[ New Tool ] Frida


oleavr
June 28th, 2014, 10:45
I'm the maintainer of Frida, an open source instrumentation toolkit for Windows, Mac, Linux, iOS and Android. The goal is to build the ultimate dynamic instrumentation engine for user-space, so developers can focus on building tools and not get lost in code injection, function hooking, instruction parsing, etc.

Website: http://www.frida.re/
Source code: http://github.com/frida

Its core is written in C and available through multiple language-bindings, like Python, C#, Qml, etc. It can be linked in statically and has no external runtime dependencies, making it easy to build relocatable standalone tools.

Here's a tutorial I wrote that shows how Frida and Qml can be used to build an interactive instrumentation tool in a few minutes:
Build a debugger in 5 minutes

BR,

Aimless
June 28th, 2014, 23:01
I took a look at the website and the intent seems good. I kind of got lost in the Linux and scripting focus, but let that not detract you from the fact that you are doing a great service by making tools and sharing them with the RCE community. Now I believe the best way to learn a new tool is to actually use it in action.

So, I would like you to advise me on HOW TO DO the following 4 things with actual examples and scripts:

1) Take a simple example of notepad.exe. This little gem is used for practicing the release of new tools by myself and this one is no different. What I want to do here is for FRIDA to run (you let me know how) and enumerate all functions and/or locations that they are called from. In simple terms, all functions in Notepad.exe that are found when disassembled in IDA, but only the ones that are executed when they are run. It's a cheap form of function instrumentation, but knowing how I can do that in Frida will help me understand how to make more complex queries. Is there a way to record and ignore a function? For example, a function in the window loop may be executed endlessly. To avoid that function appearing 100s of times, can we just say let it appear once, then ignore it the rest of the times it appears?

2) See point no. 1. Now the second question is, notepad.exe calls multiple DLLs (user32.dll, gdi32.dll, etc). Is there a way to configure FRIDA (you tell me how) to not only record and display functions in notepad.exe, but also functions in these DLLs? Please note that in point 1 and point 2, I am not looking at exported functions - they can well be instrumented with other software - but I am looking for native functions (what we call SUB_XXXXXXXX in IDA). Also, let me know IF FRIDA will hook functions in Notepad.exe and the DLLs it calls at the beginning of execution? If so, what happens to delayed-load DLLs which may NOT be mentioned in the import tables initially?

3) When we look at compressed and encrypted exes (both are different), there are generally no major functions defined. In this case, if FRIDA is attaching before the execution, how can it record the functions that have been executed (again, local functions, not Exported/Imported functions)?

4) Can we decide to record ONLY functions in their sequence of execution in Notepad.exe? Or can we also record line-by-line disassembly of the execution? Much like what IDA and Olly provide?

Once again, it's nice of you to release the same. Remember, you will have to give the example of how you do these things to 4 points above in WINDOWS. So no sudo, no grep, no cat, no nothing. And yes, no cygwin either.

Have Phun

blabberer
June 29th, 2014, 02:19
@ Ole André V. Ravnås

Thanks for posting, and welcome here, and a very big thanks for the effort in creating and publishing a free tool to the community.

I had seen your post on openrce a long time back, and I had also seen the "make a debugger in 5 minutes" tut far earlier than your post here (iirc someone posted a link to the tut on reddit). Nice tutorial, but to be frank I couldn't follow, or rather I didn't follow up, because I couldn't relate to QML and a few other things (I might if it becomes necessary, but I am win-addicted by habit).

So though I have no problems with cat grep head tail wc awk sed, I would also like to see something that is easily relatable for a windows addict.

For example, the curiosity of Aimless could be whetted with a windbg script similar to this:

Code:

C:\>dir /b *filt*
filtnote.txt
unfiltnote.txt

C:\>cat filtnote.txt unfiltnote.txt
.logopen c:\\filtnotelog.txt
g notepad!WinMainCRTStartup ;
.prompt_allow -reg -src -sym ;
.step_filter "ntdll!*;"
tc 30

.logopen c:\\unfiltnotelog.txt
g notepad!WinMainCRTStartup ;
.prompt_allow -reg -src -sym ;
tc 30

C:\>windbg -Q -c "$$>a< c:\\filtnote.txt" notepad.exe

C:\>windbg -Q -c "$$>a< c:\\unfiltnote.txt" notepad.exe

C:\>dir /b *filt*
filtnote.txt
filtnotelog.txt
unfiltnote.txt
unfiltnotelog.txt

C:\>


WinMerging the logs (attached screenshot)

oleavr
June 29th, 2014, 08:36
@Aimless @blabberer Thanks a lot for your feedback – much appreciated!

Those are very good questions. Would you mind answers as a minimal WPF/C# GUI application, or is there another technology in particular you think would be a good fit to demo Frida on Windows?

Frida should obviously provide some more useful example tools, and that's where I'm hoping we could eventually start a community effort to create a whole suite of tools designed for reversers. As you pointed out, I realize using Qml for my tutorial wasn't the best idea, because it means most readers are introduced to two new things (Frida and Qml) instead of just one. So I have a feeling that platform-specific tutorials showing how to tackle familiar challenges are very much needed. Then for those wanting to take that one step further and build cross-platform tools, Qml could be one possible route once there.

Aimless
June 29th, 2014, 11:22
A simple example, for Point 1, should be good for starters. No need of creating an application. Just give a script that works the same. Much like what blabberer explained, only his is on Windbg. But explain it from the start. Assuming I have a Windows machine, start from going to the website and downloading whatever is needed, up to opening the log file that will have the necessary functions.

Screenshots, if possible.

Then, we can think about Points 2-4.

Have Phun

oleavr
June 29th, 2014, 11:32
I'm afraid it will have to be an application, because Frida is only a library. It does have some tools built on the library, but they're not yet advanced enough to demonstrate point 1, even if the library supports such a use-case. I'll keep you posted. This should be fun.

blabberer
June 29th, 2014, 15:36
@oleavr

Also, win-addicts don't download sources; they mostly look for a precompiled binary that is blindly double-clickable.

So I thought I would download something and spin it.

Read the documentation page on the site, saw a link to some precompiled binary, followed it and landed here:

http://ospy.org/frida/windows/Win32-Release/

Now this page doesn't have an installer or a single package that is downloadable straight, nor does it contain a readme telling me downloading x is ok for os y.

So I did what I do most of the time:

wget -c -mirror -np <url> and ended up downloading the bin and lib folders, deleted all the index.html and .pdbs and was left with the following stuff:

Code:

file                 size (bytes)   MD5
gumpp.exp                   2,638   B234E9E4132F64FED0BAFAE9F95F462F
gumpp.lib                   4,834   86194BDBCBA995DF47DA015A638FBB7A
Frida.dll.metagen           5,540   82DF1A02781C36534FDC7B4AB57A1180
_frida.pyd              1,112,730   4F4E0D1326ECD0FE56F75A165B657E2D
gumpp.dll               5,678,592   848FEBF0DF2B69149C8625C5AD5E2CF0
Frida.dll              27,415,552   4B68B9CB0B3DACB72A4F2743CC04312D
frida-server.exe       27,425,280   E727FEEE3F94B2FBD5927BF008167484
_frida.pyd             27,502,080   9F76D7979B7DB7241D919E965976AA20
npfrida.dll            27,529,728   6629347C7CE388BE408F35A5CDD15CF2

Now this exe doesn't seem to run in the vm to which I downloaded it (winxp-sp3 on vpc 2007).

(Is winxp supported? Is there an MD5 etc hash to confirm the download is not corrupt?) If the MD5 pasted above is correct, any ideas why frida-server.exe doesn't even want to run and says not a valid win32 application?

edit:

So I loaded the frida.dll in ollydbg to look at it and it requires msvcrt120.dll (visual studio 2013 compiled dll???)

oleavr
June 29th, 2014, 15:53
Files look perfect. (Frida could really need some proper packaging though, and an auto-generated list of md5sums!) The reason it doesn't run is because I dropped XP support when upgrading to VS2013. Do you think it's worth supporting XP? Frida doesn't currently make use of any features beyond XP, it was just a question of using the modern VS toolchain vs the legacy one.

blabberer
June 29th, 2014, 16:09
I don't know if it is worth supporting xp; I tend to use it because it is easy to use (no elevated whatever, no digi sign discos, no test signs, no patchguard, softice runs in it, mature plugins for ollydbg, no bcdedit for kernel debugging with windbg, and a few other reasons).

iirc even visual studio 2013 is capable of supporting building for a legacy os (I recently saw some pages on msdn where the win8.1 wdk and visual studio 2013 combination could be used for old-style sources building, not employing vcxprojects). Maybe you should take a look at recent osronline ntdev lists.

oleavr
June 29th, 2014, 16:19
That looks like some good reasons to me. It should be pretty straight-forward, just a matter of changing from the "v120" toolchain to "v120_xp". The cumbersome part is rebuilding Frida's SDK (its prebuilt dependencies). My spare-time isn't so ample these days, but I'll try to fit it into an evening this week.

blabberer
June 29th, 2014, 16:26
I downloaded the src zip (not gitting the clone) and it seems it is empty? Only the releng folder contains something, including a wget binary.

Is it updated?

btw, using "reply to thread" instead of "reply with quote" should eliminate unnecessary duplication of content.


Code:

C:\Documents and Settings\Admin\Desktop\frida-master>tree /a /f
Folder PATH listing

C:.
| frida-master.zip
|
\---frida-master
| .gitignore
| .gitmodules
| COPYING
| frida.sln
| Makefile
| Makefile.linux.mk
| Makefile.mac.mk
| Makefile.sdk.mk
| README.md
|
+---capstone
+---frida-clr
+---frida-core
+---frida-gum
+---frida-npapi
+---frida-python
+---frida-qml
+---releng
| | common.mk
| | config.site.in
| | frida-builddeps.vcxproj
| | frida-builddeps.vcxproj.filters
| | frida-Debug.props
| | frida-Release.props
| | frida.props
| | release.py
| | relocatify.sh
| | setup-env.sh
| | wget.exe
| | windows-sdk.txt
| | windows-toolchain.txt
| |
| \---patches
| binutils-android.patch
| libiconv-android.patch
|
\---udis86

C:\Documents and Settings\Admin\Desktop\frida-master>

oleavr
June 29th, 2014, 16:47
(Oops, sorry about the quote spam!)

The "frida" module makes use of git submodules, so I'm afraid you'll have to git clone it:

Code:

git clone https://github.com/frida/frida.git
cd frida
git submodule init
git submodule update


You will also need to have Python 2.7 installed if you want to build it (doesn't have to be in PATH, but ".py" extension needs to be registered).

blabberer
June 29th, 2014, 16:58
Well, git will not work in xp I am afraid; zip is universal.

I just hacked the vcxproj file in the releng folder to employ a vc 2010 express vcxproj.

Quote:

------ Build started: Project: frida-builddeps, Configuration: Debug Win32 ------
C:\Documents and Settings\Admin\Desktop\frida-master\frida-master\releng\..\build\sdk-windows.exe: No such file or directory
Checking SDK
C:\Program Files\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppCommon.targets(151,5): error MSB6006: "cmd.exe" exited with code 1.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

oleavr
June 29th, 2014, 17:09
Oh, http://msysgit.github.io/ dropped support for XP also?

I wouldn't recommend hacking the project files as the SDK that frida-builddeps downloads has been built with VS2013, and building the SDK takes a lot more work to get building with VS < 2013. The VS2013 Express edition should work fine though.

blabberer
June 29th, 2014, 17:54
Ok, so it all boils down to an os upgrade; visual 2013 won't work on xp as it needs .net 4.5 (even windbg > 6.2.9200 won't install in xp solely because the installer uses some .net 4.5 blah blah, and what it installs has no problems working on xp).

Quote:

I wouldn't recommend hacking the project files as the SDK that frida-builddeps downloads has been built with VS2013,


I see, so even if I wget and expand it, it is not going to work. Well, will wait till I get an xp drop or will try in win7 when I find time. Thanks.


Code:

------ Build started: Project: frida-builddeps, Configuration: Debug Win32 ------
C:\Program Files\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppCommon.targets(151,5): warning MSB8015: Forcing a rebuild of all source files due to the contents of "C:\Documents and Settings\Admin\Desktop\frida-master\frida-master\releng\build\tmp-windows\Win32-Debug\frida-builddeps\custombuild.command.1.tlog" being invalid.
--03:52:34-- http://build.frida.re:80/sdk-20140511-windows-any.exe
=> `C:\Documents and Settings\Admin\Desktop\frida-master\frida-master\releng\..\build\sdk-windows.exe'
Connecting to build.frida.re:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 83,658,700 [application/octet-stream]

Checking SDK
0K -> .....
C:\Program Files\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppCommon.targets(151,5): error MSB6006: "cmd.exe" exited with code 1.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========


oleavr
June 29th, 2014, 18:00
@blabberer Yes, sorry

oleavr
June 29th, 2014, 18:08
@Aimless @blabberer

By the way, here's an example C# app that spawns "notepad.exe" and traces the main thread from its first instruction:

http://build.frida.re/frida/windows/examples/Stalker-20140630-bin.exe
(Requires .NET 4.5 to run. Note that I put "agent.js", which is the script injected into "notepad.exe", next to the binary to make it easy to edit, but this could obviously be baked into the binary.)

http://build.frida.re/frida/windows/examples/Stalker-20140630-src.exe
(Requires VS2013 to compile, no external dependencies.)

It was done very quickly so it's still a bit rough, though I hope it sheds some light on how to use Frida for 1). Have a look at the JS API docs at http://www.frida.re/docs/javascript-api/ to understand how "agent.js" works - and especially the "Stalker" section. Note that I used onCallSummary for simplicity, so the function calls made are unordered. You could imagine using this on an app where you exercise different parts of its logic and see which new functions are involved.

PS: "notepad.exe" seems to get into some kind of waiting state before its GUI is shown. Needs investigation.
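
As an added example, not code from this thread or from the Frida project, here is what an "agent.js" for point 1 can look like when written against the Stalker API as documented at frida.re (Stalker.follow with events.call and onCallSummary, the calls the post above refers to). It answers the "let it appear once, then ignore it" request: each call target is reported the first time a summary contains it, with a running hit count kept for inspection, and targets are rendered module-relative so notepad.exe's own sub_XXXX functions and those inside user32.dll and friends are both covered. The phase label and the {type: 'phase', name: ...} message shape are this example's own convention; the bookkeeping functions are plain JavaScript and also run under Node, while the Frida-specific wiring at the bottom only executes when the Stalker global exists.

```javascript
// Added example (not the thread's or Frida's own code): Stalker-based
// first-seen call tracing for a target such as notepad.exe.
// Written against the documented Frida JS API: Stalker.follow(threadId,
// { events: { call: true }, onCallSummary }), Process.enumerateModules(),
// Process.enumerateThreads(), Process.getCurrentThreadId(), send(), recv().

// Module table entries: { name, base, size } with base as a "0x..." string
// (what NativePointer.toString() yields in Frida). Outside Frida a caller
// passes a constructed table of the same shape.
function buildModuleTable(modules) {
  return modules.map(m => ({
    name: m.name,
    base: BigInt(m.base),
    end: BigInt(m.base) + BigInt(m.size),
  }));
}

// Render a call target as "module+0xoffset" (the sub_XXXX view IDA users
// expect, relative to the module so ASLR does not matter), or as the raw
// address when no module covers it (trampolines, JIT stubs, etc.).
function describeTarget(addr, table) {
  const a = BigInt(addr);
  for (const m of table) {
    if (a >= m.base && a < m.end) {
      return `${m.name}+0x${(a - m.base).toString(16)}`;
    }
  }
  return `0x${a.toString(16)}`;
}

// Tracking state: total hits per target, plus a label for the part of the
// app currently being exercised, so that "which new functions appear when I
// use feature X" can be read straight off the reports.
function newState(phase = 'startup') {
  return { counts: new Map(), phase };
}

// Fold one onCallSummary object ({ "0xaddr": hits, ... }) into `state` and
// return descriptions of the targets not seen in any earlier summary.
function recordSummary(state, summary, table) {
  const fresh = [];
  for (const [addr, hits] of Object.entries(summary)) {
    const key = BigInt(addr).toString(16); // normalises "0x401000" vs "0x00401000"
    const prev = state.counts.get(key) || 0;
    if (prev === 0) fresh.push(describeTarget(addr, table));
    state.counts.set(key, prev + hits);
  }
  return fresh;
}

// Total number of calls to a target so far (0 if never seen).
function hitCount(state, addr) {
  return state.counts.get(BigInt(addr).toString(16)) || 0;
}

// Frida-only wiring: runs when injected into the target, skipped under Node.
if (typeof Stalker !== 'undefined') {
  const table = buildModuleTable(Process.enumerateModules().map(m => ({
    name: m.name, base: m.base.toString(), size: m.size,
  })));
  const state = newState();

  // Let the controlling program relabel the phase ("menu", "file-open", ...).
  // recv() is one-shot in Frida, so the handler re-registers itself.
  recv('phase', function onPhase(msg) {
    state.phase = msg.name; // message shape is this example's own convention
    recv('phase', onPhase);
  });

  // Follow every thread except the script's own. In a process that was
  // spawned and is still suspended that is just the main thread, so tracing
  // starts from its first instruction once the process is resumed.
  const self = Process.getCurrentThreadId();
  for (const t of Process.enumerateThreads()) {
    if (t.id === self) continue;
    Stalker.follow(t.id, {
      events: { call: true },
      onCallSummary(summary) {
        const fresh = recordSummary(state, summary, table);
        if (fresh.length > 0) send({ phase: state.phase, targets: fresh });
      },
    });
  }
}
```

On the host side, the C# app (or Frida's Python binding) receives each send() payload through the script's message callback and only ever sees a function the first time it ran; with the Python binding, script.post({'type': 'phase', 'name': 'file-open'}) relabels the reports that follow before the next feature is exercised. Because onCallSummary batches calls, the order within one report is not the execution order, as the post notes.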

Aimless
June 30th, 2014, 02:24
I don't think I can be convinced to use this. It's all in - how would you put it - "Quid Infernum?" territory right now. Read that as too much of a work-in-progress.

If there is a problem in delivering what I was asking for, a simple example from downloading to the result, it's probably not ready for simplistic folks like me. Of course, for Linux/Unix grandmasters like blabberer (love you blabberer!! you should teach me Windebug) it could be child's play.

So I'll wait till it matures. Or till you can think up a simple example.

I don't want to install Visual Studio <whatever version> just so that I can crack an app, directly or indirectly.

But like I said before, I think I would be the exception. There would be people who would find this immensely useful. A nod of the hat to you for creating and distributing a free tool. Kudos for that.

Me? I think I'll go back to IDA.

Have Phun

oleavr
September 11th, 2014, 17:59
Replying way late here, I had a long digression while thinking about this.

One thing I realized that I probably didn't make very clear, is that Frida isn't meant to replace IDA or other tools. It's only meant to complement them by giving you building blocks from which you're meant to build your own tools for the task at hand. So yeah, a bit niche. On another note, you might be interested in a new tool that I'm hacking on:

https://github.com/frida/cryptoshark

Cheers!