Tracing Struct Accesses with Struct Stalker: A Foray Into the Darkness of LLDB Scripting

Presented at REcon 2018, June 16, 2018, 10 a.m. (30 minutes)

Struct Stalker is an LLDB script that instruments processes to trace struct/object accesses in C/C++ applications. It recursively walks through all fields in a targeted variable variable to make each each one inaccessible through page permissions, and catches and processes all ensuing page faults to track memory accesses. This talk will cover the Struct Stalker tool and will additionally include a brief introduction to LLDB scripting that covers a bunch of useful stuff that the LLDB "documentation" does not.

Presenters:

• Jeff Dileo / chaosdata   as Jeff Dileo
  Jeff Dileo is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.

Links:

• https://recon.cx/2018/montreal/schedule/events/106.html

Similar Presentations:

• REcon Brussels 2017 / Reverse engineering of file formats and network protocols using Kaitai Struct