log binder transactions

2020-09-04 14:15:38 +03:00 · 2020-09-04 14:15:38 +03:00 · 7257797be2
commit 7257797be2
parent d115483d32
1 changed files with 91 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -23,6 +23,7 @@
 <details>
 <summary>Android</summary>

+* [`Binder transactions`](#binder-transactions)
 * [`Get system property`](#system-property-get)
 * [`Reveal manually registered native symbols`](#reveal-native-methods)
 * [`Enumerate loaded classes`](#enumerate-loaded-classes) 
@ -583,6 +584,96 @@ Interceptor.attach(Module.findExportByName(null, '__system_property_get'), {
 <br>[⬆ Back to top](#table-of-contents)


+#### Binder transactions
+
+```js
+var LAST_MSG = '';
+Java.perform(() => {
+  Interceptor.attach(Module.findExportByName('libbinder.so', 'ioctl'), {
+    onEnter: function(args) {
+      var binder_write_read_ptr = args[2];
+      if (args[1] == 0xC0306201) { // BINDER_WRITE_READ
+        var binder_write_read = {
+          // 'fd': args[0].toInt32(),
+          'write_size': binder_write_read_ptr.readU64(),
+          'write_consumed': binder_write_read_ptr.add(Process.pointerSize).readU64(),
+          'write_buffer': binder_write_read_ptr.add(Process.pointerSize * 2).readPointer(),
+        }
+        if (binder_write_read.write_size > 0) {
+          var ptr = binder_write_read.write_buffer.add(binder_write_read.write_consumed + 4);
+          switch (binder_write_read.write_buffer.readU32() & 0xff) {
+              case 0: // BC_TRANSACTION
+              case 1: // BC_REPLY
+                var binder_transaction_data = {
+                  'target': {
+                    'handle': ptr.readU32(),
+                    'ptr': ptr.readPointer()
+                  },
+                  'cookie': ptr.add(8).readPointer(),
+                  'code': ptr.add(16).readU32(),
+                  'flags': ptr.add(20).readU32(),
+                  'sender_pid': ptr.add(24).readS32(),
+                  'sender_euid': ptr.add(28).readU32(),
+                  'data_size': ptr.add(32).readU64(),
+                  'offsets_size': ptr.add(40).readU64(),
+                  'data': {
+                    'ptr': {
+                      'buffer': ptr.add(48).readPointer(),
+                      'offsets': ptr.add(56).readPointer()
+                    },
+                    'buf': ptr.add(48).readByteArray(8)
+                  }
+                }
+                var _log = hexdump(binder_transaction_data.data.ptr.buffer, { length: binder_transaction_data.data_size, ansi: true });
+                if (LAST_MSG.toString() != _log.toString()) {
+                  console.log(JSON.stringify(binder_transaction_data, null, 2));
+                  console.log(_log);
+                }
+                break;
+          }
+        }
+      }
+    }
+  });
+});
+```
+
+<details>
+<summary>Output example</summary>
+
+```sh
+{
+  "target": {
+    "handle": 16,
+    "ptr": "0x10"
+  },
+  "cookie": "0x0",
+  "code": 22,
+  "flags": 16,
+  "sender_pid": 0,
+  "sender_euid": 0,
+  "data_size": "68",
+  "offsets_size": "0",
+  "data": {
+    "ptr": {
+      "buffer": "0x78dce3dcf0",
+      "offsets": "0x0"
+    },
+    "buf": {}
+  }
+}
+             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
+78dce3dcf0  04 00 40 01 1d 00 00 00 61 00 6e 00 64 00 72 00  ..@.....a.n.d.r.
+78dce3dd00  6f 00 69 00 64 00 2e 00 6e 00 65 00 74 00 2e 00  o.i.d...n.e.t...
+78dce3dd10  77 00 69 00 66 00 69 00 2e 00 49 00 57 00 69 00  w.i.f.i...I.W.i.
+78dce3dd20  66 00 69 00 4d 00 61 00 6e 00 61 00 67 00 65 00  f.i.M.a.n.a.g.e.
+78dce3dd30  72 00 00 00                                      r...
+```
+	
+</details>
+
+<br>[⬆ Back to top](#table-of-contents)
+

 #### Reveal native methods