FireEye Labs Query-Oriented Debugger
flare-qdb is a command-line and scriptable Python-based tool for evaluating and manipulating native program state. It uses Vivisect to set a breakpoint on each queried instruction and executes Python code when hit.
flare-qdb frees the analyst to take a nonlinear approach to dynamic analysis that accommodates the questions that arise in the course of normal debugging and static analysis. flare-qdb answers these questions without requiring the analyst to manually set up an interactive debugger session and navigate the program counter to that code location.
Here are some examples of spot questions flare-qdb can answer:
- Does eax always equal this value at this point?
- What was eax equal to before this branch?
- What values will this string assume throughout this loop?
- At the first iteration of the inner loop, what base address is used?
- Is the program even going to hit this logic?
- Which code executes first?
- Does the number of loop iterations depend on the value of
- Can I alter the command-line arguments to avoid this condition?
flare-qdb can also be used to facilitate automated, repeatable manipulation of program execution. Here are some examples of useful applications:
- Executing a string decoder with different arguments to quickly extract all the strings used by a malware sample.
- Overriding the arguments to
Sleep()to permit rapid iterative testing of a custom command and control (C2) server.
- Telling a privilege escalation tool that its integrity level is 0x1000
MANDATORY_LOW_RID) in order to induce it to execute its exploit code.
- Repeatably automating the unpacking of a packer that jumps into one or more non-deterministic heap locations.
flare-qdb accepts multiple queries that take the form of a program counter or
Vivisect expression paired with some Python text to evaluate in the flare-qdb
scripting environment. Vivisect expressions can be used to specify simple
constant program counter values like
"0x401000", symbolic expressions like
"kernel32.Sleep", and more. Vivisect expressions can also incorporate
register and memory state to articulate sophisticated conditions, such as
"not eax or (( edx > 3) and (poi(ebp-8) < 5))".
The command line argument format for this is:
-at <vexpr-pc> <pythontext>
flare-qdb also supports conditional evaluation based on the truth value of a Vivisect expression:
-at-if <vexpr-pc> <vexpr-conds> <pythontext>
flare-qdb provides several builtins for convenient debugging, which are
available both from the command line and as methods of its
flare-qdb has been tested primarily on Windows, but works on Linux.
Unfortunately, the Darwin port of Vivisect's
vtrace.Trace class is
incomplete, so flare-qdb does not support OSX.
flare-qdb comes with De-DOSfuscator, which is a tool for decoding obfuscated batch files by running them. Details can be found in the De-DOSfuscator Guide or by reading the blog Cmd and Conquer: De-DOSfuscation with flare-qdb.
Information about installing flare-qdb is available in the Installation Guide.
Information about using flare-qdb on the command line is available in the Command Line Usage Guide.
A full reference of flare-qdb's builtins (available both from the CLI and as
instance methods) is available in the Builtins
Reference or by typing
flareqdb --help-builtins after
De-DOSfuscator documentation can be found in the De-DOSfuscator Guide.
Troubleshooting information can be found in the Troubleshooting Guide.
Acknowledgements and thoughts about future functionality that may be useful can be found in the Notes.