
Gray Hat Python by Justin Seitz

May 17th, 2009

Update: for a little actual discussion of things in the book, I have a post on errata in the code listings here.

Recently, I got the book Gray Hat Python: Python Programming for Hackers and Reverse Engineers by Justin Seitz.  I like books published by No Starch Press, I like Python, and I like “hacker and reverse engineer” stuff.  So now that I finally got all done with college and graduation (the reason for the gap in posting here), I decided to start reading the book.

After a bit of introduction, the very first thing Seitz shows you how to do is build a debugger, using Python and the ctypes library to call the Win32 debugging API exported by kernel32.dll. That’s pretty cool, but I ran into a problem when it came to attaching to existing processes: no matter what, kernel32.DebugActiveProcess returns 0 (failure) with error code 50 (ERROR_NOT_SUPPORTED). I can’t find anything directly related to this problem. However, at the beginning of the text, Seitz says he assumes a 32-bit Windows platform. I’m on 64-bit Vista. I had hoped to get away with using the 32-bit version of Python et al., but it doesn’t look like it’ll work. Error 50 is exactly what DebugActiveProcess returns when a 32-bit debugger (here, a 32-bit Python running under WOW64) tries to attach to a 64-bit target: Windows does not support that pairing, and on 64-bit Vista the programs you would naturally try first (anything under System32) are 64-bit.

So I wanted to drop Seitz an email to ask him about it, maybe see if he could put something on the book’s web page saying “Hey, this won’t work at all under 64-bit or Vista or whatever.”  Problem is, I don’t see an email address for him in the book, nor on the book’s page, nor at his employer Immunity’s site.  I thought maybe he has a blog, so I’ll Google his name and see what I can find.

This brings me to the point of this post: DO NOT GOOGLE “JUSTIN SEITZ.”  You get maybe one thing about the Justin Seitz in question… and several images and a ton of webpages about some muscle-bound supermodel dude also named Justin Seitz, wearing various small fractions of clothing.  One of the tamer ones:

Suddenly my sister is into Gray Hat Python.

Or maybe he’s the same guy.  I dunno.  If so, he’s got about nine million ways he could kick your ass.

Anyway, my question is still unanswered.  Whether the problem is Vista, the 64-bit platform, or both, the code in Gray Hat Python won’t work natively on my machine.  I’ll have to try it on XP or something.  I’m on my own now – I’m too scared to try to contact Seitz again, ever.
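As an added example (this is not code from the book or from this post), here is how a chapter-3-style attach could check the debugger/target bitness up front and turn a failed DebugActiveProcess into a readable reason instead of a bare 0. Function names such as can_attach and explain_attach_error are my own; the error-code constants (5, 50) and the kernel32 calls (IsWow64Process, OpenProcess, DebugActiveProcess) are documented Win32 values and APIs. The kernel32 parts only run on Windows; the pure helpers work anywhere.

```python
import ctypes
import struct
import sys

# Documented Win32 error codes as reported through GetLastError().
ERROR_ACCESS_DENIED = 5
ERROR_NOT_SUPPORTED = 50

# OpenProcess access right needed to call IsWow64Process on another process.
PROCESS_QUERY_INFORMATION = 0x0400


def _kernel32():
    """Load kernel32 with explicit prototypes (Windows only).

    use_last_error=True makes ctypes capture GetLastError() right after each
    call; HANDLEs are declared as pointers so they are not truncated on x64.
    """
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    HANDLE, BOOL, DWORD = ctypes.c_void_p, ctypes.c_int, ctypes.c_uint32
    k32.GetCurrentProcess.restype = HANDLE
    k32.OpenProcess.restype = HANDLE
    k32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
    k32.IsWow64Process.restype = BOOL
    k32.IsWow64Process.argtypes = [HANDLE, ctypes.POINTER(ctypes.c_int)]
    k32.CloseHandle.argtypes = [HANDLE]
    k32.DebugActiveProcess.argtypes = [DWORD]
    k32.DebugActiveProcessStop.argtypes = [DWORD]
    return k32


def debugger_bits():
    """Bitness (32 or 64) of the Python interpreter acting as the debugger."""
    return struct.calcsize("P") * 8


def target_bits(pid):
    """Bitness of the target process, via IsWow64Process (Windows only).

    A 64-bit interpreter can only run on 64-bit Windows; a 32-bit interpreter
    is either on 32-bit Windows (every target is 32-bit) or itself under WOW64.
    On a 64-bit host a target is 32-bit exactly when it is a WOW64 process.
    """
    k32 = _kernel32()
    self_wow64 = ctypes.c_int(0)
    k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(self_wow64))
    host_is_64 = debugger_bits() == 64 or bool(self_wow64.value)
    if not host_is_64:
        return 32
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        target_wow64 = ctypes.c_int(0)
        if not k32.IsWow64Process(handle, ctypes.byref(target_wow64)):
            raise ctypes.WinError(ctypes.get_last_error())
        return 32 if target_wow64.value else 64
    finally:
        k32.CloseHandle(handle)


def can_attach(debugger, target):
    """DebugActiveProcess supports every bitness pairing except a 32-bit
    (WOW64) debugger attaching to a 64-bit target."""
    return not (debugger == 32 and target == 64)


def explain_attach_error(code, debugger, target):
    """Map a GetLastError() value from a failed DebugActiveProcess to a reason."""
    if code == ERROR_NOT_SUPPORTED and not can_attach(debugger, target):
        return ("ERROR_NOT_SUPPORTED (50): a %d-bit debugger cannot attach to a "
                "%d-bit target; run a %d-bit Python or debug a %d-bit target"
                % (debugger, target, target, debugger))
    if code == ERROR_ACCESS_DENIED:
        return "ERROR_ACCESS_DENIED (5): insufficient rights on the target (try elevated)"
    return "Win32 error %d" % code


def attach(pid):
    """Attach to pid with DebugActiveProcess, failing early on a bitness mismatch."""
    dbg, tgt = debugger_bits(), target_bits(pid)
    if not can_attach(dbg, tgt):
        raise RuntimeError(explain_attach_error(ERROR_NOT_SUPPORTED, dbg, tgt))
    k32 = _kernel32()
    if not k32.DebugActiveProcess(pid):
        raise RuntimeError(explain_attach_error(ctypes.get_last_error(), dbg, tgt))
    return True


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        sys.exit("usage (Windows only): python attach_check.py <pid>")
    target_pid = int(sys.argv[1])
    attach(target_pid)
    print("attached to pid %d from a %d-bit Python" % (target_pid, debugger_bits()))
    _kernel32().DebugActiveProcessStop(target_pid)
```

On the setup described in the post (32-bit Python, 64-bit target) this raises the ERROR_NOT_SUPPORTED explanation before DebugActiveProcess is even called. The two ways out are a 32-bit target (any 32-bit program, such as the 32-bit copies of the system tools under C:\Windows\SysWOW64, which the book’s 32-bit CONTEXT structure and pointer sizes fit as-is) or a 64-bit Python, in which case attaching works but the rest of the chapter-3 debugger needs 64-bit equivalents of its structures.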

Categories: Books
  1. July 1st, 2009 at 06:04 | #1

    I am in a similar kayak on this one: recent grad reading the Gray Hat Python book on a Vista 64-bit OS, doing the Chapter 3 "Building a Debugger" exercise. I get to the point of extending the debugger to enumerate threads and print the registers and it simply crashes Python. It must be all the calls to kernel32.dll? I wonder if there is a similar kernel64.dll with respective calls that would make the demo work. Let me know if you find anything. Another option is to install XP in VirtualBox and launch the code from there, but it seems mostly a hassle to prove the theory of something that is about to be replaced by a more polished debugger anyway.

    Cheers!

  2. July 1st, 2009 at 06:22 | #2

    Ah, I see you have solutions, pardon!

  3. Bill Clayton
    July 17th, 2009 at 10:15 | #3

    I too am using GHPython. I am working on Chap 6 – Hooking. I have tried 'hippie_easy.py' and it keeps throwing errors on the imported script, libanalyze.py, found in Immunity Debugger's libs directory. The error is at line 114, the _getfromtuples(self, opcode) function. Line 114 is actually 'self.ip=opcode[0] # Instruction pointer' with about 30 other list elements following. When I execute hippie_easy.py the last error line references this code and the error is:
    Error: 'int' object is unsubscriptable. Does the opcode var need to be defined as a list somewhere first? If so, where? I've tried and still can't get past that error. Libanalyze.py is a core script that develops opcodes from binary, so I would think it has been tested -- guess not. Help, anyone.

  4. SANDEEP MEHANDRU
    August 10th, 2009 at 22:30 | #4

    Hi,

    I have been working on a security project involving python.
    One of the use-cases, was to make use of ctypes.Union.

    To learn about ctypes.Union I tried a sample from some Python material.
    However, I started to get an error. I validated the syntax against the Python docs.
    But after correction, I am still receiving the error.

    Please help me.
    I am using the following Python interpreter: Python 2.5.1

    Following is the Python script code for defining and using a ctypes.Union:

    from ctypes import *

    # A union: all three fields share the same 8 bytes of storage.
    class BARLEY_AMOUNT(Union):
        _fields_ = [
            ("barley_long", c_long),
            ("barley_int", c_int),
            ("barley_char", c_char * 8),
        ]

    # The following lines must be at module level, not inside the class body.
    value = raw_input("Enter amount of barley to put in beer vat:")
    my_barley = BARLEY_AMOUNT(int(value))
    print "Barley amount as long: %ld" % my_barley.barley_long
    print "Barley amount as int: %d" % my_barley.barley_int
    print "Barley amount as char: %s" % my_barley.barley_char

    Following is the error that I am receiving:
    Traceback (most recent call last):
    File "C:\Python\src\chapter1-unions.py", line 8, in <module>
    class BARLEY_AMOUNT(Union):
    File "C:\Python\src\chapter1-unions.py", line 16, in BARLEY_AMOUNT
    my_barley = BARLEY_AMOUNT(int(value))
    NameError: name 'BARLEY_AMOUNT' is not defined

    I have reached a dead end. Please help me on this.

  5. craig
    November 11th, 2009 at 23:05 | #5

    @Matteius
    I am having the same problem, did you get an answer?

  6. December 28th, 2009 at 10:11 | #6
  7. the doowde
    October 1st, 2010 at 19:11 | #7

    Dude, it's not gonna work. You're trying to build debugging applications expecting 32-bit processor instructions when your processor is really executing 64-bit, leaving you with either failure or incredibly inaccurate results. Download a 32-bit version of Windows called "Tiny XP", and run it in a virtual machine. Boom! Done; do all your coding/h4xing in there. BTW, I am reading the very same book, and would recommend it.

  8. December 17th, 2010 at 10:53 | #8

    Justin's email: https://forum.immunityinc.com/board/thread/1343/el-jefe-beta-ready-for-download/?page=1#post-1343

    Btw, there is really no difference between the Sulley chapter and the official documentation itself (which I prefer)...
    Hope the other topics in this book are quite different and not just a copy...

    Best regards,
    Toto

  9. April 10th, 2011 at 04:09 | #9

    HAWT…

  10. Seb
    May 20th, 2013 at 19:36 | #10

    This program of his won't run on 64-bit architecture, because the addresses aren't right and the processor architecture differs. However, if you learn to use the Win API like he does in the example, it should be possible to build a 64-bit debugger like that. Working on it myself now, but I'm a beginner, so I haven't got all the answers for you :). Try learning to use GetProcAddress() calls from kernel32 on your system, and see if you can learn how the Windows API works in order to get all the correct addresses you need for 64-bit. I imagine it just uses different structs with similar calls, to include registers in 64-bit style. That means probably some ctypes in his program will also need to be converted to be able to contain 64-bit values.

    So far I got the debugger to attach to a running process successfully, but it doesn't find function addresses to set breakpoints etc., since the stack is all messed up due to having a bunch of 32-bit addresses.
