#include "byakugan.h"
#include "msfpattern.h"
#include "jutsu.h"
#include "tenketsu.h"
#include "mushishi.h"
#include "symPort.h"
/*
 * Register names that !pattern_offset evaluates when the caller gives no
 * explicit address.  The list is NULL-terminated so it can be walked with
 * a plain loop; only the 32-bit x86 general-purpose registers are present.
 */
char *registers[] = {
    "eax", "ebx", "ecx", "edx",
    "esp", "ebp", "eip",
    NULL
};
/*
 * !byakugan - print the extension's top-level usage text.
 *
 * Client: debugger client; used implicitly by INIT_API/EXIT_API.
 * args:   ignored, the command takes no arguments.
 * Returns S_OK.
 */
HRESULT CALLBACK byakugan(PDEBUG_CLIENT4 Client, PCSTR args) {
    /* One line per exported command, printed after the HELPSTRING banner. */
    static const char *const usage[] = {
        "!jutsu <command> <args> - Perform Jutsu: !jutsu help\n",
        "!tenketsu - Begin realtime heap vizualization: !tenketsu help\n",
        "!pattern_offset <length> <optional: addr>\n",
        "!mushishi <detect|defeat>- Detect or defeat anti-debugging mechanisms\n",
    };
    size_t line;

    INIT_API();
    UNREFERENCED_PARAMETER(args);

    dprintf(HELPSTRING);
    for (line = 0; line < sizeof usage / sizeof usage[0]; line++)
        dprintf("%s", usage[line]);

    EXIT_API();
    return S_OK;
}
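/*
 * !pattern_offset <length> [addr]
 *
 * Asks msf_pattern_offset() where, inside a cyclic pattern of <length>
 * bytes, the value held at <addr> occurs.  Without an explicit address the
 * value of every register in `registers` is tried instead.  Each hit is
 * reported with dprintf.
 *
 * Client: debugger client; used implicitly by INIT_API/EXIT_API.
 * args:   raw command line.  It is tokenised in place by strtok, which
 *         writes into the buffer behind the const pointer (the convention
 *         used throughout this file).
 * Returns S_OK in every case; usage problems are reported via dprintf.
 */
HRESULT CALLBACK pattern_offset(PDEBUG_CLIENT4 Client, PCSTR args) {
    char *arg1, **targets, *holder[2], *end;
    ULONG length, addr;
    int offset, i;

    INIT_API();

    arg1 = strtok((char *)args, " ");
    targets = holder;
    targets[0] = strtok(NULL, " ");
    targets[1] = NULL;

    if (arg1 == NULL) {
        dprintf("[Byakugan] Please provide a length.\n");
        /* Release what INIT_API acquired; the old early return skipped this. */
        EXIT_API();
        return S_OK;
    }

    /* strtoul alone turns garbage into 0; insist on a complete decimal number. */
    length = strtoul(arg1, &end, 10);
    if (end == arg1 || *end != '\0') {
        dprintf("[Byakugan] Length must be a decimal number.\n");
        EXIT_API();
        return S_OK;
    }

    /* No address given: walk the register table instead. */
    if (targets[0] == NULL)
        targets = registers;

    for (i = 0; targets[i] != NULL; i++) {
        /* GetExpression resolves register names and numeric expressions alike.
         * NOTE(review): addr is ULONG; if GetExpression yields a wider value on
         * this SDK the high bits are dropped -- confirm the tool is 32-bit only. */
        addr = GetExpression(targets[i]);
        offset = msf_pattern_offset(length, addr);
        if (offset != -1)
            dprintf("[Byakugan] Control of %s at offset %d.\n", targets[i], offset);
    }

    EXIT_API();
    return S_OK;
}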
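/*
 * !mushishi <detect|defeat>
 *
 * Dispatches the first word of the command line, compared case-insensitively,
 * to mushishiDetect() or mushishiDefeat().  Anything else (including no
 * argument at all) prints the list of accepted commands.
 *
 * Client: debugger client; used implicitly by INIT_API/EXIT_API.
 * args:   raw command line, tokenised in place by strtok.
 * Returns S_OK.
 */
HRESULT CALLBACK mushishi(PDEBUG_CLIENT4 Client, PCSTR args) {
    char *command;

    INIT_API();

    command = strtok((char *)args, " ");

    if (command != NULL && !_stricmp(command, "detect")) {
        mushishiDetect();
    } else if (command != NULL && !_stricmp(command, "defeat")) {
        mushishiDefeat();
    } else {
        dprintf("[Mushishi] Proper commands are: 'detect' 'defeat'\n");
    }

    /* Single exit so the interfaces acquired by INIT_API are always released;
     * the previous per-branch returns skipped EXIT_API. */
    EXIT_API();
    return S_OK;
}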
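/*
 * !symport <moduleName> <map file path>
 *
 * Registers a map file for a module via addMapFile().  Both tokens are
 * mandatory; a missing one prints the expected format.
 *
 * Client: debugger client; used implicitly by INIT_API/EXIT_API.
 * args:   raw command line, tokenised in place by strtok.  Because the
 *         split is on spaces, a map-file path containing a space is cut
 *         short at the first one.
 * Returns S_OK.
 */
HRESULT CALLBACK symport(PDEBUG_CLIENT4 Client, PCSTR args) {
    char *module, *path;

    INIT_API();

    module = strtok((char *)args, " ");
    path = strtok(NULL, " ");

    if (module != NULL && path != NULL) {
        addMapFile(module, path);
    } else {
        dprintf("[symPort] Proper format is: !symport <moduleName> <map file path>\n");
    }

    /* Always release what INIT_API acquired; the old success path returned
     * before EXIT_API. */
    EXIT_API();
    return S_OK;
}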
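/*
 * Returns the text that follows `token` on the command line `args`, or NULL
 * when nothing follows it.  `argsLen` must be the length of args as it was
 * before strtok began replacing separators with NULs, so the check does not
 * depend on which separator the token happened to end on.
 */
static char *rest_of_line(PCSTR args, size_t argsLen, const char *token) {
    size_t used = (size_t)(token - args) + strlen(token) + 1;
    return used < argsLen ? (char *)args + used : NULL;
}

/*
 * !jutsu <command> [args...]
 *
 * Dispatcher for the jutsu sub-commands.  The first token of args selects
 * the command (compared case-insensitively); the remaining tokens are that
 * command's arguments.  Sub-commands that take free text (searchOpcode,
 * searchVtptr) receive the rest of the line rather than a single token.
 *
 * Client: debugger client; used implicitly by INIT_API/EXIT_API.
 * args:   raw command line, tokenised in place by strtok (writes into the
 *         buffer behind the const pointer; file-wide convention).
 * Returns S_OK.
 */
HRESULT CALLBACK jutsu(PDEBUG_CLIENT4 Client, PCSTR args) {
    char *command, *bufName, *bufPatt, *bindPort, *bufSize, *bufType, *bufAddr;
    size_t argsLen;

    INIT_API();

    /* Taken before strtok writes NULs into the line. */
    argsLen = strlen(args);
    command = strtok((char *)args, " ");

    if (command == NULL) {
        /* Empty line: nothing to do. */
    } else if (!_stricmp(command, "help")) {
        helpJutsu();
    } else if (!_stricmp(command, "moduleInfo")) {
        /* Accepted but not implemented. */
    } else if (!_stricmp(command, "memDiff")) {
        bufType = strtok(NULL, " ");
        bufSize = strtok(NULL, " ");
        bufPatt = strtok(NULL, " ");
        bufAddr = strtok(NULL, " ");
        /* strtok keeps returning NULL once the line is exhausted, so a
         * non-NULL fourth token guarantees the three before it. */
        if (bufAddr == NULL) {
            dprintf("[J] Format: memDiff <type> <size> <value> <address>\n");
            dprintf("Valid Types:\n\thex: Value is any hex characters\n");
            dprintf("\tfile: Buffer is read in from file at path <value>\n");
            dprintf("\tbuf: Buffer is taken from known tracked Buffers\n");
        } else {
            memDiffJutsu(bufType, strtoul(bufSize, NULL, 10),
                         bufPatt, strtoul(bufAddr, NULL, 0x10));
        }
    } else if (!_stricmp(command, "trackVal")) {
        bufName = strtok(NULL, " ");
        bufSize = strtok(NULL, " ");
        bufPatt = strtok(NULL, " ");
        if (bufName == NULL) {
            listTrackedVals();
        } else if (bufSize == NULL) {
            listTrackedValByName(bufName);
        } else if (bufPatt == NULL) {
            /* Previously reached strtoul(NULL, ...) with size but no value. */
            dprintf("[J] Format: trackVal [<name> [<size> <value>]]\n");
        } else {
            trackValJutsu(bufName, strtoul(bufSize, NULL, 10),
                          strtoul(bufPatt, NULL, 0x10));
        }
    } else if (!_stricmp(command, "searchOpcode")) {
        /* Instruction text may contain spaces, so pass the rest of the line. */
        char *instructions = rest_of_line(args, argsLen, command);
        if (instructions == NULL)
            dprintf("[J] Format: searchOpcode <instructions>\n");
        else
            searchOpcodes(instructions);
    } else if (!_stricmp(command, "searchVtptr")) {
        char *instructions, *offsetString;
        DWORD offset;

        offsetString = strtok(NULL, " ");
        /* Guard both the offset token and the text after it; either being
         * absent used to dereference NULL / read past the line. */
        instructions = offsetString ? rest_of_line(args, argsLen, offsetString) : NULL;
        if (instructions == NULL) {
            dprintf("[J] Format: searchVtptr <offset> <instructions>\n");
        } else {
            offset = strtoul(offsetString, NULL, 16);
            searchVtptr(offset, instructions);
        }
    } else if (!_stricmp(command, "listen")) {
        bindPort = strtok(NULL, " ");
        if (bindPort == NULL)
            bindPort = DEFAULT_PORT;
        bindJutsu(bindPort);
    } else if (!_stricmp(command, "listBuf")) {
        listTrackedBufJutsu();
    } else if (!_stricmp(command, "listReqs")) {
        showRequestsJutsu();
    } else if (!_stricmp(command, "rmBuf")) {
        bufName = strtok(NULL, " ");
        if (bufName == NULL)
            dprintf("[Byakugan] This command requires a buffer name\n");
        else
            rmBufJutsu(bufName);
    } else if (!_stricmp(command, "identBuf")) {
        bufType = strtok(NULL, " ");
        bufName = strtok(NULL, " ");
        bufPatt = strtok(NULL, " ");
        bufSize = strtok(NULL, " ");
        /* As with memDiff, bufPatt != NULL implies bufType and bufName are set. */
        if (bufPatt == NULL) {
            dprintf("[Byakugan] This command requires a buffer type, name, (sometimes) value, and size\n");
        } else {
            identBufJutsu(bufType, bufName, bufPatt,
                          bufSize == NULL ? 0 : strtoul(bufSize, NULL, 10));
        }
    } else if (!_stricmp(command, "hunt")) {
        hunterJutsu();
    } else if (!_stricmp(command, "findReturn")) {
        returnAddressHuntJutsu();
    } else {
        dprintf("[J] Unknown command; see !jutsu help\n");
    }

    /* Single exit: every branch now reaches EXIT_API, which the previous
     * per-branch returns skipped. */
    EXIT_API();
    return S_OK;
}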
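/*
 * !tenketsu <model | log <name> | help | validate <heap> | listHeaps | listChunks <heap>>
 *
 * Dispatcher for the heap visualisation commands.  Heap handles are parsed
 * as hexadecimal from the command line.  With no command, or "help", the
 * usage text is printed; an unrecognised command also prints it.
 *
 * Client: debugger client; used implicitly by INIT_API/EXIT_API.
 * args:   raw command line, tokenised in place by strtok.
 * Returns S_FALSE when hookRtlHeap() reports failure or "log" lacks a name,
 *         S_OK otherwise.
 */
HRESULT CALLBACK tenketsu(PDEBUG_CLIENT4 Client, PCSTR args) {
    char *command, *heapName, *logName;
    PVOID heapHandle;
    HRESULT result = S_OK;

    INIT_API();

    command = strtok((char *)args, " ");

    if (command == NULL || !_stricmp(command, "help")) {
        tenkHelp();
    } else if (!_stricmp(command, "model")) {
        /* First argument 1 with no log name; the numeric mode's meaning is
         * defined by hookRtlHeap(). */
        if (hookRtlHeap(1, NULL)) {
            dprintf("[Byakugan] Unable to begin realtime heap modeling.\n");
            result = S_FALSE;
        }
    } else if (!_stricmp(command, "log")) {
        logName = strtok(NULL, " ");
        if (logName == NULL) {
            dprintf("[Byakugan] Please provide a log name.\n");
            result = S_FALSE;
        } else if (hookRtlHeap(2, logName)) {
            dprintf("[Byakugan] Unable to begin realtime heap modeling.\n");
            result = S_FALSE;
        }
    } else if (!_stricmp(command, "validate") || !_stricmp(command, "listChunks")) {
        /* Both commands take one hex heap handle; parse it once. */
        heapName = strtok(NULL, " ");
        if (heapName == NULL) {
            dprintf("[Byakugan] Please provide a heap handle.\n");
        } else {
            /* strtoul yields a 32-bit value on Windows, so a 64-bit handle
             * would be truncated here; the tool targets 32-bit x86. */
            heapHandle = (PVOID) strtoul(heapName, NULL, 16);
            if (!_stricmp(command, "validate"))
                tenkValidate(heapHandle);
            else
                tenkListChunks(heapHandle);
        }
    } else if (!_stricmp(command, "listHeaps")) {
        tenkListHeaps();
    } else {
        dprintf("[Byakugan] Unknown tenketsu command.\n");
        tenkHelp();
    }

    /* Single exit so EXIT_API runs on every path, including the early
     * returns the previous version took without it. */
    EXIT_API();
    return result;
}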