Immunity Debugger

Windows assembly-level debugger, useful for analysing buffer overflows. It can also run Python scripts to automate tasks.

Layout

  • Assembly instructions of the application (the next instruction to execute is highlighted in blue)
  • CPU registers
  • Memory content (3 columns): memory address, data (hex), data (ASCII)
  • Stack content (4 columns): memory address, data (hex), data (ASCII), comments

[Figure: Immunity Debugger Layout]

Open the vulnerable app

Preferred option: the application can be restarted from within the debugger.

  • Click on menu File->Open
  • Select the application file.
  • Specify the program arguments in Arguments
  • Click on Open
  • Click on Debug->Run (twice, depending on the application).

Attach to an existing process

  • Click on File->Attach
  • Select the process and click on Attach. If several processes share the same name, use Microsoft TCPView to identify the right process ID.
  • Click on Debug->Run (twice, depending on the application).

Debugging

After opening a file, execution is paused at the program's entry point, which is not necessarily the main function.

Finding the main function

  • Right-click on the Assembly code window (upper left) and select Search for->All referenced text strings.
  • Look for a string printed by main (usually a message about the number of program arguments supplied).
  • Double-click on the string. The instruction will now be highlighted in blue in the Assembly code window.

Breakpoints

In the Assembly code window:

  • Right-click on the instruction and click Breakpoint->Toggle (F2). The instruction address will be highlighted in cyan.
  • Click on Debug->Run (F9) to get to the breakpoint.

Stepping

  • Debug->Step into (F7): one instruction at a time, entering called functions
  • Debug->Step over (F8): one instruction at a time, executing called functions without entering them
  • Debug->Run (F9): continue normal execution of the program

Bad Characters

Send every byte value from 0x00 to 0xFF in the part of the buffer reserved for the shellcode. When the application crashes, right-click on ESP in the registers window and select Follow in Dump to view the input buffer in memory. Any byte that is missing or altered in the dump is a bad character; since everything after it is usually shifted or truncated, remove it from the sequence and repeat until the whole sequence arrives intact.
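The comparison step above, written out as an added Python example (not part of the original page or of Immunity Debugger): it diffs the byte sequence that was sent against the bytes read back from the dump, reports only the first divergence, and repeats with that byte excluded. The function names and the simulated_target stand-in for the application are constructed for this example.

```python
def reference_bytes(exclude=()):
    """All byte values 0x00..0xFF, minus the bad characters already known."""
    return bytes(b for b in range(256) if b not in set(exclude))


def first_bad_char(sent, observed):
    """Return the first byte of `sent` that is missing or altered in `observed`
    (the bytes read back via Follow in Dump), or None if all arrived intact.

    Only the first divergence is meaningful: once the application drops or
    rewrites one byte, everything after it is shifted or truncated, so the
    test is repeated with that byte excluded until nothing diverges.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_all_bad_chars(send_and_dump, known=(0x00,)):
    """Repeat send -> crash -> Follow in Dump until the sequence survives.

    `send_and_dump` stands in for the manual cycle: it takes the bytes to send
    and returns what ended up in memory. 0x00 is assumed bad from the start
    because it terminates C strings.
    """
    bad = list(known)
    while True:
        sent = reference_bytes(bad)
        b = first_bad_char(sent, send_and_dump(sent))
        if b is None:
            return sorted(bad)
        bad.append(b)


def simulated_target(data):
    """Constructed stand-in for an application (not a real program): a C string
    copy stops at the first NUL and a line-oriented parser strips CR and LF."""
    return data.split(b"\x00")[0].replace(b"\r", b"").replace(b"\n", b"")


if __name__ == "__main__":
    found = find_all_bad_chars(simulated_target)
    # prints: bad characters: 0x00, 0x0a, 0x0d
    print("bad characters:", ", ".join(f"0x{b:02x}" for b in found))
```

Inside the debugger, mona performs the same diff with !mona bytearray (to generate the sequence) and !mona compare (to check it against memory).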

Go to address in Disassembler window

  • Pause execution (if not already paused)
  • Click on the toolbar icon showing a straight arrow pointing to the right with 4 vertical dots on its right
  • Enter the address in the format 0x00000000

mona.py

Plugin used when searching for a return address (the value that will overwrite EIP) for a buffer overflow.

Show all DLLs/modules loaded by the application

Type the command into the textbox at the bottom of the window:

!mona modules

Search for opcode of assembly instruction

Example with the JMP ESP instruction, whose opcode is FF E4:

!mona find -s "\xff\xe4" -m "library_name.dll"

Do not forget to check that the chosen address does not contain any of the bad characters identified earlier.