Greyhat Ruby (Source Boston)

Posted on April 27, 2011 by

In 2011, I (Stephen A. Ridley) don’t plan on attending too many conferences that require far-away travel, for two reasons: 1) my work isn’t as interesting anymore ;-( and 2) I can’t travel as easily with Sammiches. With Boston being in the northeast (close to us), we decided we’d try SourceBoston out for the first time. We’ve known the conference organizers from past meetings and conferences, but this is the first time we’d attended any of the Source conferences.

SourceBoston was held at the (dog-friendly 🙂) Boston Seaport Hotel, a surprisingly fancy venue on the waterfront adjacent to The World Trade Center of Boston. Unlike many infosec conferences we’ve attended, SourceBoston did a good job of intermingling “suits” with “grunts”: the attendees and speakers hailed from many different levels in their organizations (with a healthy sprinkling of academic types mixed in). There was also quality representation from the different niches of the information security community (from “hardware hacking” to “management and policy”). In short, it’s a cool little conference.

My talk at SourceBoston 2011 was entitled “GreyHat Ruby”. It covered the many ways a devout Python coder has come to find Ruby very useful for information security work. Here is the list from a section of the presentation entitled “12 Good Reasons for C/C++/Python coders” (see the examples, comparisons and screenshots in the slides!):

  1. Ruby has an equally useful interactive interpreter (irb).
  2. Ruby has “real” case/switch statements (case/when, which matches on classes, ranges and regexes via ===).
  3. Ruby has C-style ternary statements.
  4. Ruby has “public” and “private” (and “protected”) method visibility.
  5. Ruby (like C++ and Java) lets you define classes “piecemeal”: reopen a class and split its definition across files!
  6. Ruby has a “container” construct called a “module” that acts as a namespace “directory”, letting you arrange things as you see fit.
  7. Ruby doesn’t automatically make a namespace entry for a required (“included”) file, the way Python’s import does.
  8. Ruby has better “sprintf” functionality (format / String#%).
  9. Ruby has a strong OOP paradigm and convenient getter/setter syntax (attr_reader / attr_accessor).
  10. You can modify Ruby class definitions “on the fly” without cumbersome getattr/setattr.
  11. Ruby supports functional-style programming: it has “blocks” and real anonymous functions (procs and lambdas), not Python’s expression-only lambdas.
  12. Lots of other neat things like send() and __END__.
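
To make several of those items concrete, here is a short added example (not from the talk or its slides) that exercises them in one script; the comments are numbered by the list item they illustrate. GreyHat::Packet and its methods are hypothetical names chosen for this example, and the caveat at the end (send versus public_send) is the one a security tool author most often trips over.

```ruby
# Added example (not from the talk or its slides): several of the items
# above exercised in one script, numbered by the list item they illustrate.
# GreyHat::Packet and its methods are hypothetical names chosen here.

# 6. A module is a namespace "directory": nothing leaks to top level.
module GreyHat
  # 9. Strong OOP with attr_accessor generating getters and setters.
  class Packet
    attr_accessor :proto, :payload

    def initialize(proto, payload)
      @proto = proto
      @payload = payload
    end

    # 2. A real case/when. Each `when` tests with ===, so regexes, strings,
    #    classes, ranges and even lambdas all work as patterns.
    def classify
      case payload
      when /\A(GET|POST) /                            then :http
      when ->(s) { s.bytes.first(2) == [0x16, 0x03] } then :tls   # TLS record header
      when ""                                         then :empty
      else                                                 :unknown
      end
    end

    # 3. C-style ternary.
    def size_class
      payload.bytesize > 1400 ? :large : :small
    end

    # 8. sprintf-style formatting with widths and padding.
    def summary
      format("%-4s %5d bytes %s", proto, payload.bytesize, hexdigest)
    end

    # 4. Everything below `private` is hidden from callers outside the class.
    private

    def hexdigest
      payload.bytes.first(4).map { |b| format("%02x", b) }.join
    end
  end
end

# 5/10. Reopen the class later (this could be a separate file) and add to it
#       at runtime. define_method takes a block, so methods can be generated.
module GreyHat
  class Packet
    %w[tcp udp icmp].each do |name|
      define_method("#{name}?") { proto == name.to_sym }
    end
  end
end

# 11. Blocks are closures passed to a method; `yield` runs the caller's code.
def each_packet(packets)
  packets.each { |pkt| yield pkt }
end

# 12. send() calls a method chosen at runtime. Caveat for security tooling:
#     send bypasses `private`; public_send honours it. When the method name
#     comes from untrusted input (a CLI verb, a parsed command), dispatch with
#     public_send plus an allowlist, never with send.
def reachable?(pkt, method_name, via: :public_send)
  pkt.__send__(via, method_name)
  true
rescue NoMethodError
  false
end
```

Run it under irb to see item 1 as well: load the file, build a `GreyHat::Packet.new(:tcp, "GET / HTTP/1.1")` and poke at it interactively.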

After that list, I dive into some of the things specifically useful for information security professionals:

  1. Accessing “foreign” functions: getting your Ruby code to call into DLLs and shared objects.
  2. Existing pure-Ruby process debuggers and hit-tracers.
  3. Using JRuby to talk to Java RMI services.
  4. Ruby and IDA.
  5. Building quick, user-friendly CLIs (like Python’s Cmd module).
  6. Plugging Ruby into Burp.
  7. Using Ruby’s Win32OLE/Win32API/RubyDL to “script” mouse clicks and keyboard actions on Windows via User32 (demo video here).
  8. Complete browser automation (Firefox, IE, Safari), allowing you to “script” user interaction with the browser (web pen-testing, QA, or fuzzing!).
  9. Writing distributed code with DRb and Rinda (don’t bother with socket code; or, build a distributed fuzz farm!).
  10. Using Ruby to create “Domain Specific Languages” for your tasks (like fuzzing ;-).
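
As an added example of item 10 (not from the talk or its slides), here is a tiny fuzzing DSL in pure Ruby. It uses the features from the first list (blocks, instance_eval, open classes) to let you describe a message as fields with mutations, then generates one mutated case per mutation and drives a target with a block. Fuzz::Spec, field, mutate, cases and run are hypothetical names chosen here, and the request-line spec and toy target are constructed for the example.

```ruby
# Added example (not from the talk or its slides): a tiny Ruby DSL for
# describing a protocol message and generating mutated test cases from it.
# Fuzz::Spec, field, mutate, cases and run are hypothetical names chosen here.
module Fuzz
  Field = Struct.new(:name, :default, :mutators)

  # Collects the `mutate` statements written inside a `field` block.
  class FieldBuilder
    attr_reader :mutators

    def initialize
      @mutators = []
    end

    # DSL verb: mutate(:label) { |original_value| mutated_value }
    def mutate(label, &block)
      @mutators << [label, block]
    end
  end

  class Spec
    attr_reader :fields

    # Entry point: the block is evaluated with the Spec as `self`, so bare
    # `field ... do ... end` statements inside it become method calls.
    def self.define(&block)
      spec = new
      spec.instance_eval(&block)
      spec
    end

    def initialize
      @fields = []
    end

    # DSL verb: field :name, "default value" do ... mutate ... end
    def field(name, default, &block)
      builder = FieldBuilder.new
      builder.instance_eval(&block) if block
      @fields << Field.new(name, default, builder.mutators)
    end

    # The unmutated message: every field at its default.
    def baseline(sep = " ")
      fields.map(&:default).join(sep)
    end

    # One case per (field, mutator): that field mutated, all others at default.
    # Returns [["field/label", message], ...] in definition order.
    def cases(sep = " ")
      fields.each_with_index.flat_map do |f, i|
        f.mutators.map do |label, fn|
          values = fields.map(&:default)
          values[i] = fn.call(f.default)
          ["#{f.name}/#{label}", values.join(sep)]
        end
      end
    end

    # Drive a target. The block is the "send and observe" step and returns
    # truthy when the target misbehaves; the labels of those cases come back.
    def run(sep = " ")
      cases(sep).select { |label, msg| yield(label, msg) }.map(&:first)
    end
  end
end

# A request-line spec written in the DSL. Field defaults and mutations are
# constructed for this example.
HTTP_REQUEST = Fuzz::Spec.define do
  field :method, "GET" do
    mutate(:long)  { |_| "A" * 4096 }
    mutate(:lower) { |v| v.downcase }
  end
  field :path, "/index.html" do
    mutate(:traversal) { |_| "/../" * 16 + "etc/passwd" }
    mutate(:fmtstr)    { |v| v + "%n%n%s" }
  end
  field :version, "HTTP/1.1" do
    mutate(:negative) { |_| "HTTP/-1.1" }
  end
end

# Constructed stand-in for a real target (a socket write plus a crash check).
# It "crashes" on oversized input or a format string so the DSL has
# something to find offline.
def toy_target(msg)
  msg.bytesize > 1024 || msg.include?("%n")
end
```

In real use the block passed to run would write each message to a socket and check whether the service is still answering; swapping that block for a DRb call to a remote worker is how the same spec scales out to the distributed fuzz farm mentioned in item 9.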

That’s it in a nutshell. If you want to see more detail:

Check out the slides!