Backward disassembler for ROP exploitation

bdasm is a PyCommand that I wrote for Immunity Debugger (v 1.73) which can search the address space of a process for a certain opcode/instruction and dissasemble backward and forward for a  specified number of instructions. 

This is especially useful in the exploit development process when existing gadget finding tools do not produce the results you need and you must extend your search manually. 

When using the return-oriented-programming (ROP) technique for exploit development, you usually need to find useful instructions followed by RET. There are some tools to search for these gadgets (ex. pvefindaddr) but what if they do not find the gadgets you need? The search must be extended and bdasm is the tool you need. 

Use case scenarios: 

Example 1: Search for all occurences of instruction xchg eax,esp in the address space of module kernel32.dll and display the instructions before and after. Display results only if the page is executable (-e) and if the instructions after contain a RET (-r). The space character from an instruction must be replaced by _ : 

!bdasm -i xchg_eax,esp -m kernel32.dll -e -r 

Search for instruction and disassemble

Disassemble at instruction

Notes:

  • As you can see in the screenshots, backward disassembling can produce multiple results from the same starting address because x86 instructions have variable lengths
  • Backward disassembling does not always produce results when it is started from an arbitrary address because the previous bytes of that address do not always form a valid instruction
  • bdasm tries to go backwards as many instructions as it can find, implementing a kind of backtracking algorithm

Example 2: Search for all occurences of add esp, xxx in module kernel32.dll. To do this, we assemble the instruction add esp, 50 and we obtain the opcode 81c450. So we will search for all occurences of the byte sequence 81c4 in module msvcrt.dll:

!bdasm -o 83c4 -m msvcrt.dll -e -r

Disassemble at opcode / byte sequence

Example 3: Disassemble (backward and forward) from a specific address. Print maximum 4 instructions backward and 6 instructions forward:

!bdasm -a 71ad26b1 -b 4 -f 6

Disassemble at address

 

Installation and usage:

Copy bdasm.py into the PyCommands directory of your Immunity Debugger installation (my path is C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands)

For usage instructions type: !bdasm in the Command Bar of Immunity Debugger.

Hoping that this tool will be useful to you, do not hesitate to send me any feedback!

Cheers,

Advertisements

3 Responses to “Backward disassembler for ROP exploitation”

  1. Saleh Alsanad Says:

    gotta test it, thanks for sharing.

  2. Very useful, thanks a lot!

  3. Great Tool … thanks 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: