This thing really does update quickly, much faster than QQ for Linux. Actually, getting rid of this Today is basically no trouble at all. The version is the one you see above~
Immunity Debugger 1.83 SDK
Although I knew that ImmDbg's debugger was built on top of OllyDbg's source code, and that the two SDKs differ very little, I searched the web and never found a place to download it. Then today, while downloading an Imm plugin, I found the 1.83 SDK in its source tree; plugins developed against this SDK also work with the latest ImmDbg.
In fact the whole SDK is just a thin wrapper over OD's: it #defines each ODBG_* callback to the IMMDBG_* export name that Immunity Debugger looks up, and otherwise leaves the API alone. So if you have the source, moving a plugin from OD to Imm is fairly easy (the header's own warnings about exporting by name, 4-byte packing and unsigned char still apply):
////////////////////////////////////////////////////////////////////////////////
//////////////////////////// IMPORTANT INFORMATION /////////////////////////////
// 1. Export all callback functions by name, NOT by ordinal!
// 2. Force 4 byte alignment of immDbg structures!
// 3. Set default char type to unsigned!
// 4. Read documentation!
#ifndef __PLUGIN_H__
#define __PLUGIN_H__
#pragma pack(push, 4) // Force 4 byte alignment of structures
#ifndef _CHAR_UNSIGNED // Verify that character is unsigned
#error Please set default char type to unsigned (option /J)
#endif
#define ODBG_Plugindata IMMDBG_Plugindata
#define ODBG_Plugininit IMMDBG_Plugininit
#define ODBG_Pluginmainloop IMMDBG_Pluginmainloop
#define ODBG_Pluginsaveudd IMMDBG_Pluginsaveudd
#define ODBG_Pluginuddrecord IMMDBG_Pluginuddrecord
#define ODBG_Pluginmenu IMMDBG_Pluginmenu
#define ODBG_Pluginaction IMMDBG_Pluginaction
#define ODBG_Pluginshortcut IMMDBG_Pluginshortcut
#define ODBG_Pluginreset IMMDBG_Pluginreset
#define ODBG_Pluginclose IMMDBG_Pluginclose
#define ODBG_Plugindestroy IMMDBG_Plugindestroy
#define ODBG_Paused IMMDBG_Paused
#define ODBG_Pausedex IMMDBG_Pausedex
#define ODBG_Plugincmd IMMDBG_Plugincmd
////////////////////////////////////////////////////////////////////////////////
MUltimate Assembler v1.7. Plugin for OllyDbg and Immunity Debugger
General:
– MUltimate Assembler is a multiline (and ultimate) assembler (and disassembler)
– To disassemble code, select it, and choose "MUltimate Assembler" from the right click menu
– To assemble code, click the Assemble button in the assembler window
Where did the file loaded by Python go? (2)
Actually the title is not quite accurate; it should be "where did the file loaded by the ImmDbg debugger go". The loading script is still the one below:
"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby. http: //www.h4ck.org.cn}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
DESC="""Load Binary file test!"""
import immlib
import immutils
import os
def main(args):
imm = immlib.Debugger()
imm.log ("--------------------------------------------------------------------------------" )
imm.log ("[*] Start Loading file " )
imm.log ("--------------------------------------------------------------------------------" )
rcFileHandle = open ('C:\\test.bin','rb')
rcFileData = rcFileHandle.read()
rcFileLength = len(rcFileData)
imm.log ("[*] FileLength is 0x%08x and filedata is loaded at address 0x%08x" %(rcFileLength,id(rcFileData)))
imm.log ("[*] Finished Loading " )
imm.log ("--------------------------------------------------------------------------------" )
return "[*] Data has been Loaded!"
Where did the file loaded by Python go?
In the previous post I mentioned a problem: I did not know where the loaded file went. The id() function does show an address for the loaded data, but when I access that address it is either unavailable or its contents differ from the file. So I tested it directly with Python. The test code is the one shown above.
Python memory injection based on ImmDbg
Actually the previous post was copied wholesale, just to keep a local backup. 😀 Recently I have started moving some work over to ImmDbg. Before that, I wanted to do some simple work in OD scripts to modify and write memory data, but in practice the OD script API offers so few functions that something like reading a file turned out to be basically impossible. Of course, it may just be my own ignorance; if anyone knows the relevant APIs, please share.
Starting to write Immunity Debugger PyCommands : my cheatsheet 『Rw』
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While WinDbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience.
Despite the fact that the command-line oriented approach in WinDbg has many advantages, it appeared not to be the best tool to search for good jump addresses, or to list non-SafeSEH compiled / non-ASLR aware modules, etc. OK, looking for a simple "jmp esp" is trivial, but what if you are looking for all pop pop ret combinations in non-SafeSEH compiled modules… Not an easy task.
It is perfectly possible to build plugins for WinDbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don't always work the way I want them to work, and would still not solve some issues I was having while writing exploits.
OllyDbg and Immunity Debugger are quite different from WinDbg. Not only is the GUI very different, the number of plugins for these debuggers is substantially higher. After evaluating both of them (they pretty much have the same look and feel), and evaluating the way plugins can be added, I made the decision to focus on Immunity Debugger.
That does not mean OllyDbg is a bad debugger or is limited in what you can do in terms of writing plugins… I just found it harder to "quickly tweak a plugin" while building an exploit. OllyDbg plugins are compiled into DLLs, so changing a plugin would require me to recompile and test. Immunity Debugger uses Python scripts. I can go into the script, make a little change, and see the results right away. Simple.
IDA Sync Plugin v3.0.1 for IDA Pro 6.x
For collaborative reverse engineering on top of IDA I have not yet found anything that works well, whereas traditional source-code development IDEs offer plenty of choices. For large projects and large code bases, analysing everything alone is hard, and there is simply too much to cover. That is the reason this plugin was developed.