
Python/Gray Hat Python : reader's memo

id: 16 owner: msakamoto-sf    created at: 2010-11-04 10:36:10
category: Python x86 

"Gray Hat Python" is awesome book. This tells us how Python script language helps, extends, and automates reverse engineering and debugging works.
Python and reverse engineering tools presented in this book are almost opensource project (except IDA Pro), so you can begin your Gray-Hat-Python exercize without any moneys, dollers, yens.

But sadly, there's some errors in example script and unexpected runtime-errors. Some of them are purely mistaken, some of them are caused by tools/libs version ups (we can't stop these version ups, because it's open-source.).
So I left my reading memos, covering these errors and avoiding affections from version-ups per every chapters.

And 1st, I reccomend you to read update informations from official "Gray Hat Python" book site:

I bought this book at 2010.06.27. If you buy newer version than me, some problems/errors in this article may have been fixed.

My environment:

OS : Windows XP SP3 Japanese
CPU : Intel Pentium M (Centrino) 1.2GHz
RAM : 1GB
Python : Python 2.5 (MSI installer), C:\Python25\python.exe
(Python 2.5.2 (r252:60911, Feb 21 2008, 13:11:45) [MSC v.1310 32 bit (Intel)] on win32)

Compiler : Microsoft Visual C++ 2008 Express Edition SP1
> cl 
Microsoft(R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.
> link
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.

Chapter 3 : BUILDING A WINDOWS DEBUGGER

How to install PyDBG: see Python/Installing pydasm and pydbg with Python 2.5, WinXP, VC++2008 Express Edition

32p, my_test.py

Book version:

debugger.attach(...)
debugger.detach()

Fixed version (call run() between attach and detach):

debugger.attach(...)
debugger.run()
debugger.detach()

46p, printf_loop.py

Book version:

while 1:
    msvcrt.printf("Loop iteration %d!\n" % counter)

Fixed version (pass counter as a separate printf argument instead of pre-formatting the string in Python):

while 1:
    msvcrt.printf("Loop iteration %d!\n", counter)

Later, in the Chapter 4 exercise printf_random.py (58p), the upper version does not work as the book shows, but the second version works.
(This problem has been fixed in the zip archive downloadable from the official site.)

46p - 47p, 0xCC is not restored

At this point in the chapter, the software breakpoint byte (0xCC) is not yet restored after the breakpoint is hit, so the target's execution flow becomes illegal and it crashes with errors.
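To see why a missing restore breaks the target, here is an added example of my own (not code from the book or from this memo). It simulates the breakpoint bookkeeping with a bytearray standing in for process memory and a toy CPU that only knows a few one- and two-byte instructions. The class and method names (Debugger, bp_set, exception_handler_breakpoint, demo) are mine and only mirror the shape of the book's my_debugger.py; the program bytes are constructed for the example.

```python
# Added example: software-breakpoint set/restore bookkeeping, simulated offline.
INT3 = 0xCC
NOP, ADD, HLT = 0x02, 0x01, 0xF4      # toy opcodes; ADD consumes a one-byte immediate

class Debugger(object):
    def __init__(self, memory):
        self.memory = memory           # bytearray standing in for the target's memory
        self.breakpoints = {}          # address -> original byte, as in the book's my_debugger.py
        self.eip = 0
        self.hits = []

    def bp_set(self, address):
        """Save the original byte and overwrite it with INT3 (the book's bp_set does this part)."""
        if address not in self.breakpoints:
            self.breakpoints[address] = self.memory[address]
            self.memory[address] = INT3
        return True

    def exception_handler_breakpoint(self, restore):
        """Runs when the toy CPU traps on INT3; EIP already points one past the 0xCC byte.
        restore=True: write the original byte back and rewind EIP by one so the
        overwritten instruction executes as written.
        restore=False: mimic the chapter's unfinished handler and just continue."""
        bp_address = self.eip - 1
        self.hits.append(bp_address)
        if restore and bp_address in self.breakpoints:
            self.memory[bp_address] = self.breakpoints.pop(bp_address)
            self.eip = bp_address
        return "DBG_CONTINUE"

    def run(self, restore=True, max_steps=64):
        """Toy CPU loop. Returns (status, accumulator)."""
        acc = 0
        for _ in range(max_steps):
            if self.eip >= len(self.memory):
                return "OUT_OF_BOUNDS", acc
            opcode = self.memory[self.eip]
            self.eip += 1
            if opcode == INT3:
                self.exception_handler_breakpoint(restore)
            elif opcode == NOP:
                pass
            elif opcode == ADD:
                acc += self.memory[self.eip]
                self.eip += 1
            elif opcode == HLT:
                return "HALTED", acc
            else:
                # the CPU decoded an operand byte as an opcode: the "illegal" flow the memo describes
                return "ILLEGAL_INSTRUCTION at 0x%x" % (self.eip - 1), acc
        return "TIMEOUT", acc

def demo(restore):
    """Constructed program: NOP; ADD 5; NOP; ADD 7; HLT, with a breakpoint on the first ADD.
    Returns (status, accumulator, debugger) so the end state can be inspected."""
    program = bytearray([NOP, ADD, 0x05, NOP, ADD, 0x07, HLT])
    dbg = Debugger(program)
    dbg.bp_set(1)
    status, acc = dbg.run(restore=restore)
    return status, acc, dbg
```

With restore=True the program halts normally with the accumulator at 12; with restore=False the CPU resumes on the immediate byte 0x05 that followed the overwritten ADD opcode and reports an illegal instruction at address 0x2, which is the same failure mode the memo describes for a real target, only there the "immediate" is whatever bytes happen to follow the patched instruction.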

46p - 47p, output messages

The messages displayed are different from what you get by typing in the source code from the book.
At this step, you should download the source code from the official site ( http://nostarch.com/ghpython.htm ).

49p, my_debugger.py

Book version:

elif self.exception == EXCEPTION_SINGLE_STEP:
    self.exception_handler_single_step()

Fixed version (keep the handler's return value as the continue status):

elif self.exception == EXCEPTION_SINGLE_STEP:
    continue_status = self.exception_handler_single_step()

50p, my_debugger.py

"DBG_EXCEPTION_NOT_HANDLED" first appears here, but the my_debugger_defines.py downloaded from the official site does not include this definition.
Add it to your my_debugger_defines.py by hand:

DBG_EXCEPTION_NOT_HANDLED = 0x80010001

53p, "VirtualQuery" prototype

Book version:

SIZE_T WINAPI VirtualQuery(
    HANDLE hProcess,
    ...

Fixed version:

SIZE_T WINAPI VirtualQueryEx(
    HANDLE hProcess,
    ...

"VirtualQuery()" does not take a handle to another process, but "VirtualQueryEx()" does.

Chapter 7 : DLL AND CODE INJECTION

102p, code_injection.py

Book version:

kernel32      = windll.kernel32
pid           = int(sys.argv[1])
pid_to_kill   = sys.argv[2]

if not sys.argv[1] or not sys.argv[2]:
    print "Code Injector: ./code_injector.py <PID to inject> <PID to Kill>"
    sys.exit(0)

The "sys.argv" check comes too late: sys.argv[1] and sys.argv[2] are indexed before the check, so a missing argument raises IndexError instead of printing the usage message. Fixed version:

if len(sys.argv) < 3:
    print "Code Injector: ./codeinjector.py <PID to inject> <PID to kill>"
    sys.exit(0)

kernel32 = windll.kernel32
pid = int(sys.argv[1])
pid_to_kill = sys.argv[2]

106p, backdoor.py

In the book version:

PAGE_EXECUTE_READWRITE = 0x40
...
    arg_address = kernel32.VirtualAllocEx(
        h_process, 0, len(data), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE)

This is correct. The memory area that receives injected code must be allocated with the executable flag (with DEP enabled, executing from a PAGE_READWRITE region raises an access violation).

But the zip archive version is wrong:

PAGE_READWRITE     =     0x04
...
    arg_address = kernel32.VirtualAllocEx(
        h_process, 0, len(data), VIRTUAL_MEM, PAGE_READWRITE)

For backdoor.py, I recommend not trusting the zip version.
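The page-protection value is also what a defender keys on. The following is an added example of my own (not code from the book or this memo) that decodes the PAGE_* constant passed to VirtualAllocEx and flags executable cross-process allocations, especially when WriteProcessMemory and CreateRemoteThread follow for the same target PID. The API-trace lines and their "caller_pid Api(key=value, ...)" layout are constructed for the example and are not the format of any real tracing tool; the constants are the winnt.h values.

```python
# Added example: detecting the remote-injection pattern from an API trace.
import re

# Windows memory-protection constants (winnt.h); the book only uses 0x04 and 0x40.
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                   PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

def is_executable(protect):
    """True if the low byte of a PAGE_* value carries any execute right
    (modifiers such as PAGE_GUARD live in the high byte and are ignored)."""
    return bool(protect & EXECUTABLE_MASK)

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$')
NUM_RE = re.compile(r'^(0x[0-9a-fA-F]+|\d+)$')

def parse_line(line):
    """Parse 'caller_pid Api(k=v, k=v)' into (caller_pid, api, {k: v}); numeric values become ints."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for pair in m.group('args').split(','):
        if '=' not in pair:
            continue
        k, v = [s.strip() for s in pair.split('=', 1)]
        args[k] = int(v, 0) if NUM_RE.match(v) else v
    return int(m.group('pid')), m.group('api'), args

def detect_injection(lines):
    """Return one alert per (caller, target) pair that allocated executable memory
    in another process; each alert lists which follow-up steps were also seen."""
    state = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        caller, api, args = parsed
        target = args.get('target_pid')
        if target is None or target == caller:
            continue   # not cross-process: out of scope for this heuristic
        key = (caller, target)
        if api == 'VirtualAllocEx' and is_executable(args.get('protect', 0)):
            state[key] = {'caller': caller, 'target': target,
                          'protect': args['protect'], 'steps': ['VirtualAllocEx']}
        elif api in ('WriteProcessMemory', 'CreateRemoteThread') and key in state:
            state[key]['steps'].append(api)
    return [alert for _, alert in sorted(state.items())]

# Constructed trace: one full injection sequence, one RW-only remote allocation, one self-allocation.
SAMPLE_TRACE = [
    "4242 OpenProcess(access=0x1F0FFF, target_pid=1000)",
    "4242 VirtualAllocEx(target_pid=1000, size=0x200, alloc=0x3000, protect=0x40)",
    "4242 WriteProcessMemory(target_pid=1000, size=0x200)",
    "4242 CreateRemoteThread(target_pid=1000, start=0x00A30000)",
    "5151 VirtualAllocEx(target_pid=2000, size=0x1000, alloc=0x3000, protect=0x04)",
    "5151 WriteProcessMemory(target_pid=2000, size=0x1000)",
    "6161 VirtualAllocEx(target_pid=6161, size=0x1000, alloc=0x3000, protect=0x40)",
]
```

Running detect_injection(SAMPLE_TRACE) yields a single alert for caller 4242 against target 1000 with all three steps, while the PAGE_READWRITE allocation by 5151 (exactly the zip archive's mistake) and the in-process allocation by 6161 are not flagged; a real rule would of course also consider a later VirtualProtectEx that adds execute rights.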

Chapter 9 : SULLEY

How do I install pcapy on my environment with WinPcap-4.1.x? See Python/Compile & Installing Pcapy with latest WinPcap-4.1.x

131p, ftp_session.py

The book version is correct, but in the zip archive version the double quotation marks became '“' and '”'. The result:

SyntaxError: Non-ASCII character '\xe2'

→ Fix it by hand, or type in the book version from scratch.
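Fixing it by hand is easy to script. The following is an added example of my own (not the book's or the memo's code): it locates every non-ASCII byte by line and column, which is what you need to find the '\xe2' that Python 2 complains about, and rewrites the UTF-8 curly quotes to plain ASCII quotes. It works on raw bytes so the input file does not have to decode cleanly; the sample source is constructed to resemble the affected lines and is not the real ftp_session.py.

```python
# Added example: locate and replace smart quotes in a Python 2 source file.
SMART_QUOTES = {
    b'\xe2\x80\x9c': b'"',   # U+201C left double quotation mark
    b'\xe2\x80\x9d': b'"',   # U+201D right double quotation mark
    b'\xe2\x80\x98': b"'",   # U+2018 left single quotation mark
    b'\xe2\x80\x99': b"'",   # U+2019 right single quotation mark
}

def find_non_ascii(source):
    """Return (line, column, byte) for every byte above 0x7f: 1-based line, 0-based column."""
    hits = []
    for lineno, line in enumerate(source.split(b'\n'), 1):
        for col, byte in enumerate(bytearray(line)):
            if byte > 0x7f:
                hits.append((lineno, col, byte))
    return hits

def fix_smart_quotes(source):
    """Replace the UTF-8 smart quotes with ASCII quotes; returns (fixed_source, replacements)."""
    count = 0
    for utf8_seq, ascii_quote in SMART_QUOTES.items():
        count += source.count(utf8_seq)
        source = source.replace(utf8_seq, ascii_quote)
    return source, count

def fix_file(path):
    """Rewrite a file in place; returns the number of quotes replaced."""
    with open(path, 'rb') as f:
        fixed, count = fix_smart_quotes(f.read())
    if count:
        with open(path, 'wb') as f:
            f.write(fixed)
    return count

# Constructed sample: the zip archive's problem reproduced on two lines.
SAMPLE = (b'from sulley import *\n'
          b's_initialize(\xe2\x80\x9cuser\xe2\x80\x9d)\n'
          b's_static(\xe2\x80\x9cUSER\xe2\x80\x9d)\n')
```

On SAMPLE, find_non_ascii reports the first offending byte 0xe2 at line 2, column 13 (the position right after "s_initialize("), fix_smart_quotes replaces four quotes, and the fixed text contains no non-ASCII bytes at all, so the Python 2 parser no longer needs an encoding declaration.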

Chapter 10 : FUZZING WINDOWS DRIVERS

143p
C:\WINDOWS\System32\beep.sys

→ In my Windows XP SP3, beep.sys is at:

C:\WINDOWS\System32\drivers\beep.sys

142p -

(This is NOT a book error, but a driverlib.py error in Immunity Debugger.)

In Nov. 2010, I downloaded Immunity Debugger Ver 1.73.
The driverlib.py included in v1.73 has some log() lines like this:

self.imm.log("...(mes)...", address=...)

This causes errors.

"imm", an "immlib.Debugger" class instance, has 2 log methods:

def log(self, msg)

and

def Log(self, msg, address = 0xbadf00d ,highlight = False, gray = False , focus = 0)

"log()" (all lower case) takes only one string argument, but "Log()" (capital L) takes the additional keyword arguments with defaults.

Now grep for "log" in your driverlib.py (C:\Program Files\Immunity Inc\Immunity Debugger\Libs\driverlib.py) and replace "log()" with "Log()" wherever it passes extra arguments.
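The grep-and-replace step can be automated so that single-argument log() calls are left alone. Here is an added example of my own (not Immunity's code): it scans a driverlib.py-style source for .log( calls, counts the top-level arguments of each call while skipping commas inside string literals and nested parentheses, and renames only the calls that pass more than one argument to .Log(. The SAMPLE text is constructed to look like driverlib.py and is not the real file; the function names are mine.

```python
# Added example: rewrite multi-argument .log( calls to .Log( in a Python source string.
def _call_arg_count(source, open_paren):
    """Given the index of a call's '(' , return (number of top-level arguments, index of the
    matching ')'), or (None, None) if the parentheses do not balance."""
    depth = 0
    commas = 0
    quote = None
    saw_text = False
    i = open_paren
    while i < len(source):
        c = source[i]
        if quote:
            if c == '\\':
                i += 1                      # skip the escaped character inside a string
            elif c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
            saw_text = True
        elif c in '([{':
            depth += 1
            if depth > 1:
                saw_text = True
        elif c in ')]}':
            depth -= 1
            if depth == 0:
                return (commas + 1 if saw_text else 0), i
        elif c == ',' and depth == 1:
            commas += 1                     # only commas of the call itself count
        elif not c.isspace():
            saw_text = True
        i += 1
    return None, None

def rename_multi_arg_log_calls(source, attr='.log(', replacement='.Log('):
    """Rewrite every .log( call that passes more than one argument to .Log(.
    Returns (new_source, number_of_calls_rewritten)."""
    out = []
    pos = 0
    count = 0
    while True:
        idx = source.find(attr, pos)
        if idx == -1:
            out.append(source[pos:])
            return ''.join(out), count
        open_paren = idx + len(attr) - 1
        nargs, _ = _call_arg_count(source, open_paren)
        out.append(source[pos:idx])
        if nargs is not None and nargs > 1:
            out.append(replacement)
            count += 1
        else:
            out.append(attr)
        pos = open_paren + 1

# Constructed sample in the style of driverlib.py (not the real file).
SAMPLE = '''\
class Driver:
    def report(self):
        self.imm.log("Found device: %s" % name)
        self.imm.log("IOCTL handler at 0x%08x" % addr, address=addr)
        self.imm.log("Driver %s, %d IOCTLs" % (name, n), address=addr, highlight=True)
        self.imm.Log("already fixed", address=addr)
        catalog.log("not an imm call, and single-arg anyway")
'''
```

On SAMPLE only the two self.imm.log(...) calls with an address= argument are renamed; the single-argument calls, the already-fixed Log() call and the unrelated catalog.log() call are left untouched, which is the same decision you would make line by line from the grep output. Read the real driverlib.py with open(path).read(), pass it through rename_multi_arg_log_calls, and write the result back once you have checked the count is what you expect.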


current version : 2
updated by: msakamoto-sf
updated at: 2017-01-14 23:54:34