Book: Gray Hat Python
I’ve just finished reading this book written by Justin Seitz of Immunity Inc. Here is my review.
Title: Gray Hat Python: Python Programming for Hackers and Reverse Engineers
Author: Justin Seitz
I have to admit that Dave Aitel’s foreword is not that good. It is just stressful, or at least it was to me. After reading it I thought that the book would suck, but I was wrong. It is really well-written and has a nice structure which is common among No Starch Press books, that is, more code, less talk. Initially, I was thinking that it would only be useful to Python programmers; however, anything discussed in it can easily be transferred to any language. For example, during the detailed analysis of building a Windows debugger using Python, the author uses library routines provided by the Windows API and explains them pretty well. Clearly, you can use this knowledge to code a similar debugger in any programming language you like. However, if you’re not interested in Windows then don’t buy it. At least 90% of its content is Windows specific. In my opinion, the free-to-download chapters 2 and 4 do not represent the book really well, since both are really basic in comparison to the other chapters. After developing a complete Windows debugger there are some more interesting chapters that include concepts such as code injection, hooking, fuzzing, etc. The last chapter is also really cool, since it is a detailed tutorial on writing plug-ins for IDA Pro. He does all this using Python, but as I already said, you can easily transfer this knowledge to any other language.
I really liked that book but this is probably because I’m not that much into Windows. If you already know how to code your own debugger using Windows API routines, perform DLL injection, write fuzzers from simple to kernel level ones etc., then you don’t need this book. On the other hand, if you’re interested in Windows and you don’t know any of these then this is a great resource.
I found just one mistake, but I believe (judging from the rest of the book) that the author knows this, and for some reason I’m not aware of he wrote the following:
“One extra register that should be mentioned is the EIP register. This register points to the current instruction that is being executed.“
from chapter 2, section “2.1 General-Purpose CPU Registers”, page 16.
Of course, this is wrong according to Intel. Here is a snippet from Intel manual vol.1, section “3.5 Instruction Pointer”, page 3-24:
“The instruction pointer (EIP) register contains the offset in the current code segment for the next instruction to be executed.“
This is already known, but for clarity I gave the snippet from Intel’s official documentation, which states that EIP points to the instruction to be executed next and not to the one that is currently being executed.
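The distinction is not just pedantry: x86 relative branches (jmp/call rel8/rel32) encode their displacement relative to the address of the next instruction, and call pushes that same next-instruction address as the return address. Anyone patching a JMP hook or hand-assembling shellcode has to compute displacements with exactly that rule. The following is an added example, written for this review and not taken from the book or from Immunity's code: a tiny Python model of a handful of x86 opcodes that advances EIP past the instruction before applying its effect, plus a helper that computes rel32 displacements the same way. The load address 0x401000 and the code image it executes are constructed for the demonstration.

```python
import struct

BASE = 0x401000  # assumed load address for the constructed code image below


def rel32(insn_addr, target, insn_len=5):
    """Displacement field for a relative branch located at insn_addr.

    x86 adds the displacement to the address of the *next* instruction,
    which is exactly what EIP holds while the branch executes (Intel SDM
    vol. 1, section 3.5). insn_len defaults to 5 (E8/E9 opcode + imm32).
    """
    return target - (insn_addr + insn_len)


def encode_call_rel32(insn_addr, target):
    return b"\xe8" + struct.pack("<i", rel32(insn_addr, target))


def encode_jmp_rel32(insn_addr, target):
    return b"\xe9" + struct.pack("<i", rel32(insn_addr, target))


def step(mem, base, eip, stack):
    """Execute one instruction from a tiny x86 subset; return the next EIP,
    or None on hlt. EIP is advanced past the current instruction *before*
    its effect is applied, so displacements are added to next_eip and
    call pushes next_eip as the return address.
    """
    off = eip - base
    op = mem[off]
    if op == 0x90:                                   # nop
        return eip + 1
    if op == 0xF4:                                   # hlt: stop the toy CPU
        return None
    if op == 0xEB:                                   # jmp short rel8
        disp = struct.unpack_from("<b", mem, off + 1)[0]
        next_eip = eip + 2
        return next_eip + disp
    if op == 0xE9:                                   # jmp rel32
        disp = struct.unpack_from("<i", mem, off + 1)[0]
        next_eip = eip + 5
        return next_eip + disp
    if op == 0xE8:                                   # call rel32
        disp = struct.unpack_from("<i", mem, off + 1)[0]
        next_eip = eip + 5
        stack.append(next_eip)   # return address = the instruction after the call
        return next_eip + disp
    if op == 0xC3:                                   # ret
        return stack.pop()
    raise ValueError(f"unsupported opcode {op:#04x} at {eip:#x}")


def run(mem, base, entry, max_steps=64):
    """Return the list of EIP values at which instructions were executed."""
    trace, stack, eip = [], [], entry
    while eip is not None and len(trace) < max_steps:
        trace.append(eip)
        eip = step(mem, base, eip, stack)
    return trace


def build_demo():
    """Constructed 17-byte code image (not from the book):
        401000  call 0x401010
        401005  nop
        401006  jmp short 0x40100A
        401008  nop ; nop            (skipped by the jmp)
        40100A  hlt
        40100B  nop x5               (padding)
        401010  ret
    """
    code = encode_call_rel32(BASE + 0x0, BASE + 0x10)      # e8 0b 00 00 00
    code += b"\x90"
    code += b"\xeb" + struct.pack("<b", rel32(BASE + 0x6, BASE + 0xA, insn_len=2))
    code += b"\x90\x90"
    code += b"\xf4"
    code += b"\x90" * 5
    code += b"\xc3"
    return code


if __name__ == "__main__":
    for addr in run(build_demo(), BASE, BASE):
        print(f"{addr:#x}")
```

The trace comes out as 0x401000, 0x401010, 0x401005, 0x401006, 0x40100a: the call lands on the ret at 0x401010 only because its displacement (0xB) was measured from 0x401005, and ret comes back to 0x401005 because that is what the call pushed. Had EIP really held the address of the instruction being executed, the call would have pushed 0x401000 and the program would loop on the call forever.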