这本书是这两天刚买到的,从前天开始看,然后到昨天晚上就看完了,整体的感觉就是书的内容虽然不错但是感觉有点太少了,一种意犹未尽的感觉。
轻轻松松当医生
不知道什么时候电脑上竟然还有这么一个东东,猛击此处下载,可以过一把当医生的瘾。嘎嘎,对啦登录密码是123
mona for Immunity Debugger v1.8x
This is the Corelan Team project page for ‘mona’, a PyCommand for Immunity Debugger.
This PyCommand replaces pvefindaddr, which is no longer supported as of mid june 2011.The PyCommand has been tested on Immunity Debugger 1.83. Older versions of Immunity Debugger are not supported and may not work.
Hide Debugger for Immunity Debugger v1.8x
"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
import immlib
import immutils
def main(args):
imm = immlib.Debugger()
#hide debugger by wipe the BeingDebugged flag in PEB struct.
imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00")
#disable the process enume
process32first = imm.getAddress("kernel32.Process32FirstW")
process32next = imm.getAddress("kernel32.Process32NextW")
function_list = [process32first, process32next]
patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
for address in function_list:
opcode = imm.disasmForward(address,nlines = 8)
#imm.writeMemory(opcode.address,patch_bytes)
return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"
该脚本用于去掉基于IsDebugPresent函数的调试检测。将上面的内容保存为hidedbg.py放入immdbg的PyCommands目录下,然后在immdbg的命令窗口中执行即可。 
OllyDbg v1.10 And Wow64
前一段时间在去除QQ国际版的弹窗的时候就发现了这个问题,在Windows 7 64位系统下无法正常使用OD进行调试,载入之后会直接提示无法处理的异常。
IDA SYNC For IDA 6.x
IDA Sync was written to allow multiple analysts to synchronize their reverse engineering efforts with IDA Pro in real time. Users connect to a central server through the ida_sync plugin. Once connected, all comments and name changes made with the registered hot keys are immediately transmitted to all other users working on the same project. The central server stores a copy of all changes as well, allowing new analysts to jump on the project and immediately receive up to date information.
generate_disasm_line 以及 generate_disassembly
但从字面上也很容易理解这两个函数的意思,但是事实在实际使用的时候效果却并不是想要的那样。 
idaman int ida_export generate_disassembly(
// Generate disassembly (many lines)
// and put them into a buffer
// Returns number of generated lines
ea_t ea, // address to generate disassembly for
char *lines[], // buffer to hold pointer to generated lines
int bufsize, // size of buffer
int *lnnum, // number of "the most interesting" line
// may be NULL
bool as_stack); // Display undefined items as 2/4/8 bytes
idaman bool ida_export generate_disasm_line(
// Generate one line of disassembly
// This function discards all "non-interesting" lines
// It is designed to generate one-line desriptions
// of addresses for lists, etc.
ea_t ea, // address to generate disassembly for
char *buf, // pointer to the output buffer
size_t bufsize, // size of the output buffer
int flags=0);
#define GENDSM_FORCE_CODE 1 // generate a disassembly line as if
// there is an instruction at 'ea'
#define GENDSM_MULTI_LINE 2 // if the instruction consists of several lines,
// produce all of them (useful for parallel instructions)
