First, we load calc.exe and do a simple operation which will give us a result. I'll just do 9999 + 1, which will of course give us a value of 10000 or 0x2710 in hex. With the value displayed in calc, we'll attach with windbg, load byakugan, and issue the first trackVal command:
0:002> !jutsu trackVal result 4 0x2710
[J] Creating new list of candidates for result.
[J] Discovered 115 possible candidate addresses for result
Let's disect the command:
- result is the unique name of the value we're tracking
- it's arbitrary, but we'll need to remember it for later
- 4 is the size of the primitive we're concerned with; it can be 4, 2, or 1
- 0x2710 is the hex value that we'd like to find
Once the command is issued, we're informed that the name is unrecognized so an initial sweep of process memory is occuring to find all the possible candidate addresses for our value. When this is finished, we're informed that there are 115 possibilities. Far too many.
Our next task is to continue the process and make a minor change to the value in question. We'll add 3 to it, for a value of 0x2713, then break again and reissue our command:
0:002> !jutsu trackVal result 4 0x2713
[J] Narrowing down candidate list for result from 115 candidates.
[J] Value result is stored at address 0x0014cc64
The command is the same as before, apart from the value. It is important that we use the same name, because this time around we will only be searching the previously discovered candidate addresses. Out of the 115 addresses, only one has our new value in it, and we are informed of this. Score. If more than one had the value, we could repeat this exercise until it's fully narrowed down.
To list what values you're tracking, their sizes, and what how many candidates they have, simply type:
0:001> !jutsu trackVal
[J] Currently tracking:
Name: result Size: 4 Candidates: 111
And to see what the candidates are, just add a name to that command, and no size or value:
0:001> !jutsu trackVal result
[J] Currently tracking 111 candidates for result:
This new tool is expecially useful for cracking software, and cheating at Fallout 3. You can find it, along with the rest of the byakugan windbg plugin in the external directory of the metasploit subversion tree. Check http://metasploit.com for more information. Happy hunting!
BONUS: There are now updated XPSP2 and Vista binaries in the svn tree!