Ejemplo n.º 1
0
def main(parser) -> None:
    print('---------------------------')
    print("%s v%s" % (__file__, version))
    print('---------------------------')
    args = parser.parse_args()

    if not args.scan and not args.dump:
        print('No mode selected')
        parser.print_help(sys.stderr)
        sys.exit(1)

    if args.spawn:
        if check_proc(args.process):
            frida.kill(args.process)
        spawn_app(args.process)

    if args.dump:
        if args.addr and args.size:
            read_memory(args.process, int(args.addr, 16), args.size)
        else:
            dump_memory(args.process, args.output, args.interactive, args.protection)
    elif args.scan:
        if not args.pattern and not args.string:
            print('No scan pattern')
            parser.print_help(sys.stderr)
            sys.exit(1)
        elif args.pattern:
            scan_memory(args.process, args.pattern, args.interactive, args.protection)
        elif args.string:
            string = get_bytes(args.string)
            print('Pattern is "%s"' % string)
            scan_memory(args.process, string, args.interactive, args.protection)
Ejemplo n.º 2
0
    def eval_script(self,
                    enable_shell=False,
                    disable_dns=False,
                    disable_send=False,
                    disable_com=False):

        self.device = frida.get_local_device()
        self.device.on('output', self.on_output)
        self.device.on('lost', self.on_lost)

        # Spawn and attach to the process
        pid = frida.spawn(self.process_sample)
        session = frida.attach(pid)

        # attach to the session
        with open("process_hooker.js") as fp:
            script_js = fp.read()

        self.script = session.create_script(script_js,
                                            name="process_hooker.js")

        self.script.on('message', self.on_message)

        session.on('detached', self.on_detach)

        self.script.on('destroyed', self.on_destroyed)

        self.script.load()

        # Set Script variables
        print(' [*] Setting Script Vars...')
        self.script.post({
            "type": "set_script_vars",
            "debug": self._debug,
            "disable_dns": disable_dns,
            "enable_shell": enable_shell,
            "disable_send": disable_send,
            "disable_com": disable_com
        })

        # Sleep for a second to ensure the vars are set..
        time.sleep(1)

        print(' [*] Hooking Process %s' % pid)
        frida.resume(pid)

        print(' Press ctrl-c to kill the process...')
        # Keep the process running...
        while True:
            try:
                time.sleep(0.5)
                if self._process_terminated:
                    break
            except KeyboardInterrupt:
                break

        if not self._process_terminated:
            # Kill it with fire
            frida.kill(pid)
Ejemplo n.º 3
0
	def kill(self):
		self.exec_one = self.__start_process
		# make sure the process is gone
		while psutil.pid_exists(self.pid):
			frida.kill(self.pid)
		CleanupPipe()
		
		self.logger.info('Process {} is killed'.format(self.pid))
Ejemplo n.º 4
0
def main():
    parser = argparse.ArgumentParser(description="Extract Injected PE")
    parser.add_argument("infile", help="The file to unpack.")
    parser.add_argument(
        '--args',
        dest="in_args",
        default=None,
        help="Specify arguments for exe as comma seperated list")
    parser.add_argument(
        '--out_file',
        dest="out_file",
        default=None,
        help="Specify the file name to dump the PE. Default: out.bin")
    parser.add_argument('-v',
                        '--verbose',
                        dest="verbose",
                        action='store_true',
                        default=False,
                        help="Print hooked API calls.")
    parser.add_argument(
        '--raw',
        dest="dump_raw",
        action='store_true',
        default=False,
        help="Don't attempt to reconstruct PE, dump raw memory to file.")
    args = parser.parse_args()

    infile = args.infile
    filename = os.path.basename(infile)

    cmd = [infile]

    #Frida spawn takes args as a list with [0]=exe
    if args.in_args != None:
        cmd.extend(args.in_args.split(","))

    ### setup ###
    if args.out_file != None:
        frida_driver = FridaExtract(cmd, out_file=args.out_file)
    else:
        frida_driver = FridaExtract(cmd)

    if args.dump_raw:
        frida_driver.raw = True

    frida_driver.inject_extract_script()

    ### set verbosity ###
    if args.verbose:
        frida_driver.set_verbose(True)

    ### execute! ###
    frida_driver.go()

    ### temporary hack ###
    # keep program open long enough to receive messages
    raw_input("Started Dump: Press Enter to kill process at any time!\n\n")
    frida.kill(frida_driver.pid)
Ejemplo n.º 5
0
    def _process_message(self, message, data):
        """
            Frida COMMS
        """
        if message['type'] == 'send':
            stanza = message['payload']
            if stanza['name'] == '+log':
                print stanza['payload'] + "\n"
                try:
                    self.extract.post({'type': '+log-ack'})
                except Exception as e:
                    pass

            elif stanza['name'] == '+dump':
                #{"address":<virtual_address>}, data: <bin_string>
                if self.raw:
                    print " ".join([elem.encode("hex")
                                    for elem in data]) + "\n"
                #serialize data and store
                self.dump[stanza["address"]] = [ord(elem) for elem in data]
                try:
                    self.extract.post({'type': '+dump-ack'})
                except Exception as e:
                    pass

            elif stanza['name'] == '+flush':
                print "Flush Message Buffers"
                try:
                    self.extract.post({'type': '+flush-ack'})
                except Exception as e:
                    pass

            elif stanza['name'] == '+kill':
                print "Kill Main Process: " + str(stanza['payload']) + "\n"
                frida.kill(self.pid)
                print "Dump Complete!\n\nPress Enter to quit."
                try:
                    self.extract.post({'type': '+kill-ack'})
                except Exception as e:
                    pass

            elif stanza['name'] == '+pkill':
                print "Kill Sub-Process: " + str(stanza['payload']) + "\n"
                frida.kill(int(stanza['payload']))
                if self.raw:
                    #self.dump_raw()
                    self.dump_raw_sections()

                else:
                    self.rebuild_pe()
                try:
                    self.extract.post({'type': '+pkill-ack'})
                except Exception as e:
                    pass
        else:
            print "==========ERROR=========="
            print message
            print "========================="
Ejemplo n.º 6
0
    def _process_message(self, message, data):
        """
            Frida COMMS
        """
        if message['type'] == 'send':
            stanza = message['payload']
            if stanza['name'] == '+log':
                print stanza['payload'] + "\n"
                try:
                    self.extract.post({ 'type': '+log-ack' })
                except Exception as e:
                    pass

            elif stanza['name'] == '+dump':
                #{"address":<virtual_address>}, data: <bin_string>
                if self.raw:
                    print " ".join([elem.encode("hex")  for elem in data]) + "\n"
                #serialize data and store 
                self.dump[stanza["address"]] = [ord(elem) for elem in data]
                try:
                    self.extract.post({ 'type': '+dump-ack' })
                except Exception as e:
                    pass

            elif stanza['name'] == '+flush':
                print "Flush Message Buffers"
                try:
                    self.extract.post({ 'type': '+flush-ack' })
                except Exception as e:
                    pass

            elif stanza['name'] == '+kill':
                print "Kill Main Process: " + str(stanza['payload']) + "\n"
                frida.kill(self.pid)
                print "Dump Complete!\n\nPress Enter to quit."
                try:
                    self.extract.post({ 'type': '+kill-ack' })
                except Exception as e:
                    pass

            elif stanza['name'] == '+pkill':
                print "Kill Sub-Process: " + str(stanza['payload']) + "\n"
                frida.kill(int(stanza['payload']))
                if self.raw:
                    #self.dump_raw()
                    self.dump_raw_sections()

                else:
                    self.rebuild_pe()
                try:
                    self.extract.post({ 'type': '+pkill-ack' })
                except Exception as e:
                    pass
        else:
            print "==========ERROR=========="
            print message
            print "========================="
Ejemplo n.º 7
0
    def kill(self):
        self.logger.info('kill process')
        '''
		TODO
		program won't terminate right away
		fix this
		'''
        while psutil.pid_exists(self.pid):
            frida.kill(self.pid)
        '''
		frida won't kill its thread without this
		'''
        self.session.detach()
Ejemplo n.º 8
0
    def eval_script(self,
                    target_script,
                    debug=False,
                    enable_shell=False,
                    disable_dns=False,
                    disable_send=False,
                    disable_com=False):

        # create the command args
        cmd = [self.wsh_host, target_script]

        # spawn the process
        pid = frida.spawn(cmd)
        session = frida.attach(pid)

        # attach to the session
        with open("wsh_hooker.js") as fp:
            script_js = fp.read()

        self.script = session.create_script(script_js, name="wsh_hooker.js")
        self.script.on('message', self.on_message)
        self.script.load()

        # Set Script variables
        print ' [*] Setting Script Vars...'
        self.script.post({"type": "set_script_vars",
                          "debug": debug,
                          "disable_dns": disable_dns,
                          "enable_shell": enable_shell,
                          "disable_send": disable_send,
                          "disable_com": disable_com})

        # Sleep for a second to ensure the vars are set..
        time.sleep(1)

        print ' [*] Hooking Process %s' % pid
        frida.resume(pid)

        # Keep process open
        raw_input(" [!] Running Script. Ctrl+Z to detach from instrumented program.\n\n")
        # print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
        # sys.stdin.read()

        # Kill it with fire
        frida.kill(pid)
Ejemplo n.º 9
0
    def spawn_binary(self):

        if not self.pid:
            if self.binary[:2] == './':
                self.binary = self.binary[2:]

            self.pid = frida.spawn(self.binary)
            self.debug("Spawned binay {} with pid {}".format(
                self.binary, self.pid))
        self.pid = int(self.pid)
        self.session = frida.attach(self.pid)
        self.debug("Attached to process {}".format(self.pid))

        self.load_script()

        if self.error:
            self.warn("error")
            self.session.detach()
            self.info("An error occoured while attaching!")
            sys.exit(-1)

        self.log('Tracing binary press control-D to terminate....')

        sys.stdin.read()

        try:
            self.log('Detaching, this might take a second...')
            if self.kill:
                frida.kill(self.pid)
                self.log('Killing process {}'.format(self.pid))
            self.session.detach()
        except frida.ProcessNotFoundError:
            self.log('Process already terminated')
        self.debug("Call Overview:")
        self.debug(str(self.calls))

        with open(self.out_file, "w+") as self.out_file:
            result = dict()
            result["deviVersion"] = 0.1
            result["calls"] = self.calls
            json.dump(result, self.out_file)
Ejemplo n.º 10
0
def main():
    parser = argparse.ArgumentParser(description="Extract Injected PE")
    parser.add_argument("infile", help="The file to unpack.")
    parser.add_argument('--args',dest="in_args",default=None,help="Specify arguments for exe as comma seperated list")
    parser.add_argument('--out_file',dest="out_file",default=None,help="Specify the file name to dump the PE. Default: out.bin")
    parser.add_argument('-v','--verbose',dest="verbose",action='store_true',default=False,help="Print hooked API calls.")
    parser.add_argument('--raw',dest="dump_raw",action='store_true',default=False,help="Don't attempt to reconstruct PE, dump raw memory to file.")
    args = parser.parse_args()
    
    infile = args.infile
    filename = os.path.basename(infile)

    cmd = [infile]

    #Frida spawn takes args as a list with [0]=exe
    if args.in_args != None:
        cmd.extend(args.in_args.split(","))

    ### setup ###
    if args.out_file != None:
        frida_driver = FridaExtract(cmd, out_file=args.out_file)
    else:
        frida_driver = FridaExtract(cmd)

    if args.dump_raw:
        frida_driver.raw = True 

    frida_driver.inject_extract_script()

    ### set verbosity ###
    if args.verbose:
        frida_driver.set_verbose(True)

    ### execute! ###
    frida_driver.go()

    ### temporary hack ###
    # keep program open long enough to receive messages 
    raw_input("Started Dump: Press Enter to kill process at any time!\n\n")
    frida.kill(frida_driver.pid)
Ejemplo n.º 11
0
        path = args[1].readCString();
        if (fd > 0) {
            files[fd.toString()] = path;
        }
    }
});

Interceptor.attach(DebugSymbol.fromName('close').address, {
    onEnter: function(args) {
        fd = args[0].toInt32();
        copy_file(fd, files[fd.toString()]);
    },
    onLeave: function(ret_vat){
        delete files[fd.toString()];
        console.log(files);
    }
});

// TODO: what if the program does NOT call close?

"""

script = session.create_script(js)
script.on('message', on_message)
script.load()
time.sleep(5)
frida.resume(pid)

sys.stdin.read()
frida.kill(pid)