Immunity Debugger's interfaces include the GUI and a command line. The command line is always available at the bottom of the GUI. It allows the user to type shortcuts as if they were in a typical text-based debugger, such as WinDBG or GDB. Immunity has implemented aliases to ensure that your WinDBG users do not have to be retrained and will get the full productivity boost that comes from the best debugger interface on the market.
Immunity Debugger's Python API includes many useful utilities and functions. Your scripts can be as integrated into the debugger as the native code. This means your code can create custom tables, graphs, and interfaces of all sorts that remain within the Immunity Debugger user experience. For example, when the Immunity SafeSEH script runs, it outputs the results into a table within the Immunity Debugger window.
Often you will want to run a Python script on certain program events, for example when a breakpoint is hit or an exception is caused. Immunity Debugger's hook support includes many debugger events, and more are added with every release.
Immunity Debugger strives to absorb as few resources on the system as possible. Being too CPU-heavy will cause heap overflows and other complex vulnerabilities to behave differently than they would under normal load. Likewise, fuzzing and other vulnerability analysis is only possible when the debugger is not causing undue system strain.
Most debuggers offer only one method to allow you to attach to a process of interest - the pid and the process name. Immunity Debugger offers the pid, process name, services within that process, TCP/UDP ports listened to by that process, complete binary name, and window name. This allows quick and easy access to the exact process you wish to analyze.
The Just-In-Time Debugger gives you the option to launch Visual Studio to debug the error. You must have Visual Studio or another selected debugger installed to view detailed information about the error or try to debug it.
Before we look at IDA Pro (Free), Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG), we must first understand the difference between a debugger and a disassembler. I have heard these terms used interchangeably, but they are two separate tools. A disassembler takes a binary and breaks it down into human-readable assembly. With a disassembler you can take a binary and see exactly how it functions (static analysis), whereas with a debugger we can step through, break on and edit the assembly while it is executing (dynamic analysis).
ImmDBG is another graphical user-mode debugger that is exactly like OllyDBG. The main difference is that ImmDBG uses Python as its scripting/plugin language. Another difference is the annoying ad in the top right-hand corner of the main window. Personally, ImmDBG is my favorite. Coming from a Python background, the ability to script simple, repetitive tasks is great. This makes reversing large binaries a bit easier on the eyes. The other huge plus for ImmDBG is the !pvefindaddr plug-in written by Peter Van Eeckhoutte. With its focus on exploitation, this plug-in simplifies a great deal of the process!
I remember MacsBug as a system-wide debugger "INIT". It could be activated by pressing the NMI button on the programmer's switch on real hardware (or else by keyboard with Cmd-PowerOn, if I remember right).
To debug D programs you need to use a debugger that understands the format of the debug symbol information that your chosen compiler produces. The quality of the debug symbol information may vary depending on which compiler you use and its underlying debug format. For example, some compiler configurations may present the names of variables and/or functions in their C-mangled form instead of the natural D name.
Some video resources on learning debugging can be found here: Debugging with GDB (Linux demonstration), Debugging with lldb (Mac demonstration with LDC2 and DMD). (Note: as the quality of debug information improves, you may get more information and abilities through your debugger over time.) Please visit the Tutorials, which may contain further resources.
User-defined textual identifiers, such as variable names, label names and macros, are removed by the assembly process. They may still be present in generated object files, for use by tools like debuggers and relocating linkers, but the direct connection is lost and re-establishing that connection requires more than a mere disassembler. Small constants in particular may have more than one possible name. Operating system calls (like DLLs in MS-Windows, or syscalls in Unices) may be reconstructed, as their names appear in a separate segment or are known beforehand. Many disassemblers allow the user to attach a name to a label or constant based on their understanding of the code. These identifiers, in addition to comments in the source file, help to make the code more readable to a human and can also offer clues about the purpose of the code. Without these comments and identifiers, it is harder to understand the purpose of the source code, and it can be difficult to determine the algorithm being used by that code. When you combine this problem with the possibility that the code you are trying to read may, in reality, be data (as outlined above), it can be even harder to determine what is going on. Another challenge is posed by modern optimising compilers: they inline small subroutines and then combine instructions across call and return boundaries. This loses valuable information about the way the program is structured.
IDA, the Interactive DisAssembler, is the undisputed king among tools used in reverse engineering. IDA is a disassembler and debugger with built-in code analysis for over 60 types of processors. It has its own scripting language, a large base of signatures for the most popular programming libraries, and support for plug-ins that further extend its functionality, e.g. by adding support for Python scripts.
Every programmer sooner or later gets to know how the debugger in their favourite programming environment works. With a debugger we can track an application as it runs in real time, see how instructions affect the contents of memory or variables, and detect potential errors. However, debugging our own software, where we have the source code and usually debug high-level code straight from the programming environment, is a piece of cake compared to debugging an application without access to its source code. This is where dedicated debuggers with advanced analysis of binary application structures come in handy, but using them requires knowledge of low-level languages as well as a basic understanding of the processor for which the application was compiled.
This is the de facto standard debugger for Windows in the world of reverse engineering (alongside the built-in debugger of the IDA disassembler). It can analyze application code and allows interference with almost every aspect of a running application.
Other interesting features of OllyDbg include conditional code tracing and a vast plugin database, including plugins that hide its presence from anti-debug methods (the Phant0m plugin) and plugins that allow the debugger to be controlled from scripts (the ODbgScript plugin); such scripts, most often used for unpacking applications, come in the hundreds.
The popularity of OllyDbg is obvious from the fact that no other debugger, including the legendary SoftICE system debugger, has had as many plugins and modified versions as OllyDbg. Interestingly, a special version of OllyDbg was created under the name Immunity Debugger, with built-in Python script support, meant for analyzing malware and creating exploits.
x64dbg is basically two debuggers, one dedicated to debugging 64-bit software and the other to 32-bit applications. It features a modern interface, plenty of configuration options, and an internal engine based on modern programming libraries such as TitanEngine, Capstone Engine and Keystone Engine.
The number of supported features is really impressive: plugins, a built-in scripting language, Yara signature scanning, a built-in decompiler and many more. Its development is also very active. Given that the 64-bit OllyDbg never left the development stage, x64dbg has become the de facto standard debugger for 64-bit applications.
A debugger for .NET Framework applications. It is quite a robust tool, but sometimes invaluable. It looks a bit like the Visual Studio built-in debugger. I'm mentioning it only because it is one of very few debuggers for .NET applications that work without access to source code; there are also plugins for .NET Reflector for the purpose of debugging (the Deblector plugin).
If you have analyzed your application in a disassembler and traced its execution in a debugger, you may need to interfere with the program code in order to apply corrections, change some text strings, fix values, or alter other information included in the application's binary file.
Analysis of unknown software can be risky, especially when we have to run the software: simply doing so under a debugger can end badly if the software runs a background thread that installs a rootkit or other malware. It is a good idea to be protected against such accidents and to run suspicious software under the supervision of a virtual machine.
For deeper analysis, you are entering reverse engineering territory and you will have to learn to use a debugger. There is even a Stack Exchange site devoted to reversing. Examples are: Immunity, Ollydbg, IDA, and WinDBG. A debugger is what a malware analyst would use. (I am just name dropping here. I have no experience with any debugger.)