Common technique in Bypassing Stuff in Python.

•

3 likes•19,690 views

This document discusses bypassing antivirus detection in Python by using its ability to call functions in DLLs and shared libraries via ctypes. It provides examples of using ctypes to call Windows API functions like MessageBoxA, WinExec to launch calc.exe, and chaining VirtualAlloc, WriteProcessMemory, CreateThread and WaitForSingleObject to execute shellcode in-memory and bypass antivirus. The document suggests this technique can be used for post-exploitation and antivirus bypass. It also mentions freezing the Python code into an executable and provides references on Windows shellcoding.

Technology

Quick introduction to Python
• By default exist in every major Linux
Distribution
• Can be install or run as portable tools in
Windows :

So what’s the big deal?
• Python support Foreign Function Instruction
• It supports Ctypes.
• http://docs.python.org/2/library/ctypes.html
• It provides C compatible data types, and allows
calling functions in DLLs or shared libraries. It can
be used to wrap these libraries in pure Python
• Smell profits!!!
• Alternative ways besides using import system
• Good for Post Exploitation
• Bypass AV 

A Simple MessageBoxA 
• From MSDN
• Required 4 argument,

How to understand quickly 
• HWND – A handle to the owner window of the message box to be created.
If this parameter is NULL, the message box has no owner window. (SO we
set to Null, in Python Null is None)
• LPCTSR lpText - It’s a string for a Text
• LPCTSR lpCaption – It’s a string for the MessageBox Title
• UINT - Unsigned Integer .
_in_opt_ is a SAL Annotation saying you can put NULL as a value

SAL Annotation shortcut
Parameters are
required
Parameters are
optional
Input to called function _In_ _In_opt_
Input to called function, and output to
caller
_Inout_ _Inout_opt_
Output to caller _Out_ _Out_opt_
Output of pointer to caller _Outptr_ _Outptr_opt_

How easy to pop up a MessageBox in
python?
• Simple
from ctypes import *
ctypes.windll.user32.MessageBoxA(None,"Hello World","Title",None)

How to about WinExec?
• WinExec is a classical function since the age of Windows 16-
bit . Only 2 Args are needed.
• From MSDN
• We know lpCmdLine is a string for the Exectuable path but
what value should we place for uCmdShow?

uCmdShow from MSDN
• http://msdn.microsoft.com/en-
us/library/windows/desktop/ms633548(v=vs.85).aspx

To Spawn a calcfrom ctypes import *
ctypes.windll.kernel32.WinExec(“C:Windowssystem32calc.exe”,1)

How about Executing Shellcode?
• Many ways
– File Dropping Technique (BAD)
– Code Injection Technique(BAD)
– InMemory Technique (G000D)
• File Dropping Technique are bad , since antivirus/malware will
immedietely catch it up and trigeger
• Code Injection , affects the integrity of a binary. HIPS might trigger
alert.
• Why Shellcode? Becoz we can!!

InMemory Technique
• We are going to chain 4 API to execute our
shellcode .
– >VirtualAlloc()
– >WriteProcessMemory()
– >CreateThread()
– >WaitForSingleObject()

VirtualAlloc()
• lpAddress = Null
• dwSize = length of shellcode can be use,
• flAllocation = MEM_COMMIT|MEM_RESERVED (0x3000)
• flProtect = PAGE_EXECUTE_READWRITE(0x40)

WriteProcessMemory()
• hProcess = -1 * we writing in the same process
• lpBaseAddress = A Pointer to address return from VirtualALloc()
• lpBuffer = A pointer to our buffer
• nSize = we can use shellcode size and times 2 to be safe
• lpNUmberofBytesWritten = Null it..

CreateThread()
• Everything is 0 except for (go figure it out
yerself)

P.O.C
• Inspired by SK Training.. Use xcc !!!

(Optional) Freeze it to exe 
• Using pyinstaller

Exercise 
• Create a Reverse Shell is a piece of cake!

Reference
• Understanding Win32Shellcode Skape:
• http://www.hick.org/code/skape/papers/win32-shellcode.pdf
• Advance Windows Shellcode, SK:
• http://www.phrack.org/issues.html?id=7&issue=62
• http://msdn.microsoft.com/en-US/

XCon 2014 => http://xcon.xfocus.org/ In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough. In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.

[若渴計畫] Black Hat 2017之過去閱讀相關整理

Aj MaChInE

Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes

Peter Hlavaty

In our recent work we targeted also win32k, what seems to be fruit giving target. @promised_lu made our own TTF-fuzzer which comes with bunch of results in form of gigabytes of crashes and various bugs. Fortunately windows make great work and in February most of our bugs was dead - patched, but not all of them… Whats left were looking as seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combine it with our user mode bug & emet bypass. Through IE & flash we break down system and pointed out at weak points in defensive mechanism. In this talk we will present our research dedicated for pwn2own event this year. We will describe kernel part of exploit in detail*, including bug description, resulting memory corruption conditions & caveats up to final pwn via one of our TTF bugs. Throughout the talk we will describe how to break various exploit mitigations in windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all what stands { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc). * unfortunately bug was not fixed at the time of talk, so we do not exposed details about TTF vulnerability, and we skipped directly to some challenges during exploitation, and demonstrate how OS design can overpower introduced exploit mitigations.

Automating Post Exploitation with PowerShell

EnclaveSecurity

As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the defacto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.

ONOS System Test - ONS2016

Suibin Zhang

Pwning with powershell

jaredhaight

PowerShell for Cyber Warriors - Bsides Knoxville 2016

Russel Van Tuyl

Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. This is the version modified for the OWASP meeting in June of 2014.

Nikto

Sorina Chirilă

Vulnerability desing patterns

Peter Hlavaty

In current era of exploitation it is coming more complex to develop even PoC for vulnerability, especially when it comes to more complicated one, like race conditions, sandbox escapes ... And it seems that nowdays is still quite common write concept of exploitability for vendors, or even final code, in prehistoric way, and even using shellcoding. We will show how vulnerability "design patterns" transform writing code, from current widespread form of magic black box, to developing software which breaks another one. We believe that developing is the way to go for boosting vulnerability research, for sake of security and your own time.

Get-Help: An intro to PowerShell and how to Use it for Evil

jaredhaight

FreeIPA - Attacking the Active Directory of Linux

Julian Catrambone

FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

Defcon - Veil-Pillage

VeilFramework

Derbycon - The Unintended Risks of Trusting Active Directory

Will Schroeder

Vulnerabilities on Various Data Processing LevelsPositive Hack Days

Introducing PS>Attack: An offensive PowerShell toolkit

jaredhaight

Guardians of your CODE

Peter Hlavaty

In order to prevent exploiting mistakes, introduced in developing process, are continuously implemented various security mitigations & hardening on application level and in operating system level as well. Even when those mitigations highly increase difficulty of exploitation of common bugs in software / core, you should not rely solely on them. And it can help to know background and limits of those techniques, which protect your software directly or indirectly. In this talk we will take a look at some of helpful mitigations & features introduces past years (x64 address space, SMAP & SMEP, CFG, ...) focusing from kernel point of view. Its benefits, and weak points same time.

TriplePlay-WebAppPenTestingToolsYury Chemerkin

G rpc lection1

eleksdev

Practical Malware Analysis Ch12

Sam Bowne

SSL Checklist for Pentesters (BSides MCR 2014)

Jerome Smith

This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.

Owning computers without shell access dark

Royce Davis

You didnt see it’s coming? "Dawn of hardened Windows Kernel"

Peter Hlavaty

Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution. However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples. After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?

Статический анализ кода в контексте SSDL

Positive Hack Days

Ведущий: Иван Ёлкин Ведущий фаст-трека расскажет об опыте внедрения Static Analysis Security Tool в QIWI, о сложностях, с которыми сталкивались разработчики. Писать «костыли» или рефакторить код? Что делать, когда мнения клиента и разработчика расходятся? Поведает, сколько строк кода пришлось прочитать и написать до и после запуска сканера, и предложит краткий обзор найденных и упущенных уязвимостей.

CNIT 126: 10: Kernel Debugging with WinDbg

Sam Bowne

Secure360 - Attack All the Layers! Again!

Scott Sutherland

This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. More security blogs by the authors can be found @ https://www.netspi.com/blog/

Powering up on power shell avengercon - 2018

Fernando Tomlinson, CISSP, MBA

Advanced SOHO Router Exploitation XCON

Lyon Yang

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

midnite_runr

What's hot

Attack All the Layers: What's Working during Pentests (OWASP NYC)

Scott Sutherland

Nikto

Sorina Chirilă

Vulnerability desing patterns

Peter Hlavaty

Get-Help: An intro to PowerShell and how to Use it for Evil

jaredhaight

FreeIPA - Attacking the Active Directory of Linux

Julian Catrambone

Defcon - Veil-Pillage

VeilFramework

Derbycon - The Unintended Risks of Trusting Active Directory

Will Schroeder

Vulnerabilities on Various Data Processing LevelsPositive Hack Days

Introducing PS>Attack: An offensive PowerShell toolkit

jaredhaight

Guardians of your CODE

Peter Hlavaty

TriplePlay-WebAppPenTestingToolsYury Chemerkin

G rpc lection1

eleksdev

Practical Malware Analysis Ch12

Sam Bowne

SSL Checklist for Pentesters (BSides MCR 2014)

Jerome Smith

Owning computers without shell access dark

Royce Davis

You didnt see it’s coming? "Dawn of hardened Windows Kernel"

Peter Hlavaty

Статический анализ кода в контексте SSDL

Positive Hack Days

CNIT 126: 10: Kernel Debugging with WinDbg

Sam Bowne

Secure360 - Attack All the Layers! Again!

Scott Sutherland

Powering up on power shell avengercon - 2018

Fernando Tomlinson, CISSP, MBA

What's hot (20)

Attack All the Layers: What's Working during Pentests (OWASP NYC)

Nikto

Vulnerability desing patterns

Get-Help: An intro to PowerShell and how to Use it for Evil

FreeIPA - Attacking the Active Directory of Linux

Defcon - Veil-Pillage

Derbycon - The Unintended Risks of Trusting Active Directory

Vulnerabilities on Various Data Processing Levels

Introducing PS>Attack: An offensive PowerShell toolkit

Guardians of your CODE

TriplePlay-WebAppPenTestingTools

G rpc lection1

Practical Malware Analysis Ch12

SSL Checklist for Pentesters (BSides MCR 2014)

Owning computers without shell access dark

You didnt see it’s coming? "Dawn of hardened Windows Kernel"

Статический анализ кода в контексте SSDL

CNIT 126: 10: Kernel Debugging with WinDbg

Secure360 - Attack All the Layers! Again!

Powering up on power shell avengercon - 2018

Similar to Common technique in Bypassing Stuff in Python.

Advanced SOHO Router Exploitation XCON

Lyon Yang

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

midnite_runr

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...

Alexandre Moneger

This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing. Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached. The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.

Steelcon 2014 - Process Injection with Python

infodox

This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python. Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method. The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection

OSCON: System software goes weird

Docker, Inc.

with Justin Cormack For decades, system software has been on its own path, diverging from the wider software practice in many respects: C has been the exclusive language; operating systems are monolithic among the largest software projects; occasional releases, rather than continuous delivery, is the norm; and testing is often relatively limited given the sizes of the projects. But recently a diverse set of open source projects have taken standard programming practice and applied it to systems problems, producing software that looks very different. Justin Cormack explores a selection of these systems, in areas such as networking, security, and operating systems, and outlines what we can learn from them, how they are useful, whether they are useful, how much fun they are, and whether worse is better.

Piratng Avs to bypass exploit mitigation

Priyanka Aash

"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others. In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures." (Source: Black Hat USA 2016, Las Vegas)

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

enSilo

In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.

[2011 CodeEngn Conference 05] Deok9 - DBI(Dynamic Binary Instrumentation)를 이용...

GangSeok Lee

2011 CodeEngn Conference 05 DBI 란 Dynamic Binary Instrumentation 의 약자이다. 이는 실행 중인 어떤 Process 또는 Program 에 특수한 목적으로 사용될 임의의 코드를 삽입하는 방법이다. 이를 이용하여 동적으로 생성된 Code 처리, 특정 코드의 발견, 실행중인 Process 분석 등을 할 수 있다. 주로 컴퓨터 구조 연구, 프로그램, 스레드 분 석에 이용되며, Taint Analysis 에 대한 개념, 각종 Tool 과 사용 방법, 간단한 예제, 최신 취약점 분석 등 을 통하여 DBI 를 알아보도록 한다. http://codeengn.com/conference/05

Introduction to Python Programming

Akhil Kaushik

TSC Summit #3 - Reverse engineering and anti debugging techniques

Mikal Villa

Project Basecamp: News From Camp 4

Digital Bond

Python programming 2nd

Aishwarya Deshmukh

DSA Day 2 PPT.pdf

AkramMohammad28

Building Embedded Linux Full Tutorial for ARM

Sherif Mousa

AV Evasion with the Veil Framework

VeilFramework

A Kernel of Truth: Intrusion Detection and Attestation with eBPF

oholiab

"Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems! Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet. So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell... At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernels firehose-like audit subsystems. This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP! As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...

DevSecCon

Matt Carroll Infrastructure Security Engineer at Yelp "Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems! Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet. So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell... At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernels firehose-like audit subsystems. This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP! As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.

Open Source Swift Under the Hood

C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1SJ7PSV. Alex Blewitt talks about Swift, the open source released in December 2015 and available on Linux as well as OSX and iOS. He looks at the open-source project, how applications and libraries can be built for both platforms, the differences between the different builds and how Swift works under the hood. Filmed at qconlondon.com. Alex Blewitt has over 20 years of experience in Objective-C and has been using Apple frameworks since NeXTSTEP 3.0. He currently works for a financial company in London and writes for the online technology news site InfoQ, as well as other books for Packt Publishing. He also has a number of apps on the App Store through Bandlem Limited.

Compilers and interpretersRAJU KATHI

Hacking Highly Secured Enterprise Environments by Zoltan Balazs

Shakacon

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation. I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Similar to Common technique in Bypassing Stuff in Python. (20)

Advanced SOHO Router Exploitation XCON

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...

Steelcon 2014 - Process Injection with Python

OSCON: System software goes weird

Piratng Avs to bypass exploit mitigation

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

[2011 CodeEngn Conference 05] Deok9 - DBI(Dynamic Binary Instrumentation)를 이용...

Introduction to Python Programming

TSC Summit #3 - Reverse engineering and anti debugging techniques

Project Basecamp: News From Camp 4

Python programming 2nd

DSA Day 2 PPT.pdf

Building Embedded Linux Full Tutorial for ARM

AV Evasion with the Veil Framework

A Kernel of Truth: Intrusion Detection and Attestation with eBPF

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...

Open Source Swift Under the Hood

Compilers and interpreters

Hacking Highly Secured Enterprise Environments by Zoltan Balazs

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

DevOps and Testing slides at DASA Connect

Kari Kakkonen

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

The Art of the Pitch: WordPress Relationships and Sales

UiPath Test Automation using UiPath Test Suite series, part 3

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

How world-class product teams are winning in the AI era by CEO and Founder, P...

ODC, Data Fabric and Architecture User Group

Essentials of Automations: Optimizing FME Workflows with Parameters

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Epistemic Interaction - tuning interfaces to provide information for AI support

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Leading Change strategies and insights for effective change management pdf 1.pdf

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

When stars align: studies in data quality, knowledge graphs, and machine lear...

DevOps and Testing slides at DASA Connect

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Designing Great Products: The Power of Design and Leadership by Chief Designe...

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Common technique in Bypassing Stuff in Python.

1. Bypass AV in Python by y0nd13.

2. Quick introduction to Python • By default exist in every major Linux Distribution • Can be install or run as portable tools in Windows :

3. How interpreter language work.

4. Hello World in Python Easy right!!

5. So what’s the big deal? • Python support Foreign Function Instruction • It supports Ctypes. • http://docs.python.org/2/library/ctypes.html • It provides C compatible data types, and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python • Smell profits!!! • Alternative ways besides using import system • Good for Post Exploitation • Bypass AV 

6. Quick Introduction to Python FFI

7. A Simple MessageBoxA  • From MSDN • Required 4 argument,

8. How to understand quickly  • HWND – A handle to the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window. (SO we set to Null, in Python Null is None) • LPCTSR lpText - It’s a string for a Text • LPCTSR lpCaption – It’s a string for the MessageBox Title • UINT - Unsigned Integer . _in_opt_ is a SAL Annotation saying you can put NULL as a value

9. SAL Annotation shortcut Parameters are required Parameters are optional Input to called function _In_ _In_opt_ Input to called function, and output to caller _Inout_ _Inout_opt_ Output to caller _Out_ _Out_opt_ Output of pointer to caller _Outptr_ _Outptr_opt_

10. How easy to pop up a MessageBox in python? • Simple from ctypes import * ctypes.windll.user32.MessageBoxA(None,"Hello World","Title",None)

11. How to about WinExec? • WinExec is a classical function since the age of Windows 16- bit . Only 2 Args are needed. • From MSDN • We know lpCmdLine is a string for the Exectuable path but what value should we place for uCmdShow?

12. uCmdShow from MSDN • http://msdn.microsoft.com/en- us/library/windows/desktop/ms633548(v=vs.85).aspx

13. To Spawn a calcfrom ctypes import * ctypes.windll.kernel32.WinExec(“C:Windowssystem32calc.exe”,1)

14. Get CurrentProcessID

15. How about Executing Shellcode? • Many ways – File Dropping Technique (BAD) – Code Injection Technique(BAD) – InMemory Technique (G000D) • File Dropping Technique are bad , since antivirus/malware will immedietely catch it up and trigeger • Code Injection , affects the integrity of a binary. HIPS might trigger alert. • Why Shellcode? Becoz we can!!

16. InMemory Technique • We are going to chain 4 API to execute our shellcode . – >VirtualAlloc() – >WriteProcessMemory() – >CreateThread() – >WaitForSingleObject()

17. VirtualAlloc() • lpAddress = Null • dwSize = length of shellcode can be use, • flAllocation = MEM_COMMIT|MEM_RESERVED (0x3000) • flProtect = PAGE_EXECUTE_READWRITE(0x40)

18. WriteProcessMemory() • hProcess = -1 * we writing in the same process • lpBaseAddress = A Pointer to address return from VirtualALloc() • lpBuffer = A pointer to our buffer • nSize = we can use shellcode size and times 2 to be safe • lpNUmberofBytesWritten = Null it..

19. CreateThread() • Everything is 0 except for (go figure it out yerself)

20. WaitForSingleObject() • -1 , -1 !!!

21. P.O.C • Inspired by SK Training.. Use xcc !!!

22. Using OllyDBG Attached with Olly

23. Executing native inside us heheheheh

24. 2nd POC is our calc 

25.

26. (Optional) Freeze it to exe  • Using pyinstaller

27. Simple2

28. Exercise  • Create a Reverse Shell is a piece of cake!

29. Reference • Understanding Win32Shellcode Skape: • http://www.hick.org/code/skape/papers/win32-shellcode.pdf • Advance Windows Shellcode, SK: • http://www.phrack.org/issues.html?id=7&issue=62 • http://msdn.microsoft.com/en-US/

Common technique in Bypassing Stuff in Python.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Common technique in Bypassing Stuff in Python.

Similar to Common technique in Bypassing Stuff in Python. (20)

Recently uploaded

Recently uploaded (20)

Common technique in Bypassing Stuff in Python.