• Foreword

  Page XIII

• Acknowledgments

  Page XVII

• Introduction

  Page XIX

• + 1: Setting Up Your Development Environment

  Page 1

  • 1.1 Operating System Requirements

    Page 2

  • + 1.2 Obtaining and Installing Python 2.5

    Page 2

    • 1.2.1 Installing Python on Windows

      Page 2

    • 1.2.2 Installing Python for Linux

      Page 3

  • + 1.3 Setting Up Eclipse and PyDev

    Page 4

    • 1.3.1 The Hacker’s Best Friend: ctypes

      Page 5

    • 1.3.2 Using Dynamic Libraries

      Page 6

    • 1.3.3 Constructing C Datatypes

      Page 8

    • 1.3.4 Passing Parameters by Reference

      Page 9

    • 1.3.5 Defining Structures and Unions

      Page 9

• + 2: Debuggers and Debugger Design

  Page 13

  • 2.1 General-Purpose CPU Registers

    Page 14

  • 2.2 The Stack

    Page 16

  • 2.3 Debug Events

    Page 18

  • + 2.4 Breakpoints

    Page 18

    • 2.4.1 Soft Breakpoints

      Page 19

    • 2.4.2 Hardware Breakpoints

      Page 21

    • 2.4.3 Memory Breakpoints

      Page 23

• + 3: Building a Windows Debugger

  Page 25

  • 3.1 Debuggee, Where Art Thou?

    Page 25

  • + 3.2 Obtaining CPU Register State

    Page 33

    • 3.2.1 Thread Enumeration

      Page 33

    • 3.2.2 Putting It All Together

      Page 35

  • 3.3 Implementing Debug Event Handlers

    Page 39

  • + 3.4 The Almighty Breakpoint

    Page 43

    • 3.4.1 Soft Breakpoints

      Page 43

    • 3.4.2 Hardware Breakpoints

      Page 47

    • 3.4.3 Memory Breakpoints

      Page 52

  • 3.5 Conclusion

    Page 55

• + 4: PyDbg -- A Pure Python Windows Debugger

  Page 57

  • 4.1 Extending Breakpoint Handlers

    Page 58

  • 4.2 Access Violation Handlers

    Page 60

  • + 4.3 Process Snapshots

    Page 63

    • 4.3.1 Obtaining Process Snapshots

      Page 63

    • 4.3.2 Putting It All Together

      Page 65

• + 5: Immunity Debugger -- The Best of Both Worlds

  Page 69

  • 5.1 Installing Immunity Debugger

    Page 70

  • + 5.2 Immunity Debugger 101

    Page 70

    • 5.2.1 PyCommands

      Page 71

    • 5.2.2 PyHooks

      Page 71

  • + 5.3 Exploit Development

    Page 73

    • 5.3.1 Finding Exploit-Friendly Instructions

      Page 73

    • 5.3.2 Bad-Character Filtering

      Page 75

    • 5.3.3 Bypassing DEP on Windows

      Page 77

  • + 5.4 Defeating Anti-Debugging Routines in Malware

    Page 81

    • 5.4.1 IsDebuggerPresent

      Page 81

    • 5.4.2 Defeating Process Iteration

      Page 82

• + 6: Hooking

  Page 85

  • 6.1 Soft Hooking with PyDbg

    Page 86

  • 6.2 Hard Hooking with Immunity Debugger

    Page 90

• + 7: DLL and Code Injection

  Page 97

  • + 7.1 Remote Thread Creation

    Page 98

    • 7.1.1 DLL Injection

      Page 99

    • 7.1.2 Code Injection

      Page 101

  • + 7.2 Getting Evil

    Page 104

    • 7.2.1 File Hiding

      Page 104

    • 7.2.2 Coding the Backdoor

      Page 105

    • 7.2.3 Compiling with py2exe

      Page 108

• + 8: Fuzzing

  Page 111

  • + 8.1 Bug Classes

    Page 112

    • 8.1.1 Buffer Overflows

      Page 112

    • 8.1.2 Integer Overflows

      Page 113

    • 8.1.3 Format String Attacks

      Page 114

  • 8.2 File Fuzzer

    Page 115

  • + 8.3 Future Considerations

    Page 122

    • 8.3.1 Code Coverage

      Page 122

    • 8.3.2 Automated Static Analysis

      Page 122

• + 9: Sulley

  Page 123

  • 9.1 Sulley Installation

    Page 124

  • + 9.2 Sulley Primitives

    Page 125

    • 9.2.1 Strings

      Page 125

    • 9.2.2 Delimiters

      Page 125

    • 9.2.3 Static and Random Primitives

      Page 126

    • 9.2.4 Binary Data

      Page 126

    • 9.2.5 Integers

      Page 126

    • 9.2.6 Blocks and Groups

      Page 127

  • + 9.3 Slaying WarFTPD with Sulley

    Page 129

    • 9.3.1 FTP 101

      Page 129

    • 9.3.2 Creating the FTP Protocol Skeleton

      Page 130

    • 9.3.3 Sulley Sessions

      Page 131

    • 9.3.4 Network and Process Monitoring

      Page 132

    • 9.3.5 Fuzzing and the Sulley Web Interface

      Page 133

• + 10: Fuzzing Windows Drivers

  Page 137

  • 10.1 Driver Communication

    Page 138

  • 10.2 Driver Fuzzing with Immunity Debugger

    Page 139

  • + 10.3 Driverlib-The Static Analysis Tool for Drivers

    Page 142

    • 10.3.1 Discovering Device Names

      Page 143

    • 10.3.2 Finding the IOCTL Dispatch Routine

      Page 144

    • 10.3.3 Determining Supported IOCTL Codes

      Page 145

  • 10.4 Building a Driver Fuzzer

    Page 147

• + 11: IDAPython -- Scripting IDA Pro

  Page 153

  • 11.1 IDAPython Installation

    Page 154

  • + 11.2 IDAPython Functions

    Page 155

    • 11.2.1 Utility Functions

      Page 155

    • 11.2.2 Segments

      Page 155

    • 11.2.3 Functions

      Page 156

    • 11.2.4 Cross-References

      Page 156

    • 11.2.5 Debugger Hooks

      Page 157

  • + 11.3 Example Scripts

    Page 158

    • 11.3.1 Finding Dangerous Function Cross-References

      Page 158

    • 11.3.2 Function Code Coverage

      Page 160

    • 11.3.3 Calculating Stack Size

      Page 161

• + 12: PyEmu -- The Scriptable Emulator

  Page 163

  • 12.1 Installing PyEmu

    Page 164

  • + 12.2 PyEmu Overview

    Page 164

    • 12.2.1 PyCPU

      Page 164

    • 12.2.2 PyMemory

      Page 165

    • 12.2.3 PyEmu

      Page 165

    • 12.2.4 Execution

      Page 165

    • 12.2.5 Memory and Register Modifiers

      Page 165

    • 12.2.6 Handlers

      Page 166

  • + 12.3 IDAPyEmu

    Page 171

    • 12.3.1 Function Emulation

      Page 172

    • 12.3.2 PEPyEmu

      Page 175

    • 12.3.3 Executable Packers

      Page 176

    • 12.3.4 UPX Packer

      Page 176

    • 12.3.5 Unpacking UPX with PEPyEmu

      Page 177

• Index

  Page 183

• Updates

  Page 196

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it's easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools - and how to build your own when the pre-built ones won't cut it.

You'll learn how to:

* Automate tedious reversing and security tasks
* Design and program your own debugger
* Learn how to fuzz Windows drivers and create powerful fuzzers from scratch
* Have fun with code and library injection, soft and hard hooking techniques, and other software trickery
* Sniff secure traffic out of an encrypted web browser session
* Use PyDBG, Immunity Debugger, Sulley, IDAPython, PyEMU, and more

The world's best hackers are using Python to do their handiwork. Shouldn't you?