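def main(args):
    """Immunity Debugger PyCommand: trace RtlAllocateHeap / RtlFreeHeap.

    First invocation: pauses the debuggee, installs a STDCALLFastLogHook
    on a return point of ntdll!RtlAllocateHeap and on the entry of
    ntdll!RtlFreeHeap, and stores the hook object plus the two hook
    addresses in the knowledge database.  Second invocation (hook object
    already stored): decodes every captured hit through showresult() and
    reports the count.

    args: debugger command-line arguments (unused by this command).
    Returns a one-line status string for the debugger's status bar.
    """
    imm = immlib.Debugger()
    Name = "hippie"

    fast = imm.getKnowledge(Name)
    if fast:
        # Hooks were installed by an earlier run; print what they captured.
        hook_list = fast.getAllLog()
        func_names = imm.getKnowledge("FuncNames")
        if not func_names:
            # getKnowledge() returns a falsy value for an unknown tag; without
            # the stored addresses the log entries cannot be attributed.
            return "Hook object found but FuncNames is missing: re-set the hooks."
        rtlallocate, rtlfree = func_names
        for entry in hook_list:
            showresult(imm, entry, rtlallocate)
        return "Logged: %d hook hits. Results output to log window." % len(hook_list)

    # Stop the debuggee before patching code inside ntdll.
    # NOTE(review): other copies of this command call imm.pause()/imm.log()
    # in lowercase; immlib releases differ on which spelling exists - confirm
    # against the installed immlib.
    imm.Pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")

    # getRet() walks the function, which requires the module to be analysed.
    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        imm.analyseCode(module.getCodebase())

    # Hook the allocator at a return point so EAX already holds the chunk.
    # NOTE(review): getRet() is defined elsewhere and is given a 1000-byte
    # search limit; RtlAllocateHeap has several exits, so allocations that
    # leave through a different RET would not be logged - confirm.
    rtlallocate = getRet(imm, rtlallocate, 1000)
    imm.Log("RtlAllocateHeap hook: 0x%08x" % rtlallocate)

    # force_add so a pair left behind by an earlier session cannot shadow the
    # freshly resolved addresses (same reason the hook object is force-added).
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree), force_add=1)

    fast = immlib.STDCALLFastLogHook(imm)

    # RtlAllocateHeap at its exit: the three stack arguments (presumably
    # HeapHandle, Flags, Size - EBP+8/+0xC/+0x10 as presented by the STDCALL
    # hook) plus EAX, the returned chunk address.
    imm.Log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate)
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    fast.logRegister("EAX")

    # RtlFreeHeap at its entry; the 3 presumably asks the hook to capture
    # three stack arguments (HeapHandle, Flags, BaseAddress).
    imm.Log("Logging on RtlFreeHeap 0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)

    fast.Hook()

    # Keep the hook object so the next invocation can pull its log.
    imm.addKnowledge(Name, fast, force_add=1)
    return "Hooks set, press F9 to continue the process."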
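def main(args):
    """Immunity Debugger PyCommand: trace RtlAllocateHeap / RtlFreeHeap.

    Run once to install the hooks (the debuggee is paused; resume with F9),
    run again to dump the captured allocations and frees via showresult().
    The hook object and the two hook addresses live in the knowledge
    database between invocations.

    args: debugger command-line arguments (unused by this command).
    Returns a one-line status string for the debugger's status bar.
    """
    imm = immlib.Debugger()
    Name = "hippie"

    fast = imm.getKnowledge(Name)
    if fast:
        # Hooks are already in place, so this run prints the results.
        hook_list = fast.getAllLog()
        func_names = imm.getKnowledge("FuncNames")
        if not func_names:
            return "Hook object found but FuncNames is missing: re-set the hooks."
        # Bug fix: the original unpacked into a misspelled 'rtallocate' and then
        # passed the never-assigned 'rtlallocate' to showresult() (NameError).
        rtlallocate, rtlfree = func_names
        for entry in hook_list:
            showresult(imm, entry, rtlallocate)
        return "Logged: %d hook hits. Results output to log window." % len(hook_list)

    # Halt the debuggee before patching ntdll.
    imm.pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")

    # getRet() needs the module analysed before it can locate the exit.
    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        imm.analyseCode(module.getCodebase())

    # Find a return point of RtlAllocateHeap so the hook sees the result in EAX.
    # NOTE(review): getRet() is defined elsewhere with a 1000-byte search
    # limit; if RtlAllocateHeap has other exits those allocations are not
    # logged - confirm.
    rtlallocate = getRet(imm, rtlallocate, 1000)
    imm.log("RtlAllocateHeap hook: 0x%08x" % rtlallocate)

    # force_add so stale addresses from an earlier session cannot persist.
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree), force_add=1)

    fast = immlib.STDCALLFastLogHook(imm)

    # RtlAllocateHeap at its exit: three stack arguments (EBP+8/+0xC/+0x10
    # as presented by the STDCALL hook) and EAX, the returned chunk.
    imm.log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate)
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    fast.logRegister("EAX")

    # RtlFreeHeap at its entry; 3 presumably = number of stack arguments to log.
    imm.log("Logging on RtlFreeHeap 0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)

    fast.Hook()

    # Persist the hook object so the next invocation can read its log.
    imm.addKnowledge(Name, fast, force_add=1)
    return "Hooks set, press F9 to continue the process."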
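def main(args):
    """Immunity Debugger PyCommand: trace RtlAllocateHeap / RtlFreeHeap.

    The first run pauses the debuggee and installs a STDCALLFastLogHook on a
    return point of ntdll!RtlAllocateHeap and on the entry of
    ntdll!RtlFreeHeap; the hook object and the two addresses are kept in the
    knowledge database.  A later run finds the stored hook object and prints
    every captured hit through showresult().

    args: debugger command-line arguments (unused by this command).
    Returns a one-line status string for the debugger's status bar.
    """
    imm = immlib.Debugger()
    Name = "hippie"

    # getKnowledge() returns the Python object stored under this tag by a
    # previous addKnowledge(), or a falsy value if there is none.
    fast = imm.getKnowledge(Name)
    if fast:
        # Hooks are already installed: print the results.
        hook_list = fast.getAllLog()
        func_names = imm.getKnowledge("FuncNames")
        if not func_names:
            return "Hook object found but FuncNames is missing: re-set the hooks."
        rtlallocate, rtlfree = func_names
        for entry in hook_list:
            showresult(imm, entry, rtlallocate)
        return "Logged: %d hook hits." % len(hook_list)

    # Pause the process before patching ntdll.
    imm.pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")
    imm.log("rtlallocate:0x%08x" % rtlallocate, address=rtlallocate)

    # Analyse the module if that has not happened yet (getRet() needs it).
    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        imm.analyseCode(module.getCodebase())

    # Locate the function's exit (return) point.
    # NOTE(review): getRet() is defined elsewhere with a 1000-byte search
    # limit; allocations leaving RtlAllocateHeap through another RET would
    # not be logged - confirm.
    rtlallocate = getRet(imm, rtlallocate, 1000)
    imm.log("RtlAllocateHeap hook:0x%08x" % rtlallocate, address=rtlallocate)

    # Store the hook addresses; force_add so stale ones cannot persist.
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree), force_add=1)

    # Build the hook.
    fast = immlib.STDCALLFastLogHook(imm)

    imm.log("Logging on Alloc 0x%08x" % rtlallocate, address=rtlallocate)
    # The hooked address inside RtlAllocateHeap (per the original comment,
    # the hook patches a jump over it).
    fast.logFunction(rtlallocate)
    # Capture the three stack arguments relative to EBP ...
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    # ... and EAX, the returned chunk address.
    fast.logRegister("EAX")

    imm.log("Logging on RtlFreeHeap 0x%08x" % rtlfree, address=rtlfree)
    # 3 presumably = number of stack arguments to capture at entry.
    fast.logFunction(rtlfree, 3)

    # Install the hook.
    fast.Hook()

    # Persist the hook object for the next invocation.
    imm.addKnowledge(Name, fast, force_add=1)
    # Bug fix: the status text read "Hooks setm press ..." (typo).
    return "Hooks set, press F9 to continue the process."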
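def main(args):
    """Immunity Debugger PyCommand: trace RtlAllocateHeap / RtlFreeHeap.

    Stateful two-phase command.  Phase one (no hook object stored): pause
    the debuggee, hook a return point of ntdll!RtlAllocateHeap and the entry
    of ntdll!RtlFreeHeap with a STDCALLFastLogHook, and remember both the
    hook object and the hook addresses in the knowledge database.  Phase two
    (hook object found): print every captured hit through showresult().

    args: debugger command-line arguments (unused by this command).
    Returns a one-line status string for the debugger's status bar.
    """
    imm = immlib.Debugger()
    Name = "hippie"

    fast = imm.getKnowledge(Name)
    if fast:
        hook_list = fast.getAllLog()
        func_names = imm.getKnowledge("FuncNames")
        if not func_names:
            # The addresses are needed to attribute each log entry.
            return "Hook object found but FuncNames is missing: re-set the hooks."
        rtlallocate, rtlfree = func_names
        for entry in hook_list:
            showresult(imm, entry, rtlallocate)
        return "Logged:%d hook hits.Results output to log window." % len(hook_list)

    # Pause the debuggee before patching ntdll.
    # NOTE(review): other copies of this command spell these imm.pause() /
    # imm.log(); confirm which spelling the installed immlib exports.
    imm.Pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    rtlallocate = imm.getAddress("ntdll.RtlAllocateHeap")

    # getRet() requires an analysed module.
    module = imm.getModule("ntdll.dll")
    if not module.isAnalysed():
        imm.analyseCode(module.getCodebase())

    # Hook at a return point so EAX holds the allocated chunk.
    # NOTE(review): getRet() (defined elsewhere) searches at most 1000 bytes
    # for one RET; RtlAllocateHeap has several exits, so some allocations
    # may never reach the hook - confirm.
    rtlallocate = getRet(imm, rtlallocate, 1000)
    imm.Log("RtlAllocateHeap hook:0x%08x" % rtlallocate)

    # force_add so a stale pair from an earlier session cannot shadow these.
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree), force_add=1)

    fast = immlib.STDCALLFastLogHook(imm)

    # Allocator exit: three stack arguments (EBP+8/+0xC/+0x10 as presented
    # by the STDCALL hook) plus the return value in EAX.
    imm.Log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate)
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    fast.logRegister("EAX")

    # Free entry; 3 presumably = number of stack arguments to capture.
    # Bug fix: the log line named a non-existent "RtlHeapFree".
    imm.Log("Logging on RtlFreeHeap 0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)

    fast.Hook()

    # Keep the hook object so the next invocation can read its log.
    imm.addKnowledge(Name, fast, force_add=1)
    return "Hooks set,press F9 to continue the process."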
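def main(args):
    """Immunity Debugger PyCommand: manage the "hippiehook" heap tracer.

    Options (getopt; the last mode flag given wins):
      -o        install hooks on a RET of ntdll!RtlAllocateHeap and on the
                entry of ntdll!RtlFreeHeap, pausing the debuggee
      -s        show the captured log
      -d        unhook and forget the hook object
      -C        clear the captured log but keep the hooks
      -p / -c   pause / resume the hook
      -h HEAP   (hex) with -s: only show entries on this heap handle
      -a ADDR   (hex) with -s: mark entries whose chunk address equals ADDR

    args: list of argument strings from the debugger command line.
    Returns a one-line status string for the debugger's status bar.
    """
    imm = immlib.Debugger()

    try:
        opts, _ = getopt.getopt(args, "osdpch:a:C")
    except getopt.GetoptError:
        usage(imm)
        return "Wrong Argument (Check Log Window)"

    FlagCmd = 0
    heap = None
    chunkaddress = None
    # SWITCH/SHOW/DELETE/PAUSE/CONTINUE/CLEAR are module-level constants.
    mode_flags = {
        '-o': SWITCH,
        '-s': SHOW,
        '-d': DELETE,
        '-p': PAUSE,
        '-c': CONTINUE,
        '-C': CLEAR,
    }
    for o, a in opts:
        if o in mode_flags:
            FlagCmd = mode_flags[o]
        elif o in ('-h', '-a'):
            # User-supplied hex.  A malformed value used to escape as a
            # ValueError traceback; report it like any other bad argument.
            try:
                value = int(a, 16)
            except ValueError:
                usage(imm)
                return "Wrong Argument: %s expects a hex value (Check Log Window)" % o
            if o == '-h':
                heap = value
            else:
                chunkaddress = value

    Name = "hippiehook"

    if FlagCmd == SWITCH:
        if imm.getKnowledge(Name):
            usage(imm)
            return "Cannot set Hooks: Hooks are already set"
        _install_hooks(imm, Name)

    elif FlagCmd == DELETE:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        fast.unHook()
        # Only the hook object is forgotten; "FuncNames" stays in the
        # knowledge database (the next -o overwrites it).
        imm.forgetKnowledge(Name)
        return "Hook removed: %s" % Name

    elif FlagCmd == CLEAR:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        fast.Clear()
        return "Hook has been clear"

    elif FlagCmd == SHOW:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        return _show_log(imm, fast, heap, chunkaddress)

    elif FlagCmd == PAUSE:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        if not fast.Pause():
            return "Error: not been able to pause %s hook " % Name
        # Re-store so the paused state is what the next invocation sees.
        imm.addKnowledge(Name, fast, force_add=1)
        return "Hook %s paused" % Name

    elif FlagCmd == CONTINUE:
        fast = imm.getKnowledge(Name)
        if not fast:
            return "Couldn't find the name tag"
        if not fast.Continue():
            return "Error: not been able to continue %s hook " % Name
        imm.addKnowledge(Name, fast, force_add=1)
        return "Hook %s continued" % Name

    return "Done"


def _install_hooks(imm, name):
    """Resolve the ntdll hook points, build the STDCALLFastLogHook, store it under *name*."""
    imm.pause()

    rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
    allocate = imm.getAddress("ntdll.RtlAllocateHeap")

    # RtlAllocateHeap is hooked at a RET so the allocation result is in EAX;
    # getRet() needs the module analysed to find it.
    mod = imm.getModule("ntdll.dll")
    if not mod.isAnalysed():
        imm.analyseCode(mod.getCodebase())

    imm.log("oOoo: 0x%08x" % allocate)
    # NOTE(review): getRet() is defined elsewhere with a 1000-byte search
    # limit; RtlAllocateHeap has several exits, so allocations leaving through
    # another RET would not be logged - confirm.
    rtlallocate = getRet(imm, allocate, 1000)
    # force_add: -d forgets only the hook object, so an older "FuncNames"
    # pair may still be present and must not shadow the new addresses.
    imm.addKnowledge("FuncNames", (rtlallocate, rtlfree), force_add=1)
    imm.log("0x%08x 0x%08x (0x%08x)" % (rtlallocate, rtlfree, allocate))

    fast = immlib.STDCALLFastLogHook(imm)

    # RtlFreeHeap at entry; 3 presumably = number of stack arguments to log.
    imm.log("Logging on Free 0x%08x" % rtlfree)
    fast.logFunction(rtlfree, 3)

    # RtlAllocateHeap at its RET: three stack arguments (EBP+8/+0xC/+0x10 as
    # presented by the STDCALL hook) plus EAX, the returned chunk.  The
    # original kept a commented-out variant using plain immlib.FastLogHook
    # with ESP+4/+8/+12 offsets instead.
    imm.log("Logging on Alloc 0x%08x" % rtlallocate)
    fast.logFunction(rtlallocate, 0)
    fast.logBaseDisplacement("EBP", 8)
    fast.logBaseDisplacement("EBP", 0xC)
    fast.logBaseDisplacement("EBP", 0x10)
    fast.logRegister("EAX")

    fast.Hook()
    imm.addKnowledge(name, fast, force_add=1)


def _show_log(imm, fast, heap, chunkaddress):
    """Print the hook log via showresult(), filtered by *heap* and marking *chunkaddress*.

    Returns the status string for the -s command.
    """
    rtlallocate, rtlfree = imm.getKnowledge("FuncNames")
    entries = fast.getAllLog()

    # Position of the chunk address inside each entry's value tuple:
    # index 3 (EAX) for allocate hits, index 2 (third argument) for free hits.
    # Entry layout assumed: (hooked_address, values) with values[0] the heap.
    NDX = {rtlallocate: 3, rtlfree: 2}

    for entry in entries:
        if heap and heap != entry[1][0]:
            continue
        extra = ""
        if chunkaddress and entry[1][NDX[entry[0]]] == chunkaddress:
            extra = "<---- * FOUND *"
        showresult(imm, entry, rtlallocate, extra)

    imm.log("=" * 0x2f)
    return "Traced %d functions" % len(entries)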