def main(args):
modulenames, addresses = parse_args(args)
if modulenames and addresses:
ret = "[+] Module loaded. Will break on: {0}".format(zip(modulenames, addresses))
hook = DLLHook(modulenames, addresses)
hook.add("dll_hooker")
else:
imm = Debugger()
ret = "[-] Incorrect arguments. Usage: <script> mod1,mod2 0x1234,0x4321"
imm.log(ret)
return ret
def main(args):
modulenames, addresses = parse_args(args)
if modulenames and addresses:
ret = '[+] Module loaded. Will break on: {0}'.format(
zip(modulenames, addresses))
hook = DLLHook(modulenames, addresses)
hook.add('dll_hooker')
else:
imm = Debugger()
ret = '[-] Incorrect arguments. Usage: <script> mod1,mod2 0x1234,0x4321'
imm.log(ret)
return ret
def main(args):
"""The main function.
Args:
args: Command-line arguments
"""
imm = Debugger()
module = None
try:
opts, args = getopt.getopt(args, 'hm:')
except getopt.GetoptError:
usage(imm)
return 'Incorrect arguments (check log window)'
for opt, arg in opts:
if opt == '-h':
usage(imm)
return ''
if opt == '-m':
module = arg
if module:
return hash_module(imm, module)
elif len(args) == 2:
return hash_address_range(imm, args[0], args[1])
else:
usage(imm)
return 'Incorrect arguments (check log window)'
class DLLHook(LoadDLLHook):
def __init__(self, modulename):
LoadDLLHook.__init__(self)
self.imm = Debugger()
self.modulename = modulename
self.imm.log('watching for %s %s' % (__VERSION__, self.modulename))
def run(self, regs):
if self.modulename in self.imm.getAllModules().keys():
module = self.imm.getModule(self.modulename)
base = module.getBase()
self.imm.log('Hit %s at 0x%x' % (self.modulename, base) )
pe = pefile.PE(module.getPath())
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if exp.address > 0:
self.imm.log('Name: %s,RelativeAddress: 0x%x, Ordinal: 0x%x' % (exp.name, exp.address, exp.ordinal))
self.imm.setBreakpoint(base + exp.address)
self.disable()
self.UnHook()
def __init__(self):
"""Instance initialization."""
super(Disassembler, self).__init__()
#
# Set architecture specific types for the current binary being
# analyzed.
#
architecture = self.get_architecture()
if architecture is X86_ARCH:
import x86 as current_arch
self.current_arch = current_arch
self.instruction_set = current_arch.InstructionSet
# Perform additional initializations.
self._post_init()
self.debugger = Debugger()
def main(args):
"""The main function.
Args:
args: Command-line arguments
"""
imm = Debugger()
module = None
rules_path = None
try:
opts, args = getopt.getopt(args, 'hm:r:')
except getopt.GetoptError:
usage(imm)
return 'Incorrect arguments (check log window)'
for opt, arg in opts:
if opt == '-h':
usage(imm)
return ''
elif opt == '-m':
module = arg
elif opt == '-r':
if (arg.startswith('"') and arg.endswith('"')) or \
(arg.startswith('\'') and arg.endswith('\'')):
arg = arg[1:-1]
rules_path = os.path.abspath(arg)
if not rules_path:
usage(imm)
return 'Incorrect arguments (Path to Yara rule file required)'
# Compile the Yara rules
try:
rules = yara.compile(filepath=rules_path)
except (yara.Error, yara.SyntaxError):
return '%s is an invalid Yara rules file' % rules_path
if module:
return run_yara_on_module(imm, module, rules)
elif len(args) == 2:
return run_yara_on_address_range(imm, args[0], args[1], rules)
else:
usage(imm)
return 'Incorrect arguments (check log window)'
class DLLHook(LoadDLLHook):
imm = Debugger()
def __init__(self, modulenames, addresses):
LoadDLLHook.__init__(self)
self.modulenames = modulenames
self.addrs = addresses
def run(self, regs):
for module in self.modulenames:
if module in self.imm.getAllModules().keys():
# set breakpoint
index = self.modulenames.index(module)
self.imm.setBreakpoint(self.addrs[index])
self.modulenames.remove(module)
self.imm.log('[+] Breakpoint set in 0x%x' % self.addrs[index])
# unhook
if not self.modulenames:
self.disable()
self.UnHook()
def __init__(self, modulename):
LoadDLLHook.__init__(self)
self.imm = Debugger()
self.modulename = modulename
self.imm.log('watching for %s %s' % (__VERSION__, self.modulename))
def main(args):
imm = Debugger()
imm.log("*****@*****.**")
return ""
class Disassembler(BaseDebugger):
"""Debugger specific functions for the Immunity debugger from Immunity
Inc.
"""
DEBUGGER_NAME = "Immunity Debugger"
# Currently supported architectures by this debugger.
SUPPORTED_ARCHS = [X86_ARCH]
def __init__(self):
"""Instance initialization."""
super(Disassembler, self).__init__()
#
# Set architecture specific types for the current binary being
# analyzed.
#
architecture = self.get_architecture()
if architecture is X86_ARCH:
import x86 as current_arch
self.current_arch = current_arch
self.instruction_set = current_arch.InstructionSet
# Perform additional initializations.
self._post_init()
self.debugger = Debugger()
@property
def screen_address(self):
"""Return the effective memory address under the cursor."""
# I was unable to find a way to determine current cursor position in
# the screen so I ended using the EIP register address because imdbg
# should have it set while running. This makes impossible to decompile
# an offline application.
if self.debugger.isRunning() or self.debugger.isEvent() or \
self.debugger.isStopped():
return self.debugger.getRegs()["EIP"]
raise ImmunityDebuggerException("Debugger must be running to execute")
@property
def architecture(self):
"""Return the current architecture in use."""
return X86_ARCH # This is the only supported architecture.
def get_input_file(self):
"""Return the name of the file being disassembled."""
return self.debugger.getDebuggedName()
def get_current_function_name(self):
"""Return the name of the current function under the cursor."""
self._raise(self.get_current_function_name)
def get_function_name(self, address):
"""Get the name of the function at the specified memory address."""
self._raise(self.get_function_name)
def get_address_label(self, address):
"""Return the label for the specified address."""
self._raise(self.get_address_label)
def get_function_instructions_addresses(self, address):
"""Obtain the list of every instruction address inside the current
function.
This includes addresses from instructions on chunk tails.
"""
self._raise(self.get_function_instructions_addresses)
def is_basic_block_start_address(self, ea, index, in_edges, lir_function):
"""..."""
self._raise(self.is_basic_block_start_address)
def generate_lir(self, func_address):
"""Analyze every instruction and operand and it's references in the
current function and generate a low level IR equivalente with them.
"""
# Obtain function scope if available.
func = self.debugger.getFunction(func_address)
if not func:
raise ImmunityDebuggerException(
"Unable to obtain function object for address 0x%X" %
func_address)
try:
bbs = func.getBasicBlocks()
except Exception, err:
raise ImmunityDebuggerException(
"Unable to obtain basic blocks for function at address 0x%X" \
"- %s" % (func_address, err))
bbmap = dict()
cfg = dict()
"""
#Make a control flow graph
for bb in bbs:
cfg[bb.getStart()] = bb.getEdges()
#Make a hash of each BB
for bb in bbs:
bbhash_data = []
for op in bb.get_instructions(self.imm):
#take into account just information about the opcode
instr = []
instr.append(op.getMemType())
instr.append(op.indexed)
instr.append(op.getCmdType())
instr.append(op.optype[0])
instr.append(op.optype[1])
instr.append(op.optype[2])
instr.append(op.getSize())
bbhash_data.append(self.hash_a_list(instr))
bbhash = self.hash_a_list(bbhash_data)
bbmap[bb.getStart()] = bbhash
"""
return None