windbg - Byakugan
Source: Internet  Published: data analysis platform features  Editor: 程序博客网  Time: 2024/06/07 08:39
1. Install Byakugan
lab:bin/ $ pwd
/home/someone/metasploit-framework/external/source/byakugan/bin
lab:bin/ $ tree
.
├── Vista
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
├── Win7
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
├── WinXP
│   ├── byakugan.dll
│   ├── detoured.dll
│   └── injectsu.dll
└── XPSP2
    ├── byakugan.dll
    ├── detoured.dll
    └── injectsu.dll
Place byakugan.dll and injectsu.dll in the windbg application folder (not in winext!), and put detoured.dll in c:\windows\system32. Pick the subfolder that matches your Windows version:
copy byakugan.dll "C:\Program Files\Debugging Tools for Windows (x86)\"
copy injectsu.dll "C:\Program Files\Debugging Tools for Windows (x86)\"
copy detoured.dll c:\windows\system32\
2. Usage
Everybody knows that ollydbg has numerous plugins (I'll talk about these plugins later). Windbg also has a framework/API for building plugins/extensions; MSEC is just one example. Metasploit built and released its own windbg plugin about a year ago, called byakugan.
Pre-compiled binaries for Windows XP SP2, SP3, Vista and Windows 7 can be found in the framework3 folder (get the latest trunk via svn), under \external\source\byakugan\bin. Place byakugan.dll and injectsu.dll under the windbg application folder (not under winext!), and put detoured.dll under c:\windows\system32. What can you do with byakugan.dll?
2.1 load plugin
!load byakugan
2.2 byakugan functions
- jutsu : set of tools to track buffers in memory, determine what is controlled at crash time, and discover valid return addresses
- pattern_offset : look up a value taken from the crash state (e.g. the contents of EIP) inside a Metasploit pattern and report its offset
- mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
- tenketsu : vista heap emulator/visualizer
!load byakugan
!pattern_offset 2000
2.2.1 jutsu functions
The jutsu component offers the following functions :
- identBuf / listBuf / rmBuf : register, list and remove buffers (plain ascii, metasploit patterns, or data from a file) that byakugan should look for in memory
- memDiff : compare data in memory with a pattern and mark the changes. This helps you determine whether e.g. shellcode has been changed/corrupted in memory, whether certain 'bad characters' need to be excluded from the shellcode, etc.
- hunt : search memory for the registered buffers and report the address where each one is found
- findReturn : search for addresses that point to a usable instruction to return to
- searchOpcode : converts an assembler instruction to its opcode, AND lists all executable addresses where that opcode sequence occurs at the same time
- searchVtptr
- trackVal
!jutsu searchOpcode pop esi | pop ebx | ret
!jutsu memDiff file 1520 C:\exploit.bin 0x0012e858
!jutsu identBuf file ShellCode c:\exploit.bin
!jutsu identBuf msfpattern MSFBuffer 1500
!jutsu listBuf
!jutsu hunt
!jutsu findReturn
operation demo
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf msfpattern MSFBuffer 200
[J] Creating buffer MSFBuffer.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
	Buf: MSFBuffer	Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7......2Ag3Ag4Ag5Ag
0:000> !jutsu hunt
[J] Found buffer MSFBuffer @ 0x0012e858
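To make clear what the buffer-tracking commands above are doing, here is an added Python example (it is not part of the original post and not byakugan's own code): it builds the same cyclic Aa0Aa1... pattern that `identBuf msfpattern` registers, maps a crash-time register value back to its offset in that pattern as `!pattern_offset` does, and reports changed bytes the way `memDiff` does. All function names are mine.

```python
import string
from itertools import product
from typing import List, Optional, Tuple

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def msf_pattern(length: int) -> str:
    """Cyclic Metasploit pattern: Aa0Aa1...Aa9Ab0... (digit varies fastest).
    The full cycle is 26*26*10 triplets = 20280 characters, so longer
    requests are truncated to that length."""
    chunks = []
    for upper, lower, digit in product(UPPER, LOWER, DIGITS):
        if len(chunks) * 3 >= length:
            break
        chunks.append(upper + lower + digit)
    return "".join(chunks)[:length]


def pattern_offset(value: int, length: int = 20280) -> Optional[int]:
    """Offset in the pattern of the 4 bytes a register holds after the crash.
    'value' is the DWORD exactly as windbg displays it (e.g. EIP=41306141);
    x86 is little-endian, so the low byte is the first byte in memory."""
    needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    idx = msf_pattern(length).find(needle)
    return None if idx < 0 else idx


def mem_diff(expected: bytes, actual: bytes) -> List[Tuple[int, int, int]]:
    """What memDiff reports: (offset, expected byte, byte found in memory)
    for every position where the in-memory copy differs from the file."""
    return [(i, e, a) for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


if __name__ == "__main__":
    # Constructed sample: a 200-byte pattern, the same size used in the demo.
    print(msf_pattern(200))
    # 'Aa0A' read from memory as a DWORD is 0x41306141 -> offset 0
    print(pattern_offset(0x41306141, 200))
    # Constructed sample: a 0x0a byte was turned into 0x00 on its way into memory.
    print(mem_diff(b"A\x00B\x0aC", b"A\x00B\x00C"))
```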
2.2.2 tenketsu functions
!tenketsu
!tenketsu listHeaps
!tenketsu listChunks
0:000> !tenketsu
Byakugan - Increase your Sight
Pusscat / Lin0xx
Tenketsu Commands:
1. model - Load tenketsu heap visualization libraries and begin modeling
2. log - Load tenketsu heap visualization libraries and begin logging
3. listHeaps - List all currently tracked heaps and their information
4. listChunks - List all chunks associated with a givend heap
5. validate - check the chunk chain and find corrupted chunk headers
References
- https://github.com/Rendered79/metasploit/tree/master/external/source/byakugan
- https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
- http://www.codeproject.com/Articles/6084/Windows-Debuggers-Part-A-WinDbg-Tutorial
- http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html
- http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html
- http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html