Slide 1

October 22-23, 2016
FRAPL: Next Generation Reverse Engineering Framework
Max Bazaliy, Alex Hude

Slide 2

Who we are

Alex Hude
- Melbourne, Australia
- BlackmagicDesign
- Hardware, XNU
- Fried Apple team

Max Bazaliy
- Kyiv, Ukraine
- Lookout
- XNU, Linux, LLVM
- Fried Apple team

Slide 3

Modern Reverse Engineering

Static approach
- Disassemblers
- Code analyzers
- Decompilers
- IDA as the tool of choice

Dynamic approach
- Debuggers
- Dynamic analyzers
- Code instrumentation
- Frida as the tool of choice

Slide 4

Static analysis challenges
- Missing runtime context (CPU registers, stack, memory)
- Hard to follow the execution flow (obfuscation)
- Hard to follow the data flow (encryption)
- Hard to follow indirect function calls

Slide 5

Debugging challenges
- Anti-debugging tricks
- Data loss on every restart
- Execution flow may change under a debugger
- No easy way to hook or replace existing code

Slide 6

Dynamic instrumentation challenges
- Code disassembly is still missing
- High learning curve
- Usually requires writing a lot of code
- Hard to keep track of multiple things at a time

Slide 7

(image only, no text)

Slide 8

(image only, no text)

Slide 9

What is FRAPL?

FRAPL = Frida scripts + FridaLink

Slide 10

Frida Scripts
- Node.js client (attach, spawn, RPC, script loading)
- Node.js server script (RPC, GCD, iOS/macOS bindings)
- Wrappers for common operations (ObjC hooks etc.)
- Utility functions (memory dumps, logging)

Slide 11

FridaLink
- IDA plugin that implements UI controls for Frida
- Socket protocol between IDA and the Frida client (JSON)
- RPC protocol between the Frida client and server (JSON)
- FridaLink.js (Frida script)

Slide 12

FridaLink architecture (diagram only)
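The slides only say that IDA talks to the Frida client over a JSON socket. The code below is an added example of what that link needs on the client (Node.js) side and is not FridaLink's own code: the message shape ({id, cmd, args} requests answered by {id, ok, result|error}), newline framing and the handler names are all assumptions. The point it shows is that a TCP read can deliver half a JSON message or two at once, so frames have to be buffered and split before parsing, and that replies must carry the request id so asynchronous answers can be matched to the IDA action that issued them.

```javascript
// Added example, not FridaLink's protocol: newline-delimited JSON over a
// socket, with an incremental decoder and a request/reply dispatcher.

// TCP delivers arbitrary byte chunks, so accumulate until a newline and only
// then parse one complete frame.
function makeFrameDecoder(onMessage) {
  let pending = "";
  return function feed(chunk) {
    pending += chunk.toString("utf8");
    let nl;
    while ((nl = pending.indexOf("\n")) !== -1) {
      const line = pending.slice(0, nl);
      pending = pending.slice(nl + 1);
      if (line.trim() === "") continue;          // tolerate keep-alive blank lines
      onMessage(JSON.parse(line));
    }
  };
}

function encodeFrame(msg) {
  return JSON.stringify(msg) + "\n";
}

// Each request names a command; the reply echoes the request id so the IDA
// side can pair a reply with the UI action that sent it. Unknown commands and
// handler exceptions become error replies instead of killing the link.
function makeDispatcher(handlers) {
  return function dispatch(req) {
    const handler = handlers[req.cmd];
    if (!handler) return { id: req.id, ok: false, error: "unknown command: " + req.cmd };
    try {
      return { id: req.id, ok: true, result: handler(req.args || {}) };
    } catch (e) {
      return { id: req.id, ok: false, error: String(e.message || e) };
    }
  };
}

// Hypothetical handlers; in a real client these would forward to the Frida
// agent over its RPC channel.
const handlers = {
  hook_import: ({ module, name }) => ({ hooked: `${module}!${name}` }),
  read_mem:    ({ addr, size })   => ({ addr, bytes: "00".repeat(size) }),
};

// Constructed sample: three requests arriving in three TCP chunks whose
// boundaries fall in the middle of frames.
function runSample() {
  const replies = [];
  const dispatch = makeDispatcher(handlers);
  const feed = makeFrameDecoder(req => replies.push(dispatch(req)));
  const wire =
    encodeFrame({ id: 1, cmd: "hook_import", args: { module: "libSystem.B.dylib", name: "open" } }) +
    encodeFrame({ id: 2, cmd: "read_mem", args: { addr: "0x1000", size: 4 } }) +
    encodeFrame({ id: 3, cmd: "nope" });
  for (const c of [wire.slice(0, 30), wire.slice(30, 90), wire.slice(90)]) feed(Buffer.from(c));
  return replies;
}
```

Run it with node and inspect runSample(): the first two requests get ok replies even though their bytes were split across chunks, and the third gets an error reply with its id preserved.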

Slide 13

FridaLink goals
- Bring static analysis info from IDA to Frida
- Use dynamic info from Frida for IDA analysis
- Monitor runtime state directly from IDA
- Control the Frida agent directly from IDA

Slide 14

FridaLink features
- Function/instruction hooks made easy
- Function replacement made easy
- Module loading made easy
- Custom scripts support

Slide 15

FridaLink features (continued)
- CPU context monitoring
- Memory monitoring
- SQLite database support
- Helpers and project save/restore

Slide 16

(image only, no text)

Slide 17

FridaLink - Overall View (screenshot)

Slide 18

FridaLink - Hooks
- Instruction hooks
- Instruction breakpoints (hook with wait)
- IDB (local) function hooks
- Import function hooks

Slide 19

FridaLink - Function Replacement
- Replace an import function
- Replace a local function
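The two slides above list hook kinds and replacement without showing what the agent side looks like. Below is an added example of a minimal Frida agent covering an import hook, an IDB-local function hook and an import replacement; it is not FridaLink.js and makes these assumptions: the Frida 16-era JavaScript API (Interceptor, NativeCallback, NativeFunction, Process.getModuleByName, Thread.backtrace), that JSON-serialising a CpuContext yields register names mapped to hex strings, the event format sent to the client, and the int(pointer) signature of the replaced function. The one part that runs outside Frida, buildHookEvent, is the pure step that turns a captured context into the message the client would display as "CPU context"; the rest needs a target process.

```javascript
// Added example, not FridaLink.js: a small Frida agent for import hooks,
// IDB-local hooks and function replacement. Frida globals (Interceptor,
// Process, Thread, send, rpc) exist only when loaded by Frida; the file also
// loads under plain node so buildHookEvent can be exercised alone.

// Pure helper: CpuContext plus the first argCount arguments as a JSON-friendly
// event. Assumption: JSON.stringify(context) gives {pc, sp, x0 ...} hex strings.
function buildHookEvent(name, context, args, argCount) {
  const regs = JSON.parse(JSON.stringify(context));
  const argv = [];
  for (let i = 0; i < argCount; i++) argv.push(String(args[i]));
  return { type: "hook", name, pc: regs.pc, sp: regs.sp, regs, args: argv };
}

// Common hook body: capture context and a backtrace on entry, return value on
// exit, and ship both to the client with send().
function hookFunction(name, target, argCount) {
  Interceptor.attach(target, {
    onEnter(args) {
      const ev = buildHookEvent(name, this.context, args, argCount);
      // The backtrace is what lets the client work out which modules the
      // caller lives in (the "automatic module loading" on later slides).
      ev.backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE).map(String);
      send(ev);
    },
    onLeave(retval) {
      send({ type: "ret", name, retval: String(retval) });
    },
  });
}

// Import hook: resolve the export in the module that owns it.
function hookImport(moduleName, exportName, argCount) {
  const target = Process.getModuleByName(moduleName).getExportByName(exportName);
  hookFunction(`${moduleName}!${exportName}`, target, argCount);
}

// IDB-local hook: the IDA address is only an offset once ASLR has moved the
// module, so add it to the runtime base.
function hookLocal(moduleName, offset, argCount) {
  const target = Process.getModuleByName(moduleName).base.add(offset);
  hookFunction(`${moduleName}+0x${offset.toString(16)}`, target, argCount);
}

// Replacement: Interceptor.replace swaps in a NativeCallback; the original is
// still reachable through a NativeFunction on the same address (documented
// Frida pattern). Signature int(pointer) is an assumption for the demo.
function replaceWithConstant(moduleName, exportName, value) {
  const target = Process.getModuleByName(moduleName).getExportByName(exportName);
  const original = new NativeFunction(target, "int", ["pointer"]);
  Interceptor.replace(target, new NativeCallback(function (arg0) {
    const orig = original(arg0);
    send({ type: "replaced", name: exportName, arg0: String(arg0), original: orig, returned: value });
    return value;
  }, "int", ["pointer"]));
}

// Expose the operations to the client over Frida RPC when loaded by Frida.
if (typeof rpc !== "undefined") {
  rpc.exports = { hookImport, hookLocal, replaceWithConstant };
}
```

From the client, rpc.exports.hookImport("libSystem.B.dylib", "open", 2) and rpc.exports.hookLocal("Demo", 0x1f40, 1) are then plain RPC calls, and every hook fire arrives as a "hook" message carrying pc, sp, the full register set and a backtrace.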

Slide 20

FridaLink - Module Loading
- Automatic (on backtrace)
- Manual

Slide 21

FridaLink - Custom Scripts

Execute custom script dialog (screenshot)

Slide 22

FridaLink - CPU Context Monitoring

CPU context, stack and backtrace views (screenshot)

Slide 23

FridaLink - Memory Monitoring

Memory content view, "add new memory watchpoint" dialog, memory manager (screenshot)

Slide 24

FridaLink - SQLite Support

Set up DB, query execution, load script (screenshot)

Slide 25

FridaLink - Helpers and more

Address converter, FRAPL logs (screenshot)
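The address converter on this slide and the automatic module loading on slide 20 rest on the same arithmetic: an address in the IDB and the same code at runtime differ only by the module base, so converting keeps the offset and swaps the base. The block below is an added example of that conversion and of deriving "modules to load" from a backtrace; it is not FridaLink's helper. The module table and the backtrace are constructed (in FRAPL they would come from the agent), the IDB base of 0x100000000 is the usual link address of a macOS x86_64 main executable, and the names Demo and IDB_MODULE are placeholders.

```javascript
// Added example, not FridaLink code: IDB <-> runtime address conversion and
// module discovery from a backtrace. BigInt is used because runtime addresses
// on 64-bit targets exceed the 2^53 range of JavaScript numbers.

// Constructed runtime module table (what Process.enumerateModules() would
// report in the agent): name, base and size.
const RUNTIME_MODULES = [
  { name: "Demo",              base: "0x100a2c000",     size: 0x8000 },
  { name: "libSystem.B.dylib", base: "0x7fff6c1e0000",  size: 0x2000 },
  { name: "Foundation",        base: "0x7fff4a000000",  size: 0x400000 },
];

// The module opened in IDA and the image base it is analysed at. 0x100000000
// is the usual link address for a macOS x86_64 main executable.
const IDB_MODULE = "Demo";
const IDB_BASE = 0x100000000n;

function findModule(addr, modules = RUNTIME_MODULES) {
  const a = BigInt(addr);
  return modules.find(m => {
    const b = BigInt(m.base);
    return a >= b && a < b + BigInt(m.size);
  }) || null;
}

// IDB address -> runtime address: same offset, runtime base.
function idbToRuntime(idbAddr, modules = RUNTIME_MODULES) {
  const mod = modules.find(m => m.name === IDB_MODULE);
  if (!mod) throw new Error(`${IDB_MODULE} is not loaded in the target`);
  return "0x" + (BigInt(mod.base) + (BigInt(idbAddr) - IDB_BASE)).toString(16);
}

// Runtime address -> IDB address; null when the address is not inside the
// module IDA has open (a frame in libSystem cannot be shown in the Demo IDB).
function runtimeToIdb(rtAddr, modules = RUNTIME_MODULES) {
  const mod = findModule(rtAddr, modules);
  if (!mod || mod.name !== IDB_MODULE) return null;
  return "0x" + (IDB_BASE + (BigInt(rtAddr) - BigInt(mod.base))).toString(16);
}

// Symbolise a raw backtrace as module+offset and collect the other modules it
// touches; that list is what "automatic module loading on backtrace" offers
// to load into IDA. Frames outside every module (heap, JIT, garbage) are "??".
function symbolizeBacktrace(frames, modules = RUNTIME_MODULES) {
  const toLoad = new Set();
  const out = frames.map(f => {
    const mod = findModule(f, modules);
    if (!mod) return { addr: f, symbol: "??", idb: null };
    const off = BigInt(f) - BigInt(mod.base);
    if (mod.name !== IDB_MODULE) toLoad.add(mod.name);
    return { addr: f, symbol: `${mod.name}+0x${off.toString(16)}`, idb: runtimeToIdb(f, modules) };
  });
  return { frames: out, modulesToLoad: [...toLoad] };
}
```

With the constructed table, idbToRuntime("0x100001f40") gives 0x100a2df40, and a backtrace of [0x100a2df40, 0x7fff6c1e0123, 0x7fff4a001000, 0x41414141] symbolises to Demo+0x1f40, libSystem.B.dylib+0x123, Foundation+0x1000 and ??, with libSystem.B.dylib and Foundation reported as the modules to load.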

Slide 26

Getting Started
1. Load FridaLink.py into IDA
2. Create a project using create_project.sh
3. Run the client with node

Slide 27

macOS Application Demo

Slide 28

iOS Application Demo

Slide 29

(image only, no text)

Slide 30

eta son
https://github.com/FriedAppleTeam

Slide 31

Future plans
- Kernel support
- Windows support?
- Android support?
- Hack the planet!

Slide 32

@getorix @mbazaliy
Special thanks to @in7egral

Questions