nowsecure / r2frida

Radare2 and Frida better together.
MIT License

`:il`, `:dm` and `:dmm` are unable to list anonymous mapping (memfd) #509

Open enovella opened 1 year ago

enovella commented 1 year ago

Using R2Frida, we try to see where the Frida agent is mapped in memory:

```
[0x75e660d000]> :dm~+frida-agent
[0x75e660d000]> :dmm~+frida-agent
[0x75e660d000]> :il~+frida-agent
[0x75e660d000]> :dp
22977
[0x75e660d000]>
```

The Frida agent library was mapped anonymously:

```
cheeseburger:/ # cat /proc/22977/maps|egrep frida
759311f000-7593b17000 r--p 00000000 00:05 216887                         /memfd:frida-agent-64.so (deleted)
7593b18000-7594837000 r-xp 009f8000 00:05 216887                         /memfd:frida-agent-64.so (deleted)
7594837000-7594907000 r--p 01716000 00:05 216887                         /memfd:frida-agent-64.so (deleted)
7594908000-7594924000 rw-p 017e6000 00:05 216887                         /memfd:frida-agent-64.so (deleted)
```

Back into R2Frida with the offset:

```
[0x75e660d000]> 0x759311f000
[0x759311f000]> x
- offset -     0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x759311f000  7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
0x759311f010  0300 b700 0100 0000 0000 0000 0000 0000  ................
0x759311f020  4000 0000 0000 0000 981b 8001 0000 0000  @...............
0x759311f030  0000 0000 4000 3800 0a00 4000 1900 1800  ....@.8...@.....
0x759311f040  0600 0000 0400 0000 4000 0000 0000 0000  ........@.......
0x759311f050  4000 0000 0000 0000 4000 0000 0000 0000  @.......@.......
0x759311f060  3002 0000 0000 0000 3002 0000 0000 0000  0.......0.......
0x759311f070  0800 0000 0000 0000 0100 0000 0400 0000  ................
0x759311f080  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x759311f090  0000 0000 0000 0000 cc7c 9f00 0000 0000  .........|......
0x759311f0a0  cc7c 9f00 0000 0000 0010 0000 0000 0000  .|..............
0x759311f0b0  0100 0000 0500 0000 0080 9f00 0000 0000  ................
0x759311f0c0  0090 9f00 0000 0000 0090 9f00 0000 0000  ................
0x759311f0d0  a0eb d100 0000 0000 a0eb d100 0000 0000  ................
0x759311f0e0  0010 0000 0000 0000 0100 0000 0600 0000  ................
0x759311f0f0  a06b 7101 0000 0000 a08b 7101 0000 0000  .kq.......q.....
[0x759311f000]> :iE
ERROR: error: unable to find module containing 0x759311f000
[0x759311f000]> :iSS
ERROR: error: cannot read property 'and' of undefined
[0x759311f000]>
```

trufae commented 10 months ago

Can you try again? I think it's fixed now.

enovella commented 10 months ago

It is not working yet on my setup.

trufae commented 10 months ago

Can you share a Frida one-liner to list it?

trufae commented 10 months ago

Because I can't find a way to get this from Frida. Therefore it's a bug in Frida.

trufae commented 8 months ago

@oleavr can you expose the APIs to access this info from Frida again? Because this was already available before.
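
The `/proc/<pid>/maps` listing in the opening post already holds the information that `:dm`, `:dmm` and `:il` did not show. As an added example (not code from r2frida, Frida or anyone in this thread), the JavaScript below parses maps text, groups `/memfd:` segments into one module entry and resolves an address to it. All function names are illustrative, and the two non-memfd sample lines are constructed.

```javascript
// Added example: group memfd-backed mappings from /proc/<pid>/maps text.
// Function names are illustrative; they are not r2frida or Frida APIs.
const ISSUE_MAPS = [ // the four lines quoted in the issue, padding collapsed
  '759311f000-7593b17000 r--p 00000000 00:05 216887 /memfd:frida-agent-64.so (deleted)',
  '7593b18000-7594837000 r-xp 009f8000 00:05 216887 /memfd:frida-agent-64.so (deleted)',
  '7594837000-7594907000 r--p 01716000 00:05 216887 /memfd:frida-agent-64.so (deleted)',
  '7594908000-7594924000 rw-p 017e6000 00:05 216887 /memfd:frida-agent-64.so (deleted)',
];
const CONSTRUCTED_MAPS = [ // constructed lines, not from the issue
  '7000000000-7000001000 r-xp 00000000 fd:00 1234 /system/lib64/libexample.so',
  '7000002000-7000003000 rw-p 00000000 00:00 0',
];
const SAMPLE_MAPS = CONSTRUCTED_MAPS.concat(ISSUE_MAPS).join('\n');
const MAPS_RE = /^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$/;

function parseMapsLine(line) {
  const m = MAPS_RE.exec(line.trim());
  if (m === null) return null;
  const deleted = m[5].endsWith(' (deleted)');
  const path = deleted ? m[5].slice(0, -' (deleted)'.length) : m[5];
  return { start: BigInt('0x' + m[1]), end: BigInt('0x' + m[2]), perms: m[3], inode: m[4], path, deleted };
}

// One entry per memfd file (keyed by inode and name), spanning all its segments.
function listMemfdModules(mapsText) {
  const modules = new Map();
  for (const line of mapsText.split('\n')) {
    const r = parseMapsLine(line);
    if (r === null || !r.path.startsWith('/memfd:')) continue;
    const key = r.inode + ':' + r.path;
    if (!modules.has(key)) {
      modules.set(key, { name: r.path.slice('/memfd:'.length), base: r.start, end: r.end, segments: [] });
    }
    const mod = modules.get(key);
    if (r.start < mod.base) mod.base = r.start;
    if (r.end > mod.end) mod.end = r.end;
    mod.segments.push(r);
  }
  return [...modules.values()];
}

// Resolve an address (BigInt) to the memfd module whose segment contains it, or null.
function findMemfdModule(mapsText, address) {
  for (const mod of listMemfdModules(mapsText)) {
    if (mod.segments.some((s) => address >= s.start && address < s.end)) return mod;
  }
  return null;
}
```

Addresses are kept as BigInt so full 64-bit values survive parsing. On a live system the input would be the contents of `/proc/<pid>/maps` for the target process.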