..syntax highlighting

This commit is contained in:
iddoeldor 2018-08-08 02:19:49 +03:00 committed by GitHub
parent 86bf7f4af9
commit 3bc49495a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -23,24 +23,22 @@
- [TODO list](#todos) - [TODO list](#todos)
#### Intercept and backtrace low level open #### Intercept and backtrace low level open
``` ```javascript
Interceptor.attach(Module.findExportByName("/system/lib/libc.so", "open"), { Interceptor.attach(Module.findExportByName("/system/lib/libc.so", "open"), {
onEnter: function(args) { onEnter: function(args) {
// debug only the intended calls // debug only the intended calls
this.flag = false; this.flag = false;
var filename = Memory.readCString(ptr(args[0])); var filename = Memory.readCString(ptr(args[0]));
if (filename.indexOf("epsi") != -1) if (filename.indexOf("epsi") != -1)
this.flag = true; this.flag = true;
if (this.flag) { if (this.flag)
console.log("file name [ " + Memory.readCString(ptr(args[0])) + console.log("file name [ " + Memory.readCString(ptr(args[0])) +
" ]\nBacktrace:" + " ]\nBacktrace:" +
Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n\t") Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n\t")
); );
}
}, },
onLeave: function(retval) { onLeave: function(retval) {
if (this.flag) if (this.flag) console.warn("\nretval: " + retval);
console.warn("\nretval: " + retval);
} }
}); });
``` ```
@ -51,7 +49,7 @@ And save to a file
$ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes $ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes
``` ```
Search for class Search for class
``` ```javascript
Java.enumerateLoadedClasses({ Java.enumerateLoadedClasses({
onMatch: function(aClass) { onMatch: function(aClass) {
if (aClass.match("/classname/i")) // match a regex with case insensitive flag if (aClass.match("/classname/i")) // match a regex with case insensitive flag
@ -62,18 +60,15 @@ Java.enumerateLoadedClasses({
``` ```
#### Java class methods #### Java class methods
``` ```javascript
Object.getOwnPropertyNames(Java.use('com.company.CustomClass').__proto__).join('\n\t') Object.getOwnPropertyNames(Java.use('com.company.CustomClass').__proto__).join('\n\t')
``` ```
#### Dump iOS class hierarchy #### Dump iOS class hierarchy
```
/*
Object.keys(ObjC.classes) will list all available Objective C classes, Object.keys(ObjC.classes) will list all available Objective C classes,
but actually this will return all classes loaded in current process, including system frameworks. but actually this will return all classes loaded in current process, including system frameworks.
If we want something like weak_classdump, to list classes from executable it self only, Objective C runtime already provides such function objc_copyClassNamesForImage If we want something like weak_classdump, to list classes from executable it self only, Objective C runtime already provides such function [objc_copyClassNamesForImage](#https://developer.apple.com/documentation/objectivec/1418485-objc_copyclassnamesforimage?language=objc)
https://developer.apple.com/documentation/objectivec/1418485-objc_copyclassnamesforimage?language=objc ```javascript
*/
var objc_copyClassNamesForImage = new NativeFunction( var objc_copyClassNamesForImage = new NativeFunction(
Module.findExportByName(null, 'objc_copyClassNamesForImage'), Module.findExportByName(null, 'objc_copyClassNamesForImage'),
'pointer', 'pointer',
@ -116,7 +111,7 @@ send(tree);
#### iOS instance members values #### iOS instance members values
Print map of members (with values) for each class instance Print map of members (with values) for each class instance
``` ```javascript
ObjC.choose(ObjC.classes[clazz], { ObjC.choose(ObjC.classes[clazz], {
onMatch: function (obj) { onMatch: function (obj) {
console.log('onMatch: ', obj); console.log('onMatch: ', obj);
@ -131,7 +126,7 @@ ObjC.choose(ObjC.classes[clazz], {
``` ```
#### iOS extract cookies #### iOS extract cookies
``` ```javascript
var cookieJar = []; var cookieJar = [];
var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies(); var cookies = ObjC.classes.NSHTTPCookieStorage.sharedHTTPCookieStorage().cookies();
for (var i = 0, l = cookies.count(); i < l; i++) { for (var i = 0, l = cookies.count(); i < l; i++) {
@ -143,11 +138,11 @@ ObjC.choose(ObjC.classes[clazz], {
#### List modules #### List modules
``` ```
$ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})" $ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})"
.... ....
-libsqlite.so -libsqlite.so
``` ```
``` ```javascript
Process.enumerateModulesSync() Process.enumerateModulesSync()
.filter(function(m){ return m['path'].toLowerCase().indexOf('app') !=-1 ; }) .filter(function(m){ return m['path'].toLowerCase().indexOf('app') !=-1 ; })
.forEach(function(m) { .forEach(function(m) {
@ -187,7 +182,7 @@ Process.enumerateModulesSync()
24878 ms | sqlite3_free() 24878 ms | sqlite3_free()
``` ```
#### SQLite hook #### SQLite hook
``` ```javascript
Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), { Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), {
onEnter: function(args) { onEnter: function(args) {
console.log('DB: ' + Memory.readUtf16String(args[0]) + '\tSQL: ' + Memory.readUtf16String(args[1])); console.log('DB: ' + Memory.readUtf16String(args[0]) + '\tSQL: ' + Memory.readUtf16String(args[1]));
@ -197,7 +192,7 @@ Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2
#### Hook refelaction: #### Hook refelaction:
`java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)` `java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)`
``` ```javascript
Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) { Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) {
console.log('hooked!', a, b, c); console.log('hooked!', a, b, c);
return this.invoke(a,b,c); return this.invoke(a,b,c);
@ -205,7 +200,7 @@ Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2
``` ```
#### Hook constructor #### Hook constructor
``` ```javascript
Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) { Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) {
console.log("c'tor"); console.log("c'tor");
return this(stringArgument); return this(stringArgument);
@ -213,7 +208,7 @@ Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implement
``` ```
#### Hook JNI by address #### Hook JNI by address
Hook native method by module name and method address and print arguments Hook native method by module name and method address and print arguments
``` ```javascript
var moduleName = "libfoo.so"; var moduleName = "libfoo.so";
var nativeFuncAddr = 0x1234; // $ nm --demangle --dynamic libfoo.so | grep "Class::method(" var nativeFuncAddr = 0x1234; // $ nm --demangle --dynamic libfoo.so | grep "Class::method("
@ -242,7 +237,7 @@ Interceptor.attach(Module.findExportByName(null, "dlopen"), {
``` ```
#### Print runtime strings #### Print runtime strings
Print created StringBuilder & StringBuffer & Stacktrace Print created StringBuilder & StringBuffer & Stacktrace
``` ```javascript
Java.perform(function() { Java.perform(function() {
['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function(clazz, i) { ['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function(clazz, i) {
console.log('[?] ' + i + ' = ' + clazz); console.log('[?] ' + i + ' = ' + clazz);
@ -263,7 +258,7 @@ Java.perform(function() {
``` ```
#### Find iOS application UUID #### Find iOS application UUID
Get UUID for specific path when attached to an app by reading plist file under each app container Get UUID for specific path when attached to an app by reading plist file under each app container
``` ```javascript
var PLACEHOLDER = '{UUID}'; var PLACEHOLDER = '{UUID}';
function extractUUIDfromPath(path) { function extractUUIDfromPath(path) {
var bundleIdentifier = String(ObjC.classes.NSBundle.mainBundle().objectForInfoDictionaryKey_('CFBundleIdentifier')); var bundleIdentifier = String(ObjC.classes.NSBundle.mainBundle().objectForInfoDictionaryKey_('CFBundleIdentifier'));
@ -290,7 +285,7 @@ console.log( extractUUIDfromPath('/var/mobile/Containers/Data/Application/' + PL
``` ```
#### Observe iOS class #### Observe iOS class
``` ```javascript
function observeClass(name) { function observeClass(name) {
var k = ObjC.classes[name]; var k = ObjC.classes[name];
k.$ownMethods.forEach(function(m) { k.$ownMethods.forEach(function(m) {
@ -348,7 +343,7 @@ RET: 0xabcdef
#### File Access #### File Access
iOS file access iOS file access
``` ```javascript
Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, { Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementation, {
onEnter: function (args) { onEnter: function (args) {
console.log('open' , ObjC.Object(args[2]).toString()); console.log('open' , ObjC.Object(args[2]).toString());
@ -357,7 +352,7 @@ Interceptor.attach(ObjC.classes.NSFileManager['- fileExistsAtPath:'].implementat
``` ```
#### Webview URLS #### Webview URLS
``` ```javascript
Java.use("android.webkit.WebView").loadUrl.overload("java.lang.String").implementation = function (s) { Java.use("android.webkit.WebView").loadUrl.overload("java.lang.String").implementation = function (s) {
send(s.toString()); send(s.toString());
this.loadUrl.overload("java.lang.String").call(this, s); this.loadUrl.overload("java.lang.String").call(this, s);
@ -366,7 +361,7 @@ Java.use("android.webkit.WebView").loadUrl.overload("java.lang.String").implemen
#### Await for condition #### Await for condition
Await until specific DLL will load in Unity app, can implement hot swap Await until specific DLL will load in Unity app, can implement hot swap
``` ```javascript
var awaitForCondition = function(callback) { var awaitForCondition = function(callback) {
var int = setInterval(function() { var int = setInterval(function() {
if (Module.findExportByName(null, "mono_get_root_domain")) { if (Module.findExportByName(null, "mono_get_root_domain")) {
@ -410,7 +405,7 @@ Java.perform(function() {
``` ```
#### Android make Toast #### Android make Toast
``` ```javascript
Java.scheduleOnMainThread(function() { Java.scheduleOnMainThread(function() {
Java.use("android.widget.Toast") Java.use("android.widget.Toast")
.makeText( .makeText(
@ -423,7 +418,7 @@ Java.scheduleOnMainThread(function() {
``` ```
#### Hook java io InputStream #### Hook java io InputStream
``` ```javascript
function binaryToHexToAscii(array, readLimit) { function binaryToHexToAscii(array, readLimit) {
var result = []; var result = [];
// read 100 bytes #performance // read 100 bytes #performance