PyEmu was released at BlackHat 2007[56] by Cody Pierce, one of the talented members of the
TippingPoint DVLabs team. PyEmu is a pure Python IA32 emulator that allows a developer
to use Python to drive CPU emulation tasks. Using an emulator can be very
beneficial for reverse engineering malware, when you don't necessarily
want the real malware code to execute. And it can be useful for a whole
host of other reverse engineering tasks as well. PyEmu has three methods to enable emulation: IDAPyEmu, PyDbgPyEmu, and PEPyEmu. The IDAPyEmu class allows you to run the emulation tasks from inside IDA Pro using IDAPython (see Chapter 11 for IDAPython coverage). The PyDbgPyEmu class allows you to use the emulator during dynamic analysis, which enables you to use real memory and register values inside your emulator scripts. The PEPyEmu class is a standalone static-analysis library that doesn't require IDA Pro for disassembly. We will be covering the use of IDAPyEmu and PEPyEmu for our purposes and leave the PyDbgPyEmu class as an exploration exercise for the reader. Let's get PyEmu installed in our development environment and then move on to the basic architecture of the emulator.
Installing PyEmu is quite simple; just download the zip file from http://www.nostarch.com/ghpython.htm.
Once you have the zip file downloaded, extract it to C:\PyEmu. Each time you create a PyEmu script, you will have to set the path to the PyEmu codebase using the following two Python lines:
sys.path.append("C:\\PyEmu\\")
sys.path.append("C:\\PyEmu\\lib")
That's it! Now let's dig into the architecture of the PyEmu system and then move into creating some sample scripts.
[56] Cody's BlackHat paper is available at https://www.blackhat.com/presentations/bh-usa-07/Pierce/Whitepaper/bh-usa-07-pierce-WP.pdf.