Figure 1: Immunity Debugger main interface
Note: the PyCommands pane at the bottom can execute both debugger commands and Python script files.
1. PyCommands
Python code is executed in Immunity Debugger through PyCommands. A PyCommand is a Python script stored in the PyCommands folder of the Immunity Debugger installation directory. Each script performs one task (hooking, static analysis, etc.) and corresponds to one pycommand. Every pycommand shares the same basic structure:
    from immlib import *

    def main(args):
        # Instantiate an immlib.Debugger instance
        imm = Debugger()
        return "[*] PyCommand Executed!"
A pycommand has two requirements. It must define a main() function that takes exactly one parameter (a Python list of the arguments passed to the command), and main() must return a string, which the debugger writes to the status bar of its main window when the function completes. To run a pycommand, prefix the script name with an exclamation mark:
!<scriptname>
2. PyHooks
Immunity Debugger provides 13 different hook types. Each hook can be used on its own or embedded in a pycommand.
BpHook/LogBpHook
Both are called when a breakpoint is hit. The difference is that BpHook stops the debugged process when it fires, whereas LogBpHook lets the process keep running.
AllExceptHook
Triggered by every exception.
PostAnalysisHook
Triggered when analysis of a module has completed. This is useful when further static analysis has to wait for the module analysis to finish; remember that a module must be analyzed before immlib can decode its functions and basic blocks.
AccessViolationHook
Triggered on an access violation. Commonly used to capture crash information automatically while fuzzing.
LoadDLLHook/UnloadDLLHook
Triggered when a DLL is loaded or unloaded.
CreateThreadHook/ExitThreadHook
Triggered when a thread is created or exits.
CreateProcessHook/ExitProcessHook
Triggered when the target process starts or exits.
FastLogHook/STDCALLFastLogHook
Both hooks use an assembly jump to transfer execution to a piece of hook code that records specific registers and memory contents. They are useful for functions that are called very frequently; Chapter 6 explains them in detail.
The following LogBpHook example can be used as a template for a PyHook.
    from immlib import *

    class MyHook( LogBpHook ):
        def __init__( self ):
            LogBpHook.__init__( self )

        def run( self, regs ):
            # Executed when the hook gets triggered
            pass
We subclass LogBpHook and define the run() method (required). When the hook fires, the values of all CPU registers are passed in regs, where they can be read and modified. regs is a dictionary keyed by register name, so a register's value is read like this:
regs["ESP"]
Hooks can be defined inside a pycommand and installed at any time. Alternatively, a hook script can be placed in the PyHooks directory, which Immunity Debugger scans every time it starts. Next, some examples.
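To tie the two sections together, here is a pycommand that installs a LogBpHook at a user-supplied address and, each time the breakpoint fires, logs the first two stack arguments of the called function without stopping the process. This is an added example written for these notes, not code from the original text or from Immunity's own PyCommands. It assumes the immlib API named above (Debugger, LogBpHook, and the imm.getAddress, imm.readLong and imm.log methods); the script name arglog, the offline stand-in class and the sample memory values are constructed for illustration. The register handling lives in a plain function so it can be exercised outside the debugger.

```python
# arglog.py: added example pycommand (not from the notes or from Immunity Debugger).
# Usage inside the debugger:  !arglog <address or symbol>

try:
    from immlib import *          # real API, only available inside Immunity Debugger
    IN_DEBUGGER = True
except ImportError:
    IN_DEBUGGER = False
    class LogBpHook(object):      # constructed stand-in so the module imports offline
        def __init__(self):
            pass
        def add(self, desc, address):
            pass


def stack_args(regs, read_long, count=2):
    """Return the first `count` stack arguments for the call described by regs.

    When a breakpoint on a function's first instruction fires, ESP points at
    the return address, so the arguments sit at ESP+4, ESP+8, ... (cdecl and
    stdcall alike on 32-bit x86).  `read_long` is any callable that returns the
    32-bit value at an address: imm.readLong inside the debugger, or a dict
    lookup in the offline test.
    """
    esp = regs["ESP"]
    return [read_long(esp + 4 * (i + 1)) for i in range(count)]


def format_call(regs, args):
    """One log line per hit, e.g. 'EIP=0x00401000 called with 0x00000041, 0x00000042'."""
    return "EIP=0x%08x called with %s" % (
        regs["EIP"], ", ".join("0x%08x" % a for a in args))


class ArgLogHook(LogBpHook):
    """LogBpHook subclass: the process keeps running after every hit."""

    def __init__(self, imm, count=2):
        LogBpHook.__init__(self)
        self.imm = imm
        self.count = count

    def run(self, regs):
        # regs is the register dictionary described in the notes (regs["ESP"] etc.)
        args = stack_args(regs, self.imm.readLong, self.count)
        self.imm.log(format_call(regs, args))


def main(args):
    # Required pycommand entry point: one list parameter, one string return value.
    imm = Debugger()
    if len(args) < 1:
        return "[*] Usage: !arglog <address or symbol>"
    address = imm.getAddress(args[0])
    if address <= 0:
        return "[*] Could not resolve %s" % args[0]
    hook = ArgLogHook(imm)
    hook.add("arglog on %s" % args[0], address)
    return "[*] Logging calls to %s at 0x%08x" % (args[0], address)
```

Installing the hook with add() and returning immediately is what makes this a LogBpHook rather than a BpHook: the debugger keeps the target running and the log window fills up with one line per call, which is the behaviour wanted for hot functions or for watching a fuzzing run.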
Immunity Debugger Study Notes