Python for Reverse Engineering: Scripting a homebrew disassembly toolchain

Anirudh (~icyphox)


Description:

When it comes to reversing binaries, using established tools like IDA Pro and radare2 is the norm. But these tools are not designed with scriptability and automation in mind, while abstracting their low level workings from the user.

This talk discusses the use of Python scripts to disassemble ELF binaries to build a small toolchain of our own.

Who is this talk for?

  • Hobbyist reverse engineers
  • Anyone interested in low level security
  • CTF players looking to add new tools to their binary exploitation arsenal
  • Bored malware analysts looking to automate some of their work :)

Brief outline of the session

  • Speaker intro
  • Basics of ELF
  • Setup (prereqs, Python modules, etc.)
  • [DEMO] Identifying sections in an ELF binary
  • [DEMO] Extracting opcodes from .text
  • [DEMO] Finding relocation entries
  • Putting it all together

Potential takeaways from doing this exercise

  • A better understanding of how industry grade reverse engineering tools work under the hood
  • Scripting disassembly and debugging for use in automated pipelines. A few examples:
    • looking for certain headers (or magic bytes) across multiple binaries, i.e. primitive malware analysis
    • identifying common obfuscation patterns across multiple binaries
    • reversing and patching firmware binaries
  • Using these scripts along with pwntools to further simplify binary exploitation
  • Crafting custom gdb plugins
  • Customizing output to feed into other tools/logging
  • To further develop tools for exploit development (eg: finding ROP gadgets, etc.)

Prerequisites:

  • A basic understanding of x86 assembly
  • Minimal knowledge of the ELF format

Content URLs:

Blog post on the same, written by me.

GitHub repo with the said scripts.

Slide deck.

Demo video (Turn up the volume a bit).

Speaker Info:

I’m Anirudh, a computer science major at SRM IST, Kattankulathur, Chennai. My primary interest is computer security, and more specifically — offensive security, digital forensics and privacy. I’m also a security researcher/CTF player at Sector443, an infosec community at our University. I've worked closely with a lot of organizations to provide security solutions, and have conducted pentests on their infrastructure. Apart from security, I actively contribute to open source projects, my most favourite being the Nim programming language.

Speaker Links:

Id: 1051
Section: Networking and Security
Type: Talks
Target Audience: Intermediate
Last Updated: