Nick Anderson muffins
@mike-myers-tob
mike-myers-tob / Working GDB on macOS 11.md
Last active June 13, 2024 15:27
Steps to get GDB actually working in April 2021 on macOS (Intel x86-64 only)

Debug with GDB on macOS 11

The big reason to do this is that LLDB has no equivalent of GDB's "follow-fork-mode child". In other words, a multi-process target that has no single-process mode (or a bug that only manifests in multi-process mode) is going to be difficult or impossible to debug, especially if you have to run the target over and over to make the bug manifest. If you have a repeatable bug, no big deal: break on the fork in the parent process and attach to the child from a second lldb instance. Otherwise, read on.

Install GDB

Don't make the mistake of thinking you can just brew install gdb. Currently this is version 10.2 and it's mostly broken, with at least two annoying bugs as of April 29th 2021; the big one is https://sourceware.org/bugzilla/show_bug.cgi?id=24069

$ xcode-select --install  # install the Xcode command-line tools
@directionless
directionless / README.md
Last active May 19, 2022 07:47
osquery manual release notes
@icecr4ck
icecr4ck / idapython_cheatsheet.md
Last active September 4, 2024 16:25
Cheatsheet for IDAPython
@stecman
stecman / dump-pyc-with-gdb.md
Last active July 1, 2024 16:56
Dumping all bytecode from a packaged Python application

This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).

This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.

Theory

In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as a ready-to-execute Python code object at this function:

PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);
/*
* fmtid + 24 == number of property identifiers and offsets
* fmtid + 28 == start of property identifier and offsets (4 bytes each)
*/
rule test {
strings:
//$fmtid = { 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae }
$fmtid = { e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 }
$redacted_author = "REDACTED AUTHOR"
condition:
@kukfa
kukfa / hexjump.py
Created August 14, 2017 07:44
IDA plugin to easily follow DWORD addresses within hex dump
import idaapi
import idc
class HexJumpHandler(idaapi.action_handler_t):
def activate(self, ctx):
selection = idaapi.read_selection()
valid_selection = selection[0]
if (valid_selection):
addr = idc.DbgDword(selection[1])
@jessesquires
jessesquires / gitsl.sh
Last active August 9, 2024 13:43
git "smartlog" / "pretty log"
# blog post
#
# https://www.jessesquires.com/blog/customizing-git-log/
git log --graph --pretty=format:'commit: %C(bold red)%h%Creset %C(red)<%H>%Creset %C(bold magenta)%d %Creset%ndate: %C(bold yellow)%cd %Creset%C(yellow)%cr%Creset%nauthor: %C(bold blue)%an%Creset %C(blue)<%ae>%Creset%n%C(cyan)%s%n%Creset'
@techbliss
techbliss / gist:d6c0002325da01470d3321cc8c218b81
Created November 26, 2016 18:43
Solarized dark background
[Colors]
AbstractTableViewBackgroundColor=#002B36
AbstractTableViewHeaderTextColor=#657B83
AbstractTableViewSelectionColor=#073642
AbstractTableViewSeparatorColor=#808080
AbstractTableViewTextColor=#657B83
DisassemblyAddressBackgroundColor=#002B36
DisassemblyAddressColor=#657B83
DisassemblyAutoCommentBackgroundColor=#XXXXXX
DisassemblyAutoCommentColor=#85833A
@HarmJ0y
HarmJ0y / RC4.ps1
Last active August 30, 2022 15:03
PowerShell RC4 Implementation
function ConvertTo-Rc4ByteStream {
<#
.SYNOPSIS
Converts an input byte array to a RC4 cipher stream using the specified key.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@mattifestation
mattifestation / autodump_powershell_process.ps1
Last active September 16, 2019 04:58
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
$EventFilterArgs = @{
EventNamespace = 'root/cimv2'
Name = 'PowerShellProcessStarted'
Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"'
QueryLanguage = 'WQL'
}
$Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs
$CommandLineConsumerArgs = @{