Introduction C Extension for python Python for reverse engineering
Introduction: Writing C Extensions for Python, Specifically for Reverse Engineering
Xing Wang
CSE Department of TAMU
Mar 10, 2015
1 Introduction
2 C Extension for Python
    Print a string
    Print a string and an integer
    Add 1 to each element in array
3 Python for reverse engineering
    IDAPython
    PyXED
    Python Ollydbg
Motivation
Scripting: integration, batchable tasks
Python
    Like shell script, but more powerful
    Many third-party libraries
    Extensible by writing C code:
        Direct memory management (pointers)
        Complex data structures
        Fast
Environment Setup
Linux Machine, linux2.cse.tamu.edu
g++, C compiler
Python 2.6 and the Python development package (sudo apt-get install python-dev)
python-numpy (sudo pip install numpy), for scientific computing
make, for compile management
Learning materials
Python: http://www.learnpython.org/, http://learnpythonthehardway.org/book/
Python C extension: https://docs.python.org/2/extending/extending.html
Print a string
# Comments start with #
# This is the package we wrote; it must be imported before use
import demopackage

print '# only receives one string and prints it #'
demopackage.print_string("abcdef")
Related files
Input
demo.h
demo.c
Makefile
Output
demopackage.so
Demo.h
static PyObject *plus_one(PyObject *self, PyObject *args);
static PyObject *print_string(PyObject *self, PyObject *args);
static PyObject *print_string_int(PyObject *self, PyObject *args);
Demo.c
/* Python.h must be included before any standard header: it sets
   pre-processor definitions that affect the standard headers */
#include "Python.h"
#include "stdio.h"
#include "demo.h"

/* Method table: Python name, C function, calling convention, docstring */
static PyMethodDef demopackageMethods[] = {
    {"plus_one", plus_one, METH_VARARGS, "Plus one to all elements in array"},
    {"print_string", print_string, METH_VARARGS, "Print string on screen"},
    {"print_string_int", print_string_int, METH_VARARGS,
     "Receiving two parameters, string and int, then print them on screen"},
    {NULL, NULL, 0, NULL}   /* sentinel */
};

/* Entry point; the name must be init<modulename> for Python 2 */
PyMODINIT_FUNC initdemopackage(void) {
    (void) Py_InitModule("demopackage", demopackageMethods);
}
Demo.c
static PyObject *print_string(PyObject *self, PyObject *args) {
    const char *input;
    /* On parse failure PyArg_ParseTuple has already set an exception;
       the function must return NULL, not Py_None, or Python raises SystemError */
    if (!PyArg_ParseTuple(args, "s", &input)) return NULL;
    printf("%s\n", input);
    /* Py_RETURN_NONE increments the reference count of None; a bare
       "return Py_None" leaks a reference each call */
    Py_RETURN_NONE;
}
Makefile
all: demopackage.so demo2package.so

demopackage.so: demo.o
	gcc -shared -o demopackage.so demo.o

demo.o: demo.c
	gcc -c -fpic demo.c -I/usr/include/python2.6/

demo2package.so: demo2.o
	gcc -shared -o demo2package.so demo2.o

demo2.o: demo2.c
	gcc -c -fpic demo2.c -I/usr/include/python2.6/ -I/usr/lib64/python2.6/site-packages/numpy/core/include/numpy/
Print a string and an integer
import demopackage

print '# receive one string and one integer #'
demopackage.print_string_int("string part", 100)
C code
static PyObject *print_string_int(PyObject *self, PyObject *args) {
    const char *input;
    int i;
    /* "si": one C string and one C int; NULL on failure propagates the exception */
    if (!PyArg_ParseTuple(args, "si", &input, &i)) return NULL;
    printf("%s %d\n", input, i);
    Py_RETURN_NONE;   /* returns None with its reference count incremented */
}
Add one to each element in array
import demopackage
import numpy as np
import demo2package

print '# receive one list of integer' + \
      ', add each element by one #'
a = [1, 2, 3]
print a
b = demopackage.plus_one(a)
print b

print '# receive one array of double' + \
      ' in numpy format, add each element by one #'
a = np.array([1, 2, 3]).astype(np.dtype('f8'))
print a
b = demo2package.plus_array_float(a)
print b
C code
static PyObject *plus_one(PyObject *self, PyObject *args) {
    PyObject *l, *r;
    /* "O!" with PyList_Type rejects anything that is not a list, instead of
       handing an arbitrary object to PyList_Size */
    if (!PyArg_ParseTuple(args, "O!", &PyList_Type, &l)) return NULL;
    Py_ssize_t n = PyList_Size(l);
    r = PyList_New(n);
    if (r == NULL) return NULL;
    Py_ssize_t i;
    for (i = 0; i < n; i++) {
        /* PyInt_AsLong returns -1 and sets an exception for non-integer items */
        long tmp = PyInt_AsLong(PyList_GetItem(l, i));
        if (tmp == -1 && PyErr_Occurred()) {
            Py_DECREF(r);
            return NULL;
        }
        PyList_SetItem(r, i, PyInt_FromLong(tmp + 1));  /* steals the new reference */
    }
    return r;
}
Numpy version of add one to array items
#include "Python.h"        /* must come before the standard headers */
#include "stdio.h"
#include "arrayobject.h"   /* NumPy C API */
#include "demo2.h"

static PyMethodDef demo2packageMethods[] = {
    {"plus_array_float", plus_array_float, METH_VARARGS,
     "Plus one to all elements in array"},
    {NULL, NULL, 0, NULL}
};

PyMODINIT_FUNC initdemo2package(void) {
    (void) Py_InitModule("demo2package", demo2packageMethods);
    import_array();   /* Must be present for NumPy. Called first after the line above. */
}
Numpy version of add one to array items
static PyObject *plus_array_float(PyObject *self, PyObject *args) {
    PyArrayObject *ain;
    PyArrayObject *aout;
    /* "O!" rejects objects that are not ndarrays; on failure an exception is
       already set, so return NULL rather than Py_None */
    if (!PyArg_ParseTuple(args, "O!", &PyArray_Type, &ain))
        return NULL;
    /* The loop below casts ain->data to double*. Check that this is really a
       contiguous 1-D float64 buffer first: a float32 or int32 array of the same
       length is only half as many bytes and would be read past its end. */
    if (ain->nd != 1 || PyArray_TYPE(ain) != NPY_DOUBLE || !PyArray_ISCONTIGUOUS(ain)) {
        PyErr_SetString(PyExc_TypeError, "expected a contiguous 1-D float64 array");
        return NULL;
    }
    npy_intp dims[1];   /* PyArray_SimpleNew takes npy_intp*, not int* */
    dims[0] = ain->dimensions[0];
    aout = (PyArrayObject *) PyArray_SimpleNew(1, dims, NPY_DOUBLE);
    if (aout == NULL) return NULL;
    double *tmpin = (double *)(ain->data);
    double *tmpout = (double *)(aout->data);
    npy_intp i;
    for (i = 0; i < dims[0]; i++) {
        tmpout[i] = tmpin[i] + 1;
    }
    return PyArray_Return(aout);
}
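Added example (not from the slides): the validation plus_array_float needs before it casts ain->data to double*, written in plain C so it compiles without the Python or NumPy headers. The array1d struct is a hypothetical stand-in for the fields NumPy exposes on a 1-D PyArrayObject (PyArray_DATA, PyArray_DIMS, PyArray_STRIDES, PyArray_DESCR(a)->elsize, PyArray_TYPE); in a real extension those macros replace the struct fields. It goes one step further than the slide's code by honouring the stride, so a non-contiguous view such as a[::2] is read correctly instead of rejected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the PyArrayObject fields a 1-D NumPy array exposes.
 * data points at the first element of the view; stride is in bytes and may be
 * larger than elsize (strided view) or negative (reversed view). */
typedef struct {
    const char *data;   /* PyArray_DATA */
    size_t n;           /* PyArray_DIMS(a)[0] */
    ptrdiff_t stride;   /* PyArray_STRIDES(a)[0] */
    int elsize;         /* PyArray_DESCR(a)->elsize */
    int is_double;      /* stands in for PyArray_TYPE(a) == NPY_DOUBLE */
} array1d;

/* Add one to every element of a, writing n doubles into out.
 * Returns 0 on success, -1 when the buffer must not be read as doubles:
 * this is exactly the check plus_array_float skips before its cast. */
int add_one_checked(const array1d *a, double *out) {
    if (!a->is_double || a->elsize != (int)sizeof(double))
        return -1;   /* a float32/int32 buffer would be over-read */
    for (size_t i = 0; i < a->n; i++) {
        double v;
        /* step by the stride instead of assuming contiguity */
        memcpy(&v, a->data + (ptrdiff_t)i * a->stride, sizeof v);
        out[i] = v + 1.0;
    }
    return 0;
}

/* Constructed sample: a 6-element double buffer viewed with step 2 (numpy a[::2]),
 * then a float32 buffer of the same byte size that must be refused. */
int demo(void) {
    double base[6] = {1, 2, 3, 4, 5, 6};
    array1d view = {(const char *)base, 3, 2 * sizeof(double), sizeof(double), 1};
    double out[3];
    if (add_one_checked(&view, out) != 0) return 1;
    printf("%g %g %g\n", out[0], out[1], out[2]);   /* 2 4 6 */
    float f32[6] = {0};
    array1d bad = {(const char *)f32, 6, sizeof(float), sizeof(float), 0};
    return add_one_checked(&bad, out);   /* -1: refused, nothing read out of bounds */
}

int main(void) { return demo() == -1 ? 0 : 1; }
```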
Makefile
all: demopackage.so demo2package.so

demopackage.so: demo.o
	gcc -shared -o demopackage.so demo.o

demo.o: demo.c
	gcc -c -fpic demo.c -I/usr/include/python2.6/

demo2package.so: demo2.o
	gcc -shared -o demo2package.so demo2.o

demo2.o: demo2.c
	gcc -c -fpic demo2.c -I/usr/include/python2.6/ -I/usr/lib64/python2.6/site-packages/numpy/core/include/numpy/
IDAPython
Download from https://code.google.com/p/idapython/
IDA Free, https://github.com/DarthGizka/IDAPython-free/
Usage, https://code.google.com/p/idapython/w/list
Pros:
Good documentation
Variety of APIs
Cons:
Not Free
Not well supported on IDA Free
Only runs inside the IDA environment
idag -OIDAPython:ex1_idaapi_modified.py unins000.exe
from idaapi import *

f = open('out.txt', 'w')
try:
    # Get current ea. Run from the command line with no screen, get_screen_ea()
    # returns BADADDR (0xFFFFFFFF = 4294967295), not None, so this check
    # does not fire; see the output on the next slide.
    ea = get_screen_ea()
    print >>f, 'current EA', ea
    if ea == None:
        raise Exception('Get current EA failed')
    # Get segment class
    seg = getseg(ea)
    print >>f, 'segment class', seg
    if seg == None:
        raise Exception('Get current SEG failed')
except Exception as e:
    print >>f, str(e)
f.close()
Output
current EA 4294967295
segment class None
Get current SEG failed
Get current SEG failed
Using licensed IDA Pro
Full reference: http://www.offensivecomputing.net/papers/IDAPythonIntro.pdf
Demo:
    Get all segments and functions
    Check whether there are Internet addresses
    Write the result into a file
PyXED
XED2 has better decoding performance than the others. [1]
Download XED library link
XED Document link
Build package instruction link
Dump assembly demo
[1] N-version Disassembly: Differential Testing of x86 Disassemblers
Python OllyDbg
Similar to IDAPython: Python is only a scripting language inside the OllyDbg environment. Setup information can be found at https://github.com/0vercl0k/ollydbg2-python.
Q & A