This is the Corelan Team project page for 'mona', a PyCommand for Immunity Debugger.
This PyCommand replaces pvefindaddr, which is no longer supported as of mid-June 2011. The PyCommand has been tested on Immunity Debugger 1.83; older versions of Immunity Debugger are not supported and may not work.
Hide Debugger for Immunity Debugger v1.8x
"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
import immlib
import immutils
def main(args):
imm = immlib.Debugger()
#hide debugger by wipe the BeingDebugged flag in PEB struct.
imm.writeMemory (imm.getPEBAddress() + 0x2,"\x00")
#disable the process enume
process32first = imm.getAddress("kernel32.Process32FirstW")
process32next = imm.getAddress("kernel32.Process32NextW")
function_list = [process32first, process32next]
patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
for address in function_list:
opcode = imm.disasmForward(address,nlines = 8)
#imm.writeMemory(opcode.address,patch_bytes)
return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"
This script removes debugger detection based on the IsDebuggerPresent function. Save the content above as hidedbg.py in the PyCommands directory of Immunity Debugger, then run it from the ImmDbg command window. Note that it only clears the BeingDebugged byte, so checks that rely on other indicators are unaffected.
Visual DuxDebugger 3.9
The first 64-bit visual debugger for Windows
Visual DuxDebugger is a disassembler especially created to use all the resources provided by Windows 64-bit.
Driver debugging based on Visual Studio and a virtual machine
Immunity Debugger v1.85
Click here to download!
PEBrowseDbg64 Interactive v2.9.0
PEBrowse Professional Interactive and PEBrowseDbg64 Interactive build upon the framework presented by PEBrowse Professional to create very powerful, versatile, and customizable Win32 and Win64 user mode debuggers/disassemblers, respectively. PEBrowse Interactive is not a source code debugger, but operates at the Intel x86 instruction level and therefore at the lowest level where your program executes. The debugger fully supports Microsoft .NET managed processes and seamlessly allows interop or mixed-mode debugging. PEBrowseDbg64 Interactive is an x64 native-code debugger that fully supports 32 and 64-bit .NET programs, includes using pre-JITted metadata to set breakpoints and steps through .NET thunks. PEBrowse Interactive can be set as the startup debugger using the system registry Image File Execution Options key – useful for debugging ASP.NET applications.
Download link: http://www.smidgeonsoft.prohosting.com/pebrowse-pro-interactive-debugger.html
It is hard to choose a 64-bit debugger. Any other choice?
MDbg 32Bit Version 1.0
Tired of WinDbg or OllyDbg? Here is a debugger that gives you a brand-new debugging experience.
MyDebug is not a demo program or a debugger prototype. MyDebug is a practical, feature-rich debugger. Thanks to everyone who supports MyDebug and VMPDebugger, and happy debugging!
Only a 32-bit version is available for now; please report bugs and send any suggestions or comments promptly.
Author's blog link: http://hi.baidu.com/vmpdebugger Click here to download directly, or click here for the PEDIY (看雪) page! I tried it and it is very well done; looking forward to the 64-bit version.