Errata for Gray Hat Python

The errata list is a list of errors and their corrections that were found after the product was released.

The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.

Each entry below gives the version and page, the location on that page, the description, and the submitter and date submitted.
PDF Page 20
Entire page

When a debugger has set a soft breakpoint at an address and the debuggee has executed that breakpoint, the instruction pointer (EIP) no longer points to that address, as it has been executed. It points one byte past the address, so the debugger must take this into account when checking its internal list of breakpoints.
After having restored the original opcode, the EIP register must be decremented by one in order to execute that instruction correctly.

Robert Larsen  Aug 06, 2012 
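The bookkeeping described in the erratum above, as an added example that is not code from the book: a toy "process memory" stands in for ReadProcessMemory/WriteProcessMemory, and a simulated CPU reports EIP one byte past the 0xCC it just trapped on, as the thread CONTEXT does on x86. The handler looks up EIP - 1, restores the original opcode and rewinds EIP onto it. The base address, the code bytes and all class and method names are constructed for this example.

```python
"""Soft (INT3) breakpoint bookkeeping, simulated in pure Python.

Added example, not code from Gray Hat Python. The memory layout below is
constructed: a tiny x86 function at a made-up base address.
  0x401000: 55        push ebp
  0x401001: 89 E5     mov  ebp, esp
  0x401003: 31 C0     xor  eax, eax
  0x401005: 5D        pop  ebp
  0x401006: C3        ret
"""

BASE = 0x401000
CODE = bytes.fromhex("5589e531c05dc3")
INT3 = 0xCC


class FakeProcess:
    """Stand-in for ReadProcessMemory/WriteProcessMemory over a byte array."""

    def __init__(self, base, code):
        self.base = base
        self.mem = bytearray(code)

    def read_byte(self, address):
        return self.mem[address - self.base]

    def write_byte(self, address, value):
        self.mem[address - self.base] = value

    def execute(self, eip):
        """Simulate the CPU at `eip`. If the byte there is INT3 the trap is
        raised with EIP already advanced past the one-byte 0xCC, which is
        what the debugger sees in CONTEXT.Eip. Returns that reported EIP,
        or None when no trap occurs."""
        if self.read_byte(eip) == INT3:
            return eip + 1
        return None


class SoftBreakpointDebugger:
    def __init__(self, process):
        self.process = process
        self.breakpoints = {}  # breakpoint address -> original opcode byte

    def bp_set(self, address):
        """Save the original byte and overwrite it with 0xCC."""
        if address in self.breakpoints:
            return
        self.breakpoints[address] = self.process.read_byte(address)
        self.process.write_byte(address, INT3)

    def exception_handler_breakpoint(self, reported_eip):
        """Handle EXCEPTION_BREAKPOINT for the EIP reported by the trap.

        Returns the EIP the thread must resume at, or None when the trap
        was not one of our breakpoints (e.g. the initial system breakpoint).
        """
        bp_address = reported_eip - 1          # EIP is one byte past the 0xCC
        original = self.breakpoints.pop(bp_address, None)
        if original is None:
            return None
        self.process.write_byte(bp_address, original)  # restore the opcode
        return bp_address                      # ...and rewind EIP onto it


def demo():
    """Set a breakpoint on `xor eax, eax`, hit it, and handle it."""
    dbg = SoftBreakpointDebugger(FakeProcess(BASE, CODE))
    dbg.bp_set(BASE + 3)
    reported = dbg.process.execute(BASE + 3)   # CPU reports 0x401004
    naive_hit = reported in dbg.breakpoints    # lookup on raw EIP misses
    resume_eip = dbg.exception_handler_breakpoint(reported)
    restored = dbg.process.read_byte(BASE + 3)
    return reported, naive_hit, resume_eip, restored


if __name__ == "__main__":
    reported, naive_hit, resume_eip, restored = demo()
    print("reported EIP 0x%08x, naive lookup hit: %s" % (reported, naive_hit))
    print("resume at 0x%08x, byte restored to 0x%02x" % (resume_eip, restored))
```

The `naive_hit` value in `demo()` is the bug the erratum points at: checking the breakpoint table with the reported EIP finds nothing, because the table was keyed on the address where 0xCC was written, one byte lower.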
Printed Page 31
open_process function

The second and third parameters for kernel32.OpenProcess() are flipped. BOOL type should be the second and the PID should be the third.

Ref: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx

Willy Kim  Jan 09, 2014 
Printed Page 32
my_test.py code snippet (2nd code snippet on this page)

In the code snippet for my_test.py, below "debugger.attach(int(pid))", there should be a "debugger.run()" call added in order for the module to execute correctly; otherwise it only executes the attach function and then immediately detaches, never going into a loop for the debugger to use.

William Edmunt Yote  Jun 15, 2016 
Printed Page 40
get_debug_event function

When calling self.get_thread_context, you should pass debug_event.dwThreadId, not self.h_thread.

Willy Kim  Jan 10, 2014 
Printed Page 46
1st paragraph (printf_loop.py script)

In the while loop of the script, line 8 should be changed from:

msvcrt.printf("Loop iteration %d!\n" % counter)

to:

msvcrt.printf("Loop iteration %d!\n",counter)

The script, as it is in the book, does not give the desired results with the pydbg exercises of the book.

William Edmund Yote  Jul 28, 2016 
Printed Page 74
imm.log line

imm.log("[*]Found: %s (0x%08x)" %(search_code,hit), address =hit)

throws a TypeError exception:

TypeError: log() got an unexpected keyword argument 'address'

to be changed to
imm.log("[*]Found: %s (0x%08x)" %(search_code,hit))

It works like this, but the address shown on the far left side is
0BADF00D, while the address pointed to is correct in the message area of the log window.

m3h  Dec 19, 2009 
Printed Page 74
[FIX] to previous post imm.log line

imm.log("[*]Found: %s (0x%08x)" %(search_code,hit), address = hit)

ref: http://debugger.immunityinc.com/update/Documentation/ref/Libs.immlib.Debugger-class.html#log

log(self, msg)

CHANGE TO:

imm.Log("[*]Found: %s (0x%08x)" %(search_code, hit ),address = hit)

ref:
http://debugger.immunityinc.com/update/Documentation/ref/Libs.immlib.Debugger-class.html#log

Log(self, msg, address=0xbadf00d, highlight=False, gray=False, focus=0)

m3h  Dec 19, 2009 
Printed Page 76
line 20 and line 22

line 20:
imm.log("Shellcode Length : %d" % length)
should be
imm.log("Shellcode Length : %d" % shellcode_length)

line 22:
imm.log("Attack Shellcode: %s" % canvas_shellcode[:512])
raises a NameError:
global name 'canvas_shellcode' is not defined

m3h  Dec 19, 2009 
PDF Page 113
8.1.2 Integer Overflows

There are several errors in the section on integer overflows. I will submit them individually.

First, the author keeps changing his opinion on how large an integer is. On page 113 it is 16 bits, on 114 it is 32 bits.

Robert Larsen  Aug 06, 2012 
PDF Page 114
After assembly listing

This assembly listing:

MOV EAX, [ESP + 0x8]
LEA EDI, [EAX + 0x24]
PUSH EDI
CALL msvcrt.malloc

...does not, as the author states, do the following: "The first instruction takes a parameter off the stack [ESP + 0x8] and loads it into EAX. The next instruction adds 0x24 to EAX and stores the result in EDI."

The first instruction does indeed take a parameter off the stack and stores it into EAX, but the next one adds 0x24 to that and stores THE DATA POINTED TO by the result into EDI. It is a memory dereference. The data at that address is passed onto malloc, not the result of the addition.

Robert Larsen  Aug 06, 2012 
PDF Page 114
Listing 8-1

The text under the listing states that the integers in the listing are signed. In that case the calculations are correct and not at all confusing.

Stack parameter => 0xfffffff5 in decimal is -11
0x24 in decimal is 36
0xfffffff5 + 0x24 = -11 + 36 = 25

Not really an overflow.
However, had we treated the numbers as unsigned, things would have been different:

Stack parameter => 0xfffffff5 in decimal is 4294967285
0x24 in decimal is 36
0xfffffff5 + 0x24 = 4294967285 + 36 = 25

Now THAT is confusing.

Robert Larsen  Aug 06, 2012
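The arithmetic in the two Listing 8-1 errata above (and the 16-bit versus 32-bit question raised on page 113), as an added example that is not code from the book: the listing adds 0x24 to a caller-supplied length in a fixed-width register and hands the result to malloc, so the sum wraps instead of growing. The functions below reproduce that wrap at any bit width, show the signed and unsigned readings of 0xfffffff5, compute how many bytes a later copy of `length` bytes would write past the wrapped allocation, and add the overflow check a practitioner would put in front of the addition. The constant name HEADER and all function names are this example's own.

```python
"""Integer wraparound in a size computation, at an explicit bit width.

Added example, not code from Gray Hat Python. Mirrors the pattern
    MOV EAX, [ESP + 0x8]      ; caller-supplied length
    LEA EDI, [EAX + 0x24]     ; length + 0x24, computed in a 32-bit register
    PUSH EDI
    CALL msvcrt.malloc
where the register width, not Python's unbounded ints, decides the result.
"""

HEADER = 0x24  # the constant added to the length in the listing


def mask(bits):
    """All-ones value for a register of `bits` width."""
    return (1 << bits) - 1


def to_unsigned(x, bits=32):
    """Value of the low `bits` bits of x read as an unsigned integer."""
    return x & mask(bits)


def to_signed(x, bits=32):
    """Value of the low `bits` bits of x read as two's complement."""
    x &= mask(bits)
    return x - (1 << bits) if x >> (bits - 1) else x


def alloc_size_vulnerable(length, bits=32):
    """What the LEA above produces: the sum truncated to the register width.
    Signed or unsigned reading does not matter here; the bit pattern wraps
    either way (0xfffffff5 + 0x24 -> 0x19 at 32 bits, 0xfff5 + 0x24 -> 0x19
    at 16 bits)."""
    return (length + HEADER) & mask(bits)


def heap_overflow_bytes(length, bits=32):
    """Bytes a subsequent copy of `length` bytes would write beyond a buffer
    of the wrapped size. 0 means the allocation really is large enough."""
    size = alloc_size_vulnerable(length, bits)
    return max(0, to_unsigned(length, bits) - size)


def is_safe_length(length, bits=32):
    """True when length + HEADER is representable in `bits` unsigned bits,
    i.e. the addition cannot wrap. Negative lengths are rejected outright."""
    return 0 <= length <= mask(bits) - HEADER


def alloc_size_checked(length, bits=32):
    """Hardened replacement: check before adding, never after."""
    if not is_safe_length(length, bits):
        raise ValueError("length + 0x%x does not fit in %d bits" % (HEADER, bits))
    return length + HEADER


if __name__ == "__main__":
    param = 0xFFFFFFF5
    print("signed %d, unsigned %d" % (to_signed(param), to_unsigned(param)))
    print("malloc size: %d" % alloc_size_vulnerable(param))
    print("bytes written past the buffer: %d" % heap_overflow_bytes(param))
    print("same wrap at 16 bits: %d" % alloc_size_vulnerable(0xFFF5, bits=16))
    print("safe length?", is_safe_length(param))
```

Both readings give 25, as the erratum works out; the security-relevant part is `heap_overflow_bytes`, which shows that a 25-byte allocation is then used for a copy of roughly 4 GiB of attacker-controlled data. The check in `is_safe_length` is written as a comparison against `mask(bits) - HEADER` rather than testing the sum afterwards, so it holds regardless of which width the compiler or assembler actually used.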