Binary Debugging of the instrumentation script — Frida

MalwareResearch
3 min read, Aug 13, 2021

I like frida. People who know me know that I am in absolute awe of the frida DBI framework right from its inception. In my opinion it has been one of the best things to have happened to the community of Reverse Engineering and security research.

This post is a simple demonstration of debugging, at the binary level, the instrumentation code that Frida dynamically injects into the target process’ memory. To keep the post crisp and self-contained, I will stick to a basic “hello, world!” kind of use-case to explain the idea.

Frida also lets researchers debug the instrumentation code more conveniently with Chrome DevTools, as described here (https://github.com/frida/frida-python/issues/134#issuecomment-634212646).

This post deliberately takes the binary debugging approach for the fun of debugging binary executables and for advanced use-cases.

Let's take a look at our target process:

Fig.1 — The target application

Now, let us compile this program, call the resulting executable “test”, and run it. While the target is running, attach Frida to this executable and read the value of the variable “var_one” from its memory address, as illustrated in Fig.2.

Fig.2 — Reading the value of the variable via memory from frida
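The read shown in Fig.2, scripted end to end as an added example (this is not the post's own code): the Python side attaches to the running “test” process with frida-python, loads a small JavaScript agent that resolves `var_one` and reads it, and hands the result back through Frida's message channel. The module/symbol names, the 4-byte signed int type of `var_one`, and the 2021-era `Module.findExportByName(null, name)` API are assumptions; the Python side keeps the message parsing separate so that part runs without frida installed.

```python
import threading

# Frida agent (JavaScript) that runs inside the target process. Assumptions:
# the target is the post's "test" executable, `var_one` is a 4-byte int global,
# and the Frida API is the 2021-era one (Module.findExportByName(null, name)).
AGENT_SOURCE = r"""
// Exported symbols first; a plain global in an executable is usually not in the
// dynamic export table, so fall back to the symbol table / debug info.
var p = Module.findExportByName(null, 'var_one');
if (p === null) {
  p = DebugSymbol.fromName('var_one').address;
}
if (p.isNull()) {
  throw new Error('var_one not found: build the target with symbols');
}
// This readS32 is the access that a hardware breakpoint on read at
// &var_one (as set in IDA in the post) fires on.
send({ symbol: 'var_one', address: p.toString(), value: p.readS32() });
"""

def parse_agent_message(message):
    """Turn one frida on_message payload into (address, value) or raise."""
    if message.get("type") != "send":
        # Script errors arrive as {'type': 'error', 'description': ...}
        raise ValueError(message.get("description", str(message)))
    payload = message["payload"]
    return int(payload["address"], 16), int(payload["value"])

def read_var_one(process="test", timeout=5.0):
    """Attach to the running target, load the agent and return (address, value)."""
    import frida  # imported here so parse_agent_message works without frida installed
    outcome, done = {}, threading.Event()

    def on_message(message, data):
        try:
            outcome["result"] = parse_agent_message(message)
        except (ValueError, KeyError) as exc:
            outcome["error"] = exc
        done.set()

    session = frida.attach(process)
    script = session.create_script(AGENT_SOURCE)
    script.on("message", on_message)
    script.load()
    done.wait(timeout)
    session.detach()
    if "result" not in outcome:
        raise outcome.get("error") or TimeoutError("no message from agent")
    return outcome["result"]
```

With the target running, `read_var_one()` returns the address to set the hardware breakpoint on and the current value of `var_one`; the `send()` inside the agent is the read that the breakpoint in the next section catches.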

All good so far! Now we will repeat the same steps, but this time we will step through Frida's dynamically injected binary code while it reads the value of the variable from the target process’ memory.

  1. Run the target executable (test)
  2. Attach Frida to the target
  3. Attach IDA Pro (or any other debugger of your choice) to the target executable (test)
  4. In IDA Pro, set a hardware breakpoint on read at the memory address of the variable

Fig.3 — Setting Hardware Breakpoint on read for the memory address of variable “var_one”

Now, execute the Frida commands and wait for IDA to hit the hardware breakpoint on read.

Fig.4 — Hardware BP hit while executing frida instrumentation

This breaks inside the frida-agent code. You can now step through it, gain great insights, and appreciate the technical wonder that is Frida.

Fig. 5 — Stepping through frida-agent code

Hope you have enjoyed this little post and that it gives you ideas for playing with process memory during instrumentation. See you in another post. As always, feedback, suggestions and opinions are all welcome!
