Howdy all!
Been a great few weeks. Lots of ideas flowing and lots more malware to work on. I got it down to a science now. What I’ve been digging into lately is taking advantage of the Python shell inside immunity debugger. The library is feature rich and combines the capabilities of Immunity with the awesomeness of python.
For example, let’s set some breakpoints on the commonly used API’s that malware always seems to abuse.
"""mybp""" DESC="""Sets Joe's comprehensive malware breakpoints""" # -*- coding: utf-8 -*- import getopt import immutils import getopt from immlib import * def usage(): imm.log("!mybp, no args, just !mybp") def main(args): if args: usage() else: imm = Debugger() """logs and packers""" imm.setBreakpointOnName("kernel32.CreateFileA") imm.setBreakpointOnName("kernel32.CreateFileW") """packers""" imm.setBreakpointOnName("kernel32.MapViewOfFile") imm.setBreakpointOnName("kernel32.VirtualProtect") """process stop""" imm.setBreakpointOnName("kernel32.ExitProcess") imm.setBreakpointOnName("kernel32.TerminateProcess") """process and thread creation""" imm.setBreakpointOnName("kernel32.CreateThread") imm.setBreakpointOnName("kernel32.CreateProcessA") imm.setBreakpointOnName("kernel32.CreateProcessW") return "Set breakpoints for file creation, process creation, process exiting and thread creation."
Compile with idle and place it in the C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\ folder, then execute it with an exclamation point !cmd
In the case of my little script, it will set the appropriate breakpoints and let me know in the grey title window when its done:
Just searching through the ‘immlib.py’ file there’s a hundred other functions to make use of. There’s also a python shell within IDA Pro I use from time to time with a number of libraries and functions to take advantage of. Not only that there’s still pydasm which is awesome. I like to make use of pydasm for on the fly stuff like decoding shellcode:
import sys import os import pydasm # Open our specimen f = open("c:\\shellcoded_pdf.pdf","rb") # 0x97 is the start of the ascii encoded shellcode b = f.read(2) buff = "" while b != '': try: buff = buff+chr(int(b,16)) b = f.read(2) except ValueError: break offset = 0 while offset < len(buff): i = pydasm.get_instruction(buff[offset:],pydasm.MODE_32) print offset , ' ',pydasm.get_instruction_string(i,pydasm.FORMAT_INTEL, offset) if not i: break offset += i.length if offset == 17: offset += 1
I guess python and reverse engineering go together like peanut butter and jelly. Fine by me.
Happy hacking!
