这里整理一些常用的 frida 脚本，和 ghidra 一起食用风味更佳～
Trace RegisterNatives
注意到从 Java 到 C 的绑定中，可能会在 JNI_OnLoad 里动态执行 RegisterNatives 方法，把 Java 层的函数绑定到 C 函数；可以通过 hook 这个方法，把运行时绑定的地址关联起来。获取地址之后，在 ghidra 中按 G 填入地址即可跳转到目标位置。
/*
 * Trace RegisterNatives.
 *
 * Records every JNINativeMethod that OURLIB registers from JNI_OnLoad so the
 * runtime function address can be mapped to the address Ghidra shows.
 *
 * NOTE(review): extraction dropped operators and string quotes from this
 * listing (`=`, `&&`, `<`, `++`, `+`, `"` …), so it is not runnable as shown;
 * it has to be re-typed against the Frida API before use.
 */
let nativeMethods {methods:[]}
// Set by the module scan below. Stays null if no matching export exists, in
// which case the Interceptor.attach call that follows throws.
let addrRegisterNatives null
// yeshen_module_base is only assigned inside the onEnter callback below (from
// the module that owns the registered function pointer); every later hook on
// this page reads it, so they are only valid once at least one RegisterNatives
// call from OURLIB has been observed.
// OURLIB names the library whose RegisterNatives calls are kept; calls from
// other callers are filtered out via the return address.  The symbol scan
// picks the RegisterNatives export that is not the CheckJNI variant.
var yeshen_module_base undefinedconst OURLIB libEngineNative.so // Replace with yoursProcess.enumerateModules().forEach(function (m) { Module.enumerateSymbolsSync(m.name).forEach(function (s) { if (s.name.includes(RegisterNatives) (!s.name.includes(CheckJNI))) { addrRegisterNatives s.address} })
// onEnter walks the JNINativeMethod array (args[2], nMethods entries of three
// pointers each: name, signature, fnPtr).  For each entry it resolves the
// module containing fnPtr and computes ghidraOffset = fnPtr - module.base +
// 0x00100000 (0x00100000 is presumably the image base the .so was loaded at
// in Ghidra — confirm against the Ghidra project).  Results accumulate in
// nativeMethods.methods; nothing is printed unless the console.log lines are
// uncommented.
})Interceptor.attach(addrRegisterNatives, {// jint RegisterNatives(JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods);onEnter: function (args) {var calledFromLibnOffset String(DebugSymbol.fromAddress(this.returnAddress))if(!calledFromLibnOffset.includes(OURLIB)){ // Filter out a few calls return}// console.log(\nenv-RegisterNatives())var nMethods parseInt(args[3]);// console.log(\tnMethodsnMethods);var class_name Java.vm.tryGetEnv().getClassName(args[1]);// console.log(\tclazz.nameclass_name)// console.log(\tmethods[]:);var methods_ptr ptr(args[2]);for (var i 0; i nMethods; i) {var name_ptr Memory.readPointer(methods_ptr.add(i * Process.pointerSize*3));var methodName Memory.readCString(name_ptr);var sig_ptr Memory.readPointer(methods_ptr.add(i * Process.pointerSize*3 Process.pointerSize));var sig Memory.readCString(sig_ptr);// console.log(\t\tmethodName(), sig:, sig)var fnPtr_ptr Memory.readPointer(methods_ptr.add(i * Process.pointerSize*3 Process.pointerSize*2));var find_module Process.findModuleByAddress(fnPtr_ptr);yeshen_module_base find_module.base;var fnPtr_ptr_ghidra ptr(fnPtr_ptr).sub(find_module.base).add(0x00100000)// console.log(\t\t\tfnPtr:, fnPtr_ptr, ghidraOffset:, fnPtr_ptr_ghidra);nativeMethods[methods].push({ghidraOffset : fnPtr_ptr_ghidra,methodName : class_name.methodName})}}
})// let the script run for a bit,
// then dump the nativeMethods object on the Frida interpreter
// or uncomment the console.log statements to dump all invocations like below:// env-RegisterNatives()
// nMethods1
// clazz.namecom.app.jni.PhoneControllerHelper
// methods[]:
// handleSendIM2Message(), sig: (Lcom/app/jni/MessageWrite;)Z
// fnPtr: 0x733a924280 ghidraOffset: 0x1d7280
Trace sprintf
注意到 sprintf 可能会把关键信息拼接出来，所以挂一个 hook，把目标 so 对这个函数的调用打印出来。
/*
 * Trace sprintf.
 *
 * Hooks the sprintf export of libyeshen.so.  onEnter keeps the destination
 * buffer (args[0]) and the caller (return address, also expressed as a Ghidra
 * offset relative to yeshen_module_base); onLeave reads the buffer back as a
 * UTF-8 string and logs it next to the caller information.
 *
 * NOTE(review): listing is garbled by extraction (operators and quotes
 * missing).  ALOGE is a logging helper that is not defined on this page.
 * Module.findExportByName returns null when the export is absent, and
 * Interceptor.attach(null) then throws — check sprintfAddress before attaching.
 * yeshen_module_base is assigned by the RegisterNatives hook above; if that
 * hook has not fired yet, the ghidraOffset arithmetic here operates on
 * undefined.
 */
var libyeshenbaseModule libyeshen.so
const sprintfAddress Module.findExportByName(libyeshenbaseModule, sprintf);
// The buffer is read in onLeave, i.e. after sprintf has filled it.
Interceptor.attach(sprintfAddress, {onEnter: function (args) {this.args1 args[0];var fnPtr_ptr_ghidra ptr(this.returnAddress).sub(yeshen_module_base).add(0x00100000)var caller DebugSymbol.fromAddress(this.returnAddress);this.args2 sprintf is called from: caller ,ghidraOffset: fnPtr_ptr_ghidra;},onLeave: function (retval) {ALOGE(sprintf result: Memory.readUtf8String(this.args1) , this.args2);}
});Trace opendir
拦截目标 so 的 opendir 调用：记录所有访问，并禁止对其中部分目录的访问。
/*
 * Trace opendir.
 *
 * Hooks opendir in libyeshen.so.  Every requested directory name is logged;
 * for the listed prefixes/paths (/proc/self/net, /sbin, "/", and
 * /sys/devices/system/cpu — quotes lost in extraction, confirm the exact
 * literals) args[0] is overwritten with ptr(0), so libc receives a NULL path
 * and the call fails.  onLeave is present but empty.
 *
 * NOTE(review): `var libyeshenbaseModule` is declared a second time here
 * (also on the sprintf section above); harmless with `var`, but would be a
 * redeclaration error with `let`/`const`.
 */
var libyeshenbaseModule libyeshen.so
Interceptor.attach(Module.findExportByName(libyeshenbaseModule, opendir), {onEnter: function (args) {var filename Memory.readUtf8String(args[0]);if(filename.startsWith(/proc/self/net) || filename.startsWith(/sbin) || filename /|| filename /sys/devices/system/cpu){args[0] ptr(0);ALOGE(opendir: filename forbidden.);}else{ALOGE(opendir: filename);}},onLeave: function (retval) {}
});Trace readdir
/*
 * Trace readdir.
 *
 * NOTE(review): readdir(3) takes a `DIR *`, not a path, so reading args[0] as
 * a UTF-8 string here reads the DIR structure's memory rather than a file
 * name; the "readdir:" log line is therefore misleading.  To log names, read
 * the `d_name` field of the `struct dirent *` returned in onLeave (retval)
 * instead, checking for NULL at end of directory.
 */
Interceptor.attach(Module.findExportByName(libyeshenbaseModule, readdir), {onEnter: function (args) {var filename Memory.readUtf8String(args[0]);ALOGE(readdir: filename);},onLeave: function (retval) {}
});Trace fread
/*
 * Trace fread.
 *
 * Logs the four fread arguments (buffer, size, nmemb, FILE*) on entry.  The
 * args are NativePointer values, so size/nmemb print as hex pointers unless
 * converted (e.g. toInt32()).  Reading the buffer contents is commented out;
 * note that in onEnter the buffer has not been filled yet — any data dump
 * belongs in onLeave, bounded by retval * size.
 */
Interceptor.attach(Module.findExportByName(libyeshenbaseModule, fread), {onEnter: function (args) {var buffer args[0];var size args[1];var nmemb args[2];var file args[3];// var data Memory.readUtf8String(buffer, size);ALOGE(fread: buffer , size: size , nmemb: nmemb , file: file );// ,data: data);// ALOGE(--fread end)},onLeave: function (retval) {}
});Trace open read
/*
 * Trace open / read.
 *
 * open: the requested path is logged; for the listed paths, and for
 * /proc/... files ending in /maps, /status, /cmdline, /meminfo or /stat,
 * args[0] is replaced with ptr(-1).
 *
 * NOTE(review): the inline comment says the return value is forced to -1,
 * but what the code does is replace the pathname pointer with an invalid
 * address, so the failure comes from libc/the kernel rejecting the pointer.
 * If a clean -1 return is intended, set a flag in onEnter and call
 * `retval.replace(-1)` in an onLeave handler instead.
 *
 * read: NOTE(review): the buffer is read in onEnter, i.e. before read() has
 * written into it, so `data` shows stale buffer contents, not what was read.
 * Save args[1] on `this` in onEnter and read it in onLeave using retval as
 * the length (when retval > 0) to log the actual data.
 *
 * Listing is garbled by extraction (operators and quotes missing).
 */
Interceptor.attach(Module.findExportByName(libyeshenbaseModule, open), {onEnter: function (args) {var path Memory.readUtf8String(args[0]);// if(path.startsWith(/proc) path.endsWith(/maps)){if (path /data || path /data/app || path /mnt || path /system/framework || path /sbin || path /proc/cpuinfo || path /proc/self/net || path /proc/self/net/unix){ALOGE(Access to path is denied); args[0] ptr(-1);// 修改返回值为 -1表示打开文件失败}else if (path.startsWith(/proc) (path.endsWith(/maps) || path.endsWith(/status) || path.endsWith(/cmdline) || path.endsWith(/meminfo) || path.endsWith(/stat))) {ALOGE(Access to path is denied); args[0] ptr(-1);// 修改返回值为 -1表示打开文件失败}else {ALOGE(open path: path);}}
});Interceptor.attach(Module.findExportByName(libyeshenbaseModule, read), {onEnter: function (args) {var fd args[0].toInt32();var buffer args[1];var count args[2].toInt32();var data Memory.readUtf8String(buffer, count);ALOGE(---read fd: fd , count: count ,data: data);ALOGE(---read end)}
});Trace custom address read in ghidra
/*
 * Trace a function at an address read from Ghidra.
 *
 * target_ptr_apply_1 converts the Ghidra address 0x001063e8 back to a
 * runtime address (address - 0x00100000 + yeshen_module_base).  The hook
 * logs args[1] as a C string together with the caller's Ghidra offset, and
 * onLeave forces the return value to 0 via retval.replace(0).
 *
 * NOTE(review): the conversion runs at script load time; yeshen_module_base
 * is only assigned inside the RegisterNatives hook, so unless that hook has
 * already fired (or the base is set by other means) `.add(yeshen_module_base)`
 * operates on undefined and this section will not attach correctly.
 */
var target_ptr_ghidra_1 0x001063e8;
var target_ptr_apply_1 ptr(target_ptr_ghidra_1).sub(0x00100000).add(yeshen_module_base);
Interceptor.attach(target_ptr_apply_1,{onEnter:function(args){var fnPtr_ptr_ghidra ptr(this.returnAddress).sub(yeshen_module_base).add(0x00100000)this.input ,input: Memory.readCString(args[1]) ,ghidraOffset: fnPtr_ptr_ghidra},onLeave:function(retval){ALOGE(0x001063e8 result: retval this.input);// 0x001063e8 result:0x0,inputx86,ghidraOffset:0x11ab68retval.replace(0);}
});Replace custom address‘s function to void
/*
 * Replace a function (Ghidra address 0x11e7b0) with an empty callback.
 *
 * The runtime address is derived the same way as above (address - 0x00100000
 * + yeshen_module_base), then Interceptor.replace installs a NativeCallback
 * declared as `void f(void)` whose body only contains a commented-out log.
 *
 * NOTE(review): the callback is declared with no arguments and a void
 * return; if the original function returns a value, callers will read
 * whatever is left in the return register.  Declare the real return type
 * and return an explicit value when that matters.  Same load-time dependency
 * on yeshen_module_base as the section above.
 */
var target_ptr_ghidra_root 0x11e7b0;
var target_ptr_apply_root ptr(target_ptr_ghidra_root).sub(0x00100000).add(yeshen_module_base)
Interceptor.replace(target_ptr_apply_root, new NativeCallback(() {// ALOGE(void 0x1e7b0 called)
}, void, []));