ITSC203 Lab3b

The document discusses analyzing binary files using the Python pefile module. It provides background on binary file formats and the PE file format used in Windows. It describes using pefile to parse a sample PE file, print information from the MS DOS header, and extract specific content like the magic number and PE header offset.


Python

Offensive and Defensive Tool Construction


2|Page
Table of Contents
EVALUATION
Objectives
Background Reading
Important Information
Problem 1 (15 pts)
Problem 2 (30 pts)
Requirements
Using the pefile module
Links to resources
Instructions
Complete the following tasks to extract the specific content from the file
Questions

EVALUATION:
1. Problem 1: 15 marks
2. Problem 2: 30 marks

TOTAL MARK: 45

© 2017, Southern Alberta Institute of Technology. All rights reserved.


This publication and materials herein are protected by applicable intellectual property laws.
Unauthorized reproduction and distribution of this publication in whole or part is prohibited.

For more information, contact:


Director, Centre for Instructional Technology and Development
Southern Alberta Institute of Technology
1301 16 Ave. N.W., Calgary, AB T2M 0L4

Python Programming I
Objectives
This lab focuses on the following objectives:
- Analyze the Linux filesystem using Python.
- Explore the use of Python in building basic tools to gather information about the filesystem.
- Use variables, expressions and statements in Python.
- Use built-in modules to assist in the development of Python tools.

Background Reading
- Read chapters 6–10 in How to Think Like a Computer Scientist: Learning with Python, available at www.greenteapress.com/thinkpython/thinkCSpy.pdf.
- https://docs.python.org/3.8/

Important Information
YOU MUST PRESENT IMAGES OF YOUR CODE BEING EXECUTED. DO NOT SUBMIT YOUR ANSWERS IN THE DOCUMENT. CREATE A BLANK DOCUMENT AND SUBMIT YOUR ANSWERS THERE.

YOU WILL LOSE MARKS FOR NOT FOLLOWING THE ABOVE REQUIREMENTS.

All scripts must have the following elements:


1. File and header comments, in the following format:
# Filename: m##XXX.py
# Author: Craig Mac
# Course: ITSC203
# Details: This exercise checks to see if students read the suggested items
# prior to class or before doing the labs.
# Resources: https://www.cs.siue.edu/programming-style-guide

2. Comments on lines where you used some unique computation that might be tricky to comprehend a month later, for example:
list1 = [x for x in range(20) if x % 4 == 1] # Using list comprehension to ….

Problem 1 (15 pts)


To complete this question, you will need to:
1. Download the executable timestamp3 (available in Brightspace).
a. Save the file to the home directory of your Linux VM and then execute it.
b. Confirm that the folder Lab3_ITSC203 was created.
Write a Python program named m3p2.py (module 2, problem 2) that does the following:
2. Asks the user for a folder to analyze
3. Prints the entire folder structure
4. Asks for a date range in the format YYYY/MM/DD – YYYY/MM/DD
a. The first date is the oldest and the second date the most recent
5. Prints the files with a MODIFIED DATE that falls within the date range
6. Also prints the files that do not meet the criteria
7. For steps 5 and 6 the output must show the relative file path and the modified date and time, as shown in the image.

HINT: Modules you may want to investigate (datetime, pathlib, os and glob)

Submit the Python code and screenshots of the program executing.

The Python code should be available for testing.
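As an added example that is not part of this handout, here is one way to do steps 2 to 7 with datetime and pathlib. The interactive prompts are replaced by function arguments so the logic can be tested; the names parse_date_range, tree_listing, classify_by_mtime and make_sample_tree are this example's own, and make_sample_tree builds a constructed temporary tree with modification times set through os.utime, where a real run would point at Lab3_ITSC203 instead.

```python
"""Added example: classify files under a folder by modification date (steps 2-7)."""
import os
import tempfile
from datetime import datetime
from pathlib import Path

DATE_FMT = "%Y/%m/%d"              # format the user types
STAMP_FMT = "%Y/%m/%d %H:%M:%S"    # format printed beside each file


def parse_date_range(text: str):
    """'YYYY/MM/DD - YYYY/MM/DD' -> (oldest, newest); an en dash is accepted too."""
    oldest_s, newest_s = (part.strip() for part in text.replace("\u2013", "-").split("-", 1))
    oldest = datetime.strptime(oldest_s, DATE_FMT)
    # The range is inclusive, so the newest bound is the last second of that day.
    newest = datetime.strptime(newest_s, DATE_FMT).replace(hour=23, minute=59, second=59)
    if oldest > newest:
        raise ValueError("the first date must be the oldest")
    return oldest, newest


def tree_listing(root: Path):
    """Relative path of every directory and file below root (step 3)."""
    return [str(p.relative_to(root)) for p in sorted(root.rglob("*"))]


def classify_by_mtime(root: Path, oldest: datetime, newest: datetime):
    """Return (inside, outside): lists of (relative path, 'YYYY/MM/DD HH:MM:SS')."""
    inside, outside = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime)   # st_mtime is the MODIFIED time
        row = (str(p.relative_to(root)), mtime.strftime(STAMP_FMT))
        (inside if oldest <= mtime <= newest else outside).append(row)
    return inside, outside


def make_sample_tree() -> Path:
    """Constructed fixture (assumption): three files with controlled mtimes."""
    root = Path(tempfile.mkdtemp(prefix="lab3_"))
    (root / "sub").mkdir()
    samples = [("old.log", datetime(2019, 6, 1, 12, 0, 0)),
               ("sub/mid.txt", datetime(2020, 3, 15, 8, 30, 0)),
               ("new.bin", datetime(2021, 1, 2, 0, 0, 0))]
    for rel, when in samples:
        f = root / rel
        f.write_bytes(b"x")
        os.utime(f, (when.timestamp(), when.timestamp()))  # set atime and mtime
    return root


if __name__ == "__main__":
    # Stand-in for input(): a constructed tree and a fixed range.
    root = make_sample_tree()
    print("\n".join(tree_listing(root)))
    oldest, newest = parse_date_range("2020/01/01 - 2020/12/31")
    inside, outside = classify_by_mtime(root, oldest, newest)
    print("Modified within range:")
    for path, stamp in inside:
        print(f"  {path:<20} {stamp}")
    print("Outside range:")
    for path, stamp in outside:
        print(f"  {path:<20} {stamp}")
```

To turn this into m3p2.py, replace the two constants in the main block with input() calls and pass Path(answer) as root. Note that st_mtime is the content modification time, not creation or access time, which is what the assignment asks for.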

Problem 2 (30 pts)


From the perspective of cyber security, a binary file is a purpose-built file whose contents follow a machine-oriented layout rather than plain text. On Microsoft Windows, examples of binary files include:
- Portable Executables (PE):
a. Dynamic-link library files (.dll)
b. Executable files (.exe)
c. Control Panel applets (.cpl)
d. System files (.sys)
On a Linux system, examples of binary files include:
- Executable and Linkable Format (ELF) executables
- Shared object files
- Static object files
Other files considered binary files include:
- Portable Document Format (PDF)
- JPEG
- MKV
- GIF
- MPEG-4
etc.
All of these files follow their own specifications (well-defined standards) and can be opened in the same way on every system that has the correct tool for them.
The purpose of a standardized format is to ensure consistency. For example, every PE executable is laid out so that when you double-click the file name, the operating system can consistently locate its headers, load it and execute it on any compatible system.
We will investigate the PE file format in this laboratory using the Python pefile module. You can use this module to automate analysis and get a quick overview of the components that matter to your investigation. The standard is quite extensive and requires time to truly master, so our exploration will be limited to a few aspects of the PE file.

A PE file is made up of headers and sections. The headers contain data about the sections, and the sections contain the instructions that tell the CPU what to do and the data those instructions operate on. Stated differently, sections contain data and instructions, and headers tell the loader where to find the appropriate section.

Requirements
For this problem you will likely need the following modules:
1. datetime
2. sys
3. struct
4. prettytable
5. pefile

Copy the file expandpe.zip, from D2L, to your work directory for Lab3. Unzip the file and
confirm that there are .exe and .dll files in this directory.

Using the pefile module


In order to use the Python pefile module you will need to understand the structure of a PE file.
The Wikipedia and Microsoft websites will be the main sources we will use to unravel the
mysteries of the PE file.

Links to resources:
- https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#file-headers
- https://en.wikipedia.org/wiki/Portable_Executable
- https://en.wikipedia.org/wiki/Portable_Executable#Use_on_other_operating_systems
- https://whatis.techtarget.com/definition/binary-file#:~:text=A%20binary%20file%20is%20a,certain%20place%20within%20the%20file.
- https://en.wikipedia.org/wiki/Binary_file

To get started, you will create a variable that represents an object of type PE. That PE object parses the file named Kyjrgz41.exe. Once the parsing is complete you will proceed to extract meaningful information from the file.

Instructions
1. Using Image 1 as a reference, you will perform the following actions:
a. Import the PE class from the pefile module
Image 1: The image below shows the output using IPython. You will write your code in a text editor. The image is provided to show how you can start the process.

b. Create an instance variable of type PE, named mype22, associated with the filename 'Kyjrgz41.exe'
- This variable, mype22, allows us to access the different components of the PE file
c. The first header in the file is called the MS-DOS header and it contains:
- fields with the "e_" prefix followed by an attribute name, e.g. e_magic, e_lfanew
- information that is now obsolete and offers no real insight, according to the Microsoft documentation
- two pieces of information that modern systems still use to identify the file type and locate the new PE header:
i. a signature, also known as the magic number (e_magic, the bytes "MZ")
ii. the PE header offset (e_lfanew), the location in the file where the PE header begins

Complete the following tasks to extract the specific content from the
file:
1. print(type(mype22.DOS_HEADER), '\n', mype22.DOS_HEADER)
a. What is a pefile.Structure?
b. Notice the two columns of numbers on the left side of the output. What do the two columns of numbers represent?
c. What are the offsets of the magic number and of the PE header offset (e_lfanew)?
i. Both values are located in the DOS_HEADER
d. How many bytes does the DOS_HEADER use?
2. Save the value of e_magic as dosMagic
a. Do not process a file if the DOS signature is not MZ

3. Save the value of e_lfanew as pehdrOffset


4. print(mype22.NT_HEADERS, mype22.NT_HEADERS.Signature)
a. What is the Signature value that is printed? Do the bytes of this output fall into
the ascii range? What do the bytes translate to?
b. Execute the following lines of code. What does the packed value represent?

c. Save the result of the pack operation as pesig


5. print(mype22.FILE_HEADER)
a. Save the machine type as machine
i. You need to use a dictionary to convert this number to a meaningful
string
ii. What does the number for the machine type mean?
b. Save the TimeDateStamp as timestamp
i. Convert the time stamp to the format MM/DD/YYYY HH:MM:SS
c. Save the Characteristics as characteristics
i. What do the characteristics translate to?
1. Use the table to create a dictionary you will use to convert the
number to something meaningful
6. print(mype22.OPTIONAL_HEADER)
a. Save the magic field as optMagic
i. Build a dictionary for values 0x10B, 0x20B and 0x107
ii. Match the values and print either PE32, PE32+ or ROM Image based on
the value of optMagic
b. Save the AddressOfEntryPoint as addrEntryPt
i. What is the entry point address?
ii. What does the entry point address represent?
c. Save BaseOfCode as addrCodebase
d. Save the ImageBase as addrImagebase
i. What is the image base?
e. Save Subsystem as subsys
i. Decode the meaning of this value using a dictionary

7. print(mype22.is_exe(), mype22.is_dll(), mype22.PE_TYPE)

8. Now that you have completed the analysis for one file, automate the analysis of the other files in the directory using the same process, and then generate a table similar to the one shown on the following page.

9. If there are files that are not PE files:
a. Print the names of those files at the end, after the table has been printed.
Generate the following information using the PrettyTable module:

Submit the code and screenshots of the program output.
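The tasks above read each field through pefile. As an added example that is not part of this handout and not the pefile module's own code, the following script walks the same headers by hand with struct, which shows exactly which byte offsets pefile is reading for you: e_magic at offset 0, e_lfanew at 0x3C, the 4-byte PE\0\0 signature at e_lfanew, then IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER. The lookup dictionaries hold a subset of the values from the Microsoft PE specification. The sample bytes are a constructed PE32+ header image, not a real executable, and the names parse_pe_headers, triage and build_sample_pe32plus are this example's own. It also refuses files whose e_lfanew points past the end of the file, a case a real sample directory can contain.

```python
"""Added example: the PE header walk that pefile does, done by hand with struct."""
import struct
from datetime import datetime, timezone

# Subset of the value tables in the Microsoft PE format specification.
MACHINE_TYPES = {
    0x014C: "IMAGE_FILE_MACHINE_I386",
    0x01C0: "IMAGE_FILE_MACHINE_ARM",
    0x8664: "IMAGE_FILE_MACHINE_AMD64",
    0xAA64: "IMAGE_FILE_MACHINE_ARM64",
}
CHARACTERISTICS = {            # bit flags in IMAGE_FILE_HEADER.Characteristics
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM Image"}
SUBSYSTEMS = {1: "IMAGE_SUBSYSTEM_NATIVE", 2: "IMAGE_SUBSYSTEM_WINDOWS_GUI",
              3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
DOS_HEADER_SIZE = 64    # IMAGE_DOS_HEADER: e_magic at 0x00, e_lfanew at 0x3C
FILE_HEADER_SIZE = 20   # IMAGE_FILE_HEADER follows the 4-byte PE signature


class NotPEError(ValueError):
    """Raised for anything that does not carry both the MZ and PE\\0\\0 signatures."""


def parse_pe_headers(data: bytes) -> dict:
    """Return the fields the lab asks for, or raise NotPEError."""
    if len(data) < DOS_HEADER_SIZE:
        raise NotPEError("shorter than the 64-byte DOS header")
    # e_magic is 0x5A4D; stored little-endian those two bytes read as "MZ".
    if data[:2] != b"MZ":
        raise NotPEError("DOS signature is not MZ")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Untrusted offset: bound it before dereferencing, corrupt samples do this.
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise NotPEError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPEError("NT signature is not PE\\0\\0")
    fh = e_lfanew + 4
    (machine, n_sections, stamp, _symtab, _n_syms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + FILE_HEADER_SIZE
    if opt_size < 70 or oh + opt_size > len(data):  # Subsystem sits at +68..+69
        raise NotPEError("optional header truncated")
    (opt_magic,) = struct.unpack_from("<H", data, oh)
    entry, base_of_code = struct.unpack_from("<II", data, oh + 16)
    if opt_magic == 0x20B:    # PE32+: no BaseOfData, 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, oh + 24)
    else:                     # PE32: BaseOfData at +24, 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, oh + 28)
    (subsystem,) = struct.unpack_from("<H", data, oh + 68)
    return {
        "dosMagic": data[:2],
        "pehdrOffset": e_lfanew,
        "pesig": data[e_lfanew:e_lfanew + 4],
        "machine": MACHINE_TYPES.get(machine, f"UNKNOWN(0x{machine:04X})"),
        "sections": n_sections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S"),
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "is_dll": bool(chars & 0x2000),
        "optMagic": OPTIONAL_MAGIC.get(opt_magic, f"UNKNOWN(0x{opt_magic:X})"),
        "addrEntryPt": entry,
        "addrCodebase": base_of_code,
        "addrImagebase": image_base,
        "subsys": SUBSYSTEMS.get(subsystem, f"UNKNOWN({subsystem})"),
    }


def triage(files: dict) -> tuple:
    """Steps 8-9: {name: bytes} -> (parsed rows, names of files that are not PE)."""
    rows, not_pe = [], []
    for name, blob in files.items():
        try:
            rows.append((name, parse_pe_headers(blob)))
        except NotPEError:
            not_pe.append(name)
    return rows, not_pe


def build_sample_pe32plus() -> bytes:
    """Constructed PE32+ header image for offline runs; not a real executable."""
    dos = bytearray(0x80)                            # DOS header + stub padding
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> "PE\0\0" at 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 1577836800, 0, 0, 240, 0x0022)
    opt = bytearray(240)                             # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic
    struct.pack_into("<II", opt, 16, 0x1400, 0x1000) # AddressOfEntryPoint, BaseOfCode
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    struct.pack_into("<H", opt, 68, 3)               # Subsystem: WINDOWS_CUI
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    rows, skipped = triage({"sample.exe": build_sample_pe32plus(),
                            "readme.txt": b"not a PE file"})
    for name, info in rows:
        print(name, info)
    print("Not PE files:", skipped)
```

Running it prints one parsed row and the list of names it refused, which is the shape of the table plus the not-PE list that steps 8 and 9 ask for; to run it over the expandpe directory, feed triage a dict built from Path(name).read_bytes() for each file. The TimeDateStamp is rendered in UTC because the field is defined as seconds since the Unix epoch, so a local-time conversion would shift the value by your VM's timezone.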

Questions:
1. What is the significance of the entry point of an executable file? 2 pts

2. What is the significance of the magic number? In other words, what is it used for? 1 pt

3. Why would the PE file format be considered complex? 1 pt

4. Is the PE file format the only file format for executables? Name one other file format for executable files on any operating system. 2 pts

5. Non-executable files like PDFs are considered binary files because, like the PE file format, they have a specific structure that tells the reader how to process the file. Are there any other types of binary files like the PDF file? Name 5 file types and example programs that can open them. Also list whether Python modules are available to parse these types of files. 5 pts (You can present the result in a table.)
