That does not mean OllyDbg is a bad debugger or is limited in what you can do in terms of writing plugins\u2026 I just found it harder to \u201cquickly tweak a plugin\u201d while building an exploit. OllyDbg plugins are compiled into dll\u2019s, so changing a plugin would require me to recompile and test. Immunity Debugger uses python scripts. I can go into the script, make a little change, and see the results right away. Simple.<\/p>\n
Both OllyDbg and Immunity Debugger have a good amount of plugins (either contributed by the community or made available when you installed the product). While there is nothing wrong with these plugins (or PyCommands in case of Immunity Dbg), I really wanted to have a single plugin that would help me building all (stack based) exploits, from A to Z. This idea got translated into my pvefindaddr<\/a> PyCommand.<\/p>\n My obvious choice was Immunity & Python. I\u2019m not a great python developer (at all), but I have been able to build my own PyCommand in a relatively short amount of time. This proves that it\u2019s really easy to build custom PyCommands for Immunity, even if you are not an expert developer. If I can do it, then you can for sure.<\/p>\n The only issue I faced (apart from learning python syntax and getting used to python\u2019s hmmmm \u201cslightly annoying\u201d indentation requirement) was finding out how the Immunity-specific API\u2019s\/methods\/attributes work. To be honest, the API help included with Immunity Debugger was not a great help. It basically only lists the available methods\/attributes\/\u2026 and that\u2019s it. No explanation on what these methods & attributes behave, on what they\u2019re supposed to do, or how to use them for that matter. Ok, once you start understanding how things work, they are still a good reference, but when you are learning from scratch, a little persistence may be required.<\/p>\n Luckily, since Immunity comes with a lot of PyCommands, those can be used as a reference.<\/p>\n Anyways, it\u2019s still a good idea to use the ImmDbg Python API help file too. You can get access to the API help in Immunity by navigating to \u201cHelp\u201d, select \u201cSelect API help file\u201d, and selecting the IMMLIB.HLP file from the Documentation folder.<\/p>\n From that point forward, you can access this help file via \u201cHelp\u201d - \u201cOpen API help file\u201d<\/p>\n Immunity also has an online version of the API : http:\/\/debugger.immunityinc.com\/update\/Documentation\/ref\/ (online version contains a little bit more information)<\/p>\n My main goal today is putting together a reference\/cheatsheet for anyone interested in writing pycommands, so you can start building your own plugins faster than I did \ud83d\ude42 ). This is not going to be \u201cthe complete reference\u201d, but it should help you start to build your own plugins.<\/p>\n First of all, the python syntax that you will need to write (or learn and write) is based on python 2.x (If you are not familiar with python : v2.x and v3.x are quite different in certain areas, so if you want to get yourself a reference\/book on writing python, make sure to pick one that is based on the 2.x branch)<\/p>\n <\/p>\n <\/p>\n Start by creating a file in the Immunity Debugger PyCommands folder : <filename>.py<\/p>\n This filename is important, because you will need to launch the PyCommand based on the filename.<\/p>\n Launching a PyCommand is really easy : just type in the filename (without the .py extension, but prepended with an exclamation mark), in the command box at the bottom of Immunity Debugger<\/p>\n So if you named your plugin \u201cplugin1.py\u201d, then you can launch the script by executing<\/p>\n The basic structure of a plugin looks like this :<\/p>\n - load the Immunity Libraries (and perhaps other libraries, depending on what you want to do)<\/p>\n - write a main() function that will read the command line arguments (if any) and call functions based on what you want the plugins to do<\/p>\n - write the functions that will perform the required actions<\/p>\n Next, you will need to specify you want to use the Immunity Debugger libraries and use them in your script. The best way to do is by declaring a variable that hooks into the Immunity debugger class:<\/p>\n I usually make this one global, so I keep it outside of the main() function. (You can put it directly below the \u201cimport\u201d statements for example)<\/p>\n The list of available classes are :<\/p>\n <\/p>\n <\/p>\n The arguments\/parameters specified when launching the PyCommand are captured in the \u201cargs\u201d array.<\/p>\n You can get the number of arguments using <\/p>\n Accessing the arguments themselves is as easy as iterating through the args[] array and getting the contents of an element in the array:<\/p>\n <\/p>\n <\/p>\n You may have noticed that the script above does not seem to output anything. While the syntax is perfectly correct, there is no visible default output window, so you will have to tell the plugin where to write the output to.<\/p>\n There are a couple of options : you can write to the Immunity Log window (which is the most commonly used technique), a new\/separate table (which is nothing more than a new window that can list the information in a table), or to a file (which may be a good idea if the amount of output you are generating would overflow the Log window buffer.<\/p>\n The Log Window is a part of the debugger. So we will need to use the debugger instance that we have declared earlier (imm) to write to the Log.<\/p>\n The method to do so is simple : imm.Log()<\/p>\n There are a couple of things you can do, so let\u2019s have a look at this example :<\/p>\n You can specify a custom memory address in the left column of the Log Window. (If nothing is specified, this address will be 0BADF00D.) All you need to do is specify the memory address (integer !) as second argument for the Log() method :<\/p>\n <\/p>\n A good way to start your plugin, handling \u201cno arguments\u201d by displaying a \u201cUsage\u201d text, could be something like this :<\/p>\n <\/p>\n You will notice, as you continue to build your plugin, that when you search through memory (or perform any other CPU intensive task), the log window may not get updated right away. Immunity may appear to be hanging for a while, and when everything completes, everything is shown in the log window (or table for that matter).<\/p>\n There is a way to influence this behaviour. After each imm.Log() call, you can force Immunity Debugger to update the log window. This is as easy as writing the following statement in your code :<\/p>\n The only (big) disadvantage is that it will also slow down the CPU intensive task that you were performing. So it\u2019s a trade off between seeing what happens in real time, and speed. It\u2019s up to you to decide.<\/p>\n <\/p>\n <\/p>\n Writing data to the Log allows you to display both structured and unstructured data. First, you must define the table (Table title + colum titles), and then you can use the .add() method on the table object to add data to the table :<\/p>\n <\/p>\n Writing output to the Log or a table works fine, as long as the amount of data doesn\u2019t overflow the available amount of Log buffer space. If that is the case, you could consider writing output to file as well as to Log or a table.<\/p>\n This is not Immunity specific in any way - it\u2019s just python code.<\/p>\n When writing files, by default, the files will be written into the Immunity Debugger program folder. The technique is simple :<\/p>\n What I usually do is this : First, I clear the contents of the file, then I append data to the file using a function (tofile())<\/p>\n Clearing the contents of a file can be done like this :<\/p>\n At the beginning of a function, I reset the file, and in the function, I use the tofile() function to write data into the file<\/p>\n When you have to display a memory address, or use a memory address in a function, then you must verify what the required format of the address should be : either a string (if you only want to display the address) or an integer (if the address is used in Immunity methods)<\/p>\n When Immunity returns an address or expects you to provide an address, it will be an integer. If you want to display this address on screen, write to a log file, etc\u2026 you\u2019ll have to use a format string to convert it to readable format :<\/p>\n Remember : anytime the Immunity API says a method uses \u201caddress\u201d, you need to specify an integer value.<\/p>\n<\/blockquote>\n Ok, that\u2019s all we need to know for now \u2013 we can start writing code that will actually do something usefull and display the output to log, table, file, \u2026<\/p>\n<\/p>\n One of the most common things you\u2019ll probably want to do is search through memory, looking for specific type of information. Some examples could be<\/p>\n \u2013 finding jump addresses (jump, call, push+ret, pop pop ret, etc)<\/p>\n \u2013 comparing bytes in memory with bytes in a file (so step through memory locations, read bytes, and do something with it)<\/p>\n \u2013 etc<\/p>\n In certain cases, you\u2019ll probably also want to convert opcodes to instructions, and vice versa.<\/p>\n Let\u2019s take it step by step. Suppose you want to search for all jmp esp instructions available in memory. First of all, there has to be a process attached to Immunity before your search will produce results. No process = no results \ud83d\ude42<\/p>\n There are 2 ways to perform a search. You can provide the asm code, use Immunity to convert it to opcodes, and perform the search; or you can provide the opcode and perform the search.<\/p>\n Example 1 : search for \u201cjmp esp\u201d<\/p>\n That wasn\u2019t too bad, was it ?<\/p>\n Example 2 : If you want to search for a serie of instructions (such as \u201cpush esp + ret\u201d), then the instructions must be separated by \\n :<\/p>\n Example 3 :<\/p>\n If you want to use opcode directly (instead of instructions), then<\/p>\n \u2013 the search looks a little bit different (no need to Assemble first)<\/p>\n \u2013 you can disassemble the instruction at the found address using the Disasm() + getDisasm() functions<\/p>\n Note : when you search through memory, it will search all process memory (loaded modules and outside loaded modules, but always limited to the memory that is used in the process). As stated earlier, searching through memory can make your CPU spike to 100%.<\/p>\n<\/p>\n \u2026 is as easy as doing this :<\/p>\n (I added \u201cimport re\u2019\u201d at the beginning of the script so I could use the splitter (re.compile()))<\/p>\n There may be a case where you would like to read memory from a given start location and get the bytes in memory. This can be done using the following technique :<\/p>\n The readMemory() method requires 2 arguments : the location where you want to read, and the amount of bytes to read.<\/p>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb52.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb53.png\" "\\"image\\"")
<\/a><\/p>\nBuilding a PyCommand from scratch<\/h3>\n
Launching a PyCommand<\/h4>\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb54.png\" "\\"image\\"")
<\/a><\/p>\n!plugin1<\/pre>\n
Basic structure<\/h4>\n
#!\/usr\/bin\/env python \"<\/span>\"\" (c) Peter Van Eeckhoutte 2009 U{Peter Van Eeckhoutte - corelan.imm = immlib.Debugger()<\/pre>\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb55.png\" "\\"image\\"")
<\/a><\/p>\nHandling arguments<\/h4>\n
len(args)<\/pre>\n
def<\/span> main(args): if<\/span> not args: usage() else<\/span>: print<\/span> \"Number of arguments : <\/span>\" + str(len(args)) cnt=0 while (cnt < len(args)): print<\/span> \" Argument <\/span>\" + str(cnt+1)+\" : <\/span>\" + args[cnt]<\/font><\/strong> cnt=cnt+1<\/pre>\nWriting to log, tables, files<\/h3>\n
Writing output to the Log Window<\/h4>\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb56.png\" "\\"image\\"")
<\/a><\/p>\ndef<\/span> main(args): print<\/span> \"Number of arguments : <\/span>\" + str(len(args)) imm.Log(\"Number of arguments : %d <\/span>\" % len(args)) cnt=0 while (cnt < len(args)): imm.Log(\" Argument %d : %s<\/span>\" % (cnt+1,args[cnt])) if<\/span> (args[cnt] == \"world<\/span>\"): imm.Log(\" You said %s !<\/span>\" % (args[cnt]),focus=1, highlight=1) cnt=cnt+1<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb57.png\" "\\"image\\"")
<\/a><\/p>\ndef<\/span> main(args): print<\/span> \"Number of arguments : <\/span>\" + str(len(args)) imm.Log(\"Number of arguments : %d <\/span>\" % len(args)) cnt=0 while (cnt < len(args)): imm.Log(\" Argument %d : %s<\/span>\" % (cnt+1,args[cnt]),12345678<\/font><\/strong>) if<\/span> (args[cnt] == \"world<\/span>\"): imm.Log(\" You said %s !<\/span>\" % (args[cnt]),focus=1, highlight=1) cnt=cnt+1<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb58.png\" "\\"image\\"")
<\/a><\/p>\n__VERSION__ = '1.0' import<\/span> immlib import<\/span> getopt import<\/span> immutils from immutils import<\/span> * imm = immlib.Debugger() \"<\/span>\"\" Functions \"<\/span>\"\" def<\/span> usage(): imm.Log(\" ** No arguments specified ** <\/span>\") imm.Log(\" Usage : <\/span>\") imm.Log(\" blah blah<\/span>\") \"<\/span>\"\" Main application \"<\/span>\"\" def<\/span> main(args): if<\/span> not args: usage() else<\/span>: imm.Log(\"Number of arguments : %d <\/span>\" % len(args)) cnt=0 while (cnt < len(args)): imm.Log(\" Argument %d : %s<\/span>\" % (cnt+1,args[cnt])) if<\/span> (args[cnt] == \"world<\/span>\"): imm.Log(\" You said %s !<\/span>\" % (args[cnt]),focus=1, highlight=1) cnt=cnt+1<\/pre>\nUpdating log\/table<\/h4>\n
imm.updateLog()<\/pre>\n
Writing output to a table<\/h4>\n
def<\/span> main(args): if<\/span> not args: usage() else<\/span>: #create table table=imm.createTable('Argument table',['Number','Argument']) imm.Log(\"Number of arguments : %d <\/span>\" % len(args)) cnt=0 while (cnt < len(args)): table.add<\/span>(0,[\"%d<\/span>\"%(cnt+1),\"%s<\/span>\"%(args[cnt])]) cnt=cnt+1<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb59.png\" "\\"image\\"")
<\/a><\/p>\nWriting output to a file<\/h4>\n
filename=\"myfile.txt<\/span>\" FILE=open<\/span>(filename,\"a<\/span>\") #this will append to the file FILE.write<\/span>(\"Blah blah<\/span>\" + \"\\n<\/span>\") FILE.close<\/span>()<\/pre>\ndef<\/span> resetfile(file1): FILE=open<\/span>(file1,\"w<\/span>\") FILE.write<\/span>(\"<\/span>\") FILE.close<\/span>() return<\/span> \"<\/span>\" <\/pre>\ndef<\/span> tofile(info,filename): info=info.replace<\/span>('\\n',' - ') FILE=open<\/span>(filename,\"a<\/span>\") FILE.write<\/span>(info+\"\\n<\/span>\") FILE.close<\/span>() return<\/span> \"<\/span>\"<\/pre>\n<\/p>\nWorking with addresses<\/h4>\n
def<\/span> usage(): imm.Log(\" ** No arguments specified ** <\/span>\") imm.Log(\" Usage : <\/span>\") imm.Log(\" blah blah<\/span>\") def<\/span> tohex(intAddress): return<\/span> \"%08X<\/span>\" % intAddress \"<\/span>\"\" Main application \"<\/span>\"\" def<\/span> main(args): if<\/span> not args: usage() else<\/span>: myAddress=1234567 #integer address imm.Log(\" Integer : %d <\/span>\" % myAddress,address=myAddress) imm.Log(\" Readable hex : 0x%08X<\/span>\" % myAddress,address=myAddress) hexAddress = tohex(myAddress) imm.Log(\" Readable string : 0x%s<\/span>\" % hexAddress,address=myAddress) imm.Log(\" Back to integer : %d<\/span>\" % int(hexAddress,16),address=int(hexAddress,16))<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb61.png\" "\\"image\\"")
<\/a><\/p>\n\n
Using opcodes, assemble and disassemble, and searching memory<\/h3>\n
def<\/span> main(args): imm.Log(\"Started search for jmp esp...<\/span>\") imm.updateLog() searchFor=\"jmp esp<\/span>\" results=imm.Search( imm.Assemble (searchFor) ) for result in results: imm.Log(\"Found %s at 0x%08x <\/span>\" % (searchFor, result), address = result) <\/pre>\ndef<\/span> main(args): imm.Log(\"Started search for push esp \/ ret...<\/span>\") imm.updateLog() searchFor=\"push esp\\nret<\/span>\" results=imm.Search( imm.Assemble (searchFor) ) for result in results: imm.Log(\"Found %s at 0x%08x <\/span>\" % (searchFor.replace<\/span>('\\n',' - '), result), address = result)<\/pre>\n<\/p>\ndef<\/span> main(args): imm.Log(\"Started search for mov ebp,esp <\/span>\") imm.updateLog() searchFor=\"\\x8b\\xec<\/span>\" #mov ebp,esp \/ ret results=imm.Search( searchFor ) for result in results: opc = imm.Disasm( result ) opstring=opc.getDisasm() imm.Log(\"Found %s at 0x%08x <\/span>\" % (opstring, result), address = result)<\/pre>\nWriting your own assembler\u2026<\/h4>\n
__VERSION__ = '1.0' import<\/span> immlib import<\/span> getopt import<\/span> immutils from immutils import<\/span> * imm = immlib.Debugger() import<\/span> re<\/span> \"<\/span>\"\" Main application \"<\/span>\"\" def<\/span> main(args): if<\/span> (args[0]==\"assemble<\/span>\"): if<\/span> (len(args) < 2): imm.Log(\" Usage : !plugin1 compare instructions<\/span>\") imm.Log(\" separate multiple instructions with #<\/span>\") else<\/span>: cnt=1 cmdInput=\"<\/span>\" while (cnt < len(args)): cmdInput=cmdInput+args[cnt]+\" <\/span>\" cnt=cnt+1 cmdInput=cmdInput.replace<\/span>(\"'<\/span>\",\"<\/span>\") cmdInput=cmdInput.replace<\/span>('\"','') <\/span> splitter=re<\/span>.compile('#') instructions=splitter.split<\/span>(cmdInput) for instruct in instructions: try: assembled=imm.Assemble( instruct ) strAssembled=\"<\/span>\" for assemOpc in assembled: strAssembled = strAssembled+hex(ord(assemOpc)).replace<\/span>('0x', '\\\\x') imm.Log(\" %s = %s<\/span>\" % (instruct,strAssembled)) except: imm.Log(\" Could not assemble %s <\/span>\" % instruct) continue<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb62.png\" "\\"image\\"")
<\/a><\/p>\n<\/p>\nStepping through memory<\/h4>\n
if<\/span> (args[0]==\"readmem<\/span>\"): if<\/span> (len(args) > 1): imm.Log(\"Reading 8 bytes of memory at %s <\/span>\" % args[1]) cnt=0 memloc=int(args[1],16) while (cnt < 8): memchar = imm.readMemory(memloc+cnt,1) memchar2 = hex(ord(memchar)).replace<\/span>('0x','') imm.Log(\"Byte %d : %s<\/span>\" % (cnt+1,memchar2)) cnt=cnt+1<\/pre>\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb65.png\" "\\"image\\"")
<\/a><\/p>\n<\/p>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb64.png\" "\\"image\\"")
<\/a><\/p>\n<\/p>\n