
Binary Instrumentation with Frida - GDG DevFest 19'

entdark
December 14, 2019


Transcript

  1. $ whoami
     Fernando Diaz, Software Engineer @ VirusTotal, developing sandboxing technologies. Started speaking at GDG Malaga! @entdark_
     Questions? Feel free to ask via QR or http://slides.app.goo.gl/VNjg8
  2. What is Binary Instrumentation?
     Binary instrumentation consists of inserting a set of code or instructions into a binary to gain insight into its behaviour during execution. When we instrument an application we can not only observe what is happening but also modify its control flow when needed.
  3. Types of instrumentation
     - Binary instrumentation: lets us instrument binaries whose source code isn't accessible, as long as they run in a controlled system.
     - Source instrumentation: adds instrumentation code to the source code itself; not feasible without access to it.
  4. Known frameworks / tools
     * Frida: https://frida.re
     * DynamoRIO: https://dynamorio.org
     * Intel PIN: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
  5. What is Frida?
     - Open Source DBI framework, currently sponsored by NowSecure and created by @oleavr (thanks!).
     - Not limited to desktop operating systems: it can instrument Android and iOS applications.
     - It can instrument applications on ARM.
     - Development is blazingly fast.
     - Bindings for the most popular languages, including Python, Java and Node.js.
  6. Why use Frida?
     - Quick development of tools for various tasks.
     - Debugging applications without access to their source code.
     - Reverse engineering on desktop and mobile platforms.
     - Instrumenting applications on different architectures.
  7. Instrumentation languages
     The most commonly used languages for writing instrumentation code are JavaScript and TypeScript. TypeScript is encouraged for anything beyond quick-and-dirty scripts, since it gives you autocompletion and type-checking.
  8. In other words...
     (Diagram) Debugger <-> Channel <-> Frida-agent running the script (JS, TS) <-> Target app
  9. Frida setup
     $ pip3 install frida frida-tools
     ... That's it!
  10. Working with Frida
      To work with Frida we need a couple of things...
      - The Frida bindings, which we can install via python-pip
      - A text editor
      - An application to debug ;)
      Frida API docs: https://frida.re/docs/javascript-api/
  11. Frida API: Interceptor.attach
      Interceptor.attach(target /* NativePointer */, {
        onEnter(args: NativePointer[]) {
          // onEnter body: inspect or modify the arguments
        },
        onLeave(retval: InvocationReturnValue) {
          // onLeave body: inspect or replace the return value
        }
      });
      Link to demo
  12. Frida API: Interceptor.replace
      Interceptor.replace(target, new NativeCallback(function () {
        // contents of our replacement
      }, returnType, argTypes));
  13. Frida API: NativeFunction
      We can use NativeFunction to call system APIs or the binary's own functions from our script.
      new NativeFunction(address: NativePointer, returnType, argTypes[, abi])
  14. Supported ABIs
      - Windows x86: sysv, stdcall, thiscall, fastcall, mscdecl
      - Windows x64: win64
      - UNIX x86: sysv, unix64
      - UNIX ARM: sysv, vfp
      Application Binary Interface (ABI): defines how data structures and functions are accessed in machine code, whereas an API defines that access at the source-code level.
  15. Module.findExportByName
      Returns the absolute address of the export named by its second argument; passing null as the module name searches all loaded modules. The alternative Module.getExportByName behaves the same but throws if the export doesn't exist, instead of returning null. Some examples:
      Module.findExportByName(null, "Sleep")
      Module.getExportByName("KERNEL32.DLL", "Sleep")
  16. Practical Test Case: Instrumenting a Windows binary
      - Notepad.exe is a plain text editor for Windows; it's present in all Windows versions.
      - We can inspect what files it tries to open and/or create in the background.
      - We know for a fact that KERNEL32!CreateFileW is called for opening and/or creating files.
  17. Step by Step: CreateFileW
      HANDLE CreateFileW(
        LPCWSTR               lpFileName,
        DWORD                 dwDesiredAccess,
        DWORD                 dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        DWORD                 dwCreationDisposition,
        DWORD                 dwFlagsAndAttributes,
        HANDLE                hTemplateFile
      );
  18. Step by Step: Get a pointer to KERNEL32.DLL!CreateFileW
      let CreateFileW = Module.getExportByName("KERNEL32.DLL", "CreateFileW");
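The practical test case from slides 16 to 18 carried through as a complete Frida agent script, added here as an example and not part of the original deck. It combines the Interceptor.attach callbacks from slide 11 with the CreateFileW pointer from slide 18; the Win32 constant values are the Windows SDK ones, the argument positions follow the prototype on slide 17, and the hook is only installed when the Frida globals exist so the decoding helpers can also be exercised outside Frida.

```javascript
// Frida agent script: log every file Notepad opens or creates through KERNEL32!CreateFileW.
// Only the hook installation needs Frida; the decoding helpers are plain JavaScript.

// Win32 constants (Windows SDK values) for the two arguments we decode.
const GENERIC_READ = 0x80000000;   // dwDesiredAccess bits
const GENERIC_WRITE = 0x40000000;
const DISPOSITION = {              // dwCreationDisposition values
  1: 'CREATE_NEW', 2: 'CREATE_ALWAYS', 3: 'OPEN_EXISTING',
  4: 'OPEN_ALWAYS', 5: 'TRUNCATE_EXISTING',
};

// Turn a raw dwDesiredAccess mask into readable flag names (masks without either bit stay hex).
function decodeAccess(mask) {
  const names = [];
  if (mask & GENERIC_READ) names.push('GENERIC_READ');
  if (mask & GENERIC_WRITE) names.push('GENERIC_WRITE');
  return names.length ? names.join('|') : '0x' + (mask >>> 0).toString(16);
}

// Build one log line from lpFileName, dwDesiredAccess and dwCreationDisposition.
function describeCreateFile(fileName, desiredAccess, creationDisposition) {
  const disp = DISPOSITION[creationDisposition] || ('disposition=' + creationDisposition);
  return 'CreateFileW(' + JSON.stringify(fileName) + ', ' +
         decodeAccess(desiredAccess) + ', ' + disp + ')';
}

// Hook CreateFileW: onEnter reads the arguments (args[0], args[1] and args[4] per the
// prototype on slide 17), onLeave pairs them with the HANDLE that was returned.
function hookCreateFileW() {
  const target = Module.getExportByName('KERNEL32.DLL', 'CreateFileW');
  Interceptor.attach(target, {
    onEnter(args) {
      // lpFileName is an LPCWSTR (UTF-16); it can be NULL, so check before reading it.
      const name = args[0].isNull() ? '<null>' : args[0].readUtf16String();
      this.desc = describeCreateFile(name, args[1].toUInt32(), args[4].toUInt32());
    },
    onLeave(retval) {
      console.log(this.desc + ' => ' + retval);
    },
  });
}

// Install the hook only inside Frida (where Interceptor and Module are globals); outside it,
// e.g. when exercising the helpers above with Node, nothing is attached.
if (typeof Interceptor !== 'undefined' && typeof Module !== 'undefined') {
  hookCreateFileW();
}
```

Loaded into a running notepad.exe with the frida CLI from frida-tools, every CreateFileW call is printed as one decoded line followed by the handle it returned.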