Hide Debugger for Immunity Debugger v1.8x

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.<http: //www.h4ck.org.cn>}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
 
import immlib
import immutils
def main(args):
    imm = immlib.Debugger()
    #hide debugger by wipe the BeingDebugged flag in PEB struct.
    imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00")
    #disable the process enume
    process32first = imm.getAddress("kernel32.Process32FirstW")
    process32next = imm.getAddress("kernel32.Process32NextW")
    function_list = [process32first, process32next]
    patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
    for address in function_list:
        opcode = imm.disasmForward(address,nlines = 8)
        #imm.writeMemory(opcode.address,patch_bytes)
 
    return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"
</http:>

""" (c) Mars Security. 2009-2012 Institute Of Information Serurity From Mars Email:root@h4ck.ws U{By obaby.<http: //www.h4ck.org.cn>} """ #sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs") import immlib import immutils def main(args): imm = immlib.Debugger() #hide debugger by wipe the BeingDebugged flag in PEB struct. imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00") #disable the process enume process32first = imm.getAddress("kernel32.Process32FirstW") process32next = imm.getAddress("kernel32.Process32NextW") function_list = [process32first, process32next] patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8") for address in function_list: opcode = imm.disasmForward(address,nlines = 8) #imm.writeMemory(opcode.address,patch_bytes) return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!" </http:>