forked from c3r34lk1ll3r/BinRida
Commit ebcfa4d (parent 0ac823b)
Showing 1 changed file with 2 additions and 2 deletions.
GitHub flags this file as containing bidirectional Unicode text that may be interpreted or compiled differently than it appears below; review it in an editor that reveals hidden Unicode characters.
@@ -9,7 +9,7 @@ | |
"python3" | ||
], | ||
"description": "Frida plugin for Binary Ninja - continuation of BinRida by @c3r34lk1ll3r", | ||
"longdescription": "_BinRida_ allows to use [Frida](https://www.frida.re/) directly inside Binary Ninja.\n\nTo install, simply navigate to your Binary Ninja plugins directory and run\n ``` \ngit clone https://github.com/bowline90/BinRida.git\n ``` \n## Usage\nThere are four different commands:\n * _\"BINRIDA: Dump context of this function\"_ : retrieve various information entering and leaving a function;\n * _\"BINRIDA: Instrument this address\"_ : instrument this address. We can inspect or modify the status of the process during the execution of that specific instruction;\n * _\"BINRIDA: Stalk function execution\"_ : stalk this specific function;\n * _\"BINRIDA: Stalk program execution\"_ : stalk all the functions.\n\n## Frida Settings\nEach command will prompt a form for define various settings. There is a _common_ area that specify how connect _Frida_ to the process:\n * _Device_: setting the frida device (_local_, _tcp_, ecc.);\n * _Application_: this is the program that _Frida_ will spawn. The default application is the same opened in Binary Ninja but it is possible to specify another application (for example, if you are reversing a shared library). The address are automatic rebased in the new process map; \n* _Command line_: the command line arguments passed (default no one);\n * _Execution mode_: spawn a new process or attach to an exist one;\n * _PID_: in _attach_ mode, this is the PID of the process. \n\n If you need to interact with the program, you can use `frida-server` and set `TCP` as device.\n\n In the _stalk program exection_ command you should also set the function to intercept and start the stalking. \n## Commands\n\n### BINRIDA: Dump context of this function\nThis command allows to view different and, possibly, usefull information during entering and leaving the function. 
The _target_ function is the one opened in Binary Ninja.\n#### Settings\nIn addition to the _Frida_ settings, we have a multi-lines field where we can put a Javascript _Frida_ code. In particular, we can use this form for retrieve the value of the arguments.For example, we have this function:\n```\nint32_t auth(char* arg1, int32_t arg2)\n```\n and we want to retrieve the runtime value of _arg1_ and _arg2_. We can use this commands and write the following JS code:\n```\nv_args['arg1'] = arg1.readCString();\nv_args['arg2'] = arg2.toInt32();\n ```\n and retrieve the runtime value in the final report. You can also use `hexdump` function.\n\n**Note:** the code entered is executed as Frida's JS code so you can use [JS API](https://www.frida.re/docs/javascript-api/) to perform wathever you need to do (deference various pointer for example). For arguments, you can use the name defined in Binary Ninja (arg1, arg2 for example) and this will converted for Frida. `v_args` will be sended out. This code is executed during the `onEnter` callback.\n\n #### Output\nA markdown report will be generated at the end of the stalking and contains the following information:\n\n * _Depth_ : this value is the recursion of the function;\n * _Callee function_ : the callee function and the relative module;\n * _Arguments_ : the output from `v_args`;\n * _Register_ : value of the register entering (and before leaving) the function;\n * _Memory Mappings_ : the virtual memory map of the process;\n * _Module Mapping_ : the list of module mapped (with the address);\n * _Return Value_ : the returned value.\n\n### BINRIDA: Instrument this address\nThis command allows to instrument a single instruction. The _target_ instruction is the one selected in Binary Ninja.\n#### Settings\nIn addition to the _Frida_ settings, we have a multi-lines field where we can put a Javascript _Frida_ code.\nThis command can be a bit tricky to use: our code is executed during an _Exception_ so all the thread are frozen. 
For example, if we want to retrieve the value of `RAX` and `RBX` we can use the following code:\n```\nsend(context['rax']);\nsend(context['rbx']);\n```\nWe can also change the value of the register:\n```\ncontext['rax'] = 10;\n```\nIn particular, our code is executed inside an [ExceptionHandler](https://www.frida.re/docs/javascript-api/#process) and we can use the _context_ arguments. The value of `PC` is changed in a stub but you can modify it (there is no rebasing for now).\nYou can also skip the execution of that instruction writing `//SKIP` inside the script.\nThere is no formatted output: if you need one you can use the `send` function and read the results in the _log_.\n\n**Note:** the code entered is executed as Frida's JS code so you can use [JS API](https://www.frida.re/docs/javascript-api/) to perform wathever you need to do. \n\n### BINRIDA: Stalk program/function execution\nThese two commands allow to _stalk_ the program execution: you can view the path followed by a specific execution.\n#### Settings\nIn addition to the _Frida_ settings, you can choose the color to use to highlight the executed block. \n\nThis commands can be usefull for tracking the executed path and search unexplored path.\n\n**Note:** The _stalk program execution_ breaks the execution in _real world binary_ but the _stalk function execution_ seems to be fine. Moreover, I changed the _stalking method_ from the previous version: instead of using _Frida Stalker_ function I will perform various runtime memory patching inserting breakpoint to retrieve the executed address. The basic blocks are retrieved by Binary Ninja. These features have various problems...\n## Dependencies: \n - `psutil` \n - `frida`\n", | ||
"longdescription": "# Frinja\n\nAuthor: **Dimitris Zervas**\n\nFrida plugin for binary ninja.\n\nA set of jinja-enabled frida scripts using the context of binary ninja's static analysis.\n\nThis is a continuation of the [BinRida](https://github.com/c3r34lk1ll3r/BinRida) plugin by @[c3r34lk1ll3r](https://github.com/c3r34lk1ll3r).\n\n## Usage\n\nFirst of all you'll need to go to `Plugins > Frinja > Settings` to set up the frida\nconnection and the application to be instrumented.\n\nAfterwards you can use any available commands - the `Hook Function` and `Run Hooker`\ncommands are explained [below](#hooker)\n\n### Dump Function Context\n\nIt hooks and gathers all calls and returns of the focused function and generates\na markdown report with the following information:\n\n- Callee address\n- Thread ID\n- Arguments (tries to dereference pointers, read strings and numbers)\n- Return value\n- Register values\n\n### Inspect Function Paths\n\nA code coverage tracer for the focused function that highlights the executed basic blocks\n\n## Hooker\n\nThe main show of this plugin is the `Run Hooker` command. It allows you to trace\nand tamper with the execution of the application.\n\nAfter a function is marked with the `Hook Function` command (or any function with\nthe `Frinja Hooked` tag) all its calls and returns will get logged in the log pane.\n\nThere's also the ability to add pre and post hooks to the function as well as altering\nthe return value.\n\nTo do so a function comment should be added in the following format:\n\n```text\n@prehook: <prehook js code>\n@posthook: <posthook js code>\n@ret: <return value>\n```\n\nThe return value can be any kind of valid javascript expression\n\n## License\n\nThis plugin is released under a MIT license.", | ||
"license": { | ||
"name": "MIT", | ||
"text": "Copyright 2019 Andrea Ferraris\nCopyright 2024 <[email protected]> Dimitris Zervas\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." | ||
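Review bot: the new longdescription says that `@prehook:`, `@posthook:` and `@ret:` in a function comment are evaluated as JavaScript when `Run Hooker` runs, but it never states where that JavaScript executes or who can put it there. Function comments and the `Frinja Hooked` tag persist in the saved analysis database, so anyone who hands you a `.bndb` can plant code that Frida injects into the instrumented process the moment you run `Run Hooker`; the text should say plainly that comments on hooked functions are treated as code and that a shared database should be reviewed before running the hooker. Two smaller regressions against the removed text: the old longdescription told the user to `git clone` the repository into the Binary Ninja plugins directory and listed the `frida` and `psutil` dependencies, and it explained that a `frida-server` with the `TCP` device is needed to reach a remote target; the new one only points at `Plugins > Frinja > Settings`, so a first-time user is not told how to install the plugin or that a local or remote Frida device must be reachable before `Dump Function Context`, `Inspect Function Paths` or `Run Hooker` will do anything.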
@@ -25,6 +25,6 @@ | |
"Jinja2" | ||
] | ||
}, | ||
"version": "1.0.2", | ||
"version": "1.0.3", | ||
"minimumbinaryninjaversion": 3164 | ||
} |
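Review bot: this hunk only moves `"version"` from `1.0.2` to `1.0.3` while `"minimumbinaryninjaversion"` stays at `3164`, and nothing in the commit records what changed for users; since the only other edit is the longdescription rewrite above, a one-line note in the commit message or a changelog saying the release is documentation-only would let plugin-manager users decide whether the update matters to them.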