Reading Legacy Code to Harmonize Ruby and Rails Code Loaders

Luke Imhoff

	luke_imhoff@rapid7.com	Kronic.Deth@gmail.com
	@limhoff-r7	@KronicDeth
		@KronicDeth

Background

Code-Loading in Ruby and Rails
Loader	Extension Required	Loads Only Once	Synchrony	Loads
`Kernel.load`	Yes	No	Synchronous	File
`Kernel.require`	No	Yes	Synchronous	File
`Kernel.autoload`	No	Yes	Asynchronous	File
`ActiveSupport::Autoload#autoload`	No	Yes	Asynchronous	File
`ActiveSupport::Dependencies#autoload_paths`	No	Either	Asynchronous	Directory Tree

All these methods search $LOAD_PATH. ActiveSupport::Autoload will automatically infer the file path based on the parent Ruby Module's name and the constant being loaded. The infered file path follows the Rails convention of namespace Ruby Modules mapping to directories and the final Ruby Class or Module being a file. ActiveSupport::Dependencies.autoload_paths goes a step farther with the Rails conventions and you just have to give the root of directory trees that follow the Rails naming convention. Most developers will be use ActiveSupport::Dependencies.autoload_paths only indirectly from Rails's config.autoload_paths.

Setting

metasploit-framework: 9 years old (5 ruby / 4 perl)
Metasploit Pro: 2 years old
Rails 3.2.2: 5 months old

UI

A standard Rails application

prosvc

daemon UI uses to run metasploit-framework

pro
- engine
  - prosvc.rb
- modules (Metasploit Pro Modules)
- msf3
  - modules (Metasploit Framework Modules)
- ui

prosvc

it had a few problems

Too long

610 lines

Emulating `config.autoload_paths`

Adding a new class to UI and prosvc

Add normally to UI
Determine which classes have to be loaded before
Find earliest spot in prosvc to do require
Add require
Start prosvc
Debug load errors
Goto 2

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc

Tools

Rails Guides
Rubygems.org
Github
ack
Rubymine

Rails Guides

http://guides.rubyonrails.org/

High-level intros
Low-level configuration details

Rubygems.org

Find documentation
Find source
Follow dependencies

Github

Search for code
Search for issues
Software Archaeology
- Branch and Tag viewer
- Following blame and parent commit links

ack

Like grep, but smarter
Automatically searches current directory tree
Ignores .git
Automatically prints matching lines with line numbers and highlights

Rubymine

Static language tools for dynamic Ruby

See Ruby Modules/Classes and method in Structure View
CMD+Click on method to see its definition
Find usages of method
Assisted refactoring
Graphical debugging

Structure View is great when a file isn't well organized so you can quickly get an overview of the methods and not have to worry about method order. CMD+Click means you can follow a call graph statically to understand how methods are related. Find Usages can find methods by name and even works with dynamic dispatch like send. My favorite feature though is graphical debugging. I can place break points as I'm debugging without editting the code. The debugger can jump between threads and processes.

`config.autoload_paths` outside Rails

Barriers to `config.autoload_paths` in `prosvc`

Don't know how to use outside of Rails
Don't know how config.autoload_paths works
Don't know which gem handles config.autoload_paths

RTF MG

config.autoload_paths is mentioned in the Configuring guide

Where is `set_autoload_paths`?

Search rubygem.org for rails
Show all versions
Find 3.2.2

Gem	Purpose
actionmailer	sending mail
activerecord	database records
activeresource	non-database records
bundler	dependency management
actionpack	?
activesupport	?
railties	?

Check actionpack, activesupport, and railties

No Source Links
Assume rails Source Links

Searching Legacy Code

Try Github search
Realize Github search only works on master
Clone rails
Checkout 3.2.2
Search locally


cd ~/git
mkdir rails
cd rails
git clone git@github.com:rails/rails.git
cd rails
git checkout v3.2.2
ack set_autoload_paths

`ack set_autoload_path`

Configuring guide source
DSL call to define initializer

`railties/lib/rails/engine.rb:536`

`_all_autoload_paths`

_all_autoload_paths uses autoload_paths, eager_load_paths, and autoload_once_paths from config.

Emulate `set_autoload_paths`

config.autoload_paths
~~config.eager_load_paths~~
~~config.autoload_once_paths~~

ActiveSupport::Dependencies.autoload_paths.unshift(config.autoload_paths)

Calling initializers without `Rails::Engine`

Initializers are just methods
Need to emulate calling convention too

Back to the Guide

From the guide, we know to find the initializer that happen before set_autoload_paths, and therefore, may be required to emulate set_autoload_paths, we need to look for initializers before set_autoload_paths or that have :before => :set_autoload_paths

`set_load_path`

`_all_load_paths`

_all_load_paths depends on _all_autoload_paths, which means that set_autoload_paths depends on set_load_paths because any autoload path must be added as a normal load path and I should port set_load_paths in addition to set_autoload_paths.

Separating initializers and configuration

System	Initializers	Configuration
Rails	`Rails::Engine`	`Rails::Engine::Configuration`
prosvc	`Metasploit::Configured`	`Metasploit::Configuration`


require 'active_support/concern'

# TODO this should be a Rails::Engine if engine is ever moved under ui
module Metasploit::Configured
  extend ActiveSupport::Concern

  module ClassMethods
    def configuration
      @configuration ||= self::Configuration.new
    end

    def initialize!
      configuration.initializers.each do |initializer|
        send(initializer)
      end
    end

    def eager_load!
      configuration.dependencies.each(&:eager_load!)

      # Adapted from Rails::Engine#eager_load!
      configuration.eager_load_paths.each do |load_path|
        # strip the load_path itself from the name because the load_path is already add to $LOAD_PATH by
        # {#set_load_path}.
        # strip extension as it's not normally passed to require.
        require_path_regex = /\A#{Regexp.escape(load_path)}\/(.*)\.rb\Z/
        glob = "#{load_path}/**/*.rb"

        Dir.glob(glob) do |path|
          require_path = path.sub(require_path_regex, '\1')

          require_dependency require_path
        end
      end
    end

    def root
      configuration.root
    end

    def set_load_path
      configuration.dependencies.each(&:set_load_path)

      # reverse because unshift is pushing onto the front
      configuration.all_autoload_paths.reverse_each do |path|
        if File.directory?(path)
          $LOAD_PATH.unshift(path)
        end

        # uniq at end in case all_autoload_paths include paths already in $LOAD_PATH
        $LOAD_PATH.uniq!
      end
    end

    def set_autoload_paths
      configuration.dependencies.each(&:set_autoload_paths)

      ActiveSupport::Dependencies.autoload_paths.unshift(*configuration.all_autoload_paths)

      # Freeze so future modifications error out instead of being silently ignored
      configuration.autoload_paths.freeze
      configuration.eager_load_paths.freeze
    end
  end
end


require 'active_support/concern'

module Metasploit::Configured
  module ClassMethods
    def configuration
      @configuration ||= self::Configuration.new
    end
  end
end

`self::Configuration`	`Configuration`
Scoped to base class	Scoped to `Metasploit::Configured::ClassMethods`


module Metasploit::Configured
  module ClassMethods
    def initialize!
      configuration.initializers.each do |initializer|
        send(initializer)
      end
    end
  end
end

initializers are assumed to be in order
initializers are assumed to be methods
initialize! to match Rails convention


# Load the rails application
require File.expand_path('../application', __FILE__)

# Initialize the rails application
Pro::Application.initialize!


module Metasploit::Configured
  module ClassMethods
    def eager_load!
      configuration.dependencies.each(&:eager_load!)

      # Adapted from Rails::Engine#eager_load!
      configuration.eager_load_paths.each do |load_path|
        # strip the load_path itself from the name because the load_path is
        # already add to $LOAD_PATH by {#set_load_path}.
        # strip extension as it's not normally passed to require.
        require_path_regex = /\A#{Regexp.escape(load_path)}\/(.*)\.rb\Z/
        glob = "#{load_path}/**/*.rb"

        Dir.glob(glob) do |path|
          require_path = path.sub(require_path_regex, '\1')

          require_dependency require_path
        end
      end
    end
  end
end


module Metasploit::Configured
  module ClassMethods
    def root
      configuration.root
    end
  end
end

Allow Metasploit::Pro.root
Emulate Rails.application.root


module Metasploit::Configured
  module ClassMethods
    def set_load_path
      configuration.dependencies.each(&:set_load_path)

      # reverse because unshift is pushing onto the front
      configuration.all_autoload_paths.reverse_each do |path|
        if File.directory?(path)
          $LOAD_PATH.unshift(path)
        end

        # uniq at end in case all_autoload_paths include paths
        # already in $LOAD_PATH
        $LOAD_PATH.uniq!
      end
    end
  end
end


module Rails
  class Engine < Railtie
    def ordered_railties
      railties.all + [self]
    end

    def initializers
      initializers = []
      ordered_railties.each do |r|
        if r == self
          initializers += super
        else
          initializers += r.initializers
        end
      end
      initializers
    end
  end
end

There are multiple initializers with same name (one per engine/application)
Engine initializers are called before application initializers


module Metasploit::Configured
  module ClassMethods
    def set_load_path
      configuration.dependencies.each(&:set_load_path)

      # reverse because unshift is pushing onto the front
      configuration.all_autoload_paths.reverse_each do |path|
        if File.directory?(path)
          $LOAD_PATH.unshift(path)
        end

        # uniq at end in case all_autoload_paths include paths
        # already in $LOAD_PATH
        $LOAD_PATH.uniq!
      end
    end
  end
end


module Rails
  class Engine < Railtie
    initializer :set_load_path, :before => :bootstrap_hook do
      _all_load_paths.reverse_each do |path|
        $LOAD_PATH.unshift(path) if
        File.directory?(path)
      end
      $LOAD_PATH.uniq!
    end
  end
end

Engine (dependency) initializer calling is explicit
Rest is code style differences


module Metasploit
  class Configuration
    def all_autoload_paths
      all_autoload_paths = autoload_paths + eager_load_paths
      unique_autoload_paths = all_autoload_paths.uniq

      unique_autoload_paths
    end

    def autoload_paths
      @autoload_paths ||= []
    end

    def dependencies
      @dependencies ||= []
    end

    def eager_load_paths
      @eager_load_paths ||= []
    end

    def initializers
      # XXX not sure I like that initializer methods that only exist in
      # Metasploit::Configured are used here.
      @initializers ||= [
        :set_load_path,
        :set_autoload_paths,
        :eager_load!
      ]
    end

    attr_reader :root
  end
end


module Metasploit
  class Configuration
    def initializers
      # XXX not sure I like that initializer methods that only exist in
      # Metasploit::Configured are used here.
      @initializers ||= [
        :set_load_path,
        :set_autoload_paths,
        :eager_load!
      ]
    end
  end
end

No :before
No :after
Order is explicit
Simplified ordering code

Porting prosvc

prosvc requires

For each line

Determine load path

For each load path

Determine shared root


$:.unshift(File.expand_path(File.join(File.dirname(__FILE__), 'lib')))               # engine/lib
$:.unshift(File.expand_path(File.join(File.dirname(__FILE__), '..', 'msf3', 'lib'))) # msf3/lib

# ...

require_relative '../ui/config/initializers/carrierwave'                             # ui/config/initializers

#
# Load specific patches for system libraries
#
if arch == "win32"
  require "win32/registry"                                                           # engine/lib
  require "patches/win32_registry"                                                   # engine/lib
end

# ...

#
# Require our basic libraries and start loading
#
require 'metasploit_data_models'                                                    # (gem)
include MetasploitDataModels
# Figure out the rails path
rails_app_path = File.expand_path(File.dirname(__FILE__)) + "/../ui/app"
# Bring all Mdm::* models into view
Dir.glob("#{rails_app_path}/models/mdm/*.rb").each do |mdm_model_path|              # ui/app/models
  require mdm_model_path
end

# ---- BEGIN - Load all things SocialEngineering from Rails ----
module LiquidTemplating; end
liquid_files = Dir.glob("#{rails_app_path}/../lib/liquid_templating/*.rb")          # ui/lib
liquid_files.sort.each do |liquid_path|
  require liquid_path
end

# TODO: any better way to have both Rails and prosvc happy w/ talking to License?
require "#{rails_app_path}/models/license.rb"                                       # ui/app/models


# Declare the module manually - Rails does this from directory structure
module SocialEngineering; end
require "#{rails_app_path}/uploaders/social_engineering/campaign_file_uploader.rb"        # ui/app/uploaders

manually_loaded_models = ["human_target", "email", "web_page_attack_config_interface"]
skippable_files = ["campaign_task"]
require "#{rails_app_path}/models/social_engineering/human_target.rb"                     # ui/app/models
# avoid chicken-egg
require "#{rails_app_path}/models/social_engineering/web_page_attack_config_interface.rb" # ui/app/models
# avoid chicken-egg

se_files = Dir.glob("#{rails_app_path}/models/social_engineering/*.rb")
se_files.sort.each do |se_model_path|
  file_name = File.basename(se_model_path).split('.').first
  next if skippable_files.include? file_name
  next if manually_loaded_models.include? file_name
  require se_model_path                                                                   # ui/app/models
end
# ---- END - Load all things SocialEngineering from Rails ----

require 'msf/ui'                                                                          # msf3/lib
require 'rex'                                                                             # msf3/lib

# Metasploit Core API
require 'msf/core/rpc/v10/service'                                                        # msf3/lib

# Pro API
require 'pro/filters'                                                                     # engine/lib
require 'pro/config'                                                                      # engine/lib
require 'pro/rpc/v10/rpc_pro'                                                             # engine/lib

# Pro Mixins
require 'pro/mixins'                                                                      # engine/lib

# Pro Hooks
require 'pro/hooks'                                                                       # engine/lib

# Pro Client
require 'pro/client'                                                                      # engine/lib

# Background Daemon
require 'pro/bgdaemon'                                                                    # engine/lib

# NginX
require "pro/nginx"                                                                       # engine/lib


require 'logger'                                                      # (standard library)
# ...

# Load individual namespaces and models
require_relative "#{rails_app_path}/models/user_session.rb"           # ui/app/models
require_relative "#{rails_app_path}/models/task_chain.rb"             # ui/app/models
require_relative "#{rails_app_path}/models/scheduled_task.rb"         # ui/app/models
require_relative "#{rails_app_path}/models/campaign.rb"               # ui/app/models
require_relative "#{rails_app_path}/models/attachment.rb"             # ui/app/models
require_relative "#{rails_app_path}/models/email_template.rb"         # ui/app/models
require_relative "#{rails_app_path}/models/email_address.rb"          # ui/app/models
require_relative "#{rails_app_path}/models/web_template.rb"           # ui/app/models


# Load classes in lib root
ui_lib_path = File.expand_path(File.dirname(__FILE__)) + "/../ui/lib"
require "#{ui_lib_path}/sender.rb"                                    # ui/lib
lib_files = Dir.glob("#{ui_lib_path}/*.rb")
lib_files.sort.each do |lib_class|
  require lib_class                                                   # ui/lib
end

Load Paths

engine/lib
msf3/lib
ui/config/initializers
ui/app/models
ui/lib
ui/app/uploaders

Roots

msf3 (metasploit‑framework)
ui
engine


module Metasploit::Framework
  class Configuration < Metasploit::Configuration
    def initialize
      @root = Metasploit::Pro.root.join('msf3')

      lib_pathname = root.join('lib')
      lib_path = lib_pathname.to_s
      autoload_paths << lib_path

      base_pathname = root.join('lib', 'base')
      base_path = base_pathname.to_s
      autoload_paths << base_path
    end
  end
end


module Metasploit::Pro::Engine
  class Configuration < Metasploit::Configuration
    def initialize
      @dependencies = [
        Metasploit::Framework,
        Metasploit::Pro::UI
      ]

      @root = Metasploit::Pro.root.join('engine')

      lib_pathname = root.join('lib')
      lib_path = lib_pathname.to_s
      autoload_paths << lib_path
    end
  end
end


module Metasploit::Pro::UI
  class Configuration < Metasploit::Configuration
    def initialize
      @root = Metasploit::Pro.root.join('ui')

      lib_pathname = root.join('lib')
      lib_path = lib_pathname.to_s
      autoload_paths << lib_path

      # Some models reference the controllers,
      # so app/controllers needs to be added to autoload paths
      controllers_pathname = root.join('app', 'controllers')
      controllers_path = controllers_pathname.to_s
      autoload_paths << controllers_path

      uploaders_pathname = root.join('app', 'uploaders')
      uploaders_path = uploaders_pathname.to_s
      autoload_paths << uploaders_path

      models_pathname = root.join('app', 'models')
      models_path = models_pathname.to_s
      autoload_paths << models_path
    end
  end
end

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc

Testing with Metasploit Module Loader

A Side Note on Narrative

I didn't know this use case when I wrote this originally
I was just restart prosvc over and over for a couple weeks
egypt pointed out this use case in the PR

Metasploit Framework

Tool for running or developing exploits to test the security of remote computers
Used to test if your network is vulnerable to malware
Used to test if your internal security practices can defend from attackers

Metasploit Modules

Content for Metasploit Framework

Stored in modules directory
Assigned a type (auxiliary, encoders, exploits, nops, payloads, post)
Implemented as either a Ruby Class or a Ruby Module

Main Metasploit Module Types

Exploit: Deliver a payload by taking advantage of a bug
Payload: The thing that allows an attacker to control a compromised machine
Post: Pillage and burn
Auxiliary: Do something networky

`msfconsole`

Shell for interacting with Metasploit Framework
use command can instantiate a Metasploit Module
set command configures the instance of the Metasploit Module
run launch the instance of the Metasploit Module

Most use, to actually use Metasploit Framework's content will use the msfconsole Think of msfconsole as the irb or rails console for Metasploit Framework. It's called msfconsole because MSF is the community's abbreviation for "Metasploit Framework" even though we don't capitalize the 's' in "Metasploit".

`msfpro`

`msfconsole` with access to Metasploit Pro features

msfpro start-up

Loads all Metasploit Modules
1. Loads all autoload_paths
Presents prompt

msfpro test

Loads all Metasploit Modules
1. Loads all autoload_paths
Presents prompt
Remove autoload_path class constant
Force reload of autoload_path class

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Fix NameError

How do I fix the code?

Use Call stack (backtrace)
Look at first line

const_defined? itself raised the exception and name is malformed. Name is a String (and not a symbol or object that responds to #to_s) since it comes from names and names comes from camel_cased_word, which calls split, which looks like String#split. #<KLASS:HEX> is the MRI format for no inspect.

constantize is a pure function, meaning it does not modify self. A pure function's behavior is completely controlled by the arguments to the function, so following the argument will lead to the root cause of the problem.

What called const_missing?

const_missing is implicitly called by Ruby VM when accessing SocialEngineering

Dataflow

name
name.presence
klass_name
klass_name.to_s
klass_name.to_s.scan
nesting

Origin of wrong name

Entire Module#name
Part of Module#name containing ::

To the debugger!

symlinks prevent ruby-debug-ide breakpoints from triggering
pry not built for production
debugger not built for production

print debugging

Namespace Module is wrong

Where is `Metasploit3?`

Metasploit Module Naming Convention

MetasploitN
- N is minimum major version of Metasploit Framework
1821 Metasploit3 Ruby Classes/Modules
32 Metasploit4 Ruby Classes/Modules

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Fix NameError
- Find Module.new usages
- De-anonymize Module.new usages

We can replace fixing the NameError with the actual work of find Module.new and not making it anonymous anymore, which was the root cause of the NameError

`Module.new` Usages

`Msf::ModuleManager#reload_module`

`Msf::ModuleManager#load_module_from_file`

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Find Module.new usages
- De-anonymize Module.new usages
- Replace Module.new in Msf::ModuleManager#load_module_from_file
- Replace Module.new in Msf::ModuleManager#reload_module

Replace `Module.new`

The name must be unique to prevent naming collisions
The name must be deterministic to allow replacement on reload

name is / separated ( auxiliary/pro/social_engineering/web_phish)
String#camelize will convert / separated to Module#name


>> "auxiliary/pro/social/engineering/web_phish".camelize
=> "Auxiliary::Pro::SocialEngineering::WebPhish"

Why start with `Object`?

Object is root of constant names
Derived from ModuleConstMissing#const_missing

Complications

Some directories aren't valid constant names

Hex-escaping

Reversibility preserves uniqueness
Prefix with 'X' to prevent decimal digits at start of escaped name

Reloading

Walking Down the Tree

Partial existence

Anonymous?! Module Creation

child_name not passed to Module.new

Module#name is set on first const_set
Module#name cannot be reset

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Find Module.new usages
- Replace Module.new in Msf::ModuleManager#load_module_from_file
- Replace Module.new in Msf::ModuleManager#reload_module

All that's left to do is Replace Module.new in Msf::ModuleManager#reload_module, but while working on Msf::ModuleManager#load_module_from_file and I started to understand the code better, it annoyed me how the code was organized because it was making my work hard to do, which means it probably will be hard for other developers to work on this code. Therefore, I should start refactoring to make this easier.

Refactoring to ease understanding

Read code
Understand code
Refactor code

Refactoring

Small changes
Improve clarity of code
Ease changing code later
Does not affect external API

Features and Bug fixes

Variable size changes
Improve functioning of code
Complicate changing code later
Externally visible

Separate refactoring from features or bug fixes

Easier to confirm refactoring does not change external behavior
Easier to see change was minimum to fix bug
Easier to see minimum viable change was done to implement feature
Allow refactoring to be reviewed in a separate PR and benefit other developers sooner

Refactoring Goals

One Class/Module Per File
Group Related Methods into Included Ruby Modules
Break up into classes
- Separate extracted class from source class
- Extract external dependencies from internal represenation

One Class/Module per file

Make code easier to find
Follows Rails convention for loading

One Class/Module Per File
Group Related Methods into Included Ruby Modules
Break up into classes
- Separate extracted class from source class
- Extract external dependencies from internal represenation

Group related methods into included Ruby Modules

Intermediate step before extracting Classes
Moves ensure no method calling changes required
Less thorough testing required than extract Class

	Internal	External
Single	add_module
autosubscribe_module
demand_load_module
failed
	has_module_file_changed?
	load_module_from_file
	load_module_source
on_module_load
Multiple	load_modules	load_modules_from_directory

The Rewrite

on_* implies callback
Only deal with manipulating Msf::ModuelManager or Msf::ModuleSet state

Keep in Msf::ModuleManager::Loading

One Class/Module Per File
Group Related Methods into Included Ruby Modules
Break up into classes
- Separate extracted class from source class
- Extract external dependencies from internal represenation

All common methods stayed in the source class, but we were able to determine that the integration point between the source class and the extract class is #load_modules

Extracting external dependencies from internal representation

Examine each method
Look for lines that leak the external representation
Extract prefix/suffix leaks to abstract methods that must be overridden
Extract duplication around subclass behavior to superclass helper method that takes a block

I moved everything before the call to #load_module_from_file out into #each_module_reference_name, which can deal with the path filters, which are an external concern to be handled by. This allows load_module to only handle the internal representation. With the yield signature for each_module_reference_name the module could be coming from a filesystem, a zip, or a database.


class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
  protected

  # Yields the module_reference_name for each module file found under the directory path.
  #
  # @param [String] path The path to the directory.
  # @yield (see Msf::Modules::Loader::Base#each_module_reference_name)
  # @yieldparam [String] path The path to the directory.
  # @yieldparam [String] type The type correlated with the directory under path.
  # @yieldparam module_reference_name (see Msf::Modules::Loader::Base#each_module_reference_name)
  # @return (see Msf::Modules::Loader::Base#each_module_reference_name)
  def each_module_reference_name(path)
    ::Dir.foreach(path) do |entry|
      if entry.downcase == '.svn'
        next
      end

      full_entry_path = ::File.join(path, entry)
      type = entry.singularize

      unless ::File.directory?(full_entry_path) and
        module_manager.type_enabled? type
        next
      end

      full_entry_pathname = Pathname.new(full_entry_path)

      # Try to load modules from all the files in the supplied path
      Rex::Find.find(full_entry_path) do |entry_descendant_path|
        if module_path?(entry_descendant_path)
          entry_descendant_pathname = Pathname.new(entry_descendant_path)
          relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
          relative_entry_descendant_path = relative_entry_descendant_pathname.to_path

          # The module_reference_name doesn't have a file extension
          module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)

          yield path, type, module_reference_name
        end
      end
    end
  end
end

You can see that method has to deal with the messy details of the external representation of the modules directory, such as ignored .svn directories and handling conversion from internal Metasploit Module types to the directory names for those Metasploit Module types. Even here, though, we try to keep the method short and focused. So this method calls out to #module_path? and #module_reference_name_from_path.

Filters

Hidden Files
Non-.rb files
Unit test files

Even with the duplication in the #each_module_reference_names, they still share helpers like this. This code follows best practices of extracting any literals to constants so that they are not magic Strings or Regexps.

Just strips extension
Worth making a method because...
- intention revealing name
- Hide cryptic gsub

`Msf::Modules::Loader::Base#load_module`

Still huge (~130 lines)
Interface to external representation extract to methods:
- #module_path
- #read_module_content
- #namespace_module_transaction

Jumping out of #each_module_reference_name into #load_modules, each yielded [parent_path, type, module_reference_name] is passed to #load_module


# Returns the full path to the module file on disk.
#
# @param (See Msf::Modules::Loader::Base#module_path
# @return [String] Path toe the module file on disk.
def module_path(parent_path, type, module_reference_name)
  file_name = module_reference_name + MODULE_EXTENSION
  type_directory = DIRECTORY_BY_TYPE[type]
  full_path = File.join(parent_path, type_directory, file_name)

  full_path
end

This method is isolating from the internal presentation that externally Metasploit Modules have .rb extensions and that they are stored in directories with slightly different names from the module_type.


# Load the module content from the on disk file.
#
# @param (see Msf::Modules::Loader::Base#read_module_content)
# @return (see Msf::Modules::Loader::Base#read_module_content)
def read_module_content(parent_path, type, module_reference_name)
  full_path = module_path(parent_path, type, module_refrence_name)

  File.read(full_path)
end

Although this method is just doing a File.read, it needs to be hidden behind a method so that the external presentation doesn't leak into #load_module

Not in original redesign
Added to handle exceptions and reloading outside of #load_module

Preserve pre-existing namespace module
Create new namespace module
Run block
If exception or didn't load, restore preserved namespace module

Enumerable#inject works by taking the yieldreturn from the block and passing it as parent to the next iteration of the block along with the next module_name from module_names. If any module along the path is not defined, then break is called, which causes inject to terminate early and return nil instead of the current value of the block or the last parent.

Refactoring Goals

One Class/Module Per File
Group Related Methods into Included Ruby Modules
Break up into classes
- Separate extracted class from source class
- Extract external dependencies from internal represenation

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Find Module.new usages
- Replace Module.new in Msf::ModuleManager#load_module_from_file
- Replace Module.new in Msf::ModuleManager#reload_module

Congratulation! The test case works, but... does the test case cover all ways that all 1851 Metasploit Modules are actually written?

NOPE!

Module Creation	`#create_module_namespace`
Module Evaluation	`#module_eval_with_lexical_scope`

Why doesn't `Module#module_eval` work?

Refactoring lost Msf from lexical scope
Some Metasploit Modules didn't fully-qualify constants

There is no top-level Exploit::Remote::Tcp, but there is a Msf::Exploit::Remote::Tcp, so how is include Exploit::Remote::Tcp finding Msf::Exploit::Remote::Tcp?

Constant look-up in Ruby

Look at the lexically scoped constants
Look at the ancestors of the current Module or Class


module Msf::ModuleManager
  puts Module.nesting.inspect # [Msf::ModuleManager]
end


module Msf
  module ModuleManager
    puts Module.nesting.inspect # [Msf::ModuleManager, Msf]
  end
end

Constant look-up when loading Metasploit Modules

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Find Module.new usages
- Replace Module.new in Msf::ModuleManager#load_module_from_file
- Replace Module.new in Msf::ModuleManager#reload_module
- Fix resolving constants under Msf

Ways to fix constant look-up

Restore nested namespaces
- Easy, small change
- Adds 3 levels of indentation
- Ties loading behavior to implementation detail (loader namespace)
- Forces loader to remain in Msf namespace, which is invalid for metasploit-framework (Metasploit::Framework is correct)
Fake lexical scope
- Hard, large change
- Module#module_eval with block doesn't capture lexical scope; have to use String
- Namespace for loaded module is separated from namespace of loader

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Find Module.new usages
- Replace Module.new in Msf::ModuleManager#load_module_from_file
- Replace Module.new in Msf::ModuleManager#reload_module
- Fix resolving constants under Msf
- Fake Msf in lexical scope using Module#module_eval(String)

After the escaping, NAMESPACE_MODULE_NAMES is prefixed. NAMESPACE_MODULE_NAMES is ['Msf', 'Modules']. The 'Msf' as the first element of the namespace is the key to reintroducing the Msf into the lexical scope.

Nesting string Modules

To build up a lexical scope, the code needs to wrap child Ruby Modules in module Parent ... end blocks. Instead of have to prepend module Parent to the front of a string and append end to the end of the a string, I reverse the namespace_module_names, so I can build the inner modules first and then wrap them with the parent module like Russian nesting dolls.

You can tell how long it took me to figure this out based on the size of the comments. I actually ended up look at the Ruby MRI C code to figure out that module_eval with blocks won't capture lexical scope.

Better backtraces with `module_eval`

To make nicer backtrace and allow for easier debugging, the code evaluates namespace_module_content by giving it’s path as the current file and it’s starting line as the first line of NAMESPACE_MODULE_CONTENT, but it needs to be adjusted for all the outer namespaces.

With the path and line correct we get the neat power to put break points in body of the `NAMESPACE_MODULE_CONTENT` string:

Open ~/git/rapid7/metasploit-framework master in Rubymine
Place break point at /Users/luke.imhoff/git/limhoff-r7/metasploit-framework/lib/msf/core/modules/loader/base.rb:52
Run `rdebug-ide --host 0.0.0.0 --port 1234 --dispatcher-port 26162 -- $PWD/msfconsole --environment development` in Terminal Pane
Run msfconsole remote debugger run configuration in Rubymine
Click up stack
Step through string to Metasploit Module being loaded

Goals

Eliminate require_relative in prosvc
Eliminate explicit requires in prosvc
Share autoload_paths between UI and prosvc
- Find Module.new usages
- Replace Module.new in Msf::ModuleManager#load_module_from_file
- Replace Module.new in Msf::ModuleManager#reload_module
- Fake Msf in lexical scope using Module#module_eval(String)

Review

Tools
- Use Rails Guides when you don't know where to start in the code
- Use Rubygems.org when you need to find source or documentation
- Use Github when you need to look up bugs or follow git history backwards in time
- Use ack when you need to search code in the past
- Use Rubymine to quickly understand code
Module.new creates anonymous Ruby Modules
- They get a Module#name when a constant is set to the Module
- They break ActiveSupport::Dependencies’s const_missing
When files are too big they can be broken up
- Ensure there is one Class or Module per file
- Group related methods into included Modules
- Break up hierarchies of methods into Class hierarchies
Parts of files or entire files can be loaded by module_eval
- module_eval captures the lexical scope only with String
Lexical scope influences constant look-up
- Nesting module declaration has a different lexical scope than :: separated names
- The lexical scope can be retrieved with Module.nesting
Passing the path and line to module_eval allows debugging in string code.

Acknowledgements

I’d like to thank James “Egypt” Lee for imparting his knowledge of how to use the various msfconsole commands to ensure my changes didn’t break anything, fixing my lambda vs proc bug, and Ruby 1.8-incompatibility. I’d like to thank Samuel “Shuckins” Huckins for testing these changes against Metasploit Pro. I’d like to thank HD Moore for spotting when I missed automatic namespace names colliding with real Ruby Modules. I’d like to thank Trevor Rosen for allowing me to spend weeks to fix this the right way. I’d like to thank Regina Imhoff and Sonny Gonzalez for reviewing the accompanying article. I'd like to thank the Metasploit team for reviewing this presentation.

Article

Readable: https://limhoff-r7.github.io/metasploit-framework/austin.rb/2015/02/02/reading-legacy-code-to-harmonize-ruby-and-rails-code-loaders/
Source: https://github.com/limhoff-r7/limhoff-r7.github.io

Presentation

Interactive: https://limhoff-r7.github.io/reading-legacy-code-to-harmonize-ruby-and-rails-code-loaders
Source: https://github.com/limhoff-r7/reading-legacy-code-to-harmonize-ruby-and-rails-code-loaders

Reading Legacy Code to Harmonize Ruby and Rails Code Loaders

Background

Setting

UI

prosvc

prosvc

it had a few problems

Too long

Emulating config.autoload_paths

Adding a new class to UI and prosvc

Goals

Tools

Rails Guides

http://guides.rubyonrails.org/

Rubygems.org

Github

ack

Rubymine

Static language tools for dynamic Ruby

config.autoload_paths outside Rails

Barriers to config.autoload_paths in prosvc

RTF MG

Where is set_autoload_paths?

Check actionpack, activesupport, and railties

Searching Legacy Code

ack set_autoload_path

railties/lib/rails/engine.rb:536

_all_autoload_paths

Emulate set_autoload_paths

Calling initializers without Rails::Engine

Back to the Guide

set_load_path

_all_load_paths

Separating initializers and configuration

Porting prosvc

prosvc requires

Load Paths

Roots

Goals

Testing with Metasploit Module Loader

A Side Note on Narrative

Metasploit Framework

Metasploit Modules

Content for Metasploit Framework

Main Metasploit Module Types

msfconsole

msfpro

msfconsole with access to Metasploit Pro features

msfpro start-up

msfpro test

Goals

How do I fix the code?

What called const_missing?

Dataflow

Origin of wrong name

To the debugger!

print debugging

Namespace Module is wrong

Where is Metasploit3?

Metasploit Module Naming Convention

Goals

Module.new Usages

Msf::ModuleManager#reload_module

Msf::ModuleManager#load_module_from_file

Goals

Replace Module.new

Why start with Object?

Complications

Reloading

Walking Down the Tree

Partial existence

Anonymous?! Module Creation

Goals

Refactoring to ease understanding

Refactoring

Features and Bug fixes

Separate refactoring from features or bug fixes

Refactoring Goals

One Class/Module per file

Group related methods into included Ruby Modules

Emulating `config.autoload_paths`

`config.autoload_paths` outside Rails

Barriers to `config.autoload_paths` in `prosvc`

Where is `set_autoload_paths`?

`ack set_autoload_path`

`railties/lib/rails/engine.rb:536`

`_all_autoload_paths`

Emulate `set_autoload_paths`

Calling initializers without `Rails::Engine`

`set_load_path`

`_all_load_paths`

`msfconsole`

`msfpro`

`msfconsole` with access to Metasploit Pro features

Where is `Metasploit3?`

`Module.new` Usages

`Msf::ModuleManager#reload_module`

`Msf::ModuleManager#load_module_from_file`

Replace `Module.new`

Why start with `Object`?

`Msf::ModuleManager#add_module`

`Msf::ModuleManager#register_type_extension`

Only occurrence is `def` = dead

`Msf::Modules::Loader::Base#load_module`

Why doesn't `Module#module_eval` work?

Better backtraces with `module_eval`