Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Immunity Debugger
PostPosted: 15 Aug 2007 22:12 

Joined: 14 Aug 2007 13:32
Posts: 71
Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

A debugger with functionality designed specifically for the security industry
Cuts exploit development time by 50%
Simple, understandable interfaces
Robust and powerful scripting language for automating intelligent debugging
Lightweight and fast debugging to prevent corruption during complex analysis
Connectivity to fuzzers and exploit development tools

The Best of Both Worlds
Immunity Debugger's interfaces include the GUI and a command line. The command line is always available at the bottom of the GUI. It allows the user to type shortcuts as if they were in a typical text-based debugger, such as WinDBG or GDB. Immunity has implemented aliases to ensure that your WinDBG users do not have to be retrained and will get the full productivity boost that comes from the best debugger interface on the market.

Commands can be extended in Python as well, or run from the menu-bar.

Just copied a section from their web site, check it out. The main thing is that you can write your own Python plugins. I've also uploaded some Python plugins that have been written by people in the OpenRCE community. Great tool for anyone that is into exploit development. A lot like OllyDbg but with a few bug fixes. The main thing is it's completely free.

http://www.immunitysec.com/products-immdbg.shtml

================================================
Plugins that have been created so far are listed below.

1) !ASLRdynamicbase.py

The ASLRdynamicbase.py PyCommand will inspect each loaded module, and report whether the PE header contains the relevant information indicating it is compatible with Vista's ASLR implementation (DLLCharacteristics). It is interesting to note some of the Microsoft Office 2007 modules, Groove in particular, have not been compiled with the /dynamicbase option set. The same goes for the Apple Bonjour service DLL installed with Safari for Windows 3.0, providing a nice, stable set of opcodes within the svchost.exe processes that also house many RPC interfaces.

Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !ASLRdynamicbase command.


2) Findtrampoline.py

Findtrampoline.py is a simple Immunity Debugger 'PyCommand' script. It finds a suitable trampoline to the chosen register. These could be suitable addresses to use in overwriting the saved return address, when exploiting a classic stack overflow.

This is similar functionality to eEye's findjmp and Metasploit's msfpescan tools.

Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !findtrampoline <register> command. It will search for the basic jmp, call and push/ret combinations to direct execution into a register which points to our shellcode.

3) !funcdump.py

Some here may be interested in my first extension PyCommand script for the Immunity Debugger. funcdump.py allows a quick and clean report of the functions found within the loaded module. funcdump is designed to handle correctly those PEs which do not load at 0x00400000 in the process address space.

I've realised it's handy having a window at the side recording all functions, and by simply highlighting and pressing Enter or double clicking the analyst can jump to the required function.

Installation simply involves copying the funcdump.py script into the PyCommands folder, and then issuing the !funcdump command within the debugger itself. I used this as a learning introduction to ID's Python API, and I look forward to seeing further extensions from this community.

All of these can be found in the zip file posted below.


Attachments:
File comment: Immunity Debugger plugins.
python plugin's.rar [1.88 KiB]
Downloaded 519 times


Last edited by n00b on 16 Aug 2007 11:36, edited 1 time in total.
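The check that the !ASLRdynamicbase PyCommand performs, as an added example that is not part of this post or of Immunity's code: instead of the debugger's immlib API, it reads the DllCharacteristics word straight out of the PE optional header with the standard library, so it runs offline on any PE bytes. The flag values are the winnt.h IMAGE_DLLCHARACTERISTICS constants; the module images below are constructed header stubs, not real DLLs.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header (winnt.h).
DYNAMIC_BASE = 0x0040   # linked with /dynamicbase: ASLR may relocate the image
NX_COMPAT = 0x0100      # linked with /nxcompat: DEP-compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image):
    """Return the DllCharacteristics field of a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", image, opt + 70)[0]


def aslr_report(modules):
    """Map each module name to its ASLR/DEP opt-in flags, like the PyCommand's report."""
    report = {}
    for name, image in modules.items():
        chars = dll_characteristics(image)
        report[name] = {"dynamicbase": bool(chars & DYNAMIC_BASE),
                        "nxcompat": bool(chars & NX_COMPAT)}
    return report


def modules_without_aslr(modules):
    """Names of modules not linked with /dynamicbase, i.e. loaded at predictable addresses."""
    return sorted(n for n, f in aslr_report(modules).items() if not f["dynamicbase"])


def make_stub_pe(dll_chars, pe32plus=False):
    """Constructed minimal PE header (not a loadable binary) for offline testing."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    machine, opt_size = (0x8664, 0xF0) if pe32plus else (0x14C, 0xE0)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Feeding modules_without_aslr() the images of every loaded module gives the same list the PyCommand prints: the modules whose load address an attacker could rely on.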
 Post subject:
PostPosted: 16 Aug 2007 08:33 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have moved this one and the other 2 threads into this new section where we can discuss just about anything which helps the realization of the research.

Have you tried this debugger?
Is it at OllyDbg levels?
I'm going to try it.


 Post subject:
PostPosted: 16 Aug 2007 11:33 

Joined: 14 Aug 2007 13:32
Posts: 71
No problem Luigi, I thought this was for your own tools. :D OK yeah, I tested it, I like it; basically exactly the same as OllyDbg but with bug fixes and a Python API. I know you can make scripts for IDA Pro, but the Python API looks a lot more user friendly and less code from what I've seen. I'm waiting for a plugin called Stackvar which will be released by "nicowow" when he has fixed some bugs in it. The plugin which I'm talking about will help people reverse engineer closed source applications by listing all the sprintf functions and the byte sizes. Here is a little picture of the plugin. I'm sure they fixed the format string bug that was in Olly.

http://img410.imageshack.us/my.php?imag ... arsqi0.png


 Post subject:
PostPosted: 16 Aug 2007 19:13 

Joined: 14 Aug 2007 10:06
Posts: 5
Well, I will try that debugger because I love Python :D.
Anyway, which is the best debugger?


 Post subject:
PostPosted: 16 Aug 2007 22:15 

Joined: 14 Aug 2007 13:32
Posts: 71
I personally think it's just a matter of personal opinion, but it also depends on the platform; on Linux there are a few non-GUI debuggers. I suppose it's whatever you feel comfortable with. But this one is good for the Python API.


 Post subject:
PostPosted: 17 Aug 2007 10:20 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have checked it quickly and, yes, you are right, it seems to be Olly with bugfixes, so the best debugger at the moment until Olly 2.


 Post subject:
PostPosted: 21 Aug 2007 17:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
At the moment I'm using only this debugger and I think its main problem is the advertisement: every time you start it, it connects to auth.immunityinc.com (solved through the hosts file).
I found also some other small or rare problems, for example if you try to open the 2.40 version of the Sockscap executable it crashes, or yesterday the command-line bar vanished!


 Post subject:
PostPosted: 31 Aug 2007 12:08 

Joined: 14 Aug 2007 13:32
Posts: 71
Version 1.1 has just been released, hoooha. And the much awaited stackvar script is finished.

====
Fixes
====
1.1 Build 0
August 30, 2007

New Features:

o Interactive Python Shell added
o Lookaside enhanced output + Discovery option
o libdatatype "Get" Function
o Get OS information methods
o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
o Python engine rewritten to properly use thread locking/unlocking
o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVENTIONAL)
o Attach process window is now dynamically searchable
o Added clean ID memory methods inside immlib
o Added Stack analyzation library (libstackanalyze)
o Fixed some memleak on Disasm
o Fixed wrong arguments on Disasm operand
o Improved Patch command
o Safeseh moved into a PyCommand

New Scripts:

o searchcrypt PyCommand
o stackvars PyCommand

Bug Fixes:

o Solved 'ij' issue inside attach window
o Fixed VCG parser (Blocks display complete address now)
o Fixed traceback error when trying to graph and not attached
o Fixed printfloat() format error
o Fixed ret value of Getaddrfromexp in case of non-existing expression


 Post subject:
PostPosted: 08 Nov 2007 22:39 

Joined: 24 Oct 2007 18:18
Posts: 23
wow nice :)
but I am not an expert, can you show us by pic something about how to make a small program .. for a chat fake player or something like that ,..
I will start and continue with you if you agree to teach me something about it :)
thank you..


 Post subject: Re:
PostPosted: 23 Jan 2009 16:52 

Joined: 18 Sep 2008 22:23
Posts: 32
aluigi wrote:
I have checked it quickly and, yes, you are right, it seems to be Olly with bugfixes, so the best debugger at the moment until Olly 2.


So is there a plan for an OllyDbg 2 to be released?


 Post subject: Re: Immunity Debugger
PostPosted: 23 Jan 2009 17:09 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Judging from http://www.ollydbg.de/version2.html I bet on February or March.


 Post subject: Re: Immunity Debugger
PostPosted: 03 Sep 2009 10:08 

Joined: 03 May 2009 04:22
Posts: 33
When I try to debug ET, it crashes because Olly is detected.
I tried a HideDebugger.dll but it does not work because of PB.

How can I debug the game?


 Post subject: Re: Immunity Debugger
PostPosted: 03 Sep 2009 22:04 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Try Olly with some plugins that will make Olly run in stealth. Those plugins are meant exactly for this purpose, to prevent PB and other crap like this from detecting it.


 Post subject: Re: Immunity Debugger
PostPosted: 04 Sep 2009 12:44 

Joined: 03 May 2009 04:22
Posts: 33
I tried the HideDebugger.dll plugin but it did not work.

Do you know the other ones?


 Post subject: Re: Immunity Debugger
PostPosted: 04 Sep 2009 19:55 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I have only HideOD and HideDebugger; I haven't used Olly much. Try googling for "how to hide olly" or "stealth plugins for olly" ..etc. I'm quite sure there's more than just 2 of them.


 Post subject: Re: Immunity Debugger
PostPosted: 12 Sep 2009 05:10 

Joined: 03 May 2009 04:22
Posts: 33
Sethioz wrote:
I have only HideOD

Do you have a safe link to download it?


 Post subject: Re: Immunity Debugger
PostPosted: 13 Sep 2009 00:20 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
http://reversengineering.wordpress.com/ ... eod-v0182/
http://www.openrce.org/downloads/browse/OllyDbg_Plugins


 Post subject: Re:
PostPosted: 14 Sep 2009 23:50 

Joined: 07 Jan 2009 08:30
Posts: 2
n00b wrote:
Version 1.1 has just been released, hoooha. And the much awaited stackvar script is finished.

====
Fixes
====
1.1 Build 0
August 30, 2007

New Features:

o Interactive Python Shell added
o Lookaside enhanced output + Discovery option
o libdatatype "Get" Function
o Get OS information methods
o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
o Python engine rewritten to properly use thread locking/unlocking
o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVENTIONAL)
o Attach process window is now dynamically searchable
o Added clean ID memory methods inside immlib
o Added Stack analyzation library (libstackanalyze)
o Fixed some memleak on Disasm
o Fixed wrong arguments on Disasm operand
o Improved Patch command
o Safeseh moved into a PyCommand

New Scripts:

o searchcrypt PyCommand
o stackvars PyCommand

Bug Fixes:

o Solved 'ij' issue inside attach window
o Fixed VCG parser (Blocks display complete address now)
o Fixed traceback error when trying to graph and not attached
o Fixed printfloat() format error
o Fixed ret value of Getaddrfromexp in case of non-existing expression


Anyone know where I can get a copy of this? It looks great.


 Post subject: Re: Immunity Debugger
PostPosted: 15 Sep 2009 09:51 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
http://debugger.immunityinc.com/register.html
You don't need to register, just type something in the "Full Name" entry and it's done.


 Post subject: Re: Immunity Debugger
PostPosted: 27 Oct 2009 07:06 

Joined: 03 May 2009 04:22
Posts: 33
Sethioz wrote:
http://reversengineering.wordpress.com/ ... eod-v0182/
http://www.openrce.org/downloads/browse/OllyDbg_Plugins


I'm testing it again but it seems like even with this HideDebugger.dll plugin ET.exe keeps detecting the tool and crashes itself.

I really would like to debug it (et.exe) :(

PB is not even launched.

How can an old prog like ET.exe detect OllyDbg with a plugin hiding it (a plugin which is less than one year old)?


 Post subject: Re: Immunity Debugger
PostPosted: 27 Oct 2009 16:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Sometimes it can be only an exception that you can skip with SHIFT+F9 and/or by adding the exception to the list of those to skip (Options->Debugging Options->Exceptions->Ignore also following custom exceptions->Add last exception).

Other times instead it could be a small incompatibility if you start the program from the debugger, in which case the "attach" method could be preferable.


 Post subject: Re: Immunity Debugger
PostPosted: 29 Oct 2009 00:08 

Joined: 03 May 2009 04:22
Posts: 33
Nice, Luigi.

I was suspecting something like that.

It works now.

Thank you.

