Forem: Scott

How to Install Drozer using Docker

Scott — Mon, 06 May 2024 00:35:11 +0000

Drozer is a security testing framework for Android, which allows you to easily scan for vulnerabilities in Android components. Typically, this involves scanning activities, content providers, broadcast receivers, and services. In this article, you will learn how to install Drozer and connect it to a local Android emulator.

There are two components available for Drozer. The first component is the Drozer agent. This component is installed on your Android device. The Drozer agent acts as a server, running on port 31415. The Drozer client runs on any computer and it is designed to send requests to the Drozer agent. With these two components together, you can scan you Android applications for vulnerabilities. Let's get started with installing the Drozer agent!

Installing the Drozer Agent

To connect to a device, Drozer uses an agent application. This application is available on the Drozer repository. To install the agent on your device, first, download the agent APK. Once you have downloaded the apk, use adb to install the app using the following command:

adb install drozer-agent.apk

After this command completes, locate the drozer agent application on your device. Tap the app to open it. The main app screen will provide you with the ability to start the Drozer embedded server. Tap the button labelled Off to activate the server.

The Drozer server runs on port 31415 of your device. To allow this port to be reachable, you need to forward the port using the following adb command:

adb forward tcp:31415 tcp:31415

Your drozer agent is now ready to accept connections from the drozer client!

Installing the Drozer client

Drozer provides you with a variety of methods for installing the Drozer client. For this tutorial, we will use the Docker version of Drozer. To start, ensure that your have Docker installed on your computer.

You can install and run Drozer through Docker using a single command:

docker run -it --add-host host.docker.internal:host-gateway withsecurelabs/drozer console connect --server host.docker.internal

This command creates a connection between the Docker image and your local computer. With the connection created, it downloads the withsecurelabs/drozer image and runs the console connect command to connect to your local emulator. Once this is complete you will receive a shell that is connected to the Drozer agent! You are now up and running with Drozer.

Learn More About Android Penetration Testing with OliveStem

Want to learn more about Drozer and Android penetration testing? Check out our Android penetration testing course!

Understanding Heap Memory Allocation in C - Malloc and Free

Scott — Sun, 27 Aug 2023 22:24:28 +0000

Malloc and Free are the most common functions used for heap memory management. These functions provide the following advantages over sbrk and brk:

They are standardized as part of the C language.
They are easier to use with threaded programs.
They provide a simple interface for memory to be allocated, especially in smaller units.
Allow the arbitrary deallocation of blocks of memory.

Malloc takes in a size as an argument and returns a pointer to the newly allocated block of memory that is of the size specified in the argument. The allocated memory is not initialized.

The free function takes in a pointer to a block of allocated memory. The function will then add the block of memory to a list of free blocks, which are recycled by future malloc calls.

When malloc is called, it will generally complete the following steps:

Check if there is a block of memory in the list of free blocks large enough to allocate for the memory request.
If no free blocks are available, allocate a new block of memory to use.

Based on this process, it is important to note that when malloc is called, it does not always increase the program break. This is because in some cases, the memory may be available in the list of free blocks, meaning no new memory needs to be allocated to the heap.

With this basic understanding of malloc, let's look at a simple example of a malloc in C.

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

struct s{
    int value;
};

int main(int argc, char *argv[]){

    struct s *newS = malloc(sizeof(struct s));
    newS->value = 10;

    printf("%d\n", newS->value);
    free(newS);

    return 0;
}

In this example, we have a struct named s which contains a single property, value. To be able to use this struct, we need to allocate some memory for it. To do this, we use a malloc as shown in the first line of the main function. The argument for our malloc call is sizeof(struct s). This operation determines how much memory is required to contain our struct s, allocates a memory block of this size, and returns a pointer of the block to the variable newS.

With newS initialized, we can start to work with its property value. To access the property, we use the pointer notation newS->value. The line after the allocation shows how to set the value, and the print shows how to access the value.

At the end of the program, we no longer need the memory assocaited with newS. We make a call to the free function, providing newS as an argument. This will add the memory associated with newS to the free list, allowing it be used for future malloc calls.

It’s important to note that when the process terminates, all of its memory is returned to the system, so free isn’t actually required for this simple program. Free is generally used in more complex programs to make the program more readable and to help with efficient memory management.

You now know the basics of working with malloc and free!

Printing in the BIOS with x86 NASM

Scott — Sun, 27 Aug 2023 20:11:39 +0000

In my last article, I showed how you could create a simple bootloader. In this article, we will extend the bootloader to allow it to print a message in the BIOS. To check out the previous article, Click here!

BIOS allows for simple inputs and outputs, as the name suggests. Using BIOS interrupts, we can output a simple message to the screen to confirm that our code is working. To start, we are going to initialize our registers and stack memory to use in our program. We do this by adding some code to the main label.

We start by moving 0 into ax. We do this because we can’t move immediate data into registers like ds, so the only way to get 0 into them is to put 0 in another register first. Next, we set to the DS, ES, and SS registers to 0. The DS register sets the start address of the data segment, the ES register sets the start point of the extra segment, and the SS register sets the start address of the stack. After initializing these registers, we move 0x7C00 into the stack pointer so it is able to grow below the operating system.

With these registers initialized, we can now start the process of printing data to the screen. To start, here is the full code to print a message from the bootloader:

Let’s discuss each of the added lines of code in detail. At the bottom of our code, we defined the text we want to print to the screen. The variable that contains the text is called os_boot_message. It contains the message Our OS has booted! After the message, we add 0x0D and 0x0A, which are the characters for a new line. Finally, we add a 0, which is used to find the end of the string when we print it. In the main label, we load the os_boot_message variable into the si register. The si register is known as the source index register, and it is generally used for string operations. With the string loaded, we then call the print function.

The print function starts by pushing si, ax, and bx onto the stack to preserve their values. Next, we enter the print_loop label. This loop will first load a byte from the si register using the LODSB instruction. The next OR instruction checks if the value loaded was a 0, indicating the end of the string. The JZ instruction will jump to the done_print label if the value loaded was a 0. If the value was not zero, the value 0x0E is loaded into the ah register. This value tells the BIOS we are trying to print to the screen. Next, 0 is moved into BH. The BH register tells the BIOS the page number. This is generally set to 0 except for cases where you need to do double-buffering to draw to an off-screen page. Finally, we send an interrupt to the BIOS using INT 0x10, which tells the BIOS we want to write a character to the screen.

This print loop continues until a 0 character is reached, at which point ax, si, and bx are popped from the stack and the function returns to the caller.

With this complete, you can now build and run your operating system once again. Use make to build the image, then use qemu-system-i386 -fda build/main.img to load it. The result will be something similar to below.

Congratulations! You have create a basic bootloader than can print data onto the screen. With this you are well on your way to creating a functional operating system with x86!

Building a Simple Bootloader in NASM x86

Scott — Sun, 27 Aug 2023 00:20:47 +0000

A bootloader is a program that is responsible for booting a computer. In this tutorial, we will start the process of creating a simple bootloader that halts as soon as the file boots. This tutorial will use x86 assembly with legacy booting Let’s start by creating a file named main.asm, which will contain all our bootloader code. To start creating the bootloader, you will first need to understand a bit about how a computer boots from a drive.

Basics of Legacy Booting

When a computer first boots, it enters the BIOS (basic input output system). The BIOS provides many different utilities and tools that allow operating systems to perform hardware initialization during startup. In legacy booting, the BIOS will search for the operating system on the disk to start the booting process. The BIOS will load the first sector of each bootable device into memory at location 0x7C00. When the BIOS loads the sector, it checks for a special signature, 0xAA55. If this signature if found, the BIOS will start executing code.

To get our program to start running in BIOS, we need to place the signature 0xAA55 at the location 0x7C00. To do this, we use the following code:

The first line, ORG 0x7C00 tells the assembler to start calculating all memory offsets at 0x7C00. We do this because the memory location BIOS uses is 0x7C00. The next line, BITS 16, tells the assembler to output 16-bit instructions from the code. We use 16 bits because the processor will always start thinking it is in 16-bit mode. We can later move our code to 32-bit or 64-bit if required.

The main label of our program has a single instruction inside, hlt. This instruction will cause the CPU to halt, preventing it from executing any further instructions. The halt instruction lasts until the next external interrupt occurs, so we need to ensure that the system remains halted if this does occur. To keep the system halted, we create a label named .halt, which contains a single instruction that jumps back to the label. This will create an infinite loop, preventing the program from progressing further or ending.

The last two lines are where we add the 0AA55 signature for the BIOS. The disk we are using for our boot image has a block size of 512. We want to place the signature in the last two bytes of the disk. The code $-$$ gives us the size of our program so far in bytes. If we take 510-($-$$), we get the number of bytes left until we reach byte 510. We then use the times instruction to place a value of 0 into each byte before 510. After doing this, we will be at byte 510, ready to write the signature. To write the signature, we use DW (which defines data that is 2 bytes of size), providing a value of 00AA55h, which is the required signature.

With this, we are now ready to create a disk image with our simple operating system bootloader!

Building the Disk Image

To build the disk image, create a makefile in your directory. I have placed my main.asm file in a folder called src. I have also created another folder named build to contain all our build data. Inside the makefile, put the following code:

This makefile starts by defining a few constants. The constant ASM contains our assembler, NASM. The SRC_DIR constant contains the folder of our source code, src. The BUILD_DIR constant contains the folder to place our build data, build. The first rule in the makefile moves the main.bin file resulting from assembling main.asm into an img file. It then pads the file to make it 1.44MB, which is the minimum size required for this to be considered a valid disk. The second rule runs NASM against the main.asm file to create the main.bin file for the disk.

With the makefile defined, run make to test a build. You should now have a file named main.img in the build directory. To try booting off the disk, simply provide it to any emulator. For example, qemu can boot this disk using the command: qemu-system-i386 -fda build/main.img. When you do this, you will see a result like below.

Congratulations! You have created a simple bootloader for an operating system. With this solid foundations, you can start to develop more functionality for the system.

Understanding Heap Memory Allocation in C - sbrk and brk

Scott — Mon, 21 Aug 2023 22:01:35 +0000

In this tutorial, we will explore process memory to better understand how memory is allocated on the heap in C. To start, let's take a look at the general memory structure of a process.

Stack Memory

When a function is called, the stack memory grows to accommodate the stack frame of the function. When the function returns, the stack memory shrinks in size as it pops off the stack frame of the function. The stack memory starts at the high end of memory and grows downwards, towards the heap.

A special purpose register in your processor called a stack pointer tracks the current top of the stack. Each stack frame on the stack contains function arguments, local variables, and call linkage information such as return addresses for the function. Since functions can be called inside functions, we can often see multiple frames on a stack.

In C, we typically don’t need to worry about stack memory in too much detail. Knowing about how function frames work provides important context, but we don’t usually directly interact with the stack. When we allocate memory in C, we are interacting with the heap, which we will look at next.

Heap Memory

The heap is a dynamic area of memory that grows towards the stack. When you allocate memory in a program, that memory is allocated on the heap. To allocate memory, we usually use malloc, which is based on another set of functions, brk() and sbrk(). These functions work by resizing the program break, which is the memory location that represents the end of heap memory and the start of unallocated memory.

brk and sbrk

Resizing the heap of a process is a simple task. We just need to tell the kernel to adjust the location of the program break (which is defined as the current top of the heap). Since the memory that lies passed the program break is unallocated memory, we can move the break into the unallocated memory to allocate some new memory for our process. There are two functions associated with this process:

brk(void *end_data_segment): Sets the program break to the location specified by end_data_segment.
sbrk(intptr_t increment): Increments the size of the program break by increment.

To see how these functions work, let’s look at a simple example.

#include <unistd.h>
#include <stdio.h>

int main(int argc, char *argv[]){

    int *currentBreak = sbrk(0);
    printf("%p\n",currentBreak);

}

In this example, provide an increment of 0 to sbrk. When an increment of 0 is provided to sbrk, the current break address is returned.

If you provide a value other than 0 to sbrk, you get the previous break address, meaning the address before the break was changed. We can see this effect using a few increments in a row.

#include <unistd.h>
#include <stdio.h>

int main(int argc, char *argv[]){

    void *currentBreak = sbrk(0x5);
    printf("First increment of 0x5: %p\n",currentBreak);

    currentBreak = sbrk(0x5);
    printf("Second increment of 0x5: %p\n",currentBreak);

    currentBreak = sbrk(0x5);
    printf("Third increment of 0x5: %p\n",currentBreak);

    currentBreak = sbrk(0x5);
    printf("Fourth increment of 0x5: %p\n",currentBreak);

    currentBreak = sbrk(0x5);
    printf("Fifth increment of 0x5: %p\n",currentBreak);

}

When you run this set of increments, you will get a result similar to the following figure.

Notice that the break between the first and second increment is larger than the 0x5 we specified. This is because printf allocates memory to use as a buffer for stdout. When this happens initially, we see a large change in the heap break. The third, fourth, and fifth increment move consistently by the increment, 0x5, because no additional data is allocated on the heap between them.

In most cases, we don’t use sbrk and brk directly to adjust the heap in C. Instead, we use a more user-friendly version of this process known as malloc and free. In the next article, we will explore these functions in more detail!