Howdy!
I made some changes to my break point script to make it more modular and accept arguments and stuff. I normally steer clear of python due to its agonizingly strict syntax, but I suffered through it for you. I use this script every single day when I first load a piece of malware into the debugger as the breakpoints listed are the ones most commonly used by malware (or most any program really).
"""JoeBP""" # -*- coding: utf-8 -*- import getopt import immutils from immlib import * AppName = "JoeBP" imm = Debugger() def usage(imm): imm.log(" !joebp -options ") imm.log(" ") imm.log(" %s By Joe Giron >|< Gironsec.com " % (AppName),focus=1, highlight=1) imm.log(" ") imm.log(" Description:") imm.log(" ") imm.log(" Sets the proper common breakpoints useful for malware analysis. ") imm.log(" Breaks on file operations, registry, processes, threads, dlls, sleeping, memory manipulation, and more. ") imm.log(" ") imm.log(" Usage:") imm.log(" ") imm.log(" -n Set network operation breakpoints for winsock and wininet.") imm.log(" ") imm.log(" -f Set file operation breakpoints.") imm.log(" ") imm.log(" -p Set process creation / manipulation breakpoints") imm.log(" ") imm.log(" -t Set thread operation / creation breakpoints.") imm.log(" ") imm.log(" -m Set memory allocation / manipulation breakpoints.") imm.log(" ") imm.log(" -s Set sleep / timing breakpoints.") imm.log(" ") imm.log(" -r Set registry operation breakpoints.") imm.log(" ") imm.log(" -e Set all options.") imm.log(" ") imm.log(" -h Shows help menu(this).") def FileBP(imm): imm.setBreakpointOnName("kernel32.CreateFileA") #file stuff imm.setBreakpointOnName("kernel32.CreateFileW") imm.setBreakpointOnName("kernel32.WriteFileEx") imm.setBreakpointOnName("kernel32.WriteFile") imm.setBreakpointOnName("kernel32.MoveFileA") imm.setBreakpointOnName("kernel32.MoveFileW") imm.setBreakpointOnName("kernel32.MoveFileExA") imm.setBreakpointOnName("kernel32.MoveFileExW") imm.setBreakpointOnName("kernel32.CopyFileA") imm.setBreakpointOnName("kernel32.CopyFileW") imm.setBreakpointOnName("kernel32.CopyFileExA") imm.setBreakpointOnName("kernel32.CopyFileExW") def ProcBP(imm): imm.setBreakpointOnName("kernel32.ExitProcess") #process stuff imm.setBreakpointOnName("kernel32.OpenProcess") imm.setBreakpointOnName("kernel32.CreateRemoteThread") imm.setBreakpointOnName("kernel32.TerminateProcess") imm.setBreakpointOnName("kernel32.CreateProcessA") imm.setBreakpointOnName("kernel32.CreateProcessW") imm.setBreakpointOnName("CreateProcessWithLogonA") imm.setBreakpointOnName("CreateProcessWithLogonW") imm.setBreakpointOnName("kernel32.GetModuleHandleA") imm.setBreakpointOnName("kernel32.GetModuleHandleW") imm.setBreakpointOnName("kernel32.GetModuleFileNameA") imm.setBreakpointOnName("kernel32.GetModuleFileNameW") imm.setBreakpointOnName("kernel32.GetModuleHandleExA") imm.setBreakpointOnName("kernel32.GetModuleHandleExW") imm.setBreakpointOnName("kernel32.LoadLibraryA") imm.setBreakpointOnName("kernel32.LoadLibraryW") imm.setBreakpointOnName("kernel32.LoadLibraryExA") imm.setBreakpointOnName("kernel32.LoadLibraryExW") imm.setBreakpointOnName("kernel32.GetProcAddress") imm.setBreakpointOnName("kernel32.LoadModule") if imm.findModuleByName("user32.dll"): imm.setBreakpointOnName("user32.EndTask") else: return "user32.dll is not loaded and thus, BP's cannot be set on it" def ThreadBP(imm): imm.setBreakpointOnName("kernel32.CreateThread") #thread stuff imm.setBreakpointOnName("kernel32.ExitThread") imm.setBreakpointOnName("kernel32.TerminateThread") imm.setBreakpointOnName("kernel32.ResumeThread") imm.setBreakpointOnName("kernel32.SuspendThread") imm.setBreakpointOnName("kernel32.GetThreadContext") imm.setBreakpointOnName("kernel32.SetThreadContext") imm.setBreakpointOnName("ntdll.ZwResumeThread") imm.setBreakpointOnName("ntdll.ZwSuspendThread") imm.setBreakpointOnName("ntdll.NtQueryInformationThread") imm.setBreakpointOnName("ntdll.NtQueueApcThread") def MemBP(imm): imm.setBreakpointOnName("kernel32.ReadProcessMemory") #memory stuff imm.setBreakpointOnName("kernel32.WriteProcessMemory") imm.setBreakpointOnName("kernel32.MapViewOfFile") imm.setBreakpointOnName("kernel32.MapViewOfFileEx") imm.setBreakpointOnName("kernel32.VirtualProtect") imm.setBreakpointOnName("kernel32.VirtualProtectEx") imm.setBreakpointOnName("kernel32.VirtualQuery") imm.setBreakpointOnName("kernel32.VirtualQueryEx") imm.setBreakpointOnName("kernel32.LocalAlloc") imm.setBreakpointOnName("kernel32.HeapAlloc") imm.setBreakpointOnName("kernel32.GetProcessHeap") imm.setBreakpointOnName("ntdll.ZwUnmapViewOfSection")#ntdll special imm.setBreakpointOnName("ntdll.ZwMapViewOfSection") imm.setBreakpointOnName("ntdll.ZwReadVirtualMemory") imm.setBreakpointOnName("ntdll.NtCreateSection") imm.setBreakpointOnName("ntdll.NtQueryInformationProcess") imm.setBreakpointOnName("ntdll.memcpy") imm.setBreakpointOnName("ntdll.memset") def SleepBP(imm): imm.setBreakpointOnName("kernel32.Sleep") #sleep stuff imm.setBreakpointOnName("kernel32.SleepEx") imm.setBreakpointOnName("kernel32.QueryPerformanceCounter") imm.setBreakpointOnName("kernel32.GetTickCount") #imm.setBreakpointOnName("kernel32.GetTickCount64") # only works on win7 def RegBP(imm): if imm.findModuleByName("advapi32.dll"): imm.setBreakpointOnName("advapi32.RegDeleteValueA") imm.setBreakpointOnName("advapi32.RegDeleteValueW") imm.setBreakpointOnName("advapi32.RegEnumKeyA") imm.setBreakpointOnName("advapi32.RegEnumKeyExA") imm.setBreakpointOnName("advapi32.RegEnumKeyExW") imm.setBreakpointOnName("advapi32.RegEnumKeyW") imm.setBreakpointOnName("advapi32.RegEnumValueA") imm.setBreakpointOnName("advapi32.RegEnumValueW") imm.setBreakpointOnName("advapi32.RegOpenKeyA") imm.setBreakpointOnName("advapi32.RegOpenKeyExA") imm.setBreakpointOnName("advapi32.RegOpenKeyExW") imm.setBreakpointOnName("advapi32.RegOpenKeyW") imm.setBreakpointOnName("advapi32.RegQueryMultipleValuesA") imm.setBreakpointOnName("advapi32.RegQueryMultipleValuesW") imm.setBreakpointOnName("advapi32.RegQueryValueA") imm.setBreakpointOnName("advapi32.RegQueryValueExA") imm.setBreakpointOnName("advapi32.RegQueryValueExW") imm.setBreakpointOnName("advapi32.RegQueryValueW") imm.setBreakpointOnName("advapi32.RegReplaceKeyA") imm.setBreakpointOnName("advapi32.RegReplaceKeyW") imm.setBreakpointOnName("advapi32.RegRestoreKeyA") imm.setBreakpointOnName("advapi32.RegRestoreKeyW") imm.setBreakpointOnName("advapi32.RegSaveKeyA") imm.setBreakpointOnName("advapi32.RegSaveKeyExA") imm.setBreakpointOnName("advapi32.RegSaveKeyExW") imm.setBreakpointOnName("advapi32.RegSaveKeyW") imm.setBreakpointOnName("advapi32.RegSetValueA") imm.setBreakpointOnName("advapi32.RegSetValueExA") imm.setBreakpointOnName("advapi32.RegSetValueExW") imm.setBreakpointOnName("advapi32.RegSetValueW") imm.setBreakpointOnName("advapi32.RegUnLoadKeyA") imm.setBreakpointOnName("advapi32.RegUnLoadKeyW") else: return "advapi32.dll is not loaded, thus registry actions cannot be logged for BP's" def NetBP(imm): if imm.findModuleByName("wininet.dll"): imm.setBreakpointOnName("wininet.InternetReadFile")# http imm.setBreakpointOnName("wininet.InternetOpenUrlA") imm.setBreakpointOnName("wininet.InternetOpenUrlW") imm.setBreakpointOnName("wininet.InternetOpenA") imm.setBreakpointOnName("wininet.InternetOpenW") imm.setBreakpointOnName("wininet.InternetCrackUrlA") imm.setBreakpointOnName("wininet.InternetCrackUrlW") imm.setBreakpointOnName("wininet.InternetQueryOptionW") imm.setBreakpointOnName("wininet.InternetQueryOptionA") imm.setBreakpointOnName("wininet.InternetQueryDataAvailable") imm.setBreakpointOnName("wininet.InternetReadFile") imm.setBreakpointOnName("wininet.InternetReadFileEx") imm.setBreakpointOnName("wininet.InternetSetOptionW") imm.setBreakpointOnName("wininet.InternetSetOptionA") imm.setBreakpointOnName("wininet.InternetConnectA") imm.setBreakpointOnName("wininet.InternetConnectW") imm.setBreakpointOnName("wininet.InternetCloseHandle") imm.setBreakpointOnName("wininet.HttpSendRequestA") imm.setBreakpointOnName("wininet.HttpSendRequestW") imm.setBreakpointOnName("wininet.HttpOpenRequestA") imm.setBreakpointOnName("wininet.HttpOpenRequestW") imm.setBreakpointOnName("wininet.HttpQueryInfoA") imm.setBreakpointOnName("wininet.HttpQueryInfoW") else: return "wininet / winsock not loaded. Cannot set net breakpoints!" if imm.findModuleByName("ws2_32.dll"): imm.setBreakpointOnName("ws2_32.WSAStartup") # internet imm.setBreakpointOnName("ws2_32.inet_add") imm.setBreakpointOnName("ws2_32.inet_ntoa") imm.setBreakpointOnName("ws2_32.send") imm.setBreakpointOnName("ws2_32.recv") imm.setBreakpointOnName("ws2_32.WSASend") imm.setBreakpointOnName("ws2_32.WSARecv") imm.setBreakpointOnName("ws2_32.WSACleanup") else: return "wininet / winsock not loaded. Cannot set net breakpoints!" def DoEmAll(imm): ProcBP(imm) RegBP(imm) MemBP(imm) ThreadBP(imm) FileBP(imm) SleepBP(imm) NetBP(imm) def main(args): if not args: usage(imm) try: opts, filler = getopt.getopt(args, "nfptmsreh:") for o,a in opts: if o == "-n": NetBP(imm) return "Network operation breakpoints set." if o == "-f": FileBP(imm) return "File Operation breakpoints set." if o == "-p": ProcBP(imm) return "Process creation / manipulation breakpoints set." if o == "-t": ThreadBP(imm) return "Thread creation / manipulation breakpoints set." if o == "-m": MemBP(imm) return "Memory allocation / manipulation breakpoints set." if o == "-s": SleepBP(imm) return "Timing and sleep operations will now be watched." if o == "-r": RegBP(imm) return "Registry accesses will now be hit." if o == "-e": DoEmAll(imm) return "All options set. Have a nice day!" if o == "-h": usage(imm) except: usage(imm) return ""
Not a fan of copy / paste? Just download it here.
Until next time, happy hacking!
One more thing – in an effort to join the 21st century, this site now has an ipv6 address – 2001:470:1f06:116::2. Join the botnet!