📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

 Forums >>  Debuggers  >>  ImmDbg Plug-in to Log all the Registry Function Calls in advapi32.dll

Topic created on: November 7, 2007 17:11 CST by black13 .

can the immunity debugger + python plugin trap registry function calls in advapi32.dll ? and can i log the arguments passed to these function calls?
thanks

  jms     November 7, 2007 23:56.58 CST
Yep, determine what calls you want to trap, and set breakpoints on them. I don't have time to whip up a PyCommand right now but here is the pseudocode:

1) Set LoggingBPHooks on all of the registry functions you want to hook.
2) Inside the run() function in your BPHook class, have it do a call stack retrieval and it will have fully decoded function parameters.

Just look at some examples in the PyCommands directory for hooking, and use the documentation for doing the call stack decoding.

PS http://forum.immunityinc.com/index.php?topic=88.msg317#msg317

  rbw   November 9, 2007 19:58.40 CST
#!/usr/bin/env python

import immlib
from immlib import LogBpHook


class MyOwnHook(LogBpHook):
    def __init__(self):
        LogBpHook.__init__(self)

    def run(self, regs):
        imm = immlib.Debugger()
        callstack = imm.callStack()
        for a in callstack:
            imm.Log("Address: %08x - Stack: %08x - Procedure: %s - frame: %08x - called from: %08x" %( a.address,a.stack,a.procedure,a.frame,a.calledfrom))
        

def usage(imm):
    imm.Log("!hookapi module api")
    imm.Log("!hookapi advapi32.dll RegQueryValueExA")


def main(args):
    imm = immlib.Debugger()
    
    if not args:
        usage(imm)
        return "Wrong Arguments (Check Log Windows for the usage information)"

    module_name = args[0]
    api_name = args[1]

    imm.Log("module name:%s api name:%s" % (module_name, api_name))
    module = imm.getModule(module_name)

    hook = MyOwnHook()
    f = imm.getAddress(api_name)
    hook.add("hookit", f)

Note: Registration is required to post to the forums.

There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit