"Gray Hat Python" is awesome book. This tells us how Python script language helps, extends, and automates reverse engineering and debugging works.
Python and reverse engineering tools presented in this book are almost opensource project (except IDA Pro), so you can begin your Gray-Hat-Python exercize without any moneys, dollers, yens.
But sadly, there's some errors in example script and unexpected runtime-errors. Some of them are purely mistaken, some of them are caused by tools/libs version ups (we can't stop these version ups, because it's open-source.).
So I left my reading memos, covering these errors and how to avoid the effects of version-ups, for every chapter.
First, I recommend that you read the update information on the official "Gray Hat Python" book site:
I bought this book on 2010.06.27. If you buy a newer printing than mine, some of the problems/errors in this article may already have been fixed.
My environment:
OS : Windows XP SP3 Japanese
CPU : Intel Pentium M (Centrino) 1.2GHz
RAM : 1GB
Python : Python 2.5 (MSI installer), C:\Python25\python.exe
  (Python 2.5.2 (r252:60911, Feb 21 2008, 13:11:45) [MSC v.1310 32 bit (Intel)] on win32)
Compiler : Microsoft Visual C++ 2008 Express Edition SP1
> cl
Microsoft(R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
> link
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
How to install PyDbg: see Python/Installing pydasm and pydbg with Python 2.5, WinXP, VC++2008 Express Edition
debugger.attach(...)
debugger.detach()
→
debugger.attach(...)
debugger.run()
debugger.detach()
while 1:
    msvcrt.printf("Loop iteration %d!\n" % counter)
→
while 1:
    msvcrt.printf("Loop iteration %d!\n", counter)
Later, in the Chapter 4 printf_random.py exercise (p. 58), the first version does not work as the book shows, but the second version does.
(This problem has been fixed in the zip archive you can download from the official site.)
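Why the first form fails, as an added example of mine (not code from the book or the official archive), with my own explanation of the cause: with "..." % counter, Python does the formatting, so the C printf receives a single string and no integer argument; the printf_random.py handler reads printf's second argument off the stack, and with the first form there is nothing of the counter there to read or replace. With the second form the counter is passed as a real C argument. The checker below counts the arguments a format string consumes, shows the argument list the callee actually sees (using Python 2's str-to-char* conversion, which is what the book's code relies on), and flags the related hazard of substituting data that contains '%' into the format before the call. The function and variable names are mine.

```python
import re

# C printf conversion specifier: %[flags][width][.precision][length]conversion.
# A '*' width or precision consumes one extra int argument.
_SPEC = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"(?P<length>hh|h|ll|l|L|j|z|t|I64|I32|I)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def printf_arg_count(fmt):
    """Number of variadic arguments a C printf consumes for this format string."""
    if isinstance(fmt, bytes):
        fmt = fmt.decode("latin-1")
    count = 0
    for m in _SPEC.finditer(fmt):
        if m.group("conv") == "%":
            continue                                  # "%%" prints a literal '%'
        count += (m.group("width") == "*") + (m.group("prec") == "*") + 1
    return count


def callee_view(fmt, *args):
    """The C-level argument list printf receives from a ctypes call.

    Mirrors Python 2 ctypes defaults: str/bytes -> char*, int -> int,
    float -> double. Anything else is reported by its Python type name.
    """
    kinds = []
    for value in (fmt,) + args:
        if isinstance(value, (str, bytes)):
            kinds.append("char*")
        elif isinstance(value, bool) or isinstance(value, int):
            kinds.append("int")
        elif isinstance(value, float):
            kinds.append("double")
        else:
            kinds.append(type(value).__name__)
    return kinds


def check_printf_call(fmt, *args):
    """Return (ok, message) for a ctypes-style printf(fmt, *args) call."""
    needed = printf_arg_count(fmt)
    given = len(args)
    if needed == given:
        return True, "format consumes %d argument(s); %d supplied" % (needed, given)
    if needed > given:
        return False, ("format consumes %d argument(s) but only %d supplied: "
                       "printf reads the rest from whatever is on the stack" % (needed, given))
    return False, "%d argument(s) supplied but format consumes only %d" % (given, needed)


def book_versions(counter):
    """The two calls from the errata above, as printf would see them."""
    preformatted = ("Loop iteration %d!\n" % counter,)   # Python already formatted
    c_formatted = ("Loop iteration %d!\n", counter)      # printf does the formatting
    return {
        "preformatted": callee_view(*preformatted),      # ['char*']: no int on the stack
        "c_formatted": callee_view(*c_formatted),        # ['char*', 'int']
    }


if __name__ == "__main__":
    print(book_versions(3))
    print(check_printf_call("Loop iteration %d!\n", 3))
    # Data containing '%' substituted in Python becomes format directives in C:
    print(check_printf_call("Hello %s!\n" % "%x%x"))
```

The last call in the demo is the general lesson behind this erratum: whatever you hand printf as its first argument is parsed for conversions, so data should always travel as a separate argument, never inside the format string.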
Software breakpoints: at this point the original byte overwritten by 0xCC is not restored yet, so the execution flow ends in illegal-instruction errors.
The displayed output messages differ from what you get by typing in the source code from the book.
At this step, download the source code from the official site ( http://nostarch.com/ghpython.htm ) instead.
elif self.exception == EXCEPTION_SINGLE_STEP:
    self.exception_handler_single_step()
→
elif self.exception == EXCEPTION_SINGLE_STEP:
    continue_status = self.exception_handler_single_step()
"DBG_EXCEPTION_NOT_HANDLED" 1st appears, but my_debugger_defines.py downloaded from official site doesn't include this definition.
Add to your my_debugger_defines.py by hand :
DBG_EXCEPTION_NOT_HANDLED = 0x80010001
SIZE_T WINAPI VirtualQuery( HANDLE hProcess, ...
→
SIZE_T WINAPI VirtualQueryEx( HANDLE hProcess, ...
"VirtualQuery()" doesn't take other process handle, but "VirtualQueryEx()" does.
kernel32 = windll.kernel32
pid = int(sys.argv[1])
pid_to_kill = sys.argv[2]
if not sys.argv[1] or not sys.argv[2]:
    print "Code Injector: ./code_injector.py <PID to inject> <PID to Kill>"
    sys.exit(0)
The "sys.argv" check comes too late: sys.argv[1] and sys.argv[2] are indexed before their presence is checked.
→
if len(sys.argv) < 3:
    print "Code Injector: ./codeinjector.py <PID to inject> <PID to kill>"
    sys.exit(0)
kernel32 = windll.kernel32
pid = sys.argv[1]
pid_to_kill = sys.argv[2]
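The same fix, as an added example of mine rather than code from the book or the archive: check the length of argv before indexing it, convert both PIDs to integers up front so a typo fails with the usage text instead of reaching the Windows API, and keep the original ordering in a second function to show the IndexError it produces on a short command line. The function names and the usage text are mine.

```python
import sys

USAGE = "Code Injector: ./code_injector.py <PID to inject> <PID to kill>"


def parse_args(argv):
    """Validate argv before touching any of its elements; return (pid, pid_to_kill).

    Raises SystemExit with the usage text on bad input, so the script exits
    cleanly instead of crashing with IndexError or ValueError.
    """
    if len(argv) < 3:
        raise SystemExit(USAGE)
    try:
        pid, pid_to_kill = int(argv[1]), int(argv[2])
    except ValueError:
        raise SystemExit("PIDs must be integers\n" + USAGE)
    if pid <= 0 or pid_to_kill <= 0:
        raise SystemExit("PIDs must be positive\n" + USAGE)
    return pid, pid_to_kill


def book_order(argv):
    """The original ordering, kept as written, to show why it fails."""
    pid = int(argv[1])                 # IndexError when argv[1] is missing
    pid_to_kill = argv[2]              # IndexError when argv[2] is missing
    if not argv[1] or not argv[2]:     # never reached for a short argv
        raise SystemExit(USAGE)
    return pid, pid_to_kill


if __name__ == "__main__":
    pid, pid_to_kill = parse_args(sys.argv)
    print("inject into %d, kill %d" % (pid, pid_to_kill))
```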
In the book version:
PAGE_EXECUTE_READWRITE = 0x40
...
arg_address = kernel32.VirtualAllocEx( h_process, 0, len(data), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)
This is correct: the memory area that receives injected code must be allocated with an executable protection.
But the zip archive version is wrong:
PAGE_READWRITE = 0x04
...
arg_address = kernel32.VirtualAllocEx( h_process, 0, len(data), VIRTUAL_MEM, PAGE_READWRITE)
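An added example of mine (not from the book or the zip archive) that serves both this item and the VirtualQuery/VirtualQueryEx item above: it decodes Windows page-protection values so the 0x40 versus 0x04 difference is checked rather than assumed, and it walks another process with VirtualQueryEx, the variant that accepts a foreign process handle, to list committed regions that are writable and executable at once, which is what a memory scanner looks for when hunting injected code. The constants are the winnt.h values; the function names, the MEMORY_BASIC_INFORMATION class and the MBI_SIZE constant are mine, and the scan itself only runs on Windows.

```python
import ctypes
import sys

# Page-protection constants from winnt.h. A protection value is one base
# value (low byte) plus optional modifier bits OR'ed in.
PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_WRITECOPY         = 0x08
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD             = 0x100
PAGE_NOCACHE           = 0x200
PAGE_WRITECOMBINE      = 0x400
MEM_COMMIT             = 0x1000

# base value -> (name, readable, writable, executable)
_BASE = {
    PAGE_NOACCESS:          ("PAGE_NOACCESS", False, False, False),
    PAGE_READONLY:          ("PAGE_READONLY", True, False, False),
    PAGE_READWRITE:         ("PAGE_READWRITE", True, True, False),
    PAGE_WRITECOPY:         ("PAGE_WRITECOPY", True, True, False),
    PAGE_EXECUTE:           ("PAGE_EXECUTE", False, False, True),
    PAGE_EXECUTE_READ:      ("PAGE_EXECUTE_READ", True, False, True),
    PAGE_EXECUTE_READWRITE: ("PAGE_EXECUTE_READWRITE", True, True, True),
    PAGE_EXECUTE_WRITECOPY: ("PAGE_EXECUTE_WRITECOPY", True, True, True),
}


def decode_protect(protect):
    """Split a protection value into base name, access bits and modifiers."""
    base = protect & 0xFF
    if base not in _BASE:
        raise ValueError("unknown base protection 0x%02x" % base)
    name, r, w, x = _BASE[base]
    return {
        "name": name, "readable": r, "writable": w, "executable": x,
        "guard": bool(protect & PAGE_GUARD),
        "nocache": bool(protect & PAGE_NOCACHE),
        "writecombine": bool(protect & PAGE_WRITECOMBINE),
    }


def can_hold_code(protect):
    """True if a region allocated with this protection may be executed.
    The book's VirtualAllocEx call (0x40) passes this; the archive's (0x04) fails it."""
    return decode_protect(protect)["executable"]


def is_rwx(protect):
    """Writable and executable at once: the combination memory scanners flag,
    because legitimately loaded code is rarely mapped that way."""
    info = decode_protect(protect)
    return info["writable"] and info["executable"]


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    """Layout VirtualQueryEx fills in; ctypes pads it to 28 (x86) or 48 (x64) bytes."""
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


MBI_SIZE = ctypes.sizeof(MEMORY_BASIC_INFORMATION)


def find_rwx_regions(h_process, max_address=0x7FFFFFFF):
    """Walk another process's address space with VirtualQueryEx (VirtualQuery
    only sees the calling process) and return committed RWX regions as
    (base, size, protection name). Windows only; h_process needs
    PROCESS_QUERY_INFORMATION access. Raise max_address for 64-bit targets."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx exists only on Windows")
    kernel32 = ctypes.windll.kernel32
    VirtualQueryEx = kernel32.VirtualQueryEx
    VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                               ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    VirtualQueryEx.restype = ctypes.c_size_t
    mbi = MEMORY_BASIC_INFORMATION()
    address, hits = 0, []
    while address < max_address:
        if VirtualQueryEx(h_process, address, ctypes.byref(mbi), MBI_SIZE) == 0:
            break                                    # past the last mapped region
        if mbi.State == MEM_COMMIT and is_rwx(mbi.Protect):
            hits.append((mbi.BaseAddress, mbi.RegionSize, decode_protect(mbi.Protect)["name"]))
        address = (mbi.BaseAddress or 0) + mbi.RegionSize
    return hits
```

Setting argtypes and restype explicitly matters on 64-bit Windows: without them ctypes truncates handles and addresses to 32-bit ints, which is the same class of silent mistake as passing the wrong protection constant.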
For backdoor.py, I recommend not trusting the zip version of backdoor.py.
How to install pcapy in my environment with WinPcap 4.1.x: see Python/Compile & Installing Pcapy with latest WinPcap-4.1.x
The book version is correct, but in the zip archive version the double quotation marks became '“' and '”'. This results in:
SyntaxError: Non-ASCII character '\xe2'
→ Fix it by hand, or type in the book version from scratch.
C:\WINDOWS\System32\beep.sys
→ On my Windows XP SP3, beep.sys exists at:
C:\WINDOWS\System32\drivers\beep.sys
(This is NOT a book error, but a driverlib.py error in Immunity Debugger.)
In Nov. 2010, I downloaded Immunity Debugger v1.73.
The driverlib.py included in v1.73 has some log() lines like this:
self.imm.log("...(mes)...", address=...)
These cause errors.
"imm", "immlib.Debugger" class instance, has 2 log methods:
def log(self, msg)
and
def Log(self, msg, address = 0xbadf00d ,highlight = False, gray = False , focus = 0)
"log()" (all small case) takes only 1 string argument, but "Log()" (heading char is large case) takes other default arguments.
Now, grep "log" in your driverlib.py (C:\Program Files\Immunity Inc\Immunity Debugger\Libs\driverlib.py) and replace "log()" to "Log()" if it passes other arguments.
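A way to do that replacement mechanically, as an added example of mine (not Immunity's code): it parses the file with Python's ast module, finds every attribute call named log that passes more than the single msg argument, and renames just those to Log, leaving one-argument log() calls and everything else byte-for-byte untouched. SAMPLE_DRIVERLIB is a constructed stand-in that only reproduces the call shapes described above, not the real driverlib.py; the function names and the script name fix_log_calls.py are mine.

```python
import ast

# Constructed stand-in for the driverlib.py lines described above. This is
# not Immunity's file; it only reproduces the call shapes.
SAMPLE_DRIVERLIB = '''\
class DriverLib:
    def __init__(self, imm):
        self.imm = imm

    def report(self, addr):
        self.imm.log("Found driver entry")
        self.imm.log("Dispatch routine at 0x%08x" % addr, address=addr)
        self.imm.log("Highlighted entry", address=addr, highlight=True)
        self.imm.Log("Already correct", address=addr)
'''


def find_bad_log_calls(source):
    """Return (lineno, end_col) of every attribute call named log that passes
    more than the single msg argument log() accepts."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "log"
                and len(node.args) + len(node.keywords) > 1):
            # node.func spans "self.imm.log"; its end offset sits just after "log"
            hits.append((node.func.end_lineno, node.func.end_col_offset))
    return hits


def fix_log_calls(source):
    """Rewrite those calls to Log() in place, touching nothing else.
    Returns (patched_source, [line numbers changed])."""
    lines = source.splitlines(keepends=True)
    hits = find_bad_log_calls(source)
    for lineno, end_col in hits:
        raw = lines[lineno - 1].encode("utf-8")     # ast column offsets are byte offsets
        assert raw[end_col - 3:end_col] == b"log", raw
        lines[lineno - 1] = (raw[:end_col - 3] + b"Log" + raw[end_col:]).decode("utf-8")
    return "".join(lines), sorted(ln for ln, _ in hits)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_DRIVERLIB
    patched, changed = fix_log_calls(text)
    print("changed lines:", changed)
    print(patched, end="")
```

Run it as python fix_log_calls.py "C:\Program Files\Immunity Inc\Immunity Debugger\Libs\driverlib.py" to print the patched text, then diff it against the original before copying it back. It needs Python 3.8 or later for the end_lineno/end_col_offset attributes, and ast.parse only accepts source the running interpreter can parse, so a file that still contains Python 2 print statements has to be parsed by a Python 2 ast instead; the rewrite logic is the same.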