Inspector Gadget

From Inspector Gadget
Jump to: navigation, search

What is Inspector Gadget?

Currently Inspector Gadget is a learning aid for understanding the process of evading Data Execution Prevention by ROP chaining.
In the future I hope it will be more useful, as I have many ideas, though limited time to make them happen.

Why did you make inspector gadget?

About one year ago I decided to catch up on what have happened in the "memory corruption to arbitrary code execution" world since I last visited it.
I realized that exploiting a stack based buffer overflow was not as easy as in the old days, though found comfort in´s great tutorials and tools.
I decided the first thing I wanted to accomplish was to create a vulnerable application and exploit it.
So I made my own DEP and ASLR protected application containing a stack based buffer overflow in- linked it with an older pre-compiled downloadable version of the OpenSSL dll that does not use ASLR nor DEP.
In the process of writing my own exploit using the top of the line tools (MONA in Immunity Debugger), I got really tired of searching text documents for ROP gadgets, and constantly restarting the application, feeding it data, stepping through it line by line, only to step one line too many and restart again.

"There have to be an easier way to do this" I thought. And so the seed was planted.
My primary goal was to avoid the constant restarting, so I needed to make it possible to "fork" into experimental exploit pathways, if a path take a wrong turn, it should be easy to step back, and try again- without restarting and pressing F8 hundreds of times.
I also wanted a new way to search for ROP gadgets. I wanted to ask: "What gadgets increases EAX with 2" instead of freetext query "INC EAX, 2".
I wanted to find a gadget that does "INC EAX; INC EAX" or "ADD EAX, 2", the details of the gadget should not matter, all I really was interested in was the effect on the registers.
I started to think about what such an application would require: Debugging capabilities, VM simulation, a dedicated GUI, disassembly functionalities, and lots of work.
I also realized it would be a fun way to learn a lot about all my favorite low level topics, so I decided to make Inspector Gadget.

How far is Inspector Gadget in the development process now?

I vastly underestimated the amount of work required to make my ideas work. Especially the GUI is labor intensive, so for this first beta release I have only tested on my home made exploitable applications.
I hope that even at this stage it will be an easier way for people to learn how to write ROP chains.
I also hope that even though the simulation and GUI part might not work on other executables, at least the gadget indexing and searching features will.

Under what license will you release Inspector Gadget?

Currently I have decided to use the FreeBSD License and make the GUI part open source, but the main motor executable will not be open source, though free of charge.