Example 9-3. PyCommand script to neuter DeleteFile
    import immlib

    def Patch_DeleteFileA(imm):
        # ❷ Resolve the address of the exported DeleteFileA function
        delfileAddress = imm.getAddress("kernel32.DeleteFileA")
        if (delfileAddress <= 0):
            imm.log("No DeleteFile to patch")
            return
        imm.log("Patching DeleteFileA")
        # Stub: EAX = 0 (FALSE), then return and pop the one stdcall argument
        patch = imm.assemble("XOR EAX, EAX \n Ret 4")
        # ❸ Overwrite the start of DeleteFileA with the stub
        imm.writeMemory(delfileAddress, patch)

    def main(args):
        # ❶ Get a handle to the debugger and apply the patch
        imm = immlib.Debugger()
        Patch_DeleteFileA(imm)
        return "DeleteFileA is patched..."
Malware often calls DeleteFile to remove files from the system before you can copy them to another location. If you run this script via !scriptname, it will patch the DeleteFileA function, rendering it useless. The main method defined at ❶ calls Patch_DeleteFileA. This is a function we have defined at ❷ that returns the address of DeleteFileA by calling the ImmDbg API function getAddress. Once we have that location, we can overwrite the function with our own code. In this case, we overwrite it with the patch code at ❸. This code sets EAX to 0 and returns from the DeleteFileA call. This patch will cause DeleteFile to always fail, thus preventing the malware from being able to remove files from the system.
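The same idea generalizes to any stdcall export you want to neuter during analysis. The script below is an added example, not code from the book or from ImmDbg: it patches a table of exports (both DeleteFileA and DeleteFileW, each of which takes one 4-byte argument) using only the immlib calls shown above (getAddress, assemble, writeMemory, log), and includes a FakeDebugger stand-in so the logic can be exercised outside the debugger. The target table, the helper names, the fake's hard-coded instruction encoding, and the sample address are all constructed for the example.

```python
import struct

# Exports to neuter, mapped to the stdcall argument bytes each one pops on
# return. Both DeleteFile variants take one pointer argument (4 bytes).
# The table itself is an assumption of this example.
NEUTER_TARGETS = {
    "kernel32.DeleteFileA": 4,
    "kernel32.DeleteFileW": 4,
}

def fail_stub_asm(stack_bytes):
    """Assembly for a stub that returns FALSE (EAX=0) and cleans the stack."""
    return "XOR EAX, EAX \n RET %d" % stack_bytes

def patch_api(imm, name, stack_bytes):
    """Overwrite the entry of export `name` with a fail stub.

    Returns the patched address, or None when the export cannot be resolved
    (for example, the DLL is not loaded in the debuggee).
    """
    addr = imm.getAddress(name)
    if addr <= 0:
        imm.log("No %s to patch" % name)
        return None
    patch = imm.assemble(fail_stub_asm(stack_bytes))
    imm.writeMemory(addr, patch)
    imm.log("Patched %s at 0x%08x (%d bytes)" % (name, addr, len(patch)))
    return addr

def patch_all(imm, targets=NEUTER_TARGETS):
    """Patch every export in `targets`; returns {name: address or None}."""
    return dict((name, patch_api(imm, name, n)) for name, n in targets.items())

def main(args):
    # PyCommand entry point, as in Example 9-3 (import here so the module
    # also loads outside ImmDbg for the offline test below).
    import immlib
    imm = immlib.Debugger()
    done = patch_all(imm)
    return "Patched: " + ", ".join(n for n, a in done.items() if a)

class FakeDebugger:
    """Constructed stand-in for immlib.Debugger, for running this offline."""
    def __init__(self, exports):
        self.exports = exports      # name -> address, or missing
        self.memory = {}            # address -> bytes written
        self.logs = []
    def getAddress(self, name):
        return self.exports.get(name, -1)
    def assemble(self, asm):
        # Knows only the pattern this script emits: "XOR EAX, EAX \n RET n".
        # 31 C0 = xor eax, eax ; C2 imm16 = ret n (one valid x86 encoding).
        n = int(asm.split("RET")[1])
        return b"\x31\xc0\xc2" + struct.pack("<H", n)
    def writeMemory(self, addr, data):
        self.memory[addr] = data
    def log(self, msg):
        self.logs.append(msg)

if __name__ == "__main__":
    # Constructed sample: only DeleteFileA resolves, DeleteFileW does not.
    fake = FakeDebugger({"kernel32.DeleteFileA": 0x7c831f2b})
    print(patch_all(fake))
    print("\n".join(fake.logs))
```

Inside ImmDbg you would drop the FakeDebugger class and run the file as a PyCommand exactly as Example 9-3 is run; the missing-export branch matters there too, since a malware sample that resolves DeleteFileW dynamically may not have it mapped when the script runs.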
For additional information about writing Python scripts, use the Python command scripts that ImmDbg has built for reference. For further in-depth commentary on writing Python scripts for ImmDbg, see Gray Hat Python by Justin Seitz (No Starch Press, 2009).