Getting Fun With Frida-Ekoparty-21-10-2016 PDF
§ https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
§ https://en.wikipedia.org/wiki/DynamoRIO
Intro – How do I perform DBI? (frameworks)
• In both cases you write a Pin or DynamoRIO tool in C/C++, and the instrumentation code injected into the target is C/C++ as well
```cpp
// Fragments of a Pin tool (C++) as shown on the slides; the surrounding
// functions (main() and the Fini callback) are not reproduced on the page.
ofstream OutFile;
// Write to a file since cout and cerr maybe closed by the application

    // end of main(): open the output file named by the tool's -o knob
    OutFile.open(KnobOutputFile.Value().c_str());
    return 0;
}

    // end of the Fini callback: set the output format and close the file
    OutFile.setf(ios::showbase);
    OutFile.close();
}
```
§ For example, Pin can be executed as follows:
• Scriptable
• Executes JavaScript programs inside another process. It uses the V8 and Duktape engines (JavaScriptCore is deprecated).
• Windows:
§ C:\Users\travesti>pip install frida
• Linux:
§ travesti@palermo:~$ sudo pip install frida
§ Then …
Frida – How do I use Frida?
• As easy as this:
• console
• Process
• Module
• Memory
• Thread
• Socket
• File
• Instruction
Frida – JavaScript API - Console
§ console: used for output.
• console.log(line)
• console.warn(line)
• console.error(line)
Frida – JavaScript API - Process
§ Process: functions and properties used to interact with a
process.
• Process.arch, Process.platform
• Process.isDebuggerAttached
• Process.enumerateThreads(callbacks)
• Process.findModuleByAddress(address)
• Process.findModuleByName(name)
• Process.enumerateModules(callbacks)
§ […]
Frida – JavaScript API - Module
§ Module: used to interact with modules residing in the process.
• Module.enumerateImports(name, callbacks)
• Module.enumerateExports(name, callbacks)
• Module.enumerateRanges(name, protection, callbacks)
• Module.findBaseAddress(name)
• Module.findExportByName(module|null, exp)
§ […]
Frida – JavaScript API - Memory
§ Memory: used to interact with memory pages residing in a given process.
Frida – JavaScript API - Thread
• Thread.backtrace([context, backtracer])
• Thread.sleep(delay)
Frida – JavaScript API - Socket
§ Socket: used to handle sockets.
• Socket.type(handle)
• Socket.localAddress(handle)
• Socket.peerAddress(handle)
Frida – JavaScript API - File
§ File: used to handle file I/O.
• File(filePath, mode)
• write
• read
• flush
• close
Frida – JavaScript API - Instruction
§ Instruction: used to get information about a given instruction in the process's code.
• Instruction.parse(target)
Frida – Interceptor/Stalker
• Frida has two main components exposed through its API:
• Interceptor
• Normal operation mode (hooking)
• No stealthiness
• Stalker
• Instrumentation per se
• Stealth (kind of)
• Lack of functionality (CALL/RET)
• More details: https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8
Frida – How do I use Interceptor?
• Interceptor example:
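The slide's own code is not on the page; the following is an added example (mine, not the talk's) of what an Interceptor script looks like. It assumes the target process exports `open()` from its C library, resolved with `Module.findExportByName(null, 'open')`, and keeps the hook logic in a plain function so it also runs outside Frida.

```javascript
// Added example (not from the slides): hook libc's open() with Frida's
// Interceptor and record every call. Assumed target export: open().

// Records of every observed call; filled by the onLeave handler.
const openCalls = [];

// Build the callback object Interceptor.attach() expects. Values captured in
// onEnter are stored on `this`, which Frida keeps per invocation, so onLeave
// sees the matching state even when open() is called from several threads.
function makeOpenHook(log) {
  return {
    onEnter(args) {
      // args[0]: const char *pathname, args[1]: int flags
      this.path = args[0].readUtf8String();
      this.flags = args[1].toInt32();
    },
    onLeave(retval) {
      const record = { path: this.path, flags: this.flags, fd: retval.toInt32() };
      log.push(record);
      console.log('open(' + record.path + ', ' + record.flags + ') = ' + record.fd);
      return record;
    }
  };
}

// Count opens per path, e.g. to spot a process repeatedly touching one file.
function summarizeOpens(log) {
  const counts = {};
  for (const c of log) counts[c.path] = (counts[c.path] || 0) + 1;
  return counts;
}

// Frida-only part: guarded so the script also loads in plain Node.
if (typeof Interceptor !== 'undefined') {
  const target = Module.findExportByName(null, 'open');
  Interceptor.attach(target, makeOpenHook(openCalls));
  console.log('[*] open() hooked at ' + target);
}
```

Run it with `frida -p <pid> -l open-hook.js` (path and pid are placeholders); each open() call is printed as it returns.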
Frida – Interceptor example output
Frida – Interceptor at low level (API hook)
Frida – Interceptor stub
Frida – Stalker
• Stalker example:
Frida – How does Stalker work?
• Stalker at low level:
§ https://github.com/poxyran/misc/blob/master/frida-heap-trace.py
Tools based on Frida
§ https://github.com/wapiflapi/villoc
§ fridump: universal memory dumper, aimed at dumping accessible memory regions from any platform supported by Frida.
https://github.com/Nightbringer21/fridump
§ frida-extract: FridaExtract is a Frida.re-based RunPE extraction tool. Using FridaExtract you can automatically extract and reconstruct a PE file that has been injected using the RunPE method.
https://github.com/OALabs/frida-extract
§ frida-discover: tool for discovering internal functions in a program, e.g. Cryptoshark: https://github.com/frida/cryptoshark
Cryptoshark and frida-discover are based on Frida’s Stalker
API.
§ Then …
Conclusions
Additional information
• Questions to:
§ https://twitter.com/oleavr
§ http://www.frida.re/
§ https://github.com/frida
• Frida resources:
§ https://github.com/dweinstein/awesome-frida
Acknowledgments & Greetings
• Ole André V. Ravnås
• For answering all my questions about Frida
• Francisco Falcón
• For the feedback about this presentation
Questions?
Thank you.