fpicker: Fuzzing with Frida

https://insinuator.net/2021/03/fpicker-fuzzing-with-frida

https://github.com/ttdennis/fpicker

Finally, PageDOut No. 8 is out

https://pagedout.institute/?page=issues.php

Bypassing Frida: Advance Frida Detection Bypass

https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-1-cc7c1dfbad9d


https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-2-e3466a141a4c


https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-3-339aa1202c48


https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-4-c258e8f5aa64

VM Detection Tricks, Part 1: Physical memory resource maps

In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.

https://labs.nettitude.com/blog/vm-detection-tricks-part-1-physical-memory-resource-maps

Decompilation Debugging

https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code

Сustom shellcode compiler for Binary Ninja

https://scc.binary.ninja/index.html

IDA Pro 9.3 KeyGen


pip install + privilege escalation on Win (ShellExecuteW(..., "runas", ...) + generation of JSON license and signature + copying idapro.hexlic to %APPDATA%\Hex-Rays\Ida Pro\idapro.hexlic + of course editing the registry HKCU\SOFTWARE\Hex-Rays\IDA\Licenses\ + patching IDA binaries

On *nix/mac - it searches for libida.so, libida32.so, .dylib in the current directory and patches them

@reverseengine

🟢 7️⃣ Page Permissions

هر صفحه حافظه:

Read

Write

Execute

مثال:

Code → RX

Data → RW

📌 مهم: چون Debugger و loader با این پرمیژن‌ ها کار میکنن



🟢 7️⃣ Page Permissions

Each memory page:

Read

Write

Execute

Example:

Code → RX

Data → RW

📌 Important: Because Debugger and loader work with these permissions

@reverseengine

🟢 8️⃣ User Mode vs Kernel Mode

CPU
دو حالت داره:

User Mode
برنامه‌های معمولی
دسترسی محدود

Kernel Mode
خود سیستم‌عامل
دسترسی کامل

برنامه مستقیم نمیتونه کارهای حساس انجام بده باید syscall بزنه

📌  RE:

میفهمید چرا بعضی دستورها خطا میدن




🟢 8️⃣ User Mode vs Kernel Mode

CPU has two modes:

User Mode

Normal programs
Limited access


Kernel Mode

The operating system itself
Full access

A program cannot do sensitive work directly, it must make a syscall

📌 RE:

Do you understand why some commands give errors?

@reverseengine

بخش پونزدهم بافر اورفلو

ابزارها و فازینگ یا fuzzing برای یافتن باگ

معرفی ابزارهای اصلی فازینگ و روش ساخت یک harness ساده که بافر اورفلوها رو پیدا کنه

توضیح:
fuzzing

یعنی دادن ورودی های خودکار و نامنظم به برنامه برای پیدا کردن کرش یا رفتار غیرعادی

ابزارهای معروف شامل AFL libFuzzer honggfuzz و radamsa هستند

AddressSanitizer

کمک میکنه خطاهای حافظه رو با گزارش دقیق نشون بده

فایل harness
این فایل یک برنامه ساده میسازه که ورودی رو از stdin میخونه و روی بافر محلی کپی میکنه تا برای fuzz مناسب باشه
هدف اینه که fuzzers بتونه ورودی های مختلف رو ارسال کنه و ASan یا کرش رو بگیره

فایل file8_harness.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    char buf[64];
    size_t n = fread(buf, 1, sizeof(buf), stdin);
    /* ensure null termination for printing */
    if (n >= sizeof(buf)) n = sizeof(buf)-1;
    buf[n] = '\\0';
    /* intentionally unsafe copy to demonstrate overflow during fuzzing */
    char target[32];
    strcpy(target, buf);
    printf("ok got %zu bytes\\n", n);
    return 0;
}

دستورات برای کامپایل با AddressSanitizer
با ASan وقتی overflow اتقاق میوفته

دستورات

gcc -g -O1 -fsanitize=address -fno-omit-frame-pointer file8_harness.c -o file8_asan
./file8_asan < some_input

استفاده AFL
AFL
نیاز به یک binary instrumented شده داره و دایرکتوری seed برای ورودی های اولیه
اول نسخه ای با afl-gcc یا afl-clang بسازید بعد fuzz رو اجرا کنید

دستورات AFL

# ساخت با afl
afl-clang-fast -g file8_harness.c -o file8_afl

# آماده سازی دایرکتوری seed
mkdir in
echo "test" > in/seed1

# اجرای afl
afl-fuzz -i in -o out -- ./file8_afl

نکته درباره libFuzzer و clang
برای libFuzzer باید harness با تابع LLVMFuzzerTestOneInput باشه و با clang و -fsanitize=fuzzer ساخته بشه
این روش برای پروژه هایی که library oriented اند مناسب تره

نکته درباره radamsa
radamsa

میتونه seed های تصادفی تولید کنه و با pipe به برنامه ارسال کنه


مثال

radamsa in/seed1 | ./file8_asan

Part 15 Buffer Overflow

Tools and Fuzzing to Find Bugs

Introduction to the main fuzzing tools and how to build a simple harness that finds buffer overflows

Explanation:
Fuzzing

means giving automatic and irregular inputs to the program to find crashes or unusual behavior

Popular tools include AFL libFuzzer honggfuzz and radamsa

AddressSanitizer

Helps show memory errors with detailed reporting

Harness file
This file creates a simple program that reads input from stdin and copies it to a local buffer suitable for fuzzing
The goal is to allow fuzzers to send various inputs and get ASan or crashes

File file8_harness.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    char buf[64];
    size_t n = fread(buf, 1, sizeof(buf), stdin);
    /* ensure null termination for printing */
    if (n >= sizeof(buf)) n = sizeof(buf)-1;
    buf[n] = '\\0';
    /* intentionally unsafe copy to demonstrate overflow during fuzzing */
    char target[32];
    strcpy(target, buf);
    printf("ok got %zu bytes\\n", n);
    return 0;
}

Commands to compile with AddressSanitizer
With ASan when overflow occurs

Commands

gcc -g -O1 -fsanitize=address -fno-omit-frame-pointer file8_harness.c -o file8_asan
./file8_asan < some_input

Using AFL
AFL
requires an instrumented binary and a seed directory for initial inputs
First build with afl-gcc or afl-clang then run fuzz

AFL Commands

# Build with afl

afl-clang-fast -g file8_harness.c -o file8_afl

# Prepare seed directory

mkdir in
echo "test" > in/seed1

# Run afl

afl-fuzz -i in -o out -- ./file8_afl

Note about libFuzzer and clang
For libFuzzer you need harness with function LLVMFuzzerTestOneInput and build with clang and -fsanitize=fuzzer
This method is more suitable for library oriented projects

Note about radamsa
radamsa

Can generate random seeds and send them to the program via pipe

Example

radamsa in/seed1 | ./file8_asan

@reverseengine

Ghidra Plugin Development for Vulnerability Research

https://www.somersetrecon.com/blog/2019/ghidra-plugin-development-for-vulnerability-research-part-1

@reverseengine

User-Friendly Fuzzing with Sienna Locomotive

https://blog.trailofbits.com/2019/04/08/user-friendly-fuzzing-with-sienna-locomotive

@reverseengine