Bit of Everything! Vulnerability Research, Reverse Engineering, Malware Analysis, Exploits etc...
Wednesday, December 31, 2014
Useful windbg and mona commands for exploit writing
Find the opcode bytes of an instruction, say "jmp esp", with the assemble (a) command:
0:000> a              // press Enter once; windbg shows the current address and waits for input
Input> jmp esp        // press Enter once, then Enter again on an empty line to leave assembly mode
7c901214 jmp esp
0:000> u 7c901214
ntdll!DbgUserBreakPoint+0x2:
7c901214 ffe4 jmp esp
So "ff e4" are the opcode bytes for "jmp esp".
Search memory for an instruction sequence by its opcode bytes, e.g. mov al,1 / ret:
Opcode    Instruction
b0 01     mov al,1
c3        ret
0:000> s -b 0x00000000 L?0xffffffff "b001c3"
Syntax error at '"b001c3"'
With -b the pattern is given as space-separated byte values, not a quoted string (L? permits a range larger than 256 MB):
0:000> s -b 0x00000000 L?0xffffffff b0 01 c3
77eda3fa b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
7c80c190 b0 01 c3 90 90 90 90 90-8b ff 55 8b ec 8b 45 0c
0:000> u 77eda3fa
RPCRT4!NDR_PIPE_HELPER32::GotoNextParam+0x1b:
77eda3fa b001 mov al,1
Opcode    Instruction
b0 01     mov al,1
c2        ret n       (ret with a 16-bit immediate is encoded c2 nn nn, so search on the c2 prefix, not c3)
0:000> s -b 0x00000000 L?0xffffffff b0 01 c2
71a517a1 b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71 ...........%.p.q
77eda6b2 b0 01 c2 08 00 90 90 90-90 90 32 c0 c3 90 90 90 ..........2.....
7c9518ea b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 ............U..V
0:000> u 71a517a1
mswsock+0x17a1:
71a517a1 b001 mov al,1
71a517a3 c20c00 ret 0Ch
push esp / pop ebp / ret n (54 / 5d / c2):
0:000> s -b 0x00000000 L?0xffffffff 54 5D c2
77eedc68 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
77eee353 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
77eee7b3 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 51 T]..........U..Q
77eeecd6 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 6a T]..........U..j
77eeee84 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
Assorted mona commands that might be useful during exploit writing
!mona suggest
!mona assemble -s "mov eax#ret"
Find all executable locations that have a pointer to "jmp ecx"
!mona find -type instr -s "jmp ecx" -p2p -x X
Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"
!mona findwild -s "mov r16#*#retn"
ROP gadgets from all loaded DLLs
!mona rop -n -o
ROP gadgets from a specific DLL
!mona rop -m msvcr71.dll -n
ROP gadgets without bad characters
!mona rop -m msvcr71.dll -n -cpb '\x00\x0a\x0d'
Find stack pivots at a distance of 1500 bytes
!mona stackpivot -n -o -distance 1500
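The search-and-filter workflow above (windbg's s -b to find a byte pattern, u to confirm what it decodes to, and mona's -cpb to drop addresses that contain bad characters) as an added Python example; this is not code from the post or from mona. The module image, its base address 0x77ED0000 and the gadget offsets are constructed, and the tiny decoder covers only the opcodes this page uses.

```python
"""Gadget search modelled on the windbg `s -b` / `u` workflow above and mona's findwild and -cpb filter.
Added example, not the blog's or mona's code; `blob` is a flat 32-bit module image and `base` its load address."""
import re
BAD_CHARS = b"\x00\x0a\x0d"   # same set as the page's -cpb '\x00\x0a\x0d'
ONE_BYTE = {0x54: "push esp", 0x5d: "pop ebp", 0xc3: "ret"}   # single-byte opcodes this page uses

def compile_pattern(pattern: str) -> re.Pattern:
    """'b0 01 c2 ?? ??' -> bytes regex; '??' matches any byte, lookahead keeps overlapping hits."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in pattern.split()]
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def search_bytes(blob: bytes, base: int, pattern: str) -> list[int]:
    """Like `s -b <base> L<len> <bytes>`: every address where the pattern starts."""
    return [base + m.start() for m in compile_pattern(pattern).finditer(blob)]

def has_bad_chars(address: int, bad: bytes = BAD_CHARS) -> bool:
    """True if the little-endian 32-bit encoding of `address` contains a bad byte."""
    return any(b in bad for b in address.to_bytes(4, "little"))

def usable_hits(blob: bytes, base: int, pattern: str, bad: bytes = BAD_CHARS) -> list[int]:
    """Hits whose address survives the bad-character filter (what -cpb drops)."""
    return [a for a in search_bytes(blob, base, pattern) if not has_bad_chars(a, bad)]

def disassemble_gadget(blob: bytes, offset: int, max_insns: int = 8) -> list[str]:
    """`u`-style walk over the page's opcodes, stopping at the first ret or unknown byte."""
    out = []
    while offset < len(blob) and len(out) < max_insns:
        op, rest = blob[offset], blob[offset + 1:offset + 3]
        if op == 0xb0 and rest:                      # b0 imm8  : mov al, imm8
            out.append(f"mov al,{rest[0]:#x}"); offset += 2
        elif op == 0xc2 and len(rest) == 2:          # c2 imm16 : ret n
            out.append(f"ret {int.from_bytes(rest, 'little'):#x}"); break
        elif op in ONE_BYTE:
            out.append(ONE_BYTE[op]); offset += 1
            if op == 0xc3: break
        else:
            out.append(f"db {op:#04x}"); break
    return out

# Constructed module image: NOP padding with three of the page's gadgets at chosen offsets.
SAMPLE_BASE = 0x77ED0000   # constructed load address, not a real module
SAMPLE_BLOB = (b"\x90" * 0x3FA + b"\xb0\x01\xc3"                    # +0x3FA: mov al,1 / ret
               + b"\x90" * 0x2B5 + b"\xb0\x01\xc2\x08\x00"           # +0x6B2: mov al,1 / ret 8
               + b"\x90" * 0x349 + b"\x54\x5d\xc2\x04\x00")          # +0xA00: push esp / pop ebp / ret 4

if __name__ == "__main__":
    for pat in ("b0 01 c3", "b0 01 c2 ?? ??", "54 5d c2 ?? ??"):
        for addr in search_bytes(SAMPLE_BLOB, SAMPLE_BASE, pat):
            print(f"{addr:08x}  bad_chars={has_bad_chars(addr)}  " + " / ".join(disassemble_gadget(SAMPLE_BLOB, addr - SAMPLE_BASE)))
```

The third gadget lands at 0x77ED0A00, whose encoding contains both 0x00 and 0x0a, so usable_hits drops it just as -cpb would.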
https://labs.snort.org/awbo/windbg.txt
http://windbg.info/doc/1-common-cmds.html
http://blog.disects.com/2014/04/windbg-useful-debugging-commands.html
Dude, write readable blogs.. should look like written by a security researcher :-)
@Chintan. True!
But most of the blogs are for my reference ;-)
Well, took the feedback, will try to write readable blogs!