frida re fridadotre debugger debuggee debugger debuggee
play

www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee - PowerPoint PPT Presentation

Dec 26, 2022 •400 likes •769 views

Unlocking secrets of proprietary software using www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper

  1. Unlocking secrets of proprietary software using www.frida.re @fridadotre

  2. Debugger Debuggee

  3. Debugger Debuggee bootstrapper

  4. Debugger Debuggee bootstrapper-thread bootstrapper

  5. Debugger Debuggee bootstrapper-thread bootstrapper frida-agent.so

  6. Debugger Debuggee bootstrapper-thread bootstrapper Comm. Channel frida-agent.so

  7. Debugger Debuggee bootstrapper-thread bootstrapper Comm. Channel frida-agent.so JavaScript

  8. Motivation Existing tools often not a good fi t for the task at hand Creating a new tool usually takes too much e ff ort Short feedback loop: reversing is an iterative process Use one toolkit for multi-platform instrumentation Future remake of oSpy (see below)

  12. What is Frida? Dynamic instrumentation toolkit Debug live processes Scriptable Execute your own debug scripts inside another process Multi-platform Windows, Mac, Linux, iOS, Android, QNX Highly modular, JavaScript is optional Open Source

  13. Why would you need Frida? For reverse-engineering For programmable debugging For dynamic instrumentation But ultimately: To enable rapid development of new tools for the task at hand

  14. Let's explore the basics ▼

  15. 1) Build and run a simple program that calls f( n ) every second with n increasing with each call.

  16. 2) Let's fi gure out what n is.

  17. Frida has a REPL. Let's use it.

  18. It live-reloads!

  19. 3) Let's modify what n is. How about +9000?

  20. 4) Let's speed up time.

  21. 5) Let's call f() ourselves.

  22. 6) rpc, send() and recv().

  23. Let's see what files Twitter open()s on macOS

  24. Let's try interacting with Objective-C

  25. Let's take that to iOS.

  26. Let's figure out who is calling open().

  27. Let's inspect registers.

  28. Let's explore a bit with frida-trace on SnapChat.

  29. Android instrumentation 'use strict'; Java.perform(function () { var MainActivity = Java.use( 're.frida.helloworld.MainActivity'); MainActivity.isRegistered.implementation = function () { console.log('isRegistered() w00t'); return true; }; });

  30. Injecting errors 'use strict'; $ node app.js Spotify connect() family=2 ip=78.31.9.101 port=80 blocking! const AF_INET = 2; connect() family=2 ip=193.182.7.242 port=80 const AF_INET6 = 30; blocking! connect() family=2 ip=194.132.162.4 port=443 const ECONNREFUSED = 61; blocking! connect() family=2 ip=194.132.162.4 port=80 blocking! ['connect', 'connect$NOCANCEL'].forEach(funcName => { connect() family=2 ip=194.132.162.212 port=80 const connect = new NativeFunction( blocking! connect() family=2 ip=194.132.162.196 port=4070 Module.findExportByName('libsystem_kernel.dylib', funcName), blocking! connect() family=2 ip=193.182.7.226 port=443 'int', blocking! ['int', 'pointer', 'int']); Interceptor.replace(connect, new NativeCallback((socket, address, addressLen) => { const family = Memory.readU8(address.add(1)); if (family == AF_INET || family == AF_INET6) { const port = (Memory.readU8(address.add(2)) << 8) | Memory.readU8(address.add(3)); let ip = ''; if (family == AF_INET) { for (let offset = 4; offset != 8; offset++) { if (ip.length > 0) ip += '.'; ip += Memory.readU8(address.add(offset)); } } else { for (let offset = 8; offset !== 24; offset += 2) { if (ip.length > 0) ip += ':'; ip += toHex(Memory.readU8(address.add(offset))) + toHex(Memory.readU8(address.add(offset + 1))); } } console.log('connect() family=' + family + ' ip=' + ip + ' port=' + port); if (port === 80 || port === 443 || port === 4070) { console.log(' blocking!'); this.errno = ECONNREFUSED; return -1; } else { console.log(' accepting!'); return connect(socket, address, addressLen); } } else { return connect(socket, address, addressLen); } }, 'int', ['int', 'pointer', 'int'])); send('ready'); }); function toHex(v) { let result = v.toString(16); if (result.length === 1) result = '0' + result; return result; }

  31. All calls between two recv() calls 'use strict'; $ node app.js Spotify const co = require('co'); const frida = require('frida'); Waiting for application to call recv()... const load = require('frida-load'); let session, script; Results received: co(function *() { session = yield frida.attach(process.argv[2]); const source = yield load( require.resolve('./agent.js')); 0x119875dc7 CALL 0x119887527 script = yield session.createScript(source); script.events.listen('message', message => { if (message.type === 'send') { 0x119875e7 CALL 0x11989a1e6 const stanza = message.payload; switch (stanza.name) { case '+ready': 0x1197f4df CALL 0x11992f934 console.log('Waiting for application to call recv()...'); break; case '+result': { 0x1197f4f3 CALL 0x1197edd7d console.log('Results received:'); const events = stanza.payload.events; events.forEach(ev => { const location = ev[0]; 0x7fff8acdf6ad CALL 0x7fff8ace32dc const target = ev[1]; const depth = ev[2]; let indent = ''; | 0x7fff95355059 CALL 0x7fff9535c08b for (let i = 0; i !== depth; i++) indent += ' | '; console.log('\t' + indent + location + '\tCALL ' + target); 0x7fff937774be CALL 0x7fff9375d5a0 }); session.detach(); break; | 0x7fff9376e76 CALL 0x7fff93788d6e } } } else { console.log(message); | 0x7fff9376e722 CALL 0x7fff93788d2c } }); yield script.load(); | | 0x7fff8d1e9754 CALL 0x7fff8d1e721 }); | | 0x7fff8d1e9765 CALL 0x7fff8d1e721 | | 0x7fff8d1e9421 CALL 0x7fff8d1e955c | | | 0x7fff8d1e95bf CALL 0x7fff8d1e7 | | | | 0x7fff8d1e7417 CALL 0x7 | | | 0x7fff8d1e95eb CALL 0x7fff8d203 'use strict'; const WAITING = 1; const STALKING = 2; 0x7fff9377752c CALL 0x7fff93788d9e const COLLECTING = 3; const DONE = 4; let state = WAITING; | 0x7fff8d1ed7c8 CALL 0x7fff8d1e721 let stalkedThreadId = null; let blobs = []; ['recv', 'recv$NOCANCEL'].forEach(funcName => { Interceptor.attach(Module.findExportByName('libsystem_c.dylib', funcName), { 0x7fff9377754e CALL 0x7fff93788b5e onEnter: args => { if (state === STALKING && this.threadId === stalkedThreadId) { state = COLLECTING; Stalker.unfollow(); | 0x7fff8acdfd10 CALL 0x7fff8acdec91 } }, onLeave: retval => { if (state === WAITING) { | | 0x7fff8acded53 CALL 0x7fff8ace32e2 state = STALKING; stalkedThreadId = this.threadId; Stalker.follow({ events: { call: true | | | 0x7fff95352182 CALL 0x7fff95353 }, onReceive: events => { blobs.push(events); if (state === COLLECTING) { | | | | 0x7fff95353663 CALL 0x1 sendResult(); state = DONE; } } | | | | | 0x14ce858a CALL 0x7 }); } } }); }); | | | | | | 0x7fff9535bb4e send({ name: '+ready' }); | | | | | | | 0x7fff9535bbe0 function sendResult() { const events = blobs.reduce((result, blob) => { const cursor = { data: blob, | 0x7fff8acdfd20 CALL 0x7fff8ace3348 offset: 0 }; let e; while ((e = nextEvent(cursor))) { | 0x7fff8acdfd48 CALL 0x7fff8acde877 result.push(e); } return result; | | 0x7fff8acde8ce CALL 0x7fff8ace32e2 }, []); send({ name: '+result', payload: { | | | 0x7fff95352182 CALL 0x7fff95353 events: events } }); } | | | | 0x7fff95353663 CALL 0x1 function nextEvent(cursor) { // FIXME: 32-bit support const data = cursor.data; if (cursor.offset === data.length) | | | | | 0x14ce858a CALL 0x7 return null; skipEventType(cursor); const location = readPointer(cursor); const target = readPointer(cursor); | | | | | | 0x7fff9535bb4e const depth = readDepth(cursor); return [location, target, depth]; } function skipEventType(cursor) { | | | | | | | 0x7fff9535bbe0 cursor.offset += 8; } function readPointer(cursor) { | | 0x7fff8acde8e1 CALL 0x7fff8ace32c4 const data = cursor.data; const offset = cursor.offset; cursor.offset += 8; return ptr('0x' + | | 0x7fff8acde923 CALL 0x7fff8acdd68f data[offset + 7].toString(16) + data[offset + 6].toString(16) + data[offset + 5].toString(16) + data[offset + 4].toString(16) + data[offset + 3].toString(16) + | | | 0x7fff8acdd6ad CALL 0x7fff8ace3 data[offset + 2].toString(16) + data[offset + 1].toString(16) + data[offset + 0].toString(16)); } | | | | 0x7fff968e0ef CALL 0x7 function readDepth(cursor) { const data = cursor.data; const offset = cursor.offset; cursor.offset += 8; | | | 0x7fff8acdd6b5 CALL 0x7fff8ace3 // FIXME: sign extend return (data[offset + 3] << 24) | (data[offset + 2] << 16) | (data[offset + 1] << 8) | | 0x7fff8acdfd60 CALL 0x7fff8acdd5d4 (data[offset + 0] << 0); } | 0x7fff8acdfd6b CALL 0x7fff8acdd5d4 | 0x7fff8acdfd76 CALL 0x7fff8acdd5d4 | 0x7fff8acdfd81 CALL 0x7fff8acdd68f

  34. Questions? Twitter: @oleavr @fridadotre

  35. Thanks! Please drop by https://t.me/fridadotre (or #frida on FreeNode)

Recommend

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so

Gdb debugger Somewhat limited as a debugger, but works in a command line environment (so compatible with other stuff this term) Works for C/C++ programs Supports most core debugger features, well examine a few of the most common

261 views • 9 slides
How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent

How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent

How to design a Baseband debugger SSTIC 2020 June the 3rd Synacktiv David Berard, Vincent Fargues Table of Contents 1 Introduction Shannon architecture 2 Debugger injection Conclusion 3 6 Debugger development 4 Examples of use 5

807 views • 79 slides
Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019

Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019

Visual Debugger for Jupyter Notebooks: Myth or Reality? Elizaveta Shashkova EuroPython 2019 About Me Software Developer at JetBrains, PyCharm IDE Debugger and Data Science tools @lisa_shashkova 2 Visual Debugger 3

892 views • 68 slides
The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer

The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer

The Time Has Come: Linux Graphics Debugger Matt Campbell, Senior Engineer, Graphics Developer Tools GAMEWORKS Overview Linux Graphics Debugger Features Agenda Debugging UE4 on Linux Graphics Debugger Thanks to our friends at 2 NVIDIA

598 views • 28 slides
CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240

CS 240 Programming in C GNU Debugger (gdb) October 16, 2019 Haoyu Wang UMass Boston CS 240 October 16, 2019 1 / 11 GNU Debugger (gdb) A debugger is a program that simulates/runs another program which can help you find where goes wrong of

127 views • 11 slides
1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

Debuggers A very real interactive debugger: gdb Widely used Debugging Runs on everything A classic implementation (with and without Debuggers) Mostly standard debugger technology Design decisions Runs and

274 views • 8 slides
Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Center for Information Services and High Performance Computing (ZIH) Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945 Matthias Lieber (Matthias.Lieber@tu-dresden.de) Why using a Debugger? Your

759 views • 47 slides
Debugging Memory Problems on Cray XT3 Supercomputers with TotalView Debugger Chris Gottbrath,

Debugging Memory Problems on Cray XT3 Supercomputers with TotalView Debugger Chris Gottbrath,

Debugging Memory Problems on Cray XT3 Supercomputers with TotalView Debugger Chris Gottbrath, Ariel Burton TotalView Technologies Robert Moench, Luiz DeRose Cray What is TotalView? Source Code Debugger C, C++, Fortran 77,

459 views • 29 slides
Bi BigDebug : : Interactive Debugger for Bi Big Data

Bi BigDebug : : Interactive Debugger for Bi Big Data

Bi BigDebug : : Interactive Debugger for Bi Big Data Analytics in Apache Spark MUHAMMAD ALI GULZAR, MATTEO INTERLANDI, TYSON CONDIE,

390 views • 16 slides
CS 241 Data Organization Using GDB March 22, 2018 What is GDB? The GNU debugger Allows

CS 241 Data Organization Using GDB March 22, 2018 What is GDB? The GNU debugger Allows

CS 241 Data Organization Using GDB March 22, 2018 What is GDB? The GNU debugger Allows you to inspect the program during execution Works for several languages, including C and C++ Compiling for Debugging When you are going to use

462 views • 15 slides
gdb or what to do when my program segfaults? sws1 1 gdb Gnu debugger, for several

gdb or what to do when my program segfaults? sws1 1 gdb Gnu debugger, for several

gdb or what to do when my program segfaults? sws1 1 gdb Gnu debugger, for several languages, incl. C and C++ It allows you to inspect what a program is doing at points during execution Esp. useful to find out the cause of a

153 views • 12 slides
COMP 1402 Winter 2008 Tutorial #6 Arrays Part 2, Structures, Debugger Overview of Tutorial #6

COMP 1402 Winter 2008 Tutorial #6 Arrays Part 2, Structures, Debugger Overview of Tutorial #6

COMP 1402 Winter 2008 Tutorial #6 Arrays Part 2, Structures, Debugger Overview of Tutorial #6 Arrays revisited, array indexing Memory allocation Freeing memory Basic Data structures Debugger revisited Exercises 1

342 views • 15 slides
gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

1 what to do when my program segfaults? gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It allows you to inspect what a program is doing at points during ll t i t h t i d i t i t d i execution

537 views • 12 slides
: A Concurrency-Agnostic Debugger An Example for Domain-Specific Online Debugging

: A Concurrency-Agnostic Debugger An Example for Domain-Specific Online Debugging

: A Concurrency-Agnostic Debugger An Example for Domain-Specific Online Debugging C. Torres Lopez S. Marr D. Aumayr H. Mssenbck E. Gonzalez Boix IFIP WG 2.11, July 17-20, 2017, Koblenz What am I doing? A simple VM for all

485 views • 26 slides
FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser RE is just part of my job =&gt; I avoid RE as much as

670 views • 15 slides
Mike Madison The main use of a debugger is to run the target program under controlled conditions

Mike Madison The main use of a debugger is to run the target program under controlled conditions

Mike Madison The main use of a debugger is to run the target program under controlled conditions that permit the programmer to track its operations in progress and monitor changes in computer resources (most often memory areas used by the target

761 views • 31 slides
THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a

THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a

THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a program for use with gdb, use the -g compiler switch Most debuggers provide the same functionality Other graphical options on MCECS Linux

506 views • 8 slides
MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu Institute for Interdisciplinary Information Sciences Tsinghua University Software-Defined Networks (SDN): promises and challenges SDN will simplify

414 views • 25 slides
Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers

Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers

Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers life Debugger allows the programmer to take a look at the program in execution to deduce the cause of crashes and erroneous results Debugger

595 views • 13 slides
Software and Programming I Lab 2: Step-by-step execution of programs using a Debugger

Software and Programming I Lab 2: Step-by-step execution of programs using a Debugger

Software and Programming I Lab 2: Step-by-step execution of programs using a Debugger SP1-Lab2-20.pdf 1 23 January 2020 Tobi Brodie (tobi@dcs.bbk.ac.uk) Lab Session 2: Objectives This session we are concentrating on BlueJs built-in

658 views • 32 slides
ddSMT: A Delta Debugger for the SMT-LIB v2 Format Aina Niemetz and Armin Biere Institute for

ddSMT: A Delta Debugger for the SMT-LIB v2 Format Aina Niemetz and Armin Biere Institute for

ddSMT: A Delta Debugger for the SMT-LIB v2 Format Aina Niemetz and Armin Biere Institute for Formal Models and Verification (FMV) Johannes Kepler University, Linz, Austria http://fmv.jku.at/ SMT Workshop 2013 July 8 - 9, 2013 Helsinki,

595 views • 42 slides
COSC 340: Software Engineering Using the Debugger Michael Jantz COSC 340: Software Engineering

COSC 340: Software Engineering Using the Debugger Michael Jantz COSC 340: Software Engineering

COSC 340: Software Engineering Using the Debugger Michael Jantz COSC 340: Software Engineering 1 Introduction What is it? A tool that supports examination of your program during execution How does it work? User attaches the

793 views • 28 slides
DEBUGGER CSSE 120 Rose-Hulman Institute of Technology Integrated Development Environments

DEBUGGER CSSE 120 Rose-Hulman Institute of Technology Integrated Development Environments

PRACTICE, ECLIPSE. DEBUGGER CSSE 120 Rose-Hulman Institute of Technology Integrated Development Environments (IDEs) What are they? Why use one? The next slides Our IDE Eclipse address the listed points Why we chose it

251 views • 13 slides
Advice about Debugger Construction Arthur Nunes-Harwitt Nassau Community College One Education

Advice about Debugger Construction Arthur Nunes-Harwitt Nassau Community College One Education

Advice about Debugger Construction Arthur Nunes-Harwitt Nassau Community College One Education Drive Garden City, NY 11530 nunesa@ncc.edu http://www.matcmp.ncc.edu/ ~ nunesa/ 1 Background (define (interp exp env k) (cond ((constant? exp) (k

760 views • 16 slides

More recommend