nicowow <nicolas immunityinc com> |
Friday, August 3 2007 19:33.17 CDT |
Announcing Immunity Debugger v1.0
After almost a year of intensive development and internal use, we are
pleased to announce the public release of Immunity Debugger v1.0.
When we started developing Immunity Debugger our main objective was to
combine the best of the commandline based and GUI based debugger worlds.
The commandline because most of us come from a UNIX background, and it
just ends up being more efficient than clicking your way around. The GUI
because we understand that we are visual beings that often can
grasp more from a single look at a graphical layout than from two days
of x/x-ing memory pages.
The third feature we required was full, flexible access to the debugging API,
the graphing engine, and the GUI API. Because having to recompile
plugins is lame, we decided to make everything accessible from Python.
So we put everything together and developed something we feel very
comfortable using.
This means we ended up with a fully flexible and extensible Win32
debugger that has all of its features, both debugging and graphical,
easily accessible from its Python scripting engine.
And best of all, it's available for free. That's right, Immunity
Debugger is released for free, including free monthly updates.
Here are some cool features:
o The Python API ("Immlib/Lib reference" for full documentation)
o A full Python based graphing library
o Full debugger and GUI API access
o A flurry of cool example scripts such as:
- !heap A fully working heap dumping script (try the -d option!)
- !searchheap Searching the heap
- !hippie Trampoline hooks on RtlAllocateHeap/RtlFreeHeap
- !modptr Dynamic search for function pointers in pages
- !findantidep Find address to bypass software DEP
o Writing your own scripts for your specific tasks is easy :)
Interested? Give Immunity Debugger a spin and download it from:
http://www.immunitysec.com/products-immdbg.shtml
For feedback or bug reports please contact [email protected].
Happy debugging!
Thanks,
Team Immunity
PS: Yes, we will be implementing an interactive Python shell too.
Nice, thanks a lot for sharing. I'm really expecting lots of
nice python scripts popping up. Time to learn python finally,
I guess ;-)
Btw: the "jobs" menu is a very good idea! |
Well, nico, as I've said to you before: awesome job. I love to see the Olly niceness merged with the speed of the command line and the power of Python. I can say, for me at least, that this will be a damn useful tool.
Congratz. |
|
I gotta say, this thing is the bomb! Well done! I can't wait to see what kind of scripts start coming out of the community, thanks to you and all of Immunity. |
Time to learn python finally,
I guess ;-)
definitely |
|
I used Immunity D. and have problems. It looks like "Is debugger present" is needed and I do not know how to make it active. A good idea would be a tutorial on how to construct plugins. (I think you made a good business, if you continue to develop it.) |
If you are having problems with an IsDebuggerPresent check, it's trivial to bypass:
1) Set a breakpoint on kernel32.IsDebuggerPresent
2) When the breakpoint is hit, look two lines down for the CMP EAX... line.
3) Merely assemble there with an XOR EAX,EAX to zero it out.
4) Remove your breakpoint and hit F9
|
jms:
That's good, but it's much more friendly with a plugin. |
|
I cannot load the program; I get an error "Could not load the application, etc." In a different debugger it will load perfectly. I am only testing this debugger. If you can help I will be grateful. Forgive my English, I am doing my best. |
Collie,
It's a good idea, and we will make a small tutorial on how to write a simple script.
Mindtime, you can easily implement what jms said with a couple of lines of Python:
import immlib

def main(args):
    imm = immlib.Debugger()
    # Overwrite the first bytes of the export with "xor eax, eax; ret": the function
    # takes no arguments, so a plain ret is enough, and it now always reports "no debugger".
    ispresent = imm.getAddress("kernel32.IsDebuggerPresent")
    imm.writeMemory(ispresent, imm.Assemble("xor eax, eax\n ret"))
    return "IsDebuggerPresent patched at 0x%08x" % ispresent
Save those lines of Python into a file named bypassIDP.py in
c:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\
Now, on Immunity Debugger's command line you just run:
!bypassIDP
and it will work automatically for you. |
|
Damn Nico, I gotta get on this Python API of yours :) |
|
nicowow, can you take a look in the forum? I've posted a question about a plugin which was displayed on the web site and wanted to know if it was available to the public. Thanks. |
|
Looks damn nice, on the download :) |
nicowow:
I have been investigating a bit with "immunityDebugger". I must say it is a good attempt at making a new Olly. I would suggest you take a look at "NSOLD", a complete version of Olly that I got through the Internet. I think it is RU, but I am not sure. It is the best I have used so far. It comes complete, with plugins and other interesting features. Immunity will have to make many changes to make it popular. NSOLD has the same icon as Olly but of a different color.
I will make a few constructive comments on Immunity.
1. It does not have plugins (lack of instructions on how to make them).
2. I do not see any indication of when it is running or when it is not.
3. It does not give me any indication of whether a branch is to be taken before I execute the instruction.
4. Many more.
As I see them corrected I will give you more.
P.S. It is not NSOLD, it is MSDOLD. |
jms
Do you know where 0012D000 (stack of main thread) is stored so that I can modify it? Your last help was wonderful. |
jms:
Do you think it would be possible, with a change in an Olly plugin, to make it available for ImmunityD?
I really do not know if this is a foolish question. |
|
"Immunity debugger" is a rather proud name. I'd call it "olly with python" :P |
collie:
1. Yes we do. In the next version we will release the SDK, and support for Olly plugins (although no support for those).
2. Little box at the bottom.
3. It does; it's probably minimized on your ID. Check the horizontal line between the assembly code and the dump window.
We appreciate all comments and testing!
|
nicowow:
Sorry, you are right. I must have confused it with an unconditional jump.
From what I can see from MOREL's opinion I am going to have to learn Python. I will appreciate any information through my e-mail (tutorials, etc.) |
We can modify OllyDbg plugins for Immunity Debugger. So far I have two additional plugins working in ID, HideOD and Phantom. Because they did not come with source code, I analysed them, decompiled the Bookmark plugin of ID, and compared. They are almost the same, with two changes: the _ODBG_xxx export functions become _IMMDBG_xxx, and the OllyDbg.exe import entry becomes ImmunityDebugger.exe. We can use a PE editor to modify them.
If we have the source of an OllyDbg plugin, we can recompile it, add the _IMMDBG_xxx export functions (by new function code or by forwarded exports), and it can be used in Immunity Debugger.
Regards,
|
To Any one:
I have managed to unpack a program with Olly,
but when I dump it, it changes a few addresses in the dump (I managed to correct the addresses manually). I do not know if I can mention the packer.
Besides, it also changes the contents of .dll's. Does anyone know where these .dll's are kept? |
TQN:
Your suggestion of changing OllyDbg.exe to ImmunityDebugger.exe in Olly's plugin is OK, but does not work because of the difference in size of the two names, and the locations of these names are fixed. |
Collie:
The locations of the names (as well as the exported function names) are not fixed: they're RVAs. So, you can write new strings either in a cave or in a new section, and then update the import descriptor's Name RVA and the export information's AddressOfNames RVAs to point to them. TQN is saying that a PE editor ought to take care of this for you.
Should work, assuming the only things that have changed about the plugin interface are the names of the functions and the fact that the plugins have to import ImmunityDebugger.exe instead of OllyDbg.exe. However, some plugins (such as OllyAdvanced) make extensive patches to OllyDbg in memory, and those patches rely upon addresses specific to particular versions of OllyDbg, so these will never work under Immunity Debugger.
Anyway, nicowow said that they'll support Olly plugins in the next version, so it sounds like your problems will disappear on their own if you wait. |
|
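The PE edit that TQN describes and that the reply above explains (the module name and the export names are referenced by RVA, so you write the longer strings somewhere new and repoint the RVAs), as an added example that is not part of this thread, of Immunity Debugger or of any PE editor: a small Python script that parses the headers it needs, writes the new strings into the file slack of the section holding each table (the bytes between VirtualSize and SizeOfRawData), and repoints the import descriptor's Name and the export directory's AddressOfNames entries. It runs against a constructed minimal PE32 image built in the same file; the section name, the export names _ODBG_Plugindata and _ODBG_Plugininit, and the omitted import thunks are assumptions for the demo, and that image is not loadable.

```python
"""Retarget an OllyDbg plugin DLL for Immunity Debugger by editing its PE tables.
Added example, not Immunity's or TQN's code: it makes the two edits TQN names
(import OllyDbg.exe -> ImmunityDebugger.exe, exports _ODBG_* -> _IMMDBG_*). Both
are referenced by RVA, so longer strings go into the section's file slack (between
VirtualSize and SizeOfRawData) and the RVAs are repointed. The plugin used below is
a constructed minimal PE32 image, not a loadable DLL."""
import struct

E_LFANEW, EXPORT_DIR, IMPORT_DIR = 0x3C, 0, 1

def _u32(pe, off):
    return struct.unpack_from("<I", pe, off)[0]

def _headers(pe):  # -> (data directory offset, section table offset, section count)
    nt = _u32(pe, E_LFANEW)
    nsec, opt_size, magic = (struct.unpack_from("<H", pe, nt + o)[0] for o in (6, 20, 24))
    if pe[nt:nt + 4] != b"PE\0\0" or magic != 0x10B:
        raise ValueError("not a PE32 image (OllyDbg plugins are 32-bit)")
    return nt + 24 + 96, nt + 24 + opt_size, nsec

def _section(pe, rva):  # -> (hdr_off, va, vsize, rawsize, rawptr) of the section holding rva
    _, table, nsec = _headers(pe)
    for hdr in range(table, table + 40 * nsec, 40):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= rva < va + max(vsize, rawsize):
            return hdr, va, vsize, rawsize, rawptr
    raise ValueError("RVA %#x is not in any section" % rva)

def _off(pe, rva):  # RVA -> file offset
    _, va, _, _, rawptr = _section(pe, rva)
    return rawptr + rva - va

def _cstr(pe, rva):
    off = _off(pe, rva)
    return pe[off:pe.index(b"\0", off)].decode("ascii")

def imported_dlls(pe):
    off, names = _off(pe, _u32(pe, _headers(pe)[0] + 8 * IMPORT_DIR)), []
    while _u32(pe, off + 12):  # descriptor Name RVA; an all-zero descriptor ends the list
        names.append(_cstr(pe, _u32(pe, off + 12)))
        off += 20
    return names

def export_names(pe):
    exp = _off(pe, _u32(pe, _headers(pe)[0] + 8 * EXPORT_DIR))
    arr = _off(pe, _u32(pe, exp + 32))  # AddressOfNames; NumberOfNames is at +24
    return [_cstr(pe, _u32(pe, arr + 4 * i)) for i in range(_u32(pe, exp + 24))]

def _add_string(pe, rva, s):  # write s+NUL into the slack of the section holding rva -> its RVA
    hdr, va, vsize, rawsize, rawptr = _section(pe, rva)
    data = s.encode("ascii") + b"\0"
    if vsize + len(data) > rawsize:
        raise ValueError("no slack in this section; a new section would be needed")
    pe[rawptr + vsize:rawptr + vsize + len(data)] = data
    struct.pack_into("<I", pe, hdr + 8, vsize + len(data))  # grow VirtualSize so it gets mapped
    return va + vsize

def retarget_plugin(image, old_dll="OllyDbg.exe", new_dll="ImmunityDebugger.exe",
                    old_prefix="_ODBG_", new_prefix="_IMMDBG_"):
    pe, dirs = bytearray(image), _headers(image)[0]
    imp_rva, exp_rva = _u32(pe, dirs + 8 * IMPORT_DIR), _u32(pe, dirs + 8 * EXPORT_DIR)
    off = _off(pe, imp_rva)  # 1. repoint the import descriptor's Name RVA
    while _u32(pe, off + 12):
        if _cstr(pe, _u32(pe, off + 12)).lower() == old_dll.lower():
            struct.pack_into("<I", pe, off + 12, _add_string(pe, imp_rva, new_dll))
        off += 20
    exp = _off(pe, exp_rva)  # 2. repoint every renamed AddressOfNames entry
    arr = _off(pe, _u32(pe, exp + 32))
    for i in range(_u32(pe, exp + 24)):
        name = _cstr(pe, _u32(pe, arr + 4 * i))
        if name.startswith(old_prefix):
            new_rva = _add_string(pe, exp_rva, new_prefix + name[len(old_prefix):])
            struct.pack_into("<I", pe, arr + 4 * i, new_rva)
    if export_names(pe) != sorted(export_names(pe)):  # GetProcAddress binary-searches this table
        raise ValueError("renaming broke the export name ordering")
    return bytes(pe)

def build_sample_plugin():
    """Constructed minimal PE32 DLL: one section holding an export table with two
    _ODBG_ names (assumed) and an import descriptor for OllyDbg.exe (thunks omitted)."""
    sec_va, body, rvas, pos = 0x1000, bytearray(0x200), [], 80  # 0..39 export dir, 40..79 imports
    for s in (b"plugin.dll\0", b"_ODBG_Plugindata\0", b"_ODBG_Plugininit\0", b"OllyDbg.exe\0"):
        body[pos:pos + len(s)] = s
        rvas.append(sec_va + pos)
        pos += len(s)
    dll, n1, n2, olly = rvas
    pos = (pos + 3) & ~3
    names = sec_va + pos  # AddressOfNames array
    struct.pack_into("<II", body, pos, n1, n2)
    pos += 8  # = section VirtualSize; the rest of the 0x200 raw bytes is slack
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dll, 1, 2, 2, 0, names, 0)  # export dir
    struct.pack_into("<IIIII", body, 40, 0, 0, 0, olly, 0)  # import descriptor
    dos = b"MZ".ljust(E_LFANEW, b"\0") + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    dirs = struct.pack("<IIII", sec_va, 40, sec_va + 40, 40).ljust(128, b"\0")  # export, import
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + dirs
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", pos, sec_va, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + bytes(body)
```

Running `retarget_plugin(open("plugin.dll", "rb").read())` on a real plugin and writing the result out is the whole workflow; `imported_dlls` and `export_names` show the before and after. Two things to keep in mind that a PE editor will not warn you about: the export name table must stay sorted because GetProcAddress binary-searches it (replacing a common prefix keeps the renamed names in order relative to each other, and the script refuses to write a table that ends up unsorted), and the file size stays the same only while the section has slack, so a plugin whose .rdata is exactly file-alignment sized needs a new section instead. None of this helps with plugins that patch OllyDbg's own code in memory, as the reply notes.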