frida re fridadotre debugger debuggee debugger debuggee
play

www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee - PowerPoint PPT Presentation

Dec 26, 2022 •400 likes •769 views

Unlocking secrets of proprietary software using www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper

  1. Unlocking secrets of proprietary software using www.frida.re @fridadotre

  2. Debugger Debuggee

  3. Debugger Debuggee bootstrapper

  4. Debugger Debuggee bootstrapper-thread bootstrapper

  5. Debugger Debuggee bootstrapper-thread bootstrapper frida-agent.so

  6. Debugger Debuggee bootstrapper-thread bootstrapper Comm. Channel frida-agent.so

  7. Debugger Debuggee bootstrapper-thread bootstrapper Comm. Channel frida-agent.so JavaScript

  8. Motivation Existing tools often not a good fi t for the task at hand Creating a new tool usually takes too much e ff ort Short feedback loop: reversing is an iterative process Use one toolkit for multi-platform instrumentation Future remake of oSpy (see below)

  12. What is Frida? Dynamic instrumentation toolkit Debug live processes Scriptable Execute your own debug scripts inside another process Multi-platform Windows, Mac, Linux, iOS, Android, QNX Highly modular, JavaScript is optional Open Source

  13. Why would you need Frida? For reverse-engineering For programmable debugging For dynamic instrumentation But ultimately: To enable rapid development of new tools for the task at hand

  14. Let's explore the basics ▼

  15. 1) Build and run a simple program that calls f( n ) every second with n increasing with each call.

  16. 2) Let's fi gure out what n is.

  17. Frida has a REPL. Let's use it.

  18. It live-reloads!

  19. 3) Let's modify what n is. How about +9000?

  20. 4) Let's speed up time.

  21. 5) Let's call f() ourselves.

  22. 6) rpc, send() and recv().

  23. Let's see what files Twitter open()s on macOS

  24. Let's try interacting with Objective-C

  25. Let's take that to iOS.

  26. Let's figure out who is calling open().

  27. Let's inspect registers.

  28. Let's explore a bit with frida-trace on SnapChat.

  29. Android instrumentation 'use strict'; Java.perform(function () { var MainActivity = Java.use( 're.frida.helloworld.MainActivity'); MainActivity.isRegistered.implementation = function () { console.log('isRegistered() w00t'); return true; }; });

  30. Injecting errors 'use strict'; $ node app.js Spotify connect() family=2 ip=78.31.9.101 port=80 blocking! const AF_INET = 2; connect() family=2 ip=193.182.7.242 port=80 const AF_INET6 = 30; blocking! connect() family=2 ip=194.132.162.4 port=443 const ECONNREFUSED = 61; blocking! connect() family=2 ip=194.132.162.4 port=80 blocking! ['connect', 'connect$NOCANCEL'].forEach(funcName => { connect() family=2 ip=194.132.162.212 port=80 const connect = new NativeFunction( blocking! connect() family=2 ip=194.132.162.196 port=4070 Module.findExportByName('libsystem_kernel.dylib', funcName), blocking! connect() family=2 ip=193.182.7.226 port=443 'int', blocking! ['int', 'pointer', 'int']); Interceptor.replace(connect, new NativeCallback((socket, address, addressLen) => { const family = Memory.readU8(address.add(1)); if (family == AF_INET || family == AF_INET6) { const port = (Memory.readU8(address.add(2)) << 8) | Memory.readU8(address.add(3)); let ip = ''; if (family == AF_INET) { for (let offset = 4; offset != 8; offset++) { if (ip.length > 0) ip += '.'; ip += Memory.readU8(address.add(offset)); } } else { for (let offset = 8; offset !== 24; offset += 2) { if (ip.length > 0) ip += ':'; ip += toHex(Memory.readU8(address.add(offset))) + toHex(Memory.readU8(address.add(offset + 1))); } } console.log('connect() family=' + family + ' ip=' + ip + ' port=' + port); if (port === 80 || port === 443 || port === 4070) { console.log(' blocking!'); this.errno = ECONNREFUSED; return -1; } else { console.log(' accepting!'); return connect(socket, address, addressLen); } } else { return connect(socket, address, addressLen); } }, 'int', ['int', 'pointer', 'int'])); send('ready'); }); function toHex(v) { let result = v.toString(16); if (result.length === 1) result = '0' + result; return result; }

  31. All calls between two recv() calls 'use strict'; $ node app.js Spotify const co = require('co'); const frida = require('frida'); Waiting for application to call recv()... const load = require('frida-load'); let session, script; Results received: co(function *() { session = yield frida.attach(process.argv[2]); const source = yield load( require.resolve('./agent.js')); 0x119875dc7 CALL 0x119887527 script = yield session.createScript(source); script.events.listen('message', message => { if (message.type === 'send') { 0x119875e7 CALL 0x11989a1e6 const stanza = message.payload; switch (stanza.name) { case '+ready': 0x1197f4df CALL 0x11992f934 console.log('Waiting for application to call recv()...'); break; case '+result': { 0x1197f4f3 CALL 0x1197edd7d console.log('Results received:'); const events = stanza.payload.events; events.forEach(ev => { const location = ev[0]; 0x7fff8acdf6ad CALL 0x7fff8ace32dc const target = ev[1]; const depth = ev[2]; let indent = ''; | 0x7fff95355059 CALL 0x7fff9535c08b for (let i = 0; i !== depth; i++) indent += ' | '; console.log('\t' + indent + location + '\tCALL ' + target); 0x7fff937774be CALL 0x7fff9375d5a0 }); session.detach(); break; | 0x7fff9376e76 CALL 0x7fff93788d6e } } } else { console.log(message); | 0x7fff9376e722 CALL 0x7fff93788d2c } }); yield script.load(); | | 0x7fff8d1e9754 CALL 0x7fff8d1e721 }); | | 0x7fff8d1e9765 CALL 0x7fff8d1e721 | | 0x7fff8d1e9421 CALL 0x7fff8d1e955c | | | 0x7fff8d1e95bf CALL 0x7fff8d1e7 | | | | 0x7fff8d1e7417 CALL 0x7 | | | 0x7fff8d1e95eb CALL 0x7fff8d203 'use strict'; const WAITING = 1; const STALKING = 2; 0x7fff9377752c CALL 0x7fff93788d9e const COLLECTING = 3; const DONE = 4; let state = WAITING; | 0x7fff8d1ed7c8 CALL 0x7fff8d1e721 let stalkedThreadId = null; let blobs = []; ['recv', 'recv$NOCANCEL'].forEach(funcName => { Interceptor.attach(Module.findExportByName('libsystem_c.dylib', funcName), { 0x7fff9377754e CALL 0x7fff93788b5e onEnter: args => { if (state === STALKING && this.threadId === stalkedThreadId) { state = COLLECTING; Stalker.unfollow(); | 0x7fff8acdfd10 CALL 0x7fff8acdec91 } }, onLeave: retval => { if (state === WAITING) { | | 0x7fff8acded53 CALL 0x7fff8ace32e2 state = STALKING; stalkedThreadId = this.threadId; Stalker.follow({ events: { call: true | | | 0x7fff95352182 CALL 0x7fff95353 }, onReceive: events => { blobs.push(events); if (state === COLLECTING) { | | | | 0x7fff95353663 CALL 0x1 sendResult(); state = DONE; } } | | | | | 0x14ce858a CALL 0x7 }); } } }); }); | | | | | | 0x7fff9535bb4e send({ name: '+ready' }); | | | | | | | 0x7fff9535bbe0 function sendResult() { const events = blobs.reduce((result, blob) => { const cursor = { data: blob, | 0x7fff8acdfd20 CALL 0x7fff8ace3348 offset: 0 }; let e; while ((e = nextEvent(cursor))) { | 0x7fff8acdfd48 CALL 0x7fff8acde877 result.push(e); } return result; | | 0x7fff8acde8ce CALL 0x7fff8ace32e2 }, []); send({ name: '+result', payload: { | | | 0x7fff95352182 CALL 0x7fff95353 events: events } }); } | | | | 0x7fff95353663 CALL 0x1 function nextEvent(cursor) { // FIXME: 32-bit support const data = cursor.data; if (cursor.offset === data.length) | | | | | 0x14ce858a CALL 0x7 return null; skipEventType(cursor); const location = readPointer(cursor); const target = readPointer(cursor); | | | | | | 0x7fff9535bb4e const depth = readDepth(cursor); return [location, target, depth]; } function skipEventType(cursor) { | | | | | | | 0x7fff9535bbe0 cursor.offset += 8; } function readPointer(cursor) { | | 0x7fff8acde8e1 CALL 0x7fff8ace32c4 const data = cursor.data; const offset = cursor.offset; cursor.offset += 8; return ptr('0x' + | | 0x7fff8acde923 CALL 0x7fff8acdd68f data[offset + 7].toString(16) + data[offset + 6].toString(16) + data[offset + 5].toString(16) + data[offset + 4].toString(16) + data[offset + 3].toString(16) + | | | 0x7fff8acdd6ad CALL 0x7fff8ace3 data[offset + 2].toString(16) + data[offset + 1].toString(16) + data[offset + 0].toString(16)); } | | | | 0x7fff968e0ef CALL 0x7 function readDepth(cursor) { const data = cursor.data; const offset = cursor.offset; cursor.offset += 8; | | | 0x7fff8acdd6b5 CALL 0x7fff8ace3 // FIXME: sign extend return (data[offset + 3] << 24) | (data[offset + 2] << 16) | (data[offset + 1] << 8) | | 0x7fff8acdfd60 CALL 0x7fff8acdd5d4 (data[offset + 0] << 0); } | 0x7fff8acdfd6b CALL 0x7fff8acdd5d4 | 0x7fff8acdfd76 CALL 0x7fff8acdd5d4 | 0x7fff8acdfd81 CALL 0x7fff8acdd68f

  34. Questions? Twitter: @oleavr @fridadotre

  35. Thanks! Please drop by https://t.me/fridadotre (or #frida on FreeNode)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so compatible with other stuff this term) Works for C/C++ programs Supports most core debugger features, well examine a few of the most common

261 views • 9 slides
How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent

How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent

How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent Fargues Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

807 views • 79 slides
Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019

Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019

Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019 About Me Software Developer at JetBrains, PyCharm IDE Debugger and Data Science tools @lisa_shashkova 2 Visual Debugger 3

892 views • 68 slides
The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer

The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer

The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer Tools GAMEWORKS Overview Linux Graphics Debugger Features Agenda Debugging UE4 on Linux Graphics Debugger Thanks to our friends at 2 NVIDIA

598 views • 28 slides
CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240 October 16, 2019 1 / 11 GNU Debugger (gdb) A debugger is a program that simulates/runs another program which can help you find where goes wrong of

127 views • 11 slides
1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

Debuggers A very real interactive debugger: gdb Widely used Debugging Runs on everything A classic implementation (with and without Debuggers) Mostly standard debugger technology Design decisions Runs and

274 views • 8 slides
Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Center for Information Services and High Performance Computing (ZIH) Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945 Matthias Lieber (Matthias.Lieber@tu-dresden.de) Why using a Debugger? Your

759 views • 47 slides
Debugging Memory Problems on Cray XT3 Supercomputers with TotalView Debugger Chris Gottbrath,

Debugging Memory Problems on Cray XT3 Supercomputers with TotalView Debugger Chris Gottbrath,

Debugging Memory Problems on Cray XT3 Supercomputers with TotalView Debugger Chris Gottbrath, Ariel Burton TotalView Technologies Robert Moench, Luiz DeRose Cray What is TotalView? Source Code Debugger C, C++, Fortran 77,

459 views • 29 slides
Bi BigDebug : : Interactive Debugger for Bi Big Data

Bi BigDebug : : Interactive Debugger for Bi Big Data

Bi BigDebug : : Interactive Debugger for Bi Big Data Analytics in Apache Spark MUHAMMAD ALI GULZAR, MATTEO INTERLANDI, TYSON CONDIE,

390 views • 16 slides
CS 241 Data Organization Using GDB March 22, 2018 What is GDB? The GNU debugger Allows

CS 241 Data Organization Using GDB March 22, 2018 What is GDB? The GNU debugger Allows

CS 241 Data Organization Using GDB March 22, 2018 What is GDB? The GNU debugger Allows you to inspect the program during execution Works for several languages, including C and C++ Compiling for Debugging When you are going to use

462 views • 15 slides
gdb or what to do when my program segfaults? sws1 1 gdb Gnu debugger, for several

gdb or what to do when my program segfaults? sws1 1 gdb Gnu debugger, for several

gdb or what to do when my program segfaults? sws1 1 gdb Gnu debugger, for several languages, incl. C and C++ It allows you to inspect what a program is doing at points during execution Esp. useful to find out the cause of a

153 views • 12 slides
COMP 1402 Winter 2008 Tutorial #6 Arrays Part 2, Structures, Debugger Overview of Tutorial #6

COMP 1402 Winter 2008 Tutorial #6 Arrays Part 2, Structures, Debugger Overview of Tutorial #6

COMP 1402 Winter 2008 Tutorial #6 Arrays Part 2, Structures, Debugger Overview of Tutorial #6 Arrays revisited, array indexing Memory allocation Freeing memory Basic Data structures Debugger revisited Exercises 1

342 views • 15 slides
gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

1 what to do when my program segfaults? gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It allows you to inspect what a program is doing at points during ll t i t h t i d i t i t d i execution

537 views • 12 slides
: A Concurrency-Agnostic Debugger An Example for Domain-Specific Online Debugging

: A Concurrency-Agnostic Debugger An Example for Domain-Specific Online Debugging

: A Concurrency-Agnostic Debugger An Example for Domain-Specific Online Debugging C. Torres Lopez S. Marr D. Aumayr H. Mssenbck E. Gonzalez Boix IFIP WG 2.11, July 17-20, 2017, Koblenz What am I doing? A simple VM for all

485 views • 26 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job =&gt; I avoid RE as much as

670 views • 15 slides
Mike Madison The main use of a debugger is to run the target program under controlled conditions

Mike Madison The main use of a debugger is to run the target program under controlled conditions

Mike Madison The main use of a debugger is to run the target program under controlled conditions that permit the programmer to track its operations in progress and monitor changes in computer resources (most often memory areas used by the target

761 views • 31 slides
Lock-Free Algorithms For Ultimate Performance Martin Thompson - @mjpt777 Modern Hardware

Lock-Free Algorithms For Ultimate Performance Martin Thompson - @mjpt777 Modern Hardware

Lock-Free Algorithms For Ultimate Performance Martin Thompson - @mjpt777 Modern Hardware Overview Modern Hardware (Intel Sandy Bridge) ... ... Registers/Buffers C 1 C n C 1 C n &lt;1ns ... ... L1 L1 L1 L1 ~3-4 cycles ~1ns ...

639 views • 45 slides
Recent Advances in Generalized Matching Theory John William Hatfield Stanford Graduate School of

Recent Advances in Generalized Matching Theory John William Hatfield Stanford Graduate School of

Recent Advances in Generalized Matching Theory John William Hatfield Stanford Graduate School of Business Scott Duke Kominers Becker Friedman Institute, University of Chicago Matching Problems: Economics meets Mathematics Conference

1.37k views • 109 slides
Run-DMA Michael Rushanan, Stephen Checkoway Johns Hopkins University, University of Illinois at

Run-DMA Michael Rushanan, Stephen Checkoway Johns Hopkins University, University of Illinois at

Run-DMA Michael Rushanan, Stephen Checkoway Johns Hopkins University, University of Illinois at Chicago 1 Introduction Arbitrary computation using Direct Memory Access engine Access all resources of the device Implement the following

677 views • 34 slides
Stellar Consensus Protocol Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Stellar Consensus Protocol Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Stellar Consensus Protocol Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 25, 2018 1 / 30 Lecture Plan Consensus Protocol Terminology Related Protocols

335 views • 30 slides
CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h

CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h

CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h t u a e : i o k o c t - e S G E T C o o k i e : a u t h e n t i c a t o r e s n o p s e r How it

363 views • 17 slides
How governments have tried to block Tor Roger Dingledine Jacob Appelbaum The Tor Project

How governments have tried to block Tor Roger Dingledine Jacob Appelbaum The Tor Project

How governments have tried to block Tor Roger Dingledine Jacob Appelbaum The Tor Project https://torproject.org/ 1 Estimated ~400,000? daily Tor users 2 Threat model: what can the attacker do? Alice Anonymity network Bob watch Alice!

831 views • 50 slides
06. Protect ction from Browser fi fingerprinting Nataliia

06. Protect ction from Browser fi fingerprinting Nataliia

06. Protect ction from Browser fi fingerprinting Nataliia Bielova @nataliabielova September 17 th =21 st , 2018 Web Privacy course University of Trento Nataliia Bielova

857 views • 20 slides
HIVeducation@aol.com I have no real or perceived conflicts of interest with any

HIVeducation@aol.com I have no real or perceived conflicts of interest with any

www.straighttalkwithcathy.com HIVeducation@aol.com I have no real or perceived conflicts of interest with any pharmaceuticals, or other companies. I am not being paid or compensated by any other organization for the following

1.09k views • 61 slides

More recommend