Immunity Debugger & Python(office97~2003)


Published by: MinChang Jang on Feb 11, 2011
Copyright: Attribution Non-commercial


Beistlab (mins4416@naver.com)

- Immunity Debugger's summary & features
- Structure & instruction of Immunity Debugger's Python Script
- How to use Python Script
- Practice & Etc

Immunity Debugger's features:
- Simple, understandable interface
- Robust and powerful scripting language for automating intelligent debugging
- Lightweight and fast debugging to prevent corruption during complex analysis
- Connectivity to fuzzers and exploit development tools

Structure: GUI, Command Line, Python Script.

GUI
- Reminds of Olly Debugger
- The capability of creating function graphs
- Easy visualization of the debuggee context
- Easier to learn complex commands

Command Line
- Immunity Debugger's command line plug-in has a simple interface
- We can debug remotely from another computer using the remote command line server
- Example: assemble at address (A 401000): XOR EAX,EAX

Python Script
- Immunity Debugger's Python API includes many useful utilities and functions
- We can do most of the things we can think of with Python Script
- Familiar and easy to learn
- Open source

Basic Frame: ImmunityDBG Python Scripts are organized as PyCommands, PyHooks and PyScripts.
- PyCommands - Immunity Debugger\PyCommands
- PyHooks - Immunity Debugger\PyHooks
- PyScripts - Immunity Debugger\PyScripts

PyCommands
- Can be executed from the command bar and main toolbar
- Example: !scanpe - detects a Packer/Cryptor of the main module
- If the PyCommand needs an extra argument: e.g. !scanpe can also scan just the EntryPoint

PyHooks
- Python Hooks that are loaded at startup; they look exactly like a Python plug-in, only that they are placed inside the PyHooks directory
- Example:
  myhook = imm.AccessViolationHook()
  myhook.add()
  myhook.disable()

PyScripts
- PyScripts are called when ALT+F3 or the PyScript icon located at the main toolbar is pressed

How to use Python Script
- We need knowledge about Immunity Debugger's API and Python
- Immunity Debugger API: http://debugger.immunityinc.com/update/Documentation/ref

API categories: Display, BreakPoint, Assemble/Disasm, Memory, Flow, Fetch Information, Search, Hook, Misc.

Display API
- Used for making visual effects on Immunity Debugger
- Example: Error(msg), setStatusBar(msg)

BreakPoint API
- Used for setting up breakpoints
- Example: setBreakpoint(address), setMemBreakpoint(address, type, size), disableBreakpoint(address)

Memory API
- Used for reading and writing values at a memory address
- Example: readMemory(address, size), writeMemory(address, buffer)

Flow API
- Used for executing and stepping (Run/StepOver/StepIn)
- Example: Run(address), StepOver(address), StepIn(address)

Search API
- Used for searching code
- Example: Search(buffer), searchCommands(cmd), searchCommandsOnModule(address, cmd)

PyCommands
- Can be executed from the command bar and main toolbar
- Examples: bpxep, hidedebug, searchcode, packets

bpxep
- Sets a breakpoint on the EP of the main module

hidedebug
- Used for patching a lot of anti-debugging tricks (Anti-Debug, Anti-Process-finding, Anti-Window-finding)
- Example: IsDebuggerPresent (hidedebug.py, line 225 ~ 237)
- Original IsDebuggerPresent, then the patch steps I=1, I=2, I=3, I=4
- patch.py: used for patching IsDebuggerPresent

packets
- Creates a table that displays packets received on the network
- Example: 127.0.0.1:5555

Practice: Forking & Finding Mine
- Target file: system32\winmine.exe
- Using API: readMemory, writeMemory
- Memory ranges:
  0x01005340 ~ 0x0100548A Size = 0x14A
  0x01005340 ~ 0x0100557F Size = 0x23F
  0x01005340 ~ 0x0100556F Size = 0x22F
  0x01005340 ~ 0x0100567F Size = 0x33F
- mine_finder.py
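As an added example (not the mine_finder.py from the slides), a PyCommand that reads Winmine's board through imm.readMemory() and lists the cells holding mines. Only the base address 0x01005340 comes from the slides; the width/height addresses 0x01005334/0x01005338, the 32-byte row stride and the cell values 0x8F (hidden mine), 0x10 (border) and 0x0F (empty) are assumptions about winmine.exe, and find_mines() is kept as a pure function so it can be exercised offline on a constructed board.

```python
import struct

BOARD_BASE = 0x01005340   # start of the grid (address given on the slides)
WIDTH_ADDR = 0x01005334   # assumed: DWORD holding the board width
HEIGHT_ADDR = 0x01005338  # assumed: DWORD holding the board height
ROW_STRIDE = 32           # assumed: each row occupies 32 bytes
MINE = 0x8F               # assumed: unrevealed cell containing a mine
BORDER = 0x10             # assumed: border cell ringing the playfield
EMPTY = 0x0F              # assumed: unrevealed cell without a mine


def find_mines(board, width, height):
    """Return (row, col) of every mine, 1-based, skipping the border ring."""
    cells = bytearray(board)  # ints in both Python 2 (ImmDbg) and Python 3
    mines = []
    for row in range(1, height + 1):          # row 0 / height+1 are border
        for col in range(1, width + 1):       # col 0 / width+1 are border
            if cells[row * ROW_STRIDE + col] == MINE:
                mines.append((row, col))
    return mines


def constructed_board(width, height, mine_cells):
    """Constructed sample in the assumed layout; not a real memory dump."""
    cells = bytearray([EMPTY]) * ((height + 2) * ROW_STRIDE)
    for r in range(height + 2):
        for c in range(width + 2):
            if r in (0, height + 1) or c in (0, width + 1):
                cells[r * ROW_STRIDE + c] = BORDER
    for r, c in mine_cells:
        cells[r * ROW_STRIDE + c] = MINE
    return bytes(cells)


def main(args):
    """PyCommand entry point: run as !mine_finder inside Immunity Debugger."""
    import immlib  # only importable inside Immunity Debugger
    imm = immlib.Debugger()
    width = struct.unpack("<I", imm.readMemory(WIDTH_ADDR, 4))[0]
    height = struct.unpack("<I", imm.readMemory(HEIGHT_ADDR, 4))[0]
    board = imm.readMemory(BOARD_BASE, (height + 2) * ROW_STRIDE)
    mines = find_mines(board, width, height)
    for row, col in mines:
        imm.log("mine at row %d, col %d" % (row, col))
    return "found %d mines on a %dx%d board" % (len(mines), width, height)
```

Dropped into the PyCommands directory as mine_finder.py, the command reads the width and height first so the same code covers the 9x9 and 30x16 boards behind the ranges listed above.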

Thank you

- Winmine.exe: Microsoft Windows
- IsDebuggerPresent.exe: http://zesrever.xstone.org/9
