Monday, August 29, 2022

Avoiding use-after-free(s) in Frida

Many people use Frida to perform instrumentation, but it is also important to be aware of good practices when doing so. I am going to talk about two of the most common mistakes; I make them from time to time too.

The one I see the most is provoking use-after-frees when instrumenting functions. This happens whenever the lifetime of a variable/assignment is not ensured within Interceptor callbacks. An example of a dangerous situation:

Interceptor.attach(ptr(0x1234), {
  onEnter (args) {
    // Plain locals: their lifetime is tied to this function body only
    let tempArg = args[0];
    let one = ptr(1);
    tempArg = one;
  }
});

The way Frida handles this callback does not ensure that the assignments to both tempArg and one remain valid for the whole execution of this block. This can be fixed by storing them on this:

Interceptor.attach(ptr(0x1234), {
  onEnter (args) {
    // Stored on `this`: lives for the whole invocation, onEnter through onLeave
    this.tempArg = args[0];
    this.one = ptr(1);
    this.tempArg = this.one;
  }
});

When you use this to store data, Frida ensures that it lives throughout the entire Interceptor block; this includes sharing data/state between the onEnter and onLeave callbacks.
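The onEnter/onLeave state-sharing pattern described above, as an added example that is not code from the original post: a hook on a hypothetical read(fd, buf, count) target records the file descriptor and requested size on this in onEnter, then pairs them with the actual return value in onLeave. Because plain Node has no Interceptor, the block also carries a constructed stand-in (fakePtr, simulateCall) that imitates the one property that matters here: Frida creates a fresh context object per invocation and uses it as this for both callbacks of that same invocation. The Interceptor.attach / Module.getExportByName call is the Frida API as I know it and only runs when the script is loaded inside Frida.

```javascript
// Log of completed read() calls, filled in from onLeave.
const readLog = [];

// Frida-style hook object. Everything that onLeave needs is kept on `this`.
const readHook = {
  onEnter(args) {
    // Stored on `this`: survives until onLeave for this same invocation.
    this.fd = args[0].toInt32();
    this.requested = args[2].toInt32();
    // A plain local like this one is gone once onEnter returns;
    // onLeave has no way to reach it.
    let scratch = 'only visible inside onEnter';
    void scratch;
  },
  onLeave(retval) {
    const got = retval.toInt32();
    readLog.push({ fd: this.fd, requested: this.requested, got });
  },
};

// Inside a real Frida session, attach the hook to the process's read().
// (Skipped under plain Node, where Interceptor is not defined.)
if (typeof Interceptor !== 'undefined') {
  Interceptor.attach(Module.getExportByName(null, 'read'), readHook);
}

// --- Constructed stand-in for Frida so the script also runs offline under Node ---
// Minimal imitation of NativePointer: only toInt32() is needed by the hook.
function fakePtr(v) {
  return { toInt32: () => v };
}

// Imitates one intercepted call: a fresh per-invocation context object is
// used as `this` for onEnter and then for onLeave, exactly like Frida does.
function simulateCall(hook, argValues, returnValue) {
  const ctx = {};
  hook.onEnter.call(ctx, argValues.map(fakePtr));
  hook.onLeave.call(ctx, fakePtr(returnValue));
  return ctx;
}

// Runs two constructed calls and returns a copy of the resulting log.
function runDemo() {
  readLog.length = 0;
  simulateCall(readHook, [3, 0x7000, 4096], 512); // read(3, buf, 4096) -> 512
  simulateCall(readHook, [5, 0x8000, 16], 16);    // read(5, buf, 16)   -> 16
  return readLog.slice();
}

runDemo().forEach((e) => console.log(`fd=${e.fd} requested=${e.requested} got=${e.got}`));
```

The design point is that nothing in onLeave refers to a variable declared in onEnter; every value that must outlive onEnter goes on this, which is scoped to the single invocation rather than to the hook object, so concurrent calls on different threads do not see each other's state.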
