"""mybp"""

# One-line description of this PyCommand; presumably the text Immunity
# Debugger shows next to the command in its PyCommands list -- confirm.
DESC = "Sets Joe's Common Malware Breakpoints"

# -*- coding: utf-8 -*-
import getopt
import immutils
import getopt
from immlib import *

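def usage():
	"""Write the one-line usage hint for !mybp to the debugger log."""
	# Build a Debugger handle here: main() only creates its own `imm` as a
	# local on the no-argument path, so no module-level `imm` exists and the
	# bare reference raised NameError whenever arguments were supplied.
	imm = Debugger()
	imm.log("!mybp, no args, just !mybp")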
	
	
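def main(args):
	"""Set breakpoints on API exports commonly watched during malware triage.

	The command takes no arguments. If any are passed, the usage hint is
	logged and no breakpoints are set. Otherwise a breakpoint is requested,
	by "module.export" name, on each entry of the table below.

	Caveats for the analyst:
	  * Results of setBreakpointOnName() are not checked here, so a name
	    that cannot be resolved is not reported -- verify in the breakpoints
	    window that the set you expect is actually present.
	  * NOTE(review): on newer Windows releases many kernel32 exports are
	    thin stubs into other modules; confirm each breakpoint lands where
	    you expect on the analysis VM.
	  * Allocation and copy routines (malloc, memcpy, LocalAlloc) are hit
	    very often; expect to disable those once the region of interest is
	    known.

	@param args: PyCommand argument list; must be empty.
	@return: status string for the debugger.
	"""
	if args:
		usage()
		# Do not report success when nothing was set.
		return "Usage: !mybp (no arguments); no breakpoints were set"

	imm = Debugger()

	# Order is the same as the original call sequence.
	targets = (
		# File creation, writing, moving and copying (dropped files).
		"kernel32.CreateFileA",
		"kernel32.CreateFileW",
		"kernel32.WriteFileEx",
		"kernel32.WriteFile",
		"kernel32.MoveFileA",
		"kernel32.MoveFileW",
		"kernel32.MoveFileExA",
		"kernel32.MoveFileExW",
		"kernel32.CopyFileA",
		"kernel32.CopyFileW",
		# Process creation and exit, including threads started in another
		# process.
		"kernel32.ExitProcess",
		"kernel32.CreateRemoteThread",
		"kernel32.TerminateProcess",
		"kernel32.CreateProcessA",
		"kernel32.CreateProcessW",
		"msvcrt.exit",
		# Thread lifecycle.
		"kernel32.CreateThread",
		"kernel32.ExitThread",
		"kernel32.TerminateThread",
		"kernel32.ResumeThread",
		"kernel32.SuspendThread",
		# Memory: cross-process reads/writes, mappings, protection changes,
		# allocation and copies (useful for spotting unpacking stages).
		"kernel32.ReadProcessMemory",
		"kernel32.WriteProcessMemory",
		"kernel32.MapViewOfFile",
		"kernel32.VirtualProtect",
		"kernel32.VirtualProtectEx",
		"kernel32.VirtualQuery",
		"kernel32.VirtualQueryEx",
		"kernel32.LocalAlloc",
		"msvcrt.malloc",
		"msvcrt.memcpy",
		"ntdll.memcpy",
		# Sleeps (delays that stall analysis).
		"kernel32.Sleep",
		"kernel32.SleepEx",
		# Run-time library loading and API resolution. GetProcAddress was
		# previously labelled "sleep stuff"; it belongs with the loaders.
		"kernel32.LoadLibraryA",
		"kernel32.LoadLibraryW",
		"kernel32.GetProcAddress",
		# Debugger interaction / debug output.
		"kernel32.DebugBreak",
		"kernel32.OutputDebugStringA",
		"kernel32.OutputDebugStringW",
		# Registry access (configuration and persistence-related keys).
		"advapi32.RegCloseKey",
		"advapi32.RegCreateKeyExW",
		"advapi32.RegCreateKeyExA",
		"advapi32.RegDeleteKeyW",
		"advapi32.RegDeleteKeyA",
		"advapi32.RegDeleteValueW",
		"advapi32.RegDeleteValueA",
		"advapi32.RegEnumValueW",
		"advapi32.RegEnumValueA",
		"advapi32.RegOpenKeyExA",
		"advapi32.RegOpenKeyExW",
		"advapi32.RegQueryInfoKeyW",
		"advapi32.RegQueryInfoKeyA",
		"advapi32.RegQueryValueExW",
		"advapi32.RegQueryValueExA",
		"advapi32.RegQueryValueW",
		"advapi32.RegQueryValueA",
		"advapi32.RegSetKeySecurity",
		"advapi32.RegSetValueExW",
		"advapi32.RegSetValueExA",
		"advapi32.RegSetValueW",
		"advapi32.RegSetValueA",
	)

	for name in targets:
		imm.setBreakpointOnName(name)

	return "Set breakpoints for file creation and moving, process creation, process exiting and thread creation, and memory manipulation, registry, etc"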
