Dr. Dobb's Digest June 2009

Book Review: Examining Gray Hat Python: Python Programming for Hackers and Reverse Engineers

Reviewed by Mike Riley

Examining Gray Hat Python: Python Programming for Hackers and Reverse Engineers
Justin Seitz
No Starch Press, $39.95
ISBN: 978-1-59327-192-3


Being a fan of the Python programming language, I immediately gravitate toward any new book with Python in the title. Gray Hat Python explores the relatively easy security penetration testing and, in particular, Windows-centric hacking using Python and several free security testing libraries. Does it deliver the goods? Read on to find out.

Author Justin Seitz, a senior security researcher for Immunity, Inc., clearly enjoys his job and the freedom to use the Python language to achieve his company's security testing objectives. The techniques described in his book are real-world exploits covering a wide array of Windows OS-centric hacks.

The book starts off with setting up the necessary test bench tools, including various debugging tools (such as the popular PyDbg and the author-contributed Immunity Debugger), and learning how to leverage the ctypes library to call DLLs and manipulate stacks, breakpoints and event handlers. The third chapter delivers a walkthrough construction of a home-made Python-based debugger that helps readers understand how more sophisticated debuggers work. The next chapter focuses on using the PyDbg tool, with examples of extending breakpoints, handling access violations, generating buffer overflows and obtaining process snapshots. Chapter 5 introduces the free Immunity Debugger, available at http://debugger.immunityinc.com, as a smarter replacement for PyDbg and demonstrates how much easier it is to use. The chapter opens with a tour of setting up and using the tool, activating its functions with the PyCommands library and the 13 debugging hooks, which include: BpHook/LogBpHook, AllExceptHook, PostAnalysisHook, AccessViolationHook, LoadDLLHook/UnloadDLLHook, CreateThreadHook/ExitThreadHook, CreateProcessHook/ExitProcessHook, and FastLogHook/STDCALLFastLogHook.

Once the Immunity Debugger is configured, the hack attacks begin. Bad character filtering, Data Execution Prevention (DEP) bypass, malware anti-debug routines, and a chapter devoted to soft hooking (using PyDbg) and hard hooking (via Immunity Debugger) are discussed (incidentally, hooking is the term used for attaching to a target process and intercepting its flow of execution).

Chapter 7 covers remote thread creation, DLL injection, file hiding and backdoor coding. Chapter 8 is all about fuzzing (creating and sending malformed data to an application in order to make that application fail), and Chapter 9 discloses the Sulley (named after the Monsters, Inc. character) Python-based fuzzing framework. Chapter 10 is about fuzzing Windows drivers via the Immunity Debugger with the help of DriverLib, a Python-based driver static analysis tool. Chapter 11 covers scripting IDA Pro (a professional-grade disassembly tool) via the IDAPython library. The book concludes with a chapter on PyEmu, a scriptable, pure Python IA32 emulator that gives Python developers the ability to emulate CPU tasks.
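To make the fuzzing idea from Chapter 8 concrete, here is a small mutation fuzzer written for this review as an added illustration; it is not code from the book, from Sulley or from the author. It targets a toy length-prefixed record parser constructed inline (the `parse_record` function and its record format are invented for the example), mutates a couple of valid seed records, and keeps the first input that triggers each unexpected exception type, which is exactly the kind of finding a developer wants before an attacker finds it. Expected rejections (the parser's own `ParseError`) are ignored; anything else is a bug worth fixing.

```python
import random
import struct


class ParseError(Exception):
    """Raised by the parser for input it deliberately rejects."""


def parse_record(data: bytes):
    """Toy parser (constructed for this example): 1-byte type, 2-byte
    big-endian length, then payload. It trusts the length field, which
    is the kind of weakness fuzzing is good at surfacing."""
    if len(data) < 3:
        raise ParseError("short header")
    rtype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + length]
    if rtype == 1:
        # Non-ASCII payload bytes raise UnicodeDecodeError (unhandled).
        return ("text", payload.decode("ascii"))
    if rtype == 2:
        # A length larger than the real payload raises IndexError (unhandled).
        return ("pair", payload[0], payload[length - 1])
    raise ParseError("unknown type")


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a bit, truncate, or insert junk bytes."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(parser, seeds, iterations=2000, rng_seed=0):
    """Feed mutated seeds to parser; return {exception name: first input that caused it}."""
    rng = random.Random(rng_seed)  # fixed seed makes a run reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parser(case)
        except ParseError:
            continue  # the parser rejected the input on purpose
        except Exception as exc:  # anything else is an unexpected failure
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def reproduces(parser, case: bytes, exc_name: str) -> bool:
    """Re-run one saved input and confirm it still raises the recorded exception."""
    try:
        parser(case)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


# Constructed seed corpus: one valid record of each type.
SEEDS = [b"\x01\x00\x05hello", b"\x02\x00\x02AB"]

if __name__ == "__main__":
    for name, case in fuzz(parse_record, SEEDS).items():
        print(name, case, "reproduces:", reproduces(parse_record, case, name))
```

Each saved input is re-run through `reproduces` so that a finding can be handed to whoever owns the parser as a deterministic test case rather than a one-off observation; real fuzzers such as the Sulley framework the book describes add instrumentation, network delivery and crash triage on top of the same mutate-send-observe loop.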

Overall, Gray Hat Python achieves its objective, albeit primarily for Windows security researchers versed in the Python language. While it certainly makes sense for the author to focus the discussion around the dominant Windows platform, I hoped he would share a bit more hacking (or penetration testing) knowledge leveraging the Linux and Mac OS X platforms, or at the very least show how these non-Windows platforms can be used in forensics, diagnostics and hacking the Windows platform. However, even without such demonstrations, each chapter is packed with Python code, clear dissections, and a serious education in taking control of what was previously considered untouchable OS territory. The book succeeded in showing me with relative ease how a trained security researcher or determined hacker could use relatively straightforward Python scripts to infiltrate the most prevalent consumer operating system today.