{"id":727,"date":"2014-02-17T23:15:19","date_gmt":"2014-02-17T23:15:19","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=727"},"modified":"2014-02-17T23:17:01","modified_gmt":"2014-02-17T23:17:01","slug":"python-and-immunity-debugger","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/02\/python-and-immunity-debugger\/","title":{"rendered":"Python and Immunity Debugger"},"content":{"rendered":"

Howdy all!<\/p>\n

Been a great few weeks. Lots of ideas flowing and lots more malware to work on. I got it down to a science now. What I’ve been digging into lately is taking advantage of the Python shell inside immunity debugger. The library is feature rich and combines the capabilities of Immunity with the awesomeness of python. <\/p>\n

For example, let’s set some breakpoints on the commonly used API’s that malware always seems to abuse. <\/p>\n

<\/p>\n

\n
"""mybp"""<\/span>\r\n\r\nDESC=<\/span>"""Sets Joe's comprehensive malware breakpoints"""<\/span>\r\n\r\n# -*- coding: utf-8 -*-<\/span>\r\nimport<\/span> getopt<\/span>\r\nimport<\/span> immutils<\/span>\r\nimport<\/span> getopt<\/span>\r\nfrom<\/span> immlib<\/span> import<\/span> *<\/span>\r\n\r\ndef<\/span> usage<\/span>():\r\n\timm.<\/span>log("!mybp, no args, just !mybp"<\/span>)\r\n\t\r\n\t\r\n\tdef<\/span> main<\/span>(args):\r\n\t\tif<\/span> args:\r\n\t\t\tusage()\r\n\t\telse<\/span>:\r\n\t\t\timm =<\/span> Debugger()\r\n\t\t\t\r\n\t\t\t"""logs and packers"""<\/span>\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.CreateFileA"<\/span>)\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.CreateFileW"<\/span>)\r\n\t\t\t"""packers"""<\/span>\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.MapViewOfFile"<\/span>) \r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.VirtualProtect"<\/span>)\r\n\t\t\t"""process stop"""<\/span>\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.ExitProcess"<\/span>)\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.TerminateProcess"<\/span>)\r\n\t\t\t"""process and thread creation"""<\/span>\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.CreateThread"<\/span>)\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.CreateProcessA"<\/span>)\r\n\t\t\timm.<\/span>setBreakpointOnName("kernel32.CreateProcessW"<\/span>) \r\n\t\t\t\r\n\t\t\treturn<\/span> "Set breakpoints for file creation, process creation, process exiting and thread creation."<\/span>\r\n<\/pre>\n<\/div>\n
Compile with idle and place it in the C:\\Program Files (x86)\\Immunity Inc\\Immunity Debugger\\PyCommands\\ folder, then execute it with an exclamation point !cmd
\nIn the case of my little script, it will set the appropriate breakpoints and let me know in the grey title window when its done:
\n\"screeny\"<\/a><\/p>\n
Just searching through the ‘immlib.py’ file there’s a hundred other functions to make use of. There’s also a python shell within IDA Pro I use from time to time with a number of libraries and functions to take advantage of. Not only that there’s still pydasm<\/a> which is awesome. I like to make use of pydasm for on the fly stuff like decoding shellcode:
\n<\/p>\n
\n
import<\/span> sys<\/span>\r\nimport<\/span> os<\/span>\r\nimport<\/span> pydasm<\/span>\r\n# Open our specimen <\/span>\r\nf =<\/span> open<\/span>("c:<\/span>\\\\<\/span>shellcoded_pdf.pdf"<\/span>,"rb"<\/span>)\r\n# 0x97 is the start of the ascii encoded shellcode<\/span>\r\nb =<\/span> f.<\/span>read(2<\/span>)\r\n\r\nbuff =<\/span> ""<\/span>\r\nwhile<\/span> b !=<\/span> ''<\/span>:\r\n\ttry<\/span>:\r\n\t\tbuff =<\/span> buff+<\/span>chr<\/span>(int<\/span>(b,16<\/span>))\r\n\t\tb =<\/span> f.<\/span>read(2<\/span>)\r\n\texcept<\/span> ValueError<\/span>:\r\n\t\tbreak<\/span>\r\n\t\toffset =<\/span> 0<\/span>\r\n\t\twhile<\/span> offset <<\/span> len<\/span>(buff):\r\n\t\t\ti =<\/span> pydasm.<\/span>get_instruction(buff[offset:],pydasm.<\/span>MODE_32)\r\n\t\t\tprint<\/span> offset , ' '<\/span>,pydasm.<\/span>get_instruction_string(i,pydasm.<\/span>FORMAT_INTEL, offset)\r\n\t\t\tif<\/span> not<\/span> i:\r\n\t\t\t\tbreak<\/span>\r\n\t\t\t\toffset +=<\/span>  i.<\/span>length\r\n\t\t\tif<\/span> offset ==<\/span> 17<\/span>:\r\n\t\t\t\toffset +=<\/span> 1<\/span>\r\n<\/pre>\n<\/div>\n
I guess python and reverse engineering go together like peanut butter and jelly. Fine by me.
\nHappy hacking!
\n\"DJXUw\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Howdy all! Been a great few weeks. Lots of ideas flowing and lots more malware to work on. I got it down to a science now. What I’ve been digging into lately is taking advantage of the Python shell inside immunity debugger. The library is feature rich and combines the capabilities of Immunity with the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[88],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/727"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=727"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/727\/revisions"}],"predecessor-version":[{"id":731,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/727\/revisions\/731"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}