python deflowered shangri la
play

Python Deflowered Shangri-La! Christos Kalkanis - PowerPoint PPT Presentation

Aug 08, 2023 •271 likes •1.27k views

Python Deflowered Shangri-La! Christos Kalkanis chris@immunityinc.com Overview Full Python VM as injectable payload In-memory execution Asynchronous implant framework more :-) History The principles behind this talk

  1. Python Deflowered Shangri-La! Christos Kalkanis � chris@immunityinc.com

  2. Overview • Full Python VM as injectable payload • In-memory execution • Asynchronous implant framework • … more :-)

  3. History • The principles behind this talk are old, people have been talking about injectable virtual machines for years now • The application of Python to this domain has not been extensively discussed • Goals we managed to achieve are atypical if not novel

  4. Why Virtual Machines? • Post-exploitation scenarios are getting more and more sophisticated • Proliferation of platforms, all important: Not just Windows any more • Adverse environments • Requirements keep changing • Anti-forensics

  5. Why Virtual Machines? • We need tools that help us engineer flexible architectures • VMs offer an additional layer of abstraction that helps us deal with complexity • Flexibility: Multiple platforms, anti-forensics, dynamism at runtime • Dynamic languages like Python are well-suited to rapid-prototyping and bottom-up style of development

  6. Examples Wes Brown and Scott Dunlop: Mosquito Lisp (MOSREF) Unknown actors: Flame/Skywiper

  7. MOSREF • Custom Lisp VM+language implementation, compiled to bytecode • Tiny memory footprint < 200 KB • Crypto, XML, HTTP, Regex, Sockets, Database • Written in ANSI C and itself

  8. MOSREF Architecture • “Console” and “Drones” • Console contains bytecode compiler and performs drone management • Drones are tiny bytecode interpreters + thin comms layer (sockets/crypto) • Communication is abstracted, drones can be linked • Code dynamically loaded at runtime, including the compiler (when needed)

  9. MOSREF • No FFI/syscall interface • No shared library injection • Third party libraries • Interpreter performance could be an issue • No native threads (not really a drawback) • Overall, very impressive work

  10. Flame • Huge footprint, tens of megabytes • Functionality spread out over different modules • Bluetooth, Audio, Keylogger, Sniffer, Skype, MITM, Screenshots • Core written in C/C++, Lua used as the glue rather than main implementation language

  11. Flame • Doesn’t operate entirely in memory, dumps modules on disk • Functionality fixed into different modules that are loosely coupled, including core itself • No runtime redefinition • Reduced flexibility

  12. Observations • Interesting dichotomy • MOSREF team went for minimal footprint, extreme dynamism, MOSREF is a framework that’s designed to be programmed at runtime • Footprint not really a consideration for Flame • Some dynamism, but also lots of hardcoded logic • Flame caters to “operators” rather than programmers

  13. Why Python?

  14. Why Python? � � • We use it at Immunity :-)

  15. Why Python? • Batteries included • Lots of third-party libraries • Multiple platforms, bytecode is portable between all • Easy interface from C • Built-in FFI

  16. Why NOT Python? • Lots of libraries are garbage , including parts of standard library • Memory footprint • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  17. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  18. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  19. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  20. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  21. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  22. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  23. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks ( Work around, attempt to fix ) • Byte-code easy to reverse engineer

  24. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks ( Work around, attempt to fix ) • Byte-code easy to reverse engineer

  25. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks ( Work around, attempt to fix ) • Byte-code easy to reverse engineer ( Exploit runtime dynamism when important )

  26. Time • Anything that uses time.time() will be affected by system clock changes • This includes parts of the Python standard library one would expect not to :-) threading.Condition.wait(timeout) threading.Event.wait(timeout) threading.Thread.join(timeout) Queue.Queue.get(timeout) Queue.Queue.put(timeout)

  27. Our Goal • 1 DLL (deployment), 1 EXE (testing/debugging) • Fully self-contained, all dependencies bundled • 32/64bit, platform agnostic architecture • For Windows: XP SP0 - Windows 8.1 • Drop nothing on the filesystem, operate in memory • Not tied to specific Python version, no static linking • DLL should be injectable

  28. Existing Solutions • Generally do not support in-memory operation • Those that do, come with custom DLL loaders that have compatibility problems (py2exe) • Statically link Python thus losing dynloading/ extension/library support • Require compilation, convoluted build systems usually tied to Windows

  29. Loader Architecture Python C boot.py archive.py, memimport.py libpython libloader, libasset bootstrap (boot.c)

  30. Bootstrap

  31. libloader • Loads a DLL from memory using the OS loader extern int libloader_init (void); � extern void * libloader_load_library ( char *name, char *buffer, int length); � extern void * libloader_resolve (void *handle, char *name); � extern void * libloader_find_library (char *name); � extern int libloader_unload_library (void *handle); � extern int libloader_destroy (void);

  32. libloader (Windows) • Hooks NTDLL, similarly to Stuxnet • NtOpenFile, NtClose, NtCreateSection, NtQuerySection, NtMapViewOfSection, NtQueryAttributesFile • Kernel32!LoadLibrary does the actual loading • Kernel32!GetProcAddress works fine on handles returned

  33. libasset • Abstracts away embedded asset management (DLL resources for Windows, ELF/Mach-O sections) #define ASSET_INTERP 0 /* Main Python interpreter */ #define ASSET_LIBRARY 1 /* Dynamic library */ #define ASSET_EXTENSION 2 /* Python extension */ #define ASSET_ARCHIVE 3 /* Archive of Python modules */ #define ASSET_DATA 4 /* Binary data */ � extern struct ASSET *libasset_find_asset(char *name);

  34. libpython • Brings libasset/libpython into Python (by registering them as extensions) • Functions for initializing DLLs (loaded by libloader) as Python extensions • Functions that load Python bytecode/compile source from memory • Responsible for initializing and starting Python from python27.dll (all Python API functions are called indirectly, after we resolve them at runtime) extern int libpython_start(void);

  35. Execution • We have bundled the Python DLL • We can start a Python interpreter, from memory • We can load/execute bytecode/Python source at runtime

  36. Execution • We have bundled the Python DLL • We can start a Python interpreter, from memory • We can load/execute bytecode/Python source at runtime • Don’t have a standard library yet

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Maybank Economics Project 4 Shangri-La Asia Limited Done By: Leader :Liu Jou Hsuan Members :

Maybank Economics Project 4 Shangri-La Asia Limited Done By: Leader :Liu Jou Hsuan Members :

Maybank Economics Project 4 Shangri-La Asia Limited Done By: Leader :Liu Jou Hsuan Members : Felicia Lee, Janna Tan, Valarie Tam, Mandy Ho, Amelia Yee. Shangri-Las main business Shangri-La Asia Limited is in charge of four main hotels

346 views • 18 slides
Food Journey 16 November 2015 About Shangri-La Operates 46 hotels in Mainland China 2

Food Journey 16 November 2015 About Shangri-La Operates 46 hotels in Mainland China 2

Shangri- Las Sustainable Food Journey 16 November 2015 About Shangri-La Operates 46 hotels in Mainland China 2 Sustainability s tarts from who we are We believe there is no greater act of hospitality than to embrace a stranger as

289 views • 11 slides
Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons Flying Circus 1991 Python 0.9.0 Released 2008 Python 2.6 / 3.0rc2 Current Python 2.7.1 / 3.2 *7 th most popular language

753 views • 37 slides
1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

Python Example of a MapReduce Application The mapper and reducer are both self contained Python programs Read from standard input and write to standard output ! Mapper Tell Unix: this is Python #!/usr/bin/env python3 The emit function

464 views • 3 slides
Getting Started with Python The Python Interpreter A piece of software that executes

Getting Started with Python The Python Interpreter A piece of software that executes

Object-Oriented Programming in Python Goldwasser and Letscher Chapter 2 Getting Started with Python The Python Interpreter A piece of software that executes commands for the Python language Start the interpreter by typing python at a

862 views • 27 slides
An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we learn it 2. Python scripts and Jupyter 3. Fundamental data types 4. Basic Python procedures: operators, functions, methods etc. 5. Conditional

978 views • 66 slides
We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less

We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less

We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less overhead than Java for the programmer. Tyler Moore Python is closer to psuedo-code on the English-pseudocode-code spectrum than Java or C/C++, but

615 views • 9 slides
2018 Regional Symposium on ICT for Education GALLERY WALK 27-28 February 2018 | Shangri-La

2018 Regional Symposium on ICT for Education GALLERY WALK 27-28 February 2018 | Shangri-La

South Asia 2018 Regional Symposium on ICT for Education GALLERY WALK 27-28 February 2018 | Shangri-La Hotel | Colombo, Sri Lanka http://bit.ly/SARSIE2018 British Council English and Digital for Girls Education (EDGE) AMBITION

2.17k views • 11 slides
29 November 2018 (Shangri La, Jakarta) Professor Dr. Colin Ong, QC Arbitrator &amp; Queens

29 November 2018 (Shangri La, Jakarta) Professor Dr. Colin Ong, QC Arbitrator &amp; Queens

BANI Arbitration Seminar 2018 Setting Aside and Refusal of Enforcement of Foreign Awards - Law and Issues 29 November 2018 (Shangri La, Jakarta) Professor Dr. Colin Ong, QC Arbitrator &amp; Queens Counsel, 36 Stone Chambers (London) Counsel,

560 views • 17 slides
INVESTORS CONFERENCE 09 February 2017 | Makati Shangri-La, Philippines Opening Remarks Atty.

INVESTORS CONFERENCE 09 February 2017 | Makati Shangri-La, Philippines Opening Remarks Atty.

The New at Entertainment City Project INVESTORS CONFERENCE 09 February 2017 | Makati Shangri-La, Philippines Opening Remarks Atty. Grace Quevedo-Panagsagan Chairperson, Nayong Pilipino Foundaiton Message from the Department of Tourism

1.02k views • 43 slides
First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool:

First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool:

First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool: Python! Python Programming Language Python Programming Language Created in 1991 by Guido van Rossum Python Cro ross Platform Pro rogramming

662 views • 62 slides
From Shangri-La to the Land of Opportunities The Stories of Nepali Speaking Bhutanese Refugees -

From Shangri-La to the Land of Opportunities The Stories of Nepali Speaking Bhutanese Refugees -

From Shangri-La to the Land of Opportunities The Stories of Nepali Speaking Bhutanese Refugees - - R. L. Merkel, Jr. MD, PhD - -Aditi Giri, MBBS - -Prashant Khatiwada, MBBS Historical Background Nepalis in Bhutan Bhutanese

894 views • 55 slides
Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La

Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La

Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La to Develop an over US$250 million Integrated Mixed-use Development in Accra, Ghana Disclaimer All statements contained in this presentation which

137 views • 12 slides
RETHINKING SHANGRI-LA Revival of the sustainable courtyard dwellings Kathmandu, Nepal Pooja

RETHINKING SHANGRI-LA Revival of the sustainable courtyard dwellings Kathmandu, Nepal Pooja

RETHINKING SHANGRI-LA Revival of the sustainable courtyard dwellings Kathmandu, Nepal Pooja Vaidya Advisor: Prof. David Crutchfield Secondary Advisor: Dr. Doug Schulz Everywhere throughout the world, one finds the same bad movie, the same

579 views • 42 slides
Ringa Mountain Farm, Shangri-la, Project Description Objective: Seeking assistance or

Ringa Mountain Farm, Shangri-la, Project Description Objective: Seeking assistance or

Ringa Mountain Farm, Shangri-la, Project Description Objective: Seeking assistance or partnership with an experienced Rammed Earth builder or Engineer experienced in RE construction to help with training village community in stabilised and

597 views • 12 slides
Saturday, June 1 3 th, 2015 Jing An Shangri-La, Shanghai Premio Panda dOro 2015 Edition

Saturday, June 1 3 th, 2015 Jing An Shangri-La, Shanghai Premio Panda dOro 2015 Edition

Saturday, June 1 3 th, 2015 Jing An Shangri-La, Shanghai Premio Panda dOro 2015 Edition Jointly organized by the China-Italy Chamber of Commerce and the Fondazione Italia-Cina, sponsored by the Italian Ministry of Foreign Affairs, the

365 views • 12 slides
NCCAVS Junction Technologies User Group Meeting Updates on New Technologies Friday, July

NCCAVS Junction Technologies User Group Meeting Updates on New Technologies Friday, July

NCCAVS Junction Technologies User Group Meeting Updates on New Technologies Friday, July 12, 2019 Sponsors: Sumitomo Heavy Industries Ion Technology Axcelis UC Components Co-Chairs: Susan Felch John Borland Michael Current Agenda

282 views • 3 slides
implantation and decay counter Rin Yokoyama ( University of Tennessee, Knoxville ) R. Grzywacz,

implantation and decay counter Rin Yokoyama ( University of Tennessee, Knoxville ) R. Grzywacz,

YSO fragment implantation and decay counter Rin Yokoyama ( University of Tennessee, Knoxville ) R. Grzywacz, M. Singh, T . King, S. Go, A. Keeler, J. Agramunt, N. Brewer, J. Liu, S. Nishimura, V. Phong, M. Rajabali, C. Rasco, K. Rykaczewski,

509 views • 15 slides
ISOLDE Emily Ghosh ISOLDE I sotope mass S eparator O n- L ine DE tector Located at Proton

ISOLDE Emily Ghosh ISOLDE I sotope mass S eparator O n- L ine DE tector Located at Proton

ISOLDE Emily Ghosh ISOLDE I sotope mass S eparator O n- L ine DE tector Located at Proton Synchrotron Booster (PSB) at CERN Use of radioactive nuclei beams for experiments in Nuclear and Atomic Physics Solid State Material Science

343 views • 13 slides
Sometimes, the problem becomes more tractable when presented with the solution DISCLAIMER!!!

Sometimes, the problem becomes more tractable when presented with the solution DISCLAIMER!!!

Sometimes, the problem becomes more tractable when presented with the solution DISCLAIMER!!! This project is meant for educational purposes only. Views, concepts, techniques, knowledge, etc are that of the authors and do not represent our

441 views • 31 slides
Enhanced lateral drift sensors: concept and development. Anastasiia Velyka, Hendrik Jansen

Enhanced lateral drift sensors: concept and development. Anastasiia Velyka, Hendrik Jansen

Enhanced lateral drift sensors: concept and development. Anastasiia Velyka, Hendrik Jansen TIPP2017, Beijing DESY Hamburg How to achieve a high resolution? &gt; Decrease the size of the read-out cell, i.e. pixel or strip pitch pitch &gt; The

227 views • 21 slides
Diamond materials for detection Jean-Charles ARNAULT jean-charles.arnault@cea.fr Workshop

Diamond materials for detection Jean-Charles ARNAULT jean-charles.arnault@cea.fr Workshop

09 juin 2015 Diamond materials for detection Jean-Charles ARNAULT jean-charles.arnault@cea.fr Workshop Diamant et dtecteurs, LPSC, June 9, 2015 Diamond Sensors Laboratory from Chemical Vapour Deposition of diamond to sensors MEMS

638 views • 39 slides
HRI Ethics Nao pill (MAARS) American remote ATLAS reminder system control gunbot Robear

HRI Ethics Nao pill (MAARS) American remote ATLAS reminder system control gunbot Robear

2/21/19 Ethics and Robotics HRI Ethics Nao pill (MAARS) American remote ATLAS reminder system control gunbot Robear transfer robot Modular Advanced Armed Robotic Nao pill ATLAS System (MAARS) American reminder robot remote

226 views • 4 slides
Safety-critical Nick Kofinas Devices The Stuxnet Worm(s) Most of the following are

Safety-critical Nick Kofinas Devices The Stuxnet Worm(s) Most of the following are

How everything can be hacked Safety-critical Nick Kofinas Devices The Stuxnet Worm(s) Most of the following are Maybes Main target: Iranian nuclear program Main physical targets Centrifuge devices PLC controllers The

402 views • 21 slides

More recommend