Scripts
16 files
-
ASProtect 2.xx Deobfuscation Script
By Teddy Rogers
Tracing ASProtect 2 SKE stolen and poly code is very difficult because of lots of short obfuscation jumps. This script written by me makes this code much easier to read and trace. There is some more to be done but i switching to immunity so i can make a better script and remove more code.
To use it you should run it at the start of obfuscated code because it will deobfuscate an entire section.
214 downloads
0 comments
Updated
-
!apilookup PyCommand
By Teddy Rogers
Win32API Function Finder Locator. This Immunity Debugger PyCommand can be used to get quick access to Win32 API functions based in the old Win32API.HLP file.
49 downloads
0 comments
Submitted
-
!bpxep PyCommand
By Teddy Rogers
This is a small script for use with packers that have weird headers and that don't load properly into ImmDbg, eg UPack, [MSLRH], ASDPack. It simply places a temporary breakpoint at entrypoint, ensuring that ImmDbg will stop there (except with ASDPack - that overwrites the EntryPoint, you must stop at TLS and trace until Entrypoint written, then run script again to set Bpx).
Also useful if you have a target that runs code from TLS, or that stops at system breakpoint.
Includes a little code from JMS in the TLS code.
The script will also add comments to the code to tell you which callback you are at, and attempt to analyse the code (if -go option is specified)
52 downloads
0 comments
Submitted
-
!getrpc PyCommand
By Teddy Rogers
I modified the !getrpc PyCommand to allow you to specify "all" which will iterate through all non-system DLL's loaded in the process and look for RPC interface information. Dave et. al you are welcome to redistribute this with ID in the next release.
43 downloads
0 comments
Submitted
-
!hidedebug PyCommand
By Teddy Rogers
HideDebug script, hides from most common Anti-debug tricks while still allowing normal use (e.g. FindWindow works except for ImmDbg)
Patches:
IsDebuggerPresent (With Poly-patch code, as too easy to detect Xor EAX, EAX) ZwQueryInformationProcess CheckRemoteDebuggerPresent PEB.IsDebugged PEB.ProcessHeap.Flag PEB.NtGlobalFlag PEB.Ldr 0xFEEEFEEE filling GetTickCount (With poly-patch code, as too easy to detect Mov EAX, xxxxxxxx) ZwQuerySystemInformation (Used by CreateToolHelp32Snapshot / Process32First / Process32Next and others) FindWindowA FindWindowW FindWindowExA FindWindowExW EnumWindows Types:
Anti-Debug Types: IsDebuggerPresent ZwQueryInformationProcess CheckRemoteDebuggerPresent PEB (All PEB patches are done) GetTickCount All_Debug - Applies ALL Debug detect patches Anti-Process-finding Types: ZwQuerySystemInformation (All other process apis use this) All_Process - Applies the debugger-process finding Api patch Anti-Window-finding Types: FindWindowA FindWindowW FindWindowExA FindWindowExW EnumWindows All_Window - Applies ALL debugger-window finding Api patches Also a few packer types are included, but most packers protection is defeated by just the PEB patches. This is by no means a complete list, it's not even a good beginning.
Packer Types:
Escargot RLPack (still there is guard page detection to bypass though) NsPack ExeStealth Upx-Lock The list is at the bottom of the source code, add to it as you find the patches that bypass the protections. Sorry for any weird code, I've only been using Python for 2 weeks.
Description:
Most of the functions are patched to return Debugger Found = False. The PEB patches are to the various flags in PEB used by anti-debug. Patch for ZwQueryInformationProcess is if DebugPort is checked, returns not debugged. Patch for GetTickCount is to return same number everytime. Patch for ZwQuerySystemInformation is to replace all ImmunityDebugger.exe with SVCHost.EXE. Patch for Window finding apis call Api and if "ID" is classname then return not found. Maybe ToDo:
Patch CreateThread ?70 downloads
0 comments
Submitted
-
!itunes7_antiantidebug PyCommand
By Teddy Rogers
Rather than merely hooking on IsDebuggerPresent(), and still allowing both SoftICE detection techniques to complete, this method adjusts the relevant register after the wrapper function iTunes.checkForDebuggers() returns, thus preventing a call to Kernel32.ExitProcess(0).
40 downloads
0 comments
Submitted
-
!itunes7_universal_antiantidebug PyCommand
By Teddy Rogers
Rather than merely hooking on IsDebuggerPresent(), and still allowing both SoftICE detection techniques to complete, this method adjusts the relevant register after the wrapper function iTunes.checkForDebuggers() returns, thus preventing a call to Kernel32.ExitProcess(0).
This PyScript will scan the process address space, looking for thelikely location to hook; just after iTunes.checkForDebuggers() returns.
43 downloads
0 comments
Submitted
-
!loadmap PyCommand
By Teddy Rogers
This command loads a map file generated by IDA. It should work better than MapConv, as MapConv loads only symbols present in the first section. Moreover you can load map files for all modules loaded.
40 downloads
0 comments
Submitted
-
!packets PyCommand
By Teddy Rogers
This script was an exercise in learning the hooking mechanisms and GUI control in ImmLib. The command simply sets breakpoints on some common routines that are used for receiving packets off the network (I didn't hook all of them, but it will be trivial to add more).
It will create a new window called "Captured Packets" which you can access from the Window menu.
39 downloads
0 comments
Submitted
-
!patch IsDebuggerPresent
By Teddy Rogers
Based on Dami's patch but with a couple of modifications.
This will automagically patch the IsDebuggerPresent not to detect ID.
ex:
!patch -t IsDebuggerPresent
60 downloads
0 comments
Submitted
-
!scanpe PyCommand
By Teddy Rogers
Scans the main module with UserDB.txt, whole file or just the EntryPoint (MUCH faster). Displays the Address and offset of detected signature, also the section name and index.
See !usage scanpe for information
42 downloads
0 comments
Submitted
-
!search PyCommand
By Teddy Rogers
A very simple pycommand which uses the searchCommands() method.
41 downloads
0 comments
Submitted
-
!sqlhooker PyCommand
By Teddy Rogers
This script supports the SQLOLEDB method of executing queries and, when combined with sql_listener.py will send you all the queries executed by a web application. Server-side filtering (necessary to avoid sending thousands of queries a second to you on a busy server) is stubbed in for later. We hooked IIS rather than SQL Server because common practice is to have your SQL tier unroutable, but the web tier is likely to have Internet access.
Somewhat later we'll have this integrate into SPIKE Proxy and other tools to automate detection of blind-sql attacks/detection and sql injection in general.
In order to use this script:
Run a few queries against your target server, this will start up two dllhost.exe's Load Immunity Debugger and attach to the second dllhost.exe (this can be slightly tricky if the PID for the second one is lower than the first, but eventually we'll automate it) run !sqlhooker -s myhostip:myport. For example, I use !sqlhooker 192.168.1.1:8081, and then on my .1 machine I run "python sql_listener.py 8081". Here's an example snippet of ASP script this would work against:
_start cut_ set conn = server.createObject("ADODB.Connection") set rs = server.createObject("ADODB.Recordset") query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'" conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password=" rs.activeConnection = conn rs.open query _end cut_ We currently support:
WinXPPro Sp2, IIS 5.0 SQLServer 2000 Win2K3, IIS 6.0, SQLServer 2000 Win2K, IIS 5.0, SQLServer 2000 Win2K Old,IIS 547 downloads
0 comments
Submitted
-
0 comments
Submitted
-
!unmidl PyCommand
By Teddy Rogers
Goes through an executable and gets the IDL file from it that MIDL compiled into it.
To install, just unzip inside your Immunity Debugger root directory.
48 downloads
0 comments
Submitted
-
BlackManta
By Teddy Rogers
This script should be used within Immunity Debugger. It monitors API calls associated with malicious activity and reports it to a window.
57 downloads
0 comments
Submitted
-
Download Statistics