Author: Andrea Ferraris
This plugin allows to stalk, dump and instrument a process using Frida functionalities.
BinRida allows to use Frida directly inside Binary Ninja.
To install, simply navigate to your Binary Ninja plugins directory and run
git clone https://github.com/bowline90/BinRida.git
There are four different commands:
- "BINRIDA: Dump context of this function" : retrieve various information entering and leaving a function;
- "BINRIDA: Instrument this address" : instrument this address. We can inspect or modify the status of the process during the execution of that specific instruction;
- "BINRIDA: Stalk function execution" : stalk this specific function;
- "BINRIDA: Stalk program execution" : stalk all the functions.
Each command will prompt a form for define various settings. There is a common area that specify how connect Frida to the process:
- Device: setting the frida device (local, tcp, ecc.);
- Application: this is the program that Frida will spawn. The default application is the same opened in Binary Ninja but it is possible to specify another application (for example, if you are reversing a shared library). The address are automatic rebased in the new process map;
- Command line: the command line arguments passed (default no one);
- Execution mode: spawn a new process or attach to an exist one;
- PID: in attach mode, this is the PID of the process.
If you need to interact with the program, you can use frida-server
and set TCP
as device.
In the stalk program exection command you should also set the function to intercept and start the stalking.
This command allows to view different and, possibly, usefull information during entering and leaving the function. The target function is the one opened in Binary Ninja.
In addition to the Frida settings, we have a multi-lines field where we can put a Javascript Frida code. In particular, we can use this form for retrieve the value of the arguments. For example, we have this function:
int32_t auth(char* arg1, int32_t arg2)
and we want to retrieve the runtime value of arg1 and arg2. We can use this commands and write the following JS code:
v_args['arg1'] = arg1.readCString();
v_args['arg2'] = arg2.toInt32();
and retrieve the runtime value in the final report. You can also use hexdump
function.
Note: the code entered is executed as Frida's JS code so you can use JS API to perform wathever you need to do (deference various pointer for example). For arguments, you can use the name defined in Binary Ninja (arg1, arg2 for example) and this will converted for Frida. v_args
will be sended out. This code is executed during the onEnter
callback.
A markdown report will be generated at the end of the stalking and contains the following information:
- Depth : this value is the recursion of the function;
- Callee function : the callee function and the relative module;
- Arguments : the output from
v_args
; - Register : value of the register entering (and before leaving) the function;
- Memory Mappings : the virtual memory map of the process;
- Module Mapping : the list of module mapped (with the address);
- Return Value : the returned value.
This command allows to instrument a single instruction. The target instruction is the one selected in Binary Ninja.
In addition to the Frida settings, we have a multi-lines field where we can put a Javascript Frida code.
This command can be a bit tricky to use: our code is executed during an Exception so all the thread are frozen. For example, if we want to retrieve the value of RAX
and RBX
we can use the following code:
send(context['rax']);
send(context['rbx']);
We can also change the value of the register:
context['rax'] = 10;
In particular, our code is executed inside an ExceptionHandler and we can use the context arguments. The value of PC
is changed in a stub but you can modify it (there is no rebasing for now).
You can also skip the execution of that instruction writing //SKIP
inside the script.
There is no formatted output: if you need one you can use the send
function and read the results in the log.
Note: the code entered is executed as Frida's JS code so you can use JS API to perform wathever you need to do.
These two commands allow to stalk the program execution: you can view the path followed by a specific execution.
In addition to the Frida settings, you can choose the color to use to highlight the executed block.
This commands can be usefull for tracking the executed path and search unexplored path.
Note: The stalk program execution breaks the execution in real world binary but the stalk function execution seems to be fine. Moreover, I changed the stalking method from the previous version: instead of using Frida Stalker function I will perform various runtime memory patching inserting breakpoint to retrieve the executed address. The basic blocks are retrieved by Binary Ninja. These features have various problems...
psutil
frida
pip install psutil frida
This plugin requires the following minimum version of Binary Ninja:
- 1689 "
- Add a no UI mode
- Form for using a different TCP server (not localhost)
- Some sort of memory for settings.
- Testing in real world
This plugin is released under a MIT license.
2