Date: Wed, 31 Mar 2004 16:32:27 -0500
From: Oliver Lavery <[email protected]>
To: [email protected]
Subject: TOOL: Adder - runtime patching in python
Today marks another solar cycle I've spent on this planet. To celebrate I'd like to share one of my toys with all of you.
Adder is a tool I wrote for myself, so that I could experiment with runtime modification of binary applications. I've found it really useful for prototyping run-time patches, understanding the effects and possibilities of call-hooking and other run-time program tweaks; that sort of thing. I hope you might find it useful too...
Binary:
http://www.rootkit.com/vault/x3nophi1e/adder-0.3.3-win32.zip
( NT 4 / 2000 / XP / 2003 )
Source:
http://www.rootkit.com/vault/x3nophi1e/adder-0.3.3-src.zip
Documentation:
http://www.rootkit.com/vault/x3nophi1e/adder-manual.zip
( please read the installation instructions in here. )
The way it works is fairly simple. Adder allows you to inject a python interpreter into any win32 process. That interpreter then runs a script within the context of your target process which is able to instrument and modify the target in any way it sees fit. Included are extensions to the python language that provide:
- safe pointer support
- execution path hooking in python and C++. Hooks can be installed at something close to instruction granularity.
- x86 instruction manipulation. (based on z0mbie's ADE32 engine)
- programmable x86 instruction disassembler. (a win32 port of libdisasm from The Bastard)
- x86 assembler. (Dave Aitel's Mosdef 1.1)
These features make it easy to play with the deep majik of really low-level code hacking in an efficient, sophisticated, high-level language. So adder is a sort of meta-tool which you might use to script things like:
- dynamic analysis. Hook every function in jscript.dll and graph which ones execute when an HTML page's script runs.
- API interception. Should IE really be allowed to open an .exe straight off the web?
- run-time patching. Get rid of those pesky bugs.
- binary forensics. Packers aren't so hard to crack when they run.
Performance and stability are pretty good at this point. Since it's a tool I wrote for my own use, there are lots of rough edges that need to be cleaned up. I've been waiting to find the time to fix these for ages and never seem to. So you'll excuse the occasional glitch. Please tell me if you find something really horrid.
Hope you all find this interesting, and maybe even useful.
~x