Build a debugger in 5 minutes (4/5)

Let’s tap into the internals of native processes with our own custom-made debugger.

Ole André Vadla Ravnås
2 min read · Jun 22, 2014

Hook socket APIs

This is where it starts getting interesting. Frida allows us to hook any function, even without any debug symbols. It only needs to know the address where the function resides in memory.

Let’s go ahead and extend “agent.js” to hook the socket API. Add the following code at the end:

// Name of the module that exports the socket API on each platform.
var socketModule = {
  "windows": "ws2_32.dll",
  "darwin": "libSystem.B.dylib",
  "linux": "libc-2.19.so"
};
var socketFunctionPrefixes = [
  "connect",
  "recv",
  "send",
  "read",
  "write"
];
// An export is treated as a socket function if its name starts with one of the
// prefixes above, which also catches variants such as recvfrom, sendto, readv and writev.
function isSocketFunction(name) {
  return socketFunctionPrefixes.some(function (prefix) {
    return name.indexOf(prefix) === 0;
  });
}
Module.enumerateExports(socketModule[Process.platform], {
  onMatch: function (exp) {
    if (exp.type === "function"
        && isSocketFunction(exp.name)) {
      Interceptor.attach(exp.address, {
        onEnter: function (args) {
          // Every hooked function takes the descriptor as its first argument;
          // `this` is private to this call, so the value is still there in onLeave.
          this.fd = args[0].toInt32();
        },
        onLeave: function (retval) {
          var fd = this.fd;
          // Only report IPv4 TCP sockets; files, pipes, UDP and "tcp6" sockets are skipped.
          if (Socket.type(fd) !== "tcp")
            return;
          var address = Socket.peerAddress(fd);
          if (address === null)
            return;
          send({
            name: "socket-activity",
            payload: {
              fd: fd,
              func: exp.name,
              address: address
            }
          });
        }
      });
    }
  },
  onComplete: function () {
  }
});
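As an added example (not part of the tutorial or of Frida itself), here is host-side JavaScript that folds the "socket-activity" messages the agent emits into a per-peer summary the UI could display. It assumes the message handler receives the object passed to send(), and that Socket.peerAddress() returned { ip, port } for the TCP sockets the filter lets through; the sample messages are constructed.

```javascript
// Added example, not part of the tutorial: host-side bookkeeping for the
// "socket-activity" messages agent.js send()s. Assumes the handler gets the
// object passed to send() and that address is { ip, port } (assumption).
function createActivityLog() {
  return { peers: new Map(), ignored: 0 };   // keyed by "ip:port"
}

// Fold one agent message into the log; returns true if it was socket activity.
function recordActivity(log, message) {
  if (message.name !== "socket-activity") {
    log.ignored++;                            // other send() names from the agent
    return false;
  }
  var p = message.payload;
  var key = p.address.ip + ":" + p.address.port;
  var entry = log.peers.get(key);
  if (entry === undefined) {
    entry = { peer: key, fds: new Set(), calls: {} };
    log.peers.set(key, entry);
  }
  entry.fds.add(p.fd);                                  // descriptors that reached this peer
  entry.calls[p.func] = (entry.calls[p.func] || 0) + 1; // per hooked API call counts
  return true;
}

// Deterministically ordered summary, ready for display in the UI.
function summarizeActivity(log) {
  return Array.from(log.peers.values())
    .map(function (e) {
      return { peer: e.peer, fds: Array.from(e.fds).sort(function (a, b) { return a - b; }), calls: e.calls };
    })
    .sort(function (a, b) { return a.peer.localeCompare(b.peer); });
}
// Constructed sample messages (TEST-NET-1 addresses), shaped like the agent's send() calls.
var sampleMessages = [
  { name: "ready" },
  { name: "socket-activity", payload: { fd: 7,  func: "connect", address: { ip: "192.0.2.10", port: 80 } } },
  { name: "socket-activity", payload: { fd: 7,  func: "send",    address: { ip: "192.0.2.10", port: 80 } } },
  { name: "socket-activity", payload: { fd: 7,  func: "recv",    address: { ip: "192.0.2.10", port: 80 } } },
  { name: "socket-activity", payload: { fd: 9,  func: "write",   address: { ip: "192.0.2.20", port: 443 } } },
  { name: "socket-activity", payload: { fd: 11, func: "recv",    address: { ip: "192.0.2.10", port: 80 } } }
];
// Run the sample through the log and return what the UI would show.
function demo() {
  var log = createActivityLog();
  sampleMessages.forEach(function (m) { recordActivity(log, m); });
  return { summary: summarizeActivity(log), ignored: log.ignored };
}
console.log(JSON.stringify(demo(), null, 2));
```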

Let’s try it on a process that’s likely to generate some network activity.

Add error-handling

It would be great to have some feedback when something goes wrong.

We’ll add a “MessageDialog” to display error messages. Add a new import:

import QtQuick.Dialogs 1.1

Then the dialog itself. Just put it right after the “RowLayout”:

MessageDialog {
    id: errorDialog
    title: "Error"
    icon: StandardIcon.Critical
}

Now let’s wire it up. Add the following inside the “Script” object:

onError: {
    errorDialog.text = message;
    errorDialog.open();
}

That’s it. Go ahead and kill a process whilst debugging it to try it out.

That concludes the fourth minute of our five-minute tutorial.


Ole André Vadla Ravnås

Co-Founder @soundrop, reverse-engineer, author of Frida, oSpy, libmimic and JBLinux.