Immunity Debugger is now released!


nicolas.waisman
August 3rd, 2007, 20:19
Announcing Immunity Debugger v1.0

After almost a year of intensive development and internal use, we are
pleased to announce the public release of Immunity Debugger v1.0.

When we started developing Immunity Debugger our main objective was to
combine the best of the commandline based and GUI based debugger worlds.
The commandline because most of us come from a UNIX background, and it
just ends up being more efficient than clicking your way around. The GUI
because we understand that we are visual beings that often can
grasp more from a single look at a graphical layout than from two days
of x/x-ing memory pages.

The third feature we required was full flexible access to the debugging API,
the graphing engine, and the GUI API. Because having to Re-Compile
plugins is lame, we decided to make everything accessible from Python.
So we put everything together and developed something we feel very
comfortable using.

This means we ended up with a fully flexible and extendible Win32
debugger that has all of its features, both debugging and graphical,
easily accessible from its Python scripting engine.

And best of all, it's available for free. That's right, Immunity
Debugger is released for free, including free monthly updates.

Here are some cool features:

o The Python API ("Immlib/Lib reference" for full documentation)
o A full Python based graphing library
o Full debugger and GUI API access
o A flurry of cool example scripts such as:

- !heap A fully working heap dumping script (try the -d option!)
- !searchheap Searching the heap
- !hippie Trampoline hooks on RtlAllocateheap/RtlFreeHeap
- !modptr Dynamic search for function pointers in pages
- !findantidep Find address to bypass software DEP

o Writing your own scripts for your specific tasks is easy

Interested? Give Immunity Debugger a spin and download it from:
http://www.immunitysec.com/products-immdbg.shtml

For feedback or bug reports please contact support@immunityinc.com.

Happy debugging!

Thanks,
Team Immunity

PS: Yes, we will be implementing an interactive Python shell too.

LLXX
August 4th, 2007, 03:49
"Immunity". And no mention of any antiē facilities.
Quote:
Python
One word, the forced indentation of code, thread over.

deroko
August 4th, 2007, 14:06
Is this yet another Olly clone?

rendari
August 4th, 2007, 16:09
Very good. Might come in handy one day for scripting. Did you make your own disasm engine or...?

Thug4Lif3
August 5th, 2007, 00:04
The GUI is 99,99% the same as Olly. Maybe the author took the disasm engine from Olly, cuz when you use ImmDBG to analyze Themida 1.9.1.0, it crashes exactly like Olly's famous instruction analysis bug (http://www.woodmann.com/forum/showthread.php?t=10134). Haven't dug in further yet.

It seems like an Olly+Python debugger. It might be very useful in scripting and finding/writing exploits (as ImmunityInc stated).

nicolas.waisman
August 5th, 2007, 09:19
As you guys can easily guess, we license some of OllyDbg's modules and we put some effort into our Python API for easy scripting.
We did fix some bugs, but apparently we missed the one that Thug4Lif3 mentioned. I will report it to the team and get it fixed for the next release.

Thanks
Nico

Cthulhu
August 13th, 2007, 15:10
Copied from another forum:

Quote:

Ricardo Narvaja
to crackslatinos
9 Aug (4 days ago)
Infosec researchers with the Greater Alliance of PHP Programmers, headed by goudatr0n and in cooperation with David Marcus, have discovered a backdoor in the new Immunity Debugger.

1. PRODUCTS AFFECTED
Immunity Debugger (Immunity Security, http://www.immunitysec.com/products-immdbg.shtml), All Versions

2. OVERVIEW
The Immunity Debugger contains a backdoor that emails session history, running applications and other system information (location, IP address, machine Owner Name) to an email address at immunitysec.com

3. ANALYSIS
Immunity Security provides a lightweight debugger for Windows, presumably to aid in discovering 0-day security vulnerabilities. The debugger is distributed freely on the immunitysec.com website, requiring the user to register when they download it.

Presumably, this debugger is intended to be used by people searching for weaknesses in various proprietary products, due to the unsafe nature of how they are developed, where the source is not frequently audited. Since David Aitel is an attention whore who is only rivaled by Gadi Evron, and his lack of skills is evident, Immunity Security is only able to reveal 0-days by stealing them from other hackers attempting to find them.

The backdoor emails detailed system information, along with detailed debugging session information. In one such email that was intercepted, it was seen that the entire session was attached, as well as the Owner Name, external IP address, a list of running services and their versions.

4. SOLUTION
Do not trust Immunity Security's debugger. They will steal your 0-day and parade it around like they are the ones who discovered it. This will only continue to feed into David Aitel's massive ego, compensating for his tiny penis.

BROUGHT TO YOU BY GOUDATR0N AND THE GREATER ALLIANCE OF PHP PROGRAMMERS
DON'T BE DUMB
BE A SMARTY
COME AND JOIN
THE PISS PARTY

goudatr0n can be found online at irc.perl.org #perl using the nick TimToady.

--
Ricardo Narvaja

nicolas.waisman
August 13th, 2007, 15:17
As I said on the other forum, that is not true, let me forward the information:
-------------------
NO, THERE IS NO BACKDOOR AT ALL IN IMMUNITY DEBUGGER. We don't get any
system information or "debugging sessions" (???) or anything else
weird like that.

Immunity Debugger does make an HTTP connection to Immunity to look for updates
much the way Firefox or any other modern software updates.

Again, NO, we don't do any data mining.

In any case, thanks for the free advertisement "goudatr0n".

If you are still afraid, here is the list of md5 hashes:

Cheers,
Nico
--------------

You can check it yourself if you want, but there is no such thing as a backdoor; we don't log any 'debugging' information from our clients.

Nico

LLXX
August 13th, 2007, 23:56
Well, explain these strings found around 000FA400 or so:

- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" (base64 encoding array, for those less knowledgeable in this...)
- "POST http://auth.immunityinc.com/ImmunityDebugger/ID_auth.py HTTP/1.1"
- "Referer: http://auth.immunityinc.com/immauth.html" (doesn't exist, how curious)
- "dbgid="
- "&integritycheck=0"
- "POST http://auth.immunityinc.com/ImmunityDebugger/ID_reg.py HTTP/1.1"
- "Referer: http://auth.immunityinc.com/auth.html" (also doesn't exist)
- "POST /ImmunityDebugger/ID_getads.py HTTP/1.1" (WTF?)
- "&version=%d%d%d%d %s%s%d%s%s%s&lic=%s%s"
- "http://debugger.immunityinc.com/ID_adref.py?referer=%s" (WTFx2)
- some sort of advertisement in several languages

File properties:

ImmunityDebugger.exe 1501184 bytes
MD5: 88d1df93fdb89dfbf5f9dd9b617ef28e
SHA1: dcbc68b22f152fccbf21b2b500c41682f0715c11
SHA256: f5e61159c3348dfb2b033780a0e488519513b762adcb8f9e46532710ccd8f32e

I don't care why you're doing it, any program that phones home is unacceptable.
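The kind of triage LLXX describes above, pulling printable strings out of a binary and grouping the ones that look like request lines, URLs, headers and query templates, written up as an added example (not code from the thread or from Immunity). The input blob is constructed for the example from the strings quoted in the post; the real executable is not on this page.

```python
import re
from typing import Dict, List

# Constructed stand-in for part of an executable's data section. The printable
# strings are modelled on those quoted above; the binary itself is not on this page.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00\x03\x00"
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x00"
    b"\x10\x11\x12"
    b"POST http://auth.immunityinc.com/ImmunityDebugger/ID_auth.py HTTP/1.1\x00"
    b"Referer: http://auth.immunityinc.com/immauth.html\x00"
    b"dbgid=\x00&integritycheck=0\x00"
    b"\xff\xfe\x01"
    b"&version=%d%d%d%d %s%s%d%s%s%s&lic=%s%s\x00"
    b"kernel32.dll\x00GetProcAddress\x00"  # benign strings; must not be flagged
)

BASE64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# String shapes worth a second look when auditing a binary for undisclosed network traffic.
INDICATORS = {
    "http_request": re.compile(rb"^(GET|POST|PUT)\s+\S+\s+HTTP/1\.[01]$"),
    "http_header": re.compile(rb"^(Referer|User-Agent|Host|Cookie):\s"),
    "url": re.compile(rb"https?://[\w.\-]+(?:/\S*)?"),
    "query_param": re.compile(rb"(^|[&?])[A-Za-z_]+="),
}


def extract_strings(blob: bytes, min_len: int = 5) -> List[bytes]:
    """Runs of printable ASCII at least min_len bytes long, like `strings -n`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def network_indicators(blob: bytes, min_len: int = 5) -> Dict[str, List[str]]:
    """Group the blob's strings by the network indicator they resemble.

    Only categories with a hit are returned; an empty dict means nothing in the
    blob looks like a request line, URL, HTTP header, query template or base64 table.
    """
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(blob, min_len):
        if BASE64_ALPHABET in s:
            hits.setdefault("base64_alphabet", []).append(s.decode("ascii"))
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s.decode("ascii"))
    return hits


if __name__ == "__main__":
    for category, found in network_indicators(SAMPLE_BLOB).items():
        print(category, found)
```

Run against a real file by passing `open(path, "rb").read()` to `network_indicators`; a hit list is a starting point for a packet capture of what the program actually sends, not proof of it.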

nicolas.waisman
August 14th, 2007, 06:13
Stop looking for a conspiracy here.
It's simple: the business model of the software is "Ads" based. Basically, companies buy ads to offer jobs to professionals using a debugger (it's a way to give an extra service to users and to companies); it's not harmful in any sense.
You can easily check that out by clicking on any of the ads on the top right of the debugger.
On the other side, we send the version of the product to the update server to check for a new version and to inform the client about it. Yo, check your Firefox, your iTunes, your Java extensions, etc., etc.; they all do the same.
And if you're still paranoid, it's simple. Sniff it and you will see.

Cheers
Nico
Immunity, Inc

LLXX
August 14th, 2007, 21:47
In other words, adware? Major DO NOT WANT.

You basically took OllyDbg and added some crap to it.
Quote:
Yo, check your firefox, your itunes, your java extensions, etc, etc, they all do the same.
I use none of those.

...and I'll let the other users here make up their own minds on what to think of this:
Quote:
We collect, use, and sell any information you send us, within the bounds of law. This may include Apache log information, or any other information you send to this server or other Immunity servers.


Thread over.

Woodmann
August 14th, 2007, 23:18
Howdy,

I have the highest regards for LLXX. I respect LLXX's opinion greatly.

There are not many people I have higher respect for, BUT if the Nico I know (we have met) were to voice his opinion on this I would be very happy.

Woodmann

blabberer
August 15th, 2007, 02:34
Immunity Debugger is Olly with Python, that's all it is, same bugs

nothing more nothing less, and the Python addition is a bit sloppy too
I've seen a few included .pys crashing and taking down ImmDbg along with them (simply not expected from a buffer overflow detecting, fuzzing, exploiting, advisory-writing team of so-called experts who sell Canvas kinda things for lots and lots of $$$$$$$)

if this was professional work that makes the makers swell with pride in releasing a top class product then I doubt it

for example if you read the help file a bit closely you would see it was given to a third class funky dude sweating out in sweatshops for peanuts like a monkey with an explicit order to find OllyDbg and replace it with ImmDbg

Quote:

Version 1.0 is a final release. This project is closed and I will
no longer support it. But don't be afraid: Immunity Debugger 2.00,
redesigned from scratch, will come soon!

so is this for real? putting out a debugger and closing it on
first release?


and to echo the sentiments of many I've heard and talked with, this phoning home and advertising in incomprehensible languages is simply undesirable and unwanted

sure, the addition of Python is cool (a few .pys have popped up here and there so there is potential), the integration of graphing is cool, giving it out free is cool (this graphing hasn't gone through rigorous testing; simply try graphing without an exe, it doesn't handle the exception gracefully)

also there are a few glitches; try hitting F4 while its actual hotkey is Alt+F3 (if you are mucking around with malware this kind of thing is simply unacceptable)

hope the team of authors are reading this and would possibly try to eliminate and improve upon these

LLXX
August 15th, 2007, 23:25
Quote:
[Originally Posted by Woodmann;67790]Howdy,

I have the highest regards for LLXX. I respect LLXX's opinion greatly.

There are not many people I have higher respect for, BUT if the Nico I know (we have met) were to voice his opinion on this I would be very happy.

Woodmann
I doubt this "nicolas.waisman" is the same as the Nico you know. (I know that one (http://www.woodmann.com/forum/member.php?u=11754) you're talking about.)

disavowed
August 16th, 2007, 00:30
Woodmann, perhaps you're thinking about Nico Brulez.
Nico Waisman, I personally don't have any problems with adware or auto-updating, however, since many people do, you may want to include an option to disable auto-update-checking (perhaps present the user with this option the first time they run your program).

ColdWinterWind
August 16th, 2007, 03:18
That's why I make sure that my firewall monitors/blocks both incoming and outgoing connection attempts. Nothing on my system phones home or anywhere but what I allow.

As for Immunity, I d/l'd it, but didn't see any notices clearly stating that the developer's business model is based upon ads-based revenue generation.

At its most innocuous, careless. At its worst, intentionally hiding something that would naturally turn us off.

Nico
August 17th, 2007, 08:20
Hey Woodmann, I think you were talking about me, since we met at Recon.

IMO, this debugger should have been tested a bit more before release, in order to fix the bugs that were mentioned before.
Also, none of the bugs that I know of in OllyDbg were fixed (that FPU instruction bug, the first Ctrl+G showing an incorrect address, the "disassemble" menu not always available, etc.).
This is sad, since they do debug a lot to find exploits; I am sure they have met some bugs and have fixed them (which they apparently did, but the most basic ones are still present).

It would be cool if they had released a changelog to see what was fixed, and if it would affect us in any way.

I haven't seen many changes besides cosmetics and the Python integration (which is a nice idea, but this isn't enough for people to switch to it, as I hardly use Python anyway).

IMO, they should have kept the Olly plugin "straight" compatibility, rather than changing the name to Immunity stuff.
It really looks like they changed all strings to Immunity. The help file is a funny example.

Regarding the adware feature, I am sure some people have already patched it. I didn't, because I don't need the debugger. I'll use Olly until this one brings something really new.

blabberer
August 17th, 2007, 11:53
hehe, talking about the funny help file, here is a lol sentence

Quote:

Plugins

Plugin is a DLL that resides in Immunity Debugger directory and adds functionality to Immunity Debugger. You can download free plugin development kit plug110.zip from the Immunity Debugger's homepage (http://home.t-online.de/home/Immunity Debugger).

Plugins can set breakpoints, add labels and comments, modify registers and memory. They can add menu items to main menu and many windows, like Disassembler, or Memory, intercept global and window-dependent shortcuts. They also can create own MDI windows. Plugins can write plugin-specific data to .udd files with module-dependent information and Immunity Debugger.ini and access different data structures that describe debugged application. Plugin API includes more that 170 functions.

Many third-party plugins are available in Internet, for example, on Immunity Debugger forum http://Immunity Debugger.win32asmcommunity.net, created and moderated by TBD.

To install plugin, copy DLL (and, if necessary, related files) to the plugin directory and restart Immunity Debugger. By default, this is the directory where main Immunity Debugger file Immunity Debugger.exe resides.

Current distribution includes two "native" plugins: Bookmark and Command line. Their source is available in plug110.zip. These plugins are freeware, you can freely modify and redistribute them.


all those links have been dead for ages now

LLXX
August 17th, 2007, 19:34
Looks like they really did just rename the thing blindly...
Code:
s/Ollydbg/Immunity/g

L. Spiro
August 21st, 2007, 09:18
I always hate to see people so excited about their releases only to get gunned down, but you always know whose fault it is.
You really need to be open about everything your software is doing, and you should really make it more of your own thing rather than replacing a bunch of strings.

You really can't hide things from the people in this field, and anything you don't reveal upfront just comes off as a sneaky trick.

I am sure you will learn from this lesson for your 2.0 release.

Better luck next time.


L. Spiro

ancev
August 23rd, 2007, 19:49
Hey,

Who needs Python, when we have ollyperl.dll?

vecna

Thug4Lif3
August 25th, 2007, 10:38
@ancev/vecna:

IMHO, both Python and Perl are scripting languages and have similar approaches, but I think Python is better supported in RE nowadays. There are IDAPython, the PaiMei framework, etc., and recently the Sulley fuzzing framework. Now it's ImmDBG with integrated Python. Hooking APIs with ImmDbg via the Python ImmLib is somehow comfortable for watching the execution flow of the debugged program.

Python or Perl, it's up to the user to choose which language is more familiar to him.

And btw, are you Vecna from 29A? 29A guys always had the coolest idea for viruses I have ever seen :P

babar0ga
August 26th, 2007, 13:30
Quote:
[Originally Posted by Thug4Lif3;68062]And btw, are you Vecna from 29A? 29A guys always had the coolest idea for viruses I have ever seen :P


Just a little OT...
Something to read.
https://www.openrce.org/articles/full_view/29

Ricardo Narvaja
August 27th, 2007, 07:26
Well, I posted this in a private list so that users take a little care when using it; I don't know if this post is true or not. I posted it in crackslatinos only for personal care. Most people say it is a crap notice, but others don't like the idea of a debugger sending info to a company that works in security and makes money with this. (If you are looking for a zero-day vulnerability, I don't think it is a good idea to use a debugger that sends info to this company.)

But really I don't know if this is true or not; I think it is not true, but perhaps don't use it, hehehee.

Ricardo Narvaja