The METASM assembly manipulation suite
Take a look at the updates to the repository for more
- 2011/01: yay twitter
- 2010/10: added a mirror on github
- 2010/09: check some Metasm plugins we wrote on ESEC lab's website
- 2010/05: added DynLdr ruby dynamic loader
- 2010/04: basic Dalvik support
- 2010/02: Win32 native Gui
- 2009/09: generic debugger interface (windows/linux/gdbserver)
- 2009/08: support of x64 added (aka x86_64, Ia32e, Ia32 64-bit)
- 2009/07: C decompiler experiment (x86 only)
- 2009/03: metasm is now compatible with ruby 1.9
- 2009/01: the debugger interface can speak with a gdb-server over network (samples/lindebug.rb host:port)
- 2008/12: support for Mach-O and UniversalBinary executable file formats
- 2008/12: support for decoding PPC binary code
- 2008/11: GTK graphical interface for the disassembler (samples/disassemble-gtk.rb)
- 2008/04: can generate a minimal C header from pe or elf imports and a C header set (samples/factorize-headers-*.rb)
- 2007/10: linux console interface for debugging (samples/lindebug.rb)
- 2007/09: minimal C compiler for ia32
- 2007/08: full-blown C parser
- 2007/06: full-fledged C preprocessor
- 2007/06: support for PE/COFF file format
- 2007/04: support for ELF file format
Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger.
It has some advanced features such as live process manipulation, GCC/Microsoft Visual Studio-compatible preprocessor, automatic backtracking in the disassembler (similar to "slicing"), C headers shrinking, linux/windows/remote debugging API interface, a C compiler/decompiler, a gdb-server compatible debugger, and various advanced features. It is written in pure Ruby, with no dependency.
Metasm has been written in such a way that it is easy to add a new architecture. For now, the following architectures are supported:
- Intel IA32 (16/32/64bits)
- Maybe later:
The following file formats are supported:
- Raw (for shellcodes)
- MZ, PE/COFF (32 and 64 bits)
- ELF (32 and 64 bits)
- Mach-O (incomplete) and UniversalBinary
- a few other (a.out, xcoff, nds)
This tool was mainly developed from 2006 to Sept. 2008 at France Telecom R&D. Starting from Oct. 2008, Yoann Guillot will continue development at Sogeti/ESEC.
Metasm has been integrated into Metasploit, however the Metasploit trunk is not necessarily synced with the latest version.
Yoann GUILLOT (Developer) and Julien TINNES (Sales ;) (The 'contact' link on the left is the prefered way to contact us.)
You can also get in touch in the #metasm channel on the Freenode IRC network.
The README documents most stable features.
The samples directory holds a bunch of scripts which demonstrate the use of more or less advanced features (read the comments at the beginning of each file.)
However, the source is the most complete doc available ;)
A beginning of actual documentation (work in progress)(progressing slowly :P)
A few publications on the framework:
- REcon 10: The slides (in English) for the tracer talk, where we speak about developping a code tracer over the debugging engine, then add support for MSR branch tracing, and finally debugging/tracing a broadcom NIC firmware.
- HITB 09: The slides (in English) for the binary deobfuscation talk, quite similar to the one for SSTIC09.
- SSTIC 09: An article about automatic binary deobfuscation with Metasm: article (in English), translated for the Journal of Computer Virology from the original article (in French). The french slides are there too.
- SSTIC 08: Semi automatic unpacking and decompiling with Metasm: article (in English), translated for the Journal of Computer Virology. In french, the original slides and article. It covers the T2'07 challenge and Fabrice Desclaux' poeut.exe (mirrored here). Scripts here and here -- those may need an old version of the framework to run.
- hack.lu: slides from October 2007 - covers an updated version with the C compiler and Rubstop (linux textmode debugger).
- SSTIC 07: article and slides from June 2007 - in French. This article covers a deprecated version but you may still find some relevant informations.
The current developement snapshot is no longer available as a zip file.
To download metasm, you should use mercurial and clone the testing repository:
hg clone https://www.cr0.org/progs/metasm/hg/ metasm
Afterwards you can keep in sync with the latest version by using
hg pull -u
You can also download metasm v0.1 here (completely obsolete - kept only for archeological purposes).