Wednesday, December 31, 2014

Useful windbg and mona commands for exploit writing



Find opcodes of instructions, say, "jmp esp"
0:000>a //press Enter key once
Input>jmp esp //press Enter key once
7c901214 jmp esp
0:000> u 7c901214 
ntdll!DbgUserBreakPoint+0x2:
7c901214 ffe4            jmp     esp

So "ffe4" are the opcodes for "jmp esp"

Opcode       Instruction
b0 01     mov al,1
c3             ret
0:000> s -b 0x00000000 L?0xffffffff "b001c3"
Syntax error at '"b001c3"'
0:000> s -b 0x00000000 L?0xffffffff b0 01 c3
77eda3fa  b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
7c80c190  b0 01 c3 90 90 90 90 90-8b ff 55 8b ec 8b 45 0c
0:000> u 77eda3fa  
RPCRT4!NDR_PIPE_HELPER32::GotoNextParam+0x1b:
77eda3fa b001            mov     al,1

Opcode       Instruction
b0 01     mov al,1
c3             ret n
0:000> s -b 0x00000000 L?0xffffffff b0 01 c2
71a517a1  b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71  ...........%.p.q
77eda6b2  b0 01 c2 08 00 90 90 90-90 90 32 c0 c3 90 90 90  ..........2.....
7c9518ea  b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  ............U..V
0:000> u 71a517a1  
mswsock+0x17a1:
71a517a1 b001            mov     al,1
71a517a3 c20c00          ret     0Ch

push esp / pop ebp / ret
0:000> s -b 0x00000000 L?0xffffffff 54 5D c2
77eedc68  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
77eee353  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
77eee7b3  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 51  T]..........U..Q
77eeecd6  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 6a  T]..........U..j
77eeee84  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V

Random mona commands, might be useful during exploit writing
!mona suggest
!mona assemble -s "mov eax#ret"

Find all executable locations that have a pointer to “jmp ecx”
!mona find -type instr -s "jmp ecx" -p2p -x X

Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"

!mona findwild -s "mov r16#*#retn"

ROP gadgets from all loaded DLL's
!mona rop -n -o

ROP gadget from specific DLL
!mona rop -m msvcr71.dll -n

ROP gadgets without bad characters
!mona rop -m msvcr71.dll -n -cpb '\x00\x0a\x0d'

Find stackpivot at offset 1500
!mona stackpivot -n -o -distance 1500

https://labs.snort.org/awbo/windbg.txt
http://windbg.info/doc/1-common-cmds.html
http://blog.disects.com/2014/04/windbg-useful-debugging-commands.html