Immunity Debugger

Immunity Debugger is a Windows debugger designed for vulnerability analysis and exploit development. It’s particularly powerful for finding and exploiting buffer overflows, format string vulnerabilities, and other memory corruption bugs.

Installation

Download and Setup

# Download from Immunity Security
# https://www.immunityinc.com/products/debugger/

# Extract installation
unzip Immunity\ Debugger\ x64.zip

# Run ImmunityDebugger.exe
cd "Immunity Debugger"
./ImmunityDebugger.exe

PyCommand and Plugins

# Install plugins in Immunity
# Copy .py files to: Immunity Debugger\PyCommands\

# Mona.py - exploitation and ROP gadget finder
# Download from: https://github.com/corelan/mona

# Common plugin directories:
# - PyCommands: Custom commands
# - PyHooks: Hooks and breakpoints
# - modules: Additional libraries

Basic Debugging

Attaching to Processes

# Menu: File > Attach
# Or via command window
!attach PID

# Attach to process by name
!attach explorer.exe

# View attached process
!detach    # Disconnect debugger

Setting Breakpoints

; Software breakpoint (INT 3)
; Set via menu: Breakpoints > Software
; Or right-click in disassembly

; Hardware breakpoint (limited to 4)
!bpr address     ; Breakpoint on read
!bpw address     ; Breakpoint on write
!bpx address     ; Breakpoint on execute

; Conditional breakpoints
!bpx address "eax == 0x41414141"    ; Break if eax equals shellcode marker

; Remove breakpoints
!bc all          ; Clear all breakpoints
!bd id           ; Disable breakpoint
!be id           ; Enable breakpoint

Running and Stepping

; Commands in Immunity debugger
F2              ; Set breakpoint
F7              ; Step into
F8              ; Step over
F9              ; Run
Shift+F9        ; Run until user input

Exploit Development Workflow

Finding Overflows

; Monitor stack for pattern
; 1. Generate pattern with Mona
!mona pattern -l 2000       ; Generate 2000-byte pattern

; 2. Feed pattern to vulnerable program
; 3. Analyze crash:
!mona findmsp -distance 2000     ; Find EIP offset

; Output example:
; EIP offset: 1064
; ESP offset: 1068

EIP Control Verification

# Python script to verify EIP control
import socket

pattern = "Aa0Aa1Aa2Aa3..." # Generate with mona
payload = "A" * 1064        # Padding to EIP
payload += "B" * 4          # EIP control (0x42424242)
payload += "C" * (2000 - len(payload))  # Remaining padding

# Test payload
sock = socket.socket()
sock.connect(("target", port))
sock.send(payload)

ROP Gadget Analysis with Mona

; Find ROP gadgets
!mona rop -m "kernel32.dll,ntdll.dll"   ; Find gadgets in specific modules

; Find specific gadget patterns
!mona find -type instr -s "pop eax; ret"

; Generate ROP chain
!mona rop -m "msvcrt.dll,kernel32.dll" -c "win exec cmd.exe"

; Common gadget types:
; - pop reg; ret          (stack pivoting)
; - xchg reg1, reg2; ret  (register setup)
; - mov dword [reg], val; ret (write primitive)

Memory Analysis and Inspection

Viewing Memory

; View memory contents
; Address bar: Enter address (0x401000, eip, esp)

; Common views:
; - CPU window: Disassembly
; - Memory dump: Raw bytes
; - Stack: esp pointer contents
; - Registers: Current register values

; Hex view at address
!dump address        ; Show hex dump

; Search memory
!search byte 41 42 43 44    ; Find byte sequence
!search ascii "malware"     ; Find ASCII string

Stack Analysis

; Display stack
; Default lower pane shows stack

; Stack pivot
; When ESP is not controlled, look for "leave; ret" gadget
; Or "add esp, value; ret" gadgets

; Stack canary bypass
; Look for information leak gadgets
!mona rop -c "leak ebp stack gadgets"

Register Monitoring

; Watch register values
; View > Windows > Info windows > History

; Trace register changes
!trace eax           ; Monitor eax changes
!trace edx, ecx      ; Monitor multiple registers

; Compare register states
; Before/after function calls

Shellcode Development

Null Byte Removal

# Python shellcode encoder - remove nulls
import re

def remove_nulls(shellcode):
    # XOR encoding to eliminate nulls
    null_free = []
    for byte in shellcode:
        if byte == 0x00:
            # Use multi-byte instruction instead
            null_free.extend([0x83, 0xc4, 0x00])  # add esp, 0
    return null_free

# Alternative: Use mona to generate null-free shellcode
# !mona egg -m "malware.exe" -p "eggs" -e xor

Shellcode Testing

; Set EIP to shellcode address
; Restart program with shellcode in memory
; F7/F8 through shellcode execution

; Verify API calls
; Use Log window to see API calls
; View > Windows > Info windows > Log

; Check shellcode output
; Monitor process creation, registry changes, etc.

Advanced Techniques

Format String Exploitation

; Analyze format string vulnerabilities
; Monitor printf-like functions:
!bpx printf
!bpx sprintf
!bpx fprintf

; When breakpoint hit:
; - Check stack for format string
; - Look for %x, %n in string
; - Identify memory read/write gadgets

Heap Analysis

; Monitor heap operations
!bpx malloc
!bpx free
!bpx realloc

; Find heap overflow targets
!mona heap          ; Analyze heap

; Heap spray
; Use mona to generate heap spray
!mona egg -m "module" -p "marker" -e "xor"

SEH (Structured Exception Handling) Exploitation

; SEH chain inspection
; Windows > Info windows > SEH chain

; Find SEH overwrite gadget
!mona seh

; Typical SEH exploit:
; 1. Overflow to reach SEH record
; 2. Overwrite handler with POP-POP-RET gadget
; 3. Next SEH = JMP to shellcode

payload = "A" * offset_to_seh
payload += "pop; pop; ret"  # Handler address
payload += "jmp back"        # Next SEH
payload += shellcode

ASLR Bypass Techniques

; Information leak to defeat ASLR
; Find gadgets that leak addresses
!mona rop -c "leak stack ebp"

; ROP chain to calculate base addresses
; Use known offsets from leaked pointers

; Partial overwrite
; Overwrite lower bytes of address (often static)
!mona rop -m "kernel32" -c "win exec cmd" -b "\x00"

Debugging Scripts and Automation

Python Scripts for Immunity

# Custom script for Immunity Debugger
# Save in PyCommands folder

def main(args):
    # Access debugger API
    imm = Debugger()

    # Get current registers
    registers = imm.getRegs()
    eip = registers["EIP"]
    esp = registers["ESP"]

    # Disassemble at address
    imm.Disasm(eip)

    # Search for gadgets
    for addr in imm.Search("58 c3"):  # pop eax; ret
        imm.Log(f"Found gadget at: 0x{addr:08x}")

    # Modify memory
    imm.writeLong(esp, 0x41414141)

    # Read memory
    data = imm.read(esp, 100)

    return "Script executed"

Breakpoint Automation

# Auto-break on specific condition
def check_condition():
    imm = Debugger()
    regs = imm.getRegs()

    # Break if eax contains user input
    if regs["EAX"] == 0x41414141:
        return True
    return False

# Use in conditional breakpoint
!bpx function_address "check_condition()"

Debugging Common Vulnerabilities

Stack Overflow Detection

; Look for:
; - Buffer copies without bounds checking (strcpy, sprintf)
; - Stack canaries (typical pattern: 0xcccccccc)
; - Saved EBP and return address

; Use pattern to identify overflow amount:
!mona pattern -l buffer_size
!mona findmsp -distance buffer_size

Use-After-Free

; Monitor object lifetime
!bpx free    ; Break on free
!bpx delete  ; Break on delete

; Track object address
; Set watch on freed memory
; Look for access after free

; Vulnerability characteristics:
; - Object freed
; - But pointer still references freed memory
; - Memory reallocated to attacker-controlled data
; - Use-after-free dereference

Integer Overflow

; Monitor arithmetic operations
!bpx mul    ; Multiplication
!bpx imul   ; Signed multiplication
!bpx add    ; Addition

; Check overflow flags
; Look for result smaller than expected
; Bypass size checks using integer overflow

Best Practices

• Iterate incrementally: Test small payload changes
• Monitor all IO: Watch file/network activity
• Use version control: Track exploit version evolution
• Document gadgets: Note gadget locations and function
• Test on multiple versions: Exploit portability testing
• Verify crashes: Ensure reproducible crashes before development

Reference Commands

Command	Purpose
!bpx address	Set execution breakpoint
!bpw address	Break on memory write
!bpr address	Break on memory read
!mona pattern	Generate offset pattern
!mona findmsp	Find EIP offset
!mona rop	Find ROP gadgets
!search	Search memory
!dump	Hex dump memory
!trace	Trace register changes

Related Tools

• OllyDbg: Alternative x86 debugger
• Windbg: Microsoft kernel debugger
• Ghidra: NSA reverse engineering tool
• IDA Pro: Commercial disassembler
• Radare2: Open-source RE framework

---

Last updated: 2026-03-30