Immunity Debugger Study Notes

Source: Internet
Author: User

Figure 1: Immunity Debugger main interface

Note: the command bar at the bottom of the window accepts both ordinary debugger commands and PyCommands (Python script files).

1. PyCommands

The way to run Python inside Immunity Debugger is through PyCommands. A PyCommand is a Python script stored in the PyCommands folder of the Immunity Debugger installation directory. Each script performs one task (installing a hook, doing static analysis, and so on) and counts as one PyCommand. Every PyCommand follows the same basic structure; a minimal skeleton looks like this:

    from immlib import *

    def main(args):
        # Instantiate an immlib.Debugger instance
        imm = Debugger()
        return "[*] PyCommand Executed!"

A PyCommand has two requirements. First, it must define a main() function that takes exactly one parameter: a Python list of the arguments typed after the command name. Second, main() must return a string when it finishes; the debugger writes that string to the status bar of the main window. To run a PyCommand, type its file name (without the .py extension) in the command bar, prefixed with an exclamation mark:

!<scriptname>

2. PyHooks

Immunity Debugger provides 13 different hook types. Each hook can be implemented as a standalone script or embedded inside a PyCommand.

BpHook/LogBpHook

Called when a breakpoint set by the hook is hit. The two are alike except that BpHook stops the debugged process when it fires, while LogBpHook lets the process keep running.

AllExceptHook

Any exception raised in the debugged process triggers this hook.

PostAnalysisHook

Fires when Immunity Debugger finishes analyzing a module. It is useful when you need to do further static analysis once the built-in analysis is complete. Remember that a module must be analyzed before immlib can decode its functions and basic blocks.

AccessViolationHook

Triggered by an access violation. Commonly used to capture crash information automatically while fuzzing.

LoadDLLHook/UnloadDLLHook

Triggered when a DLL is loaded or unloaded.

CreateThreadHook/ExitThreadHook

Triggered when a new thread is created or destroyed.

CreateProcessHook/ExitProcessHook

Triggered when the target process starts or exits.

FastLogHook/STDCALLFastLogHook

Both hooks use an assembly jump to transfer execution to a piece of hook code that records specific registers and memory contents. They are useful when the hooked function is called very frequently; Chapter 6 covers them in detail.

The following LogBpHook example can be used as a template for any PyHook.

    from immlib import *

    class MyHook(LogBpHook):
        def __init__(self):
            LogBpHook.__init__(self)

        def run(self, regs):
            # Executed when the hook gets triggered
            pass

We subclass LogBpHook and define the run() method, which is required. When the hook is triggered, the values of all CPU registers are passed in regs, where they can be read and modified. regs is a dictionary keyed by register name, so a register's value is read like this:

regs["ESP"]

Hooks can be defined inside a PyCommand and installed whenever you like. You can also place a script in the PyHooks directory; scripts there are loaded every time Immunity Debugger starts. Next, some examples.
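The following is an added example that ties the PyCommand skeleton from section 1 and the LogBpHook template above into one working script; it is not code from the original notes or from the immlib distribution. The file name reglog.py, the breakpoint address 0x7c80b5d4 and the hook description string are assumptions chosen for illustration. Argument parsing, register formatting and hit storage are kept in plain functions so they can be exercised outside the debugger, where immlib is not importable; hook.add(description, address) is the immlib method used to set the breakpoint. Immunity Debugger embeds Python 2.x, so the code avoids 3.x-only syntax.

```python
# Added example (not from the original notes): a complete PyCommand that
# installs a LogBpHook and logs selected registers on every hit without
# stopping the process. Save as <install dir>\PyCommands\reglog.py and run:
#     !reglog 0x7c80b5d4 esp eax        (address is an assumed example value)

try:
    from immlib import Debugger, LogBpHook
except ImportError:                      # not running inside Immunity Debugger
    Debugger = None

    class LogBpHook(object):             # minimal stand-in so the module imports
        def __init__(self):
            pass

        def add(self, description, address):
            pass

USAGE = "[-] Usage: !reglog <hex address> [REG ...]   e.g. !reglog 0x7c80b5d4 esp eax"
KNOWN_REGS = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI", "EIP", "EFL")
MAX_HITS = 1000                          # cap memory use on a hot breakpoint


def parse_args(args):
    """Turn the PyCommand argument list into (address, [REG, ...]).

    Raises ValueError on a missing/bad address or an unknown register name."""
    if not args:
        raise ValueError("address required")
    try:
        address = int(args[0], 16)       # accepts "7c80b5d4" and "0x7c80b5d4"
    except ValueError:
        raise ValueError("bad address %r" % args[0])
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address out of 32-bit range")
    regs = [r.upper() for r in args[1:]] or ["EIP", "ESP"]
    for r in regs:
        if r not in KNOWN_REGS:
            raise ValueError("unknown register %r" % r)
    return address, regs


def format_hit(regs, watch):
    """Render the registers named in watch from the regs dict the hook receives."""
    return " ".join("%s=0x%08x" % (r, regs[r]) for r in watch)


class RegisterLogger(LogBpHook):
    """LogBpHook that keeps the process running and records register snapshots."""

    def __init__(self, watch, imm=None):
        LogBpHook.__init__(self)
        self.watch = watch
        self.imm = imm
        self.hits = []

    def run(self, regs):
        # Called by the debugger on every hit; regs maps register name -> value.
        line = format_hit(regs, self.watch)
        if len(self.hits) < MAX_HITS:
            self.hits.append(line)
        if self.imm is not None:
            self.imm.log(line)           # show it in the debugger's Log window
        return line


def main(args):
    try:
        address, watch = parse_args(args)
    except ValueError as e:
        return USAGE + "  (%s)" % e      # status bar shows why it was rejected
    if Debugger is None:
        return "[-] immlib not available: run this as a PyCommand inside Immunity Debugger"
    imm = Debugger()
    hook = RegisterLogger(watch, imm)
    hook.add("reglog_%08x" % address, address)
    return "[*] Logging %s at 0x%08x" % (", ".join(watch), address)
```

Validating arguments before touching the debugger matters because main() receives raw strings: an unparseable address would otherwise surface as a Python traceback in the Log window instead of a usable status-bar message, and a hook placed on a hot call site is capped at MAX_HITS snapshots so the script itself cannot exhaust memory during a long fuzzing run.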

