Python extensions in WinDbg 
Alin Serdean 
Senior cloud engineer 
@cloudbaseit
About me
• Mostly a kernel developer
• Over the past year I have been working intensely to bring Open vSwitch (OVS) to Hyper-V
• OVS is a production-quality, multilayer virtual switch licensed under the open source Apache 2.0 license
• De facto standard in OpenStack
• It is designed to support distribution across multiple physical servers
OVS use case
OVS features
• LACP (IEEE 802.1AX-2008)
• Standard 802.1Q VLAN model with trunking
• STP (IEEE 802.1D-1998)
• Multiple tunneling protocols (GRE, VXLAN, IPsec, GRE and VXLAN over IPsec)
• Remote configuration protocol with C and Python bindings
• Kernel and user-space forwarding engine options
Debuggers on Windows
Microsoft Visual Studio Debugger
- ships along with all versions of VS
- good when you have sources
- integrated UI
- based on CodeView
- good for userspace debugging
- can be used for kernel debugging through VisualDDK
- less powerful
Debuggers on Windows
SoftICE
- one of the most popular debuggers in the 90s
- Nu-Mega Tech. -> Compuware -> Micro Focus -> no longer maintained
- an open source kernel debugger similar to SoftICE exists, named Rasta Ring 0 Debugger (RR0D)
- was designed to run live
- software vendors have put in place a wide range of countermeasures to protect themselves from people employing SoftICE as a tool to analyse software
SoftICE
mov eax, dword ptr [pIDT+2]  ; eax -> IDT base (pIDT holds the IDTR image saved by sidt: limit, then base)
add eax, 8                   ; eax -> int 1 descriptor
mov ebx, [eax]               ; ebx == low dword of the int 1 descriptor
add eax, 16                  ; eax -> int 3 descriptor
mov eax, [eax]               ; eax == low dword of the int 3 descriptor
and eax, 0ffffh              ; strip the selector, keep the low 16 bits of the handler offset
and ebx, 0ffffh              ; same for the int 1 vector
sub eax, ebx                 ; displacement between the two handlers
cmp eax, 10h                 ; on an untouched kernel they are 0x10 apart
jne HackedVector             ; if not, chances are SoftICE has tampered with these vectors
Debuggers on Windows 
• OllyDbg 
– x86 only 
– x64 under heavy development 
– Used for reverse engineering/cracking 
– Can be used for malware as well 
– Userspace only
Debuggers on Windows
• Interactive Disassembler
– Known as IDA
– Was sold to DataRescue -> IDA Pro
– The original author created Hex-Rays
– Hex-Rays is behind the development and support of IDA
– Has support for scripting languages (IDARuby and IDAPython) through extensions; in the latest IDA Pro release IDAPython is preinstalled
– Has support for a variety of instruction sets
Debuggers on Windows
WinDbg
– Well written documentation (MSDN)
– Can be used for kernel memory dumps
– Can be used to debug:
• Userspace
• Drivers
• The OS itself!
– x64 support
– Has extensions, loaded as DLLs (the commands that start with !)
Debuggers on Windows
• WinDbg (contd')
– Has the ability to automatically load PDBs
– Has support for multiple scripting languages
• The proprietary one looks a bit awful and has too few commands
• Python, through the kindness of the following:
– PyDbgExt
– PyKd
• Ruby, unstable at the moment:
– https://github.com/bnagy/rBuggery
– Free to use
Python Extensions
• PyDbgExt
– Still alpha
– Has to be recompiled on Windows 8/8.1
– Relies on Boost
– Highly unstable
– No documentation
Python Extensions
• PyKd - https://pykd.codeplex.com/
– It has an installer
– It has documentation
– It has samples
– Microsoft acknowledges it
– Used intensively by reverse engineers
– Decently stable
– Highly maintained
Typical example of a WinDbg script
!for_each_module "
.if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18) & 0x40)) {
    r @$t3 = @#End - @#Base;
    .foreach /s (retn "C2 C3") {
        .foreach (f {s -[1]b @#Base L@$t3 ${retn}}) {
            .for(r @$t0 = 1; @$t0 < 4; r @$t0 = @$t0 + 1) {
                r @$t1 = 0;
                .foreach (g {.catch {u f - @$t0 L@$t0+1}}) {
                    .if($spat("${g}", "*ret*") != 0) {
                        r @$t1 = 1
                    }
                };
                .if(@$t1 == 1) {
                    .printf "---------------------- size %x", @$t0;
                    .echo;
                    .catch {u f - @$t0 L@$t0+1}
                }
            }
        }
    }
}
"
• The example above is a script to find a specific vulnerability in Windows
• It is used to find ROP gadgets
• ROP (return-oriented programming) allows you to execute code despite non-executable memory and code signing
• The script above bypasses ASLR (Address Space Layout Randomization)
• It reads the Optional PE Header (DllCharacteristics) of each module and checks for the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) flag
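Added example (not code from the talk): the same DllCharacteristics test the WinDbg one-liner performs, done in plain Python over raw image bytes, so a defender can audit which modules in a dump or on disk were built without the ASLR opt-in. The PE headers it runs on are constructed samples; inside a PyKd session the bytes would come from the debugger instead.

```python
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics tested here.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in, the bit the WinDbg script tests
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in, lives in the same word

# The offsets the WinDbg one-liner walks; its "46" and "18" are hex (default radix).
E_LFANEW_OFFSET = 0x3C            # IMAGE_DOS_HEADER.e_lfanew
OPTIONAL_HEADER_OFFSET = 0x18     # "PE\0\0" (4 bytes) + IMAGE_FILE_HEADER (20 bytes)
DLLCHARACTERISTICS_OFFSET = 0x46  # identical for PE32 (0x10B) and PE32+ (0x20B)


def dll_characteristics(image):
    """Return the DllCharacteristics word of a PE image given as bytes.

    Unlike the WinDbg script, this validates the MZ/PE signatures and the
    optional-header magic first, so garbage is reported instead of silently
    having bit 0x40 tested on it.
    """
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + OPTIONAL_HEADER_OFFSET
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (value,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return value


def has_dynamic_base(image):
    """True if the module opted in to ASLR (the modules the script skips)."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def modules_without_aslr(modules):
    """modules: {name: image_bytes}. Returns the names that lack DYNAMIC_BASE,
    i.e. exactly the modules the page's script would go on to search."""
    return sorted(name for name, image in modules.items() if not has_dynamic_base(image))


def build_sample_image(characteristics, magic=0x20B):
    """Constructed sample input: a minimal, non-loadable PE header whose only
    meaningful fields are e_lfanew, the signatures and DllCharacteristics."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    sample = {
        "hardened.dll": build_sample_image(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacy.dll": build_sample_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }
    print("modules without ASLR opt-in:", modules_without_aslr(sample))
```

In a live PyKd session the per-module bytes would be read from the target (for example with pykd's loadBytes over each module's base and size), which this offline version deliberately does not do.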
WinDbg: print the process list
$$ Walk nt!PsActiveProcessHead and print the name and PID of every _EPROCESS
r? @$t0=(nt!_LIST_ENTRY*)@@(nt!PsActiveProcessHead)
.for (r? @$t1 = @$t0->Flink; (@$t1 != @$t0); r? @$t1 = @$t1->Flink)
{
    $$ recover the _EPROCESS from its embedded ActiveProcessLinks entry
    r? @$t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
    as /x $ProcPid @@(@$t2->UniqueProcessId)
    as /ma $ProcName @@(@$t2->ImageFileName)
    as /x $Temp @$t2
    as /x $Temp2 @@(@$t2->UniqueProcessId)
    $$ .block forces the aliases to be re-expanded on every iteration
    .block { .echo ${$Temp} ${$Temp2} }
    .block { .echo ${$ProcName} with PID ${$ProcPid} }
    ad $ProcName
    ad $ProcPid
    ad $Temp
    ad $Temp2
}
Same script in PyKd
from pykd import *

# the nt module object resolves symbols such as nt.PsActiveProcessHead
nt = module( "nt" )
# typedVarList walks the _LIST_ENTRY chain and yields each containing _EPROCESS
processList = typedVarList( nt.PsActiveProcessHead,
                            "nt!_EPROCESS", "ActiveProcessLinks" )
j = 1
for process in processList:
    dprint( "Process " + str(j) + ": " )
    # ImageFileName is a fixed-size char array; drop the NUL padding
    print "".join( [chr(i) for i in process.ImageFileName if i != 0] )
    j += 1
PyKd contd': listing all namespaces of WebServiceMethod
import pykd

def dump_soapclientmethod():
    # get all SoapClientMethod objects: one address per line
    # (the MethodTable address is specific to the process being debugged)
    soapcliaddrs = pykd.dbgCommand("!dumpheap -mt 0000064283abea38 -short").split("\n")
    print "### found %d soap client addresses" % (len(soapcliaddrs))
    for addr in soapcliaddrs:
        if not addr.strip():
            continue  # skip the blank trailing line of the !dumpheap output
        # dumpobj to get the object's properties
        do = pykd.dbgCommand("!do %(addr)s" % { 'addr': addr })
        # get the line for the 'action' property
        actionline = [line for line in do.split('\n') if 'action' in line]
        if not actionline:
            continue  # object without an action field
        # the line ends with "<address> action" and we want the <address>
        actionaddr = actionline[0].split()[-2]
        # get the string stored at the retrieved <address>
        doaction = pykd.dbgCommand("!do -nofields %(addr)s" % {'addr': actionaddr}).split("\n")
        print "%s -> %s" % (actionaddr, doaction[-2])
• The code above renders an output like:
### found 125 soap client addresses
00000001c1755b48 -> String: http://schemas.microsoft.com/sharepoint/soap/List
00000001e2085640 -> String: http://schemas.microsoft.com/sharepoint/soap/Copy
0000000240fb35c8 -> String: http://schemas.microsoft.com/sharepoint/soap/List
00000002419c4158 -> String: http://schemas.microsoft.com/sharepoint/soap/Copy
...
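Added example, not from the talk: the text scraping the PyKd script above does inline, rewritten as small functions that handle the edge cases (blank lines in the !dumpheap output, a missing action field, a null string reference, field names that merely contain "action"). The SOS output it runs on is constructed sample text in the shape of !dumpheap -short / !do / !do -nofields, not captured from a process, and canned_run stands in for pykd.dbgCommand.

```python
import re

# Constructed sample of "!dumpheap -mt <mt> -short": one object address per
# line, followed by the blank line the real command leaves at the end.
DUMPHEAP_SHORT = "00000001c1755a00\n00000001e2085500\n\n"

# Constructed sample "!do" output for a SoapClientMethod whose action field
# references a string. The second field is constructed so that its name also
# contains the substring "action", the trap a plain 'action' in line walks into.
DO_OBJECT = """Name:        System.Web.Services.Protocols.SoapClientMethod
MethodTable: 0000064283abea38
Size:        96(0x60) bytes
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
0000064280b0e0a8  4000a6d        8        System.String  0 instance 00000001c1755b48 action
0000064280b0e0a8  4000a6e       10        System.String  0 instance 0000000000000000 transactionOptions
"""
# Same object shape, but with a null action reference.
DO_OBJECT_NULL = DO_OBJECT.replace("00000001c1755b48 action", "0000000000000000 action")

# Constructed sample "!do -nofields" output for the referenced string.
DO_STRING = """Name:        System.String
MethodTable: 0000064280b0e0a8
String:      http://schemas.microsoft.com/sharepoint/soap/List
"""

CANNED = {
    "!dumpheap -mt 0000064283abea38 -short": DUMPHEAP_SHORT,
    "!do 00000001c1755a00": DO_OBJECT,
    "!do 00000001e2085500": DO_OBJECT_NULL,
    "!do -nofields 00000001c1755b48": DO_STRING,
}

HEX_ADDR = re.compile(r"^[0-9a-fA-F]{8,16}$")


def canned_run(command):
    """Stand-in for pykd.dbgCommand that answers from the canned output above."""
    return CANNED.get(command, "")


def parse_addresses(dumpheap_short_output):
    """Addresses from "!dumpheap -short", ignoring blank or non-address lines."""
    return [t for t in (line.strip() for line in dumpheap_short_output.splitlines())
            if HEX_ADDR.match(t)]


def field_value(do_output, field):
    """Value column of the named field in "!do" output, or None if absent.

    The whole last token must equal the field name and the token before it
    must be an address, so header lines and look-alike field names are skipped.
    """
    for line in do_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[-1] == field and HEX_ADDR.match(tokens[-2]):
            return tokens[-2]
    return None


def string_value(do_nofields_output):
    """The String: line of "!do -nofields" on a System.String, or None."""
    for line in do_nofields_output.splitlines():
        if line.startswith("String:"):
            return line.split(None, 1)[1].strip()
    return None


def dump_soapclientmethod(run):
    """Same walk as the page's script; `run` executes a debugger command and
    returns its text (pass pykd.dbgCommand in a real session)."""
    results = []
    for addr in parse_addresses(run("!dumpheap -mt 0000064283abea38 -short")):
        action = field_value(run("!do %s" % addr), "action")
        if action is None or int(action, 16) == 0:
            results.append((addr, action, None))  # missing field or null reference
            continue
        results.append((addr, action, string_value(run("!do -nofields %s" % action))))
    return results


if __name__ == "__main__":
    for obj, action, text in dump_soapclientmethod(canned_run):
        print("%s -> %s -> %s" % (obj, action, text))
```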
Q & A

Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 

Ropython-windbg-python-extensions

Debuggers on Windows
• OllyDbg
– x86 only
– x64 under heavy development
– Used for reverse engineering/cracking
– Can be used for malware as well
– Userspace only
Debuggers on Windows
• Interactive Disassembler
– Known as IDA
– Was sold to DataRescue -> IDA Pro
– Orig. author created Hex-Rays
– Hex-Rays took back the development and support of IDA
– Has support for scripting languages (IDARuby and IDAPython) through extensions. In the latest IDA Pro release IDAPython is preinstalled
– Has support for a variety of instruction sets
Debuggers on Windows
WinDbg
– Well written documentation (MSDN)
– Can be used for kernel-memory dumps
– Can be used to debug:
• Userspace
• Drivers
• OS itself!
– x64 support
– Has extensions, loaded as DLLs (the commands that start with !)
Debuggers on Windows
• WinDbg (contd')
– Has the ability to automatically load PDBs
– Has support for multiple scripting languages
• The proprietary one looks a bit awful and has too few commands
• Python, through the kindness of the following:
– PyDbgExt
– PyKd
• Ruby, unstable at the moment:
– https://github.com/bnagy/rBuggery
– Free to use
Python Extensions
• PyDbgExt
– Still alpha
– Has to be recompiled on 8/8.1
– Relies on boost
– Highly unstable
– No documentation
Python Extensions
• PyKd - https://pykd.codeplex.com/
– It has an installer
– It has documentation
– It has samples
– Microsoft acknowledges it
– Used intensively by reverse engineers
– Decently stable
– Highly maintained
Typical example of a WinDbg script
!for_each_module " .if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18) & 0x40)) { r @$t3 = @#End - @#Base; .foreach /s (retn "C2 C3") { .foreach (f {s -[1]b @#Base L@$t3 ${retn}}) { .for(r @$t0 = 1; @$t0 < 4; r @$t0 = @$t0 + 1) { r @$t1 = 0; .foreach (g {.catch {u f - @$t0 L@$t0+1}}) { .if($spat("${g}", "*ret*") != 0) { r @$t1 = 1 } }; .if(@$t1 == 1) { .printf "---------------------- size %x", @$t0; .echo; .catch {u f - @$t0 L@$t0+1} } } } } } "
• The script above is an example of searching loaded Windows modules for a specific weakness
• It is used to find ROP gadgets
• ROP (Return-oriented programming) lets an attacker run code despite non-executable memory and code signing
• The script above works around ASLR (Address Space Layout Randomization) by only looking at modules that are not randomized
• It reads DllCharacteristics from the PE Optional Header and checks for the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) flag
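The same DllCharacteristics check the WinDbg one-liner performs, written as a defender's audit in plain Python: it reads e_lfanew at 0x3c, the optional header 0x18 past the PE signature and DllCharacteristics 0x46 into it (the expression wo(dwo(base+0x3c)+base+46+18) from the script), and reports which exploit mitigations a module was built without. This is an added example, not code from the slides or from PyKd; the flag names and values are the documented PE constants, and build_headers fabricates a minimal header blob so the check can be exercised without a real binary.

```python
import struct
import sys

# DllCharacteristics flag values from the PE specification. The slides name only
# DYNAMIC_BASE (0x0040); the others are the remaining build-time mitigation flags.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

MITIGATION_FLAGS = {
    "DYNAMIC_BASE (ASLR)": IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
    "HIGH_ENTROPY_VA (64-bit ASLR)": IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
    "NX_COMPAT (DEP)": IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
    "GUARD_CF (Control Flow Guard)": IMAGE_DLLCHARACTERISTICS_GUARD_CF,
}


def pe_info(image):
    """Return (is_pe32plus, DllCharacteristics) from the headers of a PE image.

    Same walk as the WinDbg expression wo(dwo(base+0x3c) + base + 0x46 + 0x18):
    e_lfanew lives at 0x3c, the optional header starts 0x18 after the PE
    signature and DllCharacteristics is at 0x46 into it for PE32 and PE32+ alike.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 0x18
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (chars,) = struct.unpack_from("<H", image, opt + 0x46)
    return magic == 0x20B, chars


def dll_characteristics(image):
    return pe_info(image)[1]


def missing_mitigations(image):
    """Names of mitigation flags that are NOT set; HIGH_ENTROPY_VA only matters for PE32+."""
    is_pe32plus, chars = pe_info(image)
    missing = []
    for name, flag in MITIGATION_FLAGS.items():
        if flag == IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA and not is_pe32plus:
            continue
        if not chars & flag:
            missing.append(name)
    return missing


def build_headers(dll_chars, pe32plus=True):
    """Constructed minimal PE header blob for offline testing; not a real binary."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 0x18 + 0xF0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine at +0, SizeOfOptionalHeader at +16
    struct.pack_into("<H", buf, e_lfanew + 4, 0x8664 if pe32plus else 0x14C)
    struct.pack_into("<H", buf, e_lfanew + 4 + 16, 0xF0 if pe32plus else 0xE0)
    opt = e_lfanew + 0x18
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", buf, opt + 0x46, dll_chars)
    return bytes(buf)


def audit_file(path):
    """Read just the headers of a PE file on disk and list its missing mitigations."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read(4096))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print("%s: missing %s" % (path, ", ".join(audit_file(path)) or "nothing"))
```

The point of the audit is the inverse of the slide's script: a module that shows up here with DYNAMIC_BASE missing is one that the gadget search above would happily use, so it is the one to rebuild with /DYNAMICBASE.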
WinDbg print process
r? @$t0 = (nt!_LIST_ENTRY*)@@(nt!PsActiveProcessHead)
.for (r? @$t1 = @$t0->Flink; (@$t1 != @$t0); r? @$t1 = @$t1->Flink)
{
    r? @$t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
    as /x $ProcPid @@(@$t2->UniqueProcessId)
    as /ma $ProcName @@(@$t2->ImageFileName)
    as /x $Temp @$t2
    as /x $Temp2 @@(@$t2->UniqueProcessId)
    .block { .echo ${$Temp} ${$Temp2} }
    .block { .echo ${$ProcName} with PID ${$ProcPid} }
    ad $ProcName
    ad $ProcPid
    ad $Temp
    ad $Temp2
}
Same script in PyKd
from pykd import *

nt = module("nt")
# Walk nt!PsActiveProcessHead the way the .for loop above does;
# typedVarList applies CONTAINING_RECORD for every ActiveProcessLinks entry
processList = typedVarList(nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks")
j = 1
for process in processList:
    dprint("Process " + str(j) + ": ")
    # ImageFileName is a NUL-padded char[15]; drop the padding bytes
    print("".join([chr(i) for i in process.ImageFileName if i != 0]))
    j += 1
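What typedVarList and the .for loop above actually do, as an added example that is not part of the slides or of PyKd: walk a circular LIST_ENTRY list from its head, apply CONTAINING_RECORD by subtracting the field offset, and read PID and image name out of each record. The structure offsets and the FakeMemory class are constructed for this example only; real nt!_EPROCESS offsets differ per build and come from symbols, which is precisely what typedVarList hides. Unlike the debugger script, the walk refuses to follow a corrupted list (a Flink cycle or a Blink that does not point back), which is what you want when the dump you are reading is not trustworthy.

```python
import struct

# Constructed layout for this example only (assumed, NOT real nt!_EPROCESS offsets).
EPROCESS_SIZE = 0x60
OFF_UNIQUE_PROCESS_ID = 0x18
OFF_ACTIVE_PROCESS_LINKS = 0x20   # LIST_ENTRY { Flink, Blink } lives here
OFF_IMAGE_FILE_NAME = 0x40        # char[15], NUL padded
IMAGE_FILE_NAME_LEN = 15
POINTER_SIZE = 8


class FakeMemory:
    """Flat little-endian x64 target memory starting at a base address (constructed)."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def _off(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise MemoryError("unmapped address 0x%x" % addr)
        return off

    def read_ptr(self, addr):
        return struct.unpack_from("<Q", self.buf, self._off(addr, POINTER_SIZE))[0]

    def write_ptr(self, addr, value):
        struct.pack_into("<Q", self.buf, self._off(addr, POINTER_SIZE), value)

    def read_bytes(self, addr, n):
        off = self._off(addr, n)
        return bytes(self.buf[off:off + n])

    def write_bytes(self, addr, data):
        off = self._off(addr, len(data))
        self.buf[off:off + len(data)] = data


def containing_record(field_addr, field_off):
    """CONTAINING_RECORD: address of the field minus its offset in the record."""
    return field_addr - field_off


def walk_list(mem, head, max_entries=1 << 20):
    """Yield every LIST_ENTRY address in the circular list at head; stop on corruption."""
    seen = {head}
    prev, cur = head, mem.read_ptr(head)            # head.Flink
    while cur != head:
        if cur in seen:
            raise RuntimeError("Flink cycle at 0x%x" % cur)
        if mem.read_ptr(cur + POINTER_SIZE) != prev:  # cur.Blink must point back
            raise RuntimeError("Blink of 0x%x does not point to 0x%x" % (cur, prev))
        if len(seen) >= max_entries:
            raise RuntimeError("list longer than %d entries" % max_entries)
        seen.add(cur)
        yield cur
        prev, cur = cur, mem.read_ptr(cur)


def list_processes(mem, head):
    """Equivalent of the slide's loop: [(pid, image name), ...] in list order."""
    procs = []
    for entry in walk_list(mem, head):
        eproc = containing_record(entry, OFF_ACTIVE_PROCESS_LINKS)
        pid = mem.read_ptr(eproc + OFF_UNIQUE_PROCESS_ID)
        raw = mem.read_bytes(eproc + OFF_IMAGE_FILE_NAME, IMAGE_FILE_NAME_LEN)
        procs.append((pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
    return procs


def is_corrupted(mem, head):
    try:
        for _ in walk_list(mem, head):
            pass
        return False
    except RuntimeError:
        return True


def build_sample(mem, head, procs):
    """Lay out the list head plus one fake EPROCESS per (pid, name), linked circularly."""
    addrs = [head + 0x100 + i * EPROCESS_SIZE for i in range(len(procs))]
    links = [head] + [a + OFF_ACTIVE_PROCESS_LINKS for a in addrs]
    for i, link in enumerate(links):
        mem.write_ptr(link, links[(i + 1) % len(links)])      # Flink
        mem.write_ptr(link + POINTER_SIZE, links[i - 1])       # Blink
    for a, (pid, name) in zip(addrs, procs):
        mem.write_ptr(a + OFF_UNIQUE_PROCESS_ID, pid)
        padded = name.encode("ascii")[:IMAGE_FILE_NAME_LEN].ljust(IMAGE_FILE_NAME_LEN, b"\0")
        mem.write_bytes(a + OFF_IMAGE_FILE_NAME, padded)
    return addrs


def sample_memory():
    """Constructed three-process list; returns (memory, head address, EPROCESS addresses)."""
    head = 0xFFFFF80012340000
    mem = FakeMemory(head, 0x1000)
    addrs = build_sample(mem, head, [(4, "System"), (0x1A8, "smss.exe"), (0x2F0, "csrss.exe")])
    return mem, head, addrs


if __name__ == "__main__":
    mem, head, _ = sample_memory()
    for j, (pid, name) in enumerate(list_processes(mem, head), 1):
        print("Process %d: %s with PID 0x%x" % (j, name, pid))
```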
PyKd (contd')
Listing all Namespaces of WebServiceMethod
import pykd

def dump_soapclientmethod():
    # get all SoapClientMethod's (the MethodTable address comes from the debugged process)
    soapcliaddrs = pykd.dbgCommand("!dumpheap -mt 0000064283abea38 -short").split("\n")
    soapcliaddrs = [a.strip() for a in soapcliaddrs if a.strip()]
    print("### found %d soap client addresses" % len(soapcliaddrs))
    for addr in soapcliaddrs:
        # dumpobj to get object properties
        do = pykd.dbgCommand("!do %(addr)s" % {'addr': addr})
        # get the line for 'action' property
        actionline = [line for line in do.split('\n') if 'action' in line]
        if not actionline:
            continue
        # line ends with "<address> action" and we want the <address>
        actionaddr = actionline[0].split()[-2]
        # get the string in the retrieved <address>
        doaction = pykd.dbgCommand("!do -nofields %(addr)s" % {'addr': actionaddr}).split("\n")
        print("%s -> %s" % (actionaddr, doaction[-2]))

dump_soapclientmethod()
• the code above renders an output like:
### found 125 soap client addresses
00000001c1755b48 -> String: http://schemas.microsoft.com/sharepoint/soap/List
00000001e2085640 -> String: http://schemas.microsoft.com/sharepoint/soap/Copy
0000000240fb35c8 -> String: http://schemas.microsoft.com/sharepoint/soap/List
00000002419c4158 -> String: http://schemas.microsoft.com/sharepoint/soap/Copy
...
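The script on the previous slide scrapes !dumpheap and !do text and trusts split()[-2] and the second-to-last line. An added example, not from the slides or from PyKd, that does the same job with small parsers for the two output shapes and takes the command runner as a parameter, so it can be run against pykd.dbgCommand inside WinDbg or against canned output outside it. SAMPLE_OUTPUT is constructed to resemble SOS output (the exact column layout is an assumption); the MethodTable value is the one from the slide, and a null action reference is included to show the case the original would have mishandled.

```python
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]{8,16}$")

# Constructed SOS-style replies, keyed by the exact command string (assumed format).
SAMPLE_OUTPUT = {
    "!dumpheap -mt 0000064283abea38 -short":
        "00000001c1755b48\n00000001e2085640\n00000002419c4158\n",
    "!do 00000001c1755b48":
        "Name:        System.Web.Services.Protocols.SoapClientMethod\n"
        "MethodTable: 0000064283abea38\n"
        "Size:        120(0x78) bytes\n"
        "Fields:\n"
        "              MT    Field   Offset                 Type VT     Attr            Value Name\n"
        "00000642788b1d58  4000123        8        System.String  0 instance 00000001c1755c00 action\n"
        "00000642788b1d58  4000124       10        System.String  0 instance 00000001c1755d10 requestNamespace\n",
    "!do 00000001e2085640":
        "Name:        System.Web.Services.Protocols.SoapClientMethod\n"
        "MethodTable: 0000064283abea38\n"
        "Fields:\n"
        "              MT    Field   Offset                 Type VT     Attr            Value Name\n"
        "00000642788b1d58  4000123        8        System.String  0 instance 00000001e2085700 action\n",
    "!do 00000002419c4158":
        "Name:        System.Web.Services.Protocols.SoapClientMethod\n"
        "MethodTable: 0000064283abea38\n"
        "Fields:\n"
        "              MT    Field   Offset                 Type VT     Attr            Value Name\n"
        "00000642788b1d58  4000123        8        System.String  0 instance 0000000000000000 action\n",
    "!do -nofields 00000001c1755c00":
        "Name:        System.String\n"
        "MethodTable: 00000642788b1d58\n"
        "String:      http://schemas.microsoft.com/sharepoint/soap/List\n",
    "!do -nofields 00000001e2085700":
        "Name:        System.String\n"
        "MethodTable: 00000642788b1d58\n"
        "String:      http://schemas.microsoft.com/sharepoint/soap/Copy\n",
}


def fake_dbg_command(cmd):
    """Stand-in for pykd.dbgCommand that replays the constructed output."""
    return SAMPLE_OUTPUT.get(cmd, "")


def parse_do_fields(text):
    """Map field name -> Value column from the Fields table of a !do dump."""
    fields, in_table = {}, False
    for line in text.splitlines():
        tokens = line.split()
        if tokens[-2:] == ["Value", "Name"]:     # column header starts the table
            in_table = True
            continue
        if in_table and len(tokens) >= 7 and HEX_RE.match(tokens[-2]):
            fields[tokens[-1]] = tokens[-2]
    return fields


def parse_do_string(text):
    """Return the String: payload of a !do -nofields dump of a System.String, or None."""
    for line in text.splitlines():
        if line.startswith("String:"):
            return line[len("String:"):].strip()
    return None


def dump_soapclientmethod(run_cmd, method_table):
    """[(object address, action URL or None), ...] for every object of method_table."""
    out = run_cmd("!dumpheap -mt %s -short" % method_table)
    addrs = [a.strip() for a in out.splitlines() if HEX_RE.match(a.strip())]
    results = []
    for addr in addrs:
        action_addr = parse_do_fields(run_cmd("!do %s" % addr)).get("action")
        if action_addr is None or int(action_addr, 16) == 0:
            results.append((addr, None))          # missing field or null reference
            continue
        results.append((addr, parse_do_string(run_cmd("!do -nofields %s" % action_addr))))
    return results


if __name__ == "__main__":
    # Inside WinDbg: pass pykd.dbgCommand instead of fake_dbg_command.
    for addr, action in dump_soapclientmethod(fake_dbg_command, "0000064283abea38"):
        print("%s -> %s" % (addr, action))
```

Passing the command runner in is the cheap way to unit-test PyKd scripts on a machine without a target: the parsing, which is where these scripts usually break when an SOS version changes its columns, runs under plain Python.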
Q & A