September 02, 2018

Taint with Frida

Frida is slow, you can’t do taint analysis

cit. chqmatteo

I never used Frida before, so I decided some days ago to start learning it.

But how to start? Obviously testing the real capabilities of the tool writing a taint analysis module.

https://github.com/andreafioraldi/taint-with-frida

In the following example each buffer readed using the read syscall is tainted.

var taint = require("./taint");

taint.syscallPreHook = function(ctx) {
    var sn = ctx.rax.toInt32();
    taint.log("foo", "syscall index = " + sn);
    if(sn == 0) { //read
        taint.memory.taint(ctx.rsi, ctx.rdx);
        taint.report();
    }
    else if(sn == 60 || sn == 231) { //exit || exit_group
        taint.log("foo", "exiting");
        taint.stopTracing();
        taint.report();
    }
}

taint.syscallPostHook = function(ctx) {
    taint.log("foo", "syscall ret = " + ctx.rax);
}

Interceptor.attach(ptr("0x400643"), //main
    function() {
        taint.log("foo", "enter main()");
        taint.startTracing(true); //true -> hook syscalls
    }
);

The postings on this site are my own and don't necessarily represent my employer’s positions, strategies or opinions.

© malweisse's corruptions, 2022 — built with Jekyll using Lagom theme