xorl %eax, %eax

Book: Gray Hat Python

with 4 comments

I’ve just finished reading this book written by Justin Seitz of Immunity Inc. Here is my review.

ghpython

Title: Gray Hat Python: Python Pogramming for Hackers and Reverse Engineers

Author: Justin Seitz

I have to admit that Dave Aitel’s foreword is not that good. It is just stressful, or at least it was to me. After reading it I thought that the book will suck but I was wrong. It is really well-written and has a nice structure which is common among no starch press books, that is, more code less talk. Initially, I was thinking that it would be only useful to Python programmers, however, anything discussed in it can be easily transfered to any language. For example, during the detailed analysis of building a Windows debugger using Python, the author uses library routines provided by the Windows API and explains them pretty well. Clearly, you can use this knowledge to code a similar debugger in any programming language you like. Although, if you’re not interested in Windows then don’t buy it. At least 90% of its content is Windows specific. In my opinion, the free for download chapters 2 and 4 do not represent the book really well since both are really basic in comparison to other chapters. After developing a complete Windows debugger there are some more interesting chapters that include concepts such as code injection, hooking, fuzzing etc. The last chapter is also really cool since it is a detailed tutorial on writing plug-ins for IDA Pro. He’s doing all these using Python but as I already said you can easily transfer this knowledge to any other language.

I really liked that book but this is probably because I’m not that much into Windows. If you already know how to code your own debugger using Windows API routines, perform DLL injection, write fuzzers from simple to kernel level ones etc., then you don’t need this book. On the other hand, if you’re interested in Windows and you don’t know any of these then this is a great resource.

ERRATA:

I found just one but I believe (from the rest of the book) the author knows this and for some reason that I’m not aware of he wrote the following:

One extra register that should be mentioned is the EIP register. This register points to the current instruction that is being executed.

from chapter 2, section “2.1General-Purpose CPU Registers”, page 16.

Of course, this is wrong according to Intel. Here is a snippet from Intel manual vol.1, section “3.5 Instruction Pointer”, page 3-24:

The instruction pointer (EIP) register contains the offset in the current code segment for the next instruction to be executed.

This is already known but for clarity I gave the snippet from the official Intel’s documentation which states that EIP points to the instruction to be executed and not the one that is currently being executed.

Written by xorl

June 17, 2009 at 22:01

Posted in books

4 Responses

Subscribe to comments with RSS.

  1. Saw this book at borders today and I’m considering picking it up because from the quick glance I had of it I liked what I saw.

    HackTalk

    September 9, 2009 at 21:56

  2. adding to xorl’s errata .
    I have this book and its a great book ; with minor typos and code mistakes. and ones mentioned by xorl

    page 74
    imm.log(“[*]Found: %s (0x%08x)” %(search_code,hit), address =hit)

    to be changed to
    imm.Log(“[*]Found: %s (0x%08x)” %(search_code,hit), address = hit)

    so you dont get BADF00D in the log window address area

    reference :
    http://debugger.immunityinc.com/update/Documentation/ref/Libs.immlib.Debugger-class.html#log

    and page 76 lines 20 and 22

    [20]
    imm.log(“Shellcode Length : %d” % length)
    to be
    imm.log(“Shellcode Length : %d” % shellcode_length)

    [22]

    imm.log(“Attack Shellcode: %s” % canvas_shellcode[:512])
    exception NameError
    global name ‘canvas_shellcode’ is not defined
    ???

    Awesome blog xorl

    M3h

    December 19, 2009 at 18:33

  3. I ordered this book and have had it for about a week now. Great book. Its thought me allot, not only for coding, but for how windows handles processes and stack evaluation. I recommend this to everyone who wants to increase there skills and understandings.

    K.B. Carte

    January 25, 2010 at 01:29

  4. First, let me say I absolutely love this book.

    I’m working through some of the examples in Chapter 10, “Fuzzing Windows Drivers” and have run into a troublesome problem when running ioctl_dump.py. I get a “TypeError: log() encountered an unexpected keyword argument ‘address'”.

    The complete error message is:

    Traceback (most recent call last)”
    \ioctl_dump.py, line 15 in main ioctl_list = driver.getIOCTLCodes()
    \dirverlib.py, line 50 in getIOCTLCodes self.getIOCTLDispatch()
    \driverlib.py line 247 in getIOCTLDispatch self.imm.log(“Dispatch address: 0x%08x” % self.IOCTLDispatchFunctionAddress, address = self.IOCTLDispatchFunctionAddress)
    TypeError: log() got an unexpected keyword argument ‘address’
    Any help or insight would be most appreciated. Fyi, I’ve been able to get some other examples from this excellent book working, it’s just this one that’s giving me some difficulty.
    Thanks.

    D.Bailey

    November 21, 2010 at 20:28


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s