Today marks another solar cycle I've spent on this planet. To celebrate I'd like to share one of my toys with all of you.

Adder is a tool I wrote for myself, so that I could experiment with runtime modification of binary applications. I've found it really useful for prototyping run-time patches, understanding the effects and possibilities of call-hooking and other run-time program tweaks; that sort of thing. I hope you might find it useful too...

Binary: http://www.rootkit.com/vault/x3nophi1e/adder-0.3.3-win32.zip ( NT 4 / 2000 / XP / 2003 )
Source: http://www.rootkit.com/vault/x3nophi1e/adder-0.3.3-src.zip
Documentation: http://www.rootkit.com/vault/x3nophi1e/adder-manual.zip ( please read the installation instructions in here. )

The way it works is fairly simple. Adder allows you to inject a python interpreter into any win32 process. That interpreter then runs a script within the context of your target process which is able to instrument and modify the target in any way it sees fit.

Included are extensions to the python language that provide:

- safe pointer support
- execution path hooking in python and C++. Hooks can be installed at something close to instruction granularity.
- x86 instruction manipulation. (based on z0mbie's ADE32 engine)
- programmable x86 instruction disassembler. (a win32 port of libdisasm from The Bastard)
- x86 assembler. (Dave Aitel's Mosdef 1.1)

These features make it easy to play with the deep majik of really low-level code hacking in an efficient, sophisticated, high-level language. So adder is a sort of meta-tool which you might use to script things like:

- dynamic analysis. Hook every function in jscript.dll and graph which ones execute when an HTML page's script runs.
- API interception. Should IE really be allowed to open an .exe straight off the web?
- run-time patching. Get rid of those pesky bugs.
- binary forensics. Packers aren't so hard to crack when they run.

Performance and stability are pretty good at this point.
Since it's a tool I wrote for my own use, there are lots of rough edges that need to be cleaned up. I've been waiting to find the time to fix these for ages and never seem to. So you'll excuse the occasional glitch. Please tell me if you find something really horrid.

Hope you all find this interesting, and maybe even useful.

~x