Author: 阿尔法, 实验室 | 19 January 2017 | Uncategorized

xrkmon: API call monitoring scripts based on Immunity Debugger

GitHub address: https://github.com/humblepride/xrkmon

Summary

A set of Python scripts for the Immunity Debugger debugger that can monitor API calls and modify API call parameters and results. They conveniently solve many of the small problems encountered while debugging and, to some extent, improve debugging efficiency. In fact, once you are familiar with the code, more advanced functionality can be added easily.

What is this:

a set of py scripts for Immunity Debugger, to monitor api calls, modify api rets, etc… u can add functionalities of your own.

disadvantages:

  • buggy. not fully tested.
  • slow. it doesn’t matter how many api hooks are installed, but it does matter if hooked apis are invoked too frequently.
  • sometimes might not work. it depends on “hooking system” of Immunity Debugger. if imm fails, this will fail too.
  • this is not some “ONE CLICK” thing, u’re recommended to read the source code, to create functionality of your own.

features:

  • api call monitor, but only pre-defined apis. of course, u can easily add apis of your own.
  • call stack filter. only apis directly invoked by interested dlls will be logged/displayed.
  • use “symbol” exported by ida.

file structures:

  • x.py: write code for specific sample, and type: !x
  • xrkcloud.py: get/set data from/to “cloud”
  • xrkcst.py: some const data
  • xrkcstk.py: call stack functionality
  • xrkdbg.py: sync between xrkmon and debugger
  • xrkdef.py: classes and basic methods
  • xrkhook.py: hook classes and basic methods
  • xrklog.py: logging
  • xrkmd.py: memory module
  • xrkmon.py: main entry
  • xrkmonapis.py: pre-defined apis and categories
  • xrkmoncfg.py: pre-defined config for xrkmon
  • xrkmonctrl.py: control class and methods
  • xrkmonrun.py: run_cbk of all apis, and some common methods
  • xrkpefilex.py: wrapper of pefile.py
  • xrksym.py: symbol things (dbghelp.dll and ida)
  • xrkutil.py: utility

setup:

usage:

  1. imm cmd line, apply pre-defined configs:

    to list all pre-defined configs, type:

    for details, read the code. u can add config of your own, and use it in the same way.
  2. imm cmd line, operate on hook or cloud (control behaviour of hooked api indirectly):

    for more details, type:
  3. by coding:

    u can put code in x.py, and type:

examples:

  • checkout global config:

  • change work mode

  • force all ws2_32 apis return success

  • shorten sleep msecs

  • pause when modify file system and process creation

  • hook all ws2_32 apis and pause when hit

  • remove all ws2_32 apis and install wininet apis and not pause when hit

  • not pause all hooked/hooking apis
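The examples above (force ws2_32 apis to succeed, shorten Sleep msecs, install or remove a whole category, pause on hit) all rest on the same two mechanisms: the call stack filter from the features list, and pre/post rewriting of a hooked call. The block below is an added, constructed stand-in for that behaviour in plain Python; it is not xrkmon's code and does not use Immunity Debugger's immlib, and every address, module range and API result in it is made up for the demo.

```python
"""Constructed stand-in for the hook behaviour the README describes (call-stack
filter, per-category install/remove, parameter and return rewriting, pause flag).
Plain Python, not xrkmon's code, and not using Immunity Debugger's immlib; all
addresses, module ranges and API results below are made up."""

# Constructed module map: name -> (base, size). Only the sample is "interested".
MODULES = {
    "sample.exe": (0x00400000, 0x00010000),
    "kernel32.dll": (0x7C800000, 0x000F0000),
    "ws2_32.dll": (0x71A00000, 0x00018000),
}
INTERESTED_DLLS = {"sample.exe"}


def module_of(addr):
    """Name of the module whose image range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


class ApiHook:
    """pre(params) may rewrite the argument list in place; post(ret) may replace
    the return value; pause marks calls that should break into the debugger."""

    def __init__(self, name, pre=None, post=None, pause=False):
        self.name, self.pre, self.post, self.pause = name, pre, post, pause


class Monitor:
    def __init__(self, interested=INTERESTED_DLLS):
        self.interested = set(interested)
        self.hooks = {}   # api name -> ApiHook
        self.log = []     # (api, params, ret, paused) for every logged call

    def install(self, names, pause=False, pre=None, post=None):
        for name in names:
            self.hooks[name] = ApiHook(name, pre, post, pause)

    def remove(self, prefix):
        """Remove every hook whose api name starts with prefix (e.g. 'ws2_32.')."""
        for name in [n for n in self.hooks if n.startswith(prefix)]:
            del self.hooks[name]

    def set_pause(self, pause):
        """Flip the pause flag on all installed hooks at once."""
        for hook in self.hooks.values():
            hook.pause = pause

    def api_call(self, api, params, call_stack, real_impl):
        """Model one hooked call. call_stack[0] is the return address of the
        API's immediate caller; only calls coming straight from an interested
        module are rewritten and logged. Returns the value the caller sees."""
        hook = self.hooks.get(api)
        if hook is None or not call_stack or module_of(call_stack[0]) not in self.interested:
            return real_impl(*params)
        params = list(params)
        if hook.pre:
            hook.pre(params)
        ret = real_impl(*params)
        if hook.post:
            ret = hook.post(ret)
        self.log.append((api, tuple(params), ret, hook.pause))
        return ret


def shorten_sleep(params, cap=100):
    """'shorten sleep msecs': clamp Sleep's dwMilliseconds argument."""
    params[0] = min(params[0], cap)


def force_success(ret):
    """'force all ws2_32 apis return success': 0 is treated as success here
    (constructed assumption for this model)."""
    return 0


# Constructed fake implementations standing in for the real APIs.
def fake_sleep(msecs):
    return msecs      # pretend we slept and report the duration


def fake_connect(sock, addr):
    return -1         # SOCKET_ERROR: the constructed target is down


def demo():
    mon = Monitor()
    mon.install(["kernel32.Sleep"], pre=shorten_sleep)
    mon.install(["ws2_32.connect", "ws2_32.send"], pause=True, post=force_success)
    from_sample = [0x00401234, 0x00401000]   # constructed: caller inside sample.exe
    from_kernel = [0x7C801000, 0x00401500]   # constructed: caller inside kernel32.dll

    slept = mon.api_call("kernel32.Sleep", (5000,), from_sample, fake_sleep)
    ignored = mon.api_call("kernel32.Sleep", (5000,), from_kernel, fake_sleep)
    conn = mon.api_call("ws2_32.connect", (4, "10.0.0.1:80"), from_sample, fake_connect)
    mon.remove("ws2_32.")
    unhooked = mon.api_call("ws2_32.connect", (4, "10.0.0.1:80"), from_sample, fake_connect)
    return slept, ignored, conn, unhooked, list(mon.log)


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

The call from kernel32.dll is passed through untouched and unlogged, which is exactly why the filter keeps the log readable: internal re-entrant calls inside system dlls never reach the log, only calls the sample made itself.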

api category:

apis are divided into categories, check out xrkmonapis.py:

add api:

  1. define run_xxx in xrkmonrun.py:
  2. add api config to xrkmonctrl.py(existing category or category of your own):
  3. if u have special config for this api, add it to xrkmonctrl.py (ctrlCmn.dft_api_config):

    and access config at run_xxx in xrkmonrun.py:

add category:

  1. define category in xrkmonapis.py:

    add a name to it in global variable api_cat_dict:

    then u can use it by typing:

add config:

  1. add configItem obj to variable v_config_dict in xrkmoncfg.py:

    then u can use it by typing:

ida “symbol”:

  1. ida script to export “symbol”:

  2. rename the exported file as xxxx_ida_names.txt, and place it in the same dir as the debuggee; xrkmon will parse it automatically (when resolving symbols).

working mode:

  1. there are 2 “work_mode”s:
    • debug (default): api call log to “Log Window”
    • log: api call log to “cloud”, and u print summary by typing:

  2. “work_mode” only takes effect in ‘xrkmonrun.py (xrk_api_call)’:

  3. u can easily modify “work_mode” on the fly by typing:

output:

  1. api call will print in “Log Window” only in “debug” mode
  2. api call is always printed, but params and call stack are optional (default is yes)
  3. u can config this by typing:

    !xrkmon -k global --attr is_log_cstk --false
    !xrkmon -k global --attr is_log_params --true
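To show how the working mode and output sections fit together, here is an added, constructed model of the global config, the two work modes and the `!xrkmon -k global --attr NAME --true|--false` command form quoted above. It is plain Python written for this page, not xrkmon's code: the `ConfigItem` fields, the `cloud` counter and the "Log Window" list are assumptions standing in for the real objects, and the command grammar is taken only from the two commands shown in the README.

```python
"""Constructed model of the README's global config, its work modes and the
'!xrkmon -k KEY --attr NAME --true|--false' command form. Plain Python, not
xrkmon's code; ConfigItem's fields and the 'cloud' counter are assumptions."""
import shlex
from collections import Counter


class ConfigItem:
    """Stands in for the configItem objects kept in v_config_dict."""

    def __init__(self, work_mode="debug", is_log_cstk=True, is_log_params=True):
        self.work_mode = work_mode          # "debug" or "log"
        self.is_log_cstk = is_log_cstk      # print call stack with each call
        self.is_log_params = is_log_params  # print parameters with each call


def parse_cmd(cmdline):
    """Parse one '!xrkmon -k KEY --attr NAME --true|--false' command line.
    Returns (key, attr, value) and raises ValueError on any other shape."""
    argv = shlex.split(cmdline)
    if len(argv) != 6 or argv[0] != "!xrkmon" or argv[1] != "-k" or argv[3] != "--attr":
        raise ValueError("expected: !xrkmon -k KEY --attr NAME --true|--false")
    if argv[5] not in ("--true", "--false"):
        raise ValueError("value must be --true or --false")
    return argv[2], argv[4], argv[5] == "--true"


def split_cmds(text):
    """The README shows two commands run together on one line; split them."""
    parts = [p.strip() for p in text.split("!xrkmon") if p.strip()]
    return ["!xrkmon " + p for p in parts]


class Xrkmon:
    def __init__(self):
        self.configs = {"global": ConfigItem()}   # v_config_dict stand-in
        self.log_window = []                       # imm "Log Window" stand-in
        self.cloud = Counter()                     # per-api call counts ("cloud")

    def cmd(self, cmdline):
        """Apply one config command; unknown keys or attrs raise instead of
        silently creating a setting that nothing reads."""
        key, attr, value = parse_cmd(cmdline)
        cfg = self.configs[key]
        if not hasattr(cfg, attr):
            raise AttributeError("unknown attr %s on config %s" % (attr, key))
        setattr(cfg, attr, value)
        return cfg

    def api_call(self, api, params, cstk):
        """The one place work_mode takes effect (README: xrk_api_call)."""
        cfg = self.configs["global"]
        if cfg.work_mode == "debug":
            line = api
            if cfg.is_log_params:
                line += " params=" + repr(params)
            if cfg.is_log_cstk:
                line += " cstk=" + " <- ".join(cstk)
            self.log_window.append(line)
        else:
            self.cloud[api] += 1      # only counted; printed later via summary()

    def summary(self):
        """Most-called apis first, then by name."""
        return sorted(self.cloud.items(), key=lambda kv: (-kv[1], kv[0]))


def demo():
    x = Xrkmon()
    cstk = ["sample.exe+0x1234", "sample.exe+0x1000"]   # constructed frames
    x.api_call("kernel32.Sleep", (5000,), cstk)
    for c in split_cmds("!xrkmon -k global --attr is_log_cstk --false "
                        "!xrkmon -k global --attr is_log_params --true"):
        x.cmd(c)
    x.api_call("kernel32.Sleep", (5000,), cstk)
    x.configs["global"].work_mode = "log"   # switch modes directly in this model
    for api in ("ws2_32.send", "ws2_32.send", "ws2_32.recv"):
        x.api_call(api, (), cstk)
    return x


if __name__ == "__main__":
    x = demo()
    print("\n".join(x.log_window))
    print(x.summary())
```

In "log" mode nothing reaches the Log Window at all; calls are only counted, which is what makes the mode cheap enough for noisy apis, and the summary is printed on demand afterwards.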

bug report:

please report an issue, or email to 763090709@qq.com

TODO:

  1. integrate with pydbg
  2. compatible with x64dbg