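def main(args):
    """PyCommand entry point: attach to a PID and tabulate the loaded modules.

    Args:
        args: command-line tokens; args[0] is the decimal PID to attach to.

    Returns:
        Status string shown in the debugger's status bar.
    """
    imm = immlib.Debugger()
    # The original indexed args[0] unguarded; an empty or non-numeric argument
    # would raise instead of reporting usage.
    if not args:
        return "Usage: pass the PID to attach to as the first argument"
    try:
        pid = int(args[0])
    except ValueError:
        return "Invalid PID: %s" % args[0]
    # NOTE(review): openProcess() of a hard-coded path immediately followed by
    # Attach() looks contradictory; both calls are kept as in the original —
    # confirm which one is intended.
    imm.openProcess("C://StrCpy.exe")
    #### Attaching to Process ####
    imm.Attach(pid)
    #### Show all Modules and their abilities ####
    td = imm.createTable("Module Information", ['Name', 'Base', 'Entry', 'Size', 'Version'])
    moduleList = imm.getAllModules()
    for entity in moduleList.values():
        td.add(0, [
            entity.getName(),
            '%08X' % entity.getBaseAddress(),
            '%08X' % entity.getEntry(),
            '%08X' % entity.getSize(),
            entity.getVersion(),
        ])
    # NOTE(review): getRes() is not used anywhere else in this file (getRegs() is) — confirm it exists.
    imm.log(str(imm.getRes()))
    return "Success"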
def run(self, regs):
    """Hook body: executed when the hooked function is entered.

    Reads the caller's return address from [EBP+4] (presumably a standard frame
    — confirm for the hooked function), logs every register, and installs three
    follow-up hooks keyed on that return address: an EndHook, plus
    RtlAllocateHeap/RtlFreeHeap hooks that are stored in the debugger's
    knowledge base under "end_<retaddr>". Unhooks itself unless
    self.continuos is set.
    """
    imm = immlib.Debugger()
    retaddr = imm.readLong(regs['EBP'] + 4)
    for name in regs:
        imm.log("%s:%08x" % (name, regs[name]))
    if not retaddr:
        self.UnHook()
        imm.log("Unhooking, wrong ESP")
        return
    endhook = EndHook(retaddr)
    endhook.add("EndHook_%x" % retaddr, retaddr)
    ahook = RtlAllocateHeapHook(retaddr)
    ahook.add("Alloc_%08x" % retaddr, self.allocaddr)
    fhook = RtlFreeHeapHook(retaddr)
    fhook.add("Free_%08x" % retaddr, self.freeaddr)
    # Remember both heap hooks so they can be torn down when the function returns.
    imm.addKnowledge("end_%08x" % retaddr, (ahook, fhook))
    imm.log("o Sniffing the selected Function", address=regs['EIP'])
    if not self.continuos:
        self.UnHook()
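def main(args):
    """PyCommand: assemble the given instruction text and find every copy in memory.

    Args:
        args: tokens of the instruction(s) to assemble, joined with spaces.

    Returns:
        Status string for the status bar; each hit is logged with its module
        and the page access rights.
    """
    imm = immlib.Debugger()
    # The original assembled "" when called without arguments.
    if not args:
        return "Usage: give the instruction(s) to search for as arguments"
    look = " ".join(args)
    ret = imm.Search(imm.Assemble(look))
    for hit in ret:
        module = imm.findModule(hit)
        module = module[0] if module else "none"
        # Grab the memory access type for this address
        page = imm.getMemoryPagebyAddress(hit)
        access = page.getAccess(human=True)
        imm.Log("Found %s at 0x%08x [%s] Access: (%s)" % (look, hit, module, access), address=hit)
    if ret:
        return "Found %d address (Check the Log Windows for details)" % len(ret)
    return "Sorry, no code found"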
def run(self, regs):
    """Hook body: log one line per frame of the current call stack."""
    imm = immlib.Debugger()
    fmt = "Address: %08x - Stack: %08x - Procedure: %s - frame: %08x - called from: %08x"
    for frame in imm.callStack():
        imm.log(fmt % (frame.address, frame.stack, frame.procedure,
                       frame.frame, frame.calledfrom))
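def main(args):
    """PyCommand: run the packer detector on a module.

    Options:
        -m MODULE  module to inspect (required)
        -f         inspect the file on disk instead of the in-memory image

    Returns:
        Status string; usage is written to the Log window on bad input.
    """
    imm = immlib.Debugger()
    if not args:
        usage(imm)
        return "No args"
    try:
        opts, argo = getopt.getopt(args, "m:f")
    except getopt.GetoptError:
        usage(imm)
        return "Bad heap argument %s" % args[0]
    module = None
    OnMemory = 1
    for opt, val in opts:
        if opt == "-m":
            module = val
        elif opt == '-f':
            OnMemory = 0
    if not module:
        usage(imm)
        return "No module provided, see the Log Window for details of usage"
    try:
        ret = imm.findPacker(module, OnMemory=OnMemory)
    # "except Exception, msg" is Python 2-only syntax; "as" works on 2.6+ and 3.
    except Exception as msg:
        return "Error: %s" % msg
    # NOTE(review): ret is never used in the visible body — the original
    # probably continued past this point; confirm.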
def main(args):
    """Print per-section entropy of the debugged executable, then apply the patch helpers.

    Sections with an empty name are numbered with a running index. The
    Patch_* helpers are defined elsewhere in the file.
    """
    imm = immlib.Debugger()
    path = imm.getModule(imm.getDebuggedName()).getPath()
    pe = pefile.PE(path)
    section_list = []
    name_list = []
    unnamed = 0
    for section in pe.sections:
        sec_name = section.Name.strip("\x00")
        if not sec_name:
            sec_name = str(unnamed)
            unnamed += 1
        entropy = section.get_entropy()
        name_list.append(sec_name)
        sec_start = pe.OPTIONAL_HEADER.ImageBase + section.VirtualAddress
        sec_size = section.Misc_VirtualSize
        #imm.log("section : %s || start addr : 0x%08X || size : 0x%08X" % (sec_name,sec_start, sec_size))
        # The original passed the entropy twice (sec_enp and final_enp were equal).
        section_list.append(SEC(sec_name, entropy, entropy, sec_start, sec_size))
    for sec in section_list:
        sec.sec_print(imm)
    Patch_isdebuggerpresent(imm)
    Patch_checkremotedebuggerpresent(imm)
    Patch_zwqueryinformationprocess_test(imm)
    Patch_PEB(imm)
    Patch_PEB2(imm)
    Patch_Findwindow(imm)
    ##Yoda's Protector only
    Patch_getcurrentrocessid(imm)
    bpaddr = Patch_blockinput2(imm)
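def main(args):
    """PyCommand: apply a named patch to the debuggee.

    Options:
        -t TYPE  patch to apply; only "isdebuggerpresent" is known, which
                 overwrites kernel32.IsDebuggerPresent with "xor eax, eax; ret".

    Returns:
        Status string for the status bar.
    """
    types = {"isdebuggerpresent": 0}
    imm = immlib.Debugger()
    if not args:
        return "give patch type..."
    try:
        opts, argo = getopt.getopt(args, "t:s")
    except getopt.GetoptError:
        usage(imm)
        return "Bad patch argument %s" % args[0]
    # Renamed from "type" (shadowed the builtin); dict.has_key replaced by "in".
    patch_type = None
    for opt, val in opts:
        if opt == '-t':
            low = val.lower()
            if low in types:
                patch_type = types[low]
            else:
                return "Invalid type: %s" % val
    # IsDebuggerPresent
    if patch_type == 0:
        imm.Log("Patching IsDebuggerPresent...")
        ispresent = imm.getAddress("kernel32.IsDebuggerPresent")
        imm.writeMemory(ispresent, imm.Assemble("xor eax, eax\n ret"))
        return "IsDebuggerPresent patched"
    usage(imm)
    return "Bad patch argument"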
def main(args):
    """PyCommand: tabulate every loaded module and log the current registers.

    Returns:
        Fixed status string once the table and the log have been written.
    """
    # starting the debugger instance
    imm = immlib.Debugger()
    columns = ["Name", "Base", "Entry", "Size", "File_Version"]
    td = imm.createTable("Module Information", columns)
    # getAllModules returns a dict of all loaded executable modules; the
    # values are module objects (lib.immDebugger.Modules) with getName() etc.
    for entity in imm.getAllModules().values():
        row = [
            entity.getName(),
            '%08X' % entity.getBaseAddress(),   # hex formatting
            '%08X' % entity.getEntry(),
            '%08X' % entity.getSize(),
            entity.getVersion(),
        ]
        td.add(0, row)
    ## ADDITIONALLY: logging current register info at this instant of the running exe
    imm.log(str(imm.getRegs()))
    imm.updateLog()
    return "[!] spse-outputTable_xModules.py is finished with status 0"
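def main(args):
    """Main function used to invoke the decompiler.

    Adds the decompiler directory to sys.path, imports the "pointsource"
    module and runs its main(). Any exception — including an import failure,
    which the original let propagate because the import sat outside the
    try block — is logged with its traceback.
    """
    imm = immlib.Debugger()
    from sys import path
    # FIXME: Remove this hardcoded path and get it dynamically from somewhere else.
    path_to_add = r"y:\decompiler\decompilers\point source"
    if path_to_add not in path:
        path.append(path_to_add)
    try:
        import pointsource
        imm.log("===> %s" % pointsource)
        from pointsource import main as test_main
        test_main()
        ret = "Decompiler execution finished"
    # "except Exception, err" is Python 2-only syntax.
    except Exception as err:
        imm.log("[-] Error on:", focus=1)
        imm.logLines(format_exc())
        ret = err
    # NOTE(review): ret is never returned in the visible body — the original
    # presumably continued with "return ret"; confirm.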
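def run2(self, regs):
    """This will be executed when hooktype happens.

    Hook body for strncpy(dest, src, maxlen): reads the src pointer and maxlen
    from the caller's stack, logs the source string, and dumps the call stack
    when the string is exactly maxlen characters long (the case in which
    strncpy copies no terminator).
    """
    imm = immlib.Debugger()
    imm.Error("hgook time")
    # At function entry [ESP] holds the return address, so the second and
    # third arguments sit at ESP+8 and ESP+0xC (the original's comments).
    # readLong reads a little-endian DWORD, which is what the original
    # reconstructed by hand via per-byte hex strings.
    src_addr = imm.readLong(regs['ESP'] + 0x8)   # strncpy second arg
    maxlen = imm.readLong(regs['ESP'] + 0xc)     # strncpy third arg
    # read src arg
    readed = imm.readString(src_addr)
    imm.Log("strncpy source: %s" % readed)
    # The original compared len(readed) with int(<hex string>) — a decimal
    # parse of hex digits — so the check only matched by accident.
    if len(readed) == maxlen:
        imm.Log("*** STACK ***")
        fmt = "Address: %08x - Stack: %08x - Procedure: %s - frame: %08x - called from: %08x"
        for frame in imm.callStack():
            imm.Log(fmt % (frame.address, frame.stack, frame.procedure,
                           frame.frame, frame.calledfrom))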
def main(args):
    """Decode Silent Banker's obfuscated strings by driving its own decoder.

    For every cross-reference to the decoding routine at 0x100122E8, finds the
    MOV r32, <const> that loads the string pointer, fakes the call's stack
    arguments, steps over the call, and records encoded/decoded pairs in a table.
    """
    imm = immlib.Debugger()
    table = imm.createTable('Silent Banker Strings', ['Address', 'Encoded', 'Decoded'])
    # get all cross-references to the decoding function
    for ref in imm.getXrefFrom(0x100122E8):
        call_site = ref[0]
        addr = None
        # disassemble backwards (up to four instructions) until a MOV is found
        for back in range(1, 5):
            op = imm.disasmBackward(call_site, back)
            if op.getDisasm().startswith('MOV'):
                # immediate operand = address of the encoded string in memory
                addr = op.getImmConst()
                break
        if addr is None:
            continue
        # read the encoded version of the string
        e_str = imm.readString(addr)
        # forcefully execute the decoding: point EIP at the call, put the
        # string address in both stack slots, and step over the call
        imm.setReg('EIP', call_site)
        esp = imm.getRegs()['ESP']
        imm.writeLong(esp, addr)
        imm.writeLong(esp + 4, addr)
        imm.stepOver()
        # now read the decoded string
        d_str = imm.readString(addr)
        table.add('', ['0x%x' % addr, '%s' % e_str, '%s' % d_str])
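def main(args):
    """PyCommand: scan SIZE bytes at ADDR for recognisable data types.

    Args:
        args: [ADDR, SIZE], both hexadecimal strings.

    Returns:
        Status string; malformed arguments fall back to usage().
    """
    imm = immlib.Debugger()
    if not args or len(args) != 2:
        return usage(imm)
    try:
        addr = int(args[0], 16)
        size = int(args[1], 16)
    except ValueError:
        # the original let a non-hex argument raise
        return usage(imm)
    dt = libdatatype.DataTypes(imm)
    mem = imm.readMemory(addr, size)
    if not mem:
        return "Error: Couldn't read anything at address: 0x%08x" % addr
    ret = dt.Discover(mem, addr, what='all')
    imm.log("Found: %d data types" % len(ret))
    # The original also built an unused "obj: %d" % obj.size string per object.
    for obj in ret:
        if obj.data:
            msg = obj.Print()
            imm.log("obj: %s: %s %d" % (obj.name, msg, obj.getSize()), address=obj.address)
    return "Found: %d data types" % len(ret)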
def main(args):
    """PyCommand: install DemoHook on msvcrt.strcpy.

    Returns:
        "Success!" once the hook is registered.
    """
    imm = immlib.Debugger()
    # Resolve where the CRT strcpy is loaded in the debuggee.
    target = imm.getAddress("msvcrt.strcpy")
    hook = DemoHook()
    hook.add("Demo Hook", target)
    return "Success!"
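def main(args):
    """Example PyCommand: assemble a stub, log its bytes, then find and disassemble each copy.

    Returns:
        Fixed status string.
    """
    imm = immlib.Debugger()
    imm.log("Log Entry!")
    imm.updateLog()
    # The original carried a large block of dead code inside a string
    # statement (process list / attach / module table); removed.
    opcodes = imm.assemble("jmp esp\nret")
    for opcode in opcodes:
        imm.log("Assemble Func: " + hex(ord(opcode)))
    # FF E4 C3 is the encoding of the stub assembled above (jmp esp; ret).
    addresses = imm.search("\xff\xe4\xc3")
    for address in addresses:
        opcode = imm.disasm(address).getDisasm()
        imm.log("Disassmble Func: " + opcode)
    imm.updateLog()
    return "PyCommand Return!!"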
def main(args):
    """PyCommand: register DemoHook under the name "Demo Hook".

    No address is passed to add(); the hook type presumably does not need
    one — confirm against DemoHook's base class.
    """
    imm = immlib.Debugger()
    hook = DemoHook()
    hook.add("Demo Hook")
    return "YCSC Hooking PyCommand"
def main(args):
    """PyCommand: show the DLL dependency tree of a process.

    Options:
        -p NAME   process name (required)
        -l LEVEL  tree depth, parsed as hex (default 3)

    Returns:
        Status string; usage is written to the Log window on bad input.
    """
    imm = immlib.Debugger()
    try:
        opts, argo = getopt.getopt(args, "p:l:")
    except getopt.GetoptError:
        usage(imm)
        return "Wrong Arguments (Check usage on the Log Window)"
    processname = None
    level = 3
    for opt, val in opts:
        if opt == '-p':
            processname = val
        elif opt == '-l':
            level = int(val, 16)
    if processname is None:
        usage(imm)
        return "See log for usage info"
    DLLTree(imm, processname, level).Show()
    return "Check log window for results."
def run(self, registers):
    """Hook body for bind(): decode and log the sockaddr passed as its second argument."""
    imm = immlib.Debugger()
    imm.log('[+] bind called')
    # Second argument (ESP+8) is the pointer to the sockaddr structure.
    sockaddr = imm.readLong(registers['ESP'] + 8)
    sin_family = imm.readShort(sockaddr)
    # sin_port (offset 2) and sin_addr (offset 4) are stored big-endian, so
    # they are read byte by byte rather than with readShort/readLong.
    raw = [ord(c) for c in imm.readMemory(sockaddr + 2, 6)]
    sin_port = raw[0] * 256 + raw[1]
    ip_octets = tuple(raw[2:6])
    # Print results to Log View window
    imm.log('---> Pointer to sockaddr structure: 0x%08x' % sockaddr)
    imm.log('---> sockaddr.sin_family: %d' % sin_family)
    imm.log('---> sockaddr.sin_port: %d' % sin_port)
    imm.log('---> sockaddr.sin_addr: %d.%d.%d.%d' % ip_octets)
    imm.log('')
    imm.log("Press F9 to resume")
def main(args):
    """PyCommand: run inspect_module() over every loaded module."""
    imm = immlib.Debugger()
    for module in imm.getAllModules().values():
        inspect_module(imm, module)
    return 'Analysis complete!'
def main(args):
    """PyCommand: delete every breakpoint inside the main module's image range."""
    imm = immlib.Debugger()
    main_module = imm.getModule(imm.getDebuggedName())
    start = main_module.getBase()
    imm.deleteBreakpoint(start, start + main_module.getSize())
    return "Deleted breakpoints"
def main(args):
    """PyCommand: break on every CALL-through-register and log the resolved callee.

    Breakpoints are set on the addresses returned by ModuleInfo.fetchRegCalls();
    when one is hit the register's value is read, the call is stepped into and
    printFunction() reports it. Returns ".ok" / ".err" for the status bar.
    """
    imm = immlib.Debugger()
    banner(imm)
    if imm.isFinished():
        imm.log("Process aleady finished!")
        return ".err"
    listModules(imm)
    call_dict = ModuleInfo(imm).fetchRegCalls()
    setBpOnAddresses(imm, call_dict.keys(), "Call via register")
    while not imm.isFinished():
        curr_addr = imm.getCurrentAddress()
        reg = call_dict.get(curr_addr)
        if not reg:
            # stopped somewhere other than one of our breakpoints
            imm.run()
            continue
        imm.log("CALL via: %s" % reg, curr_addr)
        call_addr = getRegValue(imm, reg)
        if not call_addr:
            break
        imm.stepIn()
        printFunction(imm, curr_addr, call_addr)
        imm.run()
    #ret is the string shown at status bar
    return ".ok"
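def main(args):
    """PyCommand: collect RPC information for one module or for all non-system modules.

    Args:
        args: exactly one token — a module name, or "all".

    Returns:
        Status string for the status bar.
    """
    imm = immlib.Debugger()
    if not args:
        usage(imm)
        return "Incorrect number of arguments (No args)"
    if len(args) != 1:
        usage(imm)
        return "Incorrect number of arguments"
    module_exists = False
    if args[0].lower() == "all":
        # dict.iteritems() is Python 2-only; only the key was used anyway.
        for name in imm.getAllModules():
            module = imm.getModule(name)
            if module.getIssystemdll() == 0:
                imm.setStatusBar("Fetching RPC information for: %s" % name)
                get_rpc_info(imm, module, name)
                module_exists = True
    else:
        mod = imm.getModule(args[0])
        if mod:
            module_exists = True
            imm.setStatusBar("Fetching RPC information for: %s" % args[0])
            get_rpc_info(imm, mod, args[0])
    if not module_exists:
        return "Module not found"
    return "Module information outputted, check the Log."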
def main(args):
    """PyCommand: report DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) flags for every loaded module.

    Reads DllCharacteristics straight from each module's PE header in memory;
    a module without DYNAMIC_BASE is mapped at a predictable address, so the
    output shows which images weaken the process's mitigations.
    """
    imm = immlib.Debugger()
    # code borrowed from safeseh pycommand
    for name in imm.getAllModules():
        mod = imm.getModule(name)
        mzbase = mod.getBaseAddress()
        # e_lfanew (MZ+0x3c) gives the PE header offset
        peoffset = struct.unpack('<L', imm.readMemory(mzbase + 0x3c, 4))[0]
        pebase = mzbase + peoffset
        # PE+0x5e = DllCharacteristics (optional header +0x46)
        flags = struct.unpack('<H', imm.readMemory(pebase + 0x5e, 2))[0]
        dep = "YES" if flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT else "NO"
        aslr = "YES" if flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE else "NO"
        imm.log("---- %s ----" % name)
        imm.log("DEP: %s ASLR: %s" % (dep, aslr))
        imm.log("--------------")
    return "[+] Executed Successfully"
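def main(args):
    """PyCommand !rebase: overwrite the main image's base and size in the PEB loader list.

    Options:
        -b BASE  new base address (hex)
        -s SIZE  new image size (hex)

    Both values are written into the first InLoadOrder entry, which the
    original's comments identify as the exe image itself.
    """
    imm = immlib.Debugger()
    base = None
    size = None
    try:
        opts, argo = getopt.getopt(args, "b:s:")
    except getopt.GetoptError:
        return "Usage: !rebase -b BASE -s SIZE"
    for opt, val in opts:
        # int(x, 16) replaces atoi(x, 16): string.atoi is Python 2-only, and
        # a non-hex value now reports usage instead of raising.
        try:
            if opt == "-b":
                base = int(val, 16)
            elif opt == "-s":
                size = int(val, 16)
        except ValueError:
            return "Usage: !rebase -b BASE -s SIZE"
    if base is None or size is None:
        return "Usage: !rebase -b BASE -s SIZE"
    # pointer to PEB_LDR_DATA
    ldr = imm.readLong(imm.getPEBaddress() + 12)
    # pointer to InLoadOrder list
    load_order_list = imm.readLong(ldr + 12)
    # pointer to the first loaded module's base and size
    # this will be to the exe image itself
    ptr_base = load_order_list + 24
    ptr_size = load_order_list + 32
    # overwrite the base and size with the values supplied by the user
    imm.writeLong(ptr_base, base)
    imm.writeLong(ptr_size, size)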
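def main(args=None):
    """Install iTunes_checkForDebuggers hooks on every copy of the TEST AL,AL / JE / PUSH 0 sequence.

    NOTE(review): the original signature was ``main()``; every other PyCommand
    entry point in this file takes ``args``, so an optional parameter is
    accepted for compatibility with the debugger's calling convention.
    """
    imm = immlib.Debugger()
    # Annotated listing the byte pattern below was taken from:
    # 004EA300 /$ 56             PUSH ESI
    # 004EA301 |. FF15 D023EB00  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
    # 004EA307 |. 8BF0           MOV ESI,EAX
    # 004EA309 |. A1 20F51F01    MOV EAX,DWORD PTR DS:[11FF520]
    # 004EA30E |. 05 60EA0000    ADD EAX,0EA60
    # 004EA313 |. 3BF0           CMP ESI,EAX
    # 004EA315 |. 76 17          JBE SHORT iTunes.004EA32E
    # 004EA317 |. E8 44D0F2FF    CALL <iTunes.checkForDebuggers> ; Check for SoftICE device, SoftICE Registry entries & IsDebuggerPresent()
    # 004EA31C |. 84C0           TEST AL,AL                      ; Hook here, and set AL=0x00
    # 004EA31E |. 74 08          JE SHORT iTunes.004EA328
    # 004EA320 |. 6A 00          PUSH 0                          ; /ExitCode = 0
    # 004EA322 |. FF15 BC23EB00  CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
    # 004EA328 |> 8935 20F51F01  MOV DWORD PTR DS:[11FF520],ESI
    # 004EA32E |> 5E             POP ESI
    # 004EA32F \. C3             RETN
    # 84 C0 = TEST AL,AL ; 74 08 = JE +8 ; 6A 00 = PUSH 0 (from the listing above)
    instructions = "\x84\xC0\x74\x08\x6A\x00"
    for bp_address in imm.Search(instructions):
        logbp_hook = iTunes_checkForDebuggers()
        logbp_hook.add("iTunes_checkForDebuggers", bp_address)
        imm.Log("Placed hook: iTunes_checkForDebuggers", bp_address)
        imm.setComment(bp_address, "AUTO: Hook here, and set AL=0x00")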
def main(args):
    """PyCommand entry: parse the heap-hook options (-h HEAP, -u, -a, -f).

    NOTE(review): only the option parsing is visible here — the text ends in
    the "-u" branch, so the -a/-f handling (AllocFlag/FreeFlag) and the
    return value are not shown.
    """
    if not args:
        return "No arguments given"
    heap = None
    Disable = False
    AllocFlag = False
    FreeFlag = False
    imm = immlib.Debugger()
    try:
        opts, argo = getopt.getopt(args, "h:uaf")
    except getopt.GetoptError:
        imm.setStatusBar("Bad argument %s" % str(args))
        usage(imm)
        return 0
    for o, a in opts:
        if o == "-h":
            try:
                # heap address is given in hex
                heap = int(a, 16)
            except ValueError, msg:  # Python 2-only "except X, name" syntax, kept as in the original
                return "Invalid heap address: %s" % a
        elif o == "-u":
            Disable = True
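def main(args):
    """Hook every function end in the main module with a MemScanHook for a fixed byte pattern.

    Also sets a breakpoint at 0x40BF80 (the original's comment: where the save
    game is loaded). Returns "Hook done".
    """
    # binascii.unhexlify replaces str.decode("hex"), which is Python 2-only.
    import binascii
    imm = immlib.Debugger()
    module = imm.getModule(imm.getDebuggedName())
    imm.log("module %s at 0x%08X" % (module, module.getBase()))
    # "meduna_airport\0" followed by a few more bytes, as a hex dump
    hexdump = ("6D 65 64 75 6E 61 5F 61 69 72 70 6F 72 74 00 BA 0E 00 00 00 "
               "0F 00 00 00 00 00 00 00 27 00 00 00")
    buf = binascii.unhexlify(hexdump.replace(' ', ''))
    knowledge = imm.listKnowledge()
    # set breakpoint on place where save game is loaded
    imm.setBreakpoint(0x40BF80)
    # make sure module is analysed
    if not module.isAnalysed():
        module.Analyse()
    for func in imm.getAllFunctions(module.getBase()):
        for ret in imm.getFunctionEnd(func):
            # skip returns that already have a knowledge entry
            if "0x%08X" % ret not in knowledge:
                imm.log("function 0x%08X ret at 0x%08X" % (func, ret))
                hook = MemScanHook(buf)
                hook.add("memscan 0x%08X" % func, ret)
    # The original carried a dead CreateFileHook example inside a string
    # statement; removed.
    return "Hook done"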
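def main(args):
    """PyCommand: assemble '#'-separated instructions and log each one's opcode bytes.

    NOTE(review): the original text was garbled — HTML entities in the two
    comparisons, a broken replace() call, a loop over the undefined name
    "instructions", and an unguarded args[0]. The reconstruction below
    follows the evident intent; confirm against the real source.
    """
    imm = immlib.Debugger()
    if not args or args[0] != "assemble":
        return
    if len(args) < 2:
        imm.log(" Usage : !plugin1 compare instruction")
        imm.log("separate multiple instructions with #")
        return
    # The original joined the tokens with "" (presumably whitespace lost in
    # extraction); a space keeps mnemonic and operands apart.
    cmd_input = " ".join(args[1:]).replace(",", "").replace('"', '')
    for instruct in cmd_input.split('#'):
        try:
            assembled = imm.Assemble(instruct)
        except Exception:
            imm.log('couldnot assemble %s' % instruct)
            continue
        # "\x%02x" per byte; the original's hex(ord()).replace('0x', ...)
        # dropped the leading zero of single-digit bytes.
        str_assembled = "".join("\\x%02x" % ord(b) for b in assembled)
        imm.log("%s=%s" % (instruct, str_assembled))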
def run(self):
    """This will be executed when hooktype happens.

    Logs EIP (as a decimal number, as in the original) and the disassembly
    of the instruction at EIP when the access violation fires.
    """
    imm = immlib.Debugger()
    eip = imm.getRegs()["EIP"]
    instr = imm.disasm(eip)
    imm.Log("EIP on ACCESS_VIOLATION %s" % str(eip))
    imm.Log("Disassembled command: %s" % instr.result)
def main(args):
    """PyCommand front end for Immunity's heap search.

    Options per the getopt spec: -h/--heap HEAP (hex), -w/--what, -a/--action,
    -v/--value, -r (sets restore), -k.

    NOTE(review): only the -h and -r branches are visible here — the text ends
    in the option loop, so the remaining options, the search itself and the
    return value are not shown.
    """
    imm = immlib.Debugger()
    imm.log("### Immunity's Search Heap ###")
    try:
        opts, argo = getopt.getopt(args, "h:w:a:v:rk", ["heap=", "what=", "action=", "value="])
    except getopt.GetoptError:
        # NOTE(review): args[0] raises IndexError if args is empty
        imm.setStatusBar("Bad heap argument %s" % args[0])
        usage(imm)
        return 0
    heap = 0x0
    what = None
    action = None
    value = None
    restore = False
    chunkdisplay = 0
    for o, a in opts:
        if o == "-h":
            try:
                # heap address is given in hex
                heap = int(a, 16)
            except ValueError, msg:  # Python 2-only "except X, name" syntax, kept as in the original
                imm.InfoLine("Invalid heap address: %s" % a)
                return 0
        elif o == "-r":
            restore = True
def run(self, regs):
    """One-shot hook body: log EIP, record it in the knowledge base, then remove itself.

    After unhooking, the breakpoint range [EIP, EIP+4] is deleted as well.
    """
    imm = immlib.Debugger()
    hit = regs["EIP"]
    imm.log("log, EIP is 0x%08X " % hit)
    imm.addKnowledge("0x%08X" % hit, hit)
    self.UnHook()
    imm.deleteBreakpoint(hit, hit + 4)