@Ayrx
Last active March 26, 2019 03:27
Frida Stalker Crash
/* foo.c: the target process. It does nothing but print and sleep forever,
 * so any crash after attaching comes from the instrumentation, not the target. */
#include <stdio.h>
#include <unistd.h>

int main(void) {
    while (1) {
        printf("hello\n");
        sleep(1);
    }
}
Creating block for 0x7fe8d11409d0:
0x7fe8d11409d0 cmp rax, -0x1000
; 0x7fe8d11409d0 48 3d 00 f0 ff ff
0x7fe8c81c4498 cmp rax, -0x1000
; 0x7fe8c81c4498 48 3d 00 f0 ff ff
0x7fe8d11409d6 ja 0x7fe8d1140a02
; 0x7fe8d11409d6 77 2a
0x7fe8c81c449e jbe 0x7fe8c81c449e
0x7fe8c81c44a4 lea rsp, [rsp - 0x80]
0x7fe8c81c44ac call 0x7fe8c81c4000
0x7fe8c81c44b1 push rax
0x7fe8c81c44b2 movabs rax, 0x7fe8d1140a02
0x7fe8c81c44bc xchg qword ptr [rsp], rax
0x7fe8c81c44c0 pop rsi
0x7fe8c81c44c1 movabs rdi, 0x7fe8c81c3000
0x7fe8c81c44cb sub rsp, 0x40
0x7fe8c81c44cf movabs rax, 0x7fe8cabd3edf
0x7fe8c81c44d9 call rax
0x7fe8c81c44db add rsp, 0x40
0x7fe8c81c44df mov rax, qword ptr [rip - 0x13b6]
0x7fe8c81c44e6 movabs rdx, 0
0x7fe8c81c44f0 movabs rsi, 0x7fe8c81c44a4
0x7fe8c81c44fa mov rdi, rax
0x7fe8c81c44fd call 0x7fe8cabd2d95
0x7fe8c81c4502 call 0x7fe8c81c40d5
0x7fe8c81c4507 mov rsp, qword ptr [rip - 0x13ae]
0x7fe8c81c450e jmp qword ptr [rip - 0x13c4]
0x7fe8c81c4514 lea rsp, [rsp - 0x80]
0x7fe8c81c451c call 0x7fe8c81c4000
0x7fe8c81c4521 push rax
0x7fe8c81c4522 movabs rax, 0x7fe8d11409d8
0x7fe8c81c452c xchg qword ptr [rsp], rax
0x7fe8c81c4530 pop rsi
0x7fe8c81c4531 movabs rdi, 0x7fe8c81c3000
0x7fe8c81c453b sub rsp, 0x40
0x7fe8c81c453f movabs rax, 0x7fe8cabd3edf
0x7fe8c81c4549 call rax
0x7fe8c81c454b add rsp, 0x40
0x7fe8c81c454f mov rax, qword ptr [rip - 0x1426]
0x7fe8c81c4556 movabs rdx, 0
0x7fe8c81c4560 movabs rsi, 0x7fe8c81c4514
0x7fe8c81c456a mov rdi, rax
0x7fe8c81c456d call 0x7fe8cabd2d95
0x7fe8c81c4572 call 0x7fe8c81c40d5
0x7fe8c81c4577 mov rsp, qword ptr [rip - 0x141e]
0x7fe8c81c457e jmp qword ptr [rip - 0x1434]
; 0x7fe8c81c449e 0f 86 fa ff ff ff 48 8d a4 24 80 ff ff ff e8 4f
; 0x7fe8c81c44ae fb ff ff 50 48 b8 02 0a 14 d1 e8 7f 00 00 48 87
; 0x7fe8c81c44be 04 24 5e 48 bf 00 30 1c c8 e8 7f 00 00 48 83 ec
; 0x7fe8c81c44ce 40 48 b8 df 3e bd ca e8 7f 00 00 ff d0 48 83 c4
; 0x7fe8c81c44de 40 48 8b 05 4a ec ff ff 48 ba 00 00 00 00 00 00
; 0x7fe8c81c44ee 00 00 48 be a4 44 1c c8 e8 7f 00 00 48 89 c7 e8
; 0x7fe8c81c44fe 93 e8 a0 02 e8 ce fb ff ff 48 8b 25 52 ec ff ff
; 0x7fe8c81c450e ff 25 3c ec ff ff 48 8d a4 24 80 ff ff ff e8 df
; 0x7fe8c81c451e fa ff ff 50 48 b8 d8 09 14 d1 e8 7f 00 00 48 87
; 0x7fe8c81c452e 04 24 5e 48 bf 00 30 1c c8 e8 7f 00 00 48 83 ec
; 0x7fe8c81c453e 40 48 b8 df 3e bd ca e8 7f 00 00 ff d0 48 83 c4
; 0x7fe8c81c454e 40 48 8b 05 da eb ff ff 48 ba 00 00 00 00 00 00
; 0x7fe8c81c455e 00 00 48 be 14 45 1c c8 e8 7f 00 00 48 89 c7 e8
; 0x7fe8c81c456e 23 e8 a0 02 e8 5e fb ff ff 48 8b 25 e2 eb ff ff
; 0x7fe8c81c457e ff 25 cc eb ff ff
Segmentation fault (core dumped)
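The compile dump above pairs each original instruction of the block at 0x7fe8d11409d0 with the code Stalker emitted for it. The one detail worth pulling out by eye is at 0x7fe8c81c449e: the inverted branch `jbe` that replaces the original `ja` has itself as its target. The script below is an added example, not part of the gist or of Frida; it parses a (trimmed) copy of the dump, flags any branch whose target is its own address, and checks that the original block's two possible successors (the `ja` target and its fall-through) reappear as `movabs` immediates in the translated code, which they do here. The rule that "original" instructions are the ones within a page of the block start is an assumption made for this log's layout.

```python
import re
from dataclasses import dataclass

# Constructed input: the Stalker compile dump from the crash log above, trimmed to
# the header, the original instructions with their byte lines, and the translated
# instructions the checks need. Lines that match none of the patterns are ignored.
STALKER_LOG = """\
Creating block for 0x7fe8d11409d0:
0x7fe8d11409d0 cmp rax, -0x1000
; 0x7fe8d11409d0 48 3d 00 f0 ff ff
0x7fe8c81c4498 cmp rax, -0x1000
0x7fe8d11409d6 ja 0x7fe8d1140a02
; 0x7fe8d11409d6 77 2a
0x7fe8c81c449e jbe 0x7fe8c81c449e
0x7fe8c81c44a4 lea rsp, [rsp - 0x80]
0x7fe8c81c44ac call 0x7fe8c81c4000
0x7fe8c81c44b1 push rax
0x7fe8c81c44b2 movabs rax, 0x7fe8d1140a02
0x7fe8c81c44e6 movabs rdx, 0
0x7fe8c81c44f0 movabs rsi, 0x7fe8c81c44a4
0x7fe8c81c450e jmp qword ptr [rip - 0x13c4]
0x7fe8c81c4522 movabs rax, 0x7fe8d11409d8
0x7fe8c81c4560 movabs rsi, 0x7fe8c81c4514
"""

HEADER_RE = re.compile(r"^Creating block for (0x[0-9a-f]+):$")
INSN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)(?:\s+(.*))?$")
BYTES_RE = re.compile(r"^;\s*(0x[0-9a-f]+)\s+((?:[0-9a-f]{2}\s*)+)$")


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str
    size: int = 0  # filled from the "; addr bytes" line for original instructions


def is_original(addr, block_start):
    # Assumption: the original block lies within one page of its start address;
    # Stalker's translated code lives in a separate mapping.
    return block_start is not None and 0 <= addr - block_start < 0x1000


def parse_stalker_log(text):
    block_start, insns, by_addr = None, [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            block_start = int(m.group(1), 16)
        elif m := INSN_RE.match(line):
            insn = Insn(int(m.group(1), 16), m.group(2), m.group(3) or "")
            insns.append(insn)
            by_addr[insn.addr] = insn
        elif m := BYTES_RE.match(line):
            addr = int(m.group(1), 16)
            # Only the original block has one byte line per instruction; the
            # translated block's dump is 16 bytes per line, so it is not used.
            if is_original(addr, block_start) and addr in by_addr:
                by_addr[addr].size = len(m.group(2).split())
    return block_start, insns


def direct_target(insn):
    try:
        return int(insn.operands, 16)
    except ValueError:  # register or memory operand, not a direct target
        return None


def self_targeting_branches(insns):
    """Branches or calls whose direct target is their own address."""
    return [i for i in insns
            if (i.mnemonic.startswith("j") or i.mnemonic == "call")
            and direct_target(i) == i.addr]


def expected_successors(insns, block_start):
    """Taken target and fall-through of each original conditional branch."""
    succ = set()
    for i in insns:
        if is_original(i.addr, block_start) and i.mnemonic.startswith("j") and i.mnemonic != "jmp":
            target = direct_target(i)
            if target is not None:
                succ.add(target)
            if i.size:
                succ.add(i.addr + i.size)
    return succ


def translated_immediates(insns, block_start):
    """Immediates loaded by movabs in the translated code (continuation addresses)."""
    imms = set()
    for i in insns:
        if not is_original(i.addr, block_start) and i.mnemonic == "movabs":
            _, _, imm = i.operands.partition(",")
            try:
                imms.add(int(imm.strip(), 16))
            except ValueError:
                pass
    return imms


def audit(text):
    block_start, insns = parse_stalker_log(text)
    findings = [f"self-targeting branch at {b.addr:#x}: {b.mnemonic} {b.operands}"
                for b in self_targeting_branches(insns)]
    missing = expected_successors(insns, block_start) - translated_immediates(insns, block_start)
    findings += [f"original successor {a:#x} never appears as a movabs immediate" for a in sorted(missing)]
    return findings


if __name__ == "__main__":
    for finding in audit(STALKER_LOG):
        print(finding)
```

Run on the dump above it reports exactly one finding, the `jbe` at 0x7fe8c81c449e whose target is 0x7fe8c81c449e, while both successors of the original `ja` (0x7fe8d1140a02 and 0x7fe8d11409d8) are present as `movabs` immediates. The same parser can be pointed at any `events: { compile: true }` dump to spot branches that were not relocated sensibly before digging into the emitted code by hand.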
// inject.js: follow every thread in the target with Stalker, asking only for
// compile events, and log when an event batch arrives.
Process.enumerateThreads({
    onMatch: function (thread) {
        Stalker.follow(thread.id, {
            events: {
                compile: true
            },
            onReceive: function (events) {
                console.log("a");
            }
        });
    },
    onComplete: function () { console.log("Done"); }
});
Ayrx commented Feb 3, 2019

Compile foo.c with:

$ gcc -o foo foo.c

Inject with frida after running foo:

frida -n foo -l inject.js

Ayrx commented Mar 25, 2019

Other related issues:

frida/frida#639
frida/frida#672
