Python加载的文件哪里去了?(2)

其实这个标题并不确切,其实应该是ImmDbg调试器加载的文件哪里去了。加载文件脚本还是下面的样子:

"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby. http: //www.h4ck.org.cn}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")

DESC="""Load Binary file test!"""

import immlib
import immutils
import os

def main(args):
    imm = immlib.Debugger()
    imm.log ("--------------------------------------------------------------------------------" )
    imm.log ("[*] Start Loading file " )
    imm.log ("--------------------------------------------------------------------------------" )
             
    rcFileHandle = open ('C:\\test.bin','rb')
    rcFileData = rcFileHandle.read()
    
    rcFileLength = len(rcFileData)
        
    imm.log ("[*] FileLength is 0x%08x and filedata is loaded at address 0x%08x" %(rcFileLength,id(rcFileData)))    

    imm.log ("[*] Finished Loading " )
    imm.log ("--------------------------------------------------------------------------------" )
        
    return "[*] Data has been Loaded!"
Continue Reading

基于ImmDbg的Python内存注射

其实上一篇文章完全是拷贝来的,目的是做个本地备份。 😀 最近开始将一些工作转移到ImmDbg,在此之前是想在OD的脚本中做一些简单的工作来实现一些内存数据的修改以及写入功能,但是事实上由于OD脚本的API函数有限,要实现诸如文件读取之类的工作发现基本没什么可能,当然了也有可能是因为自己孤陋寡闻, :8 如果谁知道相关的APi还望不吝赐教。 smile

Continue Reading

Starting to write Immunity Debugger PyCommands : my cheatsheet 『Rw』

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience.

Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc….  Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules…   Not an easy task.

It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them to work, and would still not solve some issues I was having while writing exploits.

OllyDbg and Immunity Debugger are quite different than windbg.  Not only the GUI is very much different, the number of plugins for these debuggers is substantially higher.  After evaluating both of them (they pretty much have the same look and feel), and evaluating the way plugins can be added, I made the decision to focus on Immunity Debugger.

That does not mean OllyDbg is a bad debugger or is limited in what you can do in terms of writing plugins… I just found it harder to “quickly tweak a plugin” while building an exploit.   OllyDbg plugins are compiled into dll’s, so changing a plugin would require me to recompile and test.   Immunity Debugger uses python scripts.  I can go into the script, make a little change, and see the results right away.  Simple.

Continue Reading

Hide Debugger for Immunity Debugger v1.8x

"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")

import immlib
import immutils
def main(args):
    imm = immlib.Debugger()
    #hide debugger by wipe the BeingDebugged flag in PEB struct.
    imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00")
    #disable the process enume
    process32first = imm.getAddress("kernel32.Process32FirstW")
    process32next = imm.getAddress("kernel32.Process32NextW")
    function_list = [process32first, process32next]
    patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
    for address in function_list:
        opcode = imm.disasmForward(address,nlines = 8)
        #imm.writeMemory(opcode.address,patch_bytes)
    
    return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"

该脚本用于去掉基于IsDebugPresent函数的调试检测。将上面的内容保存为hidedbg.py放入immdbg的PyCommands目录下,然后在immdbg的命令窗口中执行即可。 smile