Merging Static and Dynamic Analysis with R2Frida Plugins

© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
OSS TOOLS: CREATING A
REVERSE ENGINEERING
PLUGIN FOR R2FRIDA
Merging the power of static & dynamic analysis

© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
ALL THINGS MOBILE DEVSECOPS
Subscribe Here
https://www.nowsecure.com/go/subscribe/
Semi-monthly Newsletter
Delivered 1st & 3rd Wednesdays of the month
Resources for the Mobile DevSecOps journey

ASK A QUESTION ANY TIME
Use the “Ask a Question” tab below the slides

NOWSECURE COMPANY INNOVATION TIMELINE
NowSecure Sponsorship
of OSS FRIDA & RADARE
(2015)
Launch NowSecure INTEL
for Production AppStore
Monitoring (2018)
Launch NowSecure Workstation
Complete Analyst Mobile
AppSec Testing Kit (2015)
ViaForensics
Founded (2009)
Launch Mobile Forensic
Analysis Services (2010)
Launch Mobile App Pen
Testing Services (2012)
NowSecure Series A
& Company Rename
(2014)
Launch NowSecure AUTO for
Shift Left CI/CD-integrated
Mobile AppSec Testing (2017)
Publish Books “Android Forensics”
& “iOS Forensics” (2011)
NOWSECURE MISSION: Saving the World from Unsafe Mobile Apps

On a scale of 1 to 5, rate your level of knowledge of mobile app security.
1. beginner
2. novice
3. intermediate
4. advanced
5. expert
POLL #1

AGENDA
INTRODUCTION
WHAT IS R2 & FRIDA?
WHAT’S NEW IN R2 & FRIDA?
WHAT IS R2FRIDA?
EXTENDING R2FRIDA WITH PLUGINS
Q&A
MODERATOR
BRIAN REED
CMO, NOWSECURE
SERGI ALVAREZ I CAPILLA
AUTHOR OF RADARE2
SPEAKER

WHO AM I?
▪ My name is Sergi Àlvarez i Capilla
▪ But most people know me as pancake
▪ Author of radare2, r2frida, applesign,
fsmon, valabind, acr, 0xFFFF, and many,
many other open source tools out there.
▪ Senior Mobile Security Research Engineer
▪ Working at NowSecure
▪ Spend my time building new tools and ﬁnd
new ways to improve our products that make
safer Mobile apps.

On a scale of 1 to 5, rate your level of experience with r2.
1. beginner
2. novice
3. intermediate
4. advanced
5. expert
POLL #2

WHAT’S R2?
▪ 13yo OpenSource RE framework (tools + apis)
▪ It started as a simple hexadecimal editor for forensics.
▪ Quickly evolved, adding support for analysis,
disassembling, debugging, emulation, ...
▪ Cover many topics related to computer security:
▪ Exploiting, fuzzing, cracking, SRE, forensics..
▪ It’s written in C: small, fast and portable
▪ Easy to script with an expressive commandline shell
▪ Can be extended with plugins written in native or
dynamic languages

On a scale of 1 to 5, rate your level of experience with Frida.
1. beginner
2. novice
3. intermediate
4. advanced
5. expert
POLL #3

WHAT’S FRIDA?
Dynamic instrumentation toolkit written by my colleague Ole André
▪ Written in C with bindings for JavaScript and Python
▪ It’s the best introspection tooling for iOS and Android
▪ Injects an egg with a JS interpreter into the target process.
▪ At this point you can instrument the entire process with js
▪ Provides APIs to read/write memory, list symbols, add traces, ..
▪ Modify the behaviour or trace protocols, APIs, behaviours, ..

WHAT’S NEW IN R2 AND FRIDA?
There are ~500 commits/month in r2,
▪ So it’s hard to describe all the
improvements and new features in
a single slide.
Both projects have a solid userbase
and the main development focus is on
improving the core, cleanup/ refactor,
and improve usability.
▪ Frida
▪ Crashlog retrieval for iOS/Android
▪ Shorter APIs and more OO
▪ New Kernel APIs for tfp0
▪ ChromeDev tools
▪ Radare2
▪ Better graphs + navigation
▪ Improved Code and type analysis
▪ Performance improvements

WHAT’S R2FRIDA?
IO plugin for radare2 that uses Frida as backend.
Extends the scripting and static analysis capabilities of r2 with all the dynamic
analysis, code injection and tracing facilities of Frida.
▪ Works seamlessly on iOS, Android, macOS, Linux and Windows.
▪ Read/Write remote process memory from r2
▪ Type short commands instead of writing code
▪ Also can access remote ﬁlesystems

R2FRIDA OVERVIEW
▪ Radare2 runs in host
▪ r2frida is an r2 plugin that links
against the Frida SDK
▪ Spawn/attach local/remote
processes.
▪ Extend agent commands with plugins
▪ Frida-Server runs in the device
▪ Provides Interface to talk to inspect
processes and attach from host.
▪ End to end r2pipe
▪ r2frida commands mimic r2 ones
▪ Handle sync and async

WHAT’S NEW IN R2FRIDA v3.4
▪ New URI handler schema
▪ frida://usb/deviceid/spawn/appname
▪ Improved trace-logs support
▪ Trace logs are now cached and accessible via dtl
▪ All traces generate a JSON message sent to host for later postprocessing
▪ Trace-logs have counters, timestamp, module name, symbol name, address, ...
▪ Binary information listed depends on the current seek
▪ Added command to get the entrypoint of the program
▪ Fuzzy resolution of objc methods by using the objc: prefix
▪ Support remote FileSystems on all unix targets
▪ Retrieve crashlog message from device (ios + android only)
▪ Improved support for Android tracing and return injection
▪ Faster addr2name and name2addr resolutions
▪ Safer pointer/data auto-identification with isObjC and such
▪ Resolve thread and file descriptor names

SIMPLE R2FRIDA EXAMPLE DEMO
Attach to a running while hello world program and change the program behaviour at runtime

EXTENDING R2FRIDA WITH PLUGINS
R2 can interpret scripts in several languages, interact with r2 via r2pipe.
▪ Use r2pipe to script anything in r2frida from Rust, Python, Ruby, NodeJS, Java, ...
Run Frida oneliners (or run a js ﬁle in the agent) from the r2 shell
▪ Useful for small stuﬀ, but kind of annoying for large code snippets
The R2Frida plugin API can extend the r2frida commands
▪ Load/Unload and List those plugins
▪ Loaded in the agent side and fully compatible with Frida scripts
▪ Allows to run r2 commands from the agent side
▪ r2frida global object to access trace logs or register new commands

HELLO WORLD PLUGIN EXAMPLE
Basic plugin example looks like this:

What else can be interesting for the analyst to have in r2frida?
▪ UI interaction commands
▪ Cookie tracing and curlification of http traffic
▪ Use your own custom trace hooks
▪ Integration with Frida CodeShare
▪ Web interface on top of the internal r2’s http webserver
▪ Expose a fake filesystem to the process
▪ Bypass anti-debugging or authentication protections
▪ OS-specific features
BEYOND THE HELLO WORLD

CREATING THE PLUGIN
Open your favourite editor and create this hookurl.js

RUNNING THE PLUGIN
The ‘urls’ command will show all the URLs captured from the NSURL traces

EXTRACTING URLS FROM LOGS

By typing:
▪ dtf objc:NSURL.^URLWithString:$ ooo
We get noisy messages with the trace information
▪ e hook.verbose=false
We can list the trace
▪ dtlj~{}
And ﬁnally get the QR codes with the plugin:
▪ .hookurl qrs
TRACING NSURL INTO QR CODES

BACKTRACE GRAPHS
hookurls btgraph

REMOTE FILESYSTEM ACCESS DEMO
▪ IO plugins can expose commands to support mounting remote
ﬁlesystems and accessible via the ‘m’ command
▪ ‘mo’ command will open a remote ﬁle in memory for local analysis

WEBUI AND R2PIPE
With r2frida, it is also possible to use any r2pipe script or the Web browser
with your custom interface to automate Frida and r2 at the same time.

FINAL WORDS
▪ Radare2 and Frida are powerful open source tools
▪ They provide many ways to extend them and integrate with other tools
▪ R2frida is also open-source and combines the power of both
▪ Bring the state of the art in Reverse Engineering Mobile to the analyst
▪ https://rada.re
▪ https://github.com/nowsecure/r2frida

bit.ly/Connect-2019

MONDAY - DAY 1
Mobile Security Analysts Toolbox
In depth OSS Training Sessions
▪ Frida
▪ Radare
▪ r2Frida
▪ Capstone
▪ Ret2dec
▪ ZigBee
▪ And more…
Monday Night Party
NOWSECURE CONNECT19 OSS TRACK
TUESDAY - DAY 2
Mobile OSS tools hackathon
▪ Multiple tools and tracks
New OSS Tool Launch Sessions
▪ Multiple new OSS tools
Tool Creator’s Panel
Contest Awards
bit.ly/Connect-2019

NOWSECURE COMING ATTRACTIONS
NowSecure Connect 2019
Jun 3-4, 2019 | Washington D.C.
Black Hat USA (Training + Conference)
Aug 3-8, 2019 | Las Vegas, NV
r2con
Sep 4-7, 2019 | Barcelona, Spain
Webinar: Integrating Security into the
Mobile App DevOps Ecosystem
May 22, 2019

OPEN Q&A
Use the “Ask a Question” tab below the slides
BRIAN REED
CMO
PANCAKE
Radare2 Author

Merging Static and Dynamic Analysis with R2Frida Plugins

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Merging Static and Dynamic Analysis with R2Frida Plugins

Similar a Merging Static and Dynamic Analysis with R2Frida Plugins (20)

Más de NowSecure

Más de NowSecure (13)

Último

Último (7)

Merging Static and Dynamic Analysis with R2Frida Plugins