Tuesday, November 5, 2013

!apilookup - Win32 API Function Reference Locator for ImmunityDebugger

Hidey-ho everyone!

Well, after a long time of being busy with a lot of stuff, I am finally back with a very nice goodie for you. As you have seen, I am a big fan of ImmunityDebugger (but also of the old friend OllyDbg, of course), and after some time I finally decided to get hands-on and make a plug-in.

Let me introduce you to "!apilookup - Win32 API Function Reference Locator for ImmunityDebugger". The aim of this PyCommand is to provide quick access to the Win32 API function references that are commonly needed during a debugging session. Yep! NO MORE Googling "getprocaddress win32 api". Instead, on the ImmunityDebugger command bar just type: !apilookup getprocaddress and you get direct access to the reference for that function. Applause!

Actually, one good point to note is that you don't have to type the whole function name: !apilookup isdebuggerpresent and !apilookup isdebug give back the same results. RegEx r0x XD

For instance:

At this time I am pretty sure you are wondering how the f**k I got Win32.HLP as a .CHM. Well, after a lot of time searching for Win32API.chm with no success, I decided to make it myself. .HLP files are no longer supported on newer versions of Windows, and many of the good old help files, such as those for OllyDbg, ImmDbg and others, are in that format. No PANIC: I have CHM versions of those too, but that is for a different post.
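As an added example (not the plugin's own code, which is not shown on this post), here is a standalone Python sketch of the two pieces described above: the case-insensitive regex lookup that lets a partial name like isdebug hit IsDebuggerPresent, and opening the matching topic inside the CHM through the Windows help viewer. The API index and topic paths are constructed for illustration, the CHM path is an assumption, and hh.exe's mk:@MSITStore: URL form is the standard way to open a topic inside a .chm. A real PyCommand would wrap resolve() in immlib's main(args) and print the result with imm.log(); that wrapper is left out so the logic runs anywhere.

```python
"""Offline Win32 API lookup, mirroring the partial-match behaviour of !apilookup.

Standalone example, not the plugin's own code. The API index below is a
constructed sample; the real plugin reads its index out of Win32API.chm.
"""
import re
import sys

# Constructed sample index: API name -> topic inside the CHM.  Topic paths
# are assumptions for illustration, not the real Win32API.chm layout.
API_INDEX = {
    "GetProcAddress": "/getprocaddress.htm",
    "LoadLibraryA": "/loadlibrarya.htm",
    "IsDebuggerPresent": "/isdebuggerpresent.htm",
    "CheckRemoteDebuggerPresent": "/checkremotedebuggerpresent.htm",
    "VirtualProtect": "/virtualprotect.htm",
}


def compile_query(query):
    """Compile the user's query as a case-insensitive regex.

    A query that is not a valid regex (e.g. an unbalanced '(' typed in a
    hurry on the command bar) is escaped and matched literally instead of
    raising inside the debugger.
    """
    try:
        return re.compile(query, re.IGNORECASE)
    except re.error:
        return re.compile(re.escape(query), re.IGNORECASE)


def lookup(query, index=API_INDEX):
    """Return every API name in the index that the query matches anywhere.

    re.search (not re.match) is what makes '!apilookup isdebug' find
    IsDebuggerPresent: the pattern may hit at any position in the name.
    """
    pattern = compile_query(query)
    return sorted(name for name in index if pattern.search(name))


def hh_command(chm_path, topic):
    """Build the argv that opens one CHM topic in the Windows help viewer.

    hh.exe understands the mk:@MSITStore: URL scheme: <chm path>::<topic>.
    Returned as a list so it can go straight to subprocess without quoting bugs.
    """
    return ["hh.exe", "mk:@MSITStore:%s::%s" % (chm_path, topic)]


def resolve(query, chm_path, index=API_INDEX):
    """Map a query to a single hh.exe command, or report ambiguity.

    Returns (argv, None) for exactly one hit and (None, matches) otherwise,
    so a caller lists the candidates instead of opening the wrong topic.
    """
    matches = lookup(query, index)
    if len(matches) == 1:
        return hh_command(chm_path, index[matches[0]]), None
    return None, matches


if __name__ == "__main__":
    q = sys.argv[1] if len(sys.argv) > 1 else "isdebug"
    # Assumed install location of the converted help file.
    argv, matches = resolve(q, r"C:\ImmunityDebugger\Win32API.chm")
    if argv:
        print(" ".join(argv))
    else:
        print("no single match for %r: %s" % (q, ", ".join(matches) or "(none)"))
```

Ambiguous queries (debuggerpresent hits both IsDebuggerPresent and CheckRemoteDebuggerPresent in the sample index) come back as a candidate list rather than a guess, which is the behaviour you want when the command is fired from a debugger command bar mid-session.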

OK, now that you know how !apilookup works, here is how to get it. ]¬)

Installation steps:
  1. Download the package from my git repo here.
  2. Unrar it and run the executable as Admin. The exe looks malicious, but it is not, promise. XD
  3. Open ImmunityDebugger and in the command bar type: !apilookup <function>
  4. Enjoy!
I know there is an almost identical tool by the master @MarioVilas, which offers online, up-to-date API references, so you may want to use my "off-line" version when you have no Internet access, as in my case when debugging on the bus or from any isolated location.

That's all. Comment and share!