
Immunity Debugger / intermodular call logging without dbg symbols

Topic created on: October 22, 2011 05:50 CDT by enodr .

Hi,

I am using Immunity Debugger to do API (intermodular) call logging using code similar to this:
*** Immunity Debugger Python Shell v0.1 ***
Immlib instanciated as 'imm' PyObject
READY.
>>> stacks = imm.callStack()
>>> main_call = False
>>> for i in stacks:
>>>     if i.getProcedure().startswith(" ") == False:
>>>         if main_call == True:
>>>             break
>>>         else:
>>>             main_call = True
>>>             print "Main Call %s" % i.getProcedure()
>>>     else:
>>>         print "Argument: %s" % i.getProcedure()
>>>
Main Call kernel32.CreateFileA
Argument:   FileName = "C:\WINDOWS\System32\drivers\etc\services"
Argument:   Access = GENERIC_READ
Argument:   ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
Argument:   pSecurity = 0345EFC4
Argument:   Mode = OPEN_EXISTING
Argument:   Attributes = NORMAL
Argument:   hTemplateFile = NULL
>>>


Of course with this example kernel32.dll has full debug symbols so the result displays correctly the parameters names and content.

How would it be possible to do the same display formatting with dlls which don't have debug symbols, but for which you know the function parameters names and type?

I guess I could make some kind of file with function prototypes but then I don't know how to deal with the python script and callstack.getProcedure or such.

Thanks.

No posts found under this topic.
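One way to get the "Main Call / Argument:" layout for a DLL without symbols is to keep your own prototype table and read the raw argument DWORDs off the stack yourself at function entry, instead of relying on what imm.callStack() can decode. The script below is an added example written for this page, not enodr's code and not part of immlib; it runs stand-alone on a constructed in-memory stack. The prototype file format ("module.function: type name, ...") and the flag tables are assumptions made for the example. Inside Immunity Debugger you would set a breakpoint on the exported function's first instruction and swap the two reader callbacks for imm.readLong and imm.readString and take ESP from imm.getRegs()["ESP"] (assumed immlib names; check them against your immlib version).

```python
from __future__ import print_function
import struct

# Constructed prototype table in an assumed "module.function: type name, ..."
# format; this is an example format, not a file Immunity Debugger ships.
PROTOTYPES_TEXT = """
# x86 stdcall/cdecl: args are pushed right to left, so argument N sits at
# [ESP+4+4*N] once a breakpoint on the function's first instruction hits.
mymod.OpenThing: LPCSTR Name, DWORD Access, DWORD ShareMode, HANDLE hParent
ws2_32.send: SOCKET s, LPCSTR buf, int len, int flags
"""

# Constructed flag tables keyed by parameter name, giving the GENERIC_READ
# style rendering that the symbol-backed kernel32 output shows.
FLAG_TABLES = {
    "Access":    {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    "ShareMode": {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE"},
}
STRING_TYPES = ("LPCSTR", "LPSTR", "char*")
POINTER_TYPES = ("HANDLE", "LPVOID", "PVOID", "LPSECURITY_ATTRIBUTES")


def parse_prototypes(text):
    """Return {'module.func': [(type, name), ...]} from the prototype text."""
    protos = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        func, _, params = line.partition(":")
        plist = []
        for p in params.split(","):
            p = p.strip()
            if p:
                ptype, pname = p.rsplit(None, 1)
                plist.append((ptype, pname))
        protos[func.strip()] = plist
    return protos


def format_flags(value, table):
    """Render a bitmask as NAME|NAME, keeping unknown leftover bits as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append("%08X" % rest)
    return "|".join(names)


def format_arg(ptype, pname, value, read_string):
    """Pick a rendering from the parameter's declared type and name."""
    if pname in FLAG_TABLES:
        return format_flags(value, FLAG_TABLES[pname])
    if ptype in STRING_TYPES:
        return '"%s"' % read_string(value) if value else "NULL"
    if ptype in POINTER_TYPES and value == 0:
        return "NULL"
    return "%08X" % value


def log_call(procname, esp, protos, read_dword, read_string):
    """Build 'Main Call'/'Argument:' lines from raw stack DWORDs at entry."""
    lines = ["Main Call %s" % procname]
    params = protos.get(procname)
    if params is None:
        lines.append("Argument: (no prototype for %s)" % procname)
        return lines
    for n, (ptype, pname) in enumerate(params):
        raw = read_dword(esp + 4 + 4 * n)   # [ESP] itself is the return address
        lines.append("Argument: %s = %s" % (pname, format_arg(ptype, pname, raw, read_string)))
    return lines


def build_fake_memory(esp, stack_dwords, strings):
    """Constructed little-endian memory image: a stack plus some C strings."""
    mem = {}
    for i, dword in enumerate(stack_dwords):
        for j, b in enumerate(bytearray(struct.pack("<I", dword))):
            mem[esp + 4 * i + j] = b
    for addr, s in strings.items():
        for j, b in enumerate(bytearray(s.encode("ascii") + b"\0")):
            mem[addr + j] = b
    return mem


def make_readers(mem):
    """(read_dword, read_string) over the fake memory; in the debugger these
    would be imm.readLong / imm.readString (assumed immlib names)."""
    def read_dword(addr):
        return struct.unpack("<I", bytes(bytearray(mem[addr + k] for k in range(4))))[0]

    def read_string(addr):
        out = []
        while mem[addr]:
            out.append(chr(mem[addr]))
            addr += 1
        return "".join(out)
    return read_dword, read_string


def demo():
    """Constructed call: mymod.OpenThing("C:\\example\\config.ini", GENERIC_READ, 3, NULL)."""
    protos = parse_prototypes(PROTOTYPES_TEXT)
    esp, name_ptr = 0x0012FF00, 0x00403000
    mem = build_fake_memory(esp, [0x00401234, name_ptr, 0x80000000, 0x3, 0x0],
                            {name_ptr: "C:\\example\\config.ini"})
    read_dword, read_string = make_readers(mem)
    return log_call("mymod.OpenThing", esp, protos, read_dword, read_string)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the arguments are read at function entry rather than from the unwound call stack, this only works at a breakpoint on the first instruction of the target export and only for the x86 stack-passing conventions the prototype file assumes; a prototype with the wrong argument count simply prints the next stack slots as if they were parameters, so keep the table in step with the DLL version you are tracing.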