OpenRCE: Blog

Immunity Debugger v1.4

Mon, 04 Feb 2008 12:27:14 -0600

Immunity is proud to announce: Immunity Debugger v1.4 "veni, vidi, pwn"

We would like to express our appreciation for the enormous amount of
contributions, feedback and requests we receive daily from the Immunity
Debugger community at http://forum.immunityinc.com.

Our TODO list seems infinite but we are getting the most requested
features out there for you guys.

New in this release: a proper process detach, a Second Pass Analysis
which will soon grow into better argument/local variable recognitions
and a new Silent Mode for batch scripts.

Last but not least, we have included a collection of new scripts
including a lot of contributions from forum regular Bob (scanpe.py,
hidedebug.py and bpxep.py) and the contest winning plugin from JMS
(Instead of a candle dinner with Kostya, he received a brand new job as
a Developer on the CANVAS team).

Thanks for using Immunity Debugger! We hope you enjoy this month's
release, Check out the Changelog below for more detailed information.

You can upgrade your current Immunity Debugger by going to Help/Update
or directly downloading the new installer from
http://debugger.immunityinc.com/register.html

Sincerely
Team Immunity
http://www.immunityinc.com

PS: Feedback, Requests, Scripts and Cool Screenshots are always
welcome at http://forum.immunityinc.com

1.40 Build 0

New Features:

- Debugger Core:
  o Added Silent Debugging Flag [accesible via Debugging options ALT-O or via immlib]
    http://forum.immunityinc.com/index.php?topic=157.0
  o Added Analysis Second Pass [Decoding Functions]
    http://forum.immunityinc.com/index.php?topic=163.0

- Debugger GUI Core:
  o Now you can add headers + other useful information on every Row
    displayed at the Disasm Window. The information will be saved
    as part of dump struct.
  o Dettach option added to File Menu: Go to File -> Dettach [You need to be attached to
    gray out Dettach]
    http://forum.immunityinc.com/index.php?topic=158.0

- Debugger GUI:
  o Right click on disasm line -> Add Header will add headers to your line

- Immunity Debugger API:
  o Row Headers / Adding Lines to CPU
    - Added imm.addHeader() and imm.getHeader() methods.
    - imm.addLine behaves like addHeader()
    - Added imm.removeHeader()/imm.removeLine() && imm.getHeader()/imm.getLine()
    - Added imm.getTraceArgs()

  o Added imm.goSilent() method.
  o Added imm.undecorateName() method: Undecorate symbol names
    http://forum.immunityinc.com/index.php?topic=159.0
  o Added imm.Dettach() method: Dettach current process from debugger
  o Added imm.prepareForNewProcess() method: Prepare Debugger core for a fresh start
  o Updated BoB's UserDB.txt (http://peid.info/BobSoft/Downloads.html)

- PyCommands:
  o Added namefunc.py : a simple samplescript that uses imm.addHeader to name
    functions in module
  o Added traceargs.py: find User supplied arguments into a given function.
  o Added JMS's Mike & Boo script
  o User Contributed PyCommands:
     - BoB (http://PEiD.info/BobSoft/)
       * scanpe.py (http://forum.immunityinc.com/index.php?topic=137.0)
       * hidedebug.py (http://forum.immunityinc.com/index.php?topic=140.0)
       * bpxep.py (http://forum.immunityinc.com/index.php?topic=138.0)

Bug Fixes:

- Fixed error when adding knowledge and changing python enviroments later.
  (__dict__ not accesible in restricted mode error)

Vista Heap, Controlling the Determinism.

Tue, 23 Oct 2007 19:04:34 -0500

Sometimes, I believe Microsoft made it easy for us with the introduction of the default Low Fragmentation Heap on Vista. You can probably tell me 'yeah, but unlink is dead'. The Unlink Write4 was already dead long time ago, when ASLR came out and we dont have much to write.

Part of what we said on our Advance heap overflow trainning is that heap overflow are not about the unlink write4, but about controlling the determinism. This is gonna be part of my PacSec talk, Exploiting is far from  just sending a string with a what and a where, It's about a methodology that includes  a complete understanding of the allocation algorythm, different step that in the life of heap overflow and their layout and a deep as it can understanding of the server you are exploiting (At least, based on their allocation/deallocation patterns).

The objective now is  aiming into the data (No matter how cool technique might came out for tricking the Vista algo).
Anyways, continuing with my statement, the Low Fragmentation Heap makes our life somehow easy to predict what we are overwriting either for small or a bigger application, since it allocates a big bucket of chunks of the same size all together.

(Now its a good time for checking the attached ScreenShot and see how a bucket looks like and how ID can tell you exactly the order where those chunks would be taken out when a chunk of that size is requested.)

So, if we have a Function Pointers, some structure and even a String we want to overwrite, apart of the usual magic we need to craft the 'overwriting' chunk as the same size of what we target. After that we would have everything on a 'small universe' where we can probably predict nicely.

PS: With the 'usual magic', I meant the usual holes filling, etc.
PS2: The screenshot can be found here:
  http://forum.immunityinc.com/index.php?topic=99.0

For those who miss it: Immunity Debugger v1.2 Release

Mon, 08 Oct 2007 12:02:14 -0500

This release we include a flurry of new exciting features!

We are proud to announce the first beta version of our free
Vista Heap Library, which supports the new 'Freelist' and
Low Fragmentation Chunk.  Check out the new usage of the
!heap command for more details.

Also included in this release the new recognition library using
heuristic patterns, with a huge database of known windows static
functions. Immunity Debugger includes this library both as a
PyCommand (use !recognize) and as a function for scripting
(use searchFunctionByHeuristic).

As an example usage, imagine you want to release your own script
and set a breakpoint on a unnamed function which might move or
change slightly across different versions of the program. Using
Immunity Debugger's API you can get the heuristic out of the
function and do:

Code:

address = imm.searchFunctionByHeuristic( heuristic)
imm.setBreakpoint( address )

Finally, we include our own small version of peid called
!findpacker using Ero Carrera's pefile and Bob's UserDB with
around 1300 signatures for packers, cryptors and other loaders.

Immunity is also moving the deadline for the PyCommands contest
to the 10th of December to give you more time to use the new features.

Thanks for using Immunity Debugger! We hope you enjoy this month's
release. You+can upgrade your current Immunity Debugger by going to
Help/Update or by directly downloading the new installer from
http://debugger.immunityinc.com/register.html

Don't forget to check out the Immunity Forum (http://forum.immunityinc.com)
for more examples, feedback, cool screenshots, etc.

Thanks
Immunity Debugger Team

1.20 Build 0
October 1, 2007

New Features:

- Immunity Debugger API
  o immlib.getThreadId() method added: return the current debuggee thread id
        o immlib.getCallTree() method added: return the call tree for given
          address
        o immlib.setFocus() method added: focus ID window
        o immlib.isValidHandle() method added: check if a HWND is still valid
        o immlib.getInfoPanel() method added: get information from panel window
          and optionally receives a type flag to force the kind of comment
          fetched.
        o imm.findPacker() method added: find packers/cryptors on a file or a
          loaded module
        o imm.getMemoryPagebyOwner(): Find all the memory pages belonging to a
          module.
        o immlib.ps() returns two extra objects: the tcp list and the udp list
        o immlib.getComment() now will try to fetch all types of comments
        o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint
          is hit (Decoding events timeline)
        o New Vista support for libheap
        o Custom Tables has "Clear Window" menu now
        o Added several methods from librecognize

- PyCommands
        o findpacker added. (Use of findPacker to get Packers from a module)
        o recognize added. (Function Recognizing using heuristic patterns)
        o Hippie now can filter by heap
        o heap updated to work with new Vista Heap
        o Optimized code for stackvars (Memory usage reduction during runtime)

- Core
        o Pyshell can be focused once created with alt-F11
        o Shortcut for attach process added: Ctrl+F1
        o Added librecognition.py (Library for function recognizing)
- Graph
        o immvcglib.generateGraphFromBuf() method added: play with your own vcg
          files!
        o Redesign of VCG parser: easier to read, easier to use.

Bug Fixes:

o Return value (HWND) of createTable
o Fixed Attach Search Filtering :
  http://forum.immunityinc.com/index.php?topic=49.0
o Grapher: Vertex lastline jumps correctly displayed now
o Fixed crash when searching on modules:
  http://forum.immunityinc.com/index.php?topic=63.0
o Fixed search issue on protected binary:
  http://forum.immunityinc.com/index.php?topic=34
o Fixed breakpoint/logpoint hooks issue (logic/stepping inside a hook)
o Fixed PyString_AsString() missbehaviour
o Fixed PyCommand Gui Arguments box to receive \x00 as argument
o Fixed imm.getModulebyAddress() to receive any module address and not only
  module entry point
  http://forum.immunityinc.com/index.php?topic=74.0

Immunity Debugger v1.1 Release

Thu, 30 Aug 2007 16:09:20 -0500

The number one request this month was "Please implement a Python shell so I can write scripts and play with immlib features on the fly!". This is now done. Enjoy! Next to that we continued our efforts to improve the overall debugging experience with two new libraries, libstackanalyze and Ero's Carrera pefile and two new scripts: searchcrypt and stackvar.   The Immunity Debugger engine has also undergone changes to improve reliability issues, fix reported memleaks and remove some well-know bugs used for packers such as the printfloat format error (a.k.a the FLD bug).   Keep in mind we still have a contest going for the best Immunity Debugger script. The winner gets a free SILICA! Get more details from http://forum.immunityinc.com/index.php?topic=12.0 .
We hope you enjoy this month's release. You can upgrade your current Immunity Debugger by going to Help/Update or directly downloading from http://debugger.immunityinc.com/register.html

Feedback, Requests, and Cool Screenshots  are always welcomed at http://forum.immunityinc.com
Sincerely,
Team Immunity
http://www.immunityinc.com
PS: If you are a company, and you are looking for a person
with the right  skills, try our ID Job Advertisement program: http://www.immunityinc.com/products-idadvertising.shtml

-------------------------------
1.1 Build 0
August 30, 2007

New Features:

o Interactive Python Shell added
o Lookaside enhanced output + Discovery option
o libdatatype "Get" Function
o Get OS information methods
o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
o Python engine rewritten to properly use thread locking/unlocking
o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVENTIONAL)
o Attach process window is now dynamically searchable
o Added clean ID memory methods inside immlib
o Added Stack analyzation library (libstackanalyze)
o Fixed some memleak on Disasm
o Fixed wrong arguments on Disasm operand
o Improved Patch command
o Safeseh moved into a PyCommand

New Scripts:

o searchcrypt PyCommand
o stackvars PyCommand

Bug Fixes:

o Solved 'ij' issue inside attach window
o Fixed VCG parser (Blocks display complete address now)
o Fixed traceback error when trying to graph and not attached
o Fixed printfloat() format error
o Fixed ret value of Getaddrfromexp in case of non-existing expression

Immunity Debugger Plugin Awards

Wed, 15 Aug 2007 14:38:18 -0500

The Why
To celebrate the official release of the Immunity Debugger we are having an Immunity Debugger plugin contest. The Immunity Debugger is a full featured Win32 debugger aimed at streamlining VulnDev and Reverse Engineering work.

You can read all about it at http://www.immunityinc.com/products-immdbg.shtml.

Immunity Debugger is available to the community for free! The fully integrated Python scripting engine means you are able to rapidly develop highly flexible debugger plugins. The entire debugger API, the GUI and the graphing engine are available from this pure Python environment.

Immunity Debugger comes with a set of example plugins, but those only scratch the surface of what you can do with the engine. So to get the creative juices flowing, Immunity has organized an ID plugin writing contest for and by the people.

Yah, we're socialist like that.

The What

First prize will consist of either a candle lit dinner with Kostya, or a Immunity SILICA unit. You pick.

Second prize will consist of maybe a blender. But we have a really bad track record for sending those out. So you should probably go for first place.

The How

Plugins need to be written in Python using the Immunity Debugger API. If any part of your plugin is not written in Python, you will have to provide full sourcecode access.

Plugins will be scored by means of a voting process. Winners and not-winners-but-still-really-cool will be listed on the Immunity website.

The criteria are as follows:

o Original Content
o Novelty of the Research involved
o Overall Coolness

Judges:

- Damian Gomez
- Dave Aitel
- Halvar Flake
- Pedram Amini
- Sinan Eren

The When

Right now! The submission deadline is 11:59PM on October 10th 2007. You can submit your plugins to: immunitydebugger ( at ) immunityinc.com. We encourage you to post hashes of your plugins to FD.

Legal Note

All submitted entries need to be licensed under the modified (3-clause, aka non-attribution) BSD license to be considered for the prize.
By submitting your plugin, you grant Immunity Inc. the right to distribute, reproduce, and advertise your plugin. The winner of a SILICA unit will be subject to the terms of the SILICA license and will have to provide proof of identity.