4

This sounds like a very simple thing to accomplish but I can't seem to get it working.

I'd like to run a part of a program in ImmDbg instruction by instruction and keep track of some actions that it performs (which jumps it takes, when registers are modified, etc...). This is of course a tedious process to do by hand and sometimes I need to automate it and add some custom behavior based on the target.

I didn't find tracing facilities in the Python APIs, so I tried to step through the code. The sample code below should simply execute 10 instructions.

import immlib

imm = immlib.Debugger()

def main(args):
    for i in range(10):
        imm.stepIn()

    return "OK"

However, it appears to be executing sometimes less than 10 instructions and each stepIn() call freezes the program for about a second, rendering the script way too slow to perform anything useful.

Sigill
  • 41
  • 2
  • the answer is simple: just look at mike.py inside the pycommand subdirectory. it has the stepIn() loop. the reason why your execution take too long is because when you encountered system DLL you are supposed to stepover it, as shown in "mike.py". – Peter Teoh Apr 03 '14 at 01:03
  • and additionally, remember to enable tracing (via calling stepIn() above) only when a particular breakpoint is reached (use LogBpHook). – Peter Teoh Apr 05 '14 at 00:44

1 Answers1

1

If you just want to trace instructions to create a control flow graph (CFG) and even a fairly-accurate data flow graph (DFG), pyCommand is admittedly clunky compared to the tools we have available:

PLATFORM AGNOSTIC

  • pydbg (python)
  • capstone disassembly (python, with added taint analysis support)
  • Intel Pintools (C/C++, faster than all the above)
  • openREIL (highly experimental)

LINUX

  • perf (linux kernel module which already implements CFG creation)
  • valgrind/callgrind (callgrind is responsible for CFG creation)

Please note the python solutions with be slower (but easier to implement) than the C/C++ solutions.

grepNstepN
  • 368
  • 1
  • 13