Driver Communication

Almost every driver on a Windows system registers with the operating system with a specific device name and a symbolic link that enables user mode to obtain a handle to the driver so that it can communicate with it. We use the CreateFileW call exported from kernel32.dll to obtain this handle. The function prototype looks like the following: HANDLE WINAPI CreateFileW( LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD...

Gray Hat Python

Python Programming for Hackers and Reverse Engineers. GRAY HAT PYTHON. Copyright 2009 by Justin Seitz. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10: 1-59327-192-1. ISBN-13: 978-1-59327-192-3. Publisher: William Pollock. Production Editor: Megan...

The Ida Pro Book

The Unofficial Guide to the World's Most Popular Disassembler Hailed by the creator of IDA Pro as the long-awaited and information-packed guide to IDA, The IDA Pro Book covers everything from the very first steps with IDA to advanced automation techniques. You'll learn to identify known library routines and how to extend IDA to support new processors and filetypes, making disassembly possible for new or obscure architectures. The book also covers the popular plug-ins that make writing IDA...

Locate Pydev Interpreter Centos Eclipse Tutorial

SETTING UP YOUR DEVELOPMENT ENVIRONMENT Before you can experience the art of gray hat Python programming, you must work through the least exciting portion of this book, setting up your development environment. It is essential that you have a solid development environment, which allows you to spend time absorbing the interesting information in this book rather than stumbling around trying to get your code to execute. This chapter quickly covers the installation of Python 2.5, configuring your...

IDAPython Installation

To install IDAPython, you first need to download the binary package using the following link. Once you have the zip file downloaded, unzip it to a directory of your choosing. Inside the decompressed folder you will see a plugins directory, and contained within it is a file named python.plw. You need to copy python.plw into IDA Pro's plugins directory; on a default installation it would be located in C:\Program Files\IDA\plugins. From the decompressed IDAPython folder, copy the python directory into...

Unpacking UPX with PEPyEmu

The UPX packer uses a fairly straightforward method for compressing executables: it re-creates the executable's entry point so that it points to the unpacking routine and adds two custom sections to the binary. These sections are named UPX0 and UPX1. If you load the compressed executable into Immunity Debugger and examine the memory layout (ALT-M), you'll see that the executable has a memory map similar to what's shown in Listing 12-3. Listing 12-3: Memory layout of a UPX compressed executable....

Installing PyEmu

Installing PyEmu is quite simple: just download the zip file from http://www.nostarch.com/ghpython.htm. Once you have the zip file downloaded, extract it to C:\PyEmu. Each time you create a PyEmu script, you will have to set the path to the PyEmu codebase using the following two Python lines. That's it! Now let's dig into the architecture of the PyEmu system and then move into creating some sample scripts.

Sulley Installation

Before we dig into the nuts and bolts of Sulley, we first have to get it installed and working. I have provided a zipped copy of the Sulley source code for download. Once you have the zip file downloaded, extract it to any location you choose. From the extracted Sulley directory, copy the sulley, utils, and requests folders to C:\Python25\Lib\site-packages. This is all that is required to get the core of Sulley installed. There are a few more prerequisite packages that we must install, and...

Driver Fuzzing with Immunity Debugger

We can harness Immunity Debugger's hooking prowess to trap valid DeviceIoControl calls before they reach our target driver as a quick-and-dirty mutation-based fuzzer. We will write a simple PyCommand that will trap all DeviceIoControl calls, mutate the buffer that is contained within, log all relevant information to disk, and release control back to the target application. We write the values to disk because a successful fuzzing run when working with drivers means that we will most definitely...

Soft Hooking with PyDbg

The first example we will explore involves sniffing encrypted traffic at the application layer. Normally, to understand how a client or server application interacts with the network, we would use a traffic analyzer like Wireshark. Unfortunately, Wireshark is limited in that it can only see the data post-encryption, which obfuscates the true nature of the protocol we are studying. Using a soft hooking technique, we can trap the data before it is encrypted and trap it again after it has been...

Network and Process Monitoring

One of the sweetest features of Sulley is its ability to monitor fuzz traffic on the wire as well as handle any crashes that occur on the target system. This is extremely important, because you can map a crash back to the actual network traffic that caused it, which greatly reduces the time it takes to go from crash to working exploit. Both the network- and process-monitoring agents are Python scripts that ship with Sulley and are extremely easy to run. Let's start with the process monitor...

Building a Driver Fuzzer

The first step is to create our IOCTL-dumping PyCommand to run inside Immunity Debugger. Crack open a new Python file, name it ioctl_dump.py, and enter the following code.

    import pickle
    import driverlib
    from immlib import *

    def main(args):
        ioctl_list  = []
        device_list = []
        imm    = Debugger()
        driver = driverlib.Driver()

        # Grab the list of IOCTL codes and device names
        ioctl_list = driver.getIOCTLCodes()
        if not len(ioctl_list):
            return "ERROR: Couldn't find any IOCTL codes."
        device_list...

Footnote 6: For more information on Python pickles, see ...