[Dailydave] Announcing metasm

Thomas Ptacek tqbf at matasano.com
Mon Jul 23 11:20:47 EDT 2007


I'm pretty sure I'm one of 6,398 different people doing this, but
we're working with a debugger driven by runtime dynamic code
generation instead of OS debugger hooks; our targets are programs that
aggressively detect debuggers, emulation, and program text
manipulation.

"Debugger" is generous; I mean, "code capable of breakpointing,
inspecting, and modifying a remote execution context".

I quickly read the metasm code this weekend and, unless I missed it,
they didn't implement a parser; they just exploit Ruby's terseness to
make it look like assembly syntax. Parsing assembly syntax seems like
a complete waste of time; it's a wretched language.

On 7/23/07, Dave Aitel <dave.aitel at gmail.com> wrote:
> Is this debugger something you'd want integrated with Immunity Debugger?
> When you say "debugger that runs over firewire" do you mean kinda like
> WinDBG does when you're trying to do kernel debugging? I'm writing a kernel
> exploit all day today, but no chance of setting up WinDBG to do it - it's
> almost easier just to use memory dumps and !analyze -v. The WinDBG UI is
> almost as bad as SPIKE Proxy's.  One thing MOSDEF is not good at is
> enumerating all the different ways to add two numbers together. We only put
> one kind of encoding into the assembler and changing it now would be quite
> difficult. But we're optimized for shellcode size, and speed, while
> remaining pure-Python. Which is annoying because those are all polar
> opposites.
>
> What dialect of assembler is it that metasm implements? Is that NASM-like?
>
> -dave
>
>
>
> On 7/22/07, Thomas Ptacek <tqbf at matasano.com> wrote:
> >
> > I've learned not to benchmark ideas against MOSDEF; it's dispiriting.
> >
> > The difference between my code and yours, apart from maturity and
> > originality, is that yours focuses on assembly language and mine
> > focuses on a class hierarchy for opcodes. I wanted to see how far I
> > could get using Python as a superficial IL for x86.
> >
> > My goal isn't shellcode; it's process[or] manipulation. I used it to
> > write a debugger to run over firewire.
> >
> > > Thomas Ptacek wrote:
> > > > We've had a lot of luck with a very similar approach. Ours is in
> > > > Python, only supports x86, and isn't as complete; it also tries
> > > > less hard to look like a DSL. But we like it. If anyone's
> > > > interested, we'd be happy to post.
> > > How do these things differ from MOSDEF (other than having a
> > > disassembler?)
> >
> > --
> > ---
> > Thomas H. Ptacek // matasano security
> > read us on the web: http://www.matasano.com/log
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
>
>


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

