immunity debugger & python(office97~2003)
Beistlab, 장민창 ([email protected])
Immunity Debugger's summary & features
Structure & Instruction of Immunity Debugger’s Python Script
How to use Python Script
Practice & Etc
Simple, understandable interface
Robust and powerful scripting language for automating intelligent debugging
Lightweight and fast debugging to prevent corruption during complex analysis
Connectivity to fuzzers and exploit development tools
Easy visualization of the debuggee context, reminiscent of OllyDbg
The capability of creating function graphs
Easier to learn complex commands
Immunity Debugger's command line plug-in has a simple interface
We can debug remotely from another computer using the remote command line server
Example: `A 401000, XOR EAX, EAX` - assemble the instruction at the given address
Immunity Debugger's Python API includes many useful utilities and functions
Most things we can think of can be done with a Python script
Familiar and easy to learn
Open source
Basic Frame
PyCommands -Immunity Debugger\PyCommands
PyHooks -Immunity Debugger\PyHooks
PyScripts -Immunity Debugger\PyScripts
PyCommands - Can be executed from the command bar and main toolbar - If the PyCommand needs extra argument
Example: `!scanpe` - detects the packer/cryptor of the main module; it can also scan just the entry point
PyHooks - Python hooks that are loaded at startup; they look exactly like a Python plug-in, except that they are placed inside the PyHooks directory
Example: `myhook = imm.AccessViolationHook()` - `myhook.disable()` - `myhook.add()`
PyScripts - PyScripts are called when ALT+F3 is pressed or the PyScript icon on the main toolbar is clicked
We need knowledge of Immunity Debugger's API and of Python
Immunity Debugger API - http://debugger.immunityinc.com/update/Documentation/ref
API categories: Display, BreakPoint, Assemble/Disasm, Memory, Flow, Fetch Information, Search, Hook, Misc
Display API - Used for producing visual output in Immunity Debugger
Example: `Error(msg)` - `setStatusBar(msg)`
BreakPoint API - Used for setting breakpoints
Example: `setBreakpoint(address)` - `disableBreakpoint(address)` - `setMemBreakpoint(address, type, size)`
Memory API - Used for reading and writing values at a memory address
Example: `readMemory(address, size)` - `writeMemory(address, buffer)`
Flow API - Used for executing and stepping (Run/StepOver/StepIn)
Example: `Run(address)` - `StepOver(address)` - `StepIn(address)`
Search API - Used for searching code and memory
Example: `Search(buffer)` - `searchCommands(cmd)` - `searchCommandsOnModule(address, cmd)`
PyCommands - Can be executed from the command bar and main toolbar
Example: `bpxep` - `hidedebug` - `searchcode` - `packets`
bpxep - Sets a breakpoint on the entry point (EP) of the main module
hidedebug - Used to patch many anti-debugging tricks (Anti-Debug, Anti-Process-finding, Anti-Window-finding)
Example: IsDebuggerPresent
hidedebug.py, lines 225 ~ 237
Original - IsDebuggerPresent
I = 1
I = 2
I = 3
I = 4
patch.py - Used to patch IsDebuggerPresent
packets - Creates a table that displays packets received on the network.
127.0.0.1:5555
Forking & Finding Mine - Target file: system32\winmine.exe - APIs used: readMemory, writeMemory
| Board memory range | Size |
|---|---|
| 0x01005340 ~ 0x0100548A | 0x14A |
| 0x01005340 ~ 0x0100556F | 0x22F |
| 0x01005340 ~ 0x0100557F | 0x23F |
| 0x01005340 ~ 0x0100567F | 0x33F |
mine_finder.py
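The board walk behind the mine-finder exercise, as an added example that is not the presentation's mine_finder.py: in the debugger the buffer would come from `imm.readMemory(0x01005340, size)`; here a constructed buffer stands in so the decoder runs offline. The row stride (0x20) and the cell bytes (0x10 border, 0x0F empty, 0x8F mine) are assumptions about the Windows XP winmine.exe layout that the slides do not state; the size formula reproduces the 0x14A, 0x23F and 0x33F values from the slides.

```python
# Added example, not the presentation's mine_finder.py.
# In Immunity Debugger the buffer comes from imm.readMemory(BOARD_BASE, size);
# here build_board() constructs one so the decoder runs offline.
# Assumed (Windows XP winmine.exe, not stated on the slides): rows are
# ROW_STRIDE bytes apart, 0x10 is border, 0x0F an unrevealed empty cell
# and 0x8F an unrevealed mine (bit 0x80 set means "mine").
BOARD_BASE = 0x01005340
ROW_STRIDE = 0x20
BORDER, EMPTY, MINE = 0x10, 0x0F, 0x8F


def board_size(width, height):
    """Distance from BOARD_BASE to the last border cell of the bottom border
    row: 0x14A for 9x9, 0x23F for 30x16, 0x33F for 30x24 (as on the slides)."""
    return (height + 1) * ROW_STRIDE + (width + 1)


def build_board(width, height, mines):
    """Constructed stand-in for readMemory(BOARD_BASE, board_size(...))."""
    buf = bytearray(board_size(width, height))
    for row in range(height + 2):
        for col in range(width + 2):
            off = row * ROW_STRIDE + col
            if off < len(buf):  # the very last border byte lies at offset == size
                on_border = row in (0, height + 1) or col in (0, width + 1)
                buf[off] = BORDER if on_border else EMPTY
    for row, col in mines:  # 1-based interior coordinates
        buf[row * ROW_STRIDE + col] = MINE
    return bytes(buf)


def find_mines(buf, width, height):
    """Return 1-based (row, col) coordinates of every unrevealed mine."""
    found = []
    for row in range(1, height + 1):
        for col in range(1, width + 1):
            if buf[row * ROW_STRIDE + col] & 0x80:
                found.append((row, col))
    return found


def mine_addresses(buf, width, height):
    """Absolute addresses of the mine cells, i.e. the cells a writeMemory()
    call in the debugger would patch to reveal them."""
    return [BOARD_BASE + r * ROW_STRIDE + c
            for r, c in find_mines(buf, width, height)]


if __name__ == "__main__":
    board = build_board(9, 9, [(1, 1), (5, 7), (9, 9)])
    for addr in mine_addresses(board, 9, 9):
        print("mine at 0x%08X" % addr)
```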
Thank you. References: IsDebuggerPresent.exe (http://zesrever.xstone.org/9) - Winmine.exe (Microsoft Windows)