Wednesday, January 7, 2009

New byakugan functionality!

I've just added a new jutsu method to byakugan to help you find the address of a particular primitive (DWORD, WORD, or BYTE) in memory. Obviously, this isn't a terribly difficult task - you use the search function in windbg. What trackVal will do for you is allow you to see which of the thousand some-odd addresses search returns is actually storing the primitive you care about. For example, I'll demonstrate how to use trackVal to determine where the result value lives in calc.exe

First, we load calc.exe and do a simple operation which will give us a result. I'll just do 9999 + 1, which will of course give us a value of 10000 or 0x2710 in hex. With the value displayed in calc, we'll attach with windbg, load byakugan, and issue the first trackVal command:

0:002> !jutsu trackVal result 4 0x2710
[J] Creating new list of candidates for result.
[J] Discovered 115 possible candidate addresses for result

Let's disect the command:
- result is the unique name of the value we're tracking
- it's arbitrary, but we'll need to remember it for later
- 4 is the size of the primitive we're concerned with; it can be 4, 2, or 1
- 0x2710 is the hex value that we'd like to find

Once the command is issued, we're informed that the name is unrecognized so an initial sweep of process memory is occuring to find all the possible candidate addresses for our value. When this is finished, we're informed that there are 115 possibilities. Far too many.

Our next task is to continue the process and make a minor change to the value in question. We'll add 3 to it, for a value of 0x2713, then break again and reissue our command:

0:002> !jutsu trackVal result 4 0x2713
[J] Narrowing down candidate list for result from 115 candidates.
[J] Value result is stored at address 0x0014cc64

The command is the same as before, apart from the value. It is important that we use the same name, because this time around we will only be searching the previously discovered candidate addresses. Out of the 115 addresses, only one has our new value in it, and we are informed of this. Score. If more than one had the value, we could repeat this exercise until it's fully narrowed down.

To list what values you're tracking, their sizes, and what how many candidates they have, simply type:

0:001> !jutsu trackVal
[J] Currently tracking:
Name: result Size: 4 Candidates: 111

And to see what the candidates are, just add a name to that command, and no size or value:

0:001> !jutsu trackVal result
[J] Currently tracking 111 candidates for result:
Address: 0x00684962
Address: 0x006c3fa8
Address: 0x006c9758
Address: 0x7463a0a6
Address: 0x74644707
Address: 0x74646042
....

This new tool is expecially useful for cracking software, and cheating at Fallout 3. You can find it, along with the rest of the byakugan windbg plugin in the external directory of the metasploit subversion tree. Check http://metasploit.com for more information. Happy hunting!

BONUS: There are now updated XPSP2 and Vista binaries in the svn tree!
Add to Technorati Favorites Digg! This
Post a Comment