joebp – immuninty debugger script

Howdy!

I made some changes to my break point script to make it more modular and accept arguments and stuff. I normally steer clear of python due to its agonizingly strict syntax, but I suffered through it for you. I use this script every single day when I first load a piece of malware into the debugger as the breakpoints listed are the ones most commonly used by malware (or most any program really).

"""JoeBP"""

# -*- coding: utf-8 -*-
import getopt
import immutils
from immlib import *

AppName = "JoeBP"
imm = Debugger()

def usage(imm):
    imm.log(" !joebp -options ")
    imm.log(" ")
    imm.log(" %s By Joe Giron >|< Gironsec.com " % (AppName),focus=1, highlight=1)
    imm.log(" ")
    imm.log(" Description:")
    imm.log(" ")
    imm.log(" Sets the proper common breakpoints useful for malware analysis.  ")
    imm.log(" Breaks on file operations, registry, processes, threads, dlls, sleeping, memory manipulation, and more. ")
    imm.log(" ")
    imm.log(" Usage:")
    imm.log(" ")
    imm.log(" -n    Set network operation breakpoints for winsock and wininet.")
    imm.log(" ")
    imm.log(" -f    Set file operation breakpoints.")
    imm.log(" ")
    imm.log(" -p    Set process creation / manipulation breakpoints")
    imm.log(" ")
    imm.log(" -t    Set thread operation / creation breakpoints.")
    imm.log(" ")
    imm.log(" -m    Set memory allocation / manipulation breakpoints.")
    imm.log(" ")
    imm.log(" -s    Set sleep / timing breakpoints.")
    imm.log(" ")
    imm.log(" -r    Set registry operation breakpoints.")
    imm.log(" ")
    imm.log(" -e    Set all options.")    
    imm.log(" ")
    imm.log(" -h    Shows help menu(this).")
    
def FileBP(imm):
    imm.setBreakpointOnName("kernel32.CreateFileA") #file stuff
    imm.setBreakpointOnName("kernel32.CreateFileW")
    imm.setBreakpointOnName("kernel32.WriteFileEx")
    imm.setBreakpointOnName("kernel32.WriteFile")
    imm.setBreakpointOnName("kernel32.MoveFileA")
    imm.setBreakpointOnName("kernel32.MoveFileW")
    imm.setBreakpointOnName("kernel32.MoveFileExA")
    imm.setBreakpointOnName("kernel32.MoveFileExW")
    imm.setBreakpointOnName("kernel32.CopyFileA")
    imm.setBreakpointOnName("kernel32.CopyFileW")
    imm.setBreakpointOnName("kernel32.CopyFileExA")
    imm.setBreakpointOnName("kernel32.CopyFileExW")        

def ProcBP(imm):
    imm.setBreakpointOnName("kernel32.ExitProcess") #process stuff
    imm.setBreakpointOnName("kernel32.OpenProcess")
    imm.setBreakpointOnName("kernel32.CreateRemoteThread")
    imm.setBreakpointOnName("kernel32.TerminateProcess")
    imm.setBreakpointOnName("kernel32.CreateProcessA")
    imm.setBreakpointOnName("kernel32.CreateProcessW")
    imm.setBreakpointOnName("CreateProcessWithLogonA")
    imm.setBreakpointOnName("CreateProcessWithLogonW")
    imm.setBreakpointOnName("kernel32.GetModuleHandleA")
    imm.setBreakpointOnName("kernel32.GetModuleHandleW")
    imm.setBreakpointOnName("kernel32.GetModuleFileNameA")
    imm.setBreakpointOnName("kernel32.GetModuleFileNameW")
    imm.setBreakpointOnName("kernel32.GetModuleHandleExA")
    imm.setBreakpointOnName("kernel32.GetModuleHandleExW")
    imm.setBreakpointOnName("kernel32.LoadLibraryA")
    imm.setBreakpointOnName("kernel32.LoadLibraryW")
    imm.setBreakpointOnName("kernel32.LoadLibraryExA")
    imm.setBreakpointOnName("kernel32.LoadLibraryExW")
    imm.setBreakpointOnName("kernel32.GetProcAddress")
    imm.setBreakpointOnName("kernel32.LoadModule")
    if imm.findModuleByName("user32.dll"):
        imm.setBreakpointOnName("user32.EndTask")
    else:
        return "user32.dll is not loaded and thus, BP's cannot be set on it"

def ThreadBP(imm):
    imm.setBreakpointOnName("kernel32.CreateThread") #thread stuff
    imm.setBreakpointOnName("kernel32.ExitThread")
    imm.setBreakpointOnName("kernel32.TerminateThread")
    imm.setBreakpointOnName("kernel32.ResumeThread")
    imm.setBreakpointOnName("kernel32.SuspendThread")
    imm.setBreakpointOnName("kernel32.GetThreadContext")
    imm.setBreakpointOnName("kernel32.SetThreadContext")
    imm.setBreakpointOnName("ntdll.ZwResumeThread") 
    imm.setBreakpointOnName("ntdll.ZwSuspendThread")
    imm.setBreakpointOnName("ntdll.NtQueryInformationThread")
    imm.setBreakpointOnName("ntdll.NtQueueApcThread")


def MemBP(imm):
    imm.setBreakpointOnName("kernel32.ReadProcessMemory") #memory stuff
    imm.setBreakpointOnName("kernel32.WriteProcessMemory")
    imm.setBreakpointOnName("kernel32.MapViewOfFile")
    imm.setBreakpointOnName("kernel32.MapViewOfFileEx")
    imm.setBreakpointOnName("kernel32.VirtualProtect")
    imm.setBreakpointOnName("kernel32.VirtualProtectEx")
    imm.setBreakpointOnName("kernel32.VirtualQuery")
    imm.setBreakpointOnName("kernel32.VirtualQueryEx")
    imm.setBreakpointOnName("kernel32.LocalAlloc")
    imm.setBreakpointOnName("kernel32.HeapAlloc")
    imm.setBreakpointOnName("kernel32.GetProcessHeap")
    imm.setBreakpointOnName("ntdll.ZwUnmapViewOfSection")#ntdll special
    imm.setBreakpointOnName("ntdll.ZwMapViewOfSection")
    imm.setBreakpointOnName("ntdll.ZwReadVirtualMemory")
    imm.setBreakpointOnName("ntdll.NtCreateSection")
    imm.setBreakpointOnName("ntdll.NtQueryInformationProcess")
    imm.setBreakpointOnName("ntdll.memcpy")
    imm.setBreakpointOnName("ntdll.memset")

    

def SleepBP(imm):
    imm.setBreakpointOnName("kernel32.Sleep")  #sleep stuff
    imm.setBreakpointOnName("kernel32.SleepEx")
    imm.setBreakpointOnName("kernel32.QueryPerformanceCounter")
    imm.setBreakpointOnName("kernel32.GetTickCount")
    #imm.setBreakpointOnName("kernel32.GetTickCount64")    # only works on win7

def RegBP(imm):
    
    if imm.findModuleByName("advapi32.dll"):
        imm.setBreakpointOnName("advapi32.RegDeleteValueA")
        imm.setBreakpointOnName("advapi32.RegDeleteValueW")
        imm.setBreakpointOnName("advapi32.RegEnumKeyA")
        imm.setBreakpointOnName("advapi32.RegEnumKeyExA")
        imm.setBreakpointOnName("advapi32.RegEnumKeyExW")
        imm.setBreakpointOnName("advapi32.RegEnumKeyW")
        imm.setBreakpointOnName("advapi32.RegEnumValueA")
        imm.setBreakpointOnName("advapi32.RegEnumValueW")
        imm.setBreakpointOnName("advapi32.RegOpenKeyA")
        imm.setBreakpointOnName("advapi32.RegOpenKeyExA")
        imm.setBreakpointOnName("advapi32.RegOpenKeyExW")
        imm.setBreakpointOnName("advapi32.RegOpenKeyW")
        imm.setBreakpointOnName("advapi32.RegQueryMultipleValuesA")
        imm.setBreakpointOnName("advapi32.RegQueryMultipleValuesW")
        imm.setBreakpointOnName("advapi32.RegQueryValueA")
        imm.setBreakpointOnName("advapi32.RegQueryValueExA")
        imm.setBreakpointOnName("advapi32.RegQueryValueExW")
        imm.setBreakpointOnName("advapi32.RegQueryValueW")
        imm.setBreakpointOnName("advapi32.RegReplaceKeyA")
        imm.setBreakpointOnName("advapi32.RegReplaceKeyW")
        imm.setBreakpointOnName("advapi32.RegRestoreKeyA")
        imm.setBreakpointOnName("advapi32.RegRestoreKeyW")
        imm.setBreakpointOnName("advapi32.RegSaveKeyA")
        imm.setBreakpointOnName("advapi32.RegSaveKeyExA")
        imm.setBreakpointOnName("advapi32.RegSaveKeyExW")
        imm.setBreakpointOnName("advapi32.RegSaveKeyW")
        imm.setBreakpointOnName("advapi32.RegSetValueA")
        imm.setBreakpointOnName("advapi32.RegSetValueExA")
        imm.setBreakpointOnName("advapi32.RegSetValueExW")
        imm.setBreakpointOnName("advapi32.RegSetValueW")
        imm.setBreakpointOnName("advapi32.RegUnLoadKeyA")
        imm.setBreakpointOnName("advapi32.RegUnLoadKeyW")
    else:
        return "advapi32.dll is not loaded, thus registry actions cannot be logged for BP's"
        
def NetBP(imm):
    if imm.findModuleByName("wininet.dll"):
        imm.setBreakpointOnName("wininet.InternetReadFile")# http
        imm.setBreakpointOnName("wininet.InternetOpenUrlA")
        imm.setBreakpointOnName("wininet.InternetOpenUrlW")
        imm.setBreakpointOnName("wininet.InternetOpenA")
        imm.setBreakpointOnName("wininet.InternetOpenW")
        imm.setBreakpointOnName("wininet.InternetCrackUrlA")
        imm.setBreakpointOnName("wininet.InternetCrackUrlW")
        imm.setBreakpointOnName("wininet.InternetQueryOptionW")
        imm.setBreakpointOnName("wininet.InternetQueryOptionA")
        imm.setBreakpointOnName("wininet.InternetQueryDataAvailable")
        imm.setBreakpointOnName("wininet.InternetReadFile")
        imm.setBreakpointOnName("wininet.InternetReadFileEx")
        imm.setBreakpointOnName("wininet.InternetSetOptionW")
        imm.setBreakpointOnName("wininet.InternetSetOptionA")
        imm.setBreakpointOnName("wininet.InternetConnectA")
        imm.setBreakpointOnName("wininet.InternetConnectW")
        imm.setBreakpointOnName("wininet.InternetCloseHandle")
        imm.setBreakpointOnName("wininet.HttpSendRequestA")
        imm.setBreakpointOnName("wininet.HttpSendRequestW")
        imm.setBreakpointOnName("wininet.HttpOpenRequestA")
        imm.setBreakpointOnName("wininet.HttpOpenRequestW")
        imm.setBreakpointOnName("wininet.HttpQueryInfoA")
        imm.setBreakpointOnName("wininet.HttpQueryInfoW")
    else:
        return "wininet / winsock not loaded. Cannot set net breakpoints!"
    if imm.findModuleByName("ws2_32.dll"):
        imm.setBreakpointOnName("ws2_32.WSAStartup") # internet
        imm.setBreakpointOnName("ws2_32.inet_add")
        imm.setBreakpointOnName("ws2_32.inet_ntoa")
        imm.setBreakpointOnName("ws2_32.send")
        imm.setBreakpointOnName("ws2_32.recv")
        imm.setBreakpointOnName("ws2_32.WSASend")
        imm.setBreakpointOnName("ws2_32.WSARecv")
        imm.setBreakpointOnName("ws2_32.WSACleanup")
    else:
        return "wininet / winsock not loaded. Cannot set net breakpoints!"

    
def DoEmAll(imm):
    ProcBP(imm)
    RegBP(imm)
    MemBP(imm)
    ThreadBP(imm)
    FileBP(imm)
    SleepBP(imm)
    NetBP(imm)
	
def main(args):
    if not args:
        usage(imm)
    try:
        opts, filler = getopt.getopt(args, "nfptmsreh:")
        for o,a in opts:
            if o == "-n":
                NetBP(imm)
                return "Network operation breakpoints set."
            if o == "-f":
                FileBP(imm)
                return "File Operation breakpoints set."
            if o == "-p":
                ProcBP(imm)
                return "Process creation / manipulation breakpoints set."
            if o == "-t":
                ThreadBP(imm)
                return "Thread creation / manipulation breakpoints set."
            if o == "-m":
                MemBP(imm)
                return "Memory allocation / manipulation breakpoints set."
            if o == "-s":
                SleepBP(imm)
                return "Timing and sleep operations will now be watched."
            if o == "-r":
                RegBP(imm)
                return "Registry accesses will now be hit."
            if o == "-e":
                DoEmAll(imm)
                return "All options set. Have a nice day!"
            if o == "-h":
                usage(imm)
    except:
        usage(imm)
    return ""

Not a fan of copy / paste? Just download it here.
Until next time, happy hacking!
1397771687215

One more thing – in an effort to join the 21st century, this site now has an ipv6 address – 2001:470:1f06:116::2. Join the botnet!

Leave a Reply