metasploit-framework/external/source/byakugan
pusscat 0f6ba79619 Add support for sucking in files directly to indentBuf and memDiff
git-svn-id: file:///home/svn/framework3/trunk@6159 4d416f70-5f16-0410-b530-b9f4589650da
2009-01-16 17:14:46 +00:00
..
bin Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
detours Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
i386 Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
injectsu Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
test Add tenketsu test program 2008-09-02 14:33:41 +00:00
README Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
byakugan.cpp Add success splash on load, add list functionality, update bins 2009-01-07 21:21:16 +00:00
byakugan.def Add dirty dirty IDA map file parsing code - soon to be integrated when I can figure out the IDebugSymbols object 2008-12-17 21:59:40 +00:00
byakugan.h Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
byakugan.rc Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
exts.cpp Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
handlerJutsu.cpp Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
heapModeler.cpp Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
heapSplay.cpp Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
heapStructs.h Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
jutsu.cpp Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
jutsu.h Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
makefile Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
msfpattern.cpp Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
msfpattern.h Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
mushishi.cpp Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
mushishi.h Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
setup.bat Add dirty dirty IDA map file parsing code - soon to be integrated when I can figure out the IDebugSymbols object 2008-12-17 21:59:40 +00:00
sources Add dirty dirty IDA map file parsing code - soon to be integrated when I can figure out the IDebugSymbols object 2008-12-17 21:59:40 +00:00
stdwindbg.cpp Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
stdwindbg.h Add support for sucking in files directly to indentBuf and memDiff 2009-01-16 17:14:46 +00:00
svn-commit.tmp Merging from the byakugan branch 2008-08-20 19:27:03 +00:00
symPort.cpp Uh... add files... 2008-12-19 16:57:01 +00:00
symPort.h Uh... add files... 2008-12-19 16:57:01 +00:00
tenketsu.cpp Add dirty dirty IDA map file parsing code - soon to be integrated when I can figure out the IDebugSymbols object 2008-12-17 21:59:40 +00:00
tenketsu.h Add dirty dirty IDA map file parsing code - soon to be integrated when I can figure out the IDebugSymbols object 2008-12-17 21:59:40 +00:00

README

Byakugan - Increase Your Sight
	Pusscat		Lin0xx

NOTE: If you trust me, skip to 4. - I've already included built libs.

A. Building / Installation
	1. Requirements
		a. WDK
		b. Debugging Tools For Windows
			- Install to C:\windbg\ - or injectsu will not be found
			- Make sure to install with the custom setting
			- Explicitly choose to install the SDK
	2. Building the libraries
		a. Open a WDK build environment for the proper windows version
		b. Go to the byakugan base directory
		c. type: setup
		
	3. Installation (self built)
		a. copy injectsu\i386\injectsu.dll C:\windbg\
		b. copy bin\detoured.dll C:\windows\system32\
		c. copy i386\byakugan.dll C:\windbg\

	4. Installation (Prebuilt binaries)
		a. copy bin\<platform>\injectsu.dll C:\windbg\
		b. copy bin\<platform>\detoured.dll C:\windows\system32\
		c.  copy bin\<platform>\byakugan.dll C:\windbg\


B. Deployment:
	1.	Start up windbg and attach to (or start up) a new process
		a. Ensure that both process are at the same priv level,
		   so they can both access the named pipe 
		b. Load the byakugan dll:
			!load byakugan.dll
		c. Display options with !byakugan command if desired

C. Testing:
	1. testPattern
		a. This tests the pattern matcher in byakugan
		b. Build and run in windbg
		c. on crash you should be able to type:
			!pattern_offset 500

			And have it give you the registers you control,
			and at what offset into the buffer they occur
	2. testTenketsu
		a. This tests the heap visualization in byakugan
		b. Build and run in windbg
		c. On the first break, type
			!tenketsu listHeaps
			
			to find the heap containing the chunks you see (should say 11),
			then type

			!tenketsu listChunks <heap base>

			to list the chunks information
		d. Let it go, then when it breaks again, check the chunks again,
		   and it should show half of them as freed.  You can for fun try to
		   find out what that extra allocation is for. Should be pretty simple.

D. Usage:
	1. Tenketsu (Heap Visualization)
        a. Load tenketsu heap visualization with:
            !tenketsu
        b. When process is broken, display heaps with
            !tenketsu listHeaps
        c. Display chunks with
            !tenketsu listChunks <heap base>
	2. Jutsu (Buffer Handling)
		a. Register input with !jutsu identBuf <bufType> <bufname> <VALUE> <size>
			1. Viable types are ascii, msfpattern, and file
				ascii requires a name, and pattern, but no size
				file takes the file path as a VALUE and requires a size argument
				msfpattern requires no value argument
		c. List registered buffers with !jutsu listBuf
		d. Remove registered buffers with !jutsu rmBuf <name>
		e. After crash, type !jutsu hunt to find out:
			1. What buffer caused a crash
			2. What registers you've overwritten (and if pattern, at what offset)
			3. What registers point at what buffers
			4. What corruption has occured (toupper, tolower, etc)
		f. Use !jutsu findReturn to find valid return addresses
			1. hunt will use all knowledge about controlled registers and buffer offsets
			   to find all possible usable return addresses
		g. Use !jutsu searchOpcode to fine opcodes in executable memory
			1. delimit instructions with pipes - example:

			0:000> !jutsu searchOpcode  pop ecx | pop ecx | ret
			[J] Searching for:
			>  pop ecx
			>  pop ecx
			>  ret
			[J] Machine Code:
			> 59 59 c3
			[J] Opcode sequence found at: 0x004012f9
		h. use !jutsu trackVal to find and primitive values in memory

	3. Mushishi (Anti-debugging detection / removal)
		a. Not much in here now, but growing
		b. !mushishi detect - detects several methods
		c. !mushishi defeat - defeats known defeatable methods

	4. Sympath (Import IDA map files into windbg - map files contain all custom names)
		a. !sympath moduleName mapFilePath

		0:001> !symport calc C:\Users\lgrenier\calc.map
		[S] Adjusting symbols to base address of: 0x calc (00680000)
		[S] Failed to add synthetic symbol: ?bFocus@@3HA
		[S] Failed to add synthetic symbol: ?machine@@3PAY04DA
		[S] Failed to add synthetic symbol: ?init_num_ten@@3U_number@@A
		[S] Failed to add synthetic symbol: ?init_p_rat_exp@@3U_number@@A
		[S] Successfully imported 566 symbols.