New version of Ollydbg!

Fri, 24 Aug 2012 10:48:48 -0500

The new version of Olly is OllyDbg 2.01 beta 2, more info here.

Immunity debugger - default PyCommands

Wed, 15 Aug 2012 08:34:01 -0500

This blog entry is just quick note. I am new user of immdbg and it's nice to have short list of commands :)

Activex:
- activex - This is script that will resolve exposed COM functions to their relative address.

Logging:
- apitrace - Hooks all intermodular function calls and logs them
- sqlhooker - logs SQL queries
- getevent - Get a log of current debugevent

Heap:
- chunkanalyzehook - Analize a Specific Chunk at a specific moment. Gets address as a value of EIP and expression to calculate the chunk address
- funsniff - Analize the heap pattern of a executed function
- heap - Immunity Heap Dump and analyzing tool
- hippie - Heap logging function
- hookheap - Hook on RtlAllocateHeap/RtlFreeHeap and display information
- horse - Low Fragmentation Heap Viewer
- lookaside - Shows the Lookaside of the Heap structure

Exploiting:
- acrocache - Dumps Acrobat Reader Cache state
- duality - Looks for mapped address that can be 'transformed' into opcodes
- findantidep - Find address to bypass software DEP
- safeseh - Looks for exception handlers registered with SafeSEH
- vcthook - This hook is used to check if the arguments of VariantChangeType are pointers to the same object. There might be vulnerabilities in code that call this function in such a manner.

Searching and comparing:
- cmpmem - Compare memory with a file
- mark - Static Analysis: Mark the tiny ones. Search and mark given function.
-search - simple script that lets you quickie search for regexp
- searchcode - Search code in memory
- searchcrypt - Search a defined memory range looking for cryptographic routines
- searchheap - Search the heap for specific chunks
- searchspray - Script to search all occurences of a string in memory and display them on a table
- shellcodediff - Check for badchars

Analyzing:
- bpxep - Finds entry point...
- dependencies - Find a exported function on the loaded dll
- finddatatype - Attempts to find the type of the data spanning
- findloop - Find natural loops given a function start address
- findpacker - Find a Packer/Cryptor on a Module
- getrpc - Get the RPC information of a loaded dll
- hookndr - Hooks the NDR unmarshalling routines and prints them out so you can see which ones worked
- recognize - Function Recognizing using heuristic patterns
- scanpe - Detect a Packer/Cryptor of Main Module, also scan just EntryPoint. Calculates the entropy of a chunk of data.
- stackvars - set comments around the code to follow stack variables size and content
- syscall - discover system calls
- treedll - Creates imported dll tree

Network:
- hookssl - Creates a table that displays packets received on the network
- mike - Attempts to automate tracing the lifecycle of a network packet's contents.
- packets - Creates a table that displays packets received on the network

Misc:
- gflags - Global flags management tools
- hidedebug - Patches lots of anti-debug protection
- list - List all pycommands in log window
- modptr - Patch all Function Pointers and detect when they triggered
- nohooks - Clean all hooks from memory
- openfile - Opens a File
- pyexec - Non interactive python shell [immlib already imported]
- template - Immunity PyCommand Template
- traceargs - Find User supplied arguments into a given function
- usage - Return the usage information for a python command

It's all. Any mistakes?

OpenRCE: Blog

New version of Ollydbg!

Immunity debugger - default PyCommands