OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Friday, August 3 2007 19:33.17 CDT

Modified: Tuesday, August 7 2007 16:17.21 CDT

Printer Friendly ...

Immunity Debugger is now released!

Author: nicowow

# Views: 20818

Announcing Immunity Debugger v1.0

After almost a year of intensive development and internal use, we are
pleased to announce the public release of Immunity Debugger v1.0.

When we started developing Immunity Debugger our main objective was to
combine the best of the commandline based and GUI based debugger worlds.
The commandline because most of us come from a UNIX background, and it
just ends up being more efficient than clicking your way around. The GUI
because we understand that we are visual beings that often can
grasp more from a single look at a graphical layout than from two days
of x/x-ing memory pages.

The third feature we required was full flexible access to the debugging API,
the graphing engine, and the GUI API. Because having to Re-Compile
plugins is lame, we decided to make everything accessible from Python.
So we put everything together and developed something we feel very
comfortable using.

This means we ended up with a fully flexible and extendible Win32
debugger that has all of it's features, both debugging and graphical,
easily accessible from it's Python scripting engine.

And best of all, it's available for free. That's right, Immunity
Debugger is released for free, including free monthly updates.

Here's some cool features:

o The Python API ("Immlib/Lib reference" for full documentation)
o A full Python based graphing library
o Full debugger and GUI API access
o A flurry of cool example scripts such as:

- !heap         A fully working heap dumping script (try the -d option!)
- !searchheap   Searching the heap
- !hippie       Trampoline hooks on RtlAllocateheap/RtlFreeHeap
- !modptr       Dynamic search for function pointers in pages
- !findantidep  Find address to bypass software DEP

o Writing your own scripts for your specific tasks is easy :)

Interested? Give Immunity Debugger a spin and download it from:
http://www.immunitysec.com/products-immdbg.shtml

For feedback or bug reports please contact [email protected].

Happy debugging!

Thanks,
Team Immunity

PS: Yes, we will be implementing an interactive Python shell too.

Blog Comments

dennis	Posted: Saturday, August 4 2007 05:51.46 CDT
Nice, thanks a lot for sharing. I'm really expecting lots of nice python scripts popping up. Time to learn python finally, I guess ;-) Btw: the "jobs" menu is a very good idea!

aLS	Posted: Monday, August 6 2007 07:56.55 CDT
Well, nico, as ive said you before.. awesome job. I love to see the Olly niceness merged with the speed of the commandline and the power of Python. I can say, for me at least, that this will be a damn useful tool. Congratz.

jms	Posted: Monday, August 6 2007 13:46.19 CDT
I gotta say, this thing is the bomb! Well done! I can't wait to see what kind of scripts start coming out of the community, thanks to you and all of Immunity.

MohammadHosein	Posted: Monday, August 6 2007 15:01.50 CDT
Time to learn python finally, I guess ;-) definitely

collie	Posted: Tuesday, August 7 2007 09:49.51 CDT

collie	Posted: Tuesday, August 7 2007 10:06.23 CDT
I used Immunity D. and have problems, It lucks like "Is debugger present" is needed and I do not know how to make it active. A good idea is a tutorial on how to construct plugins. (I think you made a good buisniss, if you cotinue to develop it.

jms	Posted: Tuesday, August 7 2007 11:30.16 CDT
If you are having problems with an IsDebuggerPresent check, its trivial to bypass: 1) Set a breakpoint on kernel32.IsDebuggerPresent 2) When the breakpoint is hit, look two lines down for the CMP EAX... line. 3) Merely assemble there with an XOR EAX,EAX to zero it out. 4) Remove your breakpoint and hit F9

collie	Posted: Tuesday, August 7 2007 11:36.35 CDT
jms: That's good but its much more frendly with a plugin.

collie	Posted: Tuesday, August 7 2007 11:48.40 CDT
I can not load the program, I get an error "Could not load the aplication, etc. in a diferent debugger it will load perfectely. I am only testing this debugger. If you can help I will be greatfull. Forgive my Inglish, I am doing my best.

nicowow Posted: Tuesday, August 7 2007 12:23.33 CDT

Collie,
It's a good idea, and we will make a small tutorial on how to write a simple script.
Mindtime, you can easily implement what jms said with a couple of lines of Python



import immlib

def main(args):

    imm = immlib.Debugger()

    ispresent = imm.getAddress( "kernel32.IsDebuggerPresent" )

    imm.writeMemory( ispresent, imm.Assemble("xor eax, eax\n ret")

Save those 5 lines of python into a file named bypassIDP.py into
c:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\

Now, on Immunity Debugger's command line you just run:



!bypassIDP

and it will work automatically for you.

jms	Posted: Tuesday, August 7 2007 14:30.24 CDT
Damn Nico, I gotta get on this Python API of yours :)

n00b	Posted: Wednesday, August 8 2007 07:24.45 CDT
nicowow Can you take a look in the forum i've posted a question about a plugin which was displayed on the web site and wanted to know if it was available to the public thank's.

neurogee	Posted: Thursday, August 9 2007 00:38.30 CDT
Looks damn nice, on the download :)

collie

Posted: Thursday, August 9 2007 11:12.51 CDT

nicowow:
I have been investigating a bit with "immunityDebugger" I must say it is a good intention of making a new olly, I would sugest you to take a look at "NSOLD" a complate version of olly that I got throgh Internet,I think it is RU, but I am not shore, It is the best I have used so far. It comes complate, plugins and other interesting features, Immunity will have to make many changes to make it popular, NSOLD las the same icon as olly but of a diferent color.
I will make a few constructive comments on Immunity.
1 It does not have plugins. (lack of instructions of how to make them.
2 I do not see any indication of when it is runing or when it is not.
3 It does not give me any indication of when a branch is to be taken before I execute the instruction.
4 Many more
As I see them corrected I will give you more
P/D It is not NSOLD it is MSDOLD.

collie	Posted: Thursday, August 9 2007 11:21.37 CDT
jms Do you know where 0012D000 (Stack of main thread)is stored so that I can modify it, your last help was wonderfull.

collie	Posted: Thursday, August 9 2007 11:49.50 CDT
jms: Do you thimk it could be posible with a change in olly plugin to make it available for immutityD. I really do not know if this is fulish question.

morel	Posted: Thursday, August 9 2007 13:15.39 CDT
"Immunity debugger" is a rather proud name. I'd call it "olly with python" :P

nicowow	Posted: Thursday, August 9 2007 15:25.18 CDT
collie: 1. Yes we do. Next version we will release the SDK, and support for Olly plugins (Although, no support for those) 2. Little box at the bottom 3. It does, it's probably minimized on your ID. Check the horizontal line between the Assembly code and the Dump Window WE appreciate all comments and testing!

collie	Posted: Friday, August 10 2007 10:18.22 CDT
nicowow: Sorry you are rigfht I must have confused it with a non conditional jump. From what I can see from MOREL's opinion I am going to have to learn Python. I will apreciate any information throgh my E-Mail (Tutorial's,etc.)

TQN

Posted: Saturday, August 11 2007 12:03.50 CDT

We can modify OllyDbg plugin for Immunity Debugger. Untill now, I have two addition plugins for ID, HideOD and Phantom. Because they did not have source code, so I have analysis them and decompiler Bookmark plugin of ID, and compare. They are almost same, with two change: _ODBG_xxx to _IMMDBG_xxx export functions and OllyDbg.exe to ImmunityDebugger.exe import entry. We can use a PE Editor to modify them.
If we have the source of a OllyDbg plugin, we can recompile them, add _IMMDBG_xxx export function (by new function code or by forward export), and they can be used in Immunity Debugger.
Regards,

collie	Posted: Sunday, August 12 2007 11:06.11 CDT
To Any one: I have managed to unpack a progran with Olly but when I dump It, It changes a few addresses in the dump. (I managed to corect manually the addreses). I do not know if I can mention the packer. beside it also changes the contents of .dll's. does any one know where these dll's are kept.

collie	Posted: Tuesday, August 14 2007 11:40.19 CDT
TQN: Your sugestion on Changing OllyDbg.exe for ImmunityDebugger.exe in olly's plugin, is Ok, but does not work because of the diference in size of the two names and the location of theese names are fixt.

RolfRolles

Posted: Tuesday, August 14 2007 14:03.45 CDT

Collie:

The locations of the names (as well as the exported function names) are not fixed: they're RVAs. So, you can write new strings either in a cave or in a new section, and then update the import descriptor's Name RVA and the export information's AddressOfNames RVAs to point to them. TQN is saying that a PE editor ought to take care of this for you.

Should work, assuming the only things that have changed about the plugin interface are the names of the functions and the fact that the plugins have to import ImmunityDebugger.exe instead of OllyDbg.exe. However, some plugins (such as OllyAdvanced) make extensive patches to OllyDbg in memory, and those patches rely upon addresses specific to particular versions of OllyDbg, so these will never work under Immunity Debugger.

Anyway, nicowow said that they'll support Olly plugins in the next version, so it sounds like your problems will disappear on their own if you wait.

There are 31,320 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit