Dailydave mailing list archives

Re: Announcing metasm


From: Julien TINNES <jt () cr0 org>
Date: Tue, 24 Jul 2007 14:52:50 +0200

On Sunday 22 July 2007 17:14:21 Dave Aitel wrote:
> How do these things differ from MOSDEF (other than having a disassembler?)
>
> Is the goal here an injectable proglet session or just a nice way to
> assemble/disassemble shellcode?


Metasm is an assembly manipulation suite. Its purpose is to be a bit more 
generic than a shellcode compiler, even if it has clearly been developed with 
security tools (and especially exploits) in mind. It can be trivially used to 
assemble/disassemble shellcodes but it would be perfectly possible to 
implement a MOSDEF-like proglet session manager on top of it.

If you want an example of metasm in action for dynamic shellcode generation, 
you can take a look at our remote kernel exploit for Madwifi in Metasploit's 
trunk (madwifi_giwscan_cb.rb).
Even if this example doesn't rely too much on advanced features, you can still 
see how we use .pad and .offset together and how we dynamically inject a 
Metasploit userland shellcode by using relocations (metasm has full 
relocation support).

If you want to see more advanced usages, take a look at the 'samples' 
directory, for instance win32hooker-advanced.rb.
This shows how you can find a process, a library mapped in this process and 
patch every exported function by using Metasm.

-- 
Julien TINNES
http://www.cr0.org
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave