Kali Linux

Flare-Qdb : Command-line And Python Debugger For Instrumenting And Modifying Native Software

Flare-qdb is a command-line and scriptable Python-based tool for evaluating and manipulating native program state. It uses Vivisect to set a breakpoint on each queried instruction and executes Python code when hit.

flare-qdb frees the analyst to take a nonlinear approach to dynamic analysis that accommodates the questions that arise in the course of normal debugging and static analysis. flare-qdb answers these questions without requiring the analyst to manually set up an interactive debugger session and navigate the program counter to that code location.

Here are some examples of spot questions flare-qdb can answer:

  • Does eax always equal this value at this point?
  • What was eax equal to before this branch?
  • What values will this string assume throughout this loop?
  • At the first iteration of the inner loop, what base address is used?
  • Is the program even going to hit this logic?
  • Which code executes first?
  • Does the number of loop iterations depend on the value of argv[1]?
  • Can I alter the command-line arguments to avoid this condition?

flare-qdb can also be used to facilitate automated, repeatable manipulation of program execution. Here are some examples of useful applications:

  • Executing a string decoder with different arguments to quickly extract all the strings used by a malware sample.
  • Overriding the arguments to Sleep() to permit rapid iterative testing of a custom command and control (C2) server.
  • Telling a privilege escalation tool that its integrity level is 0x1000 (MANDATORY_LOW_RID) in order to induce it to execute its exploit code.
  • Repeatably automating the unpacking of a packer that jumps into one or more non-deterministic heap locations.

flare-qdb accepts multiple queries that take the form of a program counter or Vivisect expression paired with some Python text to evaluate in the flare-qdb scripting environment. Vivisect expressions can be used to specify simple constant program counter values like "0x401000", symbolic expressions like "kernel32.Sleep", and more. Vivisect expressions can also incorporate register and memory state to articulate sophisticated conditions, such as "not eax or (( edx > 3) and (poi(ebp-8) < 5))".

The command line argument format for this is:

-at <vexpr-pc> <pythontext>

flare-qdb also supports conditional evaluation based on the truth value of a Vivisect expression:

-at-if <vexpr-pc> <vexpr-conds> <pythontext>

lare-qdb provides several builtins for convenient debugging, which are available both from the command line and as methods of its Qdb class.

flare-qdb has been tested primarily on Windows, but works on Linux. Unfortunately, the Darwin port of Vivisect’s vtrace.Trace class is incomplete, so flare-qdb does not support OSX.

Example Scripts

flare-qdb comes with De-DOSfuscator, which is a tool for decoding obfuscated batch files by running them. Details can be found in the De-DOSfuscator Guide or by reading the blog Cmd and Conquer: De-DOSfuscation with flare-qdb.

R K

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

5 days ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

5 days ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

5 days ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

5 days ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

5 days ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

5 days ago