Python Memory Reading & Reverser Questions

Discussion in 'Reverser Knowledge Base' started by userzim, Dec 6, 2017 at 02:24.

  1. userzim

    userzim Registered User

    Joined:
    Oct 19, 2017
    Messages:
    20
    Likes Received:
    73
    Hey friends!

    I'm well enough experienced in C++ and Java RE but would like to bounce some ideas off of those who may be more fluent (what a geek!) than I am. As I've progressed I use Python more and more, it's not just my go-to prototyping language anymore and I'd really like to start building out my Python toolchain.

    There are some pretty good packages for memory editing in Python (memorpy, pymem, hackmanager) but I'd like to first take a stab at converting what I know from CPP into the dreaded c_types of Python -- I wrote some quick code to grab the Windows calculator exe (x32) process and set up some addresses to read from. Pastebinned here. Most of my information, other than what's in the pydocs, comes from SO, but the majority actually comes from game hacking sites from 2002.

    Now normally in Cpp it's necessary to deal with modules and offsets, but for this example we shouldn't need to go that far because Calc.exe is relatively standalone. But eventually Python will need to be injected -- or the libraries will need to be loaded into Python either with cdll, windll, or LoadLib -- and this is about where I'm stumped.

    1) It feels like there's another layer of abstraction that I am missing with Python's ctype functions... there's a separation between kernel calls and win32gui/api calls that's really throwing me off. Is there some resource that describes Python's accessible lower-level controllers?

    2) I've worked with some Python extending C applications -- but ultimately I'd like to be able to inject shellcode (or even a python interpreter) using only Python. I have seen some implementations of this -- but just as a general question: what is necessary for compiling Python into injectable shellcode that does not need an interpreter? (I assume it's not automatic and most times will need to be written by the programmer).

    Thanks, let me know if I can help in any way!
  2. userzim

    I took some more time to investigate the ctypes and struct interaction and was able to begin unpacking values from memory using the simple "<I" pattern. The new code is pastebinned here. The issue I'm having with this updated code is that it is still missing the layers of buffering that are usually present (i.e. I'll need to write a more efficient buffering system to unpack multiple values).

    It's interesting to see python's choice of return types for some of the c_type functions; I have found myself needing to manipulate the buffer and data encoding as leaving it in byte strings causes some arithmetic errors.

    I have yet to find a source that describes the paths the ctype functions take. I am not concerned about the cross platform abilities of my code at the moment but I do worry that the windows functions, like usual, will obscure most of my understanding. At least there's some progress.

    Cheers!
  3. userzim

    No large code updates at the moment but a few revelations for troubleshooting.

    • StackOverflow for Python memory reading is barren compared to almost every other language, but that doesn't mean it's useless for your search to be language agnostic. I was able to find out about AdjustTokenPrivileges, which can potentially allow one to override protected memory (assuming you're running your code as System/Admin already) through a Cpp post.
    • Know the program you're trying to access -- in the first example I was choochin' on Outlook and all was fine; I started to switch over to Calculator only to find all of my code was breaking. I could get the handle, the PID, but when I started scanning wide-breadth memory addresses it was returning nothing but x00. Running it as admin was still producing the same issues and I had the highest level of access I could grant myself! Oops, Windows Calculator, now wrapped in an Application Frame Host, is running x64 on my local machine while my Python code was running in an x32 interpreter! Also try to get familiar with the window's title and application name.
    • There is no spoon.
    • Sanity check yourself, use well known tools to grab an address that has data in it. Copy code from Stackoverflow and get it to run on your machine. Try reading from a program that isn't your main project.

    Here's the code for the process privilege escalation; the code must already be running as admin (unfortunately I don't have many 0days to publicly release) but will allow you to consume system processes. If there's anything greater than the SE_DEBUG_NAME value I would think it would be ring 0.

    /e

    The privilege code was documented at the GitHub repo FPDB here. Most of the exploits and memory reading Python code I've found is 2.7; for this project, and FPDB's, we will be focusing on 3.x (3.6 at the moment).

    Looking forward to getting some manageable classes up and running soon.
     
    Last edited: Dec 8, 2017 at 15:29
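An added example, not code from userzim's pastebins or from FPDB: the "buffering layer" post 2 says is missing (one read per struct, fields unpacked into ints so no arithmetic is done on byte strings), together with the x32-interpreter-versus-x64-target pitfall from post 3. Everything is constructed so it runs offline: `FAKE_MEMORY`/`IMAGE_BASE` stand in for a 32-bit target's address space and `fake_read` stands in for a ReadProcessMemory wrapper; `MemoryReader`, `LAYOUT` and `read_node` are hypothetical names.

```python
import struct

# Constructed 4 KiB image standing in for a 32-bit target's memory (IMAGE_BASE is made up).
IMAGE_BASE = 0x00400000
FAKE_MEMORY = bytearray(0x1000)
# A 32-bit struct at base+0x200 (u32 count, u16 flags, u16 pad, u32 pointer)
# immediately followed by an unrelated u32 marker.
struct.pack_into("<IHHI", FAKE_MEMORY, 0x200, 7, 0x1, 0, 0x00401000)
struct.pack_into("<I", FAKE_MEMORY, 0x20C, 0xDEADBEEF)

def fake_read(address, size):
    """Stand-in for a ReadProcessMemory wrapper: may return fewer bytes than asked."""
    off = address - IMAGE_BASE
    if off < 0 or off >= len(FAKE_MEMORY):
        return b""
    return bytes(FAKE_MEMORY[off:off + size])

class MemoryReader:
    """Fetch a whole struct with one read and unpack it into Python ints."""

    def __init__(self, read_fn, pointer_size, byteorder="<"):
        if pointer_size not in (4, 8):
            raise ValueError("pointer_size must be 4 (x86) or 8 (x64)")
        self.read_fn = read_fn
        self.byteorder = byteorder
        self.ptr_code = "I" if pointer_size == 4 else "Q"

    def read_struct(self, address, layout):
        """layout: sequence of (name, struct code); code 'P' means pointer-sized."""
        codes = "".join(self.ptr_code if c == "P" else c for _, c in layout)
        fmt = self.byteorder + codes  # explicit byte order also disables native padding
        size = struct.calcsize(fmt)
        buf = self.read_fn(address, size)
        if len(buf) != size:
            raise IOError(f"short read at {address:#x}: {len(buf)}/{size} bytes")
        # unpack() yields ints, so no arithmetic is ever attempted on byte strings
        return dict(zip((name for name, _ in layout), struct.unpack(fmt, buf)))

LAYOUT = [("count", "I"), ("flags", "H"), ("pad", "H"), ("next", "P")]

def read_node(pointer_size, address=IMAGE_BASE + 0x200):
    """Read the sample struct assuming the given target bitness; None on a failed read."""
    reader = MemoryReader(fake_read, pointer_size)
    try:
        return reader.read_struct(address, LAYOUT)
    except IOError:
        return None

if __name__ == "__main__":
    print("as x86:", read_node(4))   # next == 0x401000
    print("as x64:", read_node(8))   # next swallows the marker: 0xDEADBEEF00401000
    print("unmapped:", read_node(4, 0x10000000))  # None
```

Reading the same bytes with the wrong pointer size does not fail loudly; it returns a plausible-looking but wrong value, which is why checking the target's bitness against the interpreter's belongs in the sanity checks listed above.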