Matasano Chargen: Pedram Amini’s Amazing PaiMei: Win32 Reverse Engineering in Python

  • newsham · 3 years ago
    A plan9 reference from newsham? I know it's cliché, been done, old hat, but it's relevant. Really. I swear!

    http://cm.bell-labs.com/sys/doc/acidpaper.html

    Mixing scripting languages and debuggers can be very powerful, especially if you get the abstractions right.
  • Thomas Ptacek · 3 years ago
    Getting the abstractions right is a lot easier once you've mapped the low-level native debugger implementation into a reasonable language, which Python almost is.

    Acid is cool, though.

    When are we getting our Haskell debugger library?
  • newsham · 3 years ago
    Getting off topic here, but if you're writing functional code, do you really need a debugger? You'd just write some rules saying how things should behave and have it automatically verified a la quickcheck: http://www.cs.chalmers.se/~rjmh/QuickCheck/

    Oh, you meant a debugger framework written in Haskell, didn't you!? ;-) Yah, I'd stick to Python for something like that. No need for strong typing and lazy evaluation there, really...
  • pedram amini · 3 years ago
    Wow. I am both flattered by the compliments and appreciative of the detailed post. Thank you on both counts. I like the relative time column you added, send me the patch and I'll check it into SVN ;-)

    With regards to the wish list:

    0.
    The PIDA file format is obtuse. I'm moving that to SQL and when I do I'll look into adding SQLLite support across the board. The default will still be MySQL. The nice thing about the central server is that the whole team's work is accessible from a single location.

    1.
    We can hack this together pretty quickly. Many of my structures have a .ext member for filling in whatever you want. I can add that to the code coverage class to generically support whatever additions people want. The process stalker functionality is a class on its own, so you should feasibly be able to write a small command line script with the added modification.

    2.
    Luis Miras is working on a Python symbol parser. I will definitely be adding that. At least for function names however, you can load the symbols in IDA pre-PIDA generation. But I hear you on the pain ;-)

    3.
    Have you tried the uDraw sync yet? uDraw rocks. Install it, launch it in '-server' mode, then connect PaiMei to it through the connections menu. Next, synchronize your loaded tag and each click in the hit window pulls up the relevant portion of the graph in uDraw. It also works in the other direction, click on a node in uDraw and the closest hit will be highlighted (with the register inspection data) in the hit list. You can also export the hit data into IDA, which I don't find as useful.

    4.
    Yeah, it's entirely 32-bit Windows right now. There is someone who is writing a Linux PyDbg; when that is done I will rename PyDbg to PyDbg-win32 and write an abstraction class on top of both. Hopefully as the entire framework matures more people will be contributing. Of all the open source software I've written, this one has gotten the most community feedback and support, so it's not out of the question.

    5.
    http://www.moondanceranch.com/images/pics/pony-...

    I use this framework all the time and have every intention of vigorously maintaining it. So all feedback is greatly appreciated and will not be ignored. On a final note, thanks again for the kind words. I caught the PDB talk at BlackHat and it's definitely an awesome tool.

    Cheers

    -pedram
  • Thomas Ptacek · 3 years ago
    OMG PONIES*&#(!!
  • Thomas Ptacek · 3 years ago
    For what it's worth:

    On "recording stack traces", I just added it, sort of (it "works" to a definition of "works" that includes "poorly tested, and some of the data looks bad").

    I'll mail you the diff. Why am I writing this here? Because it took me less than 30 minutes to "add" this functionality (caveat: adding it so it works might take longer), and I've barely read Pedram's code.

    PaiMei rocks.