Gray Hat Python

Python Programming for Hackers and Reverse Engineers GRAY HAT PYTHON. Copyright 2009 by Justin Seitz. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10 1-59327-192-1 ISBN-13 978-1-59327-192-3 Publisher William Pollock Production Editor Megan...

Coding the Backdoor

Let's start by building our execution redirection code, which very simply starts up an application of our choosing. The reason it's called execution redirection is because we will name our backdoor calc.exe and move the original calc.exe to a different location. When the user attempts to use the calculator, she will be inadvertently running our backdoor, which in turn will start the proper calculator and thus not alert the user that anything is amiss. Note that we are including the...

Pyemu The Scriptable Emulator

PyEmu was released at BlackHat 2007[1] by Cody Pierce, one of the talented members of the TippingPoint DVLabs team. PyEmu is a pure Python IA32 emulator that allows a developer to use Python to drive CPU emulation tasks. Using an emulator can be very beneficial for reverse engineering malware, when you don't necessarily want the real malware code to execute. And it can be useful for a whole host of other reverse engineering tasks as well. PyEmu has three methods to enable emulation: IDAPyEmu,...

Unpacking UPX with PEPyEmu

The UPX packer uses a fairly straightforward method for compressing executables: it re-creates the executable's entry point so that it points to the unpacking routine and adds two custom sections to the binary. These sections are named UPX0 and UPX1. If you load the compressed executable into Immunity Debugger and examine the memory layout (ALT-M), you'll see that the executable has a memory map similar to what's shown in Listing 12-3.

Listing 12-3: Memory layout of a UPX compressed executable....

Sulley Installation

Before we dig into the nuts and bolts of Sulley, we first have to get it installed and working. I have provided a zipped copy of the Sulley source code for download at Once you have the zip file downloaded, extract it to any location you choose. From the extracted Sulley directory, copy the sulley, utils, and requests folders to C:\Python25\Lib\site-packages. This is all that is required to get the core of Sulley installed. There are a few more prerequisite packages that we must install, and...

Driver Fuzzing with Immunity Debugger

We can harness Immunity Debugger's hooking prowess to trap valid DeviceIoControl calls before they reach our target driver as a quick-and-dirty mutation-based fuzzer. We will write a simple PyCommand that will trap all DeviceIoControl calls, mutate the buffer that is contained within, log all relevant information to disk, and release control back to the target application. We write the values to disk because a successful fuzzing run when working with drivers means that we will most definitely...

Soft Hooking with PyDbg

The first example we will explore involves sniffing encrypted traffic at the application layer. Normally, to understand how a client or server application interacts with the network, we would use a traffic analyzer like Wireshark.[1] Unfortunately, Wireshark is limited in that it can only see the data post-encryption, which obfuscates the true nature of the protocol we are studying. Using a soft hooking technique, we can trap the data before it is encrypted and trap it again after it has been...

Fuzzing and the Sulley Web Interface

Now we are actually going to fire up Sulley, and we'll use its built-in web interface to keep an eye on its progress. To begin, run ftp_session.py, like so

It will begin producing output, as shown here:

    [07:42.47] current fuzz path:  -> user
    [07:42.47] fuzzed 0 of 6726 total cases

If you see this type of output, then life is good. Sulley is busily sending data to the WarFTPD daemon, and if it hasn't reported any errors, then it is also successfully communicating with our monitoring agents. Now let's...

Building a Driver Fuzzer

The first step is to create our IOCTL-dumping PyCommand to run inside Immunity Debugger. Crack open a new Python file, name it ioctl_dump.py, and enter the following code.

    import pickle
    import driverlib
    from immlib import *

    def main(args):

        ioctl_list  = []
        device_list = []

        imm    = Debugger()
        driver = driverlib.Driver()

        # Grab the list of IOCTL codes and device names
        ioctl_list = driver.getIOCTLCodes()
        if not len(ioctl_list):
            return "[*] ERROR! Couldn't find any IOCTL codes."

        device_list...

[6] For more information on Python pickles, see