
These instructions are for Windows XP through Windows 7 using Python 2.7 (though other versions should work too)

Thanks to louppen for the great starting point!

  1. Download and install MinGW Compiler v20101030
    • Make sure to use the pre-packaged repository catalogs and the old version! PyDasm fails to compile with newer MinGW32 releases because they removed support for -mno-cygwin (see the bug report)
    • On the "Select Components" dialog check C++ Compiler and ObjC Compiler in addition to selected by default set
  2. Download and install Python 2.7 (x64)
  3. Download and install Git for windows
    • Make sure it adds git to your path variable!
  4. Update $PATH to include C:\Python27 and C:\MinGW\bin (see the KB article on editing the PATH variable)
  5. Checkout pydbg

    C:\sulley_build>git clone https://Fitblip@github.com/Fitblip/pydbg.git
    Cloning into 'pydbg'...
    remote: Counting objects: 17, done.
    remote: Compressing objects: 100% (12/12), done.
    remote: Total 17 (delta 4), reused 17 (delta 4)
    Unpacking objects: 100% (17/17), done.
    
  6. Build pydbg

    C:\sulley_build\pydbg>python setup.py install
    running install
    running build
    running build_py
    creating build
    creating build\lib
    creating build\lib\pydbg
    ...snip...
    running install_egg_info
    Removing C:\python27\Lib\site-packages\pydbg-0.0.0-py2.7.egg-info
    Writing C:\python27\Lib\site-packages\pydbg-0.0.0-py2.7.egg-info
    
  7. Download and extract libdasm

  8. Build the extension and install it (beware: gcc 4.7.x removed support for -mno-cygwin; see http://stackoverflow.com/q/6034390/333353 and https://gist.github.com/4466320 for a fix)

    C:\sulley_build\libdisasm\pydasm>python setup.py build_ext -c mingw32
    running build_ext
    building 'pydasm' extension
    ...snip...
    C:\sulley_build\libdisasm\pydasm>python setup.py install
    running install
    running build
    running build_ext
    running install_lib
    copying build\lib.win32-2.7\pydasm.pyd -> C:\python27\Lib\site-packages
    running install_egg_info
    Writing C:\python27\Lib\site-packages\pydasm-1.5-py2.7.egg-info
    
  9. Checkout Sulley

    C:\sulley_build>git clone https://github.com/OpenRCE/sulley.git
    Cloning into 'sulley'...
    remote: Counting objects: 148, done.
    remote: Compressing objects: 100% (91/91), done.
    remote: Total 148 (delta 53), reused 146 (delta 51)
    Receiving objects: 100% (148/148), 267.03 KiB, done.
    Resolving deltas: 100% (53/53), done.
    
  10. Make sure process_monitor.py works (no import errors)

     C:\sulley_build\sulley>python process_monitor.py
     ERR> USAGE: process_monitor.py
         <-c|--crash_bin FILENAME> filename to serialize crash bin class to
         [-p|--proc_name NAME]     process name to search for and attach to
         [-i|--ignore_pid PID]     ignore this PID when searching for the target process
         [-l|--log_level LEVEL]    log level (default 1), increase for more verbosity
         [--port PORT]             TCP port to bind this agent to
    
  11. Download and extract PCapy

  12. Download and extract WinPcap Dev Kit (I put mine in C:\sulley_build\WpdPack)

  13. Build PCapy (pointing to WinPcap's include and lib directories) and install it

    C:\sulley_build\pcapy-0.10.5>python setup.py build_ext -c mingw32 -I "C:\sulley_build\WpdPack\Include" -L "C:\sulley_build\WpdPack\Lib"
    running build_ext
    building 'pcapy' extension
    creating build
    creating build\temp.win32-2.7
    creating build\temp.win32-2.7\Release
    creating build\temp.win32-2.7\Release\win32
    ...snip...
    C:\sulley_build\pcapy-0.10.5>python setup.py install
    running install
    running build
    running build_ext
    running install_lib
    copying build\lib.win32-2.7\pcapy.pyd -> C:\python27\Lib\site-packages
    running install_data
    creating C:\python27\share
    creating C:\python27\share\doc
    creating C:\python27\share\doc\pcapy
    copying README -> C:\python27\share\doc\pcapy
    copying LICENSE -> C:\python27\share\doc\pcapy
    copying pcapy.html -> C:\python27\share\doc\pcapy
    running install_egg_info
    Writing C:\python27\Lib\site-packages\pcapy-0.10.5-py2.7.egg-info
    
  14. Download and install WinPcap

  15. Download and extract Impacket

  16. Install Impacket

    C:\sulley_build\Impacket-0.9.6.0>python setup.py install
    running install
    running build
    running build_py
    creating build
    creating build\lib
    creating build\lib\impacket
    copying impacket\ImpactDecoder.py -> build\lib\impacket
    copying impacket\ImpactPacket.py -> build\lib\impacket
    copying impacket\nmb.py -> build\lib\impacket
    copying impacket\ntlm.py -> build\lib\impacket
    copying impacket\smb.py -> build\lib\impacket
    copying impacket\structure.py -> build\lib\impacket
    copying impacket\uuid.py -> build\lib\impacket
    copying impacket\__init__.py -> build\lib\impacket
    creating build\lib\impacket\dcerpc
    ...snip...
    
  17. Check to make sure network_monitor.py works

    C:\sulley_build\sulley>python network_monitor.py
    ERR> USAGE: network_monitor.py
        <-d|--device DEVICE #>    device to sniff on (see list below)
        [-f|--filter PCAP FILTER] BPF filter string
        [-P|--log_path PATH]      log directory to store pcaps to
        [-l|--log_level LEVEL]    log level (default 1), increase for more verbosity
    
        [--port PORT]             TCP port to bind this agent to
    
    Network Device List:
        [0] \Device\NPF_GenericDialupAdapter
        [1] {CF0B388B-8DF5-4BC4-8ECF-404F2A1B489C}  10.0.2.64
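A quick sanity check I would add at this point (it is not part of the original instructions or of Sulley itself): a small Python script that imports each extension the steps above built and probes one attribute on it, so a pydasm.pyd or pcapy.pyd built against the wrong Python or MinGW shows up before process_monitor.py or network_monitor.py is run. The attribute names listed for each module are assumptions about those packages' public API at the versions shown above.

```python
import importlib
import sys

# Modules the build steps above install, paired with one attribute that only a
# complete, loadable build exposes. The attribute names are assumptions about
# each package's public API; adjust them if your versions differ.
EXPECTED = [
    ("pydbg", "pydbg"),                        # pydbg/__init__.py re-exports the class
    ("pydasm", "get_instruction"),             # the libdasm extension entry point
    ("pcapy", "findalldevs"),                  # the WinPcap-backed device enumerator
    ("impacket.ImpactDecoder", "ImpactDecoder"),
]


def check_module(name, attr=None):
    """Import `name` and optionally confirm it exposes `attr`.

    Returns (name, ok, detail) where detail is the file the module loaded from
    on success, or the reason for failure."""
    try:
        mod = importlib.import_module(name)
    except ImportError as exc:
        return (name, False, "import failed: %s" % exc)
    if attr is not None and not hasattr(mod, attr):
        # Imports but lacks the expected symbol: usually a stale or partial build.
        return (name, False, "imported but missing attribute %r" % attr)
    return (name, True, getattr(mod, "__file__", "built-in"))


def check_all(expected=EXPECTED):
    """Run check_module over every (module, attribute) pair."""
    return [check_module(name, attr) for name, attr in expected]


def report(results):
    """Print one line per module and return True only if every check passed."""
    for name, ok, detail in results:
        print("%-26s %s  %s" % (name, "OK " if ok else "ERR", detail))
    return all(ok for _, ok, _ in results)


if __name__ == "__main__":
    # Non-zero exit status lets a build script stop before launching Sulley.
    sys.exit(0 if report(check_all()) else 1)
```

Run it from the same Python 2.7 interpreter you built the extensions against; a module that imports in one interpreter and fails in another is the classic symptom of a .pyd compiled for the wrong Python.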




How much time did I waste on this...

    msvcrt.printf("Count : %d", count++)

    msvcrt.printf("Count : %d" % count++)

After puzzling over what on earth was wrong, I checked the stack layout in OllyDbg.

Oh... oh... damn it!!

It turned out to be something I needn't have struggled over at all.


    msvcrt.printf("Count : %d", count++)

    # CPU Stack
    # Address   Value      ASCII Comments
    # 0021FB0C  /1D1ADC9A  ; RETURN to _ctypes_pyd.1D1ADC9A
    # 0021FB10  |01A16BA4  ; ASCII "Loop iteration %d!"
    # 0021FB14  |00000002  ;

    msvcrt.printf("Count : %d" % count++)

    # CPU Stack
    # Address   Value      ASCII Comments
    # 0021FB20  /1D1ADC9A  ; RETURN to _ctypes_pyd.1D1ADC9A
    # 0021FB24  |019A88A4  ; ASCII "Loop iteration 0!"


So, do you see it?

With the C-style call the second argument sits at ESP + 0x08, whereas with the Python-style call the already-formatted argument sits at ESP + 0x04.

So in a pydbg example that uses the Python-style call, you can fiddle with the value at ESP+0x08 all you like and never get an answer.

It therefore has to be modified as follows.

(Someone in China had worked this out and written it up before me; my thanks to him once more.

Thank you so much wanglong1982: http://shellcodes.sinaapp.com/articles/date/2013/05)


    import random
    import struct

    from pydbg.defines import DBG_CONTINUE

    # Breakpoint callback on printf. The enclosing function and the return
    # value are added here so the fragment is complete; the body is the fix.
    def printf_randomizer(dbg):
        # Python-style call (printf("%s" % buff)): the argument sits at ESP+0x04.
        #
        # CPU Stack
        # Address   Value      ASCII Comments
        # 0021FB20  /1D1ADC9A  ; RETURN to _ctypes_pyd.1D1ADC9A
        # 0021FB24  |019A88A4  ; ASCII "Loop iteration 0!"
        #
        # The argument is also the already-combined string, unlike the C-style call.

        # Read the address of the argument at ESP + 0x04.
        parameter_addr = dbg.context.Esp + 0x04
        print('context EIP : 0x%08x' % dbg.context.Eip)
        print('context ESP : 0x%08x' % dbg.context.Esp)
        print('parameter address : 0x%08x' % parameter_addr)

        counter = dbg.read_process_memory(parameter_addr, 4)

        # read_process_memory returns a packed binary string,
        # so unpack it before using it.
        string_addr = struct.unpack("L", counter)[0]

        # "Loop iteration %d!\n" = 20 bytes
        # It is all string, so count 20 bytes including the space.
        str_len = 15 + 3 + 2

        # Now that we know where the string is, read string-size bytes from its address.
        counter_string = dbg.read_process_memory(string_addr, int(str_len))
        counter_string = struct.unpack(str(str_len) + "s", counter_string)[0]

        # "!\n" is not needed, so strip it.
        counter_string = counter_string.split("!\n")[0]

        # Drop the first 15 characters of counter_string and keep the rest.
        counter = counter_string[15:]
        print("Counter: %d" % int(counter))

        # Generate a random number.
        random_counter = str(random.randint(1, 100))

        # Write the generated number at the address right after "Loop iteration ".
        dbg.write_process_memory(string_addr + 0x0F, random_counter)

        return DBG_CONTINUE


Using the code above, you get the following output.




The C-style call works exactly as the book describes, so I won't cover it further.

Keep this in mind when calling Python-style; and since the Python-style call can be patched as well, don't give up, and see it through to the end.
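The two stack layouts above, replayed on the host as an added example (this is not the post's or the book's code, and it needs neither pydbg nor Windows): a stub debugger object exposes just the pieces of the pydbg interface the callback uses, both frames are built from the addresses in the OllyDbg dumps, and the counter is recovered from ESP+8 for the C-style call and by dereferencing the string pointer at ESP+4 for the Python-style call. It also goes a step beyond the post: the number is parsed with a regular expression instead of a fixed 15-character offset, the string is read up to its NUL instead of a fixed 20 bytes, and the rewrite keeps the "!\n" suffix and refuses to grow the string, since the Python str object behind it has no spare room. FakeDebugger and the helper names are this example's own.

```python
import random
import re
import struct


class FakeDebugger(object):
    """Stand-in for the slice of the pydbg API the callback uses: context.Esp,
    read_process_memory() and write_process_memory(). Memory is a dict of
    address -> byte; unset addresses read as 0. Constructed for this example."""

    def __init__(self, esp):
        self.mem = {}
        self.context = type("Context", (), {})()
        self.context.Esp = esp

    def write_process_memory(self, addr, data):
        for i, b in enumerate(bytearray(data)):
            self.mem[addr + i] = b

    def read_process_memory(self, addr, length):
        return bytes(bytearray(self.mem.get(addr + i, 0) for i in range(length)))


RETURN_ADDR = 0x1D1ADC9A  # return address shown in the OllyDbg dumps above


def build_c_style_frame(dbg, esp, fmt_addr, fmt, counter):
    """printf(fmt, counter): cdecl pushes right to left, so
    [ESP] = return address, [ESP+4] = format-string pointer, [ESP+8] = counter."""
    dbg.write_process_memory(esp, struct.pack("<L", RETURN_ADDR))
    dbg.write_process_memory(esp + 4, struct.pack("<L", fmt_addr))
    dbg.write_process_memory(esp + 8, struct.pack("<L", counter))
    dbg.write_process_memory(fmt_addr, fmt.encode("ascii") + b"\x00")


def build_python_style_frame(dbg, esp, str_addr, text):
    """printf(fmt % counter): Python formats first, so printf receives a single
    argument, the finished string, whose pointer sits at [ESP+4]."""
    dbg.write_process_memory(esp, struct.pack("<L", RETURN_ADDR))
    dbg.write_process_memory(esp + 4, struct.pack("<L", str_addr))
    dbg.write_process_memory(str_addr, text.encode("ascii") + b"\x00")


def read_cstring(dbg, addr, limit=256):
    """Read up to `limit` bytes and cut at the first NUL instead of assuming
    a fixed 20-byte length."""
    return dbg.read_process_memory(addr, limit).split(b"\x00", 1)[0]


def counter_c_style(dbg):
    """Second printf argument, as in the book's callback: the int at ESP+8."""
    return struct.unpack("<L", dbg.read_process_memory(dbg.context.Esp + 0x08, 4))[0]


def counter_python_style(dbg):
    """Dereference the string pointer at ESP+4 and parse the number out of the
    pre-formatted text. Returns (counter, string address, text)."""
    ptr = dbg.read_process_memory(dbg.context.Esp + 0x04, 4)
    str_addr = struct.unpack("<L", ptr)[0]
    text = read_cstring(dbg, str_addr).decode("ascii")
    match = re.search(r"Loop iteration (\d+)", text)
    if match is None:
        raise ValueError("unexpected printf argument: %r" % text)
    return int(match.group(1)), str_addr, text


def rewrite_python_style(dbg, new_counter):
    """Replace the number inside the pre-formatted string while keeping the
    "!\\n" suffix. Refuses to grow the string: the Python str object behind it
    holds exactly len(text)+1 bytes, so a longer write would corrupt the object."""
    _, str_addr, text = counter_python_style(dbg)
    new_text = re.sub(r"Loop iteration \d+", "Loop iteration %d" % new_counter, text)
    if len(new_text) > len(text):
        return False
    dbg.write_process_memory(str_addr, new_text.encode("ascii") + b"\x00")
    return True


def demo():
    """Build both frames from the addresses in the dumps and show why ESP+8
    only works for the C-style call."""
    c_dbg = FakeDebugger(0x0021FB0C)
    build_c_style_frame(c_dbg, 0x0021FB0C, 0x01A16BA4, "Loop iteration %d!\n", 2)
    py_dbg = FakeDebugger(0x0021FB20)
    build_python_style_frame(py_dbg, 0x0021FB20, 0x019A88A4, "Loop iteration 0!\n")
    print("C-style, ESP+8      : %d" % counter_c_style(c_dbg))
    print("Python-style, ESP+8 : %d (not the counter)" % counter_c_style(py_dbg))
    print("Python-style, ESP+4 : %d" % counter_python_style(py_dbg)[0])
    rewrite_python_style(py_dbg, random.randint(1, 9))  # single digit keeps the length
    print("after rewrite       : %r" % counter_python_style(py_dbg)[2])


if __name__ == "__main__":
    demo()
```

The length check is the detail the post's fixed write at string_addr + 0x0F glosses over: once the counter reaches two digits, a two-character write lands on the "!" and the output silently loses its suffix, and anything longer than the original buffer starts overwriting the str object's trailing NUL and whatever the allocator placed after it.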

