Sunday, May 3, 2009

Gray Hat Python: Python Programming for Hackers and Reverse Engineers


Gray Hat Python: Python Programming for Hackers and Reverse Engineers (Paperback)
by Justin Seitz

Publisher Description

Python is fast becoming the programming language of choice for hackers, reverse engineers, and software testers because it's easy to write quickly, and it has the low-level support and libraries that make hackers happy. But until now, there has been no real manual on how to use Python for a variety of hacking tasks. You had to dig through forum posts and man pages, endlessly tweaking your own code to get everything working. Not anymore.

Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators. But author Justin Seitz goes beyond theory, showing you how to harness existing Python-based security tools - and how to build your own when the pre-built ones won't cut it.


My Take

I have to start off by saying that I've been looking forward to this book being published for months now. Since it initially popped up on the No Starch website I've been following it and nagging the publishers about its release. I was fortunate enough to get a copy last Friday and I dove into it full force; even my final exam suffered because I was a little too focused on this book. I have mixed feelings about the book overall; there were definitely a few things I gained from it. On the other hand, there were many more things that could have been added. If you are new to Reverse Engineering then you will most likely obtain a leap of knowledge from the book. Packed with code examples on various open source tools and concepts to create your own, you'll be waist deep in Python for a while. If you've been around for the last few years and have already checked out many of the open source tools discussed in the book you may only get a few things out of it. I don't understand CG's rating system so I'm not going to give you a star formula, or even a numeric rating.


Justin does a great job elaborating through the code examples used throughout the book. The sheer scope of this book makes it difficult to cover everything but Justin definitely attempts to give you a taste for the more common scenarios you may find yourself in. Below I highlight a few chapters that I found interesting and useful. Overall the entire book is useful but a large portion covers open source tools that have a plethora of documentation and examples in existence.

Chapter 3 is just downright awesome. This chapter walks you through creating your own Python-based debugger that is similar to pydbg. Between the concepts and actual implementation you obtain a solid understanding of what is going on in a Windows-based debugger.

Chapter 6 goes over Hooking in 5 pages. This topic could easily fill a few chapters by itself but Justin sums everything up quite nicely with plenty of examples.

Chapter 7 discusses DLL and Code injection which was a pretty interesting topic. The chapter even gets a little "Evil" by showing you how to hide files on a filesystem using Python. It goes one step deeper into evilness by demonstrating how to code a back door into files.

Chapter 8 goes into fuzzing concepts and the demonstration is very practical for anyone doing exploitation. Justin shows us how to create a file format fuzzer which I thought was pretty slick.

The last chapter I found pretty interesting was chapter 10 titled "Fuzzing Windows Drivers." This chapter outlines methods of identifying Device names and IOCTL codes using Immunity Debugger. It continues to show examples of an IOCTL Fuzzer that can be used in conjunction with the rest of the scripts outlined in the chapter. Definitely some cool stuff. Personally, I'm not quite up to a Driver level fuzzing level but I still found the knowledge very useful and was able to translate some of the Immunity scripts into IDAPython scripts for static analysis to find the device names and IOCTL Codes.


The Cons

The entire book was based off Dynamic analysis. This is great for those out there doing RE through execution, but it really sucks for people like me who only do dynamic analysis 10% of the time.

The entire book is Windows specific. Yes, most RE work is done on Windows, for Windows binaries. However, there are closed source applications and even embedded stuff that is Linux based. Would have definitely been useful to have some examples for these types of cases.

At times I found the book drifting into the direction of exploitation. Granted, RE and exploitation go hand in hand but I feel those of us who perform RE for the purpose of compatibility, protocol analysis, and other crap were left out a bit.

The chapter on debugger design did not have all that much to say about designing a debugger. In fact, it was probably more in line with a quick introduction to x86 architecture, specifically registers and stacks. It was not until chapter 3 that you really understand the elements involved.

Overall, I equate this book to Hacking: The Art of Exploitation, first edition, but for Reverse Engineering. The book is packed with useful information for both the novice and the professional but I hope a second edition comes out with more information that covers both static and dynamic analysis.


E. Hulse

17 comments:

Cl@rity_533k4 said...

What you say is true, but Ruby is also pretty popular among the hackers community (Metasploit). If only one language were chosen so as to concentrate the efforts on it.
We'll see if we'll have a winner.

Gwen said...

If it is so then it's very bad. Is there any option to prevent those hackers?

CG said...

@GWEN

unplug...

Pento said...

> The entire book is windows specific.
WTF?!

Ficti0n said...

I have this on order, I have also been looking forward to this book for a good year now.. From what I read there is loads of stuff that this book could have included.. I was under the impression the focus was more exploitation and penetration oriented not RE though... But whatever, it's all good, I am looking forward to reading it... Thanks for the review..
I figured it would be a Linux specific book.. hmmm oh well..

Anonymous said...

Uhm, the title "Gray Hat Python" wasn't enough of a hint? ;)

Seems pretty obvious it wasn't going to be about reversing file formats for compatibility and whatnot.

Anonymous said...

Okay so where can I get a free pdf version?

I can't find it anywhere...

CG said...

or you could support the author and pay for it...

Ficti0n said...

haha well the term gray hat Python to me generally means hacking.. not really reversing.. but I enjoy both...

Oh and yeah, go PURCHASE the book.... it's a very worthwhile book if you put the time in and are interested in a low level aspect of Python for a good overview of debugging and exploitation.. It's not that expensive on Amazon...

Anonymous said...

A free PDF version? CG and Ficti0n are right, maybe BUY the book. Amazon has it listed and I got a copy from Barnes and Noble.

str0ke said...

Please support this piece of literature,
I have owned it since it was released (shipped to Europe) and it was a very good read even though I was new to Python.

jbmoore said...

Quite a few of the code examples are broken and the mistakes don't show up on NoStarch's errata page for the book. Some of the code depends upon the installation of PyDbg. The IDAPro plugins need IDAPro version 5. You can use the demo, but it only lasts for 30 days and IDAPro Freeware is version 4.0. You could have mentioned these issues. Contrast this book with Jon Erickson's book called Hacking: The Art of Exploitation (http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=dp_ob_title_bk) where a LiveCD is included and ALL of the code works.

Syniack said...

I am new to Python and it's really easy to understand for anyone who really wants to learn how debugging works.

Awesome book. Please include some Linux debugging methods in your next upcoming launch if you are planning to.
Point 10/10 excellent

Ficti0n said...

Yeah, I am also looking forward to this book if they make a Second Edition and add in some Linux related stuff... but the Windows stuff was good and very useful for understanding debugging processes at a programmatic level...
Hopefully a second edition fixes some of the setup and code error issues though.... Some of the stuff took a bit of playing with to get right..

Anonymous said...

jbmoore points out a very important bit of information: code is broken in this book, and it is not corrected on the companion website nor even mentioned, so if you are not proficient at coding, you may find yourself lost with nowhere to go!

Apart from that, so far the book is excellent, perhaps the code is purposefully broken to promote self learning....doubtful

Anonymous said...

jbmoore points out something very important here: the code in this book is broken, and incomplete in some places; for a novice this could leave them stranded with no hope,
unless they find this site and read jbmoore's comment.

Apart from that fairly major problem, the book is excellent.

firesofmay said...

Hey
I have a question. I got this book, and I just started learning Python.

The problem is, I don't know whether I should learn 3.0 or 2.6?

As the book is using 2.5, but according to the review it works for 2.4?

I am really confused...
Also is there any forum where I can learn the basics of Python for hacking?

Thanks for your review.