Breaking Code

August 31, 2009

Using diStorm with Python 2.6 and Python 3.x, revisited

Filed under: Tools — Mario Vilas @ 10:01 pm

In a previous post, we’ve seen how to wrap the diStorm disassembler library in Python, using ctypes. This still left us with the task of building the dynamic link library for our platform and installing it manually, which is not as easy as it may seem – among other small problems you may find, the new versions of Visual Studio try to force the use of the latest C++ runtime redistributables, which may not be present in most Windows installations.

Today, I’m introducing a new ctypes wrapper for diStorm, this time with all binaries prebuilt and packaged together. The installer script automatically detects the target platform and installs the right binary. It comes with the following prebuilt binaries:

  • Windows on x86 and AMD64 processors
  • Linux on x86 and AMD64 processors (built using Ubuntu, but should work in other distros)
  • Mac OS X on x86 and PowerPC processors (untested, I don’t have a Mac to play with yet)

Since the installer code is pretty much generic, it should be easy to add new platforms by simply creating the corresponding subdirectory and placing the python code and prebuilt binary in it. Contributions are welcome! 🙂

Download

Python 2.x

Python 3.x

June 16, 2009

WinAppDbg version 1.2 is out!

Filed under: Tools — Mario Vilas @ 7:23 pm

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debuggee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

http://winappdbg.sourceforge.net/

It’s also hosted at the Python Package Index (PyPi):

http://pypi.python.org/pypi/winappdbg/1.2

May 27, 2009

Using diStorm with Python 2.6 and Python 3.x

Filed under: Tools — Mario Vilas @ 12:14 am

diStorm is currently my favorite disassembler for Intel platforms. It’s small, fast, compiles virtually anywhere, and it’s got Python bindings for 2.3, 2.4 and 2.5. The only problem so far was trying to use it with Python 2.6 and above – the library has to be recompiled for each new version. To solve this problem a pure Python module using ctypes is shipped – but its interface is different from the C module, forcing us to code different routines.

So my solution was to code my own ctypes-based diStorm bindings. It’s compatible with the C version and it works in all Python 2.x versions. The DLL library has to be present in the path for it to work.

I’ve also ported it to Python 3.x. Both versions are tested under Windows only, however it should work correctly under Linux – let me know if you try it!

Here is also an example script that uses diStorm to disassemble a raw binary file. It could come in handy, for example, to disassemble the shellcode contained in an exploit, or to find anything that resembles shellcode in a packet capture.


May 18, 2009

WinAppDbg 1.1 released

Filed under: Tools — Mario Vilas @ 1:18 am

New version of WinAppDbg!

New features include:

  • New tool: a simple command line debugger that supports plugins.
  • Added support for Microsoft debugging symbols.
  • Added support for py2exe, to generate standalone executables.
  • New Win32 API functions added to win32.py
  • Improvements to the breakpoints support, now “stalking” works for memory buffers and variables too.

This new version contains some bugfixes, so if you were using 1.0 I very much recommend upgrading.

Download

April 21, 2009

WinAppDbg v1.0 is out!

Filed under: Tools — Mario Vilas @ 4:51 pm

What is WinAppDbg?

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debuggee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

http://winappdbg.sourceforge.net/

February 6, 2009

Manipulating windows belonging to other processes

Filed under: Tools — Mario Vilas @ 4:51 pm

Hello again. 🙂

Here’s a Python script that can be used to write Windows UI fuzzers and testers. It requires the win32 python extensions that can be downloaded from here (already included in the ActiveState distribution).

Enjoy!

Download the code: Window.py

December 23, 2008

Working with Property List files in Python

Filed under: Tools — Mario Vilas @ 7:25 pm

Update: Python 2.6 now supports .plist files using the plistlib module, check it out!

Hi all. Today we have a tool I wrote some time ago to work with Mac OS Property List (.plist) files. These files have an XML-based format, and can serialize high level objects like integers, floats, strings, arrays and dictionaries. There’s also a legacy plist format that doesn’t use XML and should also be easy to parse, but we won’t bother with it since it’s been deprecated in Mac OS 10.0. Here is the Wikipedia entry on Property List files for more details.

Here’s an example Property List file, taken from the Mac OS X Manual Page for plist:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
        "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>Year Of Birth</key>
            <integer>1965</integer>
            <key>Pets Names</key>
            <array/>
            <key>Picture</key>
            <data>
                PEKBpYGlmYFCPA==
            </data>
            <key>City of Birth</key>
            <string>Springfield</string>
            <key>Name</key>
            <string>John Doe</string>
            <key>Kids Names</key>
            <array>
                <string>John</string>
                <string>Kyra</string>
            </array>
        </dict>
    </plist>

As we can see, the data types supported by plist files are also supported natively by Python, so mapping Python objects as Property Lists should be quite straightforward, and it is. What I’m presenting here is a little tool that does the marshalling and unmarshalling, so you can use it pretty much like you would with Pickle, Shelve or Marshal.

A usage example. The following code reads the example plist file from above and produces a Python object, using the fromfile method.

    from PList import PList
    plist = PList.fromfile('example.plist')

Yeah, kinda simple, isn’t it 🙂

You can also load a plist from a string, using the fromstring method:

    from PList import PList
    data  = open('example.plist', 'r').read()
    plist = PList.fromstring(data)

Or from an ElementTree object, with the fromtree method:

    from PList import PList
    from xml.etree import ElementTree
    tree  = ElementTree.parse('example.plist')
    plist = PList.fromtree(tree)

In all cases the output is an ordinary Python object, typically a dictionary or an array containing other objects. This is the Python object corresponding to the example plist shown above:

    {'City of Birth': 'Springfield',
     'Kids Names': ['John', 'Kyra'],
     'Name': 'John Doe',
     'Pets Names': [],
     'Picture': '<B\x81\xa5\x81\xa5\x99\x81B<',
     'Year Of Birth': 1965}

You can also write Python objects as Property List files. The output can be a string (the tostring method), an ElementTree tree (totree method) or a file (tofile method).

    from PList import PList
    PList.tofile('output.plist', plist)
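As an added example (my own code, not the PList.py linked below), here is a minimal stand-alone version of the fromstring side of that mapping, using only ElementTree and the standard library. It embeds a constructed copy of the plist above (XML declaration and DOCTYPE omitted) and, unlike a naive zip over the children of a <dict>, it rejects a trailing <key> that has no value instead of silently dropping it. The function names are my own.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed copy of the example plist from the post (declaration and
# DOCTYPE omitted), embedded so the script runs offline.
EXAMPLE_PLIST = """<plist version="1.0"><dict>
<key>Year Of Birth</key><integer>1965</integer>
<key>Pets Names</key><array/>
<key>Picture</key><data>
    PEKBpYGlmYFCPA==
</data>
<key>City of Birth</key><string>Springfield</string>
<key>Name</key><string>John Doe</string>
<key>Kids Names</key><array><string>John</string><string>Kyra</string></array>
</dict></plist>"""

def node_to_obj(node):
    """Map one plist element to the matching Python object (recursive)."""
    tag = node.tag
    if tag == "dict":
        children = list(node)
        if len(children) % 2:            # a <key> with no value following it
            raise ValueError("dict has a <key> without a value")
        obj = {}
        for key, val in zip(children[0::2], children[1::2]):
            if key.tag != "key":
                raise ValueError("expected <key>, got <%s>" % key.tag)
            obj[key.text or ""] = node_to_obj(val)
        return obj
    if tag == "array":
        return [node_to_obj(child) for child in node]
    if tag == "string":
        return node.text or ""
    if tag == "integer":
        return int(node.text)
    if tag == "real":
        return float(node.text)
    if tag == "data":                    # base64, whitespace allowed inside
        return base64.b64decode("".join((node.text or "").split()))
    if tag in ("true", "false"):         # <true/> and <false/> are empty tags
        return tag == "true"
    raise ValueError("unsupported plist element <%s>" % tag)

def fromstring(xml_text):
    """Parse plist XML text and return its single top-level object."""
    root = ET.fromstring(xml_text)
    if root.tag != "plist" or len(root) != 1:
        raise ValueError("not a plist document with one root object")
    return node_to_obj(root[0])
```

Under Python 3 the <data> element comes back as bytes rather than the str shown in the dictionary above; everything else matches it key for key.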

Download the code: PList.py

bin2py.py

Filed under: Tools — Mario Vilas @ 6:14 pm

Hi there folks.

Here’s a little tool I coded quite some time ago, and probably we all have done the same at one time or another, maybe over and over again. It’s yet another binary-to-python-code converter. The catch is, this one has a few extra options that may come in handy…

  • Encodes using repr(), hexadecimal or base64
  • Compress with zlib or gzip
  • Also generates the code to uncompress and/or decode the data
  • Can work with a batch of files
  • Can generate multiple output files, or merge all output into one file
  • Cross-platform, of course, since it’s made in Python 🙂

The code kinda sucks (no classes, all functions, lots of copy paste) but it works. Anyway, a friend told me it’d be a good idea to post it here, so here it is. Enjoy.
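To show what the encode-then-emit-decoder step of such a converter looks like, here is an added example (my own code, not the bin2py.py linked below) covering the repr, hex and base64 encodings with optional zlib compression; gzip output is left out. A roundtrip() helper executes the generated source in a fresh namespace and checks that it rebuilds the original bytes, which is the test you want before trusting any generated loader stub. Function names and the sample blob are my own.

```python
import base64
import binascii
import zlib

# name -> (bytes -> python literal, decode expression template, module needed)
ENCODERS = {
    "repr":   (lambda b: repr(b), "%s", None),
    "hex":    (lambda b: repr(binascii.hexlify(b).decode()), "binascii.unhexlify(%s)", "binascii"),
    "base64": (lambda b: repr(base64.b64encode(b).decode()), "base64.b64decode(%s)", "base64"),
}

def bin2py(name, data, encoding="base64", compress=True):
    """Return Python source that rebuilds `data` in a variable called `name`.
    As with the tool in the post, the generated code carries its own decoder."""
    if encoding not in ENCODERS:
        raise ValueError("unknown encoding %r" % encoding)
    to_literal, template, module = ENCODERS[encoding]
    imports = set()
    payload = data
    if compress:
        payload = zlib.compress(data, 9)   # zlib only; gzip left out for brevity
        imports.add("zlib")
    if module:
        imports.add(module)
    expr = template % to_literal(payload)  # decoding happens inside-out
    if compress:
        expr = "zlib.decompress(%s)" % expr
    lines = ["import %s" % m for m in sorted(imports)]
    lines.append("%s = %s" % (name, expr))
    return "\n".join(lines) + "\n"

def roundtrip(data, encoding="base64", compress=True):
    """Execute the generated source in a fresh namespace and compare."""
    ns = {}
    exec(bin2py("blob", data, encoding, compress), ns)
    return ns["blob"] == data

# Constructed sample input: a small repetitive blob that compresses well.
SAMPLE = b"\x00\x01\x02\x03" * 64 + b"hello, world\n"
```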

Updated

Aug 3, 2011: Added some speed optimizations.

Download the code: bin2py.py

November 29, 2008

Ouroboros.py

Filed under: Just for fun — Mario Vilas @ 2:41 am

This is a little nonsense I just wrote after reading the Wikipedia entry for Ouroboros. Turns out programs of this kind already have a name too: quine.

In this case it’s a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to… well, you get the point. 🙂

Yeah, I know this is not really about computer security, but what the hell. It’s got Python and shellcode somewhere anyway.

A real Ouroboros!

Ouroboros.py

    #!/usr/bin/python

    from sys import argv, stdout
    from inlineegg.inlineegg import InlineEgg, Linuxx86Syscall
    from inlineegg.exelib import Elf32Program

    # Read this script's own source code.
    script = open(argv[0], 'r').read()

    # Build Linux x86 shellcode that writes the script to stdout and exits.
    egg = InlineEgg(Linuxx86Syscall)
    egg.write(1, script, len(script))
    egg.exit(0)

    # Wrap the shellcode in an ELF32 executable and emit it on stdout.
    prg = Elf32Program()
    prg.arch = prg.ARCH_I386
    prg.addCode(str(egg))
    stdout.write(prg.bytes())

November 28, 2008

Hello world!

Filed under: Just for fun — Mario Vilas @ 2:01 am

Hello there, welcome to my blog. I’ll begin with some useless welcome post, like most blogs do 🙂 and make it worse with an incredibly nerdy thing to do:

31 db 43 68 21 0a 00 00
68 6f 72 6c 64 68 6f 2c
20 77 68 48 65 6c 6c 89
e1 6a 0e 5a 6a 04 58 cd
80 31 db 31 c0 40 cd 80

Nope, it’s not a Cthulhu chant in some strange and ancient Unicode encoding. I admit it might have been though – we all know Unicode is evil.

No… It’s nothing but a… green-and-black Matrix themed “Hello World” Linux shellcode! 😀
