metasploit-framework/external/source/byakugan/README

114 lines
4.1 KiB
Plaintext

Byakugan - Increase Your Sight
Pusscat Lin0xx
NOTE: If you trust me, skip to 4. - I've already included built libs.
A. Building / Installation
1. Requirements
a. WDK
b. Debugging Tools For Windows
- Install to C:\windbg\ - or injectsu will not be found
- Make sure to install with the custom setting
- Explicitly choose to install the SDK
2. Building the libraries
a. Open a WDK build environment for the proper windows version
b. Go to the byakugan base directory
c. type: setup
3. Installation (self built)
a. copy injectsu\i386\injectsu.dll C:\windbg\
b. copy bin\detoured.dll C:\windows\system32\
c. copy i386\byakugan.dll C:\windbg\
4. Installation (Prebuilt binaries)
a. copy bin\<platform>\injectsu.dll C:\windbg\
b. copy bin\<platform>\detoured.dll C:\windows\system32\
c. copy bin\<platform>\byakugan.dll C:\windbg\
B. Deployment:
1. Start up windbg and attach to (or start up) a new process
a. Ensure that both process are at the same priv level,
so they can both access the named pipe
b. Load the byakugan dll:
!load byakugan.dll
c. Display options with !byakugan command if desired
C. Testing:
1. testPattern
a. This tests the pattern matcher in byakugan
b. Build and run in windbg
c. on crash you should be able to type:
!pattern_offset 500
And have it give you the registers you control,
and at what offset into the buffer they occur
2. testTenketsu
a. This tests the heap visualization in byakugan
b. Build and run in windbg
c. On the first break, type
!tenketsu listHeaps
to find the heap containing the chunks you see (should say 11),
then type
!tenketsu listChunks <heap base>
to list the chunks information
d. Let it go, then when it breaks again, check the chunks again,
and it should show half of them as freed. You can for fun try to
find out what that extra allocation is for. Should be pretty simple.
D. Usage:
1. Tenketsu (Heap Visualization)
a. Load tenketsu heap visualization with:
!tenketsu
b. When process is broken, display heaps with
!tenketsu listHeaps
c. Display chunks with
!tenketsu listChunks <heap base>
2. Jutsu (Buffer Handling)
a. Register input with !jutsu identBuf <bufType> <bufname> <VALUE> <size>
1. Viable types are ascii, msfpattern, and file
ascii requires a name, and pattern, but no size
file takes the file path as a VALUE and requires a size argument
msfpattern requires no value argument
c. List registered buffers with !jutsu listBuf
d. Remove registered buffers with !jutsu rmBuf <name>
e. After crash, type !jutsu hunt to find out:
1. What buffer caused a crash
2. What registers you've overwritten (and if pattern, at what offset)
3. What registers point at what buffers
4. What corruption has occured (toupper, tolower, etc)
f. Use !jutsu findReturn to find valid return addresses
1. hunt will use all knowledge about controlled registers and buffer offsets
to find all possible usable return addresses
g. Use !jutsu searchOpcode to fine opcodes in executable memory
1. delimit instructions with pipes - example:
0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
[J] Searching for:
> pop ecx
> pop ecx
> ret
[J] Machine Code:
> 59 59 c3
[J] Opcode sequence found at: 0x004012f9
h. use !jutsu trackVal to find and primitive values in memory
3. Mushishi (Anti-debugging detection / removal)
a. Not much in here now, but growing
b. !mushishi detect - detects several methods
c. !mushishi defeat - defeats known defeatable methods
4. Sympath (Import IDA map files into windbg - map files contain all custom names)
a. !sympath moduleName mapFilePath
0:001> !symport calc C:\Users\lgrenier\calc.map
[S] Adjusting symbols to base address of: 0x calc (00680000)
[S] Failed to add synthetic symbol: ?bFocus@@3HA
[S] Failed to add synthetic symbol: ?machine@@3PAY04DA
[S] Failed to add synthetic symbol: ?init_num_ten@@3U_number@@A
[S] Failed to add synthetic symbol: ?init_p_rat_exp@@3U_number@@A
[S] Successfully imported 566 symbols.