Full featured multi arch/os debugger built on top of PyQt5 and frida

Overview

Dwarf

PyPI pyversions PyPI version shields.io GitHub license GitHub issues

A debugger for reverse engineers, crackers and security analyst. Or you can call it damn, why are raspberries so fluffy or yet, duck warriors are rich as fuck. Whatever you like! Built on top of pyqt5, frida and some terrible code.

Known Issues

  • JavaTraceView is distorted
  • JavaTraceView shows weakref/handle instead of value

We are working on Dwarf 2.0 release

Installation

pip3 install dwarf-debugger

Development

pip3 install https://github.com/iGio90/Dwarf/archive/master.zip

Usage

Debugging UI (attach wizard)

dwarf

Debugging UI (straightforward)

dwarf -t android com.facebook.katana
dwarf -t android 2145
dwarf -t ios 2145
dwarf -t local /usr/bin/cat /etc/shadow

Debugging UI (own agent)

dwarf -t android -s /path/to/agent.js com.facebook.katana
dwarf -t local -s /path/to/agent.js /usr/bin/cat /etc/shadow

Dwarf typings + injector

$ dwarf-creator
project path (/home/igio90/test):
> 
project name (test):
> 
Session type (local)
[*] L (local)
[*] A (android)
[*] I (iOS)
[*] R (remote)

append i to use dwarf-injector (ai | android inject)
> ai
target package (com.whatsapp)
> com.whatsapp

$ (./intelliJ || ./vsCode).open(/home/igio90/test)
    .echo('enjoy scripting with frida and dwarf api autocompletition and in-line doc')

$ ./dwarf if myOs == 'unix' else 'dwarf.bat'

Dwarf trace

dwarf-trace -t android --java java.io.File.$init com.facebook.katana

* Trying to spawn com.facebook.katana
* Dwarf attached to 19337
java.io.File $init
    /data  - java.io.File
    misc

java.io.File $init
    /data/misc  - java.io.File
    user

...
dwarf-trace -t android --native --native-registers x0,x1,sp open+0x32
dwarf-trace -t android --native --native-registers x0,x1,sp targetModule@0x1234
dwarf-trace -t android --native --native-registers x0,x1,sp 0xdc00d0d0
dwarf-trace -t android --native --native-registers x0,x1,sp popen





Javascript | License | Become a patron | Slack

Comments
  • Can this software be installed on my Windows 10?

    Can this software be installed on my Windows 10?

    Hi, dude. I love this software and I installed it on my Mac. But I wonder if this can be installed on Windows 10? Sorry for my bad English. Thank you.

    opened by pharazone 68
  • Error installing frida on Android

    Error installing frida on Android

    Hi, I tried to automatically install frida on the device but it seems not working I've tried on a Nexus 5 with 5.1 and on a Pixel XL with android 8 rooted with Magisk from Ubuntu my steps are: I start Dwarf select Android A dwarf USB session window opens with a red bar saying waiting for device and a button install frida I click on install frida, a series of messages appear once done on the red bar appears a dropdown menu with 2 entries of Pixel XL If I try again Install frida more pixel xl entries appear in the dropdown menu I checked on the device and frida is not running nor installed

    opened by matbrik 15
  • There are too many same classes.

    There are too many same classes.

    Describe the bug There are too many same classes.

    To Reproduce Steps to reproduce the behavior:

    1. Attach android app whose package is "com.example.myapplication"
    2. Click on 'Java->Trace'
    3. search "MainActivity"
    4. See some same classes.

    Expected behavior For each, there should be only one class.

    Screenshots burning

    Desktop (please complete the following information):

    • OS: Ubuntu
    • Version 20.04

    Smartphone (please complete the following information):

    • OS: Android10
    opened by BurningTeng 11
  • empty debug window

    empty debug window

    i put a breakpoint on class constructor, breakpoint gets hit but everything is blank!!

    
    02:35:04 [ERROR-LogicJava.hook] Error: java.lang.ClassNotFoundException: Didn't find class "com.whatsapp.jobqueue.job" on path: DexPathList[[zip file "/system/framework/org.apache.http.legacy.boot.jar", zip file "/data/app/com.whatsapp-LqLY5Xrpfu9W8PvMcn2vHg==/base.apk"],nativeLibraryDirectories=[/data/app/com.whatsapp-LqLY5Xrpfu9W8PvMcn2vHg==/lib/arm64, /data/app/com.whatsapp-LqLY5Xrpfu9W8PvMcn2vHg==/base.apk!/lib/arm64-v8a, /system/lib64]]
    02:35:12 [ERROR-jvmExplorer-2] TypeError: Cannot read property '$className' of undefined
    02:35:12 [ERROR-jvmExplorer-2] TypeError: Cannot read property '$className' of undefined
    02:35:12 [ERROR-jvmExplorer-2] TypeError: Cannot read property '$className' of undefined
    02:35:12 [ERROR-jvmExplorer-2] TypeError: Cannot read property '$className' of undefined
    02:35:12 [ERROR-jvmExplorer-2] TypeError: Cannot read property '$className' of undefined
    02:35:12 [ERROR-jvmExplorer-2] TypeError: Cannot read property '$className' of undefined
    
    opened by 0x410c 11
  • Error message is shown when adding breakpoint for export function at first time

    Error message is shown when adding breakpoint for export function at first time

    Describe the bug Error message is shown when adding breakpoint of export function at first time. Error message is below.

    TypeError: not a function at attach (/script1.js:3640) at putNativeBreakpoint (/script1.js:3872) at putBreakpoint (/script1.js:3854) at putBreakpoint (/script1.js:2126) at apply (native) at api (/script1.js:3508) at apply (native) at (frida/runtime/message-dispatcher.js:13) at c (frida/runtime/message-dispatcher.js:23)

    To Reproduce Steps to reproduce the behavior:

    1. Attach android app whose package is "com.jingdong.app.mall"
    2. Click on View->Panels->Modules
    3. Add breakpoint for export function "Java_com_jingdong_common_utils_BitmapkitUtils_getSignFromJni" at first time
    4. The error message is shown.
    5. Add breakpoint again, the console will print "0xc0b4a8b5 already has a breakpoint"
    6. When I run app to trigger breakpoint, the breakpoint doesn't work. But following message will be shown:

    19:32:31.758101 @thread 18321 loading class := com.tencent.smtt.net.AwNetworkUtils 19:32:34.505922 @thread 18048 loading class := com.jd.lib.search.view.Activity.SearchActivity 19:32:53.064365 @thread 18048 loading class := com.jd.lib.search.view.holder.tip.a 19:32:53.065138 @thread 18048 loading class := com.jd.lib.search.view.adapter.cw 19:32:53.068883 @thread 18048 loading class := com.jd.lib.search.view.holder.tip.b 19:32:53.072689 @thread 18048 loading class := com.jd.lib.search.view.adapter.cw$a 19:33:00.650688 @thread 18048 loading class := com.jd.lib.search.view.Activity.ProductListActivity

    Expected behavior No error message and breakpoint can work.

    Screenshots burning

    Desktop (please complete the following information):

    • OS: Ubuntu
    • Version 20.04

    Smartphone (please complete the following information):

    • OS: Android 10
    opened by BurningTeng 9
  • IOS not supported ???

    IOS not supported ???

    Hello,

    It's me, again :). I'm trying to use DWARF with my iphone, and... I cannot even click on the apple button. If I press the Android Button, I can see a green ruban saying "Iphone Connected" but the tools does not give me any options.

    Thanks a lot,

    • Wally
    opened by folkene 9
  • Not Able to launch

    Not Able to launch

    PS D:\Tools for Testing\Dwarf\Dwarf> python .\dwarf.py adb: True dev/emu: True su: True root: False

    at least 3x True required Traceback (most recent call last): File ".\dwarf.py", line 41, in app_window = AppWindow(args) File "D:\Tools for Testing\Dwarf\Dwarf\ui\app.py", line 36, in init self.dwarf = Dwarf(self) File "D:\Tools for Testing\Dwarf\Dwarf\lib\core.py", line 80, in init self.script_manager = ScriptsManager(self) File "D:\Tools for Testing\Dwarf\Dwarf\lib\scripts_manager.py", line 24, in init self.update_scripts() File "D:\Tools for Testing\Dwarf\Dwarf\lib\scripts_manager.py", line 27, in update_scripts scripts = self.dwarf.get_git().get_dwarf_scripts()
    AttributeError: 'NoneType' object has no attribute 'replace'

    opened by mohittyagi11 9
  • the decompiler output is wrong

    the decompiler output is wrong

    Describe the bug the decompiler output is different with ida

    To Reproduce Steps to reproduce the behavior:

    1. open an app with dwarf

    Expected behavior the decompiler should output the correct asm code Screenshots the wrong output image the correct output image

    Desktop (please complete the following information):

    • OS: win10

    Smartphone (please complete the following information):

    • Device: mi6x
    • OS:android 6.0
    opened by jambooid 8
  • Empty spawn and procs

    Empty spawn and procs

    Phone: Nexus 5X - Android 8.1.0 root: magisk (Magisk Hide -> OFF) frida: last (v12.8.20) Python: 3.8.1 (Pyenv) In virtualenv installed last frida-tools and Dwarf (git clone)

    If execute frida-ps -U in terminal, there is a list of processes Dwarf empty process list

    opened by 4val0v 8
  • ReferenceError: breakpoint is not defined

    ReferenceError: breakpoint is not defined

    I am getting the error in the title when breakpoint() is executed. Here is how the command: Interceptor.attach(Module.findBaseAddress("libhello-jni.so").add(0x1161),function(arg) {console.log("hit");breakpoint()});

    Also, I am getting the same error as #88 when I run api.nativeBacktrace(); So I followed all the instructions there:

    • frida & frida server changed to 12.x
    • "disable_local_frida_update":true to prevent autoupdate
    • self._script = self._process.create_script(script_content, runtime='v8')
    • also made sure that "memPtr = ptr(address);" is fixed as per the patch in core.js
    • attached apk and source code (example hello-jni with a button to re-run the lib, apk located in hello3\app\debug\app-debug.apk) hello3.zip

    image

    The above command works for armv7 only, the following command should work on any arch: Interceptor.attach(Module.findExportByName("libhello-jni.so","getStr"),function(arg) {console.log("hit");breakpoint()});

    opened by wahibimoh 7
  • Remounting /system fails because it's missing in /proc/mounts

    Remounting /system fails because it's missing in /proc/mounts

    I am running OxygenOS 10.5.4 (OnePlus stock OS) with a Magisk patched bootloader. Dwarf provides a way to automatically install frida into /system. One of the steps is remounting /system to make it writeable which fails on my device.

    # mount -o rw,remount /system
    mount: '/system' not in /proc/mounts
    
    # cat /proc/mounts | grep system
    /sbin/.magisk/block/system_root /sbin/.magisk/mirror/system_root ext4 ro,seclabel,relatime,discard 0 0
    /sbin/.magisk/block/system_root /sbin/wlchg ext4 ro,seclabel,relatime,discard 0 0
    /sbin/.magisk/block/system_root /sbin/dashd ext4 ro,seclabel,relatime,discard 0 0
    /dev/block/loop2 /system/reserve ext4 ro,context=u:object_r:system_file:s0,relatime 0 0
    

    I know that Dwarf does have a check for /system_root, but it does not seem to work in my case, since it just sets the system partition's name to /system_root which doesn't even exist.

    I'm happy to share any further logs if needed.

    opened by sn0opy 7
Owner
iGio90
Full stack developer @overwolfmobile team. Founder of @secRet-re community. Reverse engineering my life into something human readable.
iGio90
Arghonaut is an interactive interpreter, visualizer, and debugger for Argh! and Aargh!

Arghonaut Arghonaut is an interactive interpreter, visualizer, and debugger for Argh! and Aargh!, which are Befunge-like esoteric programming language

Aaron Friesen 2 Dec 10, 2021
Debugger capable of attaching to and injecting code into python processes.

DISCLAIMER: This is not an official google project, this is just something I wrote while at Google. Pyringe What this is Pyringe is a python debugger

Google 1.6k Dec 15, 2022
The official code of LM-Debugger, an interactive tool for inspection and intervention in transformer-based language models.

LM-Debugger is an open-source interactive tool for inspection and intervention in transformer-based language models. This repository includes the code

Mor Geva 110 Dec 28, 2022
pdb++, a drop-in replacement for pdb (the Python debugger)

pdb++, a drop-in replacement for pdb What is it? This module is an extension of the pdb module of the standard library. It is meant to be fully compat

null 1k Dec 24, 2022
An improbable web debugger through WebSockets

wdb - Web Debugger Description wdb is a full featured web debugger based on a client-server architecture. The wdb server which is responsible of manag

Kozea 1.6k Dec 9, 2022
pdb++, a drop-in replacement for pdb (the Python debugger)

pdb++, a drop-in replacement for pdb What is it? This module is an extension of the pdb module of the standard library. It is meant to be fully compat

null 1k Jan 2, 2023
Graphical Python debugger which lets you easily view the values of all evaluated expressions

birdseye birdseye is a Python debugger which records the values of expressions in a function call and lets you easily view them after the function exi

Alex Hall 1.5k Dec 24, 2022
Voltron is an extensible debugger UI toolkit written in Python.

Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB an

snare 5.9k Dec 30, 2022
PINCE is a front-end/reverse engineering tool for the GNU Project Debugger (GDB), focused on games.

PINCE is a front-end/reverse engineering tool for the GNU Project Debugger (GDB), focused on games. However, it can be used for any reverse-engi

Korcan Karaokçu 1.5k Jan 1, 2023
NoPdb: Non-interactive Python Debugger

NoPdb: Non-interactive Python Debugger Installation: pip install nopdb Docs: https://nopdb.readthedocs.io/ NoPdb is a programmatic (non-interactive) d

Ondřej Cífka 67 Oct 15, 2022
Tracing instruction in lldb debugger.Just a python-script for lldb.

lldb-trace Tracing instruction in lldb debugger. just a python-script for lldb. How to use it? Break at an address where you want to begin tracing. Im

null 156 Jan 1, 2023
Little helper to run Steam apps under Proton with a GDB debugger

protongdb A small little helper for running games with Proton and debugging with GDB Requirements At least Python 3.5 protontricks pip package and its

Joshie 21 Nov 27, 2022
A simple rubber duck debugger

Rubber Duck Debugger I found myself many times asking a question on StackOverflow or to one of my colleagues just for finding the solution simply by d

null 1 Nov 10, 2021
Visual Interaction with Code - A portable visual debugger for python

VIC Visual Interaction with Code A simple tool for debugging and interacting with running python code. This tool is designed to make it easy to inspec

Nathan Blank 1 Nov 16, 2021
Hdbg - Historical Debugger

hdbg - Historical Debugger This is in no way a finished product. Do not use this

Fivreld 2 Jan 2, 2022
Trashdbg - TrashDBG the world's worse debugger

The world's worse debugger Over the course of multiple OALABS Twitch streams we

OALabs 21 Jun 17, 2022
🔥 Pyflame: A Ptracing Profiler For Python. This project is deprecated and not maintained.

Pyflame: A Ptracing Profiler For Python (This project is deprecated and not maintained.) Pyflame is a high performance profiling tool that generates f

Uber Archive 3k Jan 7, 2023
Parsing ELF and DWARF in Python

pyelftools pyelftools is a pure-Python library for parsing and analyzing ELF files and DWARF debugging information. See the User's guide for more deta

Eli Bendersky 1.6k Jan 4, 2023
Code2flow generates call graphs for dynamic programming language. Code2flow supports Python, Javascript, Ruby, and PHP.

Code2flow generates call graphs for dynamic programming language. Code2flow supports Python, Javascript, Ruby, and PHP.

Scott Rogowski 3k Jan 1, 2023