114 lines
4.1 KiB
Plaintext
114 lines
4.1 KiB
Plaintext
Byakugan - Increase Your Sight
|
|
Pusscat Lin0xx
|
|
|
|
NOTE: If you trust me, skip to 4. - I've already included built libs.
|
|
|
|
A. Building / Installation
|
|
1. Requirements
|
|
a. WDK
|
|
b. Debugging Tools For Windows
|
|
- Install to C:\windbg\ - or injectsu will not be found
|
|
- Make sure to install with the custom setting
|
|
- Explicitly choose to install the SDK
|
|
2. Building the libraries
|
|
a. Open a WDK build environment for the proper windows version
|
|
b. Go to the byakugan base directory
|
|
c. type: setup
|
|
|
|
3. Installation (self built)
|
|
a. copy injectsu\i386\injectsu.dll C:\windbg\
|
|
b. copy bin\detoured.dll C:\windows\system32\
|
|
c. copy i386\byakugan.dll C:\windbg\
|
|
|
|
4. Installation (Prebuilt binaries)
|
|
a. copy bin\<platform>\injectsu.dll C:\windbg\
|
|
b. copy bin\<platform>\detoured.dll C:\windows\system32\
|
|
c. copy bin\<platform>\byakugan.dll C:\windbg\
|
|
|
|
|
|
B. Deployment:
|
|
1. Start up windbg and attach to (or start up) a new process
|
|
a. Ensure that both process are at the same priv level,
|
|
so they can both access the named pipe
|
|
b. Load the byakugan dll:
|
|
!load byakugan.dll
|
|
c. Display options with !byakugan command if desired
|
|
|
|
C. Testing:
|
|
1. testPattern
|
|
a. This tests the pattern matcher in byakugan
|
|
b. Build and run in windbg
|
|
c. on crash you should be able to type:
|
|
!pattern_offset 500
|
|
|
|
And have it give you the registers you control,
|
|
and at what offset into the buffer they occur
|
|
2. testTenketsu
|
|
a. This tests the heap visualization in byakugan
|
|
b. Build and run in windbg
|
|
c. On the first break, type
|
|
!tenketsu listHeaps
|
|
|
|
to find the heap containing the chunks you see (should say 11),
|
|
then type
|
|
|
|
!tenketsu listChunks <heap base>
|
|
|
|
to list the chunks information
|
|
d. Let it go, then when it breaks again, check the chunks again,
|
|
and it should show half of them as freed. You can for fun try to
|
|
find out what that extra allocation is for. Should be pretty simple.
|
|
|
|
D. Usage:
|
|
1. Tenketsu (Heap Visualization)
|
|
a. Load tenketsu heap visualization with:
|
|
!tenketsu
|
|
b. When process is broken, display heaps with
|
|
!tenketsu listHeaps
|
|
c. Display chunks with
|
|
!tenketsu listChunks <heap base>
|
|
2. Jutsu (Buffer Handling)
|
|
a. Register input with !jutsu identBuf <bufType> <bufname> <VALUE> <size>
|
|
1. Viable types are ascii, msfpattern, and file
|
|
ascii requires a name, and pattern, but no size
|
|
file takes the file path as a VALUE and requires a size argument
|
|
msfpattern requires no value argument
|
|
c. List registered buffers with !jutsu listBuf
|
|
d. Remove registered buffers with !jutsu rmBuf <name>
|
|
e. After crash, type !jutsu hunt to find out:
|
|
1. What buffer caused a crash
|
|
2. What registers you've overwritten (and if pattern, at what offset)
|
|
3. What registers point at what buffers
|
|
4. What corruption has occured (toupper, tolower, etc)
|
|
f. Use !jutsu findReturn to find valid return addresses
|
|
1. hunt will use all knowledge about controlled registers and buffer offsets
|
|
to find all possible usable return addresses
|
|
g. Use !jutsu searchOpcode to fine opcodes in executable memory
|
|
1. delimit instructions with pipes - example:
|
|
|
|
0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
|
|
[J] Searching for:
|
|
> pop ecx
|
|
> pop ecx
|
|
> ret
|
|
[J] Machine Code:
|
|
> 59 59 c3
|
|
[J] Opcode sequence found at: 0x004012f9
|
|
h. use !jutsu trackVal to find and primitive values in memory
|
|
|
|
3. Mushishi (Anti-debugging detection / removal)
|
|
a. Not much in here now, but growing
|
|
b. !mushishi detect - detects several methods
|
|
c. !mushishi defeat - defeats known defeatable methods
|
|
|
|
4. Sympath (Import IDA map files into windbg - map files contain all custom names)
|
|
a. !sympath moduleName mapFilePath
|
|
|
|
0:001> !symport calc C:\Users\lgrenier\calc.map
|
|
[S] Adjusting symbols to base address of: 0x calc (00680000)
|
|
[S] Failed to add synthetic symbol: ?bFocus@@3HA
|
|
[S] Failed to add synthetic symbol: ?machine@@3PAY04DA
|
|
[S] Failed to add synthetic symbol: ?init_num_ten@@3U_number@@A
|
|
[S] Failed to add synthetic symbol: ?init_p_rat_exp@@3U_number@@A
|
|
[S] Successfully imported 566 symbols.
|