破解/汇编『Crack/Asm』

Hide Debugger for Immunity Debugger v1.8x

没有评论 
"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")

import immlib
import immutils
def main(args):
    imm = immlib.Debugger()
    #hide debugger by wipe the BeingDebugged flag in PEB struct.
    imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00")
    #disable the process enume
    process32first = imm.getAddress("kernel32.Process32FirstW")
    process32next = imm.getAddress("kernel32.Process32NextW")
    function_list = [process32first, process32next]
    patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
    for address in function_list:
        opcode = imm.disasmForward(address,nlines = 8)
        #imm.writeMemory(opcode.address,patch_bytes)
    
    return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"

该脚本用于去掉基于IsDebugPresent函数的调试检测。将上面的内容保存为hidedbg.py放入immdbg的PyCommands目录下,然后在immdbg的命令窗口中执行即可。 🙂

☆文章版权声明☆

* 网站名称:obaby@mars
* 网址:http://h4ck.org.cn/
*本文标题: 《Hide Debugger for Immunity Debugger v1.8x》
* 本文链接:http://h4ck.org.cn/2012/06/hide-debugger-for-immunity-debugger-v1-8x/
* 转载文章请标明文章来源,原文标题以及原文链接。请遵从 《署名-非商业性使用-相同方式共享 2.5 中国大陆 (CC BY-NC-SA 2.5 CN) 》许可协议。

分享文章:

相关文章:

  1. mona for Immunity Debugger v1.8x
  2. Immunity Debugger 1.83 SDK
  3. Immunity Debugger 1.8x Wow64 Plugin v2.0.0.1
  4. MemViewer 1.0 for OllyDbg v1.0 and Immunity Debugger v1.8x
  5. Immunity Debugger 1.80
  6. Immunity Debugger v1.85
  7. Immunity Debugger 1.85 Wow64 Plugin v1.0.0.1
  8. FullDisasm : plugin OllyDbg & Immunity Debugger
  9. Starting to write Immunity Debugger PyCommands : my cheatsheet 『Rw』
  10. Multimate Assembler v1.7.Plugin for OllyDbg and Immunity Debugger

猜你喜欢:

发表回复

您的电子邮箱地址不会被公开。