{"id":126,"date":"2018-01-15T00:44:17","date_gmt":"2018-01-15T00:44:17","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=126"},"modified":"2018-01-15T00:44:17","modified_gmt":"2018-01-15T00:44:17","slug":"immunitydbg-api-breakpoints-script","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/01\/15\/immunitydbg-api-breakpoints-script\/","title":{"rendered":"ImmunityDbg API breakpoints script"},"content":{"rendered":"<p>This is a python script for\u00a0<a href=\"https:\/\/www.immunityinc.com\/products\/debugger\/\">Immunity debugger<\/a>\u00a0that sets breakpoints on &#8220;interesting&#8221; APIs.<\/p>\n<p>Here is the list of APIs (in no particular order):<\/p>\n<p>&#8220;ZwRaiseHardError&#8221;<br \/>\n&#8220;bind&#8221;<br \/>\n&#8220;listen&#8221;<br \/>\n&#8220;socket&#8221;<br \/>\n&#8220;DeviceIoControl&#8221;<br \/>\n&#8220;ZwCreateFile&#8221;<br \/>\n&#8220;ZwCreateSection&#8221;<br \/>\n&#8220;ZwQueryInformationFile&#8221;<br \/>\n&#8220;ZwQueryAttributesFile&#8221;<br \/>\n&#8220;ZwCreateUserProcess&#8221;<br \/>\n&#8220;ZwOpenKeyEx&#8221;<br \/>\n&#8220;ZwOpenKey&#8221;<br \/>\n&#8220;ResumeThread&#8221;<br \/>\n&#8220;CopyFileA&#8221;<br \/>\n&#8220;CopyFileExW&#8221;<br \/>\n&#8220;CopyFileW&#8221;<br \/>\n&#8220;CreateDirectoryA&#8221;<br \/>\n&#8220;CreateDirectoryW&#8221;<br \/>\n&#8220;CreateMutexA&#8221;<br \/>\n&#8220;CreateMutexW&#8221;<br \/>\n&#8220;CreateFileA&#8221;<br \/>\n&#8220;CreateFileW&#8221;<br \/>\n&#8220;CreateProcessA&#8221;<br \/>\n&#8220;CreateProcessW&#8221;<br \/>\n&#8220;CreateProcessInternalA&#8221;<br \/>\n&#8220;CreateRemoteThread&#8221;<br \/>\n&#8220;WinExec&#8221;<br \/>\n&#8220;OpenProcess&#8221;<br \/>\n&#8220;Sleep&#8221;<br \/>\n&#8220;IsDebuggerPresent&#8221;<br \/>\n&#8220;WriteProcessMemory&#8221;<br \/>\n&#8220;_write&#8221;<br \/>\n&#8220;ZwWriteFile&#8221;<br \/>\n&#8220;ZwWriteVirtualMemory&#8221;<br \/>\n&#8220;SetThreadContext&#8221;<br \/>\n&#8220;RegOpenKeyExA&#8221;<br \/>\n&#8220;SysFreeString&#8221;<br \/>\n&#8220;RtlFillMemory&#8221;<br \/>\n&#8220;InternetCrackUrlA&#8221;<br \/>\n&#8220;InternetConnectA&#8221;<br \/>\n&#8220;InternetOpenUrlA&#8221;<br \/>\n&#8220;InternetSetOptionW&#8221;<br \/>\n&#8220;HttpOpenRequestW&#8221;<br \/>\n&#8220;HttpSendRequestW&#8221;<br \/>\n&#8220;UrlDownloadToFileA&#8221;<br \/>\n&#8220;UrlDownloadToFileW&#8221;<br \/>\n&#8220;connect&#8221;<br \/>\n&#8220;send&#8221;<br \/>\n&#8220;__vbaFreeStr&#8221;<br \/>\n&#8220;__vbaFreeStrList&#8221;<br \/>\n&#8220;__vbaStrMove&#8221;<br \/>\n&#8220;__vbaStrCopy&#8221;<br \/>\n&#8220;__vbaStrCat&#8221;<\/p>\n<p>The script is available on <a href=\"https:\/\/github.com\/asaygo\/malwrforensics\/blob\/master\/scripts\/bpapi.py\">github<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a python script for\u00a0Immunity debugger\u00a0that sets breakpoints on &#8220;interesting&#8221; APIs. Here is the list of APIs (in no particular order): &#8220;ZwRaiseHardError&#8221; &#8220;bind&#8221; &#8220;listen&#8221; &#8220;socket&#8221; &#8220;DeviceIoControl&#8221; &#8220;ZwCreateFile&#8221; &#8220;ZwCreateSection&#8221; &#8220;ZwQueryInformationFile&#8221; &#8220;ZwQueryAttributesFile&#8221; &#8220;ZwCreateUserProcess&#8221; &#8220;ZwOpenKeyEx&#8221; &#8220;ZwOpenKey&#8221; &#8220;ResumeThread&#8221; &#8220;CopyFileA&#8221; &#8220;CopyFileExW&#8221; &#8220;CopyFileW&#8221; &#8220;CreateDirectoryA&#8221; &#8220;CreateDirectoryW&#8221; &#8220;CreateMutexA&#8221; &#8220;CreateMutexW&#8221; &#8220;CreateFileA&#8221; &#8220;CreateFileW&#8221; &#8220;CreateProcessA&#8221; &#8220;CreateProcessW&#8221; &#8220;CreateProcessInternalA&#8221; &#8220;CreateRemoteThread&#8221; &#8220;WinExec&#8221; &#8220;OpenProcess&#8221; &#8220;Sleep&#8221; &#8220;IsDebuggerPresent&#8221; &#8220;WriteProcessMemory&#8221; &#8220;_write&#8221; &#8220;ZwWriteFile&#8221; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[30,31,18,6,4],"class_list":["post-126","post","type-post","status-publish","format-standard","hentry","category-security","tag-debugger","tag-immunity","tag-malware","tag-tool","tag-windows"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"<p>This is a python script for\u00a0Immunity debugger\u00a0that sets breakpoints on &#8220;interesting&#8221; APIs. Here is the list of APIs (in no particular order): &#8220;ZwRaiseHardError&#8221; &#8220;bind&#8221; &#8220;listen&#8221; &#8220;socket&#8221; &#8220;DeviceIoControl&#8221; &#8220;ZwCreateFile&#8221; &#8220;ZwCreateSection&#8221; &#8220;ZwQueryInformationFile&#8221; &#8220;ZwQueryAttributesFile&#8221; &#8220;ZwCreateUserProcess&#8221; &#8220;ZwOpenKeyEx&#8221; &#8220;ZwOpenKey&#8221; &#8220;ResumeThread&#8221; &#8220;CopyFileA&#8221; &#8220;CopyFileExW&#8221; &#8220;CopyFileW&#8221; &#8220;CreateDirectoryA&#8221; &#8220;CreateDirectoryW&#8221; &#8220;CreateMutexA&#8221; &#8220;CreateMutexW&#8221; &#8220;CreateFileA&#8221; &#8220;CreateFileW&#8221; &#8220;CreateProcessA&#8221; &#8220;CreateProcessW&#8221; &#8220;CreateProcessInternalA&#8221; &#8220;CreateRemoteThread&#8221; &#8220;WinExec&#8221; &#8220;OpenProcess&#8221; &#8220;Sleep&#8221; &#8220;IsDebuggerPresent&#8221; &#8220;WriteProcessMemory&#8221; &#8220;_write&#8221; &#8220;ZwWriteFile&#8221; &#8220;ZwWriteVirtualMemory&#8221; &#8220;SetThreadContext&#8221; &#8220;RegOpenKeyExA&#8221; &#8220;SysFreeString&#8221; &#8220;RtlFillMemory&#8221; &#8220;InternetCrackUrlA&#8221; &#8220;InternetConnectA&#8221; &#8220;InternetOpenUrlA&#8221; &#8220;InternetSetOptionW&#8221; &#8220;HttpOpenRequestW&#8221; &#8220;HttpSendRequestW&#8221; &#8220;UrlDownloadToFileA&#8221; &#8220;UrlDownloadToFileW&#8221; &#8220;connect&#8221; &#8220;send&#8221; &#8220;__vbaFreeStr&#8221; &#8220;__vbaFreeStrList&#8221; &#8220;__vbaStrMove&#8221; &#8220;__vbaStrCopy&#8221; &#8220;__vbaStrCat&#8221; The script is available on github.<\/p>\n","category_list_v2":"<a href=\"https:\/\/malwrforensics.com\/en\/category\/security\/\" rel=\"category tag\">Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=126"}],"version-history":[{"count":1,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/126\/revisions"}],"predecessor-version":[{"id":127,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/126\/revisions\/127"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}