Linux Memory Tools (LMT)
Linux Memory Tools are a set of Linux tools (Python, C and ASM) whose aim is to facilitate exploit
development. These tools can be used to dump process memory, search for patterns and quickly find the addresses of OPCODE locations (instruction mnemonics
are functional but still in development). OPCODE search is possible on an instant memory snapshot or using a file dump. These tools were coded
quickly; consider them as helpful scripts. Return addresses or shellcode locations can be found instantly.
Current version: 0.2
Licence: GPL
Author: Pierre BETOUIN (pierre.betouin@security-labs.org)
MD5: ee818078aefb095992a0780c0ca86651
Download
Components
- Int/
Directory containing scripts to find specific asm patterns in memory.
Copy a binary dump of the memory called "out" into the directory Int/ and then launch the scripts.
Using grep, cut, ... they help to determine whether a specific instruction can be reached in the binary dump.
The script just outputs several different disassemblies with incremental offsets (alignments).
Remember: these scripts were made quickly! ;)
- Resources/
Directory containing an asm template and a script to build the OPCODE(s) you are searching for.
This is a bit poor and dirty but it works (fortunately!)
- Modify template.asm with the instruction you want
- Run make_template.sh and get the corresponding OPCODE(s)
- memory_dumper
Dump a process memory range into a file.
Useful when combined with "hexedit", "strings", ... to find specific patterns, strings, etc.
- opcode_file_finder.py
Find OPCODE(s) in a memory dump file. You can specify a starting address corresponding to the process base address in memory (see /proc/[pid]/maps).
If you don't need it, just specify 0 as the starting address; you'll then just obtain an offset.
- opcode_text_section_memory_finder.py
Find OPCODE(s) directly in the process memory, in the .text section
- opcode_full_memory_finder.py
Find OPCODE(s) in the whole available process memory, searching the live process directly
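As an added example (not part of LMT itself), the core of what opcode_file_finder.py does: search a dump file for a byte pattern and turn each hit into either a plain offset (starting address 0) or a virtual address, taking the base of the first executable mapping from /proc/[pid]/maps. The maps text and the dump bytes below are constructed samples, not output from a real process.

```python
import re

# Constructed sample of /proc/[pid]/maps output (not captured from a real process).
SAMPLE_MAPS = """\
08048000-0804a000 r-xp 00000000 03:01 12345 /tmp/demo
0804a000-0804b000 rw-p 00001000 03:01 12345 /tmp/demo
bffeb000-c0000000 rw-p 00000000 00:00 0      [stack]
"""

# Constructed dump bytes (what memory_dumper would write to a file); 0xcc is int3.
SAMPLE_DUMP = b"\x90\x90\xcc\x31\xc0\xcc\xcc\xc3"

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Return (start, end, perms, path) tuples for each maps-format line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(5).strip()))
    return regions


def executable_base(regions):
    """Base of the first executable mapping: the 'starting address' to pass
    when the dump was taken from that region. Returns 0 if none is found."""
    for start, _end, perms, _path in regions:
        if "x" in perms:
            return start
    return 0


def find_opcodes(dump, pattern, base=0):
    """Every address (offset when base is 0) where pattern occurs in dump.
    Overlapping matches are reported too, since any alignment may be usable."""
    hits = []
    pos = dump.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = dump.find(pattern, pos + 1)
    return hits


def locate(maps_text, dump, pattern):
    """Combine both steps: derive the base from maps, then search the dump."""
    return find_opcodes(dump, pattern, executable_base(parse_maps(maps_text)))
```

With a real dump, read the file with open(path, "rb").read() and paste the matching maps line; the region's offset must be 0 or the dump must start at the region's first byte for the addresses to be exact.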
Requirements
Last updated: Wed 20 September 2006, 10:30:49 (UTC+0200)