Flag: Tornado! Hurricane!

 Forums >>  Debuggers  >>  !ASLRdynamicbase Immunity Debugger Extension

Topic created on: August 11, 2007 09:20 CDT by Faithless .

The ASLRdynamicbase.py PyCommand will inspect each loaded module, and report whether the PEHeader contains the relevant information indicating it is compatible with Vista's ASLR implementation (DLLCharacteristics). It is interesting to note some of the Microsoft Office 2007 modules, Groove in particular, have not be compiled with the /dynamicbase option set. The same goes for the Apple Bonjour service DLL installed with Safari for Windows 3.0, providing a nice, stable set of opcodes within the svchost.exe processes that also houses many RPC interfaces.

Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !ASLRdynamicbase command.

-Rhys

  n00b   August 12, 2007 04:55.34 CDT
Oh great man keep up the good work m8.Any chance of getting a script that will check for buffer over flow's when reverse engineering stuff would be wiked also could implement pointing out possible format string's..

  Faithless     August 12, 2007 06:30.30 CDT
A much requested feature I'm sure n00b! Take a look at the strncpy_hook PyScript included with Immunity Debugger. I've implemented the same approach for memcpy, looking for particular exploit "primitives" with success. It's fairly easy to set a breakpoint on the memcpy function, and inspect the three arguments passed to it. Likewise for memmove() or pedram's previous CreateMailslot() work.

If I tidy up the memcpy_hook PyScript I might release it here in future.

Note: Registration is required to post to the forums.

There are 31,310 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit