python deflowered shangri la
play

Python Deflowered Shangri-La! Christos Kalkanis - PowerPoint PPT Presentation

Aug 08, 2023 •271 likes •1.27k views

Python Deflowered Shangri-La! Christos Kalkanis chris@immunityinc.com Overview Full Python VM as injectable payload In-memory execution Asynchronous implant framework more :-) History The principles behind this talk

  1. Python Deflowered Shangri-La! Christos Kalkanis � chris@immunityinc.com

  2. Overview • Full Python VM as injectable payload • In-memory execution • Asynchronous implant framework • … more :-)

  3. History • The principles behind this talk are old, people have been talking about injectable virtual machines for years now • The application of Python to this domain has not been extensively discussed • Goals we managed to achieve are atypical if not novel

  4. Why Virtual Machines? • Post-exploitation scenarios are getting more and more sophisticated • Proliferation of platforms, all important: Not just Windows any more • Adverse environments • Requirements keep changing • Anti-forensics

  5. Why Virtual Machines? • We need tools that help us engineer flexible architectures • VMs offer an additional layer of abstraction that helps us deal with complexity • Flexibility: Multiple platforms, anti-forensics, dynamism at runtime • Dynamic languages like Python are well-suited to rapid-prototyping and bottom-up style of development

  6. Examples Wes Brown and Scott Dunlop: Mosquito Lisp (MOSREF) Unknown actors: Flame/Skywiper

  7. MOSREF • Custom Lisp VM+language implementation, compiled to bytecode • Tiny memory footprint < 200 KB • Crypto, XML, HTTP, Regex, Sockets, Database • Written in ANSI C and itself

  8. MOSREF Architecture • “Console” and “Drones” • Console contains bytecode compiler and performs drone management • Drones are tiny bytecode interpreters + thin comms layer (sockets/crypto) • Communication is abstracted, drones can be linked • Code dynamically loaded at runtime, including the compiler (when needed)

  9. MOSREF • No FFI/syscall interface • No shared library injection • Third party libraries • Interpreter performance could be an issue • No native threads (not really a drawback) • Overall, very impressive work

  10. Flame • Huge footprint, tens of megabytes • Functionality spread out over different modules • Bluetooth, Audio, Keylogger, Sniffer, Skype, MITM, Screenshots • Core written in C/C++, Lua used as the glue rather than main implementation language

  11. Flame • Doesn’t operate entirely in memory, dumps modules on disk • Functionality fixed into different modules that are loosely coupled, including core itself • No runtime redefinition • Reduced flexibility

  12. Observations • Interesting dichotomy • MOSREF team went for minimal footprint, extreme dynamism, MOSREF is a framework that’s designed to be programmed at runtime • Footprint not really a consideration for Flame • Some dynamism, but also lots of hardcoded logic • Flame caters to “operators” rather than programmers

  13. Why Python?

  14. Why Python? � � • We use it at Immunity :-)

  15. Why Python? • Batteries included • Lots of third-party libraries • Multiple platforms, bytecode is portable between all • Easy interface from C • Built-in FFI

  16. Why NOT Python? • Lots of libraries are garbage , including parts of standard library • Memory footprint • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  17. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  18. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  19. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python bytecode not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  20. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  21. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  22. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks • Byte-code easy to reverse engineer

  23. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks ( Work around, attempt to fix ) • Byte-code easy to reverse engineer

  24. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks ( Work around, attempt to fix ) • Byte-code easy to reverse engineer

  25. Why NOT Python? • Lots of libraries are garbage , including parts of standard library ( Don’t use them ) • Memory footprint ( Can be an issue ) • Python byte-code not necessarily portable ( Source is, alternatively fix Python version ) • GIL, bugs in standard library, memory leaks ( Work around, attempt to fix ) • Byte-code easy to reverse engineer ( Exploit runtime dynamism when important )

  26. Time • Anything that uses time.time() will be affected by system clock changes • This includes parts of the Python standard library one would expect not to :-) threading.Condition.wait(timeout) threading.Event.wait(timeout) threading.Thread.join(timeout) Queue.Queue.get(timeout) Queue.Queue.put(timeout)

  27. Our Goal • 1 DLL (deployment), 1 EXE (testing/debugging) • Fully self-contained, all dependencies bundled • 32/64bit, platform agnostic architecture • For Windows: XP SP0 - Windows 8.1 • Drop nothing on the filesystem, operate in memory • Not tied to specific Python version, no static linking • DLL should be injectable

  28. Existing Solutions • Generally do not support in-memory operation • Those that do, come with custom DLL loaders that have compatibility problems (py2exe) • Statically link Python thus losing dynloading/ extension/library support • Require compilation, convoluted build systems usually tied to Windows

  29. Loader Architecture Python C boot.py archive.py, memimport.py libpython libloader, libasset bootstrap (boot.c)

  30. Bootstrap

  31. libloader • Loads a DLL from memory using the OS loader extern int libloader_init (void); � extern void * libloader_load_library ( char *name, char *buffer, int length); � extern void * libloader_resolve (void *handle, char *name); � extern void * libloader_find_library (char *name); � extern int libloader_unload_library (void *handle); � extern int libloader_destroy (void);

  32. libloader (Windows) • Hooks NTDLL, similarly to Stuxnet • NtOpenFile, NtClose, NtCreateSection, NtQuerySection, NtMapViewOfSection, NtQueryAttributesFile • Kernel32!LoadLibrary does the actual loading • Kernel32!GetProcAddress works fine on handles returned

  33. libasset • Abstracts away embedded asset management (DLL resources for Windows, ELF/Mach-O sections) #define ASSET_INTERP 0 /* Main Python interpreter */ #define ASSET_LIBRARY 1 /* Dynamic library */ #define ASSET_EXTENSION 2 /* Python extension */ #define ASSET_ARCHIVE 3 /* Archive of Python modules */ #define ASSET_DATA 4 /* Binary data */ � extern struct ASSET *libasset_find_asset(char *name);

  34. libpython • Brings libasset/libpython into Python (by registering them as extensions) • Functions for initializing DLLs (loaded by libloader) as Python extensions • Functions that load Python bytecode/compile source from memory • Responsible for initializing and starting Python from python27.dll (all Python API functions are called indirectly, after we resolve them at runtime) extern int libpython_start(void);

  35. Execution • We have bundled the Python DLL • We can start a Python interpreter, from memory • We can load/execute bytecode/Python source at runtime

  36. Execution • We have bundled the Python DLL • We can start a Python interpreter, from memory • We can load/execute bytecode/Python source at runtime • Don’t have a standard library yet

Recommend

Maybank Economics Project 4 Shangri-La Asia Limited Done By: Leader :Liu Jou Hsuan Members :

Maybank Economics Project 4 Shangri-La Asia Limited Done By: Leader :Liu Jou Hsuan Members :

Maybank Economics Project 4 Shangri-La Asia Limited Done By: Leader :Liu Jou Hsuan Members : Felicia Lee, Janna Tan, Valarie Tam, Mandy Ho, Amelia Yee. Shangri-Las main business Shangri-La Asia Limited is in charge of four main hotels

346 views • 18 slides
Food Journey 16 November 2015 About Shangri-La Operates 46 hotels in Mainland China 2

Food Journey 16 November 2015 About Shangri-La Operates 46 hotels in Mainland China 2

Shangri- Las Sustainable Food Journey 16 November 2015 About Shangri-La Operates 46 hotels in Mainland China 2 Sustainability s tarts from who we are We believe there is no greater act of hospitality than to embrace a stranger as

289 views • 11 slides
Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons

Python Tidbits Python created by that guy ---&gt; Python is named after Monty Pythons Flying Circus 1991 Python 0.9.0 Released 2008 Python 2.6 / 3.0rc2 Current Python 2.7.1 / 3.2 *7 th most popular language

754 views • 37 slides
1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

Python Example of a MapReduce Application The mapper and reducer are both self contained Python programs Read from standard input and write to standard output ! Mapper Tell Unix: this is Python #!/usr/bin/env python3 The emit function

464 views • 3 slides
Getting Started with Python The Python Interpreter A piece of software that executes

Getting Started with Python The Python Interpreter A piece of software that executes

Object-Oriented Programming in Python Goldwasser and Letscher Chapter 2 Getting Started with Python The Python Interpreter A piece of software that executes commands for the Python language Start the interpreter by typing python at a

862 views • 27 slides
An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we

An introduction to Python Andreas Bjerre-Nielsen Agenda 1. Python: what it is; why and how we learn it 2. Python scripts and Jupyter 3. Fundamental data types 4. Basic Python procedures: operators, functions, methods etc. 5. Conditional

978 views • 66 slides
We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less

We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less

We already know Java. Why learn Python? Using Python to Implement Algorithms Python has far less overhead than Java for the programmer. Tyler Moore Python is closer to psuedo-code on the English-pseudocode-code spectrum than Java or C/C++, but

615 views • 9 slides
2018 Regional Symposium on ICT for Education GALLERY WALK 27-28 February 2018 | Shangri-La

2018 Regional Symposium on ICT for Education GALLERY WALK 27-28 February 2018 | Shangri-La

South Asia 2018 Regional Symposium on ICT for Education GALLERY WALK 27-28 February 2018 | Shangri-La Hotel | Colombo, Sri Lanka http://bit.ly/SARSIE2018 British Council English and Digital for Girls Education (EDGE) AMBITION

2.17k views • 11 slides
29 November 2018 (Shangri La, Jakarta) Professor Dr. Colin Ong, QC Arbitrator &amp; Queens

29 November 2018 (Shangri La, Jakarta) Professor Dr. Colin Ong, QC Arbitrator &amp; Queens

BANI Arbitration Seminar 2018 Setting Aside and Refusal of Enforcement of Foreign Awards - Law and Issues 29 November 2018 (Shangri La, Jakarta) Professor Dr. Colin Ong, QC Arbitrator &amp; Queens Counsel, 36 Stone Chambers (London) Counsel,

560 views • 17 slides
INVESTORS CONFERENCE 09 February 2017 | Makati Shangri-La, Philippines Opening Remarks Atty.

INVESTORS CONFERENCE 09 February 2017 | Makati Shangri-La, Philippines Opening Remarks Atty.

The New at Entertainment City Project INVESTORS CONFERENCE 09 February 2017 | Makati Shangri-La, Philippines Opening Remarks Atty. Grace Quevedo-Panagsagan Chairperson, Nayong Pilipino Foundaiton Message from the Department of Tourism

1.02k views • 43 slides
First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool:

First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool:

First Tool: Python! Introduction to python programming Gholamhossein Tavasoli @ ZNU First Tool: Python! Python Programming Language Python Programming Language Created in 1991 by Guido van Rossum Python Cro ross Platform Pro rogramming

663 views • 62 slides
From Shangri-La to the Land of Opportunities The Stories of Nepali Speaking Bhutanese Refugees -

From Shangri-La to the Land of Opportunities The Stories of Nepali Speaking Bhutanese Refugees -

From Shangri-La to the Land of Opportunities The Stories of Nepali Speaking Bhutanese Refugees - - R. L. Merkel, Jr. MD, PhD - -Aditi Giri, MBBS - -Prashant Khatiwada, MBBS Historical Background Nepalis in Bhutan Bhutanese

894 views • 55 slides
Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La

Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La

Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La to Develop an over US$250 million Integrated Mixed-use Development in Accra, Ghana Disclaimer All statements contained in this presentation which

137 views • 12 slides
RETHINKING SHANGRI-LA Revival of the sustainable courtyard dwellings Kathmandu, Nepal Pooja

RETHINKING SHANGRI-LA Revival of the sustainable courtyard dwellings Kathmandu, Nepal Pooja

RETHINKING SHANGRI-LA Revival of the sustainable courtyard dwellings Kathmandu, Nepal Pooja Vaidya Advisor: Prof. David Crutchfield Secondary Advisor: Dr. Doug Schulz Everywhere throughout the world, one finds the same bad movie, the same

579 views • 42 slides
Ringa Mountain Farm, Shangri-la, Project Description Objective: Seeking assistance or

Ringa Mountain Farm, Shangri-la, Project Description Objective: Seeking assistance or

Ringa Mountain Farm, Shangri-la, Project Description Objective: Seeking assistance or partnership with an experienced Rammed Earth builder or Engineer experienced in RE construction to help with training village community in stabilised and

597 views • 12 slides
Saturday, June 1 3 th, 2015 Jing An Shangri-La, Shanghai Premio Panda dOro 2015 Edition

Saturday, June 1 3 th, 2015 Jing An Shangri-La, Shanghai Premio Panda dOro 2015 Edition

Saturday, June 1 3 th, 2015 Jing An Shangri-La, Shanghai Premio Panda dOro 2015 Edition Jointly organized by the China-Italy Chamber of Commerce and the Fondazione Italia-Cina, sponsored by the Italian Ministry of Foreign Affairs, the

365 views • 12 slides
Py Python Strings Python strings are immuatable: s = abc s[2] = d s = abd

Py Python Strings Python strings are immuatable: s = abc s[2] = d s = abd

2/25/20 CS 224 Introduction to Python Spring 2020 Class #14: Strings Py Python Strings Python strings are immuatable: s = abc s[2] = d s = abd These dont change the string abc s = s[:-1] + d they

444 views • 19 slides
Outline Spend 30-40 minutes on Python - Not an intro! - Very quick run-through of how Python

Outline Spend 30-40 minutes on Python - Not an intro! - Very quick run-through of how Python

CMSC 723 Computational Linguistics I Introduction to Python and NLTK Session 2 Wednesday, September 9, 2009 1 Outline Spend 30-40 minutes on Python - Not an intro! - Very quick run-through of how Python does stuff you already know

915 views • 33 slides
Python 1 Python Python is high-level programming language for general-purpose programming.

Python 1 Python Python is high-level programming language for general-purpose programming.

Python 1 Python Python is high-level programming language for general-purpose programming. Supports multiple programming paradigms, including object-oriented , imperative , functional programming, and procedural styles. Original

637 views • 35 slides
HPC Python Programming Ramses van Zon July 10, 2019 Ramses van Zon HPC Python Programming July

HPC Python Programming Ramses van Zon July 10, 2019 Ramses van Zon HPC Python Programming July

HPC Python Programming Ramses van Zon July 10, 2019 Ramses van Zon HPC Python Programming July 10, 2019 1 / 69 In this session. . . Performance and Python Profiling tools for Python Fast arrays for Python: Numpy Ramses van Zon HPC Python

1.32k views • 119 slides
UCX-PYTHON: A FLEXIBLE COMMUNICATION LIBRARY FOR PYTHON APPLICATIONS March 21, 2018 OUTLINE

UCX-PYTHON: A FLEXIBLE COMMUNICATION LIBRARY FOR PYTHON APPLICATIONS March 21, 2018 OUTLINE

UCX-PYTHON: A FLEXIBLE COMMUNICATION LIBRARY FOR PYTHON APPLICATIONS March 21, 2018 OUTLINE Motivation and goals Implementation choices Features/API Performance Next steps 2 WHY PYTHON-BASED GPU COMMUNICATION? Python use growing

315 views • 29 slides
A Crash Course in Python Based on Learning Python By Mark Lutz &amp; David Ascher, O'Reilly

A Crash Course in Python Based on Learning Python By Mark Lutz &amp; David Ascher, O'Reilly

A Crash Course in Python Based on Learning Python By Mark Lutz &amp; David Ascher, O'Reilly http://proquestcombo.safaribooksonline.com/book/programming/python/9780596805395 Presented by Cuauhtmoc Carbajal I TESM CEM A Crash Course in Python

1.35k views • 84 slides
Python for Data Science Overview of Python Why Python Installing Python Installing Python Modules

Python for Data Science Overview of Python Why Python Installing Python Installing Python Modules

Python for Data Science Overview of Python Why Python Installing Python Installing Python Modules Overview of the course Assumptions: We are here to learn some new skills We learn new skills by doing We work better with others

442 views • 43 slides
We already know Java and C++. Why learn Python? Using Python to Implement Algorithms Tyler Moore

We already know Java and C++. Why learn Python? Using Python to Implement Algorithms Tyler Moore

We already know Java and C++. Why learn Python? Using Python to Implement Algorithms Tyler Moore Python has far less overhead than Java/C++ for the programmer. Python is closer to psuedo-code on the English-pseudocode-code CSE 3353, SMU,

138 views • 9 slides

More recommend