Gray Hat Python: Python Programming for Hackers and Reverse Engineers

by Justin Seitz

eBook

$23.99 

Overview

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it is quick to write and has the low-level support and libraries (ctypes above all) that hackers need. Until now there has been no real manual on using Python for hacking tasks: you had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools—and how to build your own when the pre-built ones won't cut it.

You'll learn how to:
–Automate tedious reversing and security tasks
–Design and program your own debugger
–Fuzz Windows drivers and create powerful fuzzers from scratch
–Have fun with code and library injection, soft and hard hooking techniques, and other software trickery
–Sniff secure traffic out of an encrypted web browser session
–Use PyDbg, Immunity Debugger, Sulley, IDAPython, PyEmu, and more

The world's best hackers are using Python to do their handiwork. Shouldn't you?

Product Details

ISBN-13: 9781593272241
Publisher: No Starch Press
Publication date: 04/15/2009
Sold by: Penguin Random House Publisher Services
Format: eBook
Pages: 216
File size: 2 MB

About the Author

Justin Seitz is a senior security researcher for Immunity, Inc., where he spends his time bug hunting, reverse engineering, writing exploits, and coding Python. He is the author of Black Hat Python (No Starch Press).

Table of Contents

Foreword by Dave Aitel xiii
Acknowledgments xvii
Introduction xix

1 Setting Up Your Development Environment 1
1.1 Operating System Requirements 2
1.2 Obtaining and Installing Python 2.5 2
1.2.1 Installing Python on Windows 2
1.2.2 Installing Python for Linux 3
1.3 Setting Up Eclipse and PyDev 4
1.3.1 The Hacker's Best Friend: ctypes 5
1.3.2 Using Dynamic Libraries 6
1.3.3 Constructing C Datatypes 8
1.3.4 Passing Parameters by Reference 9
1.3.5 Defining Structures and Unions 9

2 Debuggers and Debugger Design 13
2.1 General-Purpose CPU Registers 14
2.2 The Stack 16
2.3 Debug Events 18
2.4 Breakpoints 18
2.4.1 Soft Breakpoints 19
2.4.2 Hardware Breakpoints 21
2.4.3 Memory Breakpoints 23

3 Building a Windows Debugger 25
3.1 Debuggee, Where Art Thou? 25
3.2 Obtaining CPU Register State 33
3.2.1 Thread Enumeration 33
3.2.2 Putting It All Together 35
3.3 Implementing Debug Event Handlers 39
3.4 The Almighty Breakpoint 43
3.4.1 Soft Breakpoints 43
3.4.2 Hardware Breakpoints 47
3.4.3 Memory Breakpoints 52
3.5 Conclusion 55

4 PyDbg: A Pure Python Windows Debugger 57
4.1 Extending Breakpoint Handlers 58
4.2 Access Violation Handlers 60
4.3 Process Snapshots 63
4.3.1 Obtaining Process Snapshots 63
4.3.2 Putting It All Together 65

5 Immunity Debugger: The Best of Both Worlds 69
5.1 Installing Immunity Debugger 70
5.2 Immunity Debugger 101 70
5.2.1 PyCommands 71
5.2.2 PyHooks 71
5.3 Exploit Development 73
5.3.1 Finding Exploit-Friendly Instructions 73
5.3.2 Bad-Character Filtering 75
5.3.3 Bypassing DEP on Windows 77
5.4 Defeating Anti-Debugging Routines in Malware 81
5.4.1 IsDebuggerPresent 81
5.4.2 Defeating Process Iteration 82

6 Hooking 85
6.1 Soft Hooking with PyDbg 86
6.2 Hard Hooking with Immunity Debugger 90

7 DLL and Code Injection 97
7.1 Remote Thread Creation 98
7.1.1 DLL Injection 99
7.1.2 Code Injection 101
7.2 Getting Evil 104
7.2.1 File Hiding 104
7.2.2 Coding the Backdoor 105
7.2.3 Compiling with py2exe 108

8 Fuzzing 111
8.1 Bug Classes 112
8.1.1 Buffer Overflows 112
8.1.2 Integer Overflows 113
8.1.3 Format String Attacks 114
8.2 File Fuzzer 115
8.3 Future Considerations 122
8.3.1 Code Coverage 122
8.3.2 Automated Static Analysis 122

9 Sulley 123
9.1 Sulley Installation 124
9.2 Sulley Primitives 125
9.2.1 Strings 125
9.2.2 Delimiters 125
9.2.3 Static and Random Primitives 126
9.2.4 Binary Data 126
9.2.5 Integers 126
9.2.6 Blocks and Groups 127
9.3 Slaying WarFTPD with Sulley 129
9.3.1 FTP 101 129
9.3.2 Creating the FTP Protocol Skeleton 130
9.3.3 Sulley Sessions 131
9.3.4 Network and Process Monitoring 132
9.3.5 Fuzzing and the Sulley Web Interface 133

10 Fuzzing Windows Drivers 137
10.1 Driver Communication 138
10.2 Driver Fuzzing with Immunity Debugger 139
10.3 Driverlib: The Static Analysis Tool for Drivers 142
10.3.1 Discovering Device Names 143
10.3.2 Finding the IOCTL Dispatch Routine 144
10.3.3 Determining Supported IOCTL Codes 145
10.4 Building a Driver Fuzzer 147

11 IDAPython: Scripting IDA Pro 153
11.1 IDAPython Installation 154
11.2 IDAPython Functions 155
11.2.1 Utility Functions 155
11.2.2 Segments 155
11.2.3 Functions 156
11.2.4 Cross-References 156
11.2.5 Debugger Hooks 157
11.3 Example Scripts 158
11.3.1 Finding Dangerous Function Cross-References 158
11.3.2 Function Code Coverage 160
11.3.3 Calculating Stack Size 161

12 PyEmu: The Scriptable Emulator 163
12.1 Installing PyEmu 164
12.2 PyEmu Overview 164
12.2.1 PyCPU 164
12.2.2 PyMemory 165
12.2.3 PyEmu 165
12.2.4 Execution 165
12.2.5 Memory and Register Modifiers 165
12.2.6 Handlers 166
12.3 IDAPyEmu 171
12.3.1 Function Emulation 172
12.3.2 PEPyEmu 175
12.3.3 Executable Packers 176
12.3.4 UPX Packer 176
12.3.5 Unpacking UPX with PEPyEmu 177

Index 183
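The ctypes material listed under 1.3 (loading dynamic libraries, constructing C datatypes, passing parameters by reference, and defining structures and unions) is the foundation every later chapter builds on. The following is an added example written for this listing; it is not code from the book and is not Justin Seitz's. It uses the C runtime's real strlen() and frexp() so it runs on Linux or macOS without Windows, and everything else (load_library, c_strlen, frexp_by_ref, Word32, PackedHeader, PaddedHeader, header_sizes, parse_header, SAMPLE_HEADER and the header layout it parses) is invented for illustration.

```python
import ctypes
import ctypes.util
from ctypes import (POINTER, Structure, Union, byref, c_char_p, c_double,
                    c_int, c_size_t, c_uint8, c_uint16, c_uint32, sizeof)


def load_library(short_name, *fallbacks):
    """Load a shared library by short name ("c", "m").

    ctypes.util.find_library() shells out to ldconfig/gcc and returns None in
    minimal containers, so explicit SONAMEs are tried as a fallback.
    """
    candidates = [ctypes.util.find_library(short_name)] + list(fallbacks)
    for candidate in candidates:
        if not candidate:
            continue
        try:
            return ctypes.CDLL(candidate)
        except OSError:
            continue
    raise OSError("cannot load lib%s" % short_name)


libc = load_library("c", "libc.so.6", "msvcrt.dll")
libm = load_library("m", "libm.so.6", "msvcrt.dll")

# Declare every prototype. ctypes defaults restype to a C int, which silently
# truncates 64-bit pointers and size_t values; that is a classic source of
# crashes when scripting Windows API calls that return HANDLEs or addresses.
libc.strlen.argtypes = [c_char_p]
libc.strlen.restype = c_size_t
libm.frexp.argtypes = [c_double, POINTER(c_int)]
libm.frexp.restype = c_double


def c_strlen(data):
    """Call the C runtime's strlen() on a Python bytes object."""
    return libc.strlen(data)


def frexp_by_ref(value):
    """frexp() returns the mantissa and writes the exponent through an int*.

    byref(exponent) hands C the address of our c_int; this is the same
    out-parameter pattern used for Win32 calls that fill in a DWORD.
    """
    exponent = c_int()
    mantissa = libm.frexp(value, byref(exponent))
    return mantissa, exponent.value


class Word32(Union):
    """A 32-bit value viewed either as an integer or as its four raw bytes."""
    _fields_ = [("value", c_uint32), ("bytes", c_uint8 * 4)]


class PackedHeader(Structure):
    """Invented example header: 16-bit magic, 8-bit flags, 32-bit length.

    _pack_ = 1 disables the alignment padding a C compiler would insert, so
    sizeof() matches the 7 bytes actually on the wire or on disk.
    """
    _pack_ = 1
    _fields_ = [("magic", c_uint16), ("flags", c_uint8), ("length", Word32)]


class PaddedHeader(Structure):
    """Same fields without _pack_: the union needs 4-byte alignment, so one
    byte of padding lands after flags and the struct grows to 8 bytes."""
    _fields_ = [("magic", c_uint16), ("flags", c_uint8), ("length", Word32)]


def header_sizes():
    """Return (packed, padded) sizes so the padding difference is visible."""
    return sizeof(PackedHeader), sizeof(PaddedHeader)


def parse_header(raw):
    """Overlay PackedHeader on raw bytes and return (magic, flags, length).

    from_buffer_copy() is used instead of from_buffer() so the result does
    not alias a buffer the caller may free or mutate behind our back.
    """
    if len(raw) < sizeof(PackedHeader):
        raise ValueError("buffer shorter than header: %d bytes" % len(raw))
    hdr = PackedHeader.from_buffer_copy(raw[:sizeof(PackedHeader)])
    return hdr.magic, hdr.flags, hdr.length.value


# Constructed sample input (little-endian): magic 0x5A4D, flags 1, length 16.
SAMPLE_HEADER = bytes([0x4D, 0x5A, 0x01, 0x10, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    print("strlen:", c_strlen(b"AAAA"))
    print("frexp(8.0):", frexp_by_ref(8.0))
    print("sizes (packed, padded):", header_sizes())
    print("header:", parse_header(SAMPLE_HEADER))
```

Two habits from this example carry over directly to the Windows-side code the book is about: set argtypes and restype on every foreign function before calling it, and match _pack_ to the C declaration you are mirroring, since a one-byte layout mismatch in a structure such as a CONTEXT or THREADENTRY32 produces garbage that is far harder to diagnose than an outright exception.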