Byakugan Windbg Plugin
Byakugan - Increase Your Sight
Pusscat
Lin0xx

NOTE: If you trust me, skip to 4. I've already included built libs.

A. Building / Installation

1. Requirements
   a. Debugging Tools For Windows
      - Install to C:\windbg - or injectsu will not be found
      - Make sure to install with the custom setting
      - Explicitly choose to install the SDK

2. Building the libraries
   a. Open a WDK build environment for the proper windows version
   b. Go to the byakugan base directory
   c. Type: setup

3. Installation (self built)
   a. Copy injectsu\i386\injectsu.dll to C:\windbg
   b. Copy bin\detoured.dll to C:\windows\system32
   c. Copy i386\byakugan.dll to C:\windbg
4. Installation (prebuilt binaries)
   a. Copy bin\injectsu.dll to C:\windbg
   b. Copy bin\detoured.dll to C:\windows\system32
   c. Copy bin\byakugan.dll to C:\windbg

B. Deployment

1. Start up windbg and attach to (or start up) a new process
   a. Ensure that both processes run at the same privilege level, so they can
      both access the named pipe
   b. Load the byakugan dll: !load byakugan.dll
   c. Display options with the !byakugan command if desired

C. Tests

1. TestPattern
   a. This tests the pattern matcher in byakugan
   b. Build and run in windbg
   c. On crash you should be able to type: !patternoffset 500
      and have it give you the registers you control, and at what offset into
      the buffer they occur

2. TestTenketsu
   a. This tests the heap visualization in byakugan
   b. Build and run in windbg
   c. On the first break, type !tenketsu listHeaps to find the heap containing
      the chunks you see (should say 11), then type !tenketsu listChunks to
      list the chunk information
   d. Let it go, then when it breaks again, check the chunks again, and it
      should show half of them as freed. You can for fun try to find out what
      that extra allocation is for. Should be pretty simple.

D. Usage

1. Tenketsu (Heap Visualization)
   a. Load tenketsu heap visualization with: !tenketsu
   b. When the process is broken, display heaps with !tenketsu listHeaps
   c. Display chunks with !tenketsu listChunks

2. Jutsu (Buffer Handling)
   a. Register input with !jutsu identBuf
   b. Can also autoregister MSF pattern bufs with !jutsu identBuf msfpattern
   c. List registered buffers with !jutsu listBuf
   d. Remove registered buffers with !jutsu rmBuf
   e. After crash, type !jutsu hunt to find out:
      1. What buffer caused a crash
      2. What registers you've overwritten (and if pattern, at what offset)
      3. What registers point at what buffers
      4. What corruption has occurred (toupper, tolower, etc)
   f. Use !jutsu findReturn to find valid return addresses
      1. Hunt will use all knowledge about controlled registers and buffer
         offsets to find all possible usable return addresses
   g. Use !jutsu searchOpcode to find opcodes in executable memory
      1. Delimit instructions with pipes - example:
         0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
         [J] Searching for: pop ecx | pop ecx | ret
         [J] Machine Code: 59 59 c3
         [J] Opcode sequence found at: 0x004012f9

3. Mushishi (Anti-debugging detection / removal)
   a. Not much in here now, but growing
   b. !mushishi detect - detects several methods
   c. !mushishi defeat - defeats known defeatable methods
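The lookup that !patternoffset (TestPattern) and !jutsu hunt (Jutsu, items e.2 and e.4) perform on an MSF pattern buffer, as an added Python example that is not byakugan's own code: which registers were loaded from the buffer, at what offset, and whether the bytes were case-folded on the way. It assumes an x86 target (32-bit little-endian registers) and the register dump is constructed.

```python
import string
import struct
# Added example, not the plugin's own code: the offset lookup behind
# !patternoffset and the case-folding check !jutsu hunt reports.  Assumes an
# x86 target, i.e. 32-bit little-endian register values.

def pattern_create(length):
    """Cyclic pattern in Metasploit's Aa0Aa1Aa2... layout; every 4-byte
    window is unique, so a register value maps back to a single offset."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the pattern's unique range")

def pattern_offset(reg_value, length):
    """Map a register value from the crash back to its offset in the buffer.
    Returns (offset, corruption) with corruption None, 'toupper' or 'tolower',
    or None when the value did not come from the pattern at all."""
    needle = struct.pack("<I", reg_value & 0xFFFFFFFF)
    pattern = pattern_create(length)
    off = pattern.find(needle)
    if off != -1:
        return off, None
    # Not found verbatim: the input may have been case-folded by the target
    # (a toupper()/tolower() pass), so retry against folded copies.
    off = pattern.upper().find(needle)
    if off != -1:
        return off, "toupper"
    off = pattern.lower().find(needle)
    if off != -1:
        return off, "tolower"
    return None

def controlled_registers(regs, length):
    """What !patternoffset prints: each register that was loaded from the
    buffer, with its offset and any corruption seen on the way."""
    hits = {}
    for name, value in regs.items():
        result = pattern_offset(value, length)
        if result is not None:
            hits[name] = result
    return hits

# Constructed register dump from a crash of a 500-byte pattern buffer (the
# TestPattern step); esp holds an ordinary stack address, not pattern bytes.
CRASH_REGS = {"eip": 0x64413764, "ecx": 0x44413744, "esp": 0x0012FF40}
```

Calling controlled_registers(CRASH_REGS, 500) reports eip at offset 112 and ecx at offset 112 with toupper corruption, while esp is not attributed to the buffer.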