PyDbg

PyDbg is a Python library written by Pedram Amini. It is very popular in the reverse-engineering world because it makes a reverse engineer's job much easier: a high-level language like Python can be used to interact with low-level things such as processes, threads, exception handlers, and so on. This post focuses on installing PyDbg on Windows.

I assume Python is already installed on Windows. To keep things simple, the Python I am using is Python 2.5, the one bundled with Immunity Debugger. Install Immunity Debugger and it will install Python 2.5 automatically.

Once Python is installed (with the defaults it lands in c:\Python25\), install epydoc. Epydoc will later be used to generate the PyDbg API documentation.

PyDbg is part of PaiMei, so download it from the official PaiMei site. I checked it out from SVN, which lets us customize the build and produce a Windows installer ourselves.


$ svn checkout http://paimei.googlecode.com/svn/trunk/ paimei
A paimei/__build_installer.bat
A paimei/pgraph
A paimei/pgraph/__init__.py
A paimei/pgraph/graph.py
A paimei/pgraph/cluster.py
A paimei/pgraph/edge.py
A paimei/pgraph/node.py
A paimei/pydbg_server.py
A paimei/heap_trace.py
A paimei/__public_release.sh
A paimei/docs
A paimei/docs/stylesheet.css
A paimei/docs/developer_docs.html
A paimei/docs/PAIMEIdiff User Guide.pdf
A paimei/docs/installation.html
A paimei/docs/PAIMEIwxglade.wxg
A paimei/docs/images
A paimei/docs/images/erd.gif
A paimei/docs/authors_and_contributors.html
A paimei/docs/Listbook Graphic Templates.psd
A paimei/docs/scripts.html
A paimei/docs/index.html
A paimei/docs/PAIMEIpstalker_flash_demo
A paimei/docs/PAIMEIpstalker_flash_demo/index.html
A paimei/docs/PAIMEIpstalker_flash_demo/PaiMei Code Coverage Demo.swf
A paimei/docs/console_modules.html
A paimei/docs/SQL Structure.txt
A paimei/pida_dump.py
A paimei/__install_requirements.py
A paimei/proc_peek.py
A paimei/pydbgc.py
A paimei/crash_bin_explorer.py
A paimei/stack_integrity_monitor.py
A paimei/file_fuzz_tickler.py
A paimei/file_access_tracker.py
A paimei/AUTHORS.txt
A paimei/CHANGELOG.txt
A paimei/struct_spy.py
A paimei/null_selector_mem_monitor_poc.py
A paimei/demo_live_graphing.py
A paimei/__setup_mysql.py
A paimei/CONTRIBUTORS.txt
A paimei/pida
A paimei/pida/basic_block.py
A paimei/pida/defines.py
A paimei/pida/__init__.py
A paimei/pida/instruction.py
A paimei/pida/function.py
A paimei/pida/module.py
A paimei/installers
A paimei/logos
A paimei/logos/paimei-1.jpg
A paimei/logos/installer_banner.jpg
A paimei/logos/paimei-2.jpg
A paimei/logos/paimei-1-cutout.jpg
A paimei/logos/paimei-2-cutout.jpg
A paimei/logos/paimei-3.jpg
A paimei/logos/paimei-4.jpg
A paimei/logos/paimei-6.jpg
A paimei/logos/paimei-7.jpg
A paimei/logos/installer.bmp
A paimei/logos/paimei-5.gif
A paimei/__generate_epydocs.bat
A paimei/proc_peek_recon.py
A paimei/just_in_time_debugger.py
A paimei/setup.py
A paimei/proc_peek_recon_db.py
A paimei/MacOSX
A paimei/MacOSX/macsetup.sh
A paimei/MacOSX/macdll
A paimei/MacOSX/macdll/Exception.c
A paimei/MacOSX/macdll/windows.h
A paimei/MacOSX/macdll/dyld.h
A paimei/MacOSX/macdll/MacDll.h
A paimei/MacOSX/macdll/Exception.h
A paimei/MacOSX/macdll/main.c
A paimei/MacOSX/macdll/implementation.c
A paimei/MacOSX/macdll/macdll.xcodeproj
A paimei/MacOSX/macdll/macdll.xcodeproj/project.pbxproj
A paimei/MacOSX/macdll/MacX.c
A paimei/MacOSX/macdll/MachExceptions.defs
A paimei/MacOSX/macdll/._ExceptionTest
A paimei/MacOSX/macdll/implementation.h
A paimei/MacOSX/macdll/MacDll.c
A paimei/MacOSX/macdll/README
A paimei/MacOSX/macdll/dyld.c
A paimei/MacOSX/README
A paimei/mem_diff.py
A paimei/utils
A paimei/utils/udraw_connector.py
A paimei/utils/hooking.py
A paimei/utils/__init__.py
A paimei/utils/injection.py
A paimei/utils/process_stalker.py
A paimei/utils/crash_binning.py
A paimei/utils/code_coverage.py
A paimei/deprecated
A paimei/deprecated/fuzzie.py
A paimei/deprecated/__README__.txt
A paimei/deprecated/codenomicrap.py
A paimei/LICENSE.txt
A paimei/debuggee_procedure_call.py
A paimei/console
A paimei/console/images
A paimei/console/images/udraw.bmp
A paimei/console/images/mysql.bmp
A paimei/console/images/pydbg.bmp
A paimei/console/images/about.bmp
A paimei/console/images/ida.bmp
A paimei/console/images/icons
A paimei/console/images/icons/PAIMEIdiff.png
A paimei/console/images/icons/PAIMEIdocs.png
A paimei/console/images/icons/PAIMEIextender.png
A paimei/console/images/icons/PAIMEIfilefuzz.png
A paimei/console/images/icons/PAIMEIexplorer.png
A paimei/console/images/icons/PAIMEIpeek.png
A paimei/console/images/icons/PAIMEIpstalker.png
A paimei/console/images/paimei.ico
A paimei/console/images/splash.png
A paimei/console/PAIMEIconsole.pyw
A paimei/console/modules
A paimei/console/modules/PAIMEIpeek.py
A paimei/console/modules/PAIMEIpstalker.py
A paimei/console/modules/_PAIMEIfilefuzz
A paimei/console/modules/_PAIMEIexplorer
A paimei/console/modules/_PAIMEIexplorer/HtmlWindow.py
A paimei/console/modules/_PAIMEIexplorer/__init__.py
A paimei/console/modules/_PAIMEIexplorer/ExplorerTreeCtrl.py
A paimei/console/modules/_PAIMEIexplorer/PIDAModulesListCtrl.py
A paimei/console/modules/PAIMEIdocs.py
A paimei/console/modules/PAIMEIdiff.py
A paimei/console/modules/_PAIMEIpeek
A paimei/console/modules/_PAIMEIpeek/PyDbgDlg.py
A paimei/console/modules/_PAIMEIpeek/__init__.py
A paimei/console/modules/_PAIMEIpeek/ProcessListCtrl.py
A paimei/console/modules/_PAIMEIpeek/EditReconDlg.py
A paimei/console/modules/_PAIMEIpeek/AddReconDlg.py
A paimei/console/modules/_PAIMEIpeek/ReconListCtrl.py
A paimei/console/modules/_PAIMEIpeek/PeekOptionsDlg.py
A paimei/console/modules/_PAIMEIpstalker
A paimei/console/modules/_PAIMEIpstalker/HitsListCtrl.py
A paimei/console/modules/_PAIMEIpstalker/TargetsTreeCtrl.py
A paimei/console/modules/_PAIMEIpstalker/__init__.py
A paimei/console/modules/_PAIMEIpstalker/ProcessListCtrl.py
A paimei/console/modules/_PAIMEIpstalker/export_idc_dialog.py
A paimei/console/modules/_PAIMEIpstalker/target_properties.py
A paimei/console/modules/_PAIMEIpstalker/PIDAModulesListCtrl.py
A paimei/console/modules/PAIMEIfilefuzz.py
A paimei/console/modules/PAIMEIextender.py
A paimei/console/modules/PAIMEIexplorer.py
A paimei/console/modules/_PAIMEIdiff
A paimei/console/modules/_PAIMEIdiff/UnmatchedListCtrl.py
A paimei/console/modules/_PAIMEIdiff/PAIMEIDiffReport.py
A paimei/console/modules/_PAIMEIdiff/ModuleMatcher.py
A paimei/console/modules/_PAIMEIdiff/FunctionViewDiffListCtrl.py
A paimei/console/modules/_PAIMEIdiff/PAIMEIDiffInstruction.py
A paimei/console/modules/_PAIMEIdiff/__init__.py
A paimei/console/modules/_PAIMEIdiff/FunctionViewListCtrl.py
A paimei/console/modules/_PAIMEIdiff/MatchedList.py
A paimei/console/modules/_PAIMEIdiff/DiffConfigureDlg.py
A paimei/console/modules/_PAIMEIdiff/InsignificantConfigDlg.py
A paimei/console/modules/_PAIMEIdiff/PAIMEIDiffFunction.py
A paimei/console/modules/_PAIMEIdiff/UnmatchedList.py
A paimei/console/modules/_PAIMEIdiff/ExplorerTreeCtrl.py
A paimei/console/modules/_PAIMEIdiff/ModuleDiffer.py
A paimei/console/modules/_PAIMEIdiff/InsigList.py
A paimei/console/modules/_PAIMEIdiff/FunctionViewDlg.py
A paimei/console/modules/_PAIMEIdiff/PAIMEIDiffBasicBlock.py
A paimei/console/modules/_PAIMEIdiff/DiffModules
A paimei/console/modules/_PAIMEIdiff/DiffModules/api.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/size.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/smart_md5.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/constants.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/defines.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/neci.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/stack_frame.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/name.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/arg_var.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/spp.py
A paimei/console/modules/_PAIMEIdiff/DiffModules/crc.py
A paimei/console/modules/_PAIMEIdiff/FunctionViewStatsListCtrl.py
A paimei/console/modules/_PAIMEIdiff/MatchedListCtrl.py
A paimei/console/modules/_PAIMEIdiff/FunctionViewDifferDlg.py
A paimei/console/malware.dcfg
A paimei/console/msdiff.dcfg
A paimei/console/support
A paimei/console/support/about.py
A paimei/console/support/udraw_connect_dialog.py
A paimei/console/support/mysql_connect_dialog.py
A paimei/console/support/pydbg_locale_dialog.py
A paimei/pida_load.py
A paimei/tracer_single_step.py
A paimei/tracer_msr_branch.py
A paimei/pydbg
A paimei/pydbg/memory_snapshot_context.py
A paimei/pydbg/hardware_breakpoint.py
A paimei/pydbg/pdx.py
A paimei/pydbg/my_ctypes.py
A paimei/pydbg/defines.py
A paimei/pydbg/breakpoint.py
A paimei/pydbg/__init__.py
A paimei/pydbg/system_dll.py
A paimei/pydbg/windows_h.py
A paimei/pydbg/memory_snapshot_block.py
A paimei/pydbg/pydasm.pyd
A paimei/pydbg/pydbg_client.py
A paimei/pydbg/pydbg.py
A paimei/pydbg/memory_breakpoint.py
A paimei/ollydbg_connector
A paimei/ollydbg_connector/paimei_ollydbg_connector.suo
A paimei/ollydbg_connector/stdafx.h
A paimei/ollydbg_connector/paimei_ollydbg_connector.h
A paimei/ollydbg_connector/Release
A paimei/ollydbg_connector/Release/paimei_ollydbg_connector.dll
A paimei/ollydbg_connector/ollydbgvc7.lib
A paimei/ollydbg_connector/plugin.h
A paimei/ollydbg_connector/olly_callbacks.h
A paimei/ollydbg_connector/paimei_ollydbg_connector.sln
A paimei/ollydbg_connector/olly_redefines.h
A paimei/ollydbg_connector/ollydbgvc7.def
A paimei/ollydbg_connector/stdafx.cpp
A paimei/ollydbg_connector/paimei_ollydbg_connector.cpp
A paimei/ollydbg_connector/ReadMe.txt
A paimei/ollydbg_connector/paimei_ollydbg_connector.vcproj
A paimei/ollydbg_receiver.py
A paimei/README.txt
A paimei/push_pop_unpacker.py
A paimei/var_backtrace.py
Checked out revision 248.

The SVN tree contains __build_installer.bat, which generates the installer used to install PaiMei on Windows. Open __build_installer.bat and set the path to your python.exe. In my case it had to be changed to:


c:\python25\python.exe setup.py bdist_wininst --bitmap=logos\installer.bmp --title=PaiMei

Then run __build_installer.bat. When it finishes without errors there will be a dist/ folder containing the PaiMei installer. Run that installer.

Once that is done, generate the API docs for PaiMei and the libraries it contains, including PyDbg, with __generate_epydocs.bat. The script creates a docs folder holding the generated API documentation.

With everything in place we can test PyDbg. Create a simple script named pydbg1.py:


from pydbg import *
from pydbg.defines import *

processes = []
dbg = pydbg()

# enumerate_processes() returns a list of (pid, process name) tuples
for (pid, pname) in dbg.enumerate_processes():
    processes.append([pid, pname])

print "PID Process Name"
print "--- ----------------"
for item in processes:
    print "%s %s" % (item[0], item[1])

This script prints every process running on Windows at that moment together with its PID (process ID). It shows that with PyDbg we can talk to Windows internals with only a few lines of code.


C:\Documents and Settings\mrs\infosec-id\pydbg>python.exe pydbg1.py
PID Process Name
--- ----------------
0 [System Process]
4 System
564 smss.exe
628 csrss.exe
652 winlogon.exe
696 services.exe
708 lsass.exe
868 vmacthlp.exe
884 svchost.exe
960 svchost.exe
1056 svchost.exe
1100 svchost.exe
1168 svchost.exe
1392 spoolsv.exe
1536 svchost.exe
1600 jqs.exe
1680 vmtoolsd.exe
1788 VMUpgradeHelper.exe
844 alg.exe
536 explorer.exe
1164 wscntfy.exe
1580 VMwareTray.exe
1644 VMwareUser.exe
832 jusched.exe
1700 Updater.exe
388 daemon.exe
1992 wuauclt.exe
2140 svchost.exe
3772 notepad++.exe
3424 CesarFTP.exe
3536 Server.exe
2148 Adobe_Updater.exe
552 firefox.exe
1156 cmd.exe
3932 notepad++.exe
1836 cmd.exe
2968 cmd.exe
3988 python.exe

To see which methods PyDbg provides, consult the API documentation generated with epydoc; for instance, look up the enumerate_processes() method used above.

Feel free to experiment with the other methods PyDbg provides :).
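The script above only lists processes. As an added example that is not part of the original post or of PaiMei, the script below takes the next step a reverse engineer usually wants: it uses the same enumerate_processes() call to find a process by name, attaches to it, puts a breakpoint on kernel32!CreateFileW to log every file the process opens (the first stack argument, lpFileName, read with get_arg(1)), and dumps the register context if the process hits an access violation. The target name notepad.exe and the hooked function are my own choices; the fallback values for DBG_CONTINUE and EXCEPTION_ACCESS_VIOLATION are only there so the helper functions import on a machine without PyDbg. Run it with the same Python 2.5 as the rest of the post.

```python
# Added example (not from the original post or PaiMei): attach PyDbg to a
# running process found by name, hook kernel32!CreateFileW and log each file
# name the process opens, and dump the register context if it crashes.
#
# Assumptions: the target name "notepad.exe" and the kernel32!CreateFileW hook
# are illustrative choices. PyDbg only imports on Windows, so the pure helpers
# fall back to the Win32 constant values and still import elsewhere.
try:
    from pydbg import pydbg
    from pydbg.defines import DBG_CONTINUE, EXCEPTION_ACCESS_VIOLATION
except ImportError:
    # Same values as pydbg/defines.py (the Win32 constants), so the helpers
    # below can be imported and unit-tested on a machine without PyDbg.
    pydbg = None
    DBG_CONTINUE = 0x00010002
    EXCEPTION_ACCESS_VIOLATION = 0xC0000005

# File names observed at the CreateFileW breakpoint, in call order.
OPENED_FILES = []


def find_pid(processes, name):
    """Return the PID of the first process whose image name equals `name`
    (case-insensitive), or None. `processes` has the shape that
    enumerate_processes() returns: an iterable of (pid, process name) pairs."""
    wanted = name.lower()
    for (pid, pname) in processes:
        if pname.lower() == wanted:
            return pid
    return None


def read_wide_string(dbg, address, max_bytes=1024):
    """Read a NUL-terminated UTF-16LE string from the debuggee's memory.
    Returns None if the pointer is not readable (pydbg raises pdx)."""
    try:
        data = dbg.read_process_memory(address, max_bytes)
    except Exception:
        return None
    return data.decode("utf-16le", "ignore").split("\x00")[0]


def on_create_file(dbg):
    """Breakpoint handler at the entry of CreateFileW. get_arg(1) reads
    [ESP+4], the first stdcall argument: LPCWSTR lpFileName."""
    name = read_wide_string(dbg, dbg.get_arg(1))
    if name is not None:
        OPENED_FILES.append(name)
        print("[CreateFileW] %s" % name)
    return DBG_CONTINUE


def on_access_violation(dbg):
    """Crash callback: report where and how the debuggee faulted, dump the
    registers and stack, then kill it instead of letting it limp on."""
    print("[crash] access violation at 0x%08x (%s 0x%08x)" % (
        dbg.exception_address,
        dbg.write_violation and "write to" or "read from",
        dbg.violation_address))
    print(dbg.dump_context())
    dbg.terminate_process()
    return DBG_CONTINUE


def hook_process(target="notepad.exe", dll="kernel32.dll", func="CreateFileW"):
    """Attach to `target`, hook dll!func and run the debug event loop until
    the debuggee exits or crashes. Needs Windows and PyDbg."""
    if pydbg is None:
        raise RuntimeError("PyDbg is not installed; attaching only works on Windows")
    dbg = pydbg()
    pid = find_pid(dbg.enumerate_processes(), target)
    if pid is None:
        print("%s is not running" % target)
        return
    dbg.attach(pid)
    # Resolve the export inside the debuggee's address space, not our own.
    address = dbg.func_resolve_debuggee(dll, func)
    dbg.bp_set(address, description="%s!%s" % (dll, func), handler=on_create_file)
    dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, on_access_violation)
    print("attached to %s (pid %d), %s!%s at 0x%08x" % (target, pid, dll, func, address))
    dbg.run()


if __name__ == "__main__":
    hook_process()
```

Start notepad.exe, run the script, then open a file from notepad's File menu: each path shows up as a [CreateFileW] line. The handler returns DBG_CONTINUE so the hooked process keeps running; the crash callback terminates it after printing the context, which is usually what you want when the target is something you are fuzzing rather than a program you care about.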
