Monday, August 25, 2008

Improved WinDBG opcode searching

Being goaded by some coworkers about the opcode searching functionality of WinDbg prompted me to add a new option to jutsu today: searchOpcode

You can search for a sequence of instructions together: it assembles them, shows you the resulting machine code, and then searches executable memory for that byte sequence. Instructions are delimited by pipes. I plan to add some limited wildcard functionality in the near future as well.

0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
[J] Searching for:
> pop ecx
> pop ecx
> ret
[J] Machine Code:
> 59 59 c3
[J] Opcode sequence found at: 0x004012f9
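As an added example (not the jutsu extension's own code), here is the search half of that workflow in Python: a pipe-delimited parser backed by a hand-written table covering only the two instructions in the session above, a "??" wildcard byte (an assumed syntax for the planned wildcard feature), and a masked scan over a constructed region whose base address and contents are made up so that the sequence lands at the same address as in the session.

```python
# Hand-assembled x86 encodings for the instructions used in the post.
# Constructed lookup for this example only; the real extension assembles
# arbitrary instructions, which this table does not attempt.
ENCODINGS = {
    "pop ecx": b"\x59",
    "ret": b"\xc3",
    "??": None,  # wildcard: matches any single byte (assumed syntax)
}

def parse_sequence(text):
    """Turn 'pop ecx | ?? | ret' into a pattern: ints for exact bytes, None for wildcards."""
    pattern = []
    for mnemonic in (m.strip().lower() for m in text.split("|")):
        if not mnemonic:
            continue
        if mnemonic not in ENCODINGS:
            raise ValueError("no encoding for %r" % mnemonic)
        enc = ENCODINGS[mnemonic]
        pattern.extend([None] if enc is None else list(enc))
    return pattern

def format_machine_code(pattern):
    """Render the pattern the way the extension prints it, e.g. '59 59 c3'."""
    return " ".join("??" if b is None else "%02x" % b for b in pattern)

def search_region(region, base, pattern):
    """Return every absolute address in region where the masked pattern matches."""
    n = len(pattern)
    return [base + off for off in range(len(region) - n + 1)
            if all(p is None or region[off + i] == p for i, p in enumerate(pattern))]

def search_opcode(text, region, base):
    """Parse, then scan: the two steps the searchOpcode command chains together."""
    return search_region(region, base, parse_sequence(text))

# Constructed executable region: nop filler with 59 59 c3 placed so it
# sits at 0x004012f9, and a second sequence that only a wildcard can hit.
BASE = 0x00401000
REGION = bytearray(b"\x90" * 0x300)
REGION[0x2f9:0x2fc] = b"\x59\x59\xc3"  # pop ecx / pop ecx / ret
REGION[0x100:0x103] = b"\x59\x58\xc3"  # pop ecx / pop eax / ret

if __name__ == "__main__":
    for query in ("pop ecx | pop ecx | ret", "pop ecx | ?? | ret"):
        pat = parse_sequence(query)
        print("[J] Machine Code: %s" % format_machine_code(pat))
        for addr in search_region(REGION, BASE, pat):
            print("[J] Opcode sequence found at: 0x%08x" % addr)
```

The same scan, pointed at a real module's executable pages, is also a quick way to confirm whether a given byte sequence is present in a build you are assessing.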

1 comment:

kapanpun said...

One example of what I'm talking about is intrusion detection. The better you get at intrusion detection, the more incident response you will end up doing as a result. Getting better at security operations in general will often lead to the discovery of more intrusions as your knowledge increases, new systems are implemented, and security systems are improved. Someone who is good at penetration testing or application fuzzing may be able to find and exploit more vulnerabilities, and in the end do extra work because of that. I'm sure there are many more examples.