Infecting Python Bytecode
Spoils of the Hackathon

Leon Fedotov
Joey Geralnik
Itzik Kotler
Hackathon:
● The hackathon was really awesome
● Next "Spoils of the Hackathon" presentation
  could be given by YOU!
● Seriously: come, code, crack, create. It is
  really fun.
pytroj
Python’s execution

○ The Python source file is compiled to bytecode.
○ The bytecode is stored in a file with the same name but with the pyc extension.
○ That file is "signed" with the source file’s filesystem timestamp and then executed.
○ The next time you run the same file, Python looks for a pyc file and checks its timestamp against the original.
○ If they match we are good to go and Python only executes the bytecode without recompiling the source.
Goals of pytroj

○ Self-infecting payload.
○ Once an infected file is executed, pytroj looks for pyc files and prepends itself to them.
○ Then the infected file executes its original bytecode.
○ If at any time the .py file is updated, the .pyc will be automatically recompiled. This is intentional: the updated code must run or pytroj will be easily detectable.
○ However, because pytroj infects all .pyc files on each run, the recompiled file should quickly be reinfected.
Flow
How?

○ pytroj opens the file it has been executed from.
○ Reads the bytecode and finds itself with a string trick: we bound our payload with two strings.
○ Then it looks for pyc files and uses the same technique to inject what it found into those files.
○ Saves the files without touching the timestamp that “signs” the pyc file.
Getting started

● Code must be able to reproduce itself.
● Quine? No, we cheat.
● The program reads itself, locates the malicious part, and copies it to other .pyc files.
Tampering with pyc files
● Python’s marshal module reads pyc files (minus the magic number and timestamp) and returns a code object.
● The code object is read-only :-(.
● Open source to the rescue! byteplay wraps it in a new Code object that can be converted back into a marshallable code object and is easy to work with.
● Include byteplay in pytroj.
● Payload is now ~30KB.
Restructuring - but first!
● Can't count the number of times I entered
  `rm *.pyc` to remove infected pyc files and
  start again -_-
● All it would take is one mistake to enter `rm
  *.py` instead.
● Summary: use version control. Plus, GitHub is free hosting.
Restructuring - payload size
● How can we decrease the size of the payload?
● Once again, open source to the rescue.
● pyminifier takes an input file, compresses it with zlib, converts the result to base64 and produces an output file containing:
   exec zlib.decompress(base64.b64decode("base64_program_here"))
● Minifying byteplay brings the payload size down to ~7KB.
● For comparison, .pyc files in my /usr/lib/python2.7 range between 100B and 170KB, with most being above 10KB. 7KB will usually not be noticeable.
● Could be gzipped and minimized further, but we wanted to keep the logic open and easy to understand.
Automatically detecting length of exploit
● Simple hack - begin and end the code with:
  signature = "DC9723"
● Gets translated into:
  0 LOAD_CONST               0 ('DC9723')
  3 STORE_NAME               0 (signature)
● if data.code[1][1] == signature:
      # Code is already infected
      return
● To find the exploit size, iterate over your own code until you come to the second signature. Easy!
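The packed-loader stub on the "Restructuring - payload size" slide (exec of a zlib-compressed, base64-encoded blob) and the repeated `signature = "DC9723"` marker on the "Automatically detecting length of exploit" slide are both patterns a scanner can look for in a code object, read from the pyc body with marshal as the "Tampering with pyc files" slide describes. The following is an added example, not code from the slides or from the Pytroj repository: it walks a directory tree, loads every .pyc (16-byte CPython 3.7+ header assumed), and flags (a) any code object whose names include `exec`, `decompress` and `b64decode` together and (b) any module-level name assigned the same string constant more than once. The two constructed fixture modules, the heuristics themselves and all function names are this example's assumptions; the "suspect" fixture's encoded blob decodes to a harmless assignment.

```python
import base64
import dis
import marshal
import os
import py_compile
import tempfile
import zlib

HEADER_SIZE = 16  # CPython 3.7+ pyc header (PEP 552); Python 2 used 8 bytes

# Constructed fixtures (not real project files). The "suspect" module has the
# shape of a packed loader plus a repeated marker; the encoded blob is harmless.
BENIGN_SOURCE = (
    "import json\n\n"
    "def load(path):\n"
    "    with open(path) as fh:\n"
    "        return json.load(fh)\n"
)
_BLOB = base64.b64encode(zlib.compress(b"RESULT = 'decoded'")).decode("ascii")
SUSPECT_SOURCE = (
    "signature = 'DC9723'\n"
    "import zlib, base64\n"
    "exec(zlib.decompress(base64.b64decode('%s')))\n"
    "signature = 'DC9723'\n\n"
    "def original():\n"
    "    return 42\n"
) % _BLOB

# Names that, seen together in one code object, match the packed-loader stub.
LOADER_NAMES = {"exec", "decompress", "b64decode"}


def load_code(pyc_path):
    """Skip the header and unmarshal the code object, as marshal-based tools do."""
    with open(pyc_path, "rb") as fh:
        fh.seek(HEADER_SIZE)
        return marshal.loads(fh.read())


def iter_code_objects(code):
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            yield from iter_code_objects(const)


def findings_for_code(code):
    """Return (rule, detail) pairs for the two heuristics described in the lead-in."""
    hits = []
    for co in iter_code_objects(code):
        if LOADER_NAMES <= set(co.co_names):
            hits.append(("packed-exec-loader", co.co_name))
        # Count "name = <string constant>" statements; a marker used to delimit an
        # injected region shows up as the same assignment twice in one code object.
        assignments = {}
        prev = None
        for ins in dis.get_instructions(co):
            if (prev is not None and prev.opname == "LOAD_CONST"
                    and ins.opname in ("STORE_NAME", "STORE_GLOBAL")
                    and isinstance(prev.argval, str)):
                key = (ins.argval, prev.argval)
                assignments[key] = assignments.get(key, 0) + 1
            prev = ins
        for (name, value), count in assignments.items():
            if count > 1:
                hits.append(("repeated-sentinel", "%s=%r x%d" % (name, value, count)))
    return hits


def scan_tree(root):
    """Map each flagged .pyc (path relative to root, '/'-separated) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".pyc"):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = findings_for_code(load_code(path))
            except (ValueError, EOFError, TypeError, OSError):
                hits = [("unreadable", "could not unmarshal code object")]
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def run_demo():
    """Compile both fixtures into a __pycache__ directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, source in (("benign.py", BENIGN_SOURCE), ("suspect.py", SUSPECT_SOURCE)):
            src = os.path.join(tmp, fname)
            with open(src, "w") as fh:
                fh.write(source)
            py_compile.compile(src, cfile=os.path.join(tmp, "__pycache__", fname + "c"), doraise=True)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in run_demo().items():
        print(path, hits)
```

Both rules are heuristics: legitimate packers and minified distributions produce the exec/zlib/base64 shape too, so treat a hit as something to diff against the package's source (or a freshly compiled copy), not as a verdict on its own. Point `scan_tree` at a site-packages directory to run it over real bytecode.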
Live example!
Less than legal next steps:
● Infect a package on PyPI. Installing the package with `pip install infected_django` could infect the whole system.
● Malicious code instead of our harmless payload could do anything: keylogging, spyware, etc.
Links
● https://github.com/jgeralnik/Pytroj
● http://news.ycombinator.com/item?id=3039439
● http://www.symantec.com/connect/blogs/python-has-venom
● http://www.google.co.il/search?q=pytroj
FIN
