// Name of the native library this script waits for and then patches.
const targetLib = 'libnative-lib.so';
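/**
 * Entry point: watch android_dlopen_ext until `targetLib` is loaded, then
 * patch the library, hook the libc calls its checks rely on, and replace
 * MainActivity.mystr on the Java side.
 *
 * Uses the Frida runtime globals (Module, Interceptor, Memory, Process,
 * Arm64Writer, Java, console). Returns nothing.
 *
 * @throws {Error} when android_dlopen_ext cannot be resolved.
 */
function main() {
  // First use dlopen to find out which .so performs the anti-frida / anti-debug checks.
  const adeAddr = Module.findExportByName(null, "android_dlopen_ext");
  if (adeAddr === null) {
    throw new Error("android_dlopen_ext not found; cannot observe library loads");
  }
  // The target is normally loaded once; guard against patching it twice if it is not.
  let alreadyHandled = false;
  Interceptor.attach(adeAddr, {
    onEnter(args) {
      this.isTarget = false;
      // args[0] is already a NativePointer, so no ptr() wrapper is needed.
      // A NULL path would make readCString() return null and crash .includes().
      const pathPtr = args[0];
      if (pathPtr.isNull()) return;
      const path = pathPtr.readCString();
      if (path === null) return;
      console.log("[dylib open]: ", path);
      if (path.includes(targetLib)) {
        this.isTarget = true;
      }
    },
    onLeave() {
      if (!this.isTarget || alreadyHandled) return;
      alreadyHandled = true;
      // Hook this library's symbols to see which function is behind the crash.
      const baseAddr = Module.findBaseAddress(targetLib);
      console.log("[dylib base address]: ", baseAddr);
      if (baseAddr === null) {
        // dlopen returned but the module is not mapped under its expected name; nothing to patch.
        return;
      }
      /*
      // JNI_OnLoad as an example
      const jniOnload = Module.findExportByName(targetLib, "JNI_OnLoad");
      console.log("[hit JNI_OnLoad]: " + jniOnload);
      // If this prints, the detection point lies in or after JNI_OnLoad;
      // otherwise it is probably in .init_proc / .init_array / .init_xxx.
      Interceptor.attach(jniOnload, {
        onEnter(_args) {
          // Decompilation shows a check for frida and its port here, plus a
          // thread that checks whether the Java layer is hooked
          // (flag & 0x80000 != 0 once hooked).
          console.log("[func invoke]: JNI_OnLoad");
        },
      });
      // Target function
      const funcAddr = Module.findExportByName(targetLib, "Java_com_r0ysue_test1_MainActivity_stringFromJNI");
      console.log("[hit target func]: " + funcAddr);
      Interceptor.attach(funcAddr, {
        onEnter(_args) {
          // Compares against the byte pattern 0xd61f020058000050 to detect
          // whether pthread_create has been hooked.
          console.log("[func invoke]: Java_com_r0ysue_test1_MainActivity_stringFromJNI");
        },
      });
      */
      /*
      // Watch whether a new thread gets created.
      Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {
        onEnter(args) {
          // The start routine is pthread_create's third argument; its offset
          // from the module base (0x10448 in this build) is what the next
          // attempt patched.
          const threadFuncAddr = args[2];
          console.log("The thread function address is " + ptr(threadFuncAddr).sub(baseAddr));
        },
      });
      */
      /*
      // Patching the thread routine itself raised an error:
      const newThreadFunc = baseAddr.add(0x10448);
      console.log(Process.pageSize);
      Memory.patchCode(newThreadFunc, 0x3c, function (code) {
        const codeWriter = new Arm64Writer(code, { pc: newThreadFunc });
        codeWriter.putNop();
        codeWriter.flush();
      });
      */
      patchPthreadCreateCall(baseAddr);
      // strstr(v2, "frida") / strstr(v2, ":69A2")
      hookLibcStringArg("strstr", 1, ["frida", ":69A2"], 0);
      // access("/data/local/tmp/re.frida.server", 0)
      hookLibcStringArg("access", 0, ["re.frida.server"], -1);
    },
  });

  Java.perform(() => {
    const MainActivity = Java.use("com.r0ysue.test1.MainActivity");
    // Replace mystr() with an implementation that always reports true.
    MainActivity.mystr.implementation = function () {
      return true;
    };
  });
}

/** Offset of the `BL .pthread_create` instruction inside targetLib (this build only). */
const PTHREAD_CREATE_CALL_OFFSET = 0x10984;

/**
 * Overwrite the call to pthread_create in targetLib with a NOP so the thread
 * the library would start is never created.
 *
 * The earlier attempt (see the commented-out block in main) patched the
 * thread routine itself and failed; patching the single call instruction
 * works:
 *   .text:0000000000010984  4B F7 FF 97  BL .pthread_create
 *
 * @param {NativePointer} baseAddr - base address of targetLib.
 * @throws {Error} if the process is not arm64; the offset and the A64 NOP are
 *   specific to this build and architecture.
 */
function patchPthreadCreateCall(baseAddr) {
  if (Process.arch !== "arm64") {
    throw new Error(`expected arm64 but running on ${Process.arch}`);
  }
  const callSite = baseAddr.add(PTHREAD_CREATE_CALL_OFFSET);
  // One A64 instruction is 4 bytes, which is exactly what putNop() emits.
  Memory.patchCode(callSite, 4, (code) => {
    const writer = new Arm64Writer(code, { pc: callSite });
    writer.putNop();
    writer.flush();
  });
}

/**
 * Hook a libc export and force its return value whenever the C string in
 * argument `argIndex` contains one of `needles`.
 *
 * `this.isCheck` is per-invocation state shared between onEnter and onLeave.
 * A NULL argument, or one that cannot be read as a string, never matches.
 *
 * @param {string} exportName - symbol in libc.so, e.g. "strstr" or "access".
 * @param {number} argIndex - index of the C-string argument to inspect.
 * @param {string[]} needles - substrings that trigger the replacement.
 * @param {number} replacement - value written to the return register on a match.
 * @throws {Error} if the export cannot be resolved.
 */
function hookLibcStringArg(exportName, argIndex, needles, replacement) {
  const addr = Module.findExportByName("libc.so", exportName);
  if (addr === null) {
    throw new Error(`libc.so!${exportName} not found`);
  }
  Interceptor.attach(addr, {
    onEnter(args) {
      this.isCheck = false;
      const argPtr = args[argIndex];
      if (argPtr.isNull()) return;
      const text = argPtr.readCString();
      if (text === null) return;
      this.isCheck = needles.some((needle) => text.includes(needle));
    },
    onLeave(retval) {
      if (this.isCheck) {
        retval.replace(replacement);
      }
    },
  });
}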
// Defer main to the next event-loop turn instead of running it during script load.
setImmediate(main);