Gray Hat Python

Gray Hat Python

Python Programming for Hackers and Reverse Engineers
by Justin Seitz
April 2009, 216 pp.
ISBN-13: 
978-1-59327-192-3

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it's easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools - and how to build your own when the pre-built ones won't cut it.

You'll learn how to:

  • Automate tedious reversing and security tasks
  • Design and program your own debugger
  • Learn how to fuzz Windows drivers and create powerful fuzzers from scratch
  • Have fun with code and library injection, soft and hard hooking techniques, and other software trickery
  • Sniff secure traffic out of an encrypted web browser session
  • Use PyDBG, Immunity Debugger, Sulley, IDAPython, PyEMU, and more

The world's best hackers are using Python to do their handiwork. Shouldn't you?

Author Bio 

Justin Seitz is a Senior Security Researcher for Immunity, Inc., where he spends a great deal of time bughunting, reverse engineering, and doing Python development and malware analysis.

Table of contents 

Introduction

Chapter 1: Setting Up Your Development Environment
Chapter 2: Debuggers and Debugger Design
Chapter 3: Building a Windows Debugger
Chapter 4: PYDBG: A Pure Python Windows Debugger
Chapter 5: Immunity Debugger: The Best of Both Worlds
Chapter 6: Hooking
Chapter 7: DLL and Code Injection
Chapter 8: Fuzzing
Chapter 9: Sulley
Chapter 10: Fuzzing Windows Drivers
Chapter 11: IDAPython—Scripting IDAPro
Chapter 12: Pyemu—The Scriptable Emulator

Index

View the detailed Table of Contents (PDF)
View the Index (PDF)

Reviews 

"I can recommend Gray Hat Python to all people who want to get an overview of hacking tools and hacking techniques that make use of Python. It is a no-nonsense book which follows a simple recipe: give a brief overview of a hacking technique and then dive straight into a real-world example."
The-Interweb.com (Read More)

"A headfirst dive into the day-to-day coding all app pentesters end up doing."
Thomas Ptacek

Gray Hat Python "succeeded in showing me with relative ease how a trained security researcher or determined hacker could use relatively straightforward Python scripts to infiltrate the most prevalent consumer operating system today."
Dr. Dobb's CodeTalk (Read More)

"Justin does a great job elaborating the code examples used throughout [Gray Hat Python]. . . Chapter 3 is just downright awesome."
Carnal0wnage (Read More)

Gray Hat Python "is a must for all people who deal with security on a technical level."
Geek at Large (Read More)

"This book was a joy to read."
Kramses blog (Read More)

Gray Hat Python "is really well-written and has a nice structure which is common among No Starch Press books; that is, more code less talk."
Xorl.wordpress.com (Read More)

"If you use python for your day-to-day scripting and perform some reverse engineering/debugging/fuzzing tasks, then this definitely a book that is bound to catch your attention."
int 2Eh (Read More)

"I recommend the book. . . It's a good book to help security engineers use python to begin analyzing software vulnerabilities. Primarily it's a book about using python to debug and to a lesser degree fuzz. It's a good insight into how Immunity does things and will help you look at CANVAS code a little easier. For that alone it's definitely worth buying."
cyberwart (Read More)

Updates 

Page 31:
In function attach(): remove the self.run()

Page 31:
In function "open_process" the parameters need to be flipped
so that it reads like this: "kernel32.OpenProcess( PROCESS_ALL_ACCESS,
False, pid)

Page 37:
In function enumerate_threads(): the following two lines need
to be indented BACK to be in line with the "while success:" line

kernel32.CloseHandle(snapshot)
return thread_list

Page 37:
The declaration "def get_thread_context( self, thread_id ):"
needs to be changed to "def get_thread_context( self,thread_id=None,
h_thread=None)"

Page 37:
The get_thread_context function should include a check if the h_thread
parameter isn't passed to it:

def get_thread_context(self, thread_id=None, h_thread=None):
context = CONTEXT()
context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS

if not h_thread:
self.open_thread(thread_id)

Page 42:
In function get_debug_event() the line that reads:
"self.context = self.get_thread_context(self.h_thread)" needs to be
changed to "self.context = self.get_thread_context(h_thread=self.h_thread)"

Page 42:
In function get_debug_event(): all the lines from "if
exception == EXCEPTION_ACCESS_VIOLATION:" to "print "Single Stepping""
need to be indented IN so they are inside the "if
debug_event.dwDebugEventCode == EXCEPTION_DEBUG_EVENT:"

Page 42:
In function get_debug_event(): all instances of "ec" variable
should be changed to "exception"

Page 42:
The function declaration "def exception_handler_breakpoint()"
needs to include the "self" parameter, like so: "def
exception_handler_breakpoint(self)"

Page 44:
The function bp_set(), the line "self.breakpoints[address] =
(address,original_byte) needs to be changed to
"self.breakpoints[address] = (original_byte)

Page 48:
In function bp_set_hw() the lines starting at "if available ==
0:" and ending at "kernel32.SetThreadContext( h_thread, byref(context))"
need to be indented IN so that they are inside the preceding "for
thread_id in self.enumerate_threads():" loop