Gray Hat Python

Python Programming for Hackers and Reverse Engineers GRAY HAT PYTHON. Copyright 2009 by Justin Seitz. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10 1-59327-192-1 ISBN-13 978-1-59327-192-3 Publisher William Pollock Production Editor Megan...

DLL Injection

DLL injection has been used for both good and evil for quite some time. Everywhere you look you will see DLL injection occurring. From fancy Windows shell extensions that give you a glittering pony for a mouse cursor to a piece of malware stealing your banking information, DLL injection is everywhere. Even security products inject DLLs to monitor processes for malicious behavior. The nice thing about DLL injection is that we can write a compiled binary, load it into a process, and have it...

Coding the Backdoor

Let's start by building our execution redirection code, which very simply starts up an application of our choosing. The reason it's called execution redirection is because we will name our backdoor calc.exe and move the original calc.exe to a different location. When the user attempts to use the calculator, she will be inadvertently running our backdoor, which in turn will start the proper calculator and thus not alert the user that anything is amiss. Note that we are including the...

Pyemu The Scriptable Emulator

PyEmu was released at BlackHat 20071 by Cody Pierce, one of the talented members of the TippingPoint DVLabs team. PyEmu is a pure Python IA32 emulator that allows a developer to use Python to drive CPU emulation tasks. Using an emulator can be very beneficial for reverse engineering malware, when you don't necessarily want the real malware code to execute. And it can be useful for a whole host of other reverse engineering tasks as well. PyEmu has three methods to enable emulation IDAPyEmu,...

IDAPython Installation

To install IDAPython you first need to download the binary package use the following link Once you have the zip file downloaded, unzip it to a directory of your choosing. Inside the decompressed folder you will see a plugins directory, and contained within it is a file named python.plw. You need to copy python .plw into IDA Pro's plugins directory on a default installation it would be located in C Program FilesMDA plugins. From the decompressed IDAPython folder copy the python directory into...

Unpacking UPX with PEPyEmu

The UPX packer uses a fairly straightforward method for compressing executables it re-creates the executable's entry point so that it points to the unpacking routine and adds two custom sections to the binary. These sections are named UPX0 and UPX1. If you load the compressed executable into Immunity Debugger and examine the memory layout alt-M , you'll see that the executable has a memory map similar to what's shown in Listing 12-3 Listing 12-3 Memory layout of a UPX compressed executable....

Sulley Installation

Before we dig into the nuts and bolts of Sulley, we first have to get it installed and working. I have provided a zipped copy of the Sulley source code for download at Once you have the zip file downloaded, extract it to any location you choose. From the extracted Sulley directory, copy the sulley, utils, and requests folders to C Python25 Lib site-packages . This is all that is required to get the core of Sulley installed. There are a few more prerequisite packages that we must install, and...

Hard Hooking with Immunity Debugger

Now we get to the interesting stuff, the hard hooking technique. This technique is more advanced, but it also has far less impact on the target process because our hook code is written directly in x86 assembly. With the case of the soft hook, there are many events and many more instructions that occur between the time the breakpoint is hit, the hook code gets executed, and the process resumes execution. With a hard hook you are really just extending a particular piece of code to run your hook...

Driver Fuzzing with Immunity Debugger

We can harness Immunity Debugger's hooking prowess to trap valid DeviceIoControl calls before they reach our target driver as a quick-and-dirty mutation-based fuzzer. We will write a simple PyCommand that will trap all DeviceIoControl calls, mutate the buffer that is contained within, log all relevant information to disk, and release control back to the target application. We write the values to disk because a successful fuzzing run when working with drivers means that we will most definitely...

Soft Hooking with PyDbg

The first example we will explore involves sniffing encrypted traffic at the application layer. Normally to understand how a client or server application interacts with the network, we would use a traffic analyzer like Wireshark.1 Unfortunately, Wireshark is limited in that it can only see the data post encryption, which obfuscates the true nature of the protocol we are studying. Using a soft hooking technique, we can trap the data before it is encrypted and trap it again after it has been...

Building a Driver Fuzzer

The first step is to create our IOCTL-dumping PyCommand to run inside Immunity Debugger. Crack open a new Python file, name it ioctl_dump.py, and enter the following code. import pickle import driverlib from immlib import def main args ioctl_list device_list imm Debugger driver driverlib.Driver Grab the list of I0CTL codes and device names 6 For more information on Python pickles, see ioctl_list driver.getIOCTLCodes if not len ioctl_list return ERROR Couldn t find any IOCTL codes. device_list...