Gray Hat Python

Python Programming for Hackers and Reverse Engineers. GRAY HAT PYTHON. Copyright 2009 by Justin Seitz. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10: 1-59327-192-1. ISBN-13: 978-1-59327-192-3. Publisher: William Pollock. Production Editor: Megan...

Info

Debuggers are the apple of the hacker's eye. Debuggers enable you to perform runtime tracing of a process, or dynamic analysis. The ability to perform dynamic analysis is absolutely essential when it comes to exploit development, fuzzer assistance, and malware inspection. It is crucial that you understand what debuggers are and what makes them tick. Debuggers provide a whole host of features and functionality that are useful when assessing software for defects. Most come with the ability to...

Coding the Backdoor

Let's start by building our execution redirection code, which very simply starts up an application of our choosing. It is called execution redirection because we will name our backdoor calc.exe and move the original calc.exe to a different location. When the user attempts to use the calculator, she will inadvertently be running our backdoor, which in turn starts the proper calculator and thus does not alert the user that anything is amiss. Note that we are including the...

Locate PyDev Interpreter CentOS Eclipse Tutorial

SETTING UP YOUR DEVELOPMENT ENVIRONMENT

Before you can experience the art of gray hat Python programming, you must work through the least exciting portion of this book: setting up your development environment. It is essential that you have a solid development environment, which allows you to spend time absorbing the interesting information in this book rather than stumbling around trying to get your code to execute. This chapter quickly covers the installation of Python 2.5, configuring your...

Pyemu The Scriptable Emulator

PyEmu was released at BlackHat 2007¹ by Cody Pierce, one of the talented members of the TippingPoint DVLabs team. PyEmu is a pure Python IA32 emulator that allows a developer to use Python to drive CPU emulation tasks. Using an emulator can be very beneficial for reverse engineering malware, when you don't necessarily want the real malware code to execute. And it can be useful for a whole host of other reverse engineering tasks as well. PyEmu has three methods to enable emulation: IDAPyEmu,...

Unpacking UPX with PEPyEmu

The UPX packer uses a fairly straightforward method for compressing executables: it re-creates the executable's entry point so that it points to the unpacking routine and adds two custom sections to the binary. These sections are named UPX0 and UPX1. If you load the compressed executable into Immunity Debugger and examine the memory layout (Alt-M), you'll see that the executable has a memory map similar to what's shown in Listing 12-3.

Listing 12-3: Memory layout of a UPX-compressed executable....

Installing PyEmu

Installing PyEmu is quite simple: just download the zip file from http://www.nostarch.com/ghpython.htm. Once you have the zip file downloaded, extract it to C:\PyEmu. Each time you create a PyEmu script, you will have to set the path to the PyEmu codebase using the following two Python lines. That's it! Now let's dig into the architecture of the PyEmu system and then move into creating some sample scripts.

Sulley Installation

Before we dig into the nuts and bolts of Sulley, we first have to get it installed and working. I have provided a zipped copy of the Sulley source code for download at ... Once you have the zip file downloaded, extract it to any location you choose. From the extracted Sulley directory, copy the sulley, utils, and requests folders to C:\Python25\Lib\site-packages. This is all that is required to get the core of Sulley installed. There are a few more prerequisite packages that we must install, and...

Driver Fuzzing with Immunity Debugger

We can harness Immunity Debugger's hooking prowess to trap valid DeviceIoControl calls before they reach our target driver as a quick-and-dirty mutation-based fuzzer. We will write a simple PyCommand that will trap all DeviceIoControl calls, mutate the buffer that is contained within, log all relevant information to disk, and release control back to the target application. We write the values to disk because a successful fuzzing run when working with drivers means that we will most definitely...

Soft Hooking with PyDbg

The first example we will explore involves sniffing encrypted traffic at the application layer. Normally, to understand how a client or server application interacts with the network, we would use a traffic analyzer like Wireshark.¹ Unfortunately, Wireshark is limited in that it can only see the data post-encryption, which obfuscates the true nature of the protocol we are studying. Using a soft hooking technique, we can trap the data before it is encrypted and trap it again after it has been...

Driver Dispatch Routine Finder For Fuzzing

Access violation handlers, 60; AccessViolationHook, 72; accumulator register, see EAX register; AddBpt function, 158; AllExceptHook, 71; analysis, automated static, 122; anti-debugging routines in malware, 81; appliances, VMware, 2; associating processes, debuggers, 25-33; attaching processes, 26; attacks, format string, 114; automated static analysis, 122; base pointer, EBP register, 15; binary data, Sulley primitives, 126; black-box debuggers, vs. white-box, 13; blocks, Sulley primitives, 127; BpHook, 71...

Building a Driver Fuzzer

The first step is to create our IOCTL-dumping PyCommand to run inside Immunity Debugger. Crack open a new Python file, name it ioctl_dump.py, and enter the following code.

    import pickle
    import driverlib
    from immlib import *

    def main(args):

        ioctl_list  = []
        device_list = []

        imm    = Debugger()
        driver = driverlib.Driver()

        # Grab the list of IOCTL codes and device names
        ioctl_list = driver.getIOCTLCodes()
        if not len(ioctl_list):
            return "ERROR: Couldn't find any IOCTL codes."

        device_list...

6 For more information on Python pickles, see ...