!findtrampoline Immunity Debugger Extension

Topic created on: August 11, 2007 08:57 CDT by Faithless .

Findtrampoline.py is a simple Immunity Debugger 'PyCommand' script. It finds a suitable trampoline to the chosen register. These could be suitable addresses to use in overwriting the saved return address, when exploiting a classic stack overflow.

This is similar functionality to eEye's findjmp and Metasploit's msfpescan tools.

Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !findtrampoline <register> command. It will search for the basic jmp, call and push/ret combinations to direct execution into a register which points to our shellcode.

-Rhys
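The opcode search that post describes, written out as a stand-alone Python function rather than an Immunity Debugger PyCommand (an added example, not Rhys's findtrampoline.py): it encodes `jmp reg`, `call reg` and `push reg` followed by `ret` for a chosen 32-bit register and reports where those byte sequences occur in a buffer. The buffer below is constructed for the example; in practice you would feed it a module's code section to measure how many such sequences a non-rebased module exposes.

```python
"""Scan a byte buffer for x86 sequences that transfer control to the
address held in a given 32-bit register (jmp reg, call reg, push reg; ret).

Added example: a stand-alone re-implementation of the kind of search the
!findtrampoline PyCommand performs, run over a constructed byte buffer
instead of a live Immunity Debugger process.
"""
import re

# Register numbers as used in the ModRM byte and in the short push encoding.
REGISTERS = {
    "eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
    "esp": 4, "ebp": 5, "esi": 6, "edi": 7,
}


def trampoline_patterns(register):
    """Return {description: compiled bytes regex} for the control transfers
    into `register` (encodings per the Intel SDM):

      jmp  r32        -> FF /4   (ModRM = 0xE0 + reg)
      call r32        -> FF /2   (ModRM = 0xD0 + reg)
      push r32 ; ret  -> (0x50 + reg) followed by C3, or by C2 imm16
    """
    reg = REGISTERS[register.lower()]
    return {
        "jmp %s" % register: re.compile(re.escape(bytes([0xFF, 0xE0 + reg]))),
        "call %s" % register: re.compile(re.escape(bytes([0xFF, 0xD0 + reg]))),
        "push %s; ret" % register: re.compile(
            re.escape(bytes([0x50 + reg])) + rb"(?:\xC3|\xC2..)", re.DOTALL),
    }


def find_trampolines(code, register, base=0):
    """Return a sorted list of (address, description) for every match in `code`.

    `base` is the load address of the buffer so reported addresses line up
    with what the debugger shows; overlapping candidates are all reported.
    """
    hits = []
    for desc, pattern in trampoline_patterns(register).items():
        pos = 0
        while True:
            m = pattern.search(code, pos)
            if m is None:
                break
            hits.append((base + m.start(), desc))
            pos = m.start() + 1  # keep scanning past this hit
    return sorted(hits)


# Constructed sample "code section" (not taken from any real module):
# filler plus a handful of known sequences at known offsets.
SAMPLE_CODE = (
    b"\x90\x90\x55\x8B\xEC"     # nop; nop; push ebp; mov ebp, esp
    + b"\xFF\xE4"               # offset 5:  jmp esp
    + b"\x90" * 3
    + b"\xFF\xD4"               # offset 10: call esp
    + b"\x90" * 2
    + b"\x54\xC3"               # offset 14: push esp; ret
    + b"\x90"
    + b"\x54\xC2\x08\x00"       # offset 17: push esp; ret 8
    + b"\xFF\xE3"               # offset 21: jmp ebx (not an esp trampoline)
)
SAMPLE_BASE = 0x10001000  # assumed load address for the sample buffer


if __name__ == "__main__":
    for reg in ("esp", "ebx", "eax"):
        for addr, desc in find_trampolines(SAMPLE_CODE, reg, SAMPLE_BASE):
            print("0x%08X  %s" % (addr, desc))
```

The search is a pure byte-pattern match, like findjmp and msfpescan: it does not disassemble, so a sequence that straddles real instruction boundaries is still reported, which is exactly what you want when counting exposure, since the CPU does not care about the intended boundaries either.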

  MohammadHosein     August 11, 2007 09:10.10 CDT
well done ! thanks

  kernex   August 11, 2007 10:53.54 CDT
:) I wrote a script like this before you:
http://www.openrce.org/forums/posts/558

  n00b   August 11, 2007 12:37.03 CDT
Oh great, nice work. I'm gonna test it out so we can find the correct jmp <esp> or call <reg>.

  nicowow     August 11, 2007 15:17.29 CDT
That's so cool! You can also use the generic script that comes with ImmunityDebugger (but it is not as automatic as yours):
!searchcode <asm code>
ex: !searchcode jmp ebx

  Faithless     August 12, 2007 00:21.17 CDT
Nico,
Oh yes, I was aware of !searchcode <asm> as a quick and easy way to scan for particular opcodes, but I believe the benefit of my PyCommand is that it searches for jmp, call and the other relevant combinations that are applicable to directing execution into the chosen buffer.

They are both (!searchcode and !findtrampoline) useful in different circumstances.

  n00b   August 12, 2007 04:53.04 CDT
Yeah, it's good, but I didn't find any for the SafeSEH script; I couldn't get it to work. Is there any documentation for this script?

  jms     August 12, 2007 22:48.32 CDT
I had contacted MMiller at the Metasploit project about porting their msfopcode to Python so we could use it inside ImmuDBG. Is anyone interested in this? It would basically enable you to search the Metasploit OpcodeDB on the fly... if there is interest I will start the port.

  hochi   August 27, 2007 14:44.06 CDT
YES! It would be extremely useful.

> jms: I had contacted MMiller at the Metasploit project about porting their msfopcode to Python so we could use it inside ImmuDBG. Is anyone interested in this? It would basically enable you to search the Metasploit OpcodeDB on the fly.....if there is interest I will start the port.

  skycrack     March 4, 2014 00:18.17 CST
Thanks!!!!
