Python Arsenal For RE
Twitter: @evdokimovds
www.erpscan.com www.dsecrg.com
Content
- Introduction (p. 4)
- bochs-python-instrumentation (p. 7)
- Buggery (p. 8)
- Ctypes (p. 9)
- dislib (p. 10)
- diStorm (p. 11)
- IDAPython (p. 12)
- ImmLIB (p. 14)
- libdisassemble (p. 15)
- lldb (p. 16)
- OllyPython (p. 17)
- pefile (p. 18)
- PIDA (p. 19)
- ProcessTap (p. 20)
- pyasm (p. 21)
- pydasm (p. 24)
- Pydb (p. 25)
- PyDBG (p. 26)
- PyDbgEng (p. 27)
- PyEA (p. 30)
- PyEMU (p. 31)
- pyew (p. 32)
- pyHIEW (p. 34)
- pykd (p. 35)
- Pylibemu (p. 36)
- PySTP (p. 39)
- PythonGdb (p. 40)
- python-ptrace (p. 41)
- pytracer (p. 42)
- radapy (p. 43)
- uhooker (p. 44)
- Vivisect (p. 45)
- Z3-python (p. 48)
- Note (p. 49)
- About Author (p. 50)
- About DSecRG Research center of ERPScan (p. 52)
Introduction

PRAEMONITUS PRAEMUNITUS

This whitepaper is a collection of various python engines, extensions, libraries and shells that aid in the job of understanding, analyzing and sometimes breaking code.

Quite ordinary, but the Python programming language has become a language of hackers. And it is not surprising, because it has all the necessary qualities:
- Powerful
- OOP
- Portable
- Free
- Developer productivity
- Built-in tools
- Easy to learn
- Mixable
- Third-party utilities
- Programming-in-the-large support
- Library utilities
- Dynamic typing

A great role in this was played by such projects as IDA Pro, WinDBG, OllyDebug and gdb, which, being the de-facto standard among disassemblers and debuggers, eventually began to support scripting engines in Python. Of course, they had maintained their own APIs for plug-in development, and there was not a small number of them, but exactly with the appearance of Python support they received a strong push in their development: the number of plug-ins increased, the community increased, and of course their flexibility also increased, which allowed them to interact both with each other and with other applications, using the best aspects of each other. But in the beginning of the path there was naturally only hacker spirit and idea. Everything went this way step by step: with the increasing complexity of technologies the complexity of software is growing too, and specialists in information security need to keep pace with this development (and sometimes even be ahead). It is almost impossible to examine an application properly in an adequate time by hand with a disassembler or a debugger. And automation can help in this situation (XXI century after all).

We live in a very rapidly developing world, in which it is very difficult to keep track of everything that is happening, therefore it is very difficult to always be aware of everything. Sometimes this is hard even in a specific area (in our case, in the field of reverse engineering) for an experienced specialist, not to mention the beginners who make their first steps. So here I tried to collect and review the most interesting and useful Python projects for reverse engineering.

In my opinion today there is very little structured knowledge about hacking, reverse engineering and software exploitation techniques. While many of the older sciences are very well structured and easy to get oriented in, in our field it is very difficult to make the first steps. By means of this whitepaper I will try to make a small step in the direction of awareness and systematization.

I hope that you will learn something new or remember the forgotten and possibly breathe new life into one of these projects, because some of them unfortunately have not been developed for quite a long time.

Here 41 python projects will be considered: python tools for disassembling, debugging, visualization and so on will be reviewed, without which today it is quite difficult. Unfortunately, not all of the above projects are actively developed, due to certain circumstances, and they were presented here to show the original idea and bring them to attention.

For the description of each of the projects 11 characteristics were allocated:
- Project: name of the engine, extension, library, shell, etc.
- Author: author(s) of the project (many thanks to these guys)
- Tags: a list of tags which, in my mind, characterize the project most commonly
- Site project: site of the project, from which you can download it
- License: the type of license under which this project is spread
- Python versions: a set of python versions with which this project is compatible (it may also work on other versions; if you know, please let me know)
- Platforms: the list of platforms supported by the project
- Processors: the list of processor architectures supported by the project
- Base project: the name of the program for which it is intended (depends)
- Description: short description of the project
- Tools: the most famous and interesting tools which use this project
- Useful links: links concerning this project

If there is the ??? sign in the line, then this information is not known to me and I would be glad to get it.

This article is by no means exhaustive. If there is anything that I may have missed or have misstated, please email me at [email protected] and I will edit this post accordingly. I hope for your help in its correction, updating and improvement.
Considered projects

The list of considered projects:
1. bochs-python-instrumentation
2. Buggery
3. Ctypes
4. Dislib
5. diStorm
6. IDAPython
7. ImmLIB
9. lldb
11. Pefile
12. PIDA
15. PyBox
16. PyCodin
21. Pydbgr
22. Pydot
23. PyEA
26. Pygdb
27. pyHIEW
28. Pykd
32. PySTP
34. python-ptrace
36. radapy
bochs-python-instrumentation

Project: bochs-python-instrumentation
Site project: https://github.com/zynamics/bochs-python-instrumentation
Processors: x86/x64
Description: This patch for Bochs provides a Python interpreter instead of Bochs' own debugger, while still providing the debugger functionality. It also allows interacting with the instrumentation interface on demand, by dynamically associating Python methods to handle instrumentation events.
Tools: ???
Buggery

Project: Buggery
Processors: x86/x64
Base project: WinDbg
Ctypes

Project: Ctypes
Site project: http://sourceforge.net/projects/ctypes/ (in Python 2.5 it is already included)
Python versions: more than 2.3
Platforms: win/lin/mac
Description: ctypes is a Python module allowing to create and manipulate C data types in Python. These can then be passed to C functions loaded from dynamic link libraries.
Tools: PyMem, WinAppDBG
Useful links:
http://docs.python.org/library/ctypes.html official documentation
Using Cython to optimize Python and interface with C
API Hooking in Python
dislib

Project: dislib
Author: distorm, Gil Dabah ([email protected])
Tags: PE+ reader
Site project: http://code.google.com/p/distorm/
License: GNU GPL v3
Python versions: 2.5
Platforms: win
Processors: x86/x64
Description: ???
Tools: ???
diStorm

Project: diStorm
Author: distorm, Gil Dabah ([email protected])
Tags: disassembler
Site project: http://code.google.com/p/distorm/
License: GNU GPL v3 and commercial license
Python versions: 2.x, 3.x
Platforms: win/lin/mac
Processors: x86/x64/PowerPC
Description: ???
Tools: ???
IDAPython

Project: IDAPython
Author: Gergely Erdelyi (http://gergelyerdelyi.com/), Elias Bachaalany (@0xeb)
Tags: scripting engine, disassemble, debugger
Site project: http://code.google.com/p/idapython/
License: New BSD License
Python versions: 2.4-2.7
Platforms: win/mac
Processors: x86
Description: IDAPython is an IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro. These programs have access to the IDA Plugin API, IDC and all modules available for Python. The power of IDA Pro and Python provides a platform for easy prototyping of reverse engineering and other research tools.
Tools:
Dr. Gadget http://www.openrce.org/blog/view/1570/Dr._Gadget_IDAPython_plugin
mynav http://code.google.com/p/mynav/
rtti-helper-scripts https://github.com/zynamics/rtti-helper-scripts
msdn-plugin-ida https://github.com/zynamics/msdn-plugin-ida
Idagrapher https://code.google.com/p/idagrapher/
ida2sql-plugin-ida https://github.com/zynamics/ida2sql-plugin-ida
Useful links:
http://www.hex-rays.com/idapro/idapython_docs/ official documentation
http://gergelyerdelyi.com/publication/IDAPython.pdf IDAPython: User Scripting for a Complex Application
http://defcon.org/images/defcon-18/dc-18-presentations/PridgenWollenweber/DEFCON-18-Pridgen-Wollenweber-IDA-Bridge.pdf TOOLSMITHING AN IDA BRIDGE: A TOOL BUILDING CASE STUDY
http://dvlabs.tippingpoint.com/pub/chotchkies/SeattleToorcon2008_RECookbook.pdf Reverse Engineer's Cookbook presentation from OpenRCE
ImmLIB

Project: ImmLIB
Author: Immunity, Inc.
Tags: scripting engine, disassemble, debugger
Site project: http://www.immunityinc.com/products-immdbg.shtml
License: Immunity Debugger License
Python versions: 2.5 and 2.7.1
Platforms: win
Processors: x86
Base project: ImmunityDebugger
Description: Immunity Debugger's Python API includes many useful utilities and functions. Your scripts can be as integrated into the debugger as the native code. This means your code can create custom tables, graphs, and interfaces of all sorts that remain within the Immunity Debugger user experience.
Tools:
mona http://redmine.corelan.be/projects/mona
pvefindaddr http://redmine.corelan.be:8800/projects/pvefindaddr
Useful links:
http://beist.org/research/public/immunity1/imm_present_jff.pdf presentation
debugger-pycommands-my-cheatsheet/ cheatsheet by Corelan
https://forum.immunityinc.com/board/ forum
libdisassemble

Project: libdisassemble
Author: Immunity Inc., atlas ([email protected])
Tags: disassembler
Site project: http://www.immunitysec.com/resources-freesoftware.shtml
License: GNU GPL v2
Python versions: 2.5
Platforms: win/lin
Processors: x86
Description: Libdisassembly is simply a python library for disassembling x86 opcodes. It has been made for Immunity's PDB Project (a vulnerability development ...). There is still a lot of work to do with the Metadata, but the library tries to return as much information as it can get off of an opcode.
Tools: ???
Useful links: ???
lldb

Project: lldb
Description: lldb also has a built-in Python interpreter, which is accessible by the "script" command. All the functionality of the debugger is available as classes in the Python interpreter, so the more complex commands that in gdb you would introduce with the "define" command can be done by writing Python functions using the lldb-Python library, then loading the scripts into your running session and accessing them with the "script" command.
Useful links:
http://llvm.org/svn/llvm-project/lldb/trunk/examples/python/disasm.py Example
http://llvm.org/svn/llvm-project/lldb/trunk/test/python_api/ API
Debugging Infrastructure presentation
OllyPython

Project: OllyPython
Author: Scott Knight ([email protected])
Tags: scripting engine, debugger
Site project: http://code.google.com/p/ollypython/
License: New BSD License
Python versions: 2.4
Platforms: win
Processors: x86
Base project: OllyDbg
Description: OllyPython is an OllyDbg plugin that integrates the Python programming language, allowing scripts to run in OllyDbg.
Tools: ???
Useful links:
http://www.team509.com/modules.php?name=News&file=article&sid=48 sample of use in a blog entry
pefile

Project: pefile
Site project: http://code.google.com/p/pefile/
Platforms: win/lin/mac
Description: pefile is a multi-platform Python module to read and work with Portable Executable (aka PE) files. Most of the information in the PE Header is accessible, as well as all the sections, section's information and data. pefile requires some basic understanding of the layout of a PE file. Armed with it, it's possible to explore nearly every single feature of the file.
Tools:
IDA PEiD http://code.google.com/p/reverse-engineering-scripts/
Useful links:
http://code.google.com/p/pefile/wiki/UsageExamples usage examples
http://www.gerryeisenhaur.com/2011/01/04/using-python-and-pefile-to-extract-embedded-code/ usage examples
http://www.recon.cx/en/f/lightning-ecarrera-win32-static-analysis-in-python.pdf Win32 Static Analysis in Python presentation
https://www.blackhat.com/presentations/bh-usa-07/Carrera/Presentation/bh-usa-07-carrera.pdf 4 x 5: Reverse Engineering Automation with Python presentation
PIDA

Project: PIDA
Author: Pedram Amini (@pedramamini)
Tags: visualization
License: GNU GPL v2 or later
Python versions: 2.?
Platforms: win/mac
Processors: x86
Base project: IDAPython, pGRAPH
Description: Built on top of pGRAPH, PIDA aims to provide an abstract and persistent interface over binaries (DLLs and EXEs) with separate classes for representing functions, basic blocks and instructions. The end result is the creation of a portable file that, when loaded, allows you to arbitrarily navigate throughout the entire original binary.
Tools:
PaiMei (http://code.google.com/p/paimei/)
Useful links:
http://pedram.redhive.com/PyDbg/docs/ official overview
ProcessTap

Project: ProcessTap
Author: Lorenzo Martignoni (@martignlo)
Tags: scripting engine, DBI
License: GNU GPL v3
Python versions: 2.5, 2.6
Platforms: lin
Processors: x86/x64
Description: ProcessTap is a dynamic tracing framework for analyzing closed source applications. ProcessTap is inspired by DTrace and SystemTap, but it is specific for analyzing closed-source user-space applications. ProcessTap leverages dynamic binary instrumentation to intercept the events of interest (e.g., function calls, system calls, memory accesses, and conditional control transfers). Although the current implementation relies on PinTool, alternative back-ends for instrumentation (e.g., Valgrind, Qemu, or DynamoRIO) can be used. The language used in ProcessTap for writing scripts to instrument applications is Python.
Tools: ???
Useful links:
http://code.google.com/p/processtap/source/browse/#svn%2Ftrunk%2Fexamples examples
pyasm

Project: pyasm
Author: Grant Olson ([email protected])
Tags: dynamic assembler
Site project: http://www.grant-olson.net/python/pyasm
License: GNU AGPL v3
Python versions: 2.4 and 2.6
Platforms: win/lin
Processors: x86
Description: Pyasm is a full-featured dynamic assembler written entirely in Python. By dynamic, I mean that it can be used to generate and execute machine code in python at runtime without requiring the generation of object files and linkage. It essentially allows 'inline' assembly in python modules on x86 platforms. Pyasm can also generate object files (for windows) like a traditional standalone assembler, although you're probably better off using one of the many freely available assemblers if this is your primary goal.
Tools: ???
Useful links:
http://codeflow.org/entries/2009/jul/31/pyasm-python-x86-assembler/ example
http://www.docstoc.com/docs/29701848/PyASM-Users-Guide-V-03 PyASM User's Guide
PyBox

Project: PyBox
Author: Felix Leder ([email protected])
Tags: monitoring of processes, sandbox
Site project: http://code.google.com/p/pyboxed/
License: GNU GPL v3
Python versions: 2.6 or above
Platforms: win
Processors: x86
Description: PyBox (short for "Python Sandbox") is a flexible and light-weight process and system analysis framework. A user-level framework for rootkit-like monitoring of processes.
Tools: ???
Useful links:
https://eldorado.tu-dortmund.de/bitstream/2003/27336/1/BookOfAbstracts_Spring5_2010.pdf PyBox: A Python approach to sandboxing
http://code.google.com/p/pyboxed/wiki/WikiStart wiki
http://www.troopers.de/wp-content/uploads/2011/04/TR11_Leder_What_is_happening_in_your.pdf Do you know what's happening in your <put app title here>? presentation
PyCodin

Project: PyCodin
Author: Adrián Manrique (@n0km, [email protected])
Tags: DBI
Site project: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=PyCodin
License: GNU GPL v2
Python versions: 2.5
Platforms: win
Processors: x86/x64
Base project: QEMU
Description: PyCodin is an open source Python library that allows instrumentation of low-level code for different architectures. It came out from the necessity of developing a testing environment for low-level code that exploits vulnerabilities (a.k.a. shellcode). The library provides a virtual CPU front-end, allowing the manipulation of a virtualized memory space and creating different scenarios, giving the developer new tools to control the execution. PyCodin also allows runtime inspection and modification of the execution context of the instrumented program. The first version of the tool uses Qemu as the virtualization back-end.
Tools: ???
Useful links:
http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=researcher&page=Adrian_Manrique&file=publication%2FPyCodin__Instrumentando_codigo_sin_dolor%2Fpycodin-ManriqueLuksenbergPyconArgentina2010.pdf Pycodin: Instrumentando código sin dolor, presentation (Spanish)
pydasm

Project: pydasm
Site project: http://dkbza.org/pydasm.html
Base project: libdasm
Description: pydasm is a python wrapper for libdasm. It attempts to capture all the functionality of libdasm and bring its versatility to Python.
Tools:
PaiMei (http://code.google.com/p/paimei/)
Useful links:
http://www.recon.cx/en/f/lightning-ecarrera-win32-static-analysis-in-python.pdf Win32 Static Analysis in Python presentation
https://www.blackhat.com/presentations/bh-usa-07/Carrera/Presentation/bh-usa-07-carrera.pdf 4 x 5: Reverse Engineering Automation with Python presentation
Pydb

Project: Pydb
Description: pydb is an expanded version of the Python debugger loosely based on the gdb command set and the stock Python debugger. It also has all of the features found in an earlier version of pydb.py that was distributed with the debugger GUI ddd.
Tools: ???
Useful links:
http://bashdb.sourceforge.net/pydb/pydb/lib/index.html official documentation
PyDBG

Project: PyDBG
Description: PyDbg exposes most of the expected debugger functionality and then some. Hardware / software / memory breakpoints, process / module / thread enumeration and instrumentation, system DLL tracking, memory reading/writing and intelligent dereferencing, stack and SEH unwinding, exception and event handling, endian manipulation routines, memory snapshot and restore functionality, disassembly (libdasm) engine. The abstracted interface allows for painless development of custom debugger scripts.
Tools:
PaiMei http://code.google.com/p/paimei/
Blocks http://nsense.dk/tools/
Useful links:
http://www.corelan.be/index.php/2010/10/20/in-memory-fuzzing/ In Memory Fuzzing
usa-07-miller-WP.pdf Hacking Leopard: Tools and Techniques for Attacking
http://www.piemontewireless.net/Install_PaiMei_on_Snow_Leopard
http://www.securitytube.net/video/1638 Install Paimei From Svn, Idapython
PyDbgEng

Project: PyDbgEng
Author: Botten, Michael Eddington (http://phed.org/), Peter Silberman (@petersilberman)
Tags: scripting engine, debugger
Site project: http://sourceforge.net/projects/pydbgeng/
License: GNU GPL
Python versions: 2.5
Platforms: win
Processors: x86/x64
Base project: WinDbg
Description: PyDbgEng is a Python wrapper for the Microsoft Debug Engine. Its features include: user mode debugging, kernel mode debugging, soft and hw breakpoints, symbol server, etc.
Tools:
PyDbgExt http://sourceforge.net/projects/pydbgext/
KStalker http://pydbgeng.sourceforge.net/kstalker.htm
pydbgr

Project: pydbgr
Author: Rocky Bernstein
Tags: debugger
Site project: http://code.google.com/p/pydbgr/
License: GNU GPL v3
Python versions: 2.6-2.7
Platforms: lin
Processors: x86
Base project: gdb
Tools: ???
pydot

Project: pydot
Site project: http://code.google.com/p/pydot/
Platforms: win/lin/mac
Description: Python interface to Graphviz's Dot language. pydot allows to easily create both directed and non directed graphs from Python.
Useful links:
http://pythonhaven.wordpress.com/2009/12/09/generating_graphs_with_pydot/ Generating Graph Visualizations with pydot and Graphviz (blog post)
http://www.graphviz.org/Documentation.php graphviz documentation
https://www.ohloh.net/p/pydot homepage of pydot
PyEA

Project: PyEA
Author: Lorenzo Martignoni (@martignlo)
Tags: static/dynamic code analyser
Site project: http://roberto.greyhats.it/projects.html
License: GNU GPL v2 or later
Python versions: 2.5, 2.6
Platforms: win
Processors: x86/x64
Description: PyEA (Python Executable Analyser) is a hybrid static/dynamic code analyser written in Python. The analyser was originally developed to statically analyse IA-32 malicious programs, but has soon evolved into a generic analyser for compiled programs. PyEA currently supports PE and ELF executables, disassembles executables using a recursive disassembler, and translates each machine instruction into an intermediate form that makes side effects explicit.
Tools: ???
Useful links: ???
PyEMU

Project: PyEMU
Author: Cody Pierce (@codypierce)
Tags: emulator
Site project: http://code.google.com/p/pyemu/
License: New BSD License
Python versions: 2.5
Platforms: win
Processors: x86
Description: PyEmu tries to provide a fully scriptable IA-32 emulator in python. The aim is ... driven emulator in a high level language, one can roll their own purpose driven scripts to solve common problems.
Tools: ???
Useful links:
https://www.blackhat.com/presentations/bh-usa-07/Pierce/Whitepaper/bh-usa-07-pierce-WP.pdf whitepaper from BH USA 07
http://www.youtube.com/watch?v=nkTb6m96cio video from BH USA 07
http://www.inreverse.net/?p=223 blog entry about PyEMU usage
pyew

Project: pyew
Author: Joxean Piti
Description: Pyew is a (command line) python tool like radare and *iew oriented, mainly, to analyze malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it does code analysis the right way), following direct call/jmp instructions, OLE2 format, PDF format (limited) and more. It also supports plugins to add more features to the tool.
Tools: ???
Useful links:
http://joxeankoret.com/blog/?s=pyew blog entries about pyew usage
pygdb

Project: pygdb
Author: Michael Eddington ([email protected]), Frank Laub ([email protected])
Tags: scripting engine, debugger
Site project: http://code.google.com/p/pygdb/
License: MIT License
Python versions: 2.5
Platforms: lin/mac
Processors: x86
Base project: gdb
Description: This is a simple python wrapper around GDB. pygdb is a pygtk interface to gdb. It offers two terminal windows, one for gdb, one for the process to be debugged. On the top it has standard buttons like run, continue, step in, step over, step out and quit. On a second window you can add watches and breakpoints. Furthermore, you can inspect the backtrace and launch gvim on the currently executed line by pressing a button. pygdb stays synchronized with gvim (by using gvim --servername calls).
Tools: ???
Useful links: ???
pyHIEW

Project: pyHIEW
Author: Elias Bachaalany (@0xeb)
License: Artistic License/GPL
Python versions: 2.5 and 2.7
Platforms: win
Processors: x86/x64
Base project: HIEW
Description: PyHiew is a Hiew External Module that allows users to write Python scripts that interface with Hiew.
Tools: ???
Useful links:
https://0xeb.wordpress.com/?s=pyHiew blog entries about pyHIEW usage
pykd

Project: pykd
Author: Team (http://pykd.codeplex.com/team/view)
Tags: scripting engine, debugger
Site project: http://pykd.codeplex.com/
License: Microsoft Public License
Python versions: 2.6.5
Platforms: win
Processors: x86/x64
Base project: WinDbg
Description: Python extension for WinDbg. pykd does not duplicate the functionality of the Debug Engine; instead it implements an API that is convenient for daily work in WinDbg.
Tools: ???
Useful links:
http://pykd.blogspot.com/ blog about pykd (RU)
http://pykd.codeplex.com/documentation official documentation
Pylibemu

Project: Pylibemu
Author: Angelo Dell'Aera ([email protected], @angelodellaera)
Site project: https://github.com/buffer/pylibemu
License: GNU Lesser General Public License, version 3 or later
Python versions: 2.5 or later
Base project: Libemu
pyMem

Project: pyMem
Author: Fabien Reboia ([email protected])
Tags: wrapper
Site project: https://github.com/srounet/Pymem
License: THE POSTCARD LICENSE
Python versions: more than 2.5
Platforms: win
Processors: x86/x64
Description: Pymem is a memory wrapper built on top of python ctypes and windll imports to facilitate process memory access in Read or Write. It has functionalities such as opening a process in debug mode, hijacking threads, listing process modules and much more.
Tools: ???
Useful links:
http://www.mmowned.com/forums/world-of-warcraft/bots-programs/memory-editing/285120-pymem-python-process-memory-editing.html code example
pyREtic
Project: pyREtic
Platforms: win/lin/mac
Description: pyREtic and the REpdb debugger allow easier access to obtaining source code from memory of closed source Python applications. In a nutshell it allows you to take an object in memory back to source code, without needing access to the bytecode directly on disk. This can be useful if the application's pyc's on disk are obfuscated in one of many ways.
Tools: ???
Useful links: http://pyretic.googlecode.com/files/pyREtic%20%20In%20memory%20reverse%20engineering%20for%20obfuscated%20Python%20bytecode.pdf (whitepaper); http://prezi.com/kmyvgiobsl1d/pyretic-rich-smith-blackhatdefcon-2010/ (slides from BlackHat/Defcon 2010)
PySTP
Project: PySTP
Author: Roberto Paleari (@rpaleari)
Tags: STP, solver
Site project: http://security.dico.unimi.it/~roberto/pystp/
Python versions: 2.5
Platforms: win/lin
Processors: ???
Base project: STP
Description: PySTP is a Python extension module that interfaces with STP. STP is a decision procedure for the theory of fixed-width bitvectors and arrays, and PySTP enables Python scripts to use STP.
Tools: ???
PythonGdb
Project: PythonGdb
Author: ???
Site project: http://sourceware.org/gdb/wiki/PythonGdb (in gdb 7 it is already included)
Tags: scripting engine, debugger
License: GNU GPL
Python versions: 2.x
Platforms: Lin
Processors: x86/x64
Base project: Gdb
Tools: runFuzzer http://www.groundworkstech.com/projects/dynamips-gdb
Useful links: http://sourceware.org/gdb/wiki/PythonGdbTutorial (official tutorial); http://sourceware.org/gdb/onlinedocs/gdb/Python-API.html (API in-GDB); http://dmalcolm.fedorapeople.org/presentations/PyCon-US- (entry in blog, PyCon US 2011)
python-ptrace
Project: python-ptrace
Author: Victor Stinner (@victor_stinner)
Tags: debugger, wrapper
Site project: http://pypi.python.org/pypi/python-ptrace
License: GNU GPL v2
Python versions: 2.5, 3.0
Platforms: lin/bsd/Darwin
Processors: x86/x64
Description: python-ptrace is a debugger using ptrace (the Linux, BSD and Darwin system call to trace processes) written in Python.
Tools: Fusil https://bitbucket.org/haypo/fusil/wiki/Home
Useful links: https://bitbucket.org/haypo/python-ptrace/wiki/Home (wiki)
pytracer
Project: pytracer
Site project: http://code.google.com/p/pytracer/
Description: A more flexible interface to sys.settrace allowing, for example, chained trace hooks. We allow several trace hooks to get registered and unregistered and allow tracing to be turned on and off temporarily without losing the trace hooks. You can also indicate filters on events for which trace hooks should fire and mark methods that should automatically be ignored.
Tools: ???
Useful links: ???
radapy
Project: radapy
Author: pancake (http://nopcode.org), nibble.ds, earada (@earada)
Site project: http://radare.org/doc/html/Section10.6.html#python
Tags: scripting
License: GNU GPL v3
Python versions: 2.5 and 2.6
Platforms: win/lin
Processors: x86/x64
Base project: radare2
Description: The second scripting language implemented in radare was 'python'. The python interface for C is not as nice as the LUA one, and it is obviously not as optimal as LUA, but it gives a very handy syntax and provides a full-featured list of libraries and modules to extend your script.
Tools: ???
Useful links: http://radare.nopcode.org/y/ (radare official site)
uhooker
Project: uhooker
Description: The Universal Hooker is a tool to intercept execution of programs. It enables the user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory.
Useful links: http://oss.coresecurity.com/uhooker/doc/index.html (official documentation); http://www.irmplc.com/downloads/whitepapers/HighLevel_Reverse_Engineering.pdf (usage)
Vivisect
Project: Vivisect
Author: invisigoth kenshoto (@invisig0th)
Tags: static analysis, emulator
Site project: https://www.kenshoto.com/wiki/index.php/Main_Page
License: ???
Python versions: ???
Platforms: win/lin/mac
Processors: x86/x64
Tools: ???
Useful links: http://visi.kenshoto.com/wiki/index.php/VivisectExamples (examples)
vtrace
Project: vtrace
Site project: http://code.google.com/p/vtrace-mirror/
Platforms: win/lin/darwin/freebsd/solaris
Description: vtrace is a cross-platform debugging API written in Python. Each supported platform has its own support module.
Tools: vdebug http://code.google.com/p/vdebug/
Useful links: http://www.morenops.com/blog/2011/02/24/fuzzing-engine-with-vtrace/ (entry in blog); https://github.com/pdasilva/vtrace_scripts (vtrace script examples)
WinAppDbg
Project: WinAppDbg
Description: The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
Useful links: http://winappdbg.sourceforge.net/Tools.html; http://winappdbg.sourceforge.net/ProgrammingGuide.html (programming guide)
Z3-python
Project: Z3-python
Site project: http://www4.in.tum.de/~boehmes/z3-python.html
Tags: solver, SMT, binding, interface
Python versions: 2.5.1 and 2.5.2
Platforms: win
Processors: x86/x64
Base project: Z3
Description: This is a Python binding to the SMT solver Z3. Since it is based on Python's ... Z3 is a high-performance theorem prover being developed at Microsoft Research. Z3 supports linear real and integer arithmetic, fixed-size bit-vectors, extensional arrays, uninterpreted functions, and quantifiers. Z3 is integrated with a number of program analysis, testing, and verification tools from Microsoft Research. These include: Spec#/Boogie, Pex, Yogi, Vigilante, SLAM, F7, SAGE, VS3, FORMULA, and HAVOC. It can read problems in SMT-LIB and Simplify formats.
Tools: ???
Useful links: http://research.microsoft.com/en-us/um/redmond/projects/z3/ (Z3 site)
Note
In addition, I would like to note the outstanding book GRAY HAT ... and recommend everyone to read it.
A lot of useful tips for using IDAPython and automation of RE can be found at ...
I would like to note that it would be quite wrong to think that python is popular only for the purposes of RE, because there is a large number of fuzzers (Peach, Sulley, PI) and web-utilities (http://www.gdssecurity.com/l/constricting_the_web_final.pdf), tools for penetration testers (http://dirk-loss.de/python-tools.htm) on python, designed to help security researchers. Unfortunately I still did not manage to use all of this, but if the need arises, then I will know what can help me for sure. Good luck with your research!
P.S. Later I will try to arrange it as a website and promptly update it.
About Author
A student of St. Petersburg State Polytechnic University, computer science department, he focuses on SAP security, particularly on Kernel, BASIS and ABAP security. He has official acknowledgements from SAP and Oracle for the vulnerabilities found. His interests cover reverse engineering, software verification/program analysis (SMT, DBI, IL), vulnerability research and development of exploits, and software for static and dynamic code analysis written in Python. He is a contributor to the OWASP-EAS project.
Research areas: SAP (ABAP) security, reverse engineering, and source code analysis.
Contacts
About ERPScan
ERPScan is an innovative company engaged in the research of ERP security, particularly in SAP, and develops products for SAP system security. Apart from this, the company renders consulting services for secure configuration, development and implementation of SAP systems, and conducts comprehensive assessments and penetration testing of custom solutions. Our flagship product "ERPScan Security Scanner for SAP" is an innovative product for automatic assessment of SAP platform security and standard compliance.
DSecRG
Leading SAP AG partner in discovering and solving security vulnerabilities. ERPScan expertise is based on research conducted by the DSecRG research center, a subdivision of the ERPScan company. It deals with vulnerability research and analysis in business critical applications, particularly in SAP, and publishes whitepapers about it. SAP AG gives acknowledgements to security researchers from DSecRG almost every month on their site. Now DSecRG experts are in first place in the SAP public acknowledgements chart.
DSecRG experts are frequent speakers at prime international conferences held in the USA, EUROPE, CEMEA and ASIA such as BlackHat, HITB, SourceBarcelona, DeepSEC, Confidence, Troopers, T2, InfoSecurity. DSecRG researchers gain multiple acknowledgements from the biggest software vendors like SAP, Oracle, IBM, VMware, Adobe, HP, Kaspersky, Apache, Alcatel and others for finding vulnerabilities in their solutions. DSecRG has highly qualified experts on staff who have experience in different fields of security, from Web applications and reverse engineering to SCADA systems, accumulating their experience to conduct research in SAP system security.
Our Contacts
Web: www.dsecrg.com
E-mail: [email protected]