From 1f9ec7bf0bf155684daf575102f20ff0cbb8f630 Mon Sep 17 00:00:00 2001 From: Iddo Date: Mon, 23 Apr 2018 19:00:54 +0300 Subject: [PATCH] dump dynamically created files to local TODO add documentation --- dump_dynamically_created_files.py | 119 ++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 dump_dynamically_created_files.py diff --git a/dump_dynamically_created_files.py b/dump_dynamically_created_files.py new file mode 100644 index 0000000..a4c1ded --- /dev/null +++ b/dump_dynamically_created_files.py @@ -0,0 +1,119 @@ +import os +import sys +import frida + +APP_NAME = 'com.package.name' + + +def on_message(message, _ignored_data): + if message['type'] == 'send': + if type(message['payload']) == dict: + os.makedirs(os.path.dirname('./dump/{}/'.format(APP_NAME)), exist_ok=True) # create sub folder if not exist + with open('./dump/{}/{}'.format(APP_NAME, message['payload']['file']), 'w') as d: + for element in message['payload']['content']: + d.write(chr(element % 256)) + d.close() + print('[*] Successfully dumped to {0}'.format(message['payload']['file'])) + else: + print('[*] {0}'.format(message['payload'].encode('utf-8'))) + else: + print(message) + + +js_code = """ + Java.perform(function() { + var openedfile = ""; + var data = { + "file": "", + "content": [] + }; + var isOpen = false; + var index = 0; + + var fos = Java.use('java.io.FileOutputStream'); + + var fos_construct_2 = fos.$init.overload('java.lang.String'); + var fos_construct_3 = fos.$init.overload('java.io.File'); + var fos_construct_4 = fos.$init.overload('java.lang.String', 'boolean'); + var fos_construct_5 = fos.$init.overload('java.io.File', 'boolean'); + + var fos_write_1 = fos.write.overload('[B', 'int', 'int'); + + var fos_close = fos.close; + + function dump(data) { + send("Got " + data["content"].length + " bytes!"); + var tmp_name = openedfile.split("/"); + tmp_name = tmp_name[tmp_name.length - 1]; + data["file"] = tmp_name; + send(data); + data["content"] = []; + index = 0; + } + + fos_construct_2.implementation = function(file) { + var filename = file; + if (openedfile != filename) { + openedfile = filename; + send("File opened for write " + filename); + isOpen = true; + } + return fos_construct_2.call(this, file); + } + + fos_construct_3.implementation = function(file) { + var filename = file.getAbsolutePath(); + if (openedfile != filename) { + openedfile = filename; + send("File opened for write " + filename); + isOpen = true; + } + return fos_construct_3.call(this, file); + } + + fos_construct_4.implementation = function(file, true_false) { + var filename = file; + if (openedfile != filename) { + openedfile = filename; + send("File opened for write " + filename); + isOpen = true; + } + return fos_construct_4.call(this, file, true_false); + } + + fos_construct_5.implementation = function(file, true_false) { + var filename = file.getAbsolutePath(); + if (openedfile != filename) { + openedfile = filename; + send("File opened for write " + filename); + isOpen = true; + } + return fos_construct_5.call(this, file, true_false); + } + + fos_write_1.implementation = function(arr, offset, length) { + var i = 0; + for (i = offset; i < length; i = i + 1) { + data["content"][index] = arr[i]; + index = index + 1; + } + return fos_write_1.call(this, arr, offset, length); + } + + fos_close.implementation = function() { + dump(data); + return fos_close.call(this); + } + + }); +""" + +device = frida.get_usb_device() +pid = device.spawn([APP_NAME]) +session = device.attach(pid) +script = session.create_script(js_code) +print("[*] Intercepting [{}]".format(pid)) +script.on('message', on_message) +script.load() +device.resume(APP_NAME) +sys.stdin.read()