Hide Debugger for Immunity Debugger v1.8x

"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.<http: //www.h4ck.org.cn>}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
 
import immlib
import immutils
def main(args):
    imm = immlib.Debugger()
    #hide debugger by wipe the BeingDebugged flag in PEB struct.
    imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00")
    #disable the process enume
    process32first = imm.getAddress("kernel32.Process32FirstW")
    process32next = imm.getAddress("kernel32.Process32NextW")
    function_list = [process32first, process32next]
    patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
    for address in function_list:
        opcode = imm.disasmForward(address,nlines = 8)
        #imm.writeMemory(opcode.address,patch_bytes)
 
    return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"
</http:>

This script removes debugger detection based on the IsDebuggerPresent function. Save the code above as hidedbg.py in Immunity Debugger's PyCommands directory, then run it from the Immunity Debugger command window.
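To see what the one-byte write actually changes, here is an added, self-contained model of the PyCommand (not code from the post or from Immunity Inc): a stand-in for the `immlib.Debugger` calls the script uses (`getPEBAddress`, `readMemory`, `writeMemory`) over a constructed PEB prefix, with `is_debugger_present` emulating the check kernel32!IsDebuggerPresent performs. The PEB address and field values are assumptions; the +0x2 offset of BeingDebugged is the one the script relies on.

```python
import struct

# Constructed PEB prefix, little-endian x86 layout of the first fields:
#   +0x0 InheritedAddressSpace, +0x1 ReadImageFileExecOptions,
#   +0x2 BeingDebugged, +0x3 BitField, +0x4 Mutant, +0x8 ImageBaseAddress
PEB_ADDRESS = 0x7FFDF000            # assumed address; any value works here
BEING_DEBUGGED_OFFSET = 0x2
MUTANT = 0xFFFFFFFF                 # assumed sample value (INVALID_HANDLE_VALUE)
IMAGE_BASE = 0x00400000             # assumed sample value


class FakeDebugger:
    """Minimal stand-in for immlib.Debugger backed by a flat bytearray."""

    def __init__(self, peb_bytes):
        self.mem = bytearray(peb_bytes)

    def getPEBAddress(self):
        return PEB_ADDRESS

    def readMemory(self, address, size):
        off = address - PEB_ADDRESS
        return bytes(self.mem[off:off + size])

    def writeMemory(self, address, data):
        off = address - PEB_ADDRESS
        self.mem[off:off + len(data)] = data


def make_peb(being_debugged):
    """Build the 12-byte PEB prefix with BeingDebugged set or cleared."""
    return struct.pack("<BBBBII", 0, 0, 1 if being_debugged else 0, 0,
                       MUTANT, IMAGE_BASE)


def is_debugger_present(imm):
    """Emulates kernel32!IsDebuggerPresent: PEB->BeingDebugged != 0."""
    flag = imm.readMemory(imm.getPEBAddress() + BEING_DEBUGGED_OFFSET, 1)
    return flag != b"\x00"


def hide_debugger(imm):
    """The PyCommand's patch: overwrite PEB->BeingDebugged with a zero byte."""
    imm.writeMemory(imm.getPEBAddress() + BEING_DEBUGGED_OFFSET, b"\x00")


def demo():
    """Returns (check before patch, check after patch, neighbours intact)."""
    imm = FakeDebugger(make_peb(being_debugged=True))
    before = is_debugger_present(imm)
    hide_debugger(imm)
    after = is_debugger_present(imm)
    # The write must touch exactly one byte: Mutant and ImageBaseAddress stay.
    intact = imm.readMemory(PEB_ADDRESS + 4, 8) == struct.pack("<II", MUTANT, IMAGE_BASE)
    return before, after, intact
```

Only checks that read this PEB byte are affected by the patch; the model makes that boundary explicit by asserting the adjacent fields are unchanged.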
