heibai2006/frida-snippets
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

dump dynamically created files to local

Browse Source 
TODO add documentation
This commit is contained in:
Iddo 2018-04-23 19:00:54 +03:00 committed by GitHub
parent c1ce7e733f
commit 1f9ec7bf0b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 119 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
dump_dynamically_created_files.py Normal file
View File

@ -0,0 +1,119 @@
import os
import sys
import frida
APP_NAME = 'com.package.name'
def on_message(message, _ignored_data):
if message['type'] == 'send':
if type(message['payload']) == dict:
os.makedirs(os.path.dirname('./dump/{}/'.format(APP_NAME)), exist_ok=True) # create sub folder if not exist
with open('./dump/{}/{}'.format(APP_NAME, message['payload']['file']), 'w') as d:
for element in message['payload']['content']:
d.write(chr(element % 256))
d.close()
print('[*] Successfully dumped to {0}'.format(message['payload']['file']))
else:
print('[*] {0}'.format(message['payload'].encode('utf-8')))
else:
print(message)
js_code = """
Java.perform(function() {
var openedfile = "";
var data = {
"file": "",
"content": []
};
var isOpen = false;
var index = 0;
var fos = Java.use('java.io.FileOutputStream');
var fos_construct_2 = fos.$init.overload('java.lang.String');
var fos_construct_3 = fos.$init.overload('java.io.File');
var fos_construct_4 = fos.$init.overload('java.lang.String', 'boolean');
var fos_construct_5 = fos.$init.overload('java.io.File', 'boolean');
var fos_write_1 = fos.write.overload('[B', 'int', 'int');
var fos_close = fos.close;
function dump(data) {
send("Got " + data["content"].length + " bytes!");
var tmp_name = openedfile.split("/");
tmp_name = tmp_name[tmp_name.length - 1];
data["file"] = tmp_name;
send(data);
data["content"] = [];
index = 0;
}
fos_construct_2.implementation = function(file) {
var filename = file;
if (openedfile != filename) {
openedfile = filename;
send("File opened for write " + filename);
isOpen = true;
}
return fos_construct_2.call(this, file);
}
fos_construct_3.implementation = function(file) {
var filename = file.getAbsolutePath();
if (openedfile != filename) {
openedfile = filename;
send("File opened for write " + filename);
isOpen = true;
}
return fos_construct_3.call(this, file);
}
fos_construct_4.implementation = function(file, true_false) {
var filename = file;
if (openedfile != filename) {
openedfile = filename;
send("File opened for write " + filename);
isOpen = true;
}
return fos_construct_4.call(this, file, true_false);
}
fos_construct_5.implementation = function(file, true_false) {
var filename = file.getAbsolutePath();
if (openedfile != filename) {
openedfile = filename;
send("File opened for write " + filename);
isOpen = true;
}
return fos_construct_5.call(this, file, true_false);
}
fos_write_1.implementation = function(arr, offset, length) {
var i = 0;
for (i = offset; i < length; i = i + 1) {
data["content"][index] = arr[i];
index = index + 1;
}
return fos_write_1.call(this, arr, offset, length);
}
fos_close.implementation = function() {
dump(data);
return fos_close.call(this);
}
});
"""
device = frida.get_usb_device()
pid = device.spawn([APP_NAME])
session = device.attach(pid)
script = session.create_script(js_code)
print("[*] Intercepting [{}]".format(pid))
script.on('message', on_message)
script.load()
device.resume(APP_NAME)
sys.stdin.read()