Results 1 to 1 of 1

Thread: ImmDbg getXrefTo API call

  1. #1
    RalenBek
    Guest

    ImmDbg getXrefTo API call

    Hey guys,

    I'm working on a script for Immunity Debugger at the moment, the aim of which is just to automate some repeated breakpointing I seem to do all the time. Anyways, the following script illustrates a problem I'm having finding, and setting breakpoints on, the callsites of a given function.

    Everything appears to work fine until about 8 lines from the end, where getXrefTo() is called. This consistently returns no xrefs for functions I have verified are called. The functions are found at the same addresses that are used if I just right click on the function name and set a breakpoint on all call sites, but passing that value to getXrefTo returns an empty list.

    Any help is appeciated. Cheers.

    Code:
    """
    callsitebp.py - Set breakpoints at the callsites of a given function
    """
    
    __VERSION__ = '0.1'
    
    import getopt
    import immlib
    
    
    DESC = "Set breakpoints at the callsites of a given function"
    HEAD = "### PyCommand CallsiteBP ###"
    USAGE = "!callsitebp [-m module] -f function"
    
    def usage(imm):
        imm.Log(USAGE)
        return "For usage information see Log Window"
    
    def findFunction(imm, mod, funcName, foundFuncs):
        modAddr = mod.getBaseAddress() 
    
        imm.Log("Getting functions from %s" % mod.getName())
        
        for funcAddr in imm.getAllFunctions(modAddr):
            func = imm.getFunction(funcAddr)
            foundName = func.getName().split('.')[-1]
            if foundName == funcName:
                imm.Log("Found %s in %s at 0x%x" % (funcName, mod.getName(),
                    func.getStart()))
                foundFuncs.append((func, mod))
    
    def main(args):
        if not args:
            return USAGE 
    
        imm = immlib.Debugger()
        funcName = None 
        numBps = 0
        foundFuncs = []
        modName = None
    
        imm.Log(HEAD)
    
        try:
            opts, extra = getopt.getopt(args, "m:f:")
        except getopt.GetoptError:
            imm.setStatusBar("Bad argument %s" % str(args))
            usage(imm)
            return 0
    
        for flag, val in opts:
            if flag == "-m":
                modName = val
            elif flag == "-f":
                funcName = val
    
        imm.Log("Setting breakpoints on callsites of %s" % funcName)
    
        if funcName is None:
            imm.Log(USAGE)
            return "No function specified. Check log for usage details"
    
        if modName is None:
            for mod in imm.getAllModules():
                if not mod.isAnalysed():
                    imm.Log("Analysing %s" % mod.getName())
                    imm.analyseCode(mod.getCodebase())
                
                findFunction(imm, mod, funcName, foundFuncs)
        else:
            mod = imm.getModule(modName)
            if mod is None:
                return "Module %s not found" % modName
    
            if not mod.isAnalysed():
                imm.Log("Analysing %s" % mod.getName())
                imm.analyseCode(mod.getCodebase())
                
            findFunction(imm, mod, funcName, foundFuncs)
    
        if len(foundFuncs) == 0:
            imm.Log("%s not found in any loaded modules! Check spelling and case." %
                    funcName)
            return "Function not found. Check log"
    
        imm.Log("Found %d functions matching that description" % len(foundFuncs))
        for func, mod in foundFuncs:
            funcAddr = func.getStart()
            imm.Log("Looking for XREFs to 0x%x" % funcAddr)
            xrefs = imm.getXrefTo(funcAddr)
            imm.Log("Found %d XREFs to %s" % (len(xrefs), funcName))
    
            for xref in xrefs:
                imm.Log("Setting breakpoint at 0x%x" % xref.getStart())
                imm.setBreakpoint(xref.getStart())
                numBps += 1
    
        return "Breakpoints set on %d callsites" % numBps
    And some sample output....

    Code:
    0BADF00D  ### PyCommand CallsiteBP ###
    0BADF00D  Setting breakpoints on callsites of VirtualAlloc
    0BADF00D  Getting functions from kernel32.dll
    0BADF00D  Found VirtualAlloc in kernel32.dll at 0x7c809a61
    0BADF00D  Found 1 functions matching that description
    0BADF00D  Looking for XREFs to 0x7c809a61
    0BADF00D  Found 0 XREFs to VirtualAlloc
    UPDATE: It does appear the following two lines don't actually get passed every function defined in the module either. For example, in the debugger I can set see the function msvcrt.free is imported, and set breakpoints on all its call sites, but the only 'free' function that imm.getAllFunctions() returns is msvcrt._aligned_free.

    Code:
        for funcAddr in imm.getAllFunctions(modAddr):
            func = imm.getFunction(funcAddr)
    Last edited by RalenBek; July 19th, 2009 at 13:22.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Logging an API call
    By SteM in forum OllyDbg Support Forums
    Replies: 2
    Last Post: January 7th, 2009, 11:40
  2. call $+5 ?
    By mcensamuel in forum OllyDbg Support Forums
    Replies: 2
    Last Post: August 29th, 2005, 22:19
  3. How to find out, what the call does ?
    By van_Hauser in forum The Newbie Forum
    Replies: 6
    Last Post: February 9th, 2004, 08:54
  4. call [eax+xx]
    By The Keeper in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: June 2nd, 2002, 15:03
  5. how to add a api call ?
    By SpeKKeL in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: October 29th, 2001, 02:13

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •