Python and Immunity Debugger

Howdy all!

Been a great few weeks. Lots of ideas flowing and lots more malware to work on. I got it down to a science now. What I’ve been digging into lately is taking advantage of the Python shell inside immunity debugger. The library is feature rich and combines the capabilities of Immunity with the awesomeness of python.

For example, let’s set some breakpoints on the commonly used API’s that malware always seems to abuse.

"""mybp"""

DESC="""Sets Joe's comprehensive malware breakpoints"""

# -*- coding: utf-8 -*-
import getopt
import immutils
import getopt
from immlib import *

def usage():
	imm.log("!mybp, no args, just !mybp")
	
	
	def main(args):
		if args:
			usage()
		else:
			imm = Debugger()
			
			"""logs and packers"""
			imm.setBreakpointOnName("kernel32.CreateFileA")
			imm.setBreakpointOnName("kernel32.CreateFileW")
			"""packers"""
			imm.setBreakpointOnName("kernel32.MapViewOfFile") 
			imm.setBreakpointOnName("kernel32.VirtualProtect")
			"""process stop"""
			imm.setBreakpointOnName("kernel32.ExitProcess")
			imm.setBreakpointOnName("kernel32.TerminateProcess")
			"""process and thread creation"""
			imm.setBreakpointOnName("kernel32.CreateThread")
			imm.setBreakpointOnName("kernel32.CreateProcessA")
			imm.setBreakpointOnName("kernel32.CreateProcessW") 
			
			return "Set breakpoints for file creation, process creation, process exiting and thread creation."

Compile with idle and place it in the C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\ folder, then execute it with an exclamation point !cmd
In the case of my little script, it will set the appropriate breakpoints and let me know in the grey title window when its done:
screeny

Just searching through the ‘immlib.py’ file there’s a hundred other functions to make use of. There’s also a python shell within IDA Pro I use from time to time with a number of libraries and functions to take advantage of. Not only that there’s still pydasm which is awesome. I like to make use of pydasm for on the fly stuff like decoding shellcode:

import sys
import os
import pydasm
# Open our specimen 
f = open("c:\\shellcoded_pdf.pdf","rb")
# 0x97 is the start of the ascii encoded shellcode
b = f.read(2)

buff = ""
while b != '':
	try:
		buff = buff+chr(int(b,16))
		b = f.read(2)
	except ValueError:
		break
		offset = 0
		while offset < len(buff):
			i = pydasm.get_instruction(buff[offset:],pydasm.MODE_32)
			print offset , ' ',pydasm.get_instruction_string(i,pydasm.FORMAT_INTEL, offset)
			if not i:
				break
				offset +=  i.length
			if offset == 17:
				offset += 1

I guess python and reverse engineering go together like peanut butter and jelly. Fine by me.
Happy hacking!
DJXUw

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.