"""JoeBP""" # -*- coding: utf-8 -*- import getopt import immutils from immlib import * AppName = "JoeBP" imm = Debugger() def usage(imm): imm.log(" !joebp -options ") imm.log(" ") imm.log(" %s By Joe Giron >|< Gironsec.com " % (AppName),focus=1, highlight=1) imm.log(" ") imm.log(" Description:") imm.log(" ") imm.log(" Sets the proper common breakpoints useful for malware analysis. ") imm.log(" Breaks on file operations, registry, processes, threads, dlls, sleeping, memory manipulation, and more. ") imm.log(" ") imm.log(" Usage:") imm.log(" ") imm.log(" -n Set network operation breakpoints for winsock and wininet.") imm.log(" ") imm.log(" -f Set file operation breakpoints.") imm.log(" ") imm.log(" -p Set process creation / manipulation breakpoints") imm.log(" ") imm.log(" -t Set thread operation / creation breakpoints.") imm.log(" ") imm.log(" -m Set memory allocation / manipulation breakpoints.") imm.log(" ") imm.log(" -s Set sleep / timing breakpoints.") imm.log(" ") imm.log(" -r Set registry operation breakpoints.") imm.log(" ") imm.log(" -x Set breaks for exploit codes.") imm.log(" ") imm.log(" -e Set all options.") imm.log(" ") imm.log(" -h Shows help menu(this).") def FileBP(imm): imm.setBreakpointOnName("kernel32.CreateFileA") #file stuff imm.setBreakpointOnName("kernel32.CreateFileW") imm.setBreakpointOnName("kernel32.WriteFileEx") imm.setBreakpointOnName("kernel32.WriteFile") imm.setBreakpointOnName("kernel32.MoveFileA") imm.setBreakpointOnName("kernel32.MoveFileW") imm.setBreakpointOnName("kernel32.MoveFileExA") imm.setBreakpointOnName("kernel32.MoveFileExW") imm.setBreakpointOnName("kernel32.CopyFileA") imm.setBreakpointOnName("kernel32.CopyFileW") imm.setBreakpointOnName("kernel32.CopyFileExA") imm.setBreakpointOnName("kernel32.CopyFileExW") def ProcBP(imm): imm.setBreakpointOnName("kernel32.ExitProcess") #process stuff imm.setBreakpointOnName("kernel32.OpenProcess") imm.setBreakpointOnName("kernel32.CreateRemoteThread") imm.setBreakpointOnName("kernel32.TerminateProcess") imm.setBreakpointOnName("kernel32.CreateProcessA") imm.setBreakpointOnName("kernel32.CreateProcessW") imm.setBreakpointOnName("kernel32.CreateProcessWithLogonW") imm.setBreakpointOnName("kernel32.GetModuleHandleA") imm.setBreakpointOnName("kernel32.GetModuleHandleW") imm.setBreakpointOnName("kernel32.GetModuleFileNameA") imm.setBreakpointOnName("kernel32.GetModuleFileNameW") imm.setBreakpointOnName("kernel32.GetModuleHandleExA") imm.setBreakpointOnName("kernel32.GetModuleHandleExW") imm.setBreakpointOnName("kernel32.LoadLibraryA") imm.setBreakpointOnName("kernel32.LoadLibraryW") imm.setBreakpointOnName("kernel32.LoadLibraryExA") imm.setBreakpointOnName("kernel32.LoadLibraryExW") imm.setBreakpointOnName("kernel32.GetProcAddress") imm.setBreakpointOnName("kernel32.LoadModule") imm.setBreakpointOnName("kernel32.CreateToolhelp32Snapshot") imm.setBreakpointOnName("kernel32.Toolhelp32ReadProcessMemory") #if imm.findModuleByName("user32.dll"): # imm.setBreakpointOnName("user32.EndTask") #else: # return "user32.dll is not loaded and thus, BP's cannot be set on it" def ThreadBP(imm): imm.setBreakpointOnName("kernel32.CreateThread") #thread stuff imm.setBreakpointOnName("kernel32.ExitThread") imm.setBreakpointOnName("kernel32.TerminateThread") imm.setBreakpointOnName("kernel32.ResumeThread") imm.setBreakpointOnName("kernel32.SuspendThread") imm.setBreakpointOnName("kernel32.GetThreadContext") imm.setBreakpointOnName("kernel32.SetThreadContext") imm.setBreakpointOnName("ntdll.ZwResumeThread") imm.setBreakpointOnName("ntdll.ZwSuspendThread") imm.setBreakpointOnName("RtlCreateUserThread") def MemBP(imm): imm.setBreakpointOnName("kernel32.ReadProcessMemory") #memory stuff imm.setBreakpointOnName("kernel32.WriteProcessMemory") imm.setBreakpointOnName("kernel32.MapViewOfFile") imm.setBreakpointOnName("kernel32.MapViewOfFileEx") imm.setBreakpointOnName("kernel32.VirtualProtect") imm.setBreakpointOnName("kernel32.VirtualProtectEx") imm.setBreakpointOnName("kernel32.VirtualQuery") imm.setBreakpointOnName("kernel32.VirtualQueryEx") imm.setBreakpointOnName("kernel32.VirtualAlloc") imm.setBreakpointOnName("kernel32.VirutalAllocEx") imm.setBreakpointOnName("kernel32.LocalAlloc") imm.setBreakpointOnName("kernel32.GetProcessHeap") imm.setBreakpointOnName("ntdll.ZwUnmapViewOfSection")#ntdll special imm.setBreakpointOnName("ntdll.ZwMapViewOfSection") imm.setBreakpointOnName("ntdll.ZwReadVirtualMemory") imm.setBreakpointOnName("ntdll.ZwWriteVirtualMemory") imm.setBreakpointOnName("ntdll.memcpy") imm.setBreakpointOnName("ntdll.memset") #if IsItXP() != True: # imm.setBreakpointOnName("kernel32.HeapAlloc") # only works on win7 # imm.setBreakpointOnName("ntdll.NtCreateSection") # only works on win7 # imm.setBreakpointOnName("ntdll.NtQueryInformationProcess") # only works on win7 def SleepBP(imm): imm.setBreakpointOnName("kernel32.Sleep") #sleep stuff imm.setBreakpointOnName("kernel32.SleepEx") imm.setBreakpointOnName("kernel32.QueryPerformanceCounter") imm.setBreakpointOnName("kernel32.GetTickCount") #if IsItXP() != True: # imm.setBreakpointOnName("kernel32.GetTickCount64") # only works on win7 def RegBP(imm): if imm.findModuleByName("advapi32.dll"): imm.setBreakpointOnName("advapi32.RegDeleteValueA") imm.setBreakpointOnName("advapi32.RegDeleteValueW") imm.setBreakpointOnName("advapi32.RegEnumKeyA") imm.setBreakpointOnName("advapi32.RegEnumKeyExA") imm.setBreakpointOnName("advapi32.RegEnumKeyExW") imm.setBreakpointOnName("advapi32.RegEnumKeyW") imm.setBreakpointOnName("advapi32.RegEnumValueA") imm.setBreakpointOnName("advapi32.RegEnumValueW") imm.setBreakpointOnName("advapi32.RegOpenKeyA") imm.setBreakpointOnName("advapi32.RegOpenKeyExA") imm.setBreakpointOnName("advapi32.RegOpenKeyExW") imm.setBreakpointOnName("advapi32.RegOpenKeyW") imm.setBreakpointOnName("advapi32.RegQueryMultipleValuesA") imm.setBreakpointOnName("advapi32.RegQueryMultipleValuesW") imm.setBreakpointOnName("advapi32.RegQueryValueA") imm.setBreakpointOnName("advapi32.RegQueryValueExA") imm.setBreakpointOnName("advapi32.RegQueryValueExW") imm.setBreakpointOnName("advapi32.RegQueryValueW") imm.setBreakpointOnName("advapi32.RegReplaceKeyA") imm.setBreakpointOnName("advapi32.RegReplaceKeyW") imm.setBreakpointOnName("advapi32.RegRestoreKeyA") imm.setBreakpointOnName("advapi32.RegRestoreKeyW") imm.setBreakpointOnName("advapi32.RegSaveKeyA") imm.setBreakpointOnName("advapi32.RegSaveKeyExA") imm.setBreakpointOnName("advapi32.RegSaveKeyExW") imm.setBreakpointOnName("advapi32.RegSaveKeyW") imm.setBreakpointOnName("advapi32.RegSetValueA") imm.setBreakpointOnName("advapi32.RegSetValueExA") imm.setBreakpointOnName("advapi32.RegSetValueExW") imm.setBreakpointOnName("advapi32.RegSetValueW") imm.setBreakpointOnName("advapi32.RegUnLoadKeyA") imm.setBreakpointOnName("advapi32.RegUnLoadKeyW") else: return "advapi32.dll is not loaded, thus registry actions cannot be logged for BP's" def ExploitBPS(imm): imm.setBreakpointOnName("kernel32.WinExec") imm.setBreakpointOnName("kernel32.CreateProcessA") imm.setBreakpointOnName("kernel32.CreateProcessW") imm.setBreakpointOnName("kernel32.VirtualAlloc") imm.setBreakpointOnName("kernel32.VirtualAllocEx") imm.setBreakpointOnName("kernel32.VirtualProtect") imm.setBreakpointOnName("kernel32.VirtualProtectEx") imm.setBreakpointOnName("kernel32.WriteProcessMemory") imm.setBreakpointOnName("kernel32.CreateRemoteThread") imm.setBreakpointOnName("kernel32.CreateFileA") imm.setBreakpointOnName("kernel32.CreateFileW") imm.setBreakpointOnName("kernel32.WriteFile") imm.setBreakpointOnName("kernel32.ReadProcessMemory") if imm.findModuleByName("shell32.dll"): imm.setBreakpointOnName("shell32.ShellExecuteA") imm.setBreakpointOnName("shell32.ShellExecuteExA") imm.setBreakpointOnName("shell32.ShellExecuteW") imm.setBreakpointOnName("shell32.ShellExecuteExW") else: return "shell32.dll not loaded" if imm.findModuleByName("wininet.dll"): imm.setBreakpointOnName("wininet.closesocket") imm.setBreakpointOnName("wininet.accept") imm.setBreakpointOnName("wininet.listen") imm.setBreakpointOnName("wininet.send") imm.setBreakpointOnName("wininet.recv") imm.setBreakpointOnName("wininet.bind") imm.setBreakpointOnName("wininet.WSASocketW") imm.setBreakpointOnName("wininet.WSAStartup") else: return "wininet.dll not loaded" if imm.findModuleByName("urlmon.dll"): imm.setBreakpointOnName("urlmon.URLDownloadToFileA") imm.setBreakpointOnName("urlmon.URLDownloadToFileW") else: return "urlmon.dll not loaded" def NetBP(imm): if imm.findModuleByName("wininet.dll"): imm.setBreakpointOnName("wininet.InternetReadFile")# http imm.setBreakpointOnName("wininet.InternetOpenUrlA") imm.setBreakpointOnName("wininet.InternetOpenUrlW") imm.setBreakpointOnName("wininet.InternetOpenA") imm.setBreakpointOnName("wininet.InternetOpenW") imm.setBreakpointOnName("wininet.InternetCrackUrlA") imm.setBreakpointOnName("wininet.InternetCrackUrlW") imm.setBreakpointOnName("wininet.InternetQueryOptionW") imm.setBreakpointOnName("wininet.InternetQueryOptionA") imm.setBreakpointOnName("wininet.InternetQueryDataAvailable") imm.setBreakpointOnName("wininet.InternetReadFile") imm.setBreakpointOnName("wininet.InternetReadFileEx") imm.setBreakpointOnName("wininet.InternetSetOptionW") imm.setBreakpointOnName("wininet.InternetSetOptionA") imm.setBreakpointOnName("wininet.InternetConnectA") imm.setBreakpointOnName("wininet.InternetConnectW") imm.setBreakpointOnName("wininet.InternetCloseHandle") imm.setBreakpointOnName("wininet.HttpSendRequestA") imm.setBreakpointOnName("wininet.HttpSendRequestW") imm.setBreakpointOnName("wininet.HttpOpenRequestA") imm.setBreakpointOnName("wininet.HttpOpenRequestW") imm.setBreakpointOnName("wininet.HttpQueryInfoA") imm.setBreakpointOnName("wininet.HttpQueryInfoW") else: imm.log("wininet / winsock not loaded. Cannot set net breakpoints!") if imm.findModuleByName("ws2_32.dll"): imm.setBreakpointOnName("ws2_32.WSAStartup") # internet imm.setBreakpointOnName("ws2_32.inet_add") imm.setBreakpointOnName("ws2_32.inet_ntoa") imm.setBreakpointOnName("ws2_32.send") imm.setBreakpointOnName("ws2_32.recv") imm.setBreakpointOnName("ws2_32.WSASend") imm.setBreakpointOnName("ws2_32.WSARecv") imm.setBreakpointOnName("ws2_32.WSACleanup") else: imm.log("wininet / winsock not loaded. Cannot set net breakpoints!") if imm.findModuleByName("winhttp.dll"): imm.setBreakpointOnName("winhttp.WinHttpQueryDataAvailable") # internet imm.setBreakpointOnName("winhttp.WinHttpReceiveResponse") imm.setBreakpointOnName("winhttp.WinHttpSendRequest") imm.setBreakpointOnName("winhttp.WinHttpOpenRequest") imm.setBreakpointOnName("winhttp.WinHttpConnect") imm.setBreakpointOnName("winhttp.WinHttpOpen") imm.setBreakpointOnName("winhttp.WinHttpReadData") imm.setBreakpointOnName("winhttp.WinHttpSetOption") def DoEmAll(imm): ProcBP(imm) RegBP(imm) MemBP(imm) ThreadBP(imm) FileBP(imm) SleepBP(imm) NetBP(imm) def main(args): if not args: usage(imm) try: opts, filler = getopt.getopt(args, "xnfptmsreh:") for o,a in opts: if o == "-x": ExploitBPS(imm) return "Exploit BP's have been set." if o == "-n": NetBP(imm) return "Network operation breakpoints set." if o == "-f": FileBP(imm) return "File Operation breakpoints set." if o == "-p": ProcBP(imm) return "Process creation / manipulation breakpoints set." if o == "-t": ThreadBP(imm) return "Thread creation / manipulation breakpoints set." if o == "-m": MemBP(imm) return "Memory allocation / manipulation breakpoints set." if o == "-s": SleepBP(imm) return "Timing and sleep operations will now be watched." if o == "-r": RegBP(imm) return "Registry accesses will now be hit." if o == "-e": DoEmAll(imm) return "All options set. Have a nice day!" if o == "-h": usage(imm) except: usage(imm) return "" # vvvvvvvvv FUCKING WORTHLESS AND BUSTED def IsItXP(): import platform if(Platform.win32_ver()[0]) == "XP": return True else: return False