
Created: Tuesday, September 29 2009 09:13.53 CDT Modified: Tuesday, September 29 2009 09:18.08 CDT
Immunity Debugger Plugin
Author: zqyves # Views: 5398

Hello,

The following is an Immunity Debugger command that can be used to change the way an application behaves at runtime by changing the values of registers at predefined breakpoints.

The idea behind this PyCommand is that a breakpoint is set at each point where the program's execution must be manipulated. Once a breakpoint is hit, the manipulation associated with it is executed: setting a register to a specified value (e.g. EAX=0x00000000) or to the contents of another register (e.g. EAX = EBX).

The information required to set up the breakpoint hooks is:
    * ID: a unique, descriptive name that identifies the hook
    * ADDRESS: the address at which the breakpoint will be set
    * REGISTER: the register to be modified
    * VALUE: the value to set the register to; this is either a static value (0x00000000) or the name of another register, in which case that register's value is copied into the one being modified.

So at the end of the day you end up with something along the lines of:

!bsu.py -b PREJMP:0x0040501290:EAX:EBX;POSTCMP:0x00407612:EAX:00000001

As you can see, more than one hook can be set at once. More information on the motivation for implementing such a command is here.

CODE
----

import immlib
from immlib import LogBpHook
import getopt

class BSU(LogBpHook):
    """Breakpoint hook that rewrites one register each time it is hit."""
    def __init__(self):
        LogBpHook.__init__(self)
        self.availableRegs = ['EIP','ESP','EDI','EAX','EBP','EDX','EBX','ESI','ECX']

    def run(self,regs):
        """This will be executed when hooktype happens"""
        imm = immlib.Debugger()
        actaddr = "%08x" % regs['EIP']
        # main() stored the behaviour for this address as 'REGISTER:VALUE'
        behaviour = imm.getKnowledge(actaddr)
        imm.log("Hook hit at %s" % actaddr)
        imm.log('Set behaviour %s' % behaviour)
        pair = behaviour.split(':')
        actReg = pair[0]
        if (pair[1] in (self.availableRegs)):
            # VALUE names a register: copy its current contents
            value = regs[pair[1]]
        else:
            # VALUE is a static hex number
            value = int(pair[1],16)
        imm.setReg(actReg,value)

def usage(imm):
    imm.Log('bsu.py -b ID:ADDRESS:REGISTER:VALUE<;><ID:ADDRESS:REGISTER:VALUE><;>...')
    imm.Log('   ID: something descriptive to identify your hook')
    imm.Log('   ADDRESS: the break point address')
    imm.Log('   REGISTER: the register to modify')
    imm.Log('   VALUE: either a set value or the name of a register whose value to copy')
    return 'Check usage'

def main(args):
    imm = immlib.Debugger()
    iStream = None
    try:
        opts,argo = getopt.getopt(args, "hb:")
    except getopt.GetoptError:
        return usage(imm)
    for o,a in opts:
        if (o=='-b'):
            iStream = a
        if (o=='-h'):
            return usage(imm)
    if iStream is None:
        # -b is mandatory; without it there is nothing to hook
        return usage(imm)
    imm.Log('Setting up the hooks...')
    bPoints = iStream.split(';')
    hooker = BSU()
    for p in bPoints:
        det = p.split(':')
        if len(det) != 4:
            imm.Log('Skipping malformed hook definition: %s' % p)
            continue
        desc = det[0]
        bp = long(int(det[1],16))
        behav = det[2]+':' + det[3]
        ret=hooker.add(desc,bp)
        if ret == -1:
            imm.Log('Couldn\'t install hook at %s %08x %s' % (desc,bp,behav))
        else:
            # store the behaviour under the address so run() can look it up
            imm.addKnowledge("%08x" % bp , behav)
            imm.Log('Installed hook at %s %08x %s' % (desc,bp,behav))
    # keep the hook object around between command invocations
    imm.addKnowledge('bsu',hooker)
    return 'Finished hooking, check Log to spot any failures'
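The hook-definition format above is parsed and applied without any checking, so a typo in a register name or hex value only shows up once the breakpoint fires inside the debugger. The following is an added example, not part of the original PyCommand: a standalone Python 3 parser for the same ID:ADDRESS:REGISTER:VALUE;... syntax that rejects malformed entries up front, plus a simulation of what one hook hit does to a register state, so a hook string can be checked outside Immunity Debugger (the sample spec and register values are constructed).

```python
REGS = ('EIP', 'ESP', 'EDI', 'EAX', 'EBP', 'EDX', 'EBX', 'ESI', 'ECX')

def parse_hooks(spec):
    """Parse 'ID:ADDRESS:REGISTER:VALUE;...' into {address: (id, reg, value)}.

    value is an int for a static value, or the upper-case name of the
    register to copy from. Malformed entries raise ValueError instead of
    being installed: wrong field count, unknown register, bad hex, or two
    hooks on one address (the later one would silently win in bsu.py).
    """
    hooks = {}
    for entry in filter(None, spec.split(';')):
        fields = entry.split(':')
        if len(fields) != 4:
            raise ValueError("expected ID:ADDRESS:REGISTER:VALUE, got %r" % entry)
        hid, addr_s, reg, val_s = fields
        reg, val_s = reg.upper(), val_s.upper()
        if reg not in REGS:
            raise ValueError("%s: unknown register %r" % (hid, reg))
        try:
            addr = int(addr_s, 16)
            # a register name is copied at hit time; anything else must be hex
            value = val_s if val_s in REGS else int(val_s, 16) & 0xFFFFFFFF
        except ValueError:
            raise ValueError("%s: bad hex in %r" % (hid, entry))
        if addr in hooks:
            raise ValueError("%s: %08x already hooked by %s" % (hid, addr, hooks[addr][0]))
        hooks[addr] = (hid, reg, value)
    return hooks

def apply_hook(regs, hooks):
    """Simulate one breakpoint hit: regs maps register names to values at
    the current EIP. Returns the register state after the hook (if any)."""
    new = dict(regs)
    hook = hooks.get(regs['EIP'])
    if hook is not None:
        _, reg, value = hook
        new[reg] = regs[value] if isinstance(value, str) else value
    return new

if __name__ == '__main__':
    # constructed sample with the same shape as the post's command line
    spec = 'PREJMP:0x00405012:EAX:EBX;POSTCMP:0x00407612:EAX:00000001'
    hooks = parse_hooks(spec)
    regs = {'EIP': 0x00405012, 'EAX': 0, 'EBX': 0x41414141}
    print(apply_hook(regs, hooks))
```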



