windbg - Byakugan
2015-06-22 23:12
1. Install Byakugan
lab:bin/ $ pwd
/home/someone/metasploit-framework/external/source/byakugan/bin
lab:bin/ $ tree .
.
├── Vista
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
├── Win7
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
├── WinXP
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
└── XPSP2
    ├── byakugan.dll
    ├── detoured.dll
    └── injectsu.dll
Place byakugan.dll and injectsu.dll in the WinDbg application folder (not under winext!), and put detoured.dll under c:\windows\system32.
copy byakugan.dll "C:\Program Files\Debugging Tools for Windows (x86)\"
copy injectsu.dll "C:\Program Files\Debugging Tools for Windows (x86)\"
copy detoured.dll c:\windows\system32\
2. Usage
Everybody knows that OllyDbg has numerous plugins (I'll talk about these plugins later). WinDbg also has a framework/API for building plugins/extensions; MSEC is just one example. Metasploit built and released its own WinDbg plugin about a year ago, called byakugan. Pre-compiled binaries for Windows XP SP2, SP3, Vista and Windows 7 can be found in the framework3 folder (get the latest trunk via svn), under \external\source\byakugan\bin. What can you do with byakugan.dll?
2.1 load plugin
!load byakugan
2.2 byakugan functions
jutsu : set of tools to track buffers in memory, determine what is controlled at crash time, and discover valid return addresses
mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
tenketsu : Vista heap emulator/visualizer
pattern_offset : locate a crash-time value inside a Metasploit pattern
!load byakugan
!pattern_offset 2000
2.2.1 jutsu functions
The jutsu component offers the following functions :
identBuf / listBuf / rmBuf : find buffers (plain ascii, metasploit patterns, or data from file) in memory…
memDiff : compare data in memory with a pattern and mark the changes. This will help you determine whether e.g. shellcode has been changed/corrupted in memory, whether certain 'bad characters' need to be excluded from shellcode, etc.
hunt : search memory for the buffers registered with identBuf and report where each one was found
findReturn : search for the addresses that point to a usable function to return to.
searchOpcode : converts an assembler instruction into its opcodes, and at the same time lists all executable addresses at which that opcode sequence occurs.
searchVtptr
trackVal
!jutsu searchOpcode pop esi | pop ebx | ret
!jutsu memDiff file 1520 C:\exploit.bin 0x0012e858
!jutsu identBuf file ShellCode c:\exploit.bin
!jutsu identBuf msfpattern MSFBuffer 1500
!jutsu listBuf
!jutsu hunt
!jutsu findReturn
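To make the memDiff step concrete, here is an added example (not byakugan's own code) that does offline what `!jutsu memDiff file 1520 C:\exploit.bin 0x0012e858` does inside the debugger: it compares the bytes you wrote to a target with the bytes a debugger later shows at the buffer address, and reports which bytes were translated and where the copy stopped. The probe buffer, the two "memory dumps" and the base address 0x0012e858 (taken from the page's demo output, used here only as a label) are all constructed for the example.

```python
# Added example (not byakugan's own code): an offline equivalent of
# `!jutsu memDiff`, comparing the bytes written to a target with the bytes a
# debugger later shows at the buffer address, to spot translated or dropped bytes.
from typing import List, Optional, Tuple

Diff = Tuple[int, int, Optional[int]]  # (address, expected byte, byte found or None)

# The classic probe: every byte value except NUL, sent in order so that the first
# mismatch points directly at the character the target could not accept.
PROBE = bytes(range(1, 256))


def mem_diff(expected: bytes, actual: bytes, base: int = 0) -> List[Diff]:
    """Byte-for-byte comparison; `actual` is the memory dump read at `base`.
    A dump shorter than `expected` is reported as truncation (found = None)."""
    diffs: List[Diff] = []
    for i, want in enumerate(expected):
        got = actual[i] if i < len(actual) else None
        if got != want:
            diffs.append((base + i, want, got))
    return diffs


def first_bad_char(expected: bytes, actual: bytes) -> Optional[int]:
    """The expected byte at the first divergence, i.e. the prime suspect for a
    'bad character'. Remove it from the probe and repeat, as memDiff users do."""
    diffs = mem_diff(expected, actual)
    return diffs[0][1] if diffs else None


def format_report(diffs: List[Diff]) -> List[str]:
    """Render diffs in the style of a debugger annotation, one line per byte."""
    lines = []
    for addr, want, got in diffs:
        if got is None:
            lines.append("%08x: expected %02x, memory ends here (truncated)" % (addr, want))
        else:
            lines.append("%08x: expected %02x, found %02x" % (addr, want, got))
    return lines


if __name__ == "__main__":
    BASE = 0x0012E858  # address from the page's demo output, used as a label only
    # Constructed dumps: one where 0x0a was turned into 0x00 by the target's input
    # handling, one where the copy stopped at 0x0d (a line-ending terminator).
    translated = PROBE.replace(b"\x0a", b"\x00")
    truncated = PROBE[:12]
    for line in format_report(mem_diff(PROBE, translated, BASE)):
        print(line)
    print("first bad char: 0x%02x" % first_bad_char(PROBE, translated))
    print("truncated at 0x%02x, %d bytes missing" %
          (first_bad_char(PROBE, truncated), len(mem_diff(PROBE, truncated))))
```

The two constructed dumps show the two signatures memDiff is meant to separate: a single byte-for-byte mismatch means the target translated that character, while a run of misses to the end of the buffer means the copy terminated early at the first mismatching byte. In both cases the expected byte at the first divergence is the one to remove from the probe before the next run.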
operation demo
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf msfpattern MSFBuffer 200
[J] Creating buffer MSFBuffer.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: MSFBuffer Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7......2Ag3Ag4Ag5Ag
0:000> !jutsu hunt
[J] Found buffer MSFBuffer @ 0x0012e858
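The demo above registers a 200-byte Metasploit pattern with `identBuf msfpattern` and then locates it with `hunt`; section 2.2 also lists `!pattern_offset 2000`. The following added example (not byakugan's or Metasploit's own code) re-implements that pattern so the crash-triage workflow can be followed offline: it generates the same `Aa0Aa1Aa2...` sequence, looks up a crash-time register value inside it the way `!pattern_offset` does, and scans a constructed memory image for the buffer the way `!jutsu hunt` does. The memory image, its base address and the sample register value 0x41386141 are all constructed for the example.

```python
# Added example (not byakugan's or Metasploit's own code): a small re-implementation
# of the Metasploit cyclic pattern that `!jutsu identBuf msfpattern` registers and
# that `!pattern_offset` searches, plus a `hunt`-style scan over a memory image.
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # the pattern repeats after 20280 bytes


def msf_pattern(length: int) -> bytes:
    """First `length` bytes of the Metasploit pattern: Aa0Aa1Aa2...Ab0Ab1...

    Every 3-byte triplet (upper, lower, digit) is unique within the first
    20280 bytes, which is what makes any 4-byte window locatable."""
    if not 0 <= length <= MAX_PATTERN:
        raise ValueError("length must be between 0 and %d" % MAX_PATTERN)
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = MAX_PATTERN):
    """Offset of a crash-time register value inside the pattern, or None.

    `value` is an int or a hex string such as '41386141' / '0x41386141'.
    An x86 register holding bytes copied from the stack shows them in
    little-endian order, so that ordering is tried first; the reversed order
    is tried as well in case the value was read out of memory byte by byte."""
    if isinstance(value, str):
        value = int(value, 16)
    pat = msf_pattern(length)
    le = struct.pack("<I", value)
    for needle in (le, le[::-1]):
        idx = pat.find(needle)
        if idx != -1:
            return idx
    return None


def hunt(memory: bytes, base: int, pattern: bytes):
    """Offline equivalent of `!jutsu hunt`: find a tracked buffer pattern in a
    memory image that starts at address `base`; returns its address or None."""
    idx = memory.find(pattern)
    return None if idx == -1 else base + idx


if __name__ == "__main__":
    # Constructed memory image: 0x58 bytes of padding, then the 200-byte buffer
    # from the demo, so the buffer lands at 0x0012e858 as in the page's output.
    buf = msf_pattern(200)
    image = b"\x00" * 0x58 + buf + b"\xcc" * 64
    print("buffer found @ 0x%08x" % hunt(image, 0x0012E800, buf))
    # A crash with EIP = 0x41386141 means the bytes 'Aa8A' overwrote the saved
    # return address; those bytes sit 24 bytes into the pattern.
    print("EIP 0x41386141 -> offset", pattern_offset("0x41386141"))
```

The 200-byte pattern generated here starts with `Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7` and ends with `2Ag3Ag4Ag5Ag`, matching the abbreviated `listBuf` output in the demo. Because the pattern only stays unique for 20280 bytes, a buffer longer than that (or a value that appears in neither byte order) makes `pattern_offset` return None rather than a misleading offset.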
2.2.2 tenketsu functions
!tenketsu
!tenketsu listHeaps
!tenketsu listChunks
0:000> !tenketsu
Byakugan - Increase your Sight
Pusscat / Lin0xx
Tenketsu Commands:
1. model - Load tenketsu heap visualization libraries and begin modeling
2. log - Load tenketsu heap visualization libraries and begin logging
3. listHeaps - List all currently tracked heaps and their information
4. listChunks - List all chunks associated with a givend heap
5. validate - check the chunk chain and find corrupted chunk headers
References
https://github.com/Rendered79/metasploit/tree/master/external/source/byakugan
https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
http://www.codeproject.com/Articles/6084/Windows-Debuggers-Part-A-WinDbg-Tutorial
http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html
http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html
http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html