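I have no idea when this thing ended up on my computer. Click here to download it and enjoy playing doctor for a while. Heh, and by the way, the login password is 123.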
mona for Immunity Debugger v1.8x
This is the Corelan Team project page for ‘mona’, a PyCommand for Immunity Debugger.
This PyCommand replaces pvefindaddr, which is no longer supported as of mid-June 2011. The PyCommand has been tested on Immunity Debugger 1.83. Older versions of Immunity Debugger are not supported and may not work.
Hide Debugger for Immunity Debugger v1.8x
"""
(c) Mars Security. 2009-2012
Institute Of Information Serurity From Mars
Email:root@h4ck.ws
U{By obaby.}
"""
#sys.path.append("C:\\Program Files\\Immunity Inc\\Immunity Debugger\\Libs")
import immlib
import immutils

def main(args):
    imm = immlib.Debugger()
    # Hide the debugger by wiping the BeingDebugged flag in the PEB struct.
    imm.writeMemory(imm.getPEBAddress() + 0x2, "\x00")
    # Disable process enumeration (Process32FirstW / Process32NextW).
    process32first = imm.getAddress("kernel32.Process32FirstW")
    process32next = imm.getAddress("kernel32.Process32NextW")
    function_list = [process32first, process32next]
    patch_bytes = imm.assemble("SUB EAX,EAX\nRET 8")
    for address in function_list:
        opcode = imm.disasmForward(address, nlines=8)
        # The patch write is left commented out, so only the PEB flag is changed.
        #imm.writeMemory(opcode.address, patch_bytes)
    return "[*] PEB BeingDebugged flag cleared ! Debugger Hided~!"
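This script removes debugger detection that is based on the IsDebuggerPresent function. Save the content above as hidedbg.py, put it in the PyCommands directory of immdbg, and then run it from the immdbg command window.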
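Why a single byte written at PEB + 0x2 is enough, shown as an added example that is not part of the original script: a plain-Python model of the three loads the 32-bit IsDebuggerPresent performs (TEB self pointer, PEB pointer, BeingDebugged byte). The `Memory` class and the TEB/PEB addresses are constructed for illustration, and it runs without Immunity Debugger.

```python
import struct

# Constructed 32-bit addresses for the model; real values differ per process.
TEB_ADDR, PEB_ADDR = 0x7FFDF000, 0x7FFD5000

class Memory:
    """Hypothetical sparse byte-addressable memory standing in for the debuggee."""
    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, size):
        return bytes(self.cells.get(addr + i, 0) for i in range(size))

    def read_dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

def build_debugged_process():
    """Lay out only the TEB/PEB fields that IsDebuggerPresent touches."""
    mem = Memory()
    mem.write(TEB_ADDR + 0x18, struct.pack("<I", TEB_ADDR))  # NT_TIB.Self
    mem.write(TEB_ADDR + 0x30, struct.pack("<I", PEB_ADDR))  # TEB.ProcessEnvironmentBlock
    mem.write(PEB_ADDR + 0x02, b"\x01")  # PEB.BeingDebugged, set when started under a debugger
    return mem

def is_debugger_present(mem):
    """Model of: MOV EAX,FS:[18]; MOV EAX,[EAX+30]; MOVZX EAX,BYTE PTR [EAX+2]."""
    teb = mem.read_dword(TEB_ADDR + 0x18)  # FS:[0x18] holds the TEB's own address
    peb = mem.read_dword(teb + 0x30)       # follow the pointer to the PEB
    return mem.read(peb + 0x02, 1)[0]      # the return value is just this byte

def hide_debugger(mem):
    """Same write the PyCommand performs: one zero byte at PEB + 0x2."""
    mem.write(PEB_ADDR + 0x02, b"\x00")

if __name__ == "__main__":
    mem = build_debugged_process()
    print("before patch:", is_debugger_present(mem))
    hide_debugger(mem)
    print("after patch: ", is_debugger_present(mem))
```

Only the flag byte changes; the TEB and PEB pointers that the API follows are left as they were.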