PR-3021 Bypassing Python 3.8 Audit Hooks

Presented at Texas Cyber Summit 2019, Oct. 12, 2019, 11:15 a.m. (45 minutes).

In Python 3.8, which is scheduled to be released October 2019, a new security feature is being implemented called “audit hooks”. According to PEP 578 and PEP 551, the purpose of audit hooking is to allow transparency into Python’s runtime so that events can be monitored and logged just like any other process. While additional insight is great for defenders, it's likely to become another hurdle for attackers to deal with. I dunno about y'all but I'm trying to run scripts unabated, feel me? Y'all tryna bypass these audit hooks or nah? Come through.

Presenters:

• Leron Gray - Microsoft
  Ten year Navy veteran and former NSA operator with five years of offensive security experience. He's currently a pentester, loves winning all the CTFs, and enjoys writing things in Python and Python-like languages.

Links:

• https://texascybersummitii2019.sched.com/event/UaV4/pr-3021-bypassing-python-38-audit-hooks

Similar Presentations:

• DEF CON 18 (2010) / pyREtic - In-memory Reverse Engineering for Obfuscated Python Bytecode
• DerbyCon 6.0 Recharge (2016) / Python 3: It’s Time