Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implements Frida Hardware breakpoints #647

Merged
merged 2 commits into from
Jan 2, 2025
Merged

Implements Frida Hardware breakpoints #647

merged 2 commits into from
Jan 2, 2025

Conversation

as0ler
Copy link
Contributor

@as0ler as0ler commented Jan 2, 2025

  • Bump Frida 16.5.9
  • It refactors the software breakpoint code.
  • Allows to configure software/hardware breakpoints via dbg.hwbp configuration flag.
  • Adds support for Hardware breakpoints.
  • Fix :dbc command to run a r2 command when a breakpoint hits.
  • Implements :dbs to enable/disable a breakpoint.

trufae
trufae requested changes Jan 2, 2025
View reviewed changes
src/agent/lib/debug/breakpoints.ts Outdated Show resolved Hide resolved
src/agent/lib/debug/breakpoints.ts Outdated
if (breakpoints.size === 0) {
return "No breakpoints set";
}
bps.push(`type\t address \tenabled\t cmd `);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use the text-table dependency https://www.npmjs.com/package/text-table . its already in the pkg.json

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did it using markdown-table which is the unique module with ESM support I've found.

src/agent/lib/debug/breakpoints.ts Outdated
return "No breakpoints set";
}
bps.push(`type\t address \tenabled\t cmd `);
bps.push(`----\t-----------\t-------\t-------`);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tabs are bad for your health\Wterminal output

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved!

src/agent/lib/debug/breakpoints.ts
* - For other architectures, it returns a 1-byte buffer with the instruction `0xcc`.
*/
export function breakpointInstruction(): ArrayBufferLike {
if (Process.arch === 'arm64') {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

taken from r2. maybe we can also add armv7 bps here:

  6 static RBreakpointArch r_bp_plugin_arm_bps[] = {
  7         { 64, 4, 0, (const ut8*)"\x00\x00\x20\xd4" }, // le - arm64 brk0
  8         { 64, 4, 1, (const ut8*)"\xd4\x20\x00\x00" }, // be - arm64
  9         //{ 64, 1, 0, (const ut8*)"\xfe\xde\xff\xe7" }, // le - arm64 // hacky fix
 10 
 11         {32, 4, 0, (const ut8*)"\xf0\x01\xf0\xe7" }, // eabi-le - undefined instruction - for all kernels
 12         {32, 4, 1, (const ut8*)"\xe7\xf0\x01\xf0" }, // eabi-be
 13 
 14 //      { 32, 1, 0, (const ut8*)"\xff\xff\xff\xff" }, // le - linux only? (undefined instruction)
 15 //      { 32, 1, 1, (const ut8*)"\xff\xff\xff\xff" }, // be - linux only? (undefined instruction)
 16 //      { 32, 4, 0, (const ut8*)"\x01\x00\x9f\xef" }, // le - linux only? (undefined instruction)
 17 //      { 32, 4, 1, (const ut8*)"\xef\x9f\x00\x01" }, // be
 18 #if 0
 19         { 4, 0, (const ut8*)"\xfe\xde\xff\xe7" }, // arm-le - from a gdb patch
 20         { 4, 1, (const ut8*)"\xe7\xff\xde\xfe" }, // arm-be
 21         { 4, 0, (const ut8*)"\xf0\x01\xf0\xe7" }, // eabi-le - undefined instruction - for all kernels
 22         { 4, 1, (const ut8*)"\xe7\xf0\x01\xf0" }, // eabi-be
 23 #endif
 24         { 16, 2, 0, (const ut8*)"\x01\xbe" },         // thumb-le
 25         { 16, 2, 1, (const ut8*)"\xbe\x01" },         // thumb-be
 26         { 16, 2, 0, (const ut8*)"\xfe\xdf" },         // arm-thumb-le
 27         { 16, 2, 1, (const ut8*)"\xdf\xfe" },         // arm-thumb-be
 28         { 16, 4, 0, (const ut8*)"\xff\xff\xff\xff" },         // arm-thumb-le
 29         { 16, 4, 1, (const ut8*)"\xff\xff\xff\xff" },         // arm-thumb-be
 30         { 0, 0, 0, NULL }
 31 };

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would consider this in another PR

src/io_frida.c
":db (<addr>|<sym>) Add a new breakpoint\n"
":db[j*] List breakpoints\n"
":dbc (<addr>|<sym>) Associate an r2 command when the breakpoint is hit\n"
":dbs (<addr>|<sym>) Enable/Disable a breakpoint\n"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe have dbd and dbe to make it implicit?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think :dbs is more intuitive

as0ler added 2 commits January 2, 2025 16:43
@as0ler
chore: Bump Frida 16.5.9
497b7b2
@as0ler
feat: Implement Hardware breakpoints and refactoring software breakpo…
1d652b8 
…ints code.

fix :dbc to allow running a r2cmd when a breakpoint is hit
@as0ler as0ler force-pushed the frida_native_breakpoints branch from 01e7a76 to 1d652b8 Compare January 2, 2025 15:43
@trufae trufae merged commit 3dde3da into master Jan 2, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trufae trufae trufae requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@as0ler @trufae