SlideShare ist ein Scribd-Unternehmen logo

Infecting Python Bytecode

Iftach Ian Amit
Iftach Ian Amit

A method of infecting python bytecode with self-spreading mechanism. Presented at the November 2011 meeting of the DC9723.

Technologie
1 von 16
Downloaden Sie, um offline zu lesen
Spoils of the Hackathon Leon Fedotov Joey Geralnik Itzik Kotler
Hackathon: ● The hackathon was really awesome ● Next "Spoils of the Hackathon" presentation could be given by YOU! ● Seriously: come, code, crack, create. It is really fun.
pytroj
Python’s execution ○ Python file is interpreted. ○ Bytecode is stored in a file with the same name but with the pyc extension. ○ The file is signed with the original file’s system timestamp and executed. ○ Next time you run the same file, python will look for a pyc file and check it’s timestamp against the original. ○ If they match we are good to go and python only executes the bytecode without reinterpretation.
Goals of pytroj ○ Self infecting payload. ○ Once an infected file is executed pytroj looks for pyc files and prepends itself to them. ○ Then the infected file executes its original bytecode. ○ If at any time the .py file is updated, the .pyc will be automatically recompiled. This is intentional: the updated code must run or pytroj will be easily detectable. ○ However, because pytroj infects all .pyc files on each run it should quickly be reinfected
Flow
How? ○ pytroj opens the file it’s been executing from. ○ Reads the bytecode, and finds itself with a string trick - we bound out payload with two strings. ○ then it looks for pyc files, and uses the same technique to inject what it found into the files. ○ saves the files without touching the timestamp that “signs” the pyc file.
Getting started ● Code must be able to reproduce. ● Quine? No, we cheat. ● Program reads itself, locates malicious part, and copies to other .pyc files.
Tampering with pyc files ● Python marshal module reads pyc files (less magic number and timestamp) and returns code object. ● Code object is read only :-(. ● Open source to the rescue! Byteplay reads new Code object that can be converted to marshal code objects and are easy to work with. ● Include byteplay in pytroj ● Payload is now ~30KB.
Restructuring - but first! ● Can't count the number of times I entered `rm *.pyc` to remove infected pyc files and start again -_- ● All it would take is one mistake to enter `rm *.py` instead. ● Summary: use version control. Plus, github is free hosting.
Restructuring - payload size ● How can we decrease size of payload? ● Once again, open source to the rescue. ● pyminifier takes input file, zips it, converts result to base64, produces output file with: exec zlib.decompress(base64.b64decode ("base64_program_here")) ● Minifying byteplay brings payload size down to ~7KB. ● For comparison, .pyc files in my /usr/lib/python2.7 range between 100B and 170KB, with most being above 10. 7KB will usually not be noticeable. ● can be gunzipped and minimized further but we wanted to keep the logic open and easy to understand.
Automatically detecting length of exploit ● Simple hack - begin and end code with: signature = "DC9723" ● Gets translated into: 0 LOAD_CONST 0 ('DC9723') 3 STORE_NAME 0 (signature) ● if data.code[1][1] == signature: #Code is already infected return ● To find exploit size, iterate over own code until you come to the second signature, easy!
Live example!
Less than legal next steps: ● Infect package on pypi. Installing the package with `pip install infected_django` could infect the whole system. ● Malicious code instead of our harmless payload could do anything: keylog, spyware, etc.
linx ● https://github.com/jgeralnik/Pytroj ● http://news.ycombinator.com/item? id=3039439 ● http://www.symantec. com/connect/blogs/python-has-venom ● http://www.google.co.il/search?q=pytroj
FIN

Empfohlen

Bind Python and C @ COSCUP 2015
Bind Python and C @ COSCUP 2015Bind Python and C @ COSCUP 2015
Bind Python and C @ COSCUP 2015Jian-Hong Pan
 
10 reasons to be excited about go
10 reasons to be excited about go10 reasons to be excited about go
10 reasons to be excited about goDvir Volk
 
Writing a Python C extension
Writing a Python C extensionWriting a Python C extension
Writing a Python C extensionSqreen
 
AnyEvent and Plack
AnyEvent and PlackAnyEvent and Plack
AnyEvent and PlackMasahiro Honma
 
Decision making - for loop , nested loop ,if-else statements , switch in goph...
Decision making - for loop , nested loop ,if-else statements , switch in goph...Decision making - for loop , nested loop ,if-else statements , switch in goph...
Decision making - for loop , nested loop ,if-else statements , switch in goph...sangam biradar
 
Open source projects with python
Open source projects with pythonOpen source projects with python
Open source projects with pythonroskakori
 
PyCon Poland 2016: Maintaining a high load Python project: typical mistakes
PyCon Poland 2016: Maintaining a high load Python project: typical mistakesPyCon Poland 2016: Maintaining a high load Python project: typical mistakes
PyCon Poland 2016: Maintaining a high load Python project: typical mistakesViach Kakovskyi
 
Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?
Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?
Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?Viach Kakovskyi
 

Empfohlen

Bind Python and C @ COSCUP 2015
Bind Python and C @ COSCUP 2015Bind Python and C @ COSCUP 2015
Bind Python and C @ COSCUP 2015Jian-Hong Pan
 
10 reasons to be excited about go
10 reasons to be excited about go10 reasons to be excited about go
10 reasons to be excited about goDvir Volk
 
Writing a Python C extension
Writing a Python C extensionWriting a Python C extension
Writing a Python C extensionSqreen
 
AnyEvent and Plack
AnyEvent and PlackAnyEvent and Plack
AnyEvent and PlackMasahiro Honma
 
Decision making - for loop , nested loop ,if-else statements , switch in goph...
Decision making - for loop , nested loop ,if-else statements , switch in goph...Decision making - for loop , nested loop ,if-else statements , switch in goph...
Decision making - for loop , nested loop ,if-else statements , switch in goph...sangam biradar
 
Open source projects with python
Open source projects with pythonOpen source projects with python
Open source projects with pythonroskakori
 
PyCon Poland 2016: Maintaining a high load Python project: typical mistakes
PyCon Poland 2016: Maintaining a high load Python project: typical mistakesPyCon Poland 2016: Maintaining a high load Python project: typical mistakes
PyCon Poland 2016: Maintaining a high load Python project: typical mistakesViach Kakovskyi
 
Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?
Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?
Austin Python Meetup 2017: What's New in Pythons 3.5 and 3.6?Viach Kakovskyi
 
How to deliver a Python project
How to deliver a Python projectHow to deliver a Python project
How to deliver a Python projectmattjdavidson
 
Go. Why it goes
Go. Why it goesGo. Why it goes
Go. Why it goesSergey Pichkurov
 
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"LogeekNightUkraine
 
Dive into Pinkoi 2013
Dive into Pinkoi 2013Dive into Pinkoi 2013
Dive into Pinkoi 2013Mosky Liu
 
Beginning python programming
Beginning python programmingBeginning python programming
Beginning python programmingkanteshraj
 
Introduction to Go programming language
Introduction to Go programming languageIntroduction to Go programming language
Introduction to Go programming languageSlawomir Dorzak
 
Golang basics for Java developers - Part 1
Golang basics for Java developers - Part 1Golang basics for Java developers - Part 1
Golang basics for Java developers - Part 1Robert Stern
 
kikstart journey of Golang with Hello world - Gopherlabs
kikstart journey of Golang with Hello world - Gopherlabs kikstart journey of Golang with Hello world - Gopherlabs
kikstart journey of Golang with Hello world - Gopherlabs sangam biradar
 
Golang preso
Golang presoGolang preso
Golang presoChristopher Foresman
 
Python lecture 02
Python lecture 02Python lecture 02
Python lecture 02Tanwir Zaman
 
Torch7 and ConvNet
Torch7 and ConvNetTorch7 and ConvNet
Torch7 and ConvNetQin Jian
 
PyWPS Development restart
PyWPS Development restartPyWPS Development restart
PyWPS Development restartJachym Cepicky
 
Python on pi
Python on piPython on pi
Python on piswee meng ng
 
Torch intro
Torch introTorch intro
Torch introCheonEum Park
 
Paris.py
Paris.pyParis.py
Paris.pyDimitri Merejkowsky
 
Introduction to Clime
Introduction to ClimeIntroduction to Clime
Introduction to ClimeMosky Liu
 
Vim and Python
Vim and PythonVim and Python
Vim and Pythonmajmcdonald
 
Ruxmon.2013-08.-.CodeBro!
Ruxmon.2013-08.-.CodeBro!Ruxmon.2013-08.-.CodeBro!
Ruxmon.2013-08.-.CodeBro!Christophe Alladoum
 
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Codemotion
 
Software maintenance PyConPL 2016
Software maintenance PyConPL 2016Software maintenance PyConPL 2016
Software maintenance PyConPL 2016Cesar Cardenas Desales
 
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Wajhi Ul Hassan Naqvi
 
Reversing the dropbox client on windows
Reversing the dropbox client on windowsReversing the dropbox client on windows
Reversing the dropbox client on windowsextremecoders
 

Weitere ähnliche Inhalte

Was ist angesagt?

How to deliver a Python project
How to deliver a Python projectHow to deliver a Python project
How to deliver a Python projectmattjdavidson
 
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"LogeekNightUkraine
 
Dive into Pinkoi 2013
Dive into Pinkoi 2013Dive into Pinkoi 2013
Dive into Pinkoi 2013Mosky Liu
 
Beginning python programming
Beginning python programmingBeginning python programming
Beginning python programmingkanteshraj
 
Introduction to Go programming language
Introduction to Go programming languageIntroduction to Go programming language
Introduction to Go programming languageSlawomir Dorzak
 
Golang basics for Java developers - Part 1
Golang basics for Java developers - Part 1Golang basics for Java developers - Part 1
Golang basics for Java developers - Part 1Robert Stern
 
kikstart journey of Golang with Hello world - Gopherlabs
kikstart journey of Golang with Hello world - Gopherlabs kikstart journey of Golang with Hello world - Gopherlabs
kikstart journey of Golang with Hello world - Gopherlabs sangam biradar
 
Torch7 and ConvNet
Torch7 and ConvNetTorch7 and ConvNet
Torch7 and ConvNetQin Jian
 
PyWPS Development restart
PyWPS Development restartPyWPS Development restart
PyWPS Development restartJachym Cepicky
 
Introduction to Clime
Introduction to ClimeIntroduction to Clime
Introduction to ClimeMosky Liu
 
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Codemotion
 

Was ist angesagt? (20)

How to deliver a Python project
How to deliver a Python projectHow to deliver a Python project
How to deliver a Python project
 
Go. Why it goes
Go. Why it goesGo. Why it goes
Go. Why it goes
 
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
Kyrylo Cherneha "C++ & Python Interaction in Automotive Industry"
 
Dive into Pinkoi 2013
Dive into Pinkoi 2013Dive into Pinkoi 2013
Dive into Pinkoi 2013
 
Beginning python programming
Beginning python programmingBeginning python programming
Beginning python programming
 
Introduction to Go programming language
Introduction to Go programming languageIntroduction to Go programming language
Introduction to Go programming language
 
Golang basics for Java developers - Part 1
Golang basics for Java developers - Part 1Golang basics for Java developers - Part 1
Golang basics for Java developers - Part 1
 
kikstart journey of Golang with Hello world - Gopherlabs
kikstart journey of Golang with Hello world - Gopherlabs kikstart journey of Golang with Hello world - Gopherlabs
kikstart journey of Golang with Hello world - Gopherlabs
 
Golang preso
Golang presoGolang preso
Golang preso
 
Python lecture 02
Python lecture 02Python lecture 02
Python lecture 02
 
Torch7 and ConvNet
Torch7 and ConvNetTorch7 and ConvNet
Torch7 and ConvNet
 
PyWPS Development restart
PyWPS Development restartPyWPS Development restart
PyWPS Development restart
 
Python on pi
Python on piPython on pi
Python on pi
 
Torch intro
Torch introTorch intro
Torch intro
 
Paris.py
Paris.pyParis.py
Paris.py
 
Introduction to Clime
Introduction to ClimeIntroduction to Clime
Introduction to Clime
 
Vim and Python
Vim and PythonVim and Python
Vim and Python
 
Ruxmon.2013-08.-.CodeBro!
Ruxmon.2013-08.-.CodeBro!Ruxmon.2013-08.-.CodeBro!
Ruxmon.2013-08.-.CodeBro!
 
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017Briefly Rust - Daniele Esposti - Codemotion Rome 2017
Briefly Rust - Daniele Esposti - Codemotion Rome 2017
 
Software maintenance PyConPL 2016
Software maintenance PyConPL 2016Software maintenance PyConPL 2016
Software maintenance PyConPL 2016
 

Ähnlich wie Infecting Python Bytecode

Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Wajhi Ul Hassan Naqvi
 
Reversing the dropbox client on windows
Reversing the dropbox client on windowsReversing the dropbox client on windows
Reversing the dropbox client on windowsextremecoders
 
Programming with Python - Basic
Programming with Python - BasicProgramming with Python - Basic
Programming with Python - BasicMosky Liu
 
How to-remove-drm-from-epub
How to-remove-drm-from-epubHow to-remove-drm-from-epub
How to-remove-drm-from-epubepuborwu
 
The Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdf
The Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdfThe Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdf
The Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdfssuser8b3cdd
 
Easy contributable internationalization process with Sphinx @ PyCon APAC 2016
Easy contributable internationalization process with Sphinx @ PyCon APAC 2016Easy contributable internationalization process with Sphinx @ PyCon APAC 2016
Easy contributable internationalization process with Sphinx @ PyCon APAC 2016Takayuki Shimizukawa
 
PyCourse - Self driving python course
PyCourse - Self driving python coursePyCourse - Self driving python course
PyCourse - Self driving python courseEran Shlomo
 
Python for security professionals by katoh jeremiah [py con ng 2018]
Python for security professionals by katoh jeremiah [py con ng 2018]Python for security professionals by katoh jeremiah [py con ng 2018]
Python for security professionals by katoh jeremiah [py con ng 2018]jerrykatoh
 
Python Tutorial | Python Programming Language
Python Tutorial | Python Programming LanguagePython Tutorial | Python Programming Language
Python Tutorial | Python Programming Languageanaveenkumar4
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
Lecture 2 introduction to python
Lecture 2 introduction to pythonLecture 2 introduction to python
Lecture 2 introduction to pythonalvin567
 
Easy contributable internationalization process with Sphinx @ pyconmy2015
Easy contributable internationalization process with Sphinx @ pyconmy2015Easy contributable internationalization process with Sphinx @ pyconmy2015
Easy contributable internationalization process with Sphinx @ pyconmy2015Takayuki Shimizukawa
 
Python Programming for Beginners
Python Programming for BeginnersPython Programming for Beginners
Python Programming for BeginnersP. SUNDARI ARUN
 
Python 3.5: An agile, general-purpose development language.
Python 3.5: An agile, general-purpose development language.Python 3.5: An agile, general-purpose development language.
Python 3.5: An agile, general-purpose development language.Carlos Miguel Ferreira
 
PyCon2022 - Building Python Extensions
PyCon2022 - Building Python ExtensionsPyCon2022 - Building Python Extensions
PyCon2022 - Building Python ExtensionsHenry Schreiner
 
Get Started with MicroPython ESP32
Get Started with MicroPython ESP32Get Started with MicroPython ESP32
Get Started with MicroPython ESP32fanghe22
 

Ähnlich wie Infecting Python Bytecode (20)

Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
Reversingobfuscatedpythonapplications dropbox-140819110311-phpapp01
 
Reversing the dropbox client on windows
Reversing the dropbox client on windowsReversing the dropbox client on windows
Reversing the dropbox client on windows
 
Programming with Python - Basic
Programming with Python - BasicProgramming with Python - Basic
Programming with Python - Basic
 
How to-remove-drm-from-epub
How to-remove-drm-from-epubHow to-remove-drm-from-epub
How to-remove-drm-from-epub
 
The Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdf
The Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdfThe Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdf
The Python Book_ The ultimate guide to coding with Python ( PDFDrive ).pdf
 
Easy contributable internationalization process with Sphinx @ PyCon APAC 2016
Easy contributable internationalization process with Sphinx @ PyCon APAC 2016Easy contributable internationalization process with Sphinx @ PyCon APAC 2016
Easy contributable internationalization process with Sphinx @ PyCon APAC 2016
 
PyCourse - Self driving python course
PyCourse - Self driving python coursePyCourse - Self driving python course
PyCourse - Self driving python course
 
05 python.pdf
05 python.pdf05 python.pdf
05 python.pdf
 
Python for security professionals by katoh jeremiah [py con ng 2018]
Python for security professionals by katoh jeremiah [py con ng 2018]Python for security professionals by katoh jeremiah [py con ng 2018]
Python for security professionals by katoh jeremiah [py con ng 2018]
 
Introduction python
Introduction pythonIntroduction python
Introduction python
 
Python Tutorial | Python Programming Language
Python Tutorial | Python Programming LanguagePython Tutorial | Python Programming Language
Python Tutorial | Python Programming Language
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by Python
 
Lecture 2 introduction to python
Lecture 2 introduction to pythonLecture 2 introduction to python
Lecture 2 introduction to python
 
Easy contributable internationalization process with Sphinx @ pyconmy2015
Easy contributable internationalization process with Sphinx @ pyconmy2015Easy contributable internationalization process with Sphinx @ pyconmy2015
Easy contributable internationalization process with Sphinx @ pyconmy2015
 
Python Programming for Beginners
Python Programming for BeginnersPython Programming for Beginners
Python Programming for Beginners
 
Python 3.5: An agile, general-purpose development language.
Python 3.5: An agile, general-purpose development language.Python 3.5: An agile, general-purpose development language.
Python 3.5: An agile, general-purpose development language.
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Welcome_to_Python.pptx
Welcome_to_Python.pptxWelcome_to_Python.pptx
Welcome_to_Python.pptx
 
PyCon2022 - Building Python Extensions
PyCon2022 - Building Python ExtensionsPyCon2022 - Building Python Extensions
PyCon2022 - Building Python Extensions
 
Get Started with MicroPython ESP32
Get Started with MicroPython ESP32Get Started with MicroPython ESP32
Get Started with MicroPython ESP32
 

Mehr von Iftach Ian Amit

Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVIftach Ian Amit
 
BSidesTLV Closing Keynote
BSidesTLV Closing KeynoteBSidesTLV Closing Keynote
BSidesTLV Closing KeynoteIftach Ian Amit
 
Social Media Risk Metrics
Social Media Risk MetricsSocial Media Risk Metrics
Social Media Risk MetricsIftach Ian Amit
 
From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and BackIftach Ian Amit
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and BlueIftach Ian Amit
 
"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?Iftach Ian Amit
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?Iftach Ian Amit
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itAdvanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itIftach Ian Amit
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer GamesIftach Ian Amit
 
Telecommunication basics dc9723
Telecommunication basics dc9723Telecommunication basics dc9723
Telecommunication basics dc9723Iftach Ian Amit
 

Mehr von Iftach Ian Amit (20)

Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLV
 
Devsecops at Cimpress
Devsecops at CimpressDevsecops at Cimpress
Devsecops at Cimpress
 
BSidesTLV Closing Keynote
BSidesTLV Closing KeynoteBSidesTLV Closing Keynote
BSidesTLV Closing Keynote
 
Social Media Risk Metrics
Social Media Risk MetricsSocial Media Risk Metrics
Social Media Risk Metrics
 
ISTS12 Keynote
ISTS12 KeynoteISTS12 Keynote
ISTS12 Keynote
 
From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and Back
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and Blue
 
"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?
 
Armorizing applications
Armorizing applicationsArmorizing applications
Armorizing applications
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?
 
Hacking cyber-iamit
Hacking cyber-iamitHacking cyber-iamit
Hacking cyber-iamit
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
Bitcoin
BitcoinBitcoin
Bitcoin
 
Sexy defense
Sexy defenseSexy defense
Sexy defense
 
Cyber state
Cyber stateCyber state
Cyber state
 
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itAdvanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done it
 
Exploiting Second life
Exploiting Second lifeExploiting Second life
Exploiting Second life
 
Dtmf phreaking
Dtmf phreakingDtmf phreaking
Dtmf phreaking
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer Games
 
Telecommunication basics dc9723
Telecommunication basics dc9723Telecommunication basics dc9723
Telecommunication basics dc9723
 

Kürzlich hochgeladen

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Kürzlich hochgeladen (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Infecting Python Bytecode

  • 1. Spoils of the Hackathon Leon Fedotov Joey Geralnik Itzik Kotler
  • 2. Hackathon: ● The hackathon was really awesome ● Next "Spoils of the Hackathon" presentation could be given by YOU! ● Seriously: come, code, crack, create. It is really fun.
  • 4. Python’s execution ○ Python file is interpreted. ○ Bytecode is stored in a file with the same name but with the pyc extension. ○ The file is signed with the original file’s system timestamp and executed. ○ Next time you run the same file, python will look for a pyc file and check it’s timestamp against the original. ○ If they match we are good to go and python only executes the bytecode without reinterpretation.
  • 5. Goals of pytroj ○ Self infecting payload. ○ Once an infected file is executed pytroj looks for pyc files and prepends itself to them. ○ Then the infected file executes its original bytecode. ○ If at any time the .py file is updated, the .pyc will be automatically recompiled. This is intentional: the updated code must run or pytroj will be easily detectable. ○ However, because pytroj infects all .pyc files on each run it should quickly be reinfected
  • 7. How? ○ pytroj opens the file it’s been executing from. ○ Reads the bytecode, and finds itself with a string trick - we bound out payload with two strings. ○ then it looks for pyc files, and uses the same technique to inject what it found into the files. ○ saves the files without touching the timestamp that “signs” the pyc file.
  • 8. Getting started ● Code must be able to reproduce. ● Quine? No, we cheat. ● Program reads itself, locates malicious part, and copies to other .pyc files.
  • 9. Tampering with pyc files ● Python marshal module reads pyc files (less magic number and timestamp) and returns code object. ● Code object is read only :-(. ● Open source to the rescue! Byteplay reads new Code object that can be converted to marshal code objects and are easy to work with. ● Include byteplay in pytroj ● Payload is now ~30KB.
  • 10. Restructuring - but first! ● Can't count the number of times I entered `rm *.pyc` to remove infected pyc files and start again -_- ● All it would take is one mistake to enter `rm *.py` instead. ● Summary: use version control. Plus, github is free hosting.
  • 11. Restructuring - payload size ● How can we decrease size of payload? ● Once again, open source to the rescue. ● pyminifier takes input file, zips it, converts result to base64, produces output file with: exec zlib.decompress(base64.b64decode ("base64_program_here")) ● Minifying byteplay brings payload size down to ~7KB. ● For comparison, .pyc files in my /usr/lib/python2.7 range between 100B and 170KB, with most being above 10. 7KB will usually not be noticeable. ● can be gunzipped and minimized further but we wanted to keep the logic open and easy to understand.
  • 12. Automatically detecting length of exploit ● Simple hack - begin and end code with: signature = "DC9723" ● Gets translated into: 0 LOAD_CONST 0 ('DC9723') 3 STORE_NAME 0 (signature) ● if data.code[1][1] == signature: #Code is already infected return ● To find exploit size, iterate over own code until you come to the second signature, easy!
  • 14. Less than legal next steps: ● Infect package on pypi. Installing the package with `pip install infected_django` could infect the whole system. ● Malicious code instead of our harmless payload could do anything: keylog, spyware, etc.
  • 15. linx ● https://github.com/jgeralnik/Pytroj ● http://news.ycombinator.com/item? id=3039439 ● http://www.symantec. com/connect/blogs/python-has-venom ● http://www.google.co.il/search?q=pytroj
  • 16. FIN