Dailydave mailing list archives

Release: Immunity Debugger v1.80
From: Sean Heelan <sean () immunityinc com>

Date: Mon, 06 Dec 2010 17:03:09 -0500

Hi guys,

We have just uploaded Immunity Debugger v1.80 to the website [1] (How the auto-updater works has changed so please update by hand and rm the old Immunity Debugger entirely prior to installation).

New Features:

* Analysis engine for converting x86 code to SMT formulae (see Libs/x86smt/sequenceanalyzer.py). For now we use CVC3 to provide the backend SMT solver API. (You must add Libs/x86smt/ to your PATH as two required dlls reside there).
* Preliminary DEPLIB v2 scripts built on top of the above analysis engine for finding ROP gadgets (see PyCommands/deplib/findpivot.py and PyCommands/deplib/find_gadget.py).
* Early versions of libraries for building static analysis tools on top of ID (See Libs/pathgenerator.py). These are independent of the x86smt libraries but combinations of both can work well (see Libs/x86smt/pathwalker.py, PyCommands/x86smt/find_int_overflow.py and PyCommands/pathogen.py).

Bug Fixes:

* The advertisements have been tamed somewhat and have a 78% lower chance of popping out and tearing your eyes out.
* Lots of other cleanups and annoyance removals that we didn't make note of but probably should have for a more impressive looking 'Bug Fixes' list.

Usage Notes:

* The list of instructions handled by the SequenceAnalyzer doesn't include the entire x86 instruction set. A large number of commonly used instructions are there but those that aren't handled will result in an exception being raised by the analyze() function if they are encountered. If you're wondering why some scripts aren't working as you might think over a particular code sequence then it's possible one such instruction exists in the code. Setting the _debug flag of the SequenceAnalyzer for that script will dump info to the log window if this is the case. Anything with a REP prefix isn't handled as looping constructs can't be directly represented in an SMT formula. For these instructions the usual approach is to 'unroll' the instruction by repeating it multiple times. For other instructions feel free to submit a patch :)
* find_int_overflow.py is an early proof-of-concept script. You'll notice that many false positives occur on additions to ESP, for example. Before it's really usable the rest of the arithmetic instructions need to be added to Libs/x86smt/bugcheckers/intoverflow.py and ideally some mechanism for preloading the checker with knowledge such as 'X < ESP < Y' where X and Y are some sane values. Also the handling of call instructions should support pre/post conditions so as to avoid re-analysing the same calls in the same context and to avoid insane interprocedural run times.
* Documentation on the new features is currently in the form of scripts found in PyCommands/deplib and PyCommands/x86smt. We'll document these APIs in a slightly more sensible way in the future but for now the variety of scripts in those directories provides good coverage of what is possible. In particular:
  - Libs/deplib/libgadgets.py, PyCommands/deplib/finder.py and PyCommands/deplib/findpivot.py (for DEPLIB stuff)
  - Libs/x86smt/pathwalker.py (for dealing with conditional jumps via the solver)
  - PyCommands/x86smt/varbounds.py (for basic solver usage)
  - PyCommands/deplib/find_gadget.py (for slightly more involved usage)

For !findpivot (and any scripts you may write that rely on the deplib20.py backend) you first need to run !gadgets_db to build a gadget database. For find_gadgets.py a simpler/more primitive format is used for now. For this script you first run !gadgets DLLNAME which will find all gadgets in the given .dll and log the name of a pickle file containing the details to the log window. This filename can then be passed to !find_gadget -g NAME ... etc.

For some of the higher level ideas behind some of the new features check out Pablo's Ekoparty presentation and my Ruxcon/Kiwicon presentation [2].

Bug reports can be logged on the forums at http://forum.immunityinc.com or sent to immunitydebugger () immunityinc com. Any feedback, feature requests, patches or whatever are also greatly appreciated.

Thanks,
The Immunity Debugger team

(Btw, the Python API docs aren't *entirely* accurate right now. We'll upload an update addressing that soon enough but for now we're more interested in getting the code out in the world)

[1] http://www.immunityinc.com/products-immdbg.shtml
[2] http://www.immunityinc.com/resources-papers.shtml
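The two usage notes above (REP-prefixed instructions have to be unrolled because an SMT formula has no loop, and an overflow checker needs preconditions such as 'X < ESP < Y' to avoid false positives on stack-pointer arithmetic) are easier to see with a concrete encoding. The following is an added example written for this page; it is not code from Immunity Debugger or its x86smt libraries, which drive CVC3 through its API rather than through text. It emits SMT-LIB 2 text for a 32-bit `add` with the signed-overflow predicate a checker would hand to the solver, a bounded register precondition, and a `rep movsb` unrolled K times with each iteration guarded on the remaining count. The names (Formula, add_with_overflow_query, bound_register, unroll_rep_movsb), the forward-copy assumption (DF=0) and the sample stack range are all hypothetical choices for the illustration.

```python
"""Added example: SMT-LIB 2 encoding of a 32-bit add with an overflow query
and of an unrolled `rep movsb`. Not part of Immunity Debugger; no solver is
needed to run it, the output is plain text a solver could be fed."""
from typing import List, Tuple

WIDTH = 32
MASK = (1 << WIDTH) - 1
SIGN = 1 << (WIDTH - 1)


def bv_lit(value: int, width: int = WIDTH) -> str:
    """SMT-LIB bit-vector literal, e.g. (_ bv5 32)."""
    return f"(_ bv{value & ((1 << width) - 1)} {width})"


class Formula:
    """Collects SMT-LIB 2 declarations and assertions for one code sequence."""

    def __init__(self) -> None:
        self.decls: List[str] = []
        self.asserts: List[str] = []

    def bv(self, name: str, width: int = WIDTH) -> str:
        self.decls.append(f"(declare-const {name} (_ BitVec {width}))")
        return name

    def mem(self, name: str) -> str:
        # Byte-addressable memory: array from 32-bit address to 8-bit cell.
        self.decls.append(
            f"(declare-const {name} (Array (_ BitVec 32) (_ BitVec 8)))")
        return name

    def add(self, expr: str) -> None:
        self.asserts.append(f"(assert {expr})")

    def text(self) -> str:
        return "\n".join(self.decls + self.asserts + ["(check-sat)"])


def sign_bit(expr: str) -> str:
    return f"((_ extract {WIDTH - 1} {WIDTH - 1}) {expr})"


def add_with_overflow_query(f: Formula, dst: str, src: str, out: str) -> str:
    """Encode `add dst, src` into `out` and return the signed-overflow predicate.

    Signed overflow: both operands share a sign bit and the result's sign bit
    differs. A checker asserts this predicate and asks for a model, i.e. for
    concrete operand values that overflow at this instruction."""
    f.bv(out)
    f.add(f"(= {out} (bvadd {dst} {src}))")
    return (f"(and (= {sign_bit(dst)} {sign_bit(src)}) "
            f"(distinct {sign_bit(dst)} {sign_bit(out)}))")


def signed_add_overflows(a: int, b: int) -> bool:
    """Concrete mirror of the predicate above (32-bit two's complement)."""
    a &= MASK
    b &= MASK
    out = (a + b) & MASK
    return (a & SIGN) == (b & SIGN) and (a & SIGN) != (out & SIGN)


def bound_register(f: Formula, reg: str, lo: int, hi: int) -> None:
    """Precondition lo < reg < hi (unsigned): e.g. tells the solver ESP lives
    in a sane stack range, so `add esp, N` cannot be reported as an overflow."""
    f.add(f"(bvult {bv_lit(lo)} {reg})")
    f.add(f"(bvult {reg} {bv_lit(hi)})")


def unroll_rep_movsb(f: Formula, k: int) -> Tuple[str, str, str, str]:
    """Unroll `rep movsb` (assumes DF=0, forward copy) k times.

    Iteration i only takes effect while the remaining count is non-zero; that
    guard is an `ite`, not a loop. Asserting ecx0 <= k makes the k-step
    unrolling exact for every count the formula admits."""
    ecx, esi, edi, mem = f.bv("ecx0"), f.bv("esi0"), f.bv("edi0"), f.mem("mem0")
    f.add(f"(bvule {ecx} {bv_lit(k)})")
    for i in range(1, k + 1):
        live = f"(distinct {ecx} {bv_lit(0)})"
        ecx_n, esi_n, edi_n = f.bv(f"ecx{i}"), f.bv(f"esi{i}"), f.bv(f"edi{i}")
        mem_n = f.mem(f"mem{i}")
        f.add(f"(= {mem_n} (ite {live} (store {mem} {edi} (select {mem} {esi})) {mem}))")
        f.add(f"(= {esi_n} (ite {live} (bvadd {esi} {bv_lit(1)}) {esi}))")
        f.add(f"(= {edi_n} (ite {live} (bvadd {edi} {bv_lit(1)}) {edi}))")
        f.add(f"(= {ecx_n} (ite {live} (bvsub {ecx} {bv_lit(1)}) {ecx}))")
        ecx, esi, edi, mem = ecx_n, esi_n, edi_n, mem_n
    return ecx, esi, edi, mem


def build_demo(k: int = 4) -> Formula:
    """Sequence: bounded ESP, `add eax, ebx` with overflow query, `rep movsb`."""
    f = Formula()
    eax, ebx, esp = f.bv("eax"), f.bv("ebx"), f.bv("esp")
    bound_register(f, esp, 0x00100000, 0x7FFF0000)  # hypothetical stack range
    f.add(add_with_overflow_query(f, eax, ebx, "eax_1"))
    unroll_rep_movsb(f, k)
    return f


if __name__ == "__main__":
    print(build_demo().text())
```

Each unrolled step introduces fresh `ecxN`/`esiN`/`ediN`/`memN` names in the style of static single assignment, so the formula stays loop-free; the `bvule ecx0 k` assertion is what makes the bound honest, since any initial count above k would need more steps than were emitted.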