Tuts 4 You

16 files

  1. ASProtect 2.xx Deobfuscation Script

    Tracing ASProtect 2 SKE stolen and poly code is very difficult because of lots of short obfuscation jumps. This script, written by me, makes this code much easier to read and trace. There is some more to be done, but I am switching to Immunity so I can make a better script and remove more code.

    To use it you should run it at the start of obfuscated code because it will deobfuscate an entire section.

    44 downloads

    0 comments

    Updated

  2. BlackManta

    This script should be used within Immunity Debugger. It monitors API calls associated with malicious activity and reports it to a window.

    19 downloads

    0 comments

    Submitted

  3. !hidedebug PyCommand

    HideDebug script, hides from most common Anti-debug tricks while still allowing normal use (e.g. FindWindow works except for ImmDbg).

    Patches:
    IsDebuggerPresent (with poly-patch code, as Xor EAX, EAX is too easy to detect)
    ZwQueryInformationProcess
    CheckRemoteDebuggerPresent
    PEB.IsDebugged
    PEB.ProcessHeap.Flag
    PEB.NtGlobalFlag
    PEB.Ldr 0xFEEEFEEE filling
    GetTickCount (with poly-patch code, as Mov EAX, xxxxxxxx is too easy to detect)
    ZwQuerySystemInformation (used by CreateToolHelp32Snapshot / Process32First / Process32Next and others)
    FindWindowA
    FindWindowW
    FindWindowExA
    FindWindowExW
    EnumWindows

    Types:
    Anti-Debug Types:
    IsDebuggerPresent
    ZwQueryInformationProcess
    CheckRemoteDebuggerPresent
    PEB (all PEB patches are done)
    GetTickCount
    All_Debug - applies ALL debug detect patches
    Anti-Process-finding Types:
    ZwQuerySystemInformation (all other process APIs use this)
    All_Process - applies the debugger-process finding API patch
    Anti-Window-finding Types:
    FindWindowA
    FindWindowW
    FindWindowExA
    FindWindowExW
    EnumWindows
    All_Window - applies ALL debugger-window finding API patches

    Also a few packer types are included, but most packers' protection is defeated by just the PEB patches. This is by no means a complete list, it's not even a good beginning.

    Packer Types:
    Escargot
    RLPack (still there is guard page detection to bypass though)
    NsPack
    ExeStealth
    Upx-Lock

    The list is at the bottom of the source code; add to it as you find the patches that bypass the protections. Sorry for any weird code, I've only been using Python for 2 weeks.

    Description:
    Most of the functions are patched to return Debugger Found = False. The PEB patches are to the various flags in PEB used by anti-debug. Patch for ZwQueryInformationProcess: if DebugPort is checked, returns not debugged. Patch for GetTickCount is to return the same number every time. Patch for ZwQuerySystemInformation is to replace all ImmunityDebugger.exe with SVCHost.EXE. Patch for window finding APIs: call API and if "ID" is the classname then return not found.

    Maybe ToDo:
    Patch CreateThread?

    18 downloads

    0 comments

    Submitted

  4. !bpxep PyCommand

    This is a small script for use with packers that have weird headers and that don't load properly into ImmDbg, e.g. UPack, [MSLRH], ASDPack. It simply places a temporary breakpoint at the entrypoint, ensuring that ImmDbg will stop there (except with ASDPack, which overwrites the EntryPoint: you must stop at TLS and trace until the Entrypoint is written, then run the script again to set the Bpx).
    Also useful if you have a target that runs code from TLS, or that stops at the system breakpoint.

    Includes a little code from JMS in the TLS code.
    The script will also add comments to the code to tell you which callback you are at, and attempt to analyse the code (if the -go option is specified).

    17 downloads

    0 comments

    Submitted

  5. !patch IsDebuggerPresent

    Based on Dami's patch but with a couple of modifications.

    This will automagically patch the IsDebuggerPresent not to detect ID.

    ex:
    !patch -t IsDebuggerPresent

    16 downloads

    0 comments

    Submitted

  6. !apilookup PyCommand

    Win32API Function Finder Locator. This Immunity Debugger PyCommand can be used to get quick access to Win32 API functions based on the old Win32API.HLP file.

    15 downloads

    0 comments

    Submitted

  7. !unmidl PyCommand

    Goes through an executable and gets the IDL file from it that MIDL compiled into it.

    To install, just unzip inside your Immunity Debugger root directory.

    15 downloads

    0 comments

    Submitted

  8. !sqlhooker PyCommand

    This script supports the SQLOLEDB method of executing queries and, when combined with sql_listener.py, will send you all the queries executed by a web application. Server-side filtering (necessary to avoid sending thousands of queries a second to you on a busy server) is stubbed in for later. We hooked IIS rather than SQL Server because common practice is to have your SQL tier unroutable, but the web tier is likely to have Internet access.

    Somewhat later we'll have this integrate into SPIKE Proxy and other tools to automate detection of blind-sql attacks/detection and sql injection in general.

    In order to use this script:
    Run a few queries against your target server; this will start up two dllhost.exe's.
    Load Immunity Debugger and attach to the second dllhost.exe (this can be slightly tricky if the PID for the second one is lower than the first, but eventually we'll automate it).
    Run !sqlhooker -s myhostip:myport. For example, I use !sqlhooker 192.168.1.1:8081, and then on my .1 machine I run "python sql_listener.py 8081".

    Here's an example snippet of ASP script this would work against:
    _start cut_
    set conn = server.createObject("ADODB.Connection")
    set rs = server.createObject("ADODB.Recordset")
    query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
    conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
    rs.activeConnection = conn
    rs.open query
    _end cut_

    We currently support:
    WinXPPro Sp2, IIS 5.0, SQLServer 2000
    Win2K3, IIS 6.0, SQLServer 2000
    Win2K, IIS 5.0, SQLServer 2000
    Win2K Old, IIS 5

    13 downloads

    0 comments

    Submitted

  9. !tickcount PyCommand

    Patches the kernel32.GetTickCount() routine.

    13 downloads

    0 comments

    Submitted

  10. !getrpc PyCommand

    I modified the !getrpc PyCommand to allow you to specify "all", which will iterate through all non-system DLLs loaded in the process and look for RPC interface information. Dave et al., you are welcome to redistribute this with ID in the next release.

    11 downloads

    0 comments

    Submitted

  11. !scanpe PyCommand

    Scans the main module with UserDB.txt, either the whole file or just the EntryPoint (MUCH faster). Displays the address and offset of the detected signature, and also the section name and index.

    See !usage scanpe for information

    9 downloads

    0 comments

    Submitted

  12. !itunes7_antiantidebug PyCommand

    Rather than merely hooking on IsDebuggerPresent(), and still allowing both SoftICE detection techniques to complete, this method adjusts the relevant register after the wrapper function iTunes.checkForDebuggers() returns, thus preventing a call to Kernel32.ExitProcess(0).

    8 downloads

    0 comments

    Submitted

  13. !itunes7_universal_antiantidebug PyCommand

    Rather than merely hooking on IsDebuggerPresent(), and still allowing both SoftICE detection techniques to complete, this method adjusts the relevant register after the wrapper function iTunes.checkForDebuggers() returns, thus preventing a call to Kernel32.ExitProcess(0).

    This PyScript will scan the process address space, looking for the likely location to hook: just after iTunes.checkForDebuggers() returns.

    8 downloads

    0 comments

    Submitted

  14. !search PyCommand

    A very simple pycommand which uses the searchCommands() method.

    8 downloads

    0 comments

    Submitted

  15. !loadmap PyCommand

    This command loads a map file generated by IDA. It should work better than MapConv, as MapConv loads only symbols present in the first section. Moreover, you can load map files for all loaded modules.

    7 downloads

    0 comments

    Submitted

  16. !packets PyCommand

    This script was an exercise in learning the hooking mechanisms and GUI control in ImmLib. The command simply sets breakpoints on some common routines that are used for receiving packets off the network (I didn't hook all of them, but it will be trivial to add more).

    It will create a new window called "Captured Packets" which you can access from the Window menu.

    6 downloads

    0 comments

    Submitted
