Python for Reverse Engineering: Scripting a homebrew disassembly toolchain

Anirudh (~icyphox)


12 Votes

Description:

When it comes to reversing binaries, using established tools like IDA Pro and radare2 is the norm. But these tools are not designed with scriptability and automation in mind, and they abstract their low-level workings away from the user.

This talk discusses the use of Python scripts to disassemble ELF binaries to build a small toolchain of our own.

Who is this talk for?

  • Hobbyist reverse engineers
  • Anyone interested in low-level security
  • CTF players looking to add new tools to their binary exploitation arsenal
  • Bored malware analysts looking to automate some of their work :)

Brief outline of the session

  • Speaker intro
  • Basics of ELF
  • Setup (prereqs, Python modules, etc.)
  • [DEMO] Identifying sections in an ELF binary
  • [DEMO] Extracting opcodes from .text
  • [DEMO] Finding relocation entries
  • Putting it all together
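
The first two demo steps, locating sections and pulling the raw opcode bytes out of .text, as an added example that is not part of the proposal or the speaker's repo. It parses the ELF64 header and section header table with `struct` alone; the tiny ELF image it reads is constructed inline (a null section, an 11-byte `.text`, and `.shstrtab`), so `build_sample_elf` is an assumption made for this example rather than a real binary.

```python
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes)
SHDR_FMT = "<IIQQQQIIQQ"         # Elf64_Shdr (64 bytes)
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4

def build_sample_elf():
    """Constructed minimal ELF64 image (not a real binary): header, .text, .shstrtab, 3 shdrs."""
    text = bytes.fromhex("554889e5b8000000005dc3")  # push rbp; mov rbp,rsp; mov eax,0; pop rbp; ret
    shstrtab = b"\x00.text\x00.shstrtab\x00"         # name offsets: "" -> 0, .text -> 1, .shstrtab -> 7
    text_off = 64
    str_off = text_off + len(text)
    shoff = (str_off + len(shstrtab) + 7) & ~7         # section header table, 8-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, v1, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x401000, 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))        # index 0 is always the null section
    shdrs += struct.pack(SHDR_FMT, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                         0x401000, text_off, len(text), 0, 0, 16, 0)
    shdrs += struct.pack(SHDR_FMT, 7, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + text + shstrtab
    return body + b"\x00" * (shoff - len(body)) + shdrs

def parse_sections(data):
    """Return {name: (sh_type, sh_flags, sh_addr, sh_offset, sh_size)} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    # Section names are offsets into .shstrtab, which e_shstrndx points at.
    strtab = data[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    sections = {}
    for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_ in raw:
        name = strtab[sh_name:strtab.index(b"\x00", sh_name)].decode()
        sections[name] = (sh_type, sh_flags, sh_addr, sh_offset, sh_size)
    return sections

def extract_opcodes(data, name=".text"):
    """Raw bytes of the named section: exactly what a disassembler would be fed next."""
    _, _, _, off, size = parse_sections(data)[name]
    return data[off:off + size]

if __name__ == "__main__":
    elf = build_sample_elf()
    for n, (t, f, a, o, s) in parse_sections(elf).items():
        print(f"{n or '<null>':<10} type={t} flags={f:#x} addr={a:#x} off={o:#x} size={s}")
    print(".text bytes:", extract_opcodes(elf).hex())
```

On a real binary, read the file into `data` and the same two functions apply; a file that is not ELFCLASS64 is rejected before any offset is trusted.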

Potential takeaways from doing this exercise

  • A better understanding of how industry grade reverse engineering tools work under the hood
  • Scripting disassembly and debugging for use in automated pipelines. A few examples:
    • looking for certain headers (or magic bytes) across multiple binaries, i.e. primitive malware analysis
    • identifying common obfuscation patterns across multiple binaries
    • reversing and patching firmware binaries
  • Using these scripts along with pwntools to further simplify binary exploitation
  • Crafting custom gdb plugins
  • Customizing output to feed into other tools/logging
  • Further developing tools for exploit development (e.g. finding ROP gadgets)

Prerequisites:

  • A basic understanding of x86 assembly
  • Minimal knowledge of the ELF format

Content URLs:

Blog post on the same, written by me.

GitHub repo with the scripts mentioned above.

Speaker Info:

I’m Anirudh, a computer science major at SRM IST, Kattankulathur, Chennai. My primary interest is computer security, and more specifically — offensive security, digital forensics and threat intel. I’m also a security researcher/CTF player at Sector443, an infosec community at our University. I've worked closely with a lot of organizations to provide security solutions, and have conducted pentests on their infrastructure. Apart from security, I actively contribute to open source projects, my favourite being the Nim programming language.

Speaker Links:

Section: Networking and Security
Type: Talks
Target Audience: Intermediate
Last Updated:

Hi Anirudh, thanks for submitting the proposal.

While your description seems to be good enough, I would suggest you add a bit more detail on how it's related to CI/CD systems (in the takeaways section) and more about the uses of the toolchain you build by disassembling ELF binaries.

Also, it would be great if you can add some of your slides if they are ready and a 2 minute video pitch about your talk.

Please refer to the speaker best practices.

Best,
Naren
(CFP coordinator)

Naren Ravi (~naren)

Hi Naren, I’ll add in those changes. As for the slides and video, I’ll try to put them up in about a week. A bit tied up with my exams here, bear with me :)

Thanks!

Anirudh (~icyphox)

A week is totally fine. Good luck with your exams.

Naren Ravi (~naren)
