Dailydave mailing list archives

Release: Immunity Debugger v1.80


From: Sean Heelan <sean () immunityinc com>
Date: Mon, 06 Dec 2010 17:03:09 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

We have just uploaded Immunity Debugger v1.80 to the website [1] (How
the auto-updater works has changed so please update by hand and rm the
old Immunity Debugger entirely prior to installation).

New Features:
* Analysis engine for converting x86 code to SMT formulae (see
Libs/x86smt/sequenceanalyzer.py). For now we use CVC3 to provide the
backend SMT solver API. (You must add Libs/x86smt/ to your PATH as two
required dlls reside there).

* Preliminary DEPLIB v2 scripts built on top of the above analysis
engine for finding ROP gadgets (see PyCommands/deplib/findpivot.py and
PyCommands/deplib/find_gadget.py).

* Early versions of libraries for building static analysis tools on top
of ID (See Libs/pathgenerator.py). These are independent of the x86smt
libraries but combinations of both can work well (see
Libs/x86smt/pathwalker.py, PyCommands/x86smt/find_int_overflow.py and
PyCommands/pathogen.py).

Bug Fixes:
* The advertisements have been tamed somewhat and have a 78% lower
chance of popping out and tearing your eyes out.

* Lots of other cleanups and annoyance removals that we didn't make note
of but probably should have for a more impressive-looking 'Bug Fixes' list.

Usage Notes:

* The list of instructions handled by the SequenceAnalyzer doesn't
include the entire x86 instruction set. A large number of commonly used
instructions are there but those that aren't handled will result in an
exception being raised by the analyze() function if they are
encountered. If you're wondering why some scripts aren't working as you
might think over a particular code sequence then it's possible one such
instruction exists in the code. Setting the _debug flag of the
SequenceAnalyzer for that script will dump info to the log window if
this is the case. Anything with a REP prefix isn't handled as looping
constructs can't be directly represented in an SMT formula. For these
instructions the usual approach is to 'unroll' the instruction by
repeating it multiple times. For other instructions feel free to submit
a patch :)

* find_int_overflow.py is an early proof-of-concept script. You'll
notice that many false positives occur on additions to ESP, for example.
Before it's really usable the rest of the arithmetic instructions need
to be added to Libs/x86smt/bugcheckers/intoverflow.py and ideally some
mechanism for preloading the checker with knowledge such as 'X < ESP <
Y' where X and Y are some sane values. Also the handling of call
instructions should support pre/post conditions so as to avoid
re-analysing the same calls in the same context and to avoid insane
interprocedural run times.

* Documentation on the new features is currently in the form of scripts
found in PyCommands/deplib and PyCommands/x86smt. We'll document these
APIs in a slightly more sensible way in the future but for now the
variety of scripts in those directories provide good coverage of what is
possible. In particular:

- Libs/deplib/libgadgets.py, PyCommands/deplib/finder.py and
PyCommands/deplib/findpivot.py (for DEPLIB stuff)
- Libs/x86smt/pathwalker.py (for dealing with conditional jumps via the
solver)
- PyCommands/x86smt/varbounds.py (for basic solver usage)
- PyCommands/deplib/find_gadget.py (for slightly more involved usage)

For !findpivot (and any scripts you may write that rely on the
deplib20.py backend) you first need to run !gadgets_db to build a gadget
database. For find_gadget.py a simpler/more primitive format is used
for now. For this script you first run !gadgets DLLNAME which will find
all gadgets in the given .dll and log the name of a pickle file
containing the details to the log window. This filename can then be
passed to !find_gadget -g NAME ... etc.

For some of the higher level ideas behind some of the new features check
out Pablo's Ekoparty presentation and my Ruxcon/Kiwicon presentation [2].

Bug reports can be logged on the forums at http://forum.immunityinc.com
or sent to immunitydebugger () immunityinc com. Any feedback, feature
requests, patches or whatever are also greatly appreciated.

Thanks,
The Immunity Debugger team


(Btw, the Python API docs aren't *entirely* accurate right now. We'll
upload an update addressing that soon enough but for now we're more
interested in getting the code out in the world)

[1] http://www.immunityinc.com/products-immdbg.shtml
[2] http://www.immunityinc.com/resources-papers.shtml
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJM/V2cAAoJEMW6jFWLazyQZq8H/2ID/Fdo9s9T2BRtUqinpvs1
fQ3P5yPWfPEcjGiVyn/AReCJQVU2ZAM6+3U2UtBgt3v3vWD0dgdAA+LG/hFZJZ6f
232opyaAcr80F73H24XnjBxIqhBKIoWUjcGyVoKcF6mK771N4uCU7AsbqJJXunJO
JgXrWGcad5QHWRpL9j7SSV9VeqbwF+bzcr19CZpygTKp5NlaVWTFAotA6EJ3hWEt
7BpeMr841wI4o9z2ZMlysWG9eWpZt8A/2AHqXRzm+AlbFt4n3UMi9TAFLy0vwulW
zDI4U1yYtTyn/9wWm+49sAMukpdwc0Ld2PrEwph8dw5RTvRvzut7I4Vhsj6LSfQ=
=Zj2p
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
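The usage notes above describe three behaviours of the x86-to-SMT analysis engine: unhandled instructions make analyze() raise, REP-prefixed instructions are refused because a loop has no direct formula and must be unrolled, and the integer-overflow checker needs preloaded knowledge such as 'X < ESP < Y' to stop flagging every add to ESP. The following is an added worked example written for this archive page; it is not Immunity Debugger's Libs/x86smt/sequenceanalyzer.py or intoverflow.py and shares no code or API with them. Every class, method and mnemonic-to-operator mapping in it is an assumption. It translates a small x86 subset into SMT-LIB2 bit-vector constraints (SSA-style fresh variables per register write) that any SMT-LIB2 solver can consume, and shows the overflow check as one extra assertion; no solver is needed to run the script itself.

```python
"""
Toy translation of a small x86 subset into SMT-LIB2 bit-vector constraints.
Added illustration for the v1.80 announcement; NOT Immunity's x86smt code.
All names and the mnemonic -> operator table are assumptions made here.
"""
import re

WIDTH = 32
MASK = (1 << WIDTH) - 1
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
# Assumed mnemonic -> SMT-LIB2 operator mapping, two-operand register/immediate forms only.
BINOPS = {"add": "bvadd", "sub": "bvsub", "and": "bvand", "or": "bvor",
          "xor": "bvxor", "shl": "bvshl", "shr": "bvlshr"}
INSN_RE = re.compile(r"\s*(rep(?:n?[ez])?\s+)?(\w+)\s*(.*)")


class UnsupportedInstruction(Exception):
    """Raised for anything this toy does not model (the analogue of analyze() raising)."""


class SequenceToSMT:
    def __init__(self):
        self.version = {r: 0 for r in REGS}                      # SSA counter per register
        self.decls = [f"(declare-fun {r}_0 () (_ BitVec {WIDTH}))" for r in REGS]
        self.asserts = []
        self.adds = []                                           # (dst_before, src, dst_after) per add

    def cur(self, reg):
        return f"{reg}_{self.version[reg]}"

    def fresh(self, reg):
        """New SSA name for a register being written; declared as a 32-bit bit-vector."""
        if reg not in REGS:
            raise UnsupportedInstruction(f"destination {reg!r} (memory operands not modelled)")
        self.version[reg] += 1
        name = self.cur(reg)
        self.decls.append(f"(declare-fun {name} () (_ BitVec {WIDTH}))")
        return name

    def operand(self, tok):
        """Source operand: current SSA name of a register, or a 32-bit literal."""
        tok = tok.strip()
        if tok in REGS:
            return self.cur(tok)
        try:
            return f"(_ bv{int(tok, 0) & MASK} {WIDTH})"
        except ValueError:
            raise UnsupportedInstruction(f"operand {tok!r} (memory operands not modelled)")

    def translate(self, insn):
        prefix, op, rest = INSN_RE.match(insn.strip().lower()).groups()
        if prefix:
            # A REP loop cannot be one formula; the caller must unroll it into N copies.
            raise UnsupportedInstruction(f"{insn.strip()}: REP loops must be unrolled first")
        args = [a.strip() for a in rest.split(",") if a.strip()]
        if op == "mov" and len(args) == 2:
            src = self.operand(args[1])                          # read before the write
            self.asserts.append(f"(= {self.fresh(args[0])} {src})")
        elif op in BINOPS and len(args) == 2:
            before, src = self.operand(args[0]), self.operand(args[1])
            after = self.fresh(args[0])
            self.asserts.append(f"(= {after} ({BINOPS[op]} {before} {src}))")
            if op == "add":
                self.adds.append((before, src, after))
        else:
            raise UnsupportedInstruction(f"{insn.strip()}: not handled by this toy translator")
        return self

    def analyze(self, insns):
        for insn in insns:
            self.translate(insn)
        return self

    def bound_register(self, reg, lo, hi):
        """Preload 'lo < reg < hi' (unsigned) on the register's initial value."""
        r = f"{reg}_0"
        self.asserts.append(f"(bvult (_ bv{lo & MASK} {WIDTH}) {r})")
        self.asserts.append(f"(bvult {r} (_ bv{hi & MASK} {WIDTH}))")
        return self

    def formula(self, extra=()):
        body = [f"(assert {a})" for a in list(self.asserts) + list(extra)]
        return "\n".join(self.decls + body + ["(check-sat)", "(get-model)"])

    def unsigned_add_overflow_query(self, index=None):
        """SAT means some initial state makes an add wrap: the result is below its first input."""
        adds = self.adds if index is None else [self.adds[index]]
        conds = [f"(bvult {after} {before})" for before, _src, after in adds]
        if not conds:
            return None
        return self.formula([conds[0] if len(conds) == 1 else f"(or {' '.join(conds)})"])


def is_unsupported(insn):
    """True if the toy refuses the instruction, as analyze() would by raising."""
    try:
        SequenceToSMT().translate(insn)
        return False
    except UnsupportedInstruction:
        return True


if __name__ == "__main__":
    # Constructed sample: a stack adjust plus a length computation. With the ESP bound
    # preloaded, a solver reports the "add esp" query UNSAT (no false positive) while
    # the unconstrained "add eax" query stays SAT.
    seq = SequenceToSMT().bound_register("esp", 0x00010000, 0x7FFFFFFF)
    seq.analyze(["add esp, 0x10", "mov eax, ecx", "add eax, 0x10"])
    print(seq.unsigned_add_overflow_query(index=0))
```

The printed text is a complete SMT-LIB2 script; feeding it to a solver answers whether the chosen add can wrap under the preloaded bounds. Bounding only the initial `esp_0` is enough here because each write gets a fresh name, which is also why reads are resolved before `fresh()` is called.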

