Dailydave mailing list archives

Re: Announcing metasm


From: "Thomas Ptacek" <tqbf () matasano com>
Date: Mon, 23 Jul 2007 10:20:47 -0500

I'm pretty sure I'm one of 6,398 different people doing this, but
we're working with a debugger driven by runtime dynamic code
generation instead of OS debugger hooks; our targets are programs that
aggressively detect debuggers, emulation, and program text
manipulation.

"Debugger" is generous; I mean, "code capable of breakpointing,
inspecting, and modifying a remote execution context".

I quickly read the metasm code this weekend and, unless I missed it,
they didn't implement a parser; they just exploit Ruby's terseness to
make it look like assembly syntax. Parsing assembly syntax seems like
a complete waste of time; it's a wretched language.

On 7/23/07, Dave Aitel <dave.aitel () gmail com> wrote:
Is this debugger something you'd want integrated with Immunity Debugger?
When you say "debugger that runs over firewire" do you mean kinda like
WinDBG does when you're trying to do kernel debugging? I'm writing a kernel
exploit all day today, but no chance of setting up WinDBG to do it - it's
almost easier just to use memory dumps and !analyze -v. The WinDBG UI is
almost as bad as SPIKE Proxy's.  One thing MOSDEF is not good at is
enumerating all the different ways to add two numbers together. We only put
one kind of encoding into the assembler and changing it now would be quite
difficult. But we're optimized for shellcode size, and speed, while
remaining pure-Python. Which is annoying because those are all polar
opposites.

What dialect of assembler is it that metasm implements? Is that NASM-like?

-dave



On 7/22/07, Thomas Ptacek <tqbf () matasano com> wrote:

I've learned not to benchmark ideas against MOSDEF; it's dispiriting.

The difference between my code and yours, apart from maturity and
originality, is that yours focuses on assembly language and mine
focuses on a class hierarchy for opcodes. I wanted to see how far I
could get using Python as a superficial IL for x86.

My goal isn't shellcode; it's process[or] manipulation. I used it to
write a debugger to run over firewire.

Thomas Ptacek wrote:
We've had a lot of luck with a very similar approach. Ours is in
Python, only supports x86, and isn't as complete; it also tries
less hard to look like a DSL. But we like it. If anyone's
interested, we'd be happy to post.
How do these things differ from MOSDEF (other than having a
disassembler?)

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
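Two points in the thread above can be shown together in a few lines of Ruby: Thomas's reading of metasm (a Ruby DSL that stands in for assembly syntax instead of a parser) and Dave's remark that MOSDEF's assembler knows only one encoding per instruction. The following is an added illustration written for this archive page, not metasm's or MOSDEF's code. Register names are methods returning operand objects, mnemonics are methods that append opcode bytes, and a flag selects between the two legal IA-32 encodings of register-to-register MOV and ADD (8B /r versus 89 /r, 03 /r versus 01 /r) and the short EAX form of ADD with an immediate (05 id versus 81 /0 id). The class and method names (`X86Asm`, `Reg32`, `prefer_alt_encoding`) are constructed; the opcode bytes are the standard 32-bit x86 ones.

```ruby
# Minimal 32-bit x86 assembler embedded as a Ruby DSL.
# There is no text parser: `mov eax, 1` is an ordinary method call in which
# `eax` is itself a method returning a register operand.
# Constructed teaching example, not metasm's or MOSDEF's code.

class Reg32
  attr_reader :name, :num
  def initialize(name, num)
    @name = name
    @num = num   # 3-bit register number used in ModRM / opcode+rd forms
  end
  def to_s; name.to_s; end
end

class X86Asm
  REGS = %w[eax ecx edx ebx esp ebp esi edi].each_with_index
           .map { |n, i| [n.to_sym, Reg32.new(n.to_sym, i)] }.to_h

  attr_reader :bytes

  # prefer_alt_encoding picks the alternative legal encoding where one exists,
  # to show that the same instruction has more than one byte sequence.
  def initialize(prefer_alt_encoding: false)
    @bytes = []
    @prefer_alt = prefer_alt_encoding
  end

  # One method per register so the block body reads like assembly.
  REGS.each { |name, reg| define_method(name) { reg } }

  # Evaluate the block as instructions and return the machine code string.
  def self.assemble(prefer_alt_encoding: false, &blk)
    a = new(prefer_alt_encoding: prefer_alt_encoding)
    a.instance_eval(&blk)
    a.bytes.pack('C*')
  end

  # ModRM byte for register-direct operands (mod = 11b).
  def modrm(reg, rm)
    0xC0 | (reg.num << 3) | rm.num
  end

  # 32-bit immediate, little-endian.
  def imm32(v)
    [v].pack('V').bytes
  end

  def mov(dst, src)
    case src
    when Integer
      @bytes.concat([0xB8 + dst.num], imm32(src))     # B8+rd id: MOV r32, imm32
    when Reg32
      if @prefer_alt
        @bytes.concat([0x89, modrm(src, dst)])         # 89 /r: MOV r/m32, r32
      else
        @bytes.concat([0x8B, modrm(dst, src)])         # 8B /r: MOV r32, r/m32
      end
    end
  end

  def add(dst, src)
    case src
    when Integer
      if @prefer_alt && dst.num == 0
        @bytes.concat([0x05], imm32(src))              # 05 id: ADD EAX, imm32
      else
        @bytes.concat([0x81, 0xC0 | dst.num], imm32(src)) # 81 /0 id: ADD r/m32, imm32
      end
    when Reg32
      if @prefer_alt
        @bytes.concat([0x01, modrm(src, dst)])         # 01 /r: ADD r/m32, r32
      else
        @bytes.concat([0x03, modrm(dst, src)])         # 03 /r: ADD r32, r/m32
      end
    end
  end

  def push(reg); @bytes << (0x50 + reg.num); end       # 50+rd: PUSH r32
  def pop(reg);  @bytes << (0x58 + reg.num); end       # 58+rd: POP r32
  def ret;       @bytes << 0xC3; end                   # C3: RET
end

if __FILE__ == $0
  code = X86Asm.assemble { mov eax, 1; add eax, ebx; ret }
  alt  = X86Asm.assemble(prefer_alt_encoding: true) { mov eax, 1; add eax, ebx; ret }
  puts code.unpack1('H*')   # b80100000003c3c3
  puts alt.unpack1('H*')    # b801000000 01d8 c3: same instructions, different bytes
end
```

The two outputs assemble to identical behaviour, which is the point behind Dave's comment: a byte-pattern signature that matches one encoding of an instruction sequence says nothing about the other, so detection built on such patterns should be tested against every encoding the target assembler can emit, not just its default.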