May contain traces of assembler - Frida · Resume remote thread execution heap FIFO. Injection -...
The engineering behind the gnireenigne
May contain traces of assembler
Background
What motivated Frida?
● Interoperation
  ○ connect to black-boxes beyond existing integration points
● Compatibility
  ○ workarounds for specification vs implementation drift
  ○ micro-level reverse-engineering
● Design recovery
  ○ recover specification from implementation
● Lack of dynamic reverse engineering tools
Design goals for Frida
● Live inspection of other processes
  ○ no source code
  ○ no debugging symbols
● “Inject” our own agent D into the remote process P without P noticing, and communicate with D from the outside of process P
● Inspect and modify memory, threads, registers
● Avoid anti-debugging defenses
Plan of attack
1. Inject
   a. insert our own custom logic into remote process
2. Intercept
   a. trap function calls in remote process
3. Stalk
   a. instruction-level code tracing in the remote process
   b. avoiding all current anti-debugging products
Injection
Injection - the basics
[Diagram: the debuggee (a.out with libc.so and libpthread.so mapped, a heap, and threads 1, 2 and 3) next to the frida debugger process (libc, heap, thread 1), connected by a FIFO]
Injection - the game plan
1. Create .so containing our agent
2. Hijack thread in remote process with ptrace
3. Allocate memory for bootstrapper in remote process
4. Populate bootstrapper with our own code
5. Execute bootstrapper in remote process, which
   ○ starts fresh thread, which
     ■ opens FIFO to debugger process
     ■ notifies debugger over FIFO
     ■ loads agent .so file
     ■ executes (long running) agent entry point from .so file
     ■ closes FIFO
Injection - the relevant APIs
● ptrace
  ○ process trace
● mmap
  ○ map files or devices into memory
● dlopen
  ○ loads a dynamic library (.so file) into a process
● dlsym
  ○ finds the address where a function from the .so is loaded into memory
● signal
  ○ set up handlers for UNIX signals (SIGSTOP, SIGCONT, …)
Create .so containing our agent
(hexdump for frida-agent.so)
Hijack thread in remote process with ptrace
```c
ptrace (PTRACE_ATTACH, pid, NULL, NULL);
waitpid (pid, &status, 0);
ptrace (PTRACE_GETREGS, pid, NULL, saved_regs);
```
Allocate memory for bootstrapper (1)
```c
ptrace (PTRACE_GETREGS, pid, NULL, &regs);
regs.rip = resolve_remote_libc_function (pid, "mmap");
/* x86-64 SysV argument registers for mmap (addr, length, prot, flags, fd, offset) */
regs.rdi = 0;
regs.rsi = 8192;
regs.rdx = PROT_READ | PROT_WRITE | PROT_EXEC;
regs.rcx = MAP_PRIVATE | MAP_ANONYMOUS;
regs.r8 = -1;
regs.r9 = 0;
regs.rax = 1337;
regs.rsp -= 8;
```
Allocate memory for bootstrapper (2)
```c
ptrace (PTRACE_POKEDATA, pid, regs.rsp, DUMMY_RETURN_ADDRESS);
ptrace (PTRACE_SETREGS, pid, NULL, &regs);
ptrace (PTRACE_CONT, pid, NULL, NULL);
frida_wait_for_child_signal (pid, SIGTRAP);
ptrace (PTRACE_GETREGS, pid, NULL, &regs);
bootstrapper = regs.rax;
```
● bootstrapper now contains the address of the bootstrapper memory block
Populate bootstrapper with our own code
1. Initialize memory block with generated functions

```c
/* create_frida_thread() [at bootstrapper + 0] */
so = dlopen ("libpthread.so", RTLD_LAZY);
thread_create = dlsym (so, "pthread_create");
thread_create (&worker_thread, NULL, bootstrapper + 128, NULL);
int3 ();
```

```c
/* load_and_exec_agent_so() [at bootstrapper + 128] */
fifo = open (fifo_path, O_WRONLY);
write (fifo, "frida_agent_main", 1);
so = dlopen ("frida-agent.so", RTLD_LAZY);
entry = dlsym (so, "frida_agent_main");
entry (DATA_STRING);
close (fifo);
```
Execute bootstrapper in remote process
```c
ptrace (PTRACE_GETREGS, pid, NULL, &regs);
regs.rip = bootstrapper;
regs.rsp = bootstrapper + 8192;
ptrace (PTRACE_SETREGS, pid, NULL, &regs);
ptrace (PTRACE_CONT, pid, NULL, NULL);
frida_wait_for_child_signal (pid, SIGTRAP);
```
Resume remote thread execution
```c
ptrace (PTRACE_SETREGS, pid, NULL, saved_regs);
ptrace (PTRACE_DETACH, pid, NULL, NULL);
```
Injection - the summary
[Animated diagram: the debuggee (a.out with libc.so, libpthread.so and later frida-agent.so mapped, a heap, threads 1 and 2) next to the frida debugger process (libc, heap, thread 1), stepped through the injection sequence]
1. Create .so file containing our agent
2. Hijack thread in remote process using ptrace
3. Populate bootstrapper with our own code
4. Execute bootstrapper
5. Start fresh thread
6. Opens FIFO to debugger process
7. Notifies debugger over FIFO
8. Loads agent .so file
9. Resume remote thread execution
10. Execute agent entry point
Done!
Interception
(image © 2010, Alex Eylar)
Interception - the basics
[Diagram, four frames: caller f with a `call foo` at the callsite and callee g running to `ret`; the final frame shows control diverted through a `jmp g` before the original code reaches `ret`]
Interception - the game plan
● find address of function of interest
● generate trampoline for calling our interceptor function
● replace first instruction(s) with call to our own trampoline
● trampoline calls interceptor function
● trampoline hides all stack/register modifications
Find address of function
1. Enumerate all modules for current process
   a. Look up in /proc/self/maps
2. For each module (= each .so or executable)
   a. Parse ELF format
   b. Find all symbols (= function names)
   c. Find base address for code segment
3. If relevant symbol found
   a. Compute location of symbol relative to base address
   b. Find base address of module in current process
Interception - initial conditions
```asm
__decrypt_frame:
55              push ebp
8b ec           mov ebp, esp
8b 45 08        mov eax, [ebp + 8]
8b 4d 0c        mov ecx, [ebp + 12]
…
```
```asm
…
e8 04 03 01 01  call __decrypt_frame
…
```
Interception - desired flow / Generate trampoline
```asm
trampoline:
<save registers>
call js_on_enter_callback
<restore registers>
```
Save initial instructions at trampoline end
```asm
trampoline:
<save registers>
call js_on_enter_callback
<restore registers>
push ebp
mov ebp, esp
mov eax, [ebp + 8]
jmp next_instruction
```
Replace first instructions → desired flow
```asm
__decrypt_frame:
e9 01 02 03 04  jmp trampoline
90              nop
next_instruction:
8b 4d 0c        mov ecx, [ebp + 12]
…
```
Done!
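Added example, not Frida's code and not from the slides: a Python model of the hook layout just shown. It takes the prologue of __decrypt_frame, keeps whole instructions until they cover the 5-byte `jmp`, pads with `nop`, encodes the rel32 displacement, and lists the trampoline; the function and trampoline addresses are assumed, and instructions with IP-relative operands are refused because they cannot be copied into the trampoline unchanged.

```python
import struct

JMP_REL32_LEN = 5      # e9 xx xx xx xx
NOP = b"\x90"

# One-byte opcodes whose operand is relative to the instruction pointer
# (call/jmp near, jmp short, jcc short). Copying one of these into the
# trampoline unchanged would break it; the 0f 8x near-jcc forms are not
# covered by this simplified check.
IP_RELATIVE_OPCODES = {0xE8, 0xE9, 0xEB} | set(range(0x70, 0x80))


def rel32(src_end, dst):
    """Displacement for a near jmp whose next-instruction address is src_end."""
    return struct.pack("<i", dst - src_end)


def select_prologue(instructions, needed=JMP_REL32_LEN):
    """Take whole instructions from the function start until `needed` bytes are covered."""
    taken, covered = [], 0
    for code, text in instructions:
        if code[0] in IP_RELATIVE_OPCODES:
            raise ValueError(f"cannot relocate IP-relative instruction: {text}")
        taken.append((code, text))
        covered += len(code)
        if covered >= needed:
            return taken, covered
    raise ValueError("function too short to hook")


def build_hook(func_addr, tramp_addr, instructions, callback="js_on_enter_callback"):
    """Return the entry patch, the relocated instructions and the trampoline listing."""
    moved, covered = select_prologue(instructions)
    next_instruction = func_addr + covered
    # Bytes written over the function entry (after the page is made writable):
    # jmp trampoline, then nop padding so the patch ends on an instruction boundary.
    patch = b"\xe9" + rel32(func_addr + JMP_REL32_LEN, tramp_addr)
    patch += NOP * (covered - JMP_REL32_LEN)
    # Trampoline in the order the slides show: hide our work, then replay the
    # displaced prologue and resume at the first untouched instruction.
    trampoline = ["<save registers>", f"call {callback}", "<restore registers>"]
    trampoline += [text for _, text in moved]
    trampoline.append(f"jmp next_instruction  ; 0x{next_instruction:08x}")
    return {"patch": patch, "moved": moved,
            "next_instruction": next_instruction, "trampoline": trampoline}


# Constructed sample: the prologue from the slides at assumed addresses.
DECRYPT_FRAME = [
    (b"\x55", "push ebp"),
    (b"\x8b\xec", "mov ebp, esp"),
    (b"\x8b\x45\x08", "mov eax, [ebp + 8]"),
    (b"\x8b\x4d\x0c", "mov ecx, [ebp + 12]"),
]
FUNC_ADDR = 0x08049000   # assumed address of __decrypt_frame
TRAMP_ADDR = 0x08060000  # assumed address of the generated trampoline

if __name__ == "__main__":
    hook = build_hook(FUNC_ADDR, TRAMP_ADDR, DECRYPT_FRAME)
    print("entry patch:", hook["patch"].hex(" "))
    for line in hook["trampoline"]:
        print("   ", line)
```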
Stalking
Stalking - the game plan
● intercept (trap) function call
● apply instruction-based binary code rewriting to first basic block of function
● wrap each instruction with a prologue and epilogue
● rewrite every branch instruction to call into stalker
● place resulting basic block in a new memory page
● mark page executable
● replace first instruction in original function with branch to new basic block
Stalking - the basics
```asm
max:
1  cmp eax, ebx
2  jg 6
3  push eax
4  mov eax, ebx
5  pop ebx
6  ret
```
Split into basic blocks

Wrap each instruction with instrumentation:
```
instrumentation
1  cmp eax, ebx
instrumentation
```
Call back into stalker for every basic block transition:
```
instrumentation
1  cmp eax, ebx
instrumentation
stalk(jg, 3 | 6)
```
Stalker incrementally rewrites basic blocks:
```
instrumentation
3  push eax
instrumentation
4  mov eax, ebx
instrumentation
5  pop ebx
stalk(ret)
```
Call back into stalker for every basic block transition
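Added example, not Frida's code: a Python model of the Stalker steps above on the six-instruction `max` function. Blocks are compiled lazily from a start address up to their first branch, every ordinary instruction is wrapped in `prologue`/`epilogue` (standing in for the instrumentation), each branch becomes a `stalk(...)` call naming its possible successors, and `run` follows the transitions those calls report. The instruction numbering and the `greater` flag that decides the `jg` are assumptions of this model.

```python
# Constructed sample, keyed by the instruction numbers used on the slides.
MAX_FUNCTION = {
    1: "cmp eax, ebx",
    2: "jg 6",
    3: "push eax",
    4: "mov eax, ebx",
    5: "pop ebx",
    6: "ret",
}

# Control transfers end a basic block; everything else gets wrapped.
BRANCH_MNEMONICS = ("jg", "jmp", "ret")


def decode(program, addr):
    """Split the instruction at addr into (mnemonic, operands)."""
    mnemonic, _, operands = program[addr].partition(" ")
    return mnemonic, operands


def successors(program, addr):
    """Static successors of the branch at addr; [] means 'return to caller'."""
    mnemonic, operands = decode(program, addr)
    if mnemonic == "ret":
        return []
    target = int(operands)
    if mnemonic == "jmp":
        return [target]
    return [addr + 1, target]  # conditional: fall-through first, then taken


class Stalker:
    def __init__(self, program):
        self.program = program
        self.cache = {}        # block start -> (rewritten listing, address of its branch)
        self.transitions = []  # (from block start, to block start), as reported by stalk()

    def compile(self, start):
        """Rewrite the block beginning at start: instructions up to its first branch.

        Ordinary instructions are wrapped in prologue/epilogue; the branch is
        replaced by a stalk(...) call naming the possible successors, so control
        comes back to the stalker before the next block runs.
        """
        if start not in self.cache:
            listing, addr = [], start
            while decode(self.program, addr)[0] not in BRANCH_MNEMONICS:
                listing += ["prologue", f"{addr} {self.program[addr]}", "epilogue"]
                addr += 1
            mnemonic, _ = decode(self.program, addr)
            succ = successors(self.program, addr)
            targets = ", " + " | ".join(map(str, succ)) if succ else ""
            listing.append(f"stalk({mnemonic}{targets})")
            self.cache[start] = (listing, addr)
        return self.cache[start][0]

    def run(self, start, greater):
        """Follow execution block by block; `greater` is the eax > ebx outcome for jg.

        Returns the block start addresses executed, in order. A block is compiled
        only when first reached: the incremental rewriting shown on the slides.
        """
        executed, addr = [], start
        while True:
            self.compile(addr)
            executed.append(addr)
            _, branch = self.cache[addr]
            mnemonic, _ = decode(self.program, branch)
            succ = successors(self.program, branch)
            if not succ:  # ret: leave the stalked function
                return executed
            nxt = succ[1] if (mnemonic == "jg" and greater) else succ[0]
            self.transitions.append((addr, nxt))
            addr = nxt


if __name__ == "__main__":
    stalker = Stalker(MAX_FUNCTION)
    for outcome in (False, True):
        print("eax > ebx:", outcome, "-> blocks", stalker.run(1, greater=outcome))
    for start, (listing, _) in sorted(stalker.cache.items()):
        print(f"block @ {start}:", " ; ".join(listing))
```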
Stalking - challenges
● must decode every instruction
● prologue and epilogue must be “invisible”
● no flags modification
● no stack modification
● no register modification
● self-modifying code
● self-checking code (checksums)
● code that accesses instruction pointer
Use the source, Luke