FRAPL - Next Generation Reverse Engineering Framework

Transcript

1. October 22-23, 2016 1 2 3 4 5 6 7

   8 9 10 11 12 FRAPL Max Bazaliy Next Generation Reverse Engineering Framework Alex Hude

2. October 22-23, 2016 Who we are 1 2 3 4

   5 6 7 8 9 10 11 12 Alex Hude o Melbourne, Australia o BlackmagicDesign o Hardware, XNU o Fried Apple team Max Bazaliy o Kyiv, Ukraine o Lookout o XNU, Linux, LLVM o Fried Apple team

3. October 22-23, 2016 Modern Reverse Engineering 1 2 3 4

   5 6 7 8 9 10 11 12 Static approach o Disassemblers o Code analyzers o Decompilers o IDA as a choice Dynamic approach o Debuggers o Dynamic analyzers o Code instrumentation o Frida as a choice

4. October 22-23, 2016 Static analysis challenges 1 2 3 4

   5 6 7 8 9 10 11 12 o Missed context (CPU registers, stack, memory) o Hard to follow code execution flow (obfuscation) o Hard to follow data flow (encryption) o Hard to follow indirect function calls

5. October 22-23, 2016 Debugging challenges 1 2 3 4 5

   6 7 8 9 10 11 12 o Anti debugging tricks o Data loss during restarts o Execution flow may be changed under debugging o No way to hook/replace existing code easily

6. October 22-23, 2016 Dynamic instrumentation challenges 1 2 3 4

   5 6 7 8 9 10 11 12 o Code disassembly still missed o High learning curve o Usually requires to write a lot of code o Hard to maintain multiple things at a time

7. October 22-23, 2016 1 2 3 4 5 6 7

   8 9 10 11 12

8. October 22-23, 2016 1 2 3 4 5 6 7

   8 9 10 11 12

9. October 22-23, 2016 What is FRAPL ? 1 2 3

   4 5 6 7 8 9 10 11 12 FRAPL = Fridascripts + FridaLink

10. October 22-23, 2016 Frida Scripts 1 2 3 4 5

    6 7 8 9 10 11 12 o Node.jsclient (attach, spawn, RPC, script loading) o Node.jsserver script (RPC, GCD, iOS/macOSbindings) o Common operations wrappers (objchooks etc) o Utility functions (memory dumps, logging)

11. October 22-23, 2016 FridaLink 1 2 3 4 5 6

    7 8 9 10 11 12 o IDA plugin that implements UI controls to Frida o Socket protocol between IDA & Frida Client (JSON) o RPC protocol for between Frida Client & Server (JSON) o FridaLink.js(Frida script)

12. October 22-23, 2016 FridaLinkarchitecture 1 2 3 4 5 6

    7 8 9 10 11 12

13. October 22-23, 2016 FridaLinkgoals 13 14 15 16 17 18

    19 20 21 22 23 o Bring static analysis info from IDA to Frida o Use dynamic info from Frida for IDA analysis o Monitor runtime state directly from IDA o Control Frida agent directly from IDA

14. October 22-23, 2016 FridaLinkfeatures 13 14 15 16 17 18

    19 20 21 22 23 o Function/instruction hooks made easy o Function replacement made easy o Module loading made easy o Custom scripts support

15. October 22-23, 2016 FridaLinkfeatures 13 14 15 16 17 18

    19 20 21 22 23 o CPU context monitoring o Memory monitoring o SQLite database support o Helpers and project save/restore

16. October 22-23, 2016 13 14 15 16 17 18 19

    20 21 22 23

17. October 22-23, 2016 FridaLink-Overall View 13 14 15 16 17

    18 19 20 21 22 23

18. October 22-23, 2016 FridaLink–Hooks 13 14 15 16 17 18

    19 20 21 22 23 o Instruction hooks o Instruction breakpoints (hook with wait) o IDB (local) function hooks o Import function hooks

19. October 22-23, 2016 FridaLink–Function Replacement 13 14 15 16 17

    18 19 20 21 22 23 Replace Import function Replace local function

20. October 22-23, 2016 FridaLink–Module Loading 13 14 15 16 17

    18 19 20 21 22 23 o Automatic (on backtrace) o Manual

21. October 22-23, 2016 FridaLink–Custom Scripts 13 14 15 16 17

    18 19 20 21 22 23 Execute custom script dialog

22. October 22-23, 2016 FridaLink–CPU Context Monitoring 13 14 15 16

    17 18 19 20 21 22 23 CPU context Stack Backtrace

23. October 22-23, 2016 FridaLink–Memory Monitoring 13 14 15 16 17

    18 19 20 21 22 23 Memory content Add new memory watchpoint Memory manger

24. October 22-23, 2016 FridaLink–SQLite Support 24 25 26 27 28

    29 30 31 32 33 34 Set up DB Query execution Load script

25. October 22-23, 2016 FridaLink–Helpers and more 24 25 26 27

    28 29 30 31 32 33 34 Address converter FRAPL logs

26. October 22-23, 2016 Getting Started 24 25 26 27 28

    29 30 31 32 33 34 1. Load FridaLink.pyinto IDA 2. Create project using create_project.sh 3. Run client with node

27. October 22-23, 2016 macOSApplication Demo 24 25 26 27 28

    29 30 31 32 33 34

28. October 22-23, 2016 iOS Application Demo 24 25 26 27

    28 29 30 31 32 33 34

29. October 22-23, 2016 24 25 26 27 28 29 30

    31 32 33 34

30. October 22-23, 2016 24 25 26 27 28 29 30

    31 32 33 34 eta son https://github.com/FriedAppleTeam

31. October 22-23, 2016 Future plans 24 25 26 27 28

    29 30 31 32 33 34 o Kernel support o Windows support ? o Android support ? o Hack the planet!

32. October 22-23, 2016 @getorix @mbazaliy 24 25 26 27 28

    29 30 31 32 33 34 special thanks to @in7egral Questions