Workaround issue with DebugSymbol

[alvarofe]

Dunno if this is the best solution but I noticed that when using dtf to trace calls instead of

write 1,"lala\no\n",5

I was getting

0x7fff98084910 1, "lala\no\n", 5

This can be a hassle when you are tracing many functions. DebugSymbol should be doing this, but as far I know it does not work so is just a dirty workaround.

If this is not good javascript just tell me quite noob tbh.

[alvarofe]

Here the issue with DebugSymbol frida/frida-gum#186

[oleavr]

Interesting. What does DebugSymbol.fromAddress(Module.findExportByName(null, 'write')) return if you run it in the Frida REPL on your system? (To install the REPL: pip install frida and run frida -p 0, which gives you a system-session meaning the JS gets executed inside of Frida itself, so you don't have to attach to any process.)

[alvarofe]

mm. It does work from REPL but it wasn't on r2frida side

[Local::ProcName::Tweetbot]-> DebugSymbol.fromAddress(Module.findExportByName(null, 'write'))
{
    "address": "0x7fff98084910",
    "fileName": "",
    "lineNumber": 0,
    "moduleName": "libsystem_kernel.dylib",
    "name": "write"
}

[alvarofe]

air:r2 alvaro$ r2 frida://cat
Warning: r2frida cannot initialize mjolner
 -- Change the block size with 'b <block-size>'. In visual mode you can also enter radare2 command pressing the ':' key (like vi does)
[0x00000000]> \is write
0x7fff98084910
[0x00000000]> s 0x7fff98084910
[0x7fff98084910]> \dtf ^izi
true
[0x7fff98084910]> 0x7fff98084910 1,"lala\n",5

[alvarofe]

This from REPL fails

[Local::ProcName::cat]-> DebugSymbol.fromAddress(ptr(0x7fff98084910));
{
    "address": "0x7fff98084910",
    "fileName": null,
    "lineNumber": null,
    "moduleName": null,
    "name": null
}

[alvarofe]

Is kind of random behavior. With Tweetbot works but with cat it doesn't.

http://asciinema.org/a/dfk9e430250x7gbm217zmcgch

[trufae]

use const instead of var here

[trufae]

use let instead of var

[trufae]

imports are const

[trufae]

you can iterate here with for (let import of imports) { if (imp.address === address) {

[trufae]

use ===

[alvarofe]

Because of using == instead of === it does work. Maybe @oleavr that is the issue with DebugSymbol?

[trufae]

use ===, but better check for undefined. what if the import name is '' ? :P

[trufae]

move this logic into a separate function

[trufae]

remove leftover

[trufae]

this line does nothing

[alvarofe]

So == is needed to make a type conversion? If I use === it doesn't work

[dweinstein]

you can also use compare method for native pointers/addresses

[dweinstein]

[Local::ProcName::cat]-> imports[0].address
"0x7fffb458f374"
[Local::ProcName::cat]-> imports[0].address.compare
function
[Local::ProcName::cat]-> imports[0].address.compare("0x0") // better to use `isNull()`
1
[Local::ProcName::cat]-> imports[0].address.compare(imports[0].address)
0
[Local::ProcName::cat]-> imports[0].address.compare(imports[1].address)
-1

[alvarofe]

Compare doesn't work.

[Local::ProcName::cat]-> imports[36].address.compare("0x7fff98084910")
0
[Local::ProcName::cat]-> imports[36].address == "0x7fff98084910"
true
[Local::ProcName::cat]-> imports[36]
{
    "address": "0x7fff98084910",
    "module": "/usr/lib/libSystem.B.dylib",
    "name": "write",
    "type": "function"
}

Javascript ¯\(ツ)/¯

[oleavr]

@alvarofe Yeah always use strict equality checking, the others shouldn't be used IMO. In this case though, the value is a NativePointer, so .equals() should be used. By the way, shouldn't this logic be a fallback when DebugSymbol fails?

[oleavr]

Btw, if you feel like a little tour of non-strict equality craziness, check out this lightning talk:
https://www.destroyallsoftware.com/talks/wat

[alvarofe]

I should review other places when DebugSymbol is used in case it fails

[radare]

compare(ptr("0x...

…

On 19 Feb 2017, at 20:41, Álvaro Felipe Melchor ***@***.***> wrote: @alvarofe commented on this pull request. In src/agent/index.js: > @@ -947,6 +947,22 @@ function getPtr(p) { return Module.findExportByName(null, p); } +function nameFromAddress(address) { + var at = ''; + const module = Process.enumerateModulesSync()[0].name; + const imports = Module.enumerateImportsSync(module); + for (let imp of imports) { + if (imp.address == address) { So == is need to make a type conversion? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[oleavr]

Missing space between function name and opening parenthesis as per semistandard.

[oleavr]

Extra space and missing semicolon.

[oleavr]

By guaranteeing that this function is always called with a NativePointer (see suggestion below), we can drop ptr() here so it's just:

  let at = DebugSymbol.fromAddress(address).name;

[oleavr]

It would be simpler to always pass a NativePointer value to this function, by changing the else above from:

     var address = offset;

to:

     var address = ptr(offset);

(Note to self: we should refactor so offset is always a NativePointer.)

[oleavr]

Same with this ptr().

[oleavr]

And this ptr().

[alvarofe]

I had only time to update the PR. I couldn't look at other instances of DebugSymbol.

Regarding code style are you using https://github.com/Flet/semistandard ? just to make sure the next time I upload code in here.

Regarding compare @dweinstein you were right, I was using a string instead of NativePointer so my mistake.

[oleavr]

Missing semicolon.

[oleavr]

at = address.toString(); would be clearer.

[trufae]

this is also done in several other places in this js, so i would go to change this in a separate pr

[trufae]

if fromAddress() return null the .name will throw an exception that is not catched. i think that this code should be written in a different way. But Frida should already resolve those symbols . so it's a bug in Frida. Can you provide a reproducer? cc @oleavr

[trufae]

The problem here is that Frida is not exposing the address of the imports in the PLT/STUB inside the binary, so the symbols that hasnt been executed yet cannot be resolved. that's why you cant resolve write in cat because it's on hold in read.

One solution that comes to my mind will be to make Frida resolve the PLT symbols with the DebugSymbol API, or maybe provide an api to do that without having to iterate in js

[trufae]

nvm happens with read too.

[radare]

Thats because frida uses CoreSymbolication framework which depends on CoreFoundation and those libs are not loaded in cat. Its an issue in Frida that should be addressed there. We can have a workaround but I would prefer to have this solved using ApiResolver or making Frida use ApiResolver in case the symbolicator cant be instantiated.

…

On 21 Feb 2017, at 23:04, Sergi Àlvarez i Capilla ***@***.***> wrote: nvm happens with read too. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[alvarofe]

I agree on that, do not have any clue about Frida's internals but If I can help to sort this out let me know. Ok to close this PR and move the issue into Frida? Where is this in handled in Frida within frida-gum?

[trufae]

i'll merge this workaround, and do some tweaks later. but the fix should be done in Frida, not in r2frida, as long as we have other workarounds for Frida in r2frida, it's ok for me to have this merged to make r2frida useful outside mac

[alvarofe]

I agree on that but Frida code is out of my reach for the time being, I asked where to open the issue, basically in which frida's repo. But if you want to include this temporary is ok for me

[trufae]

you can use Process.findModuleByAddress(address) to avoid having to iterate over all modules to find which import falls in this address

[trufae]

also, iterate over the Exports too

[trufae]

Fixed the comments and merged from 8e5401d