def spawn_app(process): print('Spawning %s app.' % process) pid = frida.spawn(shutil.which(process)) frida.resume(pid) time.sleep(5) print('Spawned.') return pid
def main(target_process): pid = frida.spawn([target_process]) session = frida.attach(pid) script = session.create_script(""" lang=Module.findExportByName("kernel32","GetSystemDefaultLCID"); Interceptor.attach(lang, { onEnter: function (args) { console.log('Found backdoor function'); }, // When function is finished onLeave: function (retval) { retval=0x804; console.log('Press F8 to enable read backdoor, Password: oneplus'); return retval; } }); """) script.on('message', on_message) script.load() frida.resume(pid) print("[!] Ctrl+D on UNIX, Ctrl+C on Windows/cmd.exe to detach from instrumented program.\n\n") sys.stdin.read() session.detach()
def eval_script(self, enable_shell=False, disable_dns=False, disable_send=False, disable_com=False): self.device = frida.get_local_device() self.device.on('output', self.on_output) self.device.on('lost', self.on_lost) # Spawn and attach to the process pid = frida.spawn(self.process_sample) session = frida.attach(pid) # attach to the session with open("process_hooker.js") as fp: script_js = fp.read() self.script = session.create_script(script_js, name="process_hooker.js") self.script.on('message', self.on_message) session.on('detached', self.on_detach) self.script.on('destroyed', self.on_destroyed) self.script.load() # Set Script variables print(' [*] Setting Script Vars...') self.script.post({ "type": "set_script_vars", "debug": self._debug, "disable_dns": disable_dns, "enable_shell": enable_shell, "disable_send": disable_send, "disable_com": disable_com }) # Sleep for a second to ensure the vars are set.. time.sleep(1) print(' [*] Hooking Process %s' % pid) frida.resume(pid) print(' Press ctrl-c to kill the process...') # Keep the process running... while True: try: time.sleep(0.5) if self._process_terminated: break except KeyboardInterrupt: break if not self._process_terminated: # Kill it with fire frida.kill(pid)
def spawn_local(appname): print("[*] spawn a process on local machine") # Attach to process on local machine pid = frida.spawn([appname]) session = frida.attach(pid) frida.resume(pid) waitinterrupt()
def start2(): pid = frida.spawn('./TestAdd.exe') session = frida.attach(pid) script = session.create_script(code) script.load() frida.resume(pid)
def run(self): while len(self._procstack) > 0: name = self._procstack.pop() print("[*] Attaching to: " + name) pid = frida.spawn([name]) session = frida.attach(pid) session.on('detached', self.on_detached) script = session.create_script(code) script.on('message', lambda m, d: self.on_message(m, d)) script.load() frida.resume(pid) with self._lock: self._cond.wait() frida.shutdown()
def start_process(self, cmd, args): print("FridaAgent start_process called!") #cmd = "C:\\Users\\A0502571\\AppData\\Local\\Programs\\Python\\Python37-32\\python.exe" # using sysnative to force x64 process #args = [ cmd, "C:\\Users\A0502571\\Desktop\\private\\2019.07.15\\friTCP\\Cataclysm_Version\\friTCP\\ikeeby_socket_test\\client.py" ] cmd_args = [cmd, args] int_pid = frida.spawn(cmd_args) pid = str(int_pid) self.session_list[pid] = frida.attach(int_pid) self.script_list[pid] = {} self.inject_script(pid) frida.resume(int_pid) return pid
def eval_script(self, target_script, debug=False, enable_shell=False, disable_dns=False, disable_send=False, disable_com=False): # create the command args cmd = [self.wsh_host, target_script] # spawn the process pid = frida.spawn(cmd) session = frida.attach(pid) # attach to the session with open("wsh_hooker.js") as fp: script_js = fp.read() self.script = session.create_script(script_js, name="wsh_hooker.js") self.script.on('message', self.on_message) self.script.load() # Set Script variables print ' [*] Setting Script Vars...' self.script.post({"type": "set_script_vars", "debug": debug, "disable_dns": disable_dns, "enable_shell": enable_shell, "disable_send": disable_send, "disable_com": disable_com}) # Sleep for a second to ensure the vars are set.. time.sleep(1) print ' [*] Hooking Process %s' % pid frida.resume(pid) # Keep process open raw_input(" [!] Running Script. Ctrl+Z to detach from instrumented program.\n\n") # print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n") # sys.stdin.read() # Kill it with fire frida.kill(pid)
def main(): args = init_args() resume_proc = not args.pid if args.find_proc: pid = device.get_process(default_proc_name).pid resume_proc = False else: pid = args.pid or frida.spawn([args.exe, "-w"], cwd=default_exe_path) session = frida.attach(int(pid)) session.enable_debugger() with open("main.js", "r") as f: script = session.create_script(f.read()) script.on("message", on_message) script.load() if resume_proc: frida.resume(pid) while True: cmd = sys.stdin.read() if cmd: handle_cmd(cmd.rstrip(), script)
def main(proc): if checkIfProcessRunning(proc): print('[+] Process %s is running!' % proc) session = frida.attach(proc) else: print('[!] Process %s was not running!' % proc) print('[+] Running process %s!' % proc) session = frida.spawn(proc) session = frida.attach(proc) '''print(type(session))''' script = session.create_script(""" var Mutex_addr = Module.findExportByName("kernel32.dll", "CreateMutexA") console.log('[+] CreateMutex addr: ' + Mutex_addr); Interceptor.attach(Mutex_addr, { onEnter: function (args) { console.log("[+] Entering to createMutex") console.log('[+] lpName: ' + Memory.readUtf8String(args[2])); }, onLeave: function (retval) { } }); """) script.on('message', on_message) script.load() try: frida.resume(proc) except: pass sys.stdin.read()
def main(target_process): pid = frida.spawn([target_process]) session = frida.attach(pid) script_file = open("example.js", "r") script = session.create_script(script_file.read()) def on_message(message, data): new_data = call_erlamsa(data)[:11] print(str(data) + ' erlamsed to ' + str(new_data)) script.post(message = {'type': 'input'}, data = new_data) script.on('message', on_message) script.load() frida.resume(pid) print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n") sys.stdin.read() session.detach()
def load_script(self): absolute_path = path.join(sys.path[0], "devi_frida_tracer.js") script = self.session.create_script( Path(absolute_path).read_text() % (self.debug_level, self.module, self.symbol)) def on_message(message, data): """handle messages send by frida""" self.debug("[{}] -> {}".format(message, data)) if message["type"] == "error": self.error = True self.warn(" - Frida Error - " + message["description"]) self.warn(message["stack"]) self.warn("lineNuber: " + str(message["lineNumber"]) + ", columnNumber: " + str(message["columnNumber"])) elif message["type"] == "send": if "callList" in message["payload"]: self.calls.extend(message["payload"]["callList"]) elif "moduleMap" in message["payload"]: pass elif "symbolMap" in message["payload"]: pass elif "deviFinished" in message["payload"]: self.log(message["payload"]["deviFinished"]) elif "deviError" in message["payload"]: # Some Error occoured self.error = True self.warn(" - Error - " + message["payload"]["deviError"]) script.on("message", on_message) script.load() # only resume if spawed # if we resume before we load the script we can not intercept main try: frida.resume(int(self.pid)) except frida.InvalidArgumentError: pass
def go(self): frida.resume(self.pid)
def go(self): logl("resume pid:"+str(self.pid)) frida.resume(self.pid)
def hooker(): pid = options.atta if options.spaw: pid = [options.spaw] pid = frida.spawn(pid) session = frida.attach(pid) script = session.create_script(""" var bufferaddr; var bufferlen; Interceptor.attach(Module.findExportByName("Ws2_32.dll", "send"), { onEnter: function (args) { send("send",Memory.readByteArray(args[1], args[2].toInt32())); } } ); Interceptor.attach(Module.findExportByName("Ws2_32.dll", "recv"), { onEnter: function(args) { bufferaddr = args[1]; bufferlen = args[2].toInt32(); }, onLeave: function(args){ send("recv", Memory.readByteArray(bufferaddr, bufferlen)) } } ); """) #If we want a shiny html output if options.output: file = open(options.output, "wb") file.write(header) #If crtl + c... def signal_handler(signal, frame): file.write(footer) sys.exit(0) signal.signal(signal.SIGINT, signal_handler) def on_message(message, data): if message['payload'] == "recv": global i i = i + 1 print(colored("recv <-- " + str(len(data)) + " ", "red") + colored(str(i), "yellow")) if options.verbose: print(colored(binascii.hexlify(data), "red")) if options.output: file.write('<font color="red">' + str(i) + "-" + binascii.hexlify(data) + "</font><hr>") if message['payload'] == "send": i = i + 1 print(colored("send --> " + str(len(data)) + " ", "green") + colored(str(i), "yellow")) if options.verbose: print(colored(binascii.hexlify(data), "green")) if options.output: file.write('<font color="green">' + str(i) + "-" + binascii.hexlify(data) + "</font><hr>") if options.spaw: frida.resume(pid) script.on('message', on_message) script.load() sys.stdin.read()
this.functionName = 'main()'; }, onLeave: function(retval) { console.log('Exiting ' + this.functionName); } }); """) def on_message(message, data): # Print informational messages if message['type'] == 'send': print('\n[i] %s' % message['payload']) # Get notified of errors in our JavaScript elif message['type'] == 'error': print('\n[!] %s' % message['stack']) # Setup handler to process messages from JavaScript injected into process script.on('message', on_message) # Load our JavaScript into our process script.load() # Resume the process frida.resume(pid) # Keep Frida session alive until we detach it from the process sys.stdin.read() # Detach Frida session from process session.detach()
def resume_process(self, pid): print("FridaAgent resume_process called!") frida.resume(pid)
def main(target_process): pid = frida.spawn([target_process]) session = frida.attach(pid) script = session.create_script(""" var seekoffset=0; var seeklength=0; var processname=""; var op = recv('param', function(value) { var v = value.payload.split(","); processname = v[0]; run(); }); function run() { var proc=Module.findBaseAddress(processname); var base=Process.findRangeByAddress(proc); var fileptr=Module.findExportByName("kernel32","SetFilePointer"); var readfileptr=Module.findExportByName("kernel32","ReadFile"); /*Memory.scan(base.base, 0x100000, "55????5D????FFFFFFE9", { onMatch: function(address,size) { console.log("Found MAlloc: "+ptr(address).toString(16)); Interceptor.attach(ptr(address), { // When function is called, print out its parameters onEnter: function (args) { console.log("Entered at :"+address.toString(16)) this.length=args[0].toInt32(); if (args[0]<0x16000) { var subsize=args[0] Interceptor.attach(readfileptr, { onEnter: function (args) { console.log(''); console.log('[+] ReadFileLength: ' + args[2]); if (args[2].toString(16)==subsize.toString(16)) { console.log('[+] Subsize: ' + subsize); args[2]=ptr(seeklength); console.log('[+] New ReadFileLength: ' + args[2]); } } }); args[0]=ptr(seeklength); console.log('[+] New DLength: ' + args[0]); } }, onLeave: function (retval) { } }); }, onComplete: function() { } });*/ Memory.scan(base.base, 0x100000, "D1B5E39E", { onMatch: function(address,size) { var z=0; for (z=address-50;z<address;z++) { var h=Memory.readU8(ptr(z)); if (h==0x55) { console.log("Detected AES: "+ptr(z).toString(16)); Interceptor.attach(ptr(z), { // Intercept calls to our SetAesDecrypt function // When function is called, print out its parameters onEnter: function (args) { console.log(''); console.log('[+] AES-Length: ' + args[0]); console.log('[+] AES-EDX: ' + Memory.readU32(this.context.edx).toString(16)); // Plaintext this.length=args[0].toInt32(); this.xx=this.context.edx; }, // When function is finished onLeave: function (retval) { dumpAddr('Data', this.xx, 16); // Print out data array, which will contain de/encrypted data as output var dt=Memory.readByteArray(this.xx,this.length); send('Output',dt); console.log("Writing data."); } }); break; } } }, onComplete: function() { } }); /*Interceptor.attach(fileptr, { onEnter: function (args) { console.log(''); if (args[1]>0x0 && args[1]<0xFFFF0000) { console.log('[+] Seek: ' + args[1]); args[1]=ptr(seekoffset); } }, // When function is finished onLeave: function (retval) { } });*/ } function dumpAddr(info, addr, size) { if (addr.isNull()) return; console.log('Data dump ' + info + ' :'); var buf = Memory.readByteArray(addr, size); // If you want color magic, set ansi to true console.log(hexdump(buf, { offset: 0, length: size, header: true, ansi: false })); } """) script.on('message', on_message) script.load() script.post({'type': 'param', 'payload': str(target_process)}) frida.resume(pid) print( "[!] Ctrl+C on Windows/cmd.exe to detach from instrumented program.\n\n" ) sys.stdin.read() session.detach()
def spawn_and_hook(program, port=8080, filter="true"): pid = frida.spawn(program) hook(pid, port, filter) frida.resume(pid)