Immunity Debugger Plugin

Tue, 29 Sep 2009 09:13:53 -0500

Hello,

The following is an Immunity Debugger command that can be used to change the way an application behaves runtime by changing the values of the registers at predefined breakpoints.

The idea behind this PyCommand is that a breakpoint is set at each point that the program execution must be manipulated. Once the breakpoint is hit, the relevant manipulation associated with it will be executed. That may be setting the value of a register to a specified value (eg. EAX=0x00000000) or to the contents of another register (eg. EAX = EBX) .

The required information in order to setup the breakpoint hooks is:
    * ID: A unique - descriptive - name in order to identify the hook by
    * ADDRESS: The address that the breakpoint will be set
    * REGISTER: The register to be modified
    * VALUE: The value to be set to the register, this can either be static (0x00000000) or the name of another register in which case the value of that register is being copied to the one we wish.

So at the end of the day you ended up with something along the lines of:

!bsu.py -b PREJMP:0x0040501290:EAX:EBX;POSTCMP:0x00407612:EAX:00000001

As you can see more than one can be set. More info behind the drivers for implementing such a command here.

CODE
----



import immlib

from immlib import LogBpHook

import getopt



class BSU(LogBpHook):

    def __init__(self):

        LogBpHook.__init__(self)

        self.availableRegs = ['EIP','ESP','EDI','EAX','EBP','EDX','EBX','ESI','ECX']

        

    def run(self,regs):

        """This will be executed when hooktype happens"""

        imm = immlib.Debugger()

        actaddr = "%08x" % regs['EIP']

        behaviour = imm.getKnowledge(actaddr)

        imm.log("Hook hit at %s" % actaddr)

        imm.log('Set behaviour %s' % behaviour)

        pair = behaviour.split(':')

        actReg = pair[0]

        if (pair[1] in (self.availableRegs)):

            value = regs[pair[1]]

        else:

            value = int(pair[1],16)

        imm.setReg(actReg,value)



def usage(imm):

    imm.Log('bsu.py -b ID:ADDRESS:REGISTER:VALUE<;><ID:ADDRESS:REGISTER:VALUE><;>...')

    imm.Log('   ID: something descriptive to identify your hook')

    imm.Log('   ADDRESS: the break point address')

    imm.Log('   REGISTER: the register to modify')

    imm.Log('   VALUE: either a set value or the name of a register whose value to copy')

    return 'Check usage'



def main(args):

    imm = immlib.Debugger()

    try:

        opts,argo = getopt.getopt(args, "hb:")

    except:

        return usage(imm)

    for o,a in opts:

        if (o=='-b'):

            iStream = a

        if (o=='-h'):

            return usage(imm)

    imm.Log('Setting up the hooks...')

    bPoints = iStream.split(';')

    hooker = BSU()

    for p in bPoints:

        det = p.split(':')

        desc = det[0]

        bp = long(int(det[1],16))

        behav = det[2]+':' + det[3]

        ret=hooker.add(desc,bp)

        if ret == -1:

            imm.Log('Counldn\'t install hook at %s %08x %s' % (desc,bp,behav))

        else:

            imm.addKnowledge("%08x" % bp , behav)

            imm.Log('Installed hook at %s %08x %s' % (desc,bp,behav))

    imm.addKnowledge('bsu',hooker)

    return 'Finished hooking, check Log to spot any failures'

OpenRCE: Blog

Immunity Debugger Plugin