Archive for rop

Backward disassembler for ROP exploitation

Posted in Exploit development, Tools (StormSecurity) with tags , , , , , on September 17, 2010 by stormsecurity

bdasm is a PyCommand that I wrote for Immunity Debugger (v 1.73) which can search the address space of a process for a certain opcode/instruction and dissasemble backward and forward for a  specified number of instructions. 

This is especially useful in the exploit development process when existing gadget finding tools do not produce the results you need and you must extend your search manually. 

When using the return-oriented-programming (ROP) technique for exploit development, you usually need to find useful instructions followed by RET. There are some tools to search for these gadgets (ex. pvefindaddr) but what if they do not find the gadgets you need? The search must be extended and bdasm is the tool you need. 

Use case scenarios: 

Example 1: Search for all occurences of instruction xchg eax,esp in the address space of module kernel32.dll and display the instructions before and after. Display results only if the page is executable (-e) and if the instructions after contain a RET (-r). The space character from an instruction must be replaced by _ : 

!bdasm -i xchg_eax,esp -m kernel32.dll -e -r 

Search for instruction and disassemble

Disassemble at instruction

Notes:

  • As you can see in the screenshots, backward disassembling can produce multiple results from the same starting address because x86 instructions have variable lengths
  • Backward disassembling does not always produce results when it is started from an arbitrary address because the previous bytes of that address do not always form a valid instruction
  • bdasm tries to go backwards as many instructions as it can find, implementing a kind of backtracking algorithm

Example 2: Search for all occurences of add esp, xxx in module kernel32.dll. To do this, we assemble the instruction add esp, 50 and we obtain the opcode 81c450. So we will search for all occurences of the byte sequence 81c4 in module msvcrt.dll:

!bdasm -o 83c4 -m msvcrt.dll -e -r

Disassemble at opcode / byte sequence

Example 3: Disassemble (backward and forward) from a specific address. Print maximum 4 instructions backward and 6 instructions forward:

!bdasm -a 71ad26b1 -b 4 -f 6

Disassemble at address

 

Installation and usage:

Copy bdasm.py into the PyCommands directory of your Immunity Debugger installation (my path is C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands)

For usage instructions type: !bdasm in the Command Bar of Immunity Debugger.

Hoping that this tool will be useful to you, do not hesitate to send me any feedback!

Cheers,