TOOL: Adder - runtime patching in python
Today marks another solar cycle I've spent on this planet. To celebrate I'd
like to share one of my toys with all of you.
Adder is a tool I wrote for myself, so that I could experiment with runtime
modification of binary applications. I've found it really useful for
prototyping run-time patches, understanding the effects and possibilities of
call-hooking and other run-time program tweaks; that sort of thing. I hope
you might find it useful too...
Binary:
http://www.rootkit.com/vault/x3nophi1e/adder-0.3.3-win32.zip
( NT 4 / 2000 / XP / 2003 )
Source:
http://www.rootkit.com/vault/x3nophi1e/adder-0.3.3-src.zip
Documentation:
http://www.rootkit.com/vault/x3nophi1e/adder-manual.zip
( please read the installation instructions in here. )
The way it works is fairly simple. Adder allows you to inject a python
interpreter into any win32 process. That interpreter then runs a script
within the context of your target process which is able to instrument and
modify the target in any way it sees fit. Included are a extensions to the
python language that provide:
- safe pointer support
- execution path hooking in python and C++. Hooks can be installed at
something close to instruction granularity.
- x86 instruction manipulation. (based on z0mbie's ADE32 engine)
- programmable x86 instruction disassembler. (a win32 port of libdisasm from
The Bastard)
- x86 assembler. (Dave Aitel's Mosdef 1.1)
These features make it easy to play with the deep majik of really low-level
code hacking in an efficient, sophisticated, high-level language. So adder
is a sort of meta-tool which you might use to script things like:
- dynamic analysis. Hook every function in jscript.dll and graph which ones
execute when a HTML page's script runs.
- API interception. Should IE really be allowed to open an .exe straight of
the web?
- run-time patching. Get rid of those pesky bugs.
- binary forensics. Packers aren't so hard to crack when they run.
Performance and stability are pretty good at this point. Since it's a tool I
wrote for my own use, there are lots of rough edges that need to be cleaned
up. I've been waiting to find the time to fix these for ages and never seem
to. So you'll excuse the occasional glitch. Please tell me if you find
something really horrid.
Hope you all find this interesting, and maybe even useful.
~x
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004