The EMUX IoT Firmware Emulation Framework currently provides near native userland emulation for ARM and MIPS IoT devices. EMUX is actively used Saumil's popular ARM IoT Exploit Laboratory training for over 5 years.
The Debugging with EMUX workshop shall be in two parts:
Part 1 (30 minutes) - Setting up EMUX in 7 minutes - A tour of EMUX internals - EMUX utilities - Tracing userland processes within EMUX
Part 2 (90 minutes) - Debugging an ARM IoT target in EMUX - Debugging a MIPS IoT Target in EMUX - Crash dump analysis
4. @therealsaumil
@_ringzer0
What Is This Workshop About
An Introduction to debugging binaries on emulated targets
Using GDB + gdbserver for remote debugging
Hands-on examples
How EMUX makes the debugging process easy
7. @therealsaumil
@_ringzer0
Functions of a Debugger
Inspect the target
Inspect the CPU state
Examine Memory
Control Process Execution
Analyse Crashes and Exceptions
Luxuries: Plugins, Macros, Logging
8. @therealsaumil
@_ringzer0
Remote Debugging - how it works
GDB multiarch
nweb
(target binary)
192.168.100.1
gdbserver :5000
--attach <PID>
(gdb) target remote 192.168.100.2:5000
(gdb) set sysroot target:/path/to/rootfs
(gdb) continue
REMOTE HOST
192.168.100.2
9. @therealsaumil
@_ringzer0
Remote Debugging - emuxgdb
emux-docker-shell
nweb
(target binary)
REMOTE HOST
192.168.100.1
gdbserver
$ emuxgdb nweb
(gdb)
" Automatically looks up the PID of the target
" Launches gdbserver on the remote host
" Launches gdb-multiarch locally
" Connects to remote gdbserver
" Sets sysroot
" Ready to debug!
192.168.100.2
11. @therealsaumil
@_ringzer0
A few GDB/GEF commands
RECONNAISSANCE
vmmap [GEF] Display the process' memory layout
info target Information about the target being debugged (ELF binary)
info sharedlibrary Shared Libraries that are loaded with the binary
info functions List of functions that belong to the target binary
PROCESS EXECUTION
break Set a breakpoint
continue Resume process execution
rbreak Set multiple breakpoints using regular expressions
stepi / nexti Step Into / Next Instruction
CPU AND MEMORY
context [GEF] Better view of registers, stack, code, call stack, etc.
x Examine memory (many variations)
hexdump [GEF] When you want characters and bytes side by side
backtrace Display the call stack
info frame Inspect stack frames
disassemble Disassemble code
printf Formatted printing
LUXURIES
set logging Enable / Disable logging and redirect log output to a file
commands Execute multiple commands in sequence every time a breakpoint is reached
12. @therealsaumil
@_ringzer0
EMUX utilities
emuxps List processes running in the emulated device
emuxkill Terminate a process inside the emulated device
emuxmaps Remote process virtual memory layout
emuxgdb Attach gdb to a remote process in the emulated device
emuxnetstat Remote netstat
emuxhalt Shut down the emulated device
monitor Attach to QEMU monitor
21. @therealsaumil
@_ringzer0
HERE BE THE GOODS
CODE: https://github.com/therealsaumil/emux
!-
ANNOUNCEMENTS: @therealsaumil
DOCS: https://emux.exploitlab.net/