Dynamic Machine Code Transformations

taking r2frida to the next level

Stalker: a code-tracer

Design goal #1:
avoid context-switches

Design goal #2:
identical side-effects

Design goal #3:
high granularity

Demo

But then some weeks before r2con

CodeWriter APIs

(demo)

Which lead to

(demo)

How it works

@0x7f000:
mov eax, 42
prolog()
resume_at = compile(0x1234)
epilog()
jmp [resume_at]

@0x1000:
mov eax, 42
jmp 0x1234

@0x1000:
mov eax, 42
jmp 0x1234

@0x7f000:
mov eax, 42
prolog()
resume_at = compile(0x1234)
epilog()
jmp [resume_at]

@0x1234:
divsd xmm0, xmm1
movsd [rcx], xmm0

call 0x2000

@0x7f100:
divsd xmm0, xmm1
movsd [rcx], xmm0
prolog()
resume_at = compile(0x2000)
epilog()
push_original_retaddr()
jmp [resume_at]

@0x1000:
mov eax, 42
jmp 0x1234

@0x7f000:
mov eax, 42
jmp 0x7f100

@0x1234:
divsd xmm0, xmm1
movsd [rcx], xmm0

call 0x2000

@0x7f100:
divsd xmm0, xmm1
movsd [rcx], xmm0
prolog()
resume_at = compile(0x2000)
epilog()

push_original_retaddr()
jmp [resume_at]

Thanks!

By Ole André Vadla Ravnås

Creator of Frida. Security Researcher at NowSecure. Polyglot hacker passionate about reverse-engineering and dynamic instrumentation.