SlideShare a Scribd company logo

BSides Rochester 2018: Dave Kukfa: BinDbg: Easy Windows Debugging for Binary Ninja

J
JosephTesta9

BinDbg is a Binary Ninja plugin that allows users to debug Windows binaries by syncing a running Windows debugger (WinDbg) with the Binary Ninja disassembler. This provides dynamic analysis capabilities within Binary Ninja like highlighting branch decisions on the disassembly graph and resolving virtual function calls. The plugin launches and controls debugging sessions directly in Binary Ninja. It addresses a lack of good Windows support in existing debugger integrations for Binary Ninja. Developing the plugin involved challenges like wrestling with the Python debugger interface and determining object types from virtual tables.

Technology
1 of 11
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
BinDbg: Easy Windows Debugging for Binary Ninja Dave Kukfa https://kukfa.co @kukfa_
whoami ● Dave Kukfa ● Corporate security engineer by day ● Hobbyist reverse engineer by night ● RIT CSEC Graduate ● SF Bay Area ● Blog: https://kukfa.co ● Twitter: @kukfa_ Disclaimer: This talk and all materials are being released on my own behalf, not on behalf of my employer
Binary analysis tools ● Gold standard: IDA Pro ○ $$$ ○ Typically only justifiable by professionals ● Several recent challengers: ○ Radare ○ Hopper ○ Binary Ninja ● Binary Ninja is a powerful static analysis tool ○ Looking at the program’s disassembly without executing it ● I missed the dynamic (debugger) integrations that IDA had ○ So I set out to recreate it in Binja! Source: https://binary.ninja/ Source: https://www.hex-rays.com/products/ida/
BinDbg ● Binary Ninja plugin that syncs a running debugger (WinDbg) to Binary Ninja ○ Combining static and dynamic analyses ○ Use the debugger’s information to supplement Binary Ninja’s analysis ○ Control the debugger within Binary Ninja ● This has been done before ○ snare’s Binjatron: https://github.com/snare/binjatron ○ Eric Hennenfent’s Binja Dynamics: https://github.com/ehennenfent/binja_dynamics ● Windows support on existing solutions is lacking ○ Because I primarily reverse PEs, I wanted to create an easy-to-use Windows solution
Primary features (1/4) ● Launch and control debugging sessions directly from Binary Ninja ● Syncs Binja disassembly graph with WinDbg instruction pointer
Primary features (2/4) ● Set breakpoints and move instruction pointer directly on Binja’s disassembly graph
Primary features (3/4) ● Highlight branch decisions on disassembly graph (see where jumps are going)
Primary features (4/4) ● Resolve vtable calls and vtable references (determine object types)
Demo
Lessons learned ● Lots of time spent wrestling with pykd ○ Just catch its exceptions and keep going ¯_(ツ)_/¯ ● Determining object type using vtables is not 100% reliable ○ In the case of multiple inheritance, can’t just observe the first vtable and call it a day ● Windows is weird ○ Named pipes implementation ○ API and COM interfaces ● In hindsight, would have been easier to improve Windows support on existing tools
Questions? https://github.com/kukfa/bindbg

More Related Content

PDF
Nimble - iOS dependency management
Nimble
 
PPTX
.NET compiler platform codename Roslyn
Piotr Benetkiewicz
 
PDF
Android Development Lightning Talk by Lope Emano (Campus DevCon at STI Southw...
DEVCON
 
PDF
Build a real app with react native
John Pham
 
ODP
What's unique to Qt
Yikei Lu
 
PDF
Phonegap - Girl Geek Sydney
Georgi Knox
 
PDF
HackConf2015 - Ruby on Rails: Unexpected journey
Dimitar Danailov
 
PDF
Programming for non tech entrepreneurs
Rodrigo Gil
 
Nimble - iOS dependency management
Nimble
 
.NET compiler platform codename Roslyn
Piotr Benetkiewicz
 
Android Development Lightning Talk by Lope Emano (Campus DevCon at STI Southw...
DEVCON
 
Build a real app with react native
John Pham
 
What's unique to Qt
Yikei Lu
 
Phonegap - Girl Geek Sydney
Georgi Knox
 
HackConf2015 - Ruby on Rails: Unexpected journey
Dimitar Danailov
 
Programming for non tech entrepreneurs
Rodrigo Gil
 

Similar to BSides Rochester 2018: Dave Kukfa: BinDbg: Easy Windows Debugging for Binary Ninja (20)

PDF
The state of Jenkins pipelines or do I still need freestyle jobs
Andrey Devyatkin
 
PDF
ENIB 2015 2016 - CAI Web S02E03- Forge JS 1/4 - La forge JavaScript
Horacio Gonzalez
 
PDF
ENIB 2015-2016 - CAI Web - S01E01- La forge JavaScript
Horacio Gonzalez
 
PDF
Drupal and contribution (2010 - 2011 / 2)
Peter Arato
 
PDF
Headless Android
Opersys inc.
 
PPTX
Building lightning apps by Daniel Peter
Sudipta Deb ☁
 
PDF
VN Tech Seminor Vol.2 Docker Tutorial
Shuhei Yamashita
 
PDF
Continuous Delivery: 5 years later (Incontro DevOps 2018)
Giovanni Toraldo
 
PDF
Xamarin.android memory management gotchas
Alec Tucker
 
ODP
Advanced Video Production with FOSS
Kirk Kimmel
 
PDF
Devoxx : being productive with JHipster
Julien Dubois
 
PDF
Learning to Mod Minecraft: A Father/Daughter Retrospective
Kevin Hakanson
 
PDF
Bdd agile requirements
Agile Vietnam
 
PDF
Drools & jBPM Workshop London 2013
Mauricio (Salaboy) Salatino
 
PDF
Influx/Days 2017 San Francisco | Dan Vanderkam
InfluxData
 
PDF
Headless Android at AnDevCon3
Opersys inc.
 
PDF
Montreal.rb ruby debugging basics - march 20th 2012
Rafael Rosa
 
PDF
How is Java / JVM built ? Back then and now...
Mani Sarkar
 
PDF
UX Sprint Demo Process
Rachel Maple
 
PDF
Releaseflow: a healthy build and deploy process
Christopher Cundill
 
The state of Jenkins pipelines or do I still need freestyle jobs
Andrey Devyatkin
 
ENIB 2015 2016 - CAI Web S02E03- Forge JS 1/4 - La forge JavaScript
Horacio Gonzalez
 
ENIB 2015-2016 - CAI Web - S01E01- La forge JavaScript
Horacio Gonzalez
 
Drupal and contribution (2010 - 2011 / 2)
Peter Arato
 
Headless Android
Opersys inc.
 
Building lightning apps by Daniel Peter
Sudipta Deb ☁
 
VN Tech Seminor Vol.2 Docker Tutorial
Shuhei Yamashita
 
Continuous Delivery: 5 years later (Incontro DevOps 2018)
Giovanni Toraldo
 
Xamarin.android memory management gotchas
Alec Tucker
 
Advanced Video Production with FOSS
Kirk Kimmel
 
Devoxx : being productive with JHipster
Julien Dubois
 
Learning to Mod Minecraft: A Father/Daughter Retrospective
Kevin Hakanson
 
Bdd agile requirements
Agile Vietnam
 
Drools & jBPM Workshop London 2013
Mauricio (Salaboy) Salatino
 
Influx/Days 2017 San Francisco | Dan Vanderkam
InfluxData
 
Headless Android at AnDevCon3
Opersys inc.
 
Montreal.rb ruby debugging basics - march 20th 2012
Rafael Rosa
 
How is Java / JVM built ? Back then and now...
Mani Sarkar
 
UX Sprint Demo Process
Rachel Maple
 
Releaseflow: a healthy build and deploy process
Christopher Cundill
 
Ad

More from JosephTesta9 (12)

PDF
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
PDF
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
JosephTesta9
 
PPTX
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
JosephTesta9
 
PDF
BSides Rochester 2018: Timothy Duffy: Civic and Humanitarian Open Source
JosephTesta9
 
PPTX
BSides Rochester 2018: Michael West: Sentry, Or: How I Learned To Stop Worryi...
JosephTesta9
 
PPTX
BSides Rochester 2018: Lee Kagan: Red and Blue Ping Pong
JosephTesta9
 
PPTX
BSides Rochester 2018: Jonathan Myers: IoT Malware Detection with Machine Lea...
JosephTesta9
 
PDF
BSides Rochester 2018: Issa Hafiri & Christian Halbert: IOT Devices (And Why ...
JosephTesta9
 
PDF
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
JosephTesta9
 
PPTX
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
JosephTesta9
 
ODP
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
JosephTesta9
 
PPTX
BSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
JosephTesta9
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
JosephTesta9
 
BSides Rochester 2018: Justin Moore: Automated HTTP Request Repeating With Bu...
JosephTesta9
 
BSides Rochester 2018: Timothy Duffy: Civic and Humanitarian Open Source
JosephTesta9
 
BSides Rochester 2018: Michael West: Sentry, Or: How I Learned To Stop Worryi...
JosephTesta9
 
BSides Rochester 2018: Lee Kagan: Red and Blue Ping Pong
JosephTesta9
 
BSides Rochester 2018: Jonathan Myers: IoT Malware Detection with Machine Lea...
JosephTesta9
 
BSides Rochester 2018: Issa Hafiri & Christian Halbert: IOT Devices (And Why ...
JosephTesta9
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
JosephTesta9
 
BSides Rochester 2018: Drew Kirkpatrick: Open Source SAST and DAST Tools for ...
JosephTesta9
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
JosephTesta9
 
BSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
JosephTesta9
 
Ad

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
A Presentation on Artificial Intelligence
memembruh336
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Approach and Philosophy of On baking technology
30anthuong17
 
Cloud computing and distributed systems.
kkkkkhan
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 

BSides Rochester 2018: Dave Kukfa: BinDbg: Easy Windows Debugging for Binary Ninja

  • 1. BinDbg: Easy Windows Debugging for Binary Ninja Dave Kukfa https://kukfa.co @kukfa_
  • 2. whoami ● Dave Kukfa ● Corporate security engineer by day ● Hobbyist reverse engineer by night ● RIT CSEC Graduate ● SF Bay Area ● Blog: https://kukfa.co ● Twitter: @kukfa_ Disclaimer: This talk and all materials are being released on my own behalf, not on behalf of my employer
  • 3. Binary analysis tools ● Gold standard: IDA Pro ○ $$$ ○ Typically only justifiable by professionals ● Several recent challengers: ○ Radare ○ Hopper ○ Binary Ninja ● Binary Ninja is a powerful static analysis tool ○ Looking at the program’s disassembly without executing it ● I missed the dynamic (debugger) integrations that IDA had ○ So I set out to recreate it in Binja! Source: https://binary.ninja/ Source: https://www.hex-rays.com/products/ida/
  • 4. BinDbg ● Binary Ninja plugin that syncs a running debugger (WinDbg) to Binary Ninja ○ Combining static and dynamic analyses ○ Use the debugger’s information to supplement Binary Ninja’s analysis ○ Control the debugger within Binary Ninja ● This has been done before ○ snare’s Binjatron: https://github.com/snare/binjatron ○ Eric Hennenfent’s Binja Dynamics: https://github.com/ehennenfent/binja_dynamics ● Windows support on existing solutions is lacking ○ Because I primarily reverse PEs, I wanted to create an easy-to-use Windows solution
  • 5. Primary features (1/4) ● Launch and control debugging sessions directly from Binary Ninja ● Syncs Binja disassembly graph with WinDbg instruction pointer
  • 6. Primary features (2/4) ● Set breakpoints and move instruction pointer directly on Binja’s disassembly graph
  • 7. Primary features (3/4) ● Highlight branch decisions on disassembly graph (see where jumps are going)
  • 8. Primary features (4/4) ● Resolve vtable calls and vtable references (determine object types)
  • 10. Lessons learned ● Lots of time spent wrestling with pykd ○ Just catch its exceptions and keep going ¯_(ツ)_/¯ ● Determining object type using vtables is not 100% reliable ○ In the case of multiple inheritance, can’t just observe the first vtable and call it a day ● Windows is weird ○ Named pipes implementation ○ API and COM interfaces ● In hindsight, would have been easier to improve Windows support on existing tools