Created
March 31, 2016 09:44
-
-
Save extremecoders-re/196a65bdbbbbc984a5438a1e5ca59895 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import immlib | |
| imm = immlib.Debugger() | |
| OEP = 0x44F308 | |
| def killWatchDogThreads(): | |
| global imm | |
| for i in xrange(3): | |
| # Get return address | |
| esp = imm.getRegs()['ESP'] | |
| returnAddress = imm.readLong(esp) | |
| # Adjust stack | |
| imm.setReg('ESP', (imm.getRegs())['ESP'] + 0x18) | |
| # Force early return | |
| imm.setReg('EIP', returnAddress) | |
| # Continue Execution | |
| imm.run() | |
| def main(args): | |
| imm.ignoreSingleStep('DISABLE') | |
| imm.setHardwareBreakpoint(OEP) | |
| imm.log('[*] Breakpoint set on OEP') | |
| addrCreateThread = imm.getAddress('kernel32.CreateThread') | |
| imm.setHardwareBreakpoint(addrCreateThread) | |
| imm.log('[*] Breakpoint set on CreateThread') | |
| imm.log('[*] Running') | |
| imm.run() | |
| # Due to somw weird problem the previous imm.run() call | |
| # return early, so we need to run again, but imm.run() | |
| # does not work without pausing the process first | |
| imm.pause() | |
| imm.run() | |
| # We break when we are in CreateThread | |
| imm.log('[*] First breakpoint on CreateThread reached...') | |
| # Allow this thread to be created | |
| imm.run() | |
| # nip other watchdog threads in the bud | |
| killWatchDogThreads() | |
| # Now we are at OEP | |
| imm.log('[*] At OEP --> %08X' %(OEP), highlight = True) | |
| return 'At OEP...' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment