Python resources for Debugging and reverse engineering

A collection of Python resources for debugging and reverse engineering – these may assist your pentesting or security research.

Paimei

PaiMei is a reverse engineering framework consisting of multiple extensible components. The framework can essentially be thought of as a reverse engineer’s swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as fuzzer assistance, code coverage tracking, data flow tracking and more. The package includes PyDBG, PIDA and pGRAPH.

https://github.com/OpenRCE/paimei

IDAPython

IDAPython is an IDA plugin which makes it possible to write scripts for IDA in the Python programming language. IDAPython provides full access to both the IDA API and any installed Python module. There are several example scripts provided in the repository.

https://github.com/idapython/src

Immunity Debugger

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry’s first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. You can read more about the debugger and see more features at http://immunityinc.com/products/debugger/index.html

http://debugger.immunityinc.com/

pefile

pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible as well as all sections’ details and their data.

https://github.com/erocarrera/pefile

PyDbgEng

Microsoft releases free and powerful debugging tools for Windows. The package includes the well known ‘WinDbg’ debugger, which, at its core, runs on top of the Windows debugging engine – dbgeng.dll. PyDbgEng is a Python wrapper for the Microsoft Debug Engine.
Now that you have a scriptable debugger, here are some of the things you can do:

Fault Injection
Automatic Executable Unpacking
Application Fuzzing

http://pydbgeng.sourceforge.net/

distorm

A powerful disassembler library for x86/AMD64. diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis.

https://github.com/gdabah/distorm

Frida

Frida is a dynamic code instrumentation toolkit for developers, reverse-engineers, and security researchers. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

https://www.frida.re/

python-ptrace

python-ptrace is a debugger using ptrace (the Linux, BSD and Darwin system call to trace processes) written in Python. Docs are at https://python-ptrace.readthedocs.io/en/latest/

High level Python object API : PtraceDebugger and PtraceProcess
Able to control multiple processes: catch fork events on Linux
Read/write bytes to arbitrary address: take care of memory alignment and split bytes to cpu word
Execution step by step using ptrace_singlestep() or hardware interruption 3
Can use distorm disassembler
Dump registers, memory mappings, stack, etc.
Syscall tracer and parser (strace.py command)

https://github.com/vstinner/python-ptrace

Androguard

Androguard is a full Python tool to reverse engineer and analyse Android applications. You can read the documentation at https://androguard.readthedocs.io/en/latest/ It works with:

DEX, ODEX
APK
Android’s binary xml
Android resources
Disassemble DEX/ODEX bytecodes
Decompiler for DEX/ODEX files

https://github.com/androguard/androguard

Capstone

Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.

http://www.capstone-engine.org/

keystone

Keystone is a lightweight multi-platform, multi-architecture assembler framework with Python bindings.

http://www.keystone-engine.org

PyBFD

A Python interface to the GNU Binary File Descriptor (BFD) library.

It’s a complete (or at least tries to be) wrapper around the low level functionality provided by GNU Binutils libopcodes and libbfd. This allows the user to manipulate all the architectures and file formats that the Binutils tools support.

https://github.com/Groundworkstech/pybfd/

CHIPSEC

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual.

https://github.com/chipsec/chipsec

mona.py

PyCommand for Immunity Debugger that replaces and improves on pvefindaddr

https://github.com/corelan/mona

uhooker

The Universal Hooker is a tool to intercept execution of programs. It enables the user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory. The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (Python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called at run time.

https://www.coresecurity.com/corelabs-research/open-source-tools/uhooker

Have we missed any tools? Do you know of or have a script that you feel should be listed? Leave us a comment and we will take a look.