
windbg - Byakugan

2015-06-22 23:12

1. Install Byakugan

lab:bin/ $ pwd
/home/someone/metasploit-framework/external/source/byakugan/bin
lab:bin/ $ tree
.
├── Vista
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
├── Win7
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
├── WinXP
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
└── XPSP2
    ├── byakugan.dll
    ├── detoured.dll
    └── injectsu.dll


Place byakugan.dll and injectsu.dll in the WinDbg application folder (not in winext!), and detoured.dll in C:\Windows\System32. The shipped builds are 32-bit only (the tree above has no x64 directory), so use the x86 WinDbg. The paths contain spaces and parentheses, so quote them:

copy byakugan.dll "C:\Program Files\Debugging Tools for Windows (x86)\"
copy injectsu.dll "C:\Program Files\Debugging Tools for Windows (x86)\"
copy detoured.dll "C:\Windows\System32\"


2. Usage

OllyDbg is well known for its numerous plugins. WinDbg also has a framework/API for building extensions; the MSEC extension (!exploitable) is one example. Metasploit built and released its own WinDbg extension, called Byakugan (written by Pusscat and Lin0xx).

Pre-compiled binaries for Windows XP SP2, XP SP3, Vista and Windows 7 ship with the Metasploit framework (in the old framework3 svn trunk) under \external\source\byakugan\bin, the tree shown above. The walkthrough below follows the Corelan tutorial listed in the references. What can you do with byakugan.dll?

2.1 load plugin

!load byakugan


2.2 byakugan functions

Byakugan exposes four components, each with its own command:

jutsu : set of tools to track buffers in memory, determine what you control at crash time, and discover valid return addresses

pattern_offset : checks the registers at the time of the crash against a Metasploit pattern of the given length and reports the offset at which each controlled register value (e.g. EIP) sits in that pattern, i.e. how many bytes precede the overwritten return address. Pass the same length you used to generate the pattern you sent.

mushishi : framework for detecting and defeating anti-debugging techniques

tenketsu : Vista heap emulator/visualizer

!load byakugan
!pattern_offset 2000
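The cyclic pattern behind !jutsu identBuf msfpattern and !pattern_offset is easy to reproduce offline, which is useful when the crash happened on a box without Byakugan. The following is an added example in Python (my own code, not Byakugan's or Metasploit's) that generates the Metasploit pattern and recovers the offset of a 32-bit register value such as the EIP read from WinDbg's r output after the crash. The pattern length 200 matches the listBuf demo further down; the EIP value 0x37634136 is constructed for the example.

```python
import string
import struct
from typing import Optional

# Character sets cycled by Metasploit's pattern_create (and by Byakugan's
# "identBuf msfpattern"): uppercase changes slowest, then lowercase, digit fastest.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PERIOD = 3 * len(UPPER) * len(LOWER) * len(DIGITS)  # 20280 bytes, then the pattern repeats


def pattern_create(length: int) -> bytes:
    """First `length` bytes of the cyclic pattern Aa0Aa1Aa2...Aa9Ab0Ab1...Ba0..."""
    out = bytearray()
    for i in range(length):
        t, c = divmod(i, 3)  # t = index of the 3-byte group, c = position inside it
        if c == 0:
            out.append(ord(UPPER[(t // 260) % 26]))
        elif c == 1:
            out.append(ord(LOWER[(t // 10) % 26]))
        else:
            out.append(ord(DIGITS[t % 10]))
    return bytes(out)


def pattern_offset(value: int, length: int) -> Optional[int]:
    """Offset inside a pattern of `length` bytes at which a 32-bit register value sits.

    x86 is little-endian, so EIP = 0x41306141 means the bytes b"Aa0A" were loaded
    from memory in that order; that is the string to search for.  If it is not
    found, the byte-reversed value is tried too, in case the data reached the
    register byte-swapped.  Every 4-byte window is unique within one PERIOD, so
    keep `length` <= PERIOD for an unambiguous answer (find() returns the first hit).
    """
    pat = pattern_create(length)
    needle = struct.pack("<I", value & 0xFFFFFFFF)
    off = pat.find(needle)
    if off == -1:
        off = pat.find(needle[::-1])
    return None if off == -1 else off


if __name__ == "__main__":
    # Constructed values: a 200-byte pattern as in the listBuf demo, and an
    # EIP of 0x37634136 (bytes "6Ac7" in memory order) taken from the crashed process.
    print(pattern_create(200))
    print(pattern_offset(0x37634136, 2000))  # prints 80
```

If pattern_offset returns None for EIP, the register was not overwritten directly by your pattern (it may hold a pointer into it, or the value was mangled); check ESP and the other registers with the same call before concluding the offset.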


2.2.1 jutsu functions

The jutsu component offers the following functions:

identBuf / listBuf / rmBuf : register a buffer to track (plain ASCII, a Metasploit pattern, or the contents of a file), list the tracked buffers, or remove one

hunt : search the process memory for every tracked buffer and report the address at which each was found

memDiff : compare data in memory with a pattern (or a file) and mark the changes. This tells you whether e.g. shellcode was changed or corrupted in memory and which 'bad characters' have to be excluded from it

findReturn : search for addresses that point to a usable instruction sequence to return to

searchOpcode : converts assembler instructions to opcodes and lists every executable address where that opcode sequence occurs

searchVtptr, trackVal : not covered on this page

!jutsu searchOpcode pop esi | pop ebx | ret
!jutsu memDiff file 1520 C:\exploit.bin 0x0012e858

!jutsu identBuf file ShellCode c:\exploit.bin
!jutsu identBuf msfpattern MSFBuffer 1500
!jutsu listBuf
!jutsu hunt
!jutsu findReturn


operation demo

0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf msfpattern MSFBuffer 200
[J] Creating buffer MSFBuffer.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: MSFBuffer  Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7......2Ag3Ag4Ag5Ag

0:000> !jutsu hunt
[J] Found buffer MSFBuffer @ 0x0012e858
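The memDiff step (compare the bytes you sent with what actually landed in the buffer, then exclude the bytes the target mangled) is worth doing methodically, because a single dropped or rewritten byte shifts everything after it. The following is an added example in Python (my own code, not Byakugan's) that implements that comparison and the iterative bad-character hunt; the target copy routine simulated_target is a constructed stand-in for a real program, as are the probe bytes, and in a live session the send step is "re-run the exploit, then read the buffer back at the address hunt reported".

```python
from typing import Callable, List, Optional, Tuple

Diff = Tuple[int, int, Optional[int]]  # (offset, byte we sent, byte found in memory or None)


def mem_diff(expected: bytes, observed: bytes) -> List[Diff]:
    """Byte-for-byte comparison of what we sent (e.g. exploit.bin) with what was
    read back from the target buffer, in the spirit of !jutsu memDiff.  Positions
    beyond the end of `observed` are reported with None: the in-memory copy was
    truncated there."""
    diffs = []
    for i, e in enumerate(expected):
        o = observed[i] if i < len(observed) else None
        if o != e:
            diffs.append((i, e, o))
    return diffs


def first_bad_char(expected: bytes, observed: bytes) -> Optional[Tuple[int, int]]:
    """Only the first mismatch is trustworthy: once a byte is dropped, rewritten
    or terminates the copy, everything after it is shifted and later diffs are
    noise.  Returns (offset, byte_we_sent) or None when the copy is intact."""
    diffs = mem_diff(expected, observed)
    if not diffs:
        return None
    off, sent, _ = diffs[0]
    return off, sent


def find_bad_chars(send: Callable[[bytes], bytes]) -> List[int]:
    """Iteratively determine the bad characters for a target.

    `send` delivers a probe to the target and returns the bytes that landed in
    the buffer.  0x00 is left out of the probe from the start, as is customary;
    each round removes the next offending byte and probes again."""
    bad: List[int] = []
    for _ in range(256):  # at most one new bad char per round
        probe = bytes(b for b in range(0x01, 0x100) if b not in bad)
        hit = first_bad_char(probe, send(probe))
        if hit is None:
            return bad
        bad.append(hit[1])
    return bad


def simulated_target(buf: bytes) -> bytes:
    """Constructed stand-in for a vulnerable copy routine (not any real program):
    a line-oriented copy that rewrites LF (0x0a) to NUL and stops at CR (0x0d)."""
    out = bytearray()
    for b in buf:
        if b == 0x0D:
            break
        out.append(0x00 if b == 0x0A else b)
    return bytes(out)


def format_diff(diffs: List[Diff]) -> List[str]:
    """Human-readable lines, e.g. '0x0009: sent 0a, found 00'."""
    return [
        f"0x{off:04x}: sent {sent:02x}, " + ("truncated" if got is None else f"found {got:02x}")
        for off, sent, got in diffs
    ]


if __name__ == "__main__":
    probe = bytes(range(0x01, 0x100))
    for line in format_diff(mem_diff(probe, simulated_target(probe)))[:3]:
        print(line)
    print([hex(b) for b in find_bad_chars(simulated_target)])  # ['0xa', '0xd']
```

Note that the second bad byte (0x0d) only becomes visible after the first (0x0a) has been removed from the probe: with 0x0a still present the truncation at 0x0d hides behind the shifted data, which is exactly why memDiff results should be acted on one byte at a time.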


2.2.2 tenketsu functions

!tenketsu
!tenketsu listHeaps
!tenketsu listChunks


0:000> !tenketsu
Byakugan - Increase your Sight
Pusscat / Lin0xx


Tenketsu Commands:

1. model - Load tenketsu heap visualization libraries and begin modeling

2. log - Load tenketsu heap visualization libraries and begin logging

3. listHeaps - List all currently tracked heaps and their information

4. listChunks - List all chunks associated with a given heap

5. validate - check the chunk chain and find corrupted chunk headers

References

https://github.com/Rendered79/metasploit/tree/master/external/source/byakugan

https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/

http://www.codeproject.com/Articles/6084/Windows-Debuggers-Part-A-WinDbg-Tutorial

http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html

http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html

http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html