Gray Hat Python - Python Programming for Hackers and Reverse Engineers
An introduction to the book "Gray Hat Python - Python Programming for Hackers and Reverse Engineers" by Justin Seitz, published by No Starch Press in 2009. The book is provided in pdf format, in English. "Gray Hat Python - Python Programming for Hackers and Reverse Engineers" is filed under the Uncategorized category.
Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it's easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore. Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools - and how to build your own when the pre-built ones won't cut it.

You'll learn how to:
- Automate tedious reversing and security tasks
- Design and program your own debugger
- Learn how to fuzz Windows drivers and create powerful fuzzers from scratch
- Have fun with code and library injection, soft and hard hooking techniques, and other software trickery
- Sniff secure traffic out of an encrypted web browser session
- Use PyDBG, Immunity Debugger, Sulley, IDAPython, PyEMU, and more

The world's best hackers are using Python to do their handiwork. Shouldn't you?

Contents:
Foreword 15
Acknowledgments 19
Introduction 21
1: Setting Up Your Development Environment 23
1.1 Operating System Requirements 24
1.2 Obtaining and Installing Python 2.5 24
1.2.1 Installing Python on Windows 24
1.2.2 Installing Python for Linux 25
1.3 Setting Up Eclipse and PyDev 26
1.3.1 The Hacker's Best Friend: ctypes 27
1.3.2 Using Dynamic Libraries 28
1.3.3 Constructing C Datatypes 30
1.3.4 Passing Parameters by Reference 31
1.3.5 Defining Structures and Unions 31
2: Debuggers and Debugger Design 35
2.1 General-Purpose CPU Registers 36
2.2 The Stack 38
2.3 Debug Events 40
2.4 Breakpoints 40
2.4.1 Soft Breakpoints 41
2.4.2 Hardware Breakpoints 43
2.4.3 Memory Breakpoints 45
3: Building a Windows Debugger 47
3.1 Debuggee, Where Art Thou? 47
3.2 Obtaining CPU Register State 55
3.2.1 Thread Enumeration 55
3.2.2 Putting It All Together 57
3.3 Implementing Debug Event Handlers 61
3.4 The Almighty Breakpoint 65
3.4.1 Soft Breakpoints 65
3.4.2 Hardware Breakpoints 69
3.4.3 Memory Breakpoints 74
3.5 Conclusion 77
4: PyDbg -- A Pure Python Windows Debugger 79
4.1 Extending Breakpoint Handlers 80
4.2 Access Violation Handlers 82
4.3 Process Snapshots 85
4.3.1 Obtaining Process Snapshots 85
4.3.2 Putting It All Together 87
5: Immunity Debugger -- The Best of Both Worlds 91
5.1 Installing Immunity Debugger 92
5.2 Immunity Debugger 101 92
5.2.1 PyCommands 93
5.2.2 PyHooks 93
5.3 Exploit Development 95
5.3.1 Finding Exploit-Friendly Instructions 95
5.3.2 Bad-Character Filtering 97
5.3.3 Bypassing DEP on Windows 99
5.4 Defeating Anti-Debugging Routines in Malware 103
5.4.1 IsDebuggerPresent 103
5.4.2 Defeating Process Iteration 104
6: Hooking 107
6.1 Soft Hooking with PyDbg 108
6.2 Hard Hooking with Immunity Debugger 112
7: DLL and Code Injection 119
7.1 Remote Thread Creation 120
7.1.1 DLL Injection 121
7.1.2 Code Injection 123
7.2 Getting Evil 126
7.2.1 File Hiding 126
7.2.2 Coding the Backdoor 127
7.2.3 Compiling with py2exe 130
8: Fuzzing 133
8.1 Bug Classes 134
8.1.1 Buffer Overflows 134
8.1.2 Integer Overflows 135
8.1.3 Format String Attacks 136
8.2 File Fuzzer 137
8.3 Future Considerations 144
8.3.1 Code Coverage 144
8.3.2 Automated Static Analysis 144
9: Sulley 145
9.1 Sulley Installation 146
9.2 Sulley Primitives 147
9.2.1 Strings 147
9.2.2 Delimiters 147
9.2.3 Static and Random Primitives 148
9.2.4 Binary Data 148
9.2.5 Integers 148
9.2.6 Blocks and Groups 149
9.3 Slaying WarFTPD with Sulley 151
9.3.1 FTP 101 151
9.3.2 Creating the FTP Protocol Skeleton 152
9.3.3 Sulley Sessions 153
9.3.4 Network and Process Monitoring 154
9.3.5 Fuzzing and the Sulley Web Interface 155
10: Fuzzing Windows Drivers 159
10.1 Driver Communication 160
10.2 Driver Fuzzing with Immunity Debugger 161
10.3 Driverlib - The Static Analysis Tool for Drivers 164
10.3.1 Discovering Device Names 165
10.3.2 Finding the IOCTL Dispatch Routine 166
10.3.3 Determining Supported IOCTL Codes 167
10.4 Building a Driver Fuzzer 169
11: IDAPython -- Scripting IDA Pro 175
11.1 IDAPython Installation 176
11.2 IDAPython Functions 177
11.2.1 Utility Functions 177
11.2.2 Segments 177
11.2.3 Functions 178
11.2.4 Cross-References 178
11.2.5 Debugger Hooks 179
11.3 Example Scripts 180
11.3.1 Finding Dangerous Function Cross-References 180
11.3.2 Function Code Coverage 182
11.3.3 Calculating Stack Size 183
12: PyEmu -- The Scriptable Emulator 185
12.1 Installing PyEmu 186
12.2 PyEmu Overview 186
12.2.1 PyCPU 186
12.2.2 PyMemory 187
12.2.3 PyEmu 187
12.2.4 Execution 187
12.2.5 Memory and Register Modifiers 187
12.2.6 Handlers 188
12.3 IDAPyEmu 193
12.3.1 Function Emulation 194
12.3.2 PEPyEmu 197
12.3.3 Executable Packers 198
12.3.4 UPX Packer 198
12.3.5 Unpacking UPX with PEPyEmu 199
Index 205
Updates 218

Python is the high-level language of choice for hacking, vulnerability discovery, and security research. 'Gray Hat Python' explains the intricacies of using Python to assist in a range of security analysis tasks.