zerosum0x0 / Winrepl
Programming Languages
Projects that are alternatives of or similar to Winrepl
WinREPL
WinREPL is a "read-eval-print loop" shell on Windows that is useful for testing/learning x86 and x64 assembly.
Pre-compiled binaries are available at: https://github.com/zerosum0x0/WinREPL/releases/
zerosum0x0/WinREPL is similar to yrp604/rappel (Linux) and Tyilo/asm_repl (Mac), but with a slightly different methodology that should allow for tricks such as self-modifying shellcode crypting/encoding. There is also enferex/asrepl for a Unicorn (emulated) version, but WinREPL is completely native inside a Windows process context.
Methodology
WinREPL is a debugger (parent process) that hollows out a copy of itself (child process).
- Parent process retrieves input from the user
- Machine code is generated with the ASMTK library
- Resulting bytes are written to a child process thread context
- Child process thread is resumed
- Parent process polls for debug events
Commands
Multiple assembly mnemonics can be executed on a single line by separating with semi-colons. Refer to ASMTK documentation for other syntactic sugar.
Besides being a raw assembler, there are a few extra commands.
.help Show this help screen.
.registers Show more detailed register info.
.read addr size Read from a memory address.
.write addr hexdata Write to a memory address.
.allocate size Allocate a memory buffer.
.loadlibrary path Load a DLL into the process.
.kernel32 func Get address of a kernel32 export.
.shellcode hexdata Execute raw shellcode.
.peb Loads PEB into accumulator.
.reset Start a new environment.
.quit Exit the program.
The following commands are not yet implemented but on the Todo list:
.dep addr size [0/1] Enable or disable NX-bit.
.stack Dump current stack memory contents.
.string data Push a string onto the stack.
.errno Get last error code in child process.
Create a GitHub issue to request other commands.
Other Todo
As always happens, code is rushed and awful.
- Clean up the hodge-podge of C and C++... just make it all C++
- Look into label support
- Better error handling for debug events
- Better command mappings
- Support for AT&T syntax
- Support for ARM architecture
- Perhaps integration with Unicorn for obscure architectures?
- Print useful error messages for debug exceptions like access violations
Building
As I don't want to go to prison, the provided binaries (./bin/winrepl_x86.exe and ./bin/winrepl_x64.exe) are not backdoored. That said, this program works via sorcery that is probably suspicious to antivirus.
You should be able to just initialize the git submodules and build with Visual Studio.
License
ZLIB, a super permissive license. Thanks @mrexodia