Reverse Engineering b10g | REM

ImmunityDebugger 1.73 RemoveAD KuNgBiM November 19, 2008

Posted by reversengineering in DEBUGGER, TOOLS.
add a comment

RemoveAD.by.KuNgBiM/[CCG]

1.70 Build 0

New Features:

- Debugger
o Added support for variable decoding when second pass analysis enabled

- Immunity Debugger API
o Added getVariable/setVariable methods
o Added driverlib.py for analyzing drivers

- PyCommands
o activex.py for auditing ActiveX controls

- Bug Fixes
o Fixed Python pathing issue when JIT debugging/spawning from right-click
o Fixed Module.getName() method to return only the module name
o Fixed length check error in imm.Assemble()

1.60 Build 0

New Features:

- Debugger
o Added ‘Use Symbol Server’ option
[http://forum.immunityinc.com/index.php?topic=162]
o Improved Getallnames
o Added timestamp to log events

- Immunity Debugger API
o Added getAllSymbolsFromModule method
o Added libcontrolflow.py
Container for classes DominatorTree and ControlFlowAnalysis
o Added Clear function to FastLogHook.

- PyCommands
o Added findloop.py: Find natural loops given a function start.
o Added treedll.py: Creates imported dll tree.

- Bug Fixes:
o Fixed POST_ANALYSIS_HOOK “FATAL ERROR”
o Fixed Arguments overflow (Thanks David Wetson for reporting this one!)
o Local Symbol Path issue
o Analysis second pass option now works
o Getallsymbols now correctly creates the PyDict [Import/Export/Library issue]

1.50 Build 0

New Features:

- Debugger:
o Added “Servers” folder with specific pycommand listeners

- Memory Pages:
o Working on Windows Vista

Immunity Debugger API:
o Added imm.vmQuery() wrapper [Query Virtual Memory pages]
o The MemoryPage class has been improved.
- Protect and Allocation Protect Flags are queried realtime
- You can get a human readable flag passing human = 1 to
page.getAccess() and page.getInitAccess()
o Added:
- searchOnExecute()
- searchOnRead()
- searchOnWrite()
These methods will search in any memory page with access = any combination.
o Modified:
- Search()
- searchShort()
- searchLong()
to receive an extra flag parameter to specify memory protection type
when searching.
o Added imm.isAdmin() : is ID running as admin?
o Added Thread class to debugtypes.py
o Added imm.getAllThreads() method
o librecognition.py : Improved REGEXP support for the indexed register search
o Added Function.findRetValue Find all the possible values on a Function
o GFlags class Handle Windows Global Flags.

PyCommands:

o gflags.py: Enable/Disable Windows Global Flags
o recognize.py: Backward compatability
o Added hookssl.py
o Added ssl_listener.py to Servers directory
o Added hookndr.py Hooks the NDR unmarshalling routines and prints them
out so you can see which ones worked
o Added nohooks.py : remove all hooks from memory

Bug Fixes:

- Debugger Core
o The memory page protect information is correctly displayed now.
o Fixed Second Analisys pass repeated entries bug.
o Fixed thread state swap issue which was leading to a memleak.

1.40 Build 0

New Features:

- Debugger Core:
o Added Silent Debugging Flag [accesible via Debugging options ALT-O or via immlib]

http://forum.immunityinc.com/index.php?topic=157.0

o Added Analysis Second Pass [Decoding Functions]

http://forum.immunityinc.com/index.php?topic=163.0

- Debugger GUI Core:
o Now you can add headers + other useful information on every Row
displayed at the Disasm Window. The information will be saved
as part of dump struct.
o Dettach option added to File Menu: Go to File -> Dettach [You need to be attached to
gray out Dettach]

http://forum.immunityinc.com/index.php?topic=158.0

- Debugger GUI:
o Right click on disasm line -> Add Header will add headers to your line

- Immunity Debugger API:
o Row Headers / Adding Lines to CPU
- Added imm.addHeader() and imm.getHeader() methods.
- imm.addLine behaves like addHeader()
- Added imm.removeHeader()/imm.removeLine() && imm.getHeader()/imm.getLine()
- Added imm.getTraceArgs()

o Added imm.goSilent() method.
o Added imm.undecorateName() method: Undecorate symbol names

http://forum.immunityinc.com/index.php?topic=159.0

o Added imm.Dettach() method: Dettach current process from debugger
o Added imm.prepareForNewProcess() method: Prepare Debugger core for a fresh start
o Updated BoB’s UserDB.txt (http://peid.info/BobSoft/Downloads.html)

- PyCommands:
o Added namefunc.py : a simple samplescript that uses imm.addHeader to name
functions in module
o Added traceargs.py: find User supplied arguments into a given function.
o Added JMS’s Mike & Boo script
o User Contributed PyCommands:
- BoB (http://PEiD.info/BobSoft/)
* scanpe.py (http://forum.immunityinc.com/index.php?topic=137.0)
* hidedebug.py (http://forum.immunityinc.com/index.php?topic=140.0)
* bpxep.py (http://forum.immunityinc.com/index.php?topic=138.0)

Bug Fixes:

- Fixed error when adding knowledge and changing python enviroments later.
(__dict__ not accesible in restricted mode error)

1.30 Build 0
November 1, 2007

New Features:

- Immunity Debugger API
o Hooks
- Hooks can receive force flag to overwrite previously placed hooks
- Hooks can receive time to live in memory parameter when adding
(After the TTL expires, the hook is automatically removed from memory)
- Hooks has a runTimeout method to execute code after TTL expires
o Choose thread enviroment to execute the ttl code
- Added special kind of AccessViolation hook: RunUntilAV() class
o Added setHardwareBreakpoint method
o Address deleteBreakpoint method
o Process flow:
o Improved methods:
- stepOver
- stepIn
- Run
- Attach
o Added methods:
- openProcess
- restartProcess
- pause
- runTillReturn

- PyCommands
o search allows multiple line searching: !search add esp,const\nret
o Added sql_listener and sqlhooker
o Added Example processflow script

Bug Fixes:

- Fixed imm.ps() to correctly fetch udp port list

http://forum.immunityinc.com/index.php?topic=84.0

- Fixed Get references methods

1.20 Build 0
October 1, 2007

New Features:

- Immunity Debugger API
o immlib.getThreadId() method added: return the current debuggee thread id
o immlib.getCallTree() method added: return the call tree for given address
o immlib.setFocus() method added: focus ID window
o immlib.isValidHandle() method added: check if a HWND is still valid
o immlib.getInfoPanel() method added: get information from panel window
and optionally receives a type flag to force the kind of comment fetched.
o imm.findPacker() method added: find packers/cryptors on a file or a loaded
module
o imm.getMemoryPagebyOwner(): Find all the memory pages belonging to a module.
o immlib.ps() returns two extra objects: the tcp list and the udp list
o immlib.getComment() now will try to fetch all types of comments
o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint is hit
(Decoding events timeline)
o New Vista support for libheap
o Custom Tables has “Clear Window” menu now
o Added several methods from librecognize

- PyCommands
o findpacker added. (Use of immlib.findPacker to get Packers from a module)
o recognize added. (Function Recognizing using heuristic patterns)
o Hippie now can filter by heap
o heap updated to work with new Vista Heap
o Optimized code for stackvars (Memory usage reduction during runtime)

- Core
o Pyshell can be focused once created with alt-F11
o Shortcut for attach process added: Ctrl+F1
o Added librecognition.py (Library for function recognizing)

- Graph
o immvcglib.generateGraphFromBuf() method added: play with your own vcg files!
o Redesign of VCG parser: easier to read, easier to use.

Bug Fixes:

o Return value (HWND) of createTable
o Fixed Attach Search Filtering :

http://forum.immunityinc.com/index.php?topic=49.0

o Grapher: Vertex lastline jumps correctly displayed now
o Fixed crash when searching on modules:

http://forum.immunityinc.com/index.php?topic=63.0

o Fixed search issue on protected binary:

http://forum.immunityinc.com/index.php?topic=34

o Fixed breakpoint/logpoint hooks issue (logic/stepping inside a hook)
o Fixed PyString_AsString() missbehaviour
o Fixed PyCommand Gui Arguments box to receive \x00 as argument
o Fixed imm.getModulebyAddress() to receive any module address and not only module entry point

http://forum.immunityinc.com/index.php?topic=74.0

1.1 Build 2
August 31, 2007

Python Thread entering the spiral zone has been fixed

1.1 Build 0
August 30, 2007

New Features:

o Interactive Python Shell added
o Lookaside enhanced output + Discovery option
o libdatatype “Get” Function
o Get OS information methods
o Ero Carrera’s pefile.py (http://code.google.com/p/pefile/)
o Python engine rewritten to properly use thread locking/unlocking
o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVETIONAL)
o Attach process window is now dinamically searchable
o Added clean ID memory methods inside immlib
o Added Stack analize library (libstackanalize)
o Fixed some memleak on Disasm
o Fixed wrong arguments on Disasm operand
o Improved Patch command
o Safeseh moved into a PyCommand

New Scripts:

o searchcrypt PyCommand
o stackvars PyCommand
o search PyCommand

Bug Fixes:

o Solved ‘ij’ issue inside attach window
o Fixed VCG parser (Blocks display fully address now)
o Fixed traceback error when trying to graph and no attached
o Fixed printfloat() format error
o Fixed ret value of Getaddrfromexp in case of non-existand expression

1.0 Build 42
August 1, 2007

o Released as product
o Includes:
o Full Python API:
- immlib (main lib)
- internals
- immutils
- debugtypes
- libdatatype
- libanalize
- libhook
- libevent
-
libheap
- pelib
- immvcglib
- graphclass

o Command Box (with remote listener + command line client)
o Python Orthogonal Drawing
o Examples for PyCommands/PyHooks/PyScripts
o Ready to use PyCommands/PyHooks:

chunkanalizehook Analize a Specific Chunk at a specific moment
cmpmem Compare memory with a file (file been a dump from prettyhexprint)
dependencies Find a exported function on the loaded dll
duality Looks for mapped address that can be ‘transformed’ into opcodes
findantidep Find address to bypass software DEP
finddatatype funsniff
funsniff funsniff
getevent Get a log of current debugevent
getrpc Get the RPC information of a loaded dll
heap Immunity Heap Dump
hippie Syscall Fuzzer
hookheap – DESC is not defined for this command -
list List PyCommands
lookaside – DESC is not defined for this command -
mark Static Analysis: Mark the tiny ones
modptr !modptr Patch all Function Pointers and detect when they triggered
openfile Open a File
patch Patches anti-debugging protection , [-t TYPE_OF_PROTECTION]
pyexec Non interactive python shell [immlib already imported]
searchcode Search code in memory
searchheap Search the heap for specific chunks
safeseh Show exceptions handlers registered with SEH
pe_export Export Module

o Lib references and Documentation

http://rapidshare.com/files/165317164/ImmunityDebugger_1.73_RemoveAD_KuNgBiM.7z.002

http://rapidshare.com/files/165319412/ImmunityDebugger_1.73_RemoveAD_KuNgBiM.7z.001

ollydbg moded by DeRoX November 19, 2008

Posted by reversengineering in DEBUGGER, TOOLS.
1 comment so far

OllyDRX 1.0 Lite
Author DeRoX

+ New look
+ Modified code for almost perfect hiding
+ Modified code for expanded windows
+ Modified code for %s overflow RCE exploit
+ Modified code to make symbols load properly
+ OllyDRX Plugin Patcher

http://letitbit.net/download/9cde79762956/odbg110-Olly-DRX-Lite.rar.html