Howdy!<\/p>\n
I made some changes to my break point script to make it more modular and accept arguments and stuff. I normally steer clear of python due to its agonizingly strict syntax, but I suffered through it for you. I use this script every single day when I first load a piece of malware into the debugger as the breakpoints listed are the ones most commonly used by malware (or most any program really). <\/p>\n
<\/p>\n
"""JoeBP"""<\/span>\r\n\r\n# -*- coding: utf-8 -*-<\/span>\r\nimport<\/span> getopt<\/span>\r\nimport<\/span> immutils<\/span>\r\nfrom<\/span> immlib<\/span> import<\/span> *<\/span>\r\n\r\nAppName =<\/span> "JoeBP"<\/span>\r\nimm =<\/span> Debugger()\r\n\r\ndef<\/span> usage<\/span>(imm):\r\n imm.<\/span>log(" !joebp -options "<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" <\/span>%s<\/span> By Joe Giron >|< Gironsec.com "<\/span> %<\/span> (AppName),focus=<\/span>1<\/span>, highlight=<\/span>1<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" Description:"<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" Sets the proper common breakpoints useful for malware analysis. "<\/span>)\r\n imm.<\/span>log(" Breaks on file operations, registry, processes, threads, dlls, sleeping, memory manipulation, and more. "<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" Usage:"<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -n Set network operation breakpoints for winsock and wininet."<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -f Set file operation breakpoints."<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -p Set process creation \/ manipulation breakpoints"<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -t Set thread operation \/ creation breakpoints."<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -m Set memory allocation \/ manipulation breakpoints."<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -s Set sleep \/ timing breakpoints."<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -r Set registry operation breakpoints."<\/span>)\r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -e Set all options."<\/span>) \r\n imm.<\/span>log(" "<\/span>)\r\n imm.<\/span>log(" -h Shows help menu(this)."<\/span>)\r\n \r\ndef<\/span> FileBP<\/span>(imm):\r\n imm.<\/span>setBreakpointOnName("kernel32.CreateFileA"<\/span>) #file stuff<\/span>\r\n imm.<\/span>setBreakpointOnName("kernel32.CreateFileW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.WriteFileEx"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.WriteFile"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.MoveFileA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.MoveFileW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.MoveFileExA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.MoveFileExW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CopyFileA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CopyFileW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CopyFileExA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CopyFileExW"<\/span>) \r\n\r\ndef<\/span> ProcBP<\/span>(imm):\r\n imm.<\/span>setBreakpointOnName("kernel32.ExitProcess"<\/span>) #process stuff<\/span>\r\n imm.<\/span>setBreakpointOnName("kernel32.OpenProcess"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CreateRemoteThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.TerminateProcess"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CreateProcessA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.CreateProcessW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("CreateProcessWithLogonA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("CreateProcessWithLogonW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetModuleHandleA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetModuleHandleW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetModuleFileNameA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetModuleFileNameW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetModuleHandleExA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetModuleHandleExW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.LoadLibraryA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.LoadLibraryW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.LoadLibraryExA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.LoadLibraryExW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetProcAddress"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.LoadModule"<\/span>)\r\n if<\/span> imm.<\/span>findModuleByName("user32.dll"<\/span>):\r\n imm.<\/span>setBreakpointOnName("user32.EndTask"<\/span>)\r\n else<\/span>:\r\n return<\/span> "user32.dll is not loaded and thus, BP's cannot be set on it"<\/span>\r\n\r\ndef<\/span> ThreadBP<\/span>(imm):\r\n imm.<\/span>setBreakpointOnName("kernel32.CreateThread"<\/span>) #thread stuff<\/span>\r\n imm.<\/span>setBreakpointOnName("kernel32.ExitThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.TerminateThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.ResumeThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.SuspendThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetThreadContext"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.SetThreadContext"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.ZwResumeThread"<\/span>) \r\n imm.<\/span>setBreakpointOnName("ntdll.ZwSuspendThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.NtQueryInformationThread"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.NtQueueApcThread"<\/span>)\r\n\r\n\r\ndef<\/span> MemBP<\/span>(imm):\r\n imm.<\/span>setBreakpointOnName("kernel32.ReadProcessMemory"<\/span>) #memory stuff<\/span>\r\n imm.<\/span>setBreakpointOnName("kernel32.WriteProcessMemory"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.MapViewOfFile"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.MapViewOfFileEx"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.VirtualProtect"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.VirtualProtectEx"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.VirtualQuery"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.VirtualQueryEx"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.LocalAlloc"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.HeapAlloc"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetProcessHeap"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.ZwUnmapViewOfSection"<\/span>)#ntdll special<\/span>\r\n imm.<\/span>setBreakpointOnName("ntdll.ZwMapViewOfSection"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.ZwReadVirtualMemory"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.NtCreateSection"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.NtQueryInformationProcess"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.memcpy"<\/span>)\r\n imm.<\/span>setBreakpointOnName("ntdll.memset"<\/span>)\r\n\r\n \r\n\r\ndef<\/span> SleepBP<\/span>(imm):\r\n imm.<\/span>setBreakpointOnName("kernel32.Sleep"<\/span>) #sleep stuff<\/span>\r\n imm.<\/span>setBreakpointOnName("kernel32.SleepEx"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.QueryPerformanceCounter"<\/span>)\r\n imm.<\/span>setBreakpointOnName("kernel32.GetTickCount"<\/span>)\r\n #imm.setBreakpointOnName("kernel32.GetTickCount64") # only works on win7<\/span>\r\n\r\ndef<\/span> RegBP<\/span>(imm):\r\n \r\n if<\/span> imm.<\/span>findModuleByName("advapi32.dll"<\/span>):\r\n imm.<\/span>setBreakpointOnName("advapi32.RegDeleteValueA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("advapi32.RegDeleteValueW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("advapi32.RegEnumKeyA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("advapi32.RegEnumKeyExA"<\/span>)\r\n imm.<\/span>setBreakpointOnName("advapi32.RegEnumKeyExW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("advapi32.RegEnumKeyW"<\/span>)\r\n imm.<\/span>setBreakpointOnName("advapi32.RegEnumValueA"<\/span>)\r\n imm