Backward disassembler for ROP exploitation

bdasm is a PyCommand that I wrote for Immunity Debugger (v 1.73) which can search the address space of a process for a certain opcode/instruction and dissasemble backward and forward for a  specified number of instructions.
This is especially useful in the exploit development process when existing gadget finding tools do not produce the results you need and you must extend your search manually.
When using the return-oriented-programming (ROP) technique for exploit development, you usually need to find useful instructions followed by RET. There are some tools to search for these gadgets (ex. pvefindaddr) but what if they do not find the gadgets you need? The search must be extended and bdasm is the tool you need.
Use case scenarios:
Example 1: Search for all occurences of instruction xchg eax,esp in the address space of module kernel32.dll and display the instructions before and after. Display results only if the page is executable (-e) and if the instructions after contain a RET (-r). The space character from an instruction must be replaced by _ :
!bdasm -i xchg_eax,esp -m kernel32.dll -e -r
 

Notes:
  • As you can see in the screenshots, backward disassembling can produce multiple results from the same starting address because x86 instructions have variable lengths
  • Backward disassembling does not always produce results when it is started from an arbitrary address because the previous bytes of that address do not always form a valid instruction
  • bdasm tries to go backwards as many instructions as it can find, implementing a kind of backtracking algorithm
Example 2: Search for all occurences of add esp, xxx in module kernel32.dll. To do this, we assemble the instruction add esp, 50 and we obtain the opcode 81c450. So we will search for all occurences of the byte sequence 81c4 in module msvcrt.dll:
!bdasm -o 83c4 -m msvcrt.dll -e -r


Example 3: Disassemble (backward and forward) from a specific address. Print maximum 4 instructions backward and 6 instructions forward:
!bdasm -a 71ad26b1 -b 4 -f 6


Installation and usage:
Copy bdasm.py into the PyCommands directory of your Immunity Debugger installation (my path is C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands)
For usage instructions type: !bdasm in the Command Bar of Immunity Debugger.


Category Article

One Response to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment