heibai2006/frida-snippets
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

refactoring reveal obfuscated native methods

Browse Source
This commit is contained in:
iddoeldor 2018-08-26 12:19:43 +03:00 committed by GitHub
parent e0f52d9bae
commit 44300f35af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
scripts/enumerateNativeMethods.js
View File

@ -1,14 +1,13 @@
var isLibARThooked = false;
// $ frida -Uf com.app --no-pause -l scripts.js
var fIntercepted = false;
function hookLibART() {
if (isLibARThooked === true) {
function revealNativeMethods() {
if (fIntercepted === true) {
return;
}
var symbols = Module.enumerateSymbolsSync("libart.so");
var addrRegisterNativeMethods;
var jclassAddress2NameMap = {};
for (i = 0; i < symbols.length; i++) {
var symbol = symbols[i];
var androidRunTimeSharedLibrary = "libart.so"; // may change between devices
Module.enumerateSymbolsSync(androidRunTimeSharedLibrary).forEach(function(symbol){
switch (symbol.name) {
case "_ZN3art3JNI21RegisterNativeMethodsEP7_JNIEnvP7_jclassPK15JNINativeMethodib":
/*
@ -16,22 +15,33 @@ function hookLibART() {
https://demangler.com/
art::JNI::RegisterNativeMethods(_JNIEnv*, _jclass*, JNINativeMethod const*, int, bool)
*/
addrRegisterNativeMethods = symbol.address;
console.log("RegisterNativeMethods is at " + addrRegisterNativeMethods);
Interceptor.attach(addrRegisterNativeMethods, {
var RegisterNativeMethodsPtr = symbol.address;
console.log("RegisterNativeMethods is at " + RegisterNativeMethodsPtr);
Interceptor.attach(RegisterNativeMethodsPtr, {
onEnter: function(args) {
var methodsPtr = ptr(args[2]);
var methodCount = parseInt(args[3]);
for (var i = 0; i < methodCount; i++) {
var namePtr = Memory.readPointer(methodsPtr.add(i * 12));
var sigPtr = Memory.readPointer(methodsPtr.add(i * 12 + 4));
var fnPtrPtr = Memory.readPointer(methodsPtr.add(i * 12 + 8));
var pSize = Process.pointerSize;
/*
https://android.googlesource.com/platform/libnativehelper/+/master/include_jni/jni.h#129
typedef struct {
const char* name;
const char* signature;
void* fnPtr;
} JNINativeMethod;
*/
var structSize = pSize * 3; // JNINativeMethod contains 3 pointers
var namePtr = Memory.readPointer(methodsPtr.add(i * structSize));
var sigPtr = Memory.readPointer(methodsPtr.add(i * structSize + pSize));
var fnPtrPtr = Memory.readPointer(methodsPtr.add(i * structSize + (pSize * 2)));
// output schema: className#methodName(arguments)returnVal@address
console.log(
// package & class, replacing forward slash with dot for convenience
jclassAddress2NameMap[args[0]].replace(/\//g, '.') +
'#' + Memory.readCString(namePtr) +
Memory.readCString(sigPtr) +
'@' + fnPtrPtr
'#' + Memory.readCString(namePtr) + // method
Memory.readCString(sigPtr) + // signature (arguments & return type)
'@' + fnPtrPtr // C side address
);
}
},
@ -49,16 +59,11 @@ function hookLibART() {
});
break;
}
}
isLibARThooked = true;
}
Java.perform(function () {
try {
hookLibART();
} catch (e) {
// safety first
console.error('[?]', e);
}
});
fIntercepted = true;
}
Java.perform(revealNativeMethods);
// TODO update
// https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md