Can we do fault injection at the socket API level?
Let's add a testing API to an existing application without modifying it
1) We are the developers of Quake. Can we make it expose an API for testing?
2) Let's make it expose a REST API.
3) Let's expose health and ammo.
    #define MAX_CL_STATS 32
    #define STAT_HEALTH 0
    …
    #define STAT_SHELLS 6
    #define STAT_NAILS 7
    #define STAT_ROCKETS 8
    …
    typedef struct
    {
        int movemessages;
        usercmd_t cmd;
        int stats[MAX_CL_STATS];
        …
    } client_state_t;
    …
    extern client_state_t cl;
4) Let's do that on the right thread.
5) How about POST /attack?
6) Can I have a Python API instead?
Can we detect memory leaks in C/C++ code?
1) Let's try Gum::SanityChecker.
2) Can we have backtraces, too?
3) Backtraces are expensive, can we collect them for a subset only?
Other use-cases:
Twitter: @oleavr @fridadotre
Please drop by https://t.me/fridadotre
(or #frida on FreeNode)
By Ole André Vadla Ravnås
Creator of Frida. Security Researcher at NowSecure. Polyglot hacker passionate about reverse-engineering and dynamic instrumentation.