Beispiel #1
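def main(args):
    """PyCommand entry point: arm the heap-logging hooks, or print their log.

    The first invocation installs a STDCALLFastLogHook on ntdll.RtlAllocateHeap
    (at its RET, so the returned chunk address is visible) and on
    ntdll.RtlFreeHeap (at its entry).  The hook object is persisted in the
    debugger's knowledge database under ``Name``; a later invocation finds it
    there and prints every recorded hit through ``showresult``.

    NOTE(review): several statements were cut from the listing this was taken
    from (the ``len(`` argument, the body of the ``isAnalysed`` check, the
    hook-point declaration for RtlAllocateHeap, the EAX capture, and the
    ``Hook()`` call).  They are restored here, following the complete
    "hippiehook" example that uses the same API.

    Args:
        args: arguments typed after the command in the debugger; unused.

    Returns:
        A status string shown in the debugger's command bar.
    """
    imm = immlib.Debugger()
    Name = "hippie"

    fast = imm.getKnowledge(Name)
    if fast:
        # We have previously set hooks, so we must want
        # to print the results
        hook_list = fast.getAllLog()

        # The RtlFreeHeap address is stored alongside but not needed here.
        rtlallocate, _rtlfree = imm.getKnowledge("FuncNames")

        for a in hook_list:
            showresult(imm, a, rtlallocate)

        return "Logged: %d hook hits. Results output to log window." % len(hook_list)

    # We want to stop the debugger before monkeying around
    imm.Pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")

    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        # getRet() needs analysed code to find the function's RET.
        imm.analyseCode(module.getCodebase())

    # We search for the correct function exit point
    rtlallocate = getRet(imm, rtlallocate, 1000)
    imm.Log("RtlAllocateHeap hook: 0x%08x" % rtlallocate)

    # Store the hook points so the SHOW path can tell the two hooks apart.
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree))

    # Now we start building the hook
    fast = immlib.STDCALLFastLogHook(imm)

    # We are trapping RtlAllocateHeap at the end of the function: declare the
    # hook point first, then the values to capture there.  At the RET the
    # frame is presumably still intact, so EBP+8/+0xC/+0x10 are the three
    # stdcall arguments (heap handle, flags, size) and EAX is the return
    # value, i.e. the address of the new chunk.
    imm.Log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate, 0)
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    fast.logRegister("EAX")

    # We are trapping RtlFreeHeap at the head of the function and log its
    # three stack arguments (heap handle, flags, base address).
    imm.Log("Logging on RtlHeapFree  0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)

    # Set the hook
    fast.Hook()

    # Store the hook object so we can retrieve results later
    imm.addKnowledge(Name, fast, force_add=1)

    return "Hooks set, press F9 to continue the process."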
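def main(args):
    """Install the RtlAllocateHeap/RtlFreeHeap log hooks or dump their results.

    Behaviour depends on whether a hook object is already stored under
    ``Name`` in the knowledge database:

    * not stored: pause the debugger, locate the RET of RtlAllocateHeap, build
      a STDCALLFastLogHook for both functions, arm it and store it;
    * stored: read its log and print each entry via ``showresult``.

    NOTE(review): the listing this came from had lost the ``len(`` argument,
    the body of the ``isAnalysed`` check, the hook-point declaration and EAX
    capture for RtlAllocateHeap, and the ``Hook()`` call; it also unpacked
    ``rtallocate`` but used ``rtlallocate``.  All of these are repaired here.

    Args:
        args: debugger command arguments; unused.

    Returns:
        Status text for the debugger's command bar.
    """
    imm = immlib.Debugger()
    Name = "hippie"

    fast = imm.getKnowledge(Name)
    if fast:
        # Hooks were set by an earlier call, so this call prints the results.
        hook_list = fast.getAllLog()

        rtlallocate, _rtlfree = imm.getKnowledge("FuncNames")
        for entry in hook_list:
            showresult(imm, entry, rtlallocate)

        return "Logged: %d hook hits. Results output to log window." % len(hook_list)

    # Stop the debugger before we start poking around.
    imm.Pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")

    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        # getRet() relies on the module having been analysed.
        imm.analyseCode(module.getCodebase())

    # Look for the function's real exit point (its RET).
    rtlallocate = getRet(imm, rtlallocate, 1000)
    imm.log("RtlAllocateHeap hook: 0x%08x" % rtlallocate)

    # Remember both hook addresses; the result printer needs them.
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree))

    # Start building the hook.
    fast = immlib.STDCALLFastLogHook(imm)

    # Trap RtlAllocateHeap at the end of the function: first name the hook
    # point, then what to capture there -- the three arguments relative to
    # EBP (heap handle, flags, size) and EAX, the returned chunk address.
    imm.log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate, 0)
    for displacement in (8, 0xC, 0x10):
        fast.logBaseDisplacement("EBP", displacement)
    fast.logRegister("EAX")

    # Trap RtlFreeHeap at the start of the function and log its three
    # arguments (heap handle, flags, base address).
    imm.log("Logging on RtlFreeHeap 0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)

    # Arm the hook.
    fast.Hook()

    # Keep the hook object so the results can be fetched later.
    imm.addKnowledge(Name, fast, force_add=1)

    return "Hooks set, press F9 to continue the process."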
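def main(args):
	"""Set heap logging hooks on ntdll, or print what they have logged so far.

	The hook object is kept in the knowledge database under ``Name``
	(``addKnowledge``); when ``getKnowledge`` finds it, this call only prints
	the collected log.  Every log line carries ``address=`` so the debugger
	can link the entry to the code it refers to.

	NOTE(review): the source listing was missing the body of the
	``isAnalysed`` check, the hook-point declaration for RtlAllocateHeap,
	the EAX capture the "track eax" comment refers to, and the ``Hook()``
	call.  They are restored here; the success message's typo ("setm") is
	fixed as well.

	Args:
		args: debugger command arguments; unused.

	Returns:
		Status text for the debugger's command bar.
	"""
	imm = immlib.Debugger()
	Name = "hippie"

	# Fetch the python object stored earlier in the knowledge database.
	fast = imm.getKnowledge(Name)
	if fast:
		# Hooks are already in place, so print the results.
		hook_list = fast.getAllLog()
		rtlallocate, _rtlfree = imm.getKnowledge("FuncNames")
		for entry in hook_list:
			showresult(imm, entry, rtlallocate)
		return "Logged: %d hook hits." % len(hook_list)

	# Pause the process before touching it.
	imm.Pause()

	rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
	rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")
	imm.log("rtlallocate:0x%08x" % rtlallocate, address = rtlallocate)

	module = imm.getModule("ntdll.dll")
	# Analyse the module first if that has not happened yet.
	if not module.isAnalysed():
		imm.analyseCode(module.getCodebase())

	# Find the function's real exit point (its RET).
	rtlallocate = getRet(imm, rtlallocate, 1000)
	imm.log("RtlAllocateHeap hook:0x%08x" % rtlallocate, address = rtlallocate)

	# Remember the hook addresses for the result printer.
	imm.addKnowledge("FuncNames", (rtlallocate, rtlfree))

	# Build the hook.
	fast = immlib.STDCALLFastLogHook(imm)

	imm.log("Logging on Alloc 0x%08x" % rtlallocate, address = rtlallocate)
	# The hook point is an address inside RtlAllocateHeap (its RET); the
	# instruction there is replaced by a jump into the logging stub.
	fast.logFunction(rtlallocate, 0)
	# Capture the three arguments relative to EBP (heap handle, flags, size).
	fast.logBaseDisplacement("EBP", 8)
	fast.logBaseDisplacement("EBP", 0xC)
	fast.logBaseDisplacement("EBP", 0x10)
	# Track EAX: the returned chunk address.
	fast.logRegister("EAX")

	imm.log("Logging on RtlFreeHeap 0x%08x" % rtlfree, address = rtlfree)
	# RtlFreeHeap is hooked at its entry; log its three arguments.
	fast.logFunction(rtlfree, 3)

	# Arm the hook.
	fast.Hook()

	# Store the hook object so the results can be read back later.
	imm.addKnowledge(Name, fast, force_add = 1)
	return "Hooks set, press F9 to continue the process."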
Beispiel #5
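def _chunk_matches(entry, ndx, chunkaddress):
    """Return True if a log *entry* refers to *chunkaddress*.

    *entry* is one ``getAllLog()`` record, ``(hook_address, logged_values)``.
    *ndx* maps each hook address to the position of the chunk address inside
    ``logged_values``.  A falsy *chunkaddress* (no ``-a`` given), an unknown
    hook address or a record that is too short never match.
    """
    if not chunkaddress:
        return False
    position = ndx.get(entry[0])
    if position is None or position >= len(entry[1]):
        return False
    return entry[1][position] == chunkaddress


def main(args):
    """PyCommand entry point for the "hippiehook" heap-call logger.

    Options (getopt string ``osdpch:a:C``; the last command switch wins):

    * ``-o``  set the hooks on ntdll.RtlAllocateHeap / ntdll.RtlFreeHeap
    * ``-s``  show the logged calls, optionally filtered by ``-h``/``-a``
    * ``-d``  forget the hook object stored under the name tag
    * ``-p``  pause the hook
    * ``-c``  resume the hook
    * ``-C``  clear the hook
    * ``-h HEAP``   only show records for this heap handle (hex)
    * ``-a CHUNK``  mark records whose chunk address equals CHUNK (hex)

    The hook object and the two hook addresses live in the debugger's
    knowledge database, so every sub-command starts by looking them up.

    NOTE(review): the listing had lost the ``try:`` around ``getopt`` and the
    ``else:`` that separates the heap-filtered and unfiltered output loops in
    ``-s``; both are restored.  The ``Hook()`` call that arms the hook is
    restored after the capture list as well.

    Args:
        args: the debugger's argument list for the command.

    Returns:
        Status text for the debugger's command bar.
    """
    imm = immlib.Debugger()
    try:
        opts, _rest = getopt.getopt(args, "osdpch:a:C")
    except getopt.GetoptError as err:
        # Put the reason where the user is told to look for it.
        imm.log("hippiehook: %s" % err)
        return "Wrong Argument (Check Log Window)"

    command_switches = {
        '-o': SWITCH,
        '-s': SHOW,
        '-d': DELETE,
        '-p': PAUSE,
        '-c': CONTINUE,
        '-C': CLEAR,
    }
    FlagCmd = 0
    heap = None
    chunkaddress = None
    for o, a in opts:
        if o in command_switches:
            FlagCmd = command_switches[o]
            continue
        # -h and -a carry a user-typed hex address; reject garbage with a
        # message instead of a ValueError traceback.
        try:
            value = int(a, 16)
        except ValueError:
            return "Wrong Argument: %s expects a hexadecimal address, got %r" % (o, a)
        if o == '-h':
            heap = value
        elif o == '-a':
            chunkaddress = value
    Name = "hippiehook"

    if FlagCmd == SWITCH:
        if imm.getKnowledge(Name):
            return "Cannot set Hooks:  Hooks are already set"
        rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
        allocate = imm.getAddress("ntdll.RtlAllocateHeap")
        # We need to hook on the ret point of RtlAllocateHeap so we can
        # get the result of the allocation; getRet() needs analysed code.
        mod = imm.getModule("ntdll.dll")
        if not mod.isAnalysed():
            imm.analyseCode(mod.getCodebase())
        imm.log("oOoo: 0x%08x" % allocate)
        rtlallocate = getRet(imm, allocate, 1000)
        imm.addKnowledge("FuncNames", (rtlallocate, rtlfree))

        imm.log("0x%08x 0x%08x (0x%08x)" % (rtlallocate, rtlfree, allocate))
        fast = immlib.STDCALLFastLogHook(imm)
        # RtlFreeHeap is hooked at its entry: log its three arguments
        # (heap handle, flags, base address).
        imm.log("Logging on Free  0x%08x" % rtlfree)
        fast.logFunction(rtlfree, 3)

        # RtlAllocateHeap is hooked at its RET: the three arguments are read
        # relative to EBP (heap handle, flags, size) and EAX is the returned
        # chunk address.  Their order fixes the NDX positions used by -s.
        imm.log("Logging on Alloc 0x%08x" % rtlallocate)
        fast.logFunction(rtlallocate, 0)
        fast.logBaseDisplacement("EBP", 8)
        fast.logBaseDisplacement("EBP", 0xC)
        fast.logBaseDisplacement("EBP", 0x10)
        fast.logRegister("EAX")
        # Arm the hook before storing it.
        fast.Hook()
        imm.addKnowledge(Name, fast, force_add = 1)

    elif FlagCmd == DELETE:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        # NOTE(review): only the knowledge entry is dropped here; nothing in
        # this branch tears down the in-process hook itself -- confirm
        # whether the hook object must be un-hooked before it is forgotten.
        imm.forgetKnowledge(Name)
        return "Hook removed: %s" % Name

    elif FlagCmd == CLEAR:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        # NOTE(review): as written this branch only verifies the tag exists;
        # the log is not actually cleared -- confirm the intended call.
        return "Hook has been clear"

    elif FlagCmd == SHOW:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"

        funcs = imm.getKnowledge("FuncNames")
        if not funcs:
            # Stored by -o together with the hook; missing means a stale tag.
            return "Couldn't find the hook addresses (FuncNames)"
        rtlallocate, rtlfree = funcs
        ret = fast.getAllLog()
        # Position of the chunk address inside each record's logged values:
        # the RtlAllocateHeap hook logs (heap, flags, size, EAX) so EAX is at
        # 3; the RtlFreeHeap hook logs (heap, flags, base address) so the
        # base address is at 2.
        NDX = {rtlallocate: 3, rtlfree: 2}
        for a in ret:
            # Both functions take the heap handle first, so a[1][0] is the
            # heap the record belongs to.
            if heap and heap != a[1][0]:
                continue
            extra = "<---- * FOUND *" if _chunk_matches(a, NDX, chunkaddress) else ""
            showresult(imm, a, rtlallocate, extra)
        imm.log("=" * 0x2f)
        return "Traced %d functions" % len(ret)

    elif FlagCmd == PAUSE:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        if not fast.Pause():
            return "Error: not been able to pause %s hook " % Name
        # Re-store so the paused state persists in the knowledge database.
        imm.addKnowledge(Name, fast, force_add = 1)
        return "Hook %s paused" % Name

    elif FlagCmd == CONTINUE:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        if not fast.Continue():
            return "Error: not been able to continue %s hook " % Name
        imm.addKnowledge(Name, fast, force_add = 1)
        return "Hook %s continued" % Name

    return "Done"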