其实上一篇文章完全是拷贝来的,目的是做个本地备份。 😀 最近开始将一些工作转移到ImmDbg,在此之前是想在OD的脚本中做一些简单的工作来实现一些内存数据的修改以及写入功能,但是事实上由于OD脚本的API函数有限,要实现诸如文件读取之类的工作发现基本没什么可能,当然了也有可能是因为自己孤陋寡闻, :8 如果谁知道相关的APi还望不吝赐教。 
Starting to write Immunity Debugger PyCommands : my cheatsheet 『Rw』
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience.
Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc…. Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules… Not an easy task.
It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them to work, and would still not solve some issues I was having while writing exploits.
OllyDbg and Immunity Debugger are quite different than windbg. Not only the GUI is very much different, the number of plugins for these debuggers is substantially higher. After evaluating both of them (they pretty much have the same look and feel), and evaluating the way plugins can be added, I made the decision to focus on Immunity Debugger.
That does not mean OllyDbg is a bad debugger or is limited in what you can do in terms of writing plugins… I just found it harder to “quickly tweak a plugin” while building an exploit. OllyDbg plugins are compiled into dll’s, so changing a plugin would require me to recompile and test. Immunity Debugger uses python scripts. I can go into the script, make a little change, and see the results right away. Simple.
IDA Sync Plugin v3.0.1 for IDA Pro 6.x
基于IDA的逆向分析协同工具目前还没有发现比较好用的东西,而像传统的基于源代码的开发IDE则有比较多的选择。对于大型项目和代码的分析,仅靠一人之力其实是比较困难的,并且需要分析的内容太多。这也是这个插件开发出来的原因。
ida-sync-plugin for ida 6.x opensource
公开ida sync plugin源代码,项目地址:http://code.google.com/p/ida-sync-plugin/。
IDA_SYNC_PLUGIN (v2.0.0.1) for IDA 6.x
这个插件已经有很多年的历史了,话说也好几百年没更新了。不知道还有冇淫用这个东西,前一段时间曾经编译了支持6.x的插件,http://www.h4ck.org.cn/2012/06/ida-sync-for-ida-6-x/。但是在使用的过程中发现还是有很多问题的,比如函数名称push的问题。
PyDbg安装(《Python 灰帽子》)
这本书是这两天刚买到的,从前天开始看,然后到昨天晚上就看完了,整体的感觉就是书的内容虽然不错但是感觉有点太少了,一种意犹未尽的感觉。
Calling IDA APIs from IDAPython with ctypes
IDAPython 提供了一些列封装好的ida sdk函数,但是由于SWIG的限制或者一切其他的原因有一部分api并没有封装到这个库中。为了能够调用在idapython中没有封装的api函数get_loader_name(),但是又不想因为调用这么一个简单的函数而编写一个插件进行测试,那么此时就可以使用ctypes 来实现了。
所有IDA API都是由ida的核心动态库来提供的,在Windows系统下这个库为ida.wll(或者ida64.wll),在linux系统下为libida[64].so,在os x系统下为libida[64].dylib. ctypes提供了一个非常好的功能来创建一个封装的Dll到处函数类,可以把他们看成一个类实例的属性来调用。下面的代码用于获取不同系统下的ida实例:
import ctypes
import sys
idaname = "ida64" if __EA64__ else "ida"
if sys.platform == "win32":
dll = ctypes.windll[idaname + ".wll"]
elif sys.platform == "linux2":
dll = ctypes.cdll["lib" + idaname + ".so"]
elif sys.platform == "darwin":
dll = ctypes.cdll["lib" + idaname + ".dylib"]
我们使用windll是因为ida的api在windows系统下是使用stdcall调用约定的(可以通过查看pro.h中队用的idaapi的定义来确定调用类型)
现在我们只需要像调用一个dll对象的一个属性一样来调用我们的函数,但是首先我们要准备好我们函数需要的参数,下面是从loader.hpp中得到的函数的定义:
idaman ssize_t ida_export get_loader_name(char *buf, size_t bufsize);
ctypes提供了一个非常方便的函数来创建字符buffer:
buf = ctypes.create_string_buffer(256)