Obligatory Environment Details
1. Windows 10 Enterprise Evaluation v1809
Setup & Debug
In each step, where applicable, the bracketed numbers reference the official Mozilla documentation listed under Resources. This should help with troubleshooting when required.
1. Getting SpiderMonkey Source.
- Get the latest Mozilla-build [1]. Use the default installation settings.
- Run the start-shell.bat file in C:\mozilla-build
- From within the new shell, navigate to the location where you want the source to reside.
- Fetch the source using Mercurial:
hg clone https://hg.mozilla.org/mozilla-central
This is going to take some time.
SpiderMonkey requires some prerequisites, as mentioned in the Mozilla build docs [2].
- Follow the instructions from Getting Ready through Required Tools. During the Visual Studio setup, also select Clang for Windows in the individual components.
- Download and install Microsoft Visual C++ Compiler for Python.
- Install .NET Framework 3.5 from "Turn Windows Features Off or On".
- Launch the start-shell.bat script and navigate to your repo location.
- Execute the following command from the root of the checkout to properly configure your environment and catch any missing dependencies:
mozilla-central$ ./mach bootstrap
- In the js/src folder create a build directory. Mine is called BUILD_DBG.OBJ (as recommended by Mozilla):
mozilla-central/js/src$ mkdir BUILD_DBG.OBJ
- From within the new directory run the following commands:
mozilla-central/js/src/BUILD_DBG.OBJ$ autoconf-2.13 # Note: the official docs use autoconf2.13, but checking C:\mozilla-build\msys\local\bin we see the correct command is autoconf-2.13
mozilla-central/js/src/BUILD_DBG.OBJ$ ../configure --enable-debug --disable-optimize --enable-nspr-build
mozilla-central/js/src/BUILD_DBG.OBJ$ mozmake -j4 -s
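As an added example (not code from the original post), the build steps above wrapped in a script for the mozilla-build MSYS shell, with checks for the two gotchas this page describes: the autoconf binary is named autoconf-2.13, and leaving out --enable-nspr-build breaks mozmake. The MSYS path /c/mozilla-build/msys/local/bin and all function names are assumptions.

```shell
# Added example, not from the original post: the build steps above as a script for
# the mozilla-build MSYS shell. It checks the two gotchas described on this page:
# the binary is named autoconf-2.13 (not autoconf2.13), and omitting
# --enable-nspr-build makes mozmake fail with 'prinit.h' not found.
# Assumptions: the MSYS path /c/mozilla-build/msys/local/bin and all names here.
set -u

# resolve_autoconf DIR: print whichever autoconf 2.13 spelling exists in DIR;
# return 1 if neither does.
resolve_autoconf() {
  for name in autoconf-2.13 autoconf2.13; do
    if [ -x "$1/$name" ]; then
      echo "$name"
      return 0
    fi
  done
  return 1
}

# ensure_nspr_flag ARGS...: print the configure arguments, appending
# --enable-nspr-build when it is missing (the step-7 fix from this post).
ensure_nspr_flag() {
  for arg in "$@"; do
    if [ "$arg" = "--enable-nspr-build" ]; then echo "$*"; return 0; fi
  done
  echo "$* --enable-nspr-build"
}

# build_spidermonkey SRC OBJDIR: run ./mach bootstrap from the tree root (not
# from the objdir), then autoconf, configure and mozmake inside js/src/OBJDIR.
# Runs in a subshell so the cd does not leak; DRY_RUN=1 only prints commands.
build_spidermonkey() (
  src=$1; objdir=$2
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
  autoconf_bin=$(resolve_autoconf /c/mozilla-build/msys/local/bin) || {
    echo "autoconf 2.13 not found in /c/mozilla-build/msys/local/bin" >&2; exit 1; }
  cd "$src" && run ./mach bootstrap || exit 1
  mkdir -p "js/src/$objdir" && cd "js/src/$objdir" || exit 1
  run "$autoconf_bin" || exit 1
  # the flag string is split on purpose so each option is passed separately
  run ../configure $(ensure_nspr_flag --enable-debug --disable-optimize) || exit 1
  run mozmake -j4 -s
)
```

Run it as `DRY_RUN=1 build_spidermonkey /path/to/mozilla-central BUILD_DBG.OBJ` first to see the exact commands before doing the real build.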
3. Debugging
We want to be able to instrument the JS engine from within the debugger and break into it to examine memory. We will be using WinDbg.
- Install the WinDbg Preview app from the Windows Store. You can find the app by searching for WinDbg in the Cortana search box. If you prefer, you can install WinDbg by following the instructions from Download Debugging Tools for Windows.
- Configure WinDbg as a postmortem debugger by following these instructions from Microsoft.
- Configure the symbol path in the debugger:
.sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
.sympath+ srv*C:\symbols*https://symbols.mozilla.org/
- Next, we will be using a tool by @0vercl0k. Follow the installation guide on GitHub.
- Note that to use the command interface on the debugger, you'll have to have attached to a process. You can start and attach to the JS shell at /path/to/debug/build/dist/bin/js.exe
- Install Python 3.7 from Python.
- Two notable functions only available in the debug build of the JS shell are dumpObject() and objectAddress().
- Now we should be set to start our journey.
Resources
- https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Build_Documentation
- https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/#setting-it-up
Into the Weeds
I originally tried to use the source from GitHub using the following command.
git clone --depth 1 https://github.com/mozilla/gecko-dev.git
The build time using this method was supposed to be significantly faster. However, I ran into problems running step 7 using that source. The major reason was that ./mach bootstrap, which is supposed to help with dependencies, only works with the Mercurial source. Technically, I could go through the code, see what it does and validate the environment myself, but that would be way too much work (I think). Now, there's definitely a way to use Mercurial and still get cloning to complete in a significantly shorter time, but I did not explore this option. Feel free to share your quick clone/build tips in the comments below.
Oh, I almost forgot. Steps 2 and 3 were written after multiple failures in step 5. So you may have more failures, but that means step 5 is really doing its job. Just make the fixes to your environment as it suggests. Also, it does take some time.
I also ran into problems using the following options for configure:
--host=x86_64-pc-mingw32 --target=x86_64-pc-mingw32
Definitely, if you have some advice regarding this, please share in the comments! But I don't think we need this. I ran configure without the --enable-nspr-build option and mozmake failed with 'prinit.h' not found. This was frustrating because I thought I had done everything right. A quick check of my configure and I returned here to update step 7! In the debugging stage, at the time of writing, I'm not sure whether setting the symbol path is required. I seemed to be able to find symbols without specifying the symbol path. This is probably a result of the debug build.
Special thanks to 0vercl0k; his blog post Introduction to SpiderMonkey Exploitation [3] is a useful reference as I compare and contrast with LiveOverflow's work on WebKit. It has really helped fast-track my progress.