On request, I've added a memory diffing function to byakugan, which will allow you to compare a segment of memory to any buffer that's tracked with identBuf. Shortly I'll be adding the ability to pull buffers in from files, and even directly from metasploit through a back channel. (I promise back channel support is next!)
To test (and explain) functionality, I threw together a simple program:
This code makes a simple MSF pattern, then corrupts a few random characters, and replaces all '6's with '1's.
If we then load this program in byakugan, and then register a buffer with identBuf
we can diff the registered buffer with the pattern in memory and see the changes:
!jutsu memDiff buf 64 msfPattern 0x0012fef0
The arguments to memDiff are type size value
and address
. For now the only accepted type is buf. This will take the name provided as value and pull that buffer from the tracked list for diffing. The size is the number of bytes to diff, and the address is the beginning address of the diff.
In this case, the output will look something like this:
The differ will show actual and expected with changes in bold on the actual side. In addition to that, it will store "bad chars" as well as corrupted offsets. It uses a simple algorithm to decide which is which. If a byte is modified, but that same byte is seen later in the payload, the assumption is made that the corruption is offset based, however, if all of a given character are missing, that is assumed to be a bad character. Obviously this approach falls down without a sufficiently complex input, but it certainly helps at times. I'll be augmenting this shortly with a truncation check to clean up the output in cases where you just dont have the space.
New binaries are uploaded for XPSP2, Vista, and Win7. New inputs coming soon!