Immunity Debugger Plugin

리버싱/Immunity Debugger PyCommands 스크립트 정리

Immunity Debugger Plugin - BpHook 예제

1q 2017. 2. 7. 12:01

Bufferoverflow 예제로, 취약한 strcpy 함수를 후킹하여 두 번째 인자인 source(쉘코드!?)를 로그에 출력한다.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
import immlib
from immlib import BpHook
 
DESC = "BpHook Basic Demonstration for the SPSE course"
 
class StrcpyBpHook(BpHook):
    def _init_(self):
        BpHook.__init__(self)
 
    def run(self, regs):
        imm = immlib.Debugger()
        imm.log("StrcpyBpHook Called!")
 
        # strcpy(char *destination, char *source)
        
        eipOnStack = imm.readLong(regs['ESP'])
        strcpyFirstArg = imm.readLong(regs['ESP'] + 4)
        strcpySecondArg = imm.readLong(regs['ESP'] + 8)
 
        imm.log("EIP on Stack: 0x%08x" % eipOnStack)
        imm.log("First Arg: 0x%08x" % strcpyFirstArg)
        imm.log("Second Arg: 0x%08x" % strcpySecondArg)
 
        # print the source string
        receivedString = imm.readString(strcpySecondArg)
        imm.log(receivedString)
        imm.log("Received String: %s with length %d" % (str(receivedString), len(receivedString)))
 
def main(args):
    imm = immlib.Debugger()
 
    # find strcpy address
    functionToHook = "msvcrt.strcpy"
    
    functionAddress = imm.getAddress(functionToHook)
 
    newHook = StrcpyBpHook()
 
    newHook.add(functionToHook, functionAddress)
 
    imm.log("Hook for %s : 0x%08x added successfully !" % (functionToHook, functionAddress))
 
    return "Hook Installed"
 
Colored by Color Scripter
cs