PyHooks

Immunity Debugger ships with 13 different flavors of hooks, each of which you can implement as either a standalone script or inside a PyCommand at runtime. The following hook types can be used:

BpHook/LogBpHook

When a breakpoint is encountered, these types of hooks can be called. Both hook types behave the same way, except that when a BpHook is encountered it actually stops debuggee execution, whereas the LogBpHook continues execution after the hook is hit.

AllExceptHook

Any exception that occurs in the process will trigger the execution of this hook type.

2 For a full set of documentation on the Immunity Debugger Python library, refer to http:// debugger. immunityinc. com/update/Documentation/ref/.

PostAnalysisHo ok

After the debugger has finished analyzing a loaded module, this hook type is triggered. This can be useful if you have some static-analysis tasks you want to occur automatically once the analysis is finished. It is important to note that a module (including the primary executable) needs to be analyzed before you can decode functions and basic blocks using immlib.

AccessViolationHook

This hook type is triggered whenever an access violation occurs; it is most useful for trapping information automatically during a fuzzing run.

LoadDLLHook/UnloadDLLHook

This hook type is triggered whenever a DLL is loaded or unloaded.

CreateThreadHo ok/ExitThreadHo ok

This hook type is triggered whenever a new thread is created or destroyed.

CreateProcessHook/ExitProcessHook

This hook type is triggered when the target process is started or exited.

FastLogHook/STDCALLFastLogHook

These two types of hooks use an assembly stub to transfer execution to a small body of hook code that can log a specific register value or memory location at hook time. These types of hooks are useful for hooking frequently called functions; we will cover using them in Chapter 6.

To define a PyHook you can use the following template, which uses a LogBpHook as an example:

from immlib import *

class MyHook( LogBpHook ):

LogBpHook._init_( self )

# Executed when hook gets triggered

We overload the LogBpHook class and make sure that we define a run() function. When the hook gets triggered, the run() method accepts as its only argument all of the CPU's registers, which are all set at the exact moment the hook is triggered so that we can inspect or change the values as we see fit. The regs variable is a dictionary that we can use to access the registers by name, like so:

regs["ESP"]

Now we can either define a hook inside a PyCommand that can be set whenever we execute the PyCommand, or we can put our hook code in the PyHooks directory in the main Immunity Debugger directory, and our hook will automatically be installed every time Immunity Debugger is started. Now let's move on to some scripting examples using immlib, Immunity Debugger's built-in Python library.

Was this article helpful?

+3 -2

Post a comment