comments.
    """
    imm = immlib.Debugger()
    imm.log("Log Entry!")
    imm.updateLog()
    # table = imm.createTable("PyCommand Example", ["PID", "NAME", "PATH", "SERVICES"])
    # psList = imm.ps()
    # for ps in psList:
    #     table.add(0, [str(ps[0]), ps[1], ps[2], str(ps[3])])
    #
    # imm.Attach(2564)
    # imm.restartProcess()
    #
    # table = imm.createTable("Modules PyCommand", ["NAME", "BASE", "ENTRY", "SIZE", "VERSION"])
    # modules = imm.getAllModules()
    # for module in modules.values():
    #     table.add(0, [module.getName(), "%08x" %module.getBaseAddress(), "%08x" %module.getEntry(), "%08x" %module.getSize(), module.getVersion()])

    # Each byte of the assembled sequence is logged in hex.
    for byte in imm.assemble("jmp esp\nret"):
        imm.log("Assemble Func: " + hex(ord(byte)))

    # The same bytes (FF E4 C3), searched for directly and disassembled back.
    for hit in imm.search("\xff\xe4\xc3"):
        imm.log("Disassmble Func: " + imm.disasm(hit).getDisasm())
    imm.updateLog()

    return "PyCommand Return!!"
def main(args):
    """Install a DemoHook (defined elsewhere in this file) and report back."""
    imm = immlib.Debugger()
    hook = DemoHook()
    # NOTE(review): add() is called without an address here, unlike the
    # strcpy example's add("Demo Hook", address); confirm the hook type.
    hook.add("Demo Hook")

    return "YCSC Hooking PyCommand"
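def main(args):
    """PyCommand: show the DLL dependency tree of a process.

    Options:
        -p NAME   process name (required)
        -l LEVEL  tree depth, parsed as hexadecimal (default 3)

    Returns:
        Status-bar string.
    """
    imm = immlib.Debugger()
    try:
        opts, _ = getopt.getopt(args, "p:l:")
    except getopt.GetoptError:
        usage(imm)
        return "Wrong Arguments (Check usage on the Log Window)"

    processname = None
    level = 3

    for opt, val in opts:
        if opt == '-p':
            processname = val
        elif opt == '-l':
            # Kept as base 16 to match the original, so "-l 10" means 16.
            level = int(val, 16)

    # The original mixed tabs and spaces from here on (an IndentationError);
    # the block is now indented consistently.
    if processname is None:
        usage(imm)
        return "See log for usage info"

    tree = DLLTree(imm, processname, level)
    tree.Show()

    return "Check log window for results."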
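    def run(self, registers):
        """Hook callback for bind(): decode and log the sockaddr argument.

        The sockaddr pointer is the second stack argument (ESP+8). sin_port
        and sin_addr are stored big-endian and are unpacked accordingly.

        Args:
            registers: register snapshot at the hook point.
        """
        import struct

        imm = immlib.Debugger()
        imm.log('[+] bind called')

        # Read sockaddr structure address
        sockaddr = imm.readLong(registers['ESP'] + 8)

        # Read 2 bytes of sin_family member
        sockaddr_sin_family = imm.readShort(sockaddr)

        # sin_port (2 bytes, big-endian) followed by the 4 bytes of sin_addr;
        # one 6-byte read replaces six single-byte reads plus manual shifts.
        # (The unused `eip = registers['ESP']` local was dropped.)
        sockaddr_sin_port, ip1, ip2, ip3, ip4 = struct.unpack(
            '>H4B', imm.readMemory(sockaddr + 2, 6))

        # Print results to Log View window
        imm.log('---> Pointer to sockaddr structure: 0x%08x' % sockaddr)
        imm.log('---> sockaddr.sin_family: %d' % sockaddr_sin_family)
        imm.log('---> sockaddr.sin_port: %d' % sockaddr_sin_port)
        imm.log('---> sockaddr.sin_addr: %d.%d.%d.%d' % (ip1, ip2, ip3, ip4))
        imm.log('')
        imm.log("Press F9 to resume")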
def main(args):
    """Run inspect_module() (defined elsewhere) on every loaded module."""
    imm = immlib.Debugger()
    for module in imm.getAllModules().values():
        inspect_module(imm, module)

    return 'Analysis complete!'
def main(args):
    """Delete every breakpoint inside the debugged executable's image range."""
    imm = immlib.Debugger()
    main_module = imm.getModule(imm.getDebuggedName())
    start = main_module.getBase()
    stop = start + main_module.getSize()
    imm.deleteBreakpoint(start, stop)
    return "Deleted breakpoints"
def main(args):
    """Trace every register-indirect call in the debuggee and log its target.

    Breakpoints are set on the call sites returned by ModuleInfo.fetchRegCalls();
    each time one is hit the register is read, the call is stepped into and
    printFunction() reports the callee. banner, listModules, ModuleInfo,
    setBpOnAddresses, getRegValue and printFunction live elsewhere in this file.

    Returns:
        ".ok" on normal completion, ".err" if the process had already finished.
    """
    imm = immlib.Debugger()
    banner(imm)
    if imm.isFinished():
        imm.log("Process aleady finished!")
        return ".err"

    listModules(imm)

    info = ModuleInfo(imm)
    reg_calls = info.fetchRegCalls()
    setBpOnAddresses(imm, reg_calls.keys(), "Call via register")

    while not imm.isFinished():
        here = imm.getCurrentAddress()
        reg = reg_calls.get(here)
        if not reg:
            # Stopped somewhere that is not one of our call sites.
            imm.run()
            continue
        imm.log("CALL via: %s" % reg, here)
        target = getRegValue(imm, reg)
        if not target:
            break
        imm.stepIn()
        printFunction(imm, here, target)
        imm.run()

    # the returned string is shown in the status bar
    return ".ok"
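def main(args):
    """PyCommand: dump RPC information for one module, or for all non-system DLLs.

    Args:
        args: exactly one element -- a module name, or "all".

    Returns:
        Status-bar string.
    """
    imm = immlib.Debugger()
    if not args:
        usage(imm)
        return "Incorrect number of arguments (No args)"
    if len(args) != 1:
        usage(imm)
        return "Incorrect number of arguments"

    target = args[0]
    module_exists = False
    if target.lower() == "all":
        # dict.iteritems() is Python-2-only; iterating the dict yields the
        # names, which is all the original used (mod[0]).
        for name in imm.getAllModules():
            module = imm.getModule(name)
            if module.getIssystemdll() == 0:
                imm.setStatusBar("Fetching RPC information for: %s" % name)
                get_rpc_info(imm, module, name)
        module_exists = True
    else:
        mod = imm.getModule(target)
        if mod:
            module_exists = True
            imm.setStatusBar("Fetching RPC information for: %s" % target)
            get_rpc_info(imm, mod, target)

    if not module_exists:
        return "Module not found"
    return "Module information outputted, check the Log."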
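def main(args):
    """Report DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) flags for every loaded module.

    Reads e_lfanew at MZ+0x3c and the 16-bit DllCharacteristics field at
    PE+0x5e from the debuggee's memory. The IMAGE_DLLCHARACTERISTICS_* masks
    are defined elsewhere in this file.

    Returns:
        Status-bar string.
    """
    imm = immlib.Debugger()

    # code borrowed from safeseh pycommand

    # Iterating the dict yields its keys; .keys() was redundant.
    for name in imm.getAllModules():
        mzbase = imm.getModule(name).getBaseAddress()
        peoffset = struct.unpack('<L', imm.readMemory(mzbase + 0x3c, 4))[0]
        pebase = mzbase + peoffset
        flags = struct.unpack('<H', imm.readMemory(pebase + 0x5e, 2))[0]

        # In Python `&` binds tighter than `!=`, so the original
        # unparenthesised tests were correct; parentheses make that explicit.
        dep = "YES" if (flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0 else "NO"
        aslr = "YES" if (flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0 else "NO"

        imm.log("----  %s  ----" % name)
        imm.log("DEP: %s ASLR: %s" % (dep, aslr))
        imm.log("--------------")

    return "[+] Executed Successfully"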
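def main(args):
    """PyCommand !rebase: overwrite the main image's base/size in the PEB loader list.

    Options:
        -b BASE  new base (hex)
        -s SIZE  new size (hex)

    Walks PEB -> PEB_LDR_DATA (PEB+12) -> InLoadOrder list (Ldr+12) and
    writes the user-supplied values into the first entry's base (+24) and
    size (+32) fields, which belong to the exe image itself.

    Returns:
        A usage string on bad arguments; None after patching (as the original).
    """
    imm = immlib.Debugger()
    base = None
    size = None

    try:
        opts, _ = getopt.getopt(args, "b:s:")
    except getopt.GetoptError:
        return "Usage: !rebase -b BASE -s SIZE"

    try:
        for opt, val in opts:
            if opt == "-b":
                base = int(val, 16)  # int() replaces the Py2-only string.atoi
            elif opt == "-s":
                size = int(val, 16)
    except ValueError:
        # Non-hex values previously escaped as an uncaught ValueError.
        return "Usage: !rebase -b BASE -s SIZE"

    if base is None or size is None:
        return "Usage: !rebase -b BASE -s SIZE"

    # pointer to PEB_LDR_DATA
    ldr = imm.readLong(imm.getPEBaddress() + 12)
    # pointer to InLoadOrder list
    load_order_list = imm.readLong(ldr + 12)
    # pointer to the first loaded module's base and size
    # this will be to the exe image itself
    ptr_base = load_order_list + 24
    ptr_size = load_order_list + 32
    # overwrite the base and size with the values
    # supplied by the user
    imm.writeLong(ptr_base, base)
    imm.writeLong(ptr_size, size)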
def main():
    """Hook the AL test that follows iTunes' debugger check (listing below).

    Searches the debuggee for the byte pattern TEST AL,AL / JE SHORT +8 /
    PUSH 0 and installs an iTunes_checkForDebuggers hook (defined elsewhere
    in this file) at every hit.
    """
    imm = immlib.Debugger()

    #004EA300  /$ 56             PUSH ESI
    #004EA301  |. FF15 D023EB00  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
    #004EA307  |. 8BF0           MOV ESI,EAX
    #004EA309  |. A1 20F51F01    MOV EAX,DWORD PTR DS:[11FF520]
    #004EA30E  |. 05 60EA0000    ADD EAX,0EA60
    #004EA313  |. 3BF0           CMP ESI,EAX
    #004EA315  |. 76 17          JBE SHORT iTunes.004EA32E
    #004EA317  |. E8 44D0F2FF    CALL <iTunes.checkForDebuggers>          ;  Check for SoftICE device, SoftICE Registry entries & IsDebuggerPresent()
    #004EA31C  |. 84C0           TEST AL,AL					  ;  Hook here, and set AL=0x00
    #004EA31E  |. 74 08          JE SHORT iTunes.004EA328
    #004EA320  |. 6A 00          PUSH 0                                   ; /ExitCode = 0
    #004EA322  |. FF15 BC23EB00  CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
    #004EA328  |> 8935 20F51F01  MOV DWORD PTR DS:[11FF520],ESI
    #004EA32E  |> 5E             POP ESI
    #004EA32F  \. C3             RETN

    # 84 C0 / 74 08 / 6A 00 -- the three instructions starting at 004EA31C.
    pattern = "\x84\xC0\x74\x08\x6A\x00"

    for hit in imm.Search(pattern):
        hook = iTunes_checkForDebuggers()
        hook.add("iTunes_checkForDebuggers", hit)
        imm.Log("Placed hook: iTunes_checkForDebuggers", hit)
        imm.setComment(hit, "AUTO: Hook here, and set AL=0x00")
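def main(args):
    """PyCommand: heap-hook options (the visible snippet ends after parsing).

    Options:
        -h ADDR  heap address (hex)
        -u       sets Disable
        -a / -f  accepted by the option string; not handled in the visible part

    Returns:
        Status/usage strings on bad input; the rest of the body is not shown.
    """
    if not args:
        return "No arguments given"

    heap = None
    Disable = False
    AllocFlag = False
    FreeFlag = False
    imm = immlib.Debugger()

    try:
        opts, _ = getopt.getopt(args, "h:uaf")
    except getopt.GetoptError:
        imm.setStatusBar("Bad argument %s" % str(args))
        usage(imm)
        return 0

    for opt, val in opts:
        if opt == "-h":
            try:
                heap = int(val, 16)
            except ValueError:  # Py2 "except X, e" is not valid Py3 syntax
                return "Invalid heap address: %s" % val
        elif opt == "-u":
            Disable = True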
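def main(args):
    """Install a MemScanHook at every function return of the debugged module.

    The module is analysed if needed; for each function end not already
    recorded in the debugger's knowledge base a MemScanHook (defined
    elsewhere) carrying the byte pattern below is attached. A breakpoint is
    also set at 0x40BF80 (save-game load, per the original comment).

    Returns:
        Status-bar string.
    """
    import binascii

    imm = immlib.Debugger()
    module = imm.getModule(imm.getDebuggedName())
    imm.log("module %s at 0x%08X" % (module, module.getBase()))
    # str.decode("hex") is Python-2-only; unhexlify works on both.
    hex_pattern = "6D 65 64 75 6E 61 5F 61 69 72 70 6F 72 74 00 BA 0E 00 00 00 0F 00 00 00 00 00 00 00 27 00 00 00"
    buf = binascii.unhexlify(hex_pattern.replace(' ', ''))
    knowledge = imm.listKnowledge()

    # set breakpoint on place where save game is loaded
    imm.setBreakpoint(0x40BF80)
    # make sure module is analysed
    if not module.isAnalysed():
        module.Analyse()
    for func in imm.getAllFunctions(module.getBase()):
        for ret in imm.getFunctionEnd(func):
            if "0x%08X" % ret not in knowledge:
                imm.log("function 0x%08X ret at 0x%08X" % (func, ret))
                hook = MemScanHook(buf)
                hook.add("memscan 0x%08X" % func, ret)
    # Alternative hook kept from the original (was a dead string literal):
    # module_name = "kernel32.dll"
    # api_name = "CreateFileW"
    # #api_name = "CreateFileA"
    # file_name = "myfile.bin"
    # #file_name = "data_win32.dat"
    #
    # hook = CreateFileHook(file_name)
    # f = imm.getAddress(api_name)
    # hook.add("CreateFileHook", f)

    return "Hook done"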
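def main(args):
    """PyCommand !plugin1: assemble instructions and log their opcode bytes.

    Usage: !plugin1 assemble <instructions>, several instructions separated
    by '#'.

    Returns:
        Status-bar string (the original fell off the end and returned None).
    """
    imm = immlib.Debugger()
    # The original indexed args[0] unguarded and compared lengths with the
    # HTML-garbled "&lt:" where "<" was meant; both are repaired here.
    if not args or args[0] != "assemble" or len(args) < 2:
        imm.log(" Usage : !plugin1 compare instruction")
        imm.log("separate multiple instructions with #")
        return "See the Log window for usage"

    # The debugger tokenises the command line on spaces; rejoin with a space
    # (the original concatenated with "", fusing mnemonic and operands).
    # Comma and quote stripping is kept from the original.
    cmd_input = " ".join(args[1:])
    cmd_input = cmd_input.replace(",", "").replace('"', '')
    # '#' separates instructions; str.split replaces the re.compile('#').
    for instruct in cmd_input.split('#'):
        try:
            assembled = imm.Assemble(instruct)
        except Exception:  # was a bare except
            imm.log('couldnot assemble %s' % instruct)
            continue
        # Zero-padded \xNN per byte; the original hex(ord()).replace() form
        # was syntactically broken and would have dropped the leading zero.
        opcodes = "".join("\\x%02x" % ord(byte) for byte in assembled)
        imm.log("%s=%s" % (instruct, opcodes))
    return "Assembled; see the Log window"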
 def run(self):
     """Hook callback: log EIP and its disassembly on an access violation."""
     imm = immlib.Debugger()
     eip = imm.getRegs()["EIP"]
     insn = imm.disasm(eip)
     imm.Log("EIP on ACCESS_VIOLATION %s" % str(eip))
     imm.Log("Disassembled command: %s" % insn.result)
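def main(args):
    """PyCommand: Immunity's Search Heap (the visible snippet ends after parsing).

    Options:
        -h/--heap ADDR        heap address (hex)
        -w/--what, -a/--action, -v/--value, -k
                              accepted by the option string; not handled here
        -r                    sets restore

    Returns:
        0 on bad input; the rest of the body is not shown.
    """
    imm = immlib.Debugger()
    imm.log("### Immunity's Search Heap ###")

    try:
        opts, _ = getopt.getopt(args, "h:w:a:v:rk",
                                ["heap=", "what=", "action=", "value="])
    except getopt.GetoptError:
        imm.setStatusBar("Bad heap argument %s" % args[0])
        usage(imm)
        return 0

    heap = 0x0
    what = None
    action = None
    value = None
    restore = False
    chunkdisplay = 0

    for opt, val in opts:
        if opt == "-h":
            try:
                heap = int(val, 16)
            except ValueError:  # Py2 "except X, e" is not valid Py3 syntax
                imm.InfoLine("Invalid heap address: %s" % val)
                return 0
        elif opt == "-r":
            restore = True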
 def run(self, regs):
     """One-shot hook: record EIP as knowledge, unhook and clear the breakpoint."""
     imm = immlib.Debugger()
     hit = regs["EIP"]
     imm.log("log, EIP is 0x%08X " % hit)
     imm.addKnowledge("0x%08X" % hit, hit)
     self.UnHook()
     imm.deleteBreakpoint(hit, hit + 4)