oleavr
commented
7 years ago The first option also sounds like the best to me. Architecturally it should be like a Windows counterpart to gumdarwinmapper.h, and be consumed by frida-core like on i/macOS.
Open elvanderb opened 7 years ago
oleavr
commented
7 years ago The first option also sounds like the best to me. Architecturally it should be like a Windows counterpart to gumdarwinmapper.h, and be consumed by frida-core like on i/macOS.
elvanderb
commented
7 years ago OK. I'll continue to add some comments on this issue to document what I've done and what I plan to do.
TLS: Frida uses TLS callbacks to be noticed when a new thread is created. I'll see if we can do without those callbacks, if we can't we'll have to put some hooks as there is no other documented mechanism to do that. Frida also use some thread local variables. I didn't check yet but if they don't have initial value then we can get rid of them by using dynamically allocated TLS. If they have an initial non NULL value then we will have to initialize them at each new thread and we need TLS callbacks... I'll definitely have to code some multi-threaded tests and checks if it hasn't already be done.... I'm also afraid that the TLS are needed by the glib, which is a little bit more problematic...
DLLs: Frida only depends on system libraries so we don't have to deal with manifests etc. it should be easy to load it in memory an to populate the IAT.
CapitanShinChan
commented
6 years ago @elvanderb Any progresses with this? It's a feature that would be awesome to have, if you need it, I could give you some help, even if my skills are probably more limited than yours :P
elvanderb
commented
6 years ago Hi, no, I didn't had time for this. I think the best way to deal with this would be to use the Stuxnet method as we wouldn't have to deal with TLS. The easiest way to do this would be by using inifinite jumps (\xEB\xFE) to "debug" the process and hook the APIs. I won't have time to work on this in the next few weeks but I may have some time in september.
fasetto
commented
2 years ago Hello. Any progress on this one?
For the moment, the code that injects Frida in Windows processes works by injecting a small shellcode that call LoadLibrary. This is not optimal for the following reasons:
There is two main techniques to load a DLL from memory:
The first option is not too hard to do but has one major drawback: replacing the Windows loader is not that easy, especially for the TLS vars and callbacks - mechanisms that are used by frida - and the dependency loading (see https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx ...). We may replace them by hooking RtlUserThreadStart for example but we may encounter chicken and egg problems...
The second option is quite elegant (it was used, for example, by Stuxnet) and solve all the Windows internal problems but it asks to hook functions in the targeted process, something that we cannot do without... injecting a DLL. Again, we have a chicken and egg problem.
A third option might be to use a mixed approach: we inject a simple DLL with the first approach to have a limited hooking framework and we inject Frida by using the second technique.
The question is: what should we do? I think that the first solution might be sufficient and it has the benefit of being stealthier, it can be done 100% from the remote process so no userland hooks should block us and it would require minor changes in the code (no additional projects).
What do you think?