def spawn_app(process):
print('Spawning %s app.' % process)
pid = frida.spawn(shutil.which(process))
frida.resume(pid)
time.sleep(5)
print('Spawned.')
return pid
def main(target_process):
pid = frida.spawn([target_process])
session = frida.attach(pid)
script = session.create_script("""
lang=Module.findExportByName("kernel32","GetSystemDefaultLCID");
Interceptor.attach(lang, {
onEnter: function (args) {
console.log('Found backdoor function');
},
// When function is finished
onLeave: function (retval) {
retval=0x804;
console.log('Press F8 to enable read backdoor, Password: oneplus');
return retval;
}
});
""")
script.on('message', on_message)
script.load()
frida.resume(pid)
print("[!] Ctrl+D on UNIX, Ctrl+C on Windows/cmd.exe to detach from instrumented program.\n\n")
sys.stdin.read()
session.detach()
def eval_script(self,
enable_shell=False,
disable_dns=False,
disable_send=False,
disable_com=False):
self.device = frida.get_local_device()
self.device.on('output', self.on_output)
self.device.on('lost', self.on_lost)
# Spawn and attach to the process
pid = frida.spawn(self.process_sample)
session = frida.attach(pid)
# attach to the session
with open("process_hooker.js") as fp:
script_js = fp.read()
self.script = session.create_script(script_js,
name="process_hooker.js")
self.script.on('message', self.on_message)
session.on('detached', self.on_detach)
self.script.on('destroyed', self.on_destroyed)
self.script.load()
# Set Script variables
print(' [*] Setting Script Vars...')
self.script.post({
"type": "set_script_vars",
"debug": self._debug,
"disable_dns": disable_dns,
"enable_shell": enable_shell,
"disable_send": disable_send,
"disable_com": disable_com
})
# Sleep for a second to ensure the vars are set..
time.sleep(1)
print(' [*] Hooking Process %s' % pid)
frida.resume(pid)
print(' Press ctrl-c to kill the process...')
# Keep the process running...
while True:
try:
time.sleep(0.5)
if self._process_terminated:
break
except KeyboardInterrupt:
break
if not self._process_terminated:
# Kill it with fire
frida.kill(pid)
def spawn_local(appname):
print("[*] spawn a process on local machine")
# Attach to process on local machine
pid = frida.spawn([appname])
session = frida.attach(pid)
frida.resume(pid)
waitinterrupt()
def start2():
pid = frida.spawn('./TestAdd.exe')
session = frida.attach(pid)
script = session.create_script(code)
script.load()
frida.resume(pid)
def run(self):
while len(self._procstack) > 0:
name = self._procstack.pop()
print("[*] Attaching to: " + name)
pid = frida.spawn([name])
session = frida.attach(pid)
session.on('detached', self.on_detached)
script = session.create_script(code)
script.on('message', lambda m, d: self.on_message(m, d))
script.load()
frida.resume(pid)
with self._lock:
self._cond.wait()
frida.shutdown()
def start_process(self, cmd, args):
print("FridaAgent start_process called!")
#cmd = "C:\\Users\\A0502571\\AppData\\Local\\Programs\\Python\\Python37-32\\python.exe" # using sysnative to force x64 process
#args = [ cmd, "C:\\Users\A0502571\\Desktop\\private\\2019.07.15\\friTCP\\Cataclysm_Version\\friTCP\\ikeeby_socket_test\\client.py" ]
cmd_args = [cmd, args]
int_pid = frida.spawn(cmd_args)
pid = str(int_pid)
self.session_list[pid] = frida.attach(int_pid)
self.script_list[pid] = {}
self.inject_script(pid)
frida.resume(int_pid)
return pid
def eval_script(self,
target_script,
debug=False,
enable_shell=False,
disable_dns=False,
disable_send=False,
disable_com=False):
# create the command args
cmd = [self.wsh_host, target_script]
# spawn the process
pid = frida.spawn(cmd)
session = frida.attach(pid)
# attach to the session
with open("wsh_hooker.js") as fp:
script_js = fp.read()
self.script = session.create_script(script_js, name="wsh_hooker.js")
self.script.on('message', self.on_message)
self.script.load()
# Set Script variables
print ' [*] Setting Script Vars...'
self.script.post({"type": "set_script_vars",
"debug": debug,
"disable_dns": disable_dns,
"enable_shell": enable_shell,
"disable_send": disable_send,
"disable_com": disable_com})
# Sleep for a second to ensure the vars are set..
time.sleep(1)
print ' [*] Hooking Process %s' % pid
frida.resume(pid)
# Keep process open
raw_input(" [!] Running Script. Ctrl+Z to detach from instrumented program.\n\n")
# print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
# sys.stdin.read()
# Kill it with fire
frida.kill(pid)
def main():
args = init_args()
resume_proc = not args.pid
if args.find_proc:
pid = device.get_process(default_proc_name).pid
resume_proc = False
else:
pid = args.pid or frida.spawn([args.exe, "-w"], cwd=default_exe_path)
session = frida.attach(int(pid))
session.enable_debugger()
with open("main.js", "r") as f:
script = session.create_script(f.read())
script.on("message", on_message)
script.load()
if resume_proc:
frida.resume(pid)
while True:
cmd = sys.stdin.read()
if cmd:
handle_cmd(cmd.rstrip(), script)
def main(proc):
if checkIfProcessRunning(proc):
print('[+] Process %s is running!' % proc)
session = frida.attach(proc)
else:
print('[!] Process %s was not running!' % proc)
print('[+] Running process %s!' % proc)
session = frida.spawn(proc)
session = frida.attach(proc)
'''print(type(session))'''
script = session.create_script("""
var Mutex_addr = Module.findExportByName("kernel32.dll", "CreateMutexA")
console.log('[+] CreateMutex addr: ' + Mutex_addr);
Interceptor.attach(Mutex_addr,
{
onEnter: function (args)
{
console.log("[+] Entering to createMutex")
console.log('[+] lpName: ' + Memory.readUtf8String(args[2]));
},
onLeave: function (retval)
{
}
});
""")
script.on('message', on_message)
script.load()
try:
frida.resume(proc)
except:
pass
sys.stdin.read()
def main(target_process):
pid = frida.spawn([target_process])
session = frida.attach(pid)
script_file = open("example.js", "r")
script = session.create_script(script_file.read())
def on_message(message, data):
new_data = call_erlamsa(data)[:11]
print(str(data) + ' erlamsed to ' + str(new_data))
script.post(message = {'type': 'input'}, data = new_data)
script.on('message', on_message)
script.load()
frida.resume(pid)
print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
sys.stdin.read()
session.detach()
def load_script(self):
absolute_path = path.join(sys.path[0], "devi_frida_tracer.js")
script = self.session.create_script(
Path(absolute_path).read_text() %
(self.debug_level, self.module, self.symbol))
def on_message(message, data):
"""handle messages send by frida"""
self.debug("[{}] -> {}".format(message, data))
if message["type"] == "error":
self.error = True
self.warn(" - Frida Error - " + message["description"])
self.warn(message["stack"])
self.warn("lineNuber: " + str(message["lineNumber"]) +
", columnNumber: " + str(message["columnNumber"]))
elif message["type"] == "send":
if "callList" in message["payload"]:
self.calls.extend(message["payload"]["callList"])
elif "moduleMap" in message["payload"]:
pass
elif "symbolMap" in message["payload"]:
pass
elif "deviFinished" in message["payload"]:
self.log(message["payload"]["deviFinished"])
elif "deviError" in message["payload"]:
# Some Error occoured
self.error = True
self.warn(" - Error - " + message["payload"]["deviError"])
script.on("message", on_message)
script.load()
# only resume if spawed
# if we resume before we load the script we can not intercept main
try:
frida.resume(int(self.pid))
except frida.InvalidArgumentError:
pass
def go(self):
frida.resume(self.pid)
def go(self):
frida.resume(self.pid)
def go(self):
logl("resume pid:"+str(self.pid))
frida.resume(self.pid)
def hooker():
pid = options.atta
if options.spaw:
pid = [options.spaw]
pid = frida.spawn(pid)
session = frida.attach(pid)
script = session.create_script("""
var bufferaddr;
var bufferlen;
Interceptor.attach(Module.findExportByName("Ws2_32.dll", "send"),
{
onEnter: function (args) {
send("send",Memory.readByteArray(args[1], args[2].toInt32()));
}
}
);
Interceptor.attach(Module.findExportByName("Ws2_32.dll", "recv"),
{
onEnter: function(args) {
bufferaddr = args[1];
bufferlen = args[2].toInt32();
},
onLeave: function(args){
send("recv", Memory.readByteArray(bufferaddr, bufferlen))
}
}
);
""")
#If we want a shiny html output
if options.output:
file = open(options.output, "wb")
file.write(header)
#If crtl + c...
def signal_handler(signal, frame):
file.write(footer)
sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
def on_message(message, data):
if message['payload'] == "recv":
global i
i = i + 1
print(colored("recv <-- " + str(len(data)) + " ", "red") + colored(str(i), "yellow"))
if options.verbose:
print(colored(binascii.hexlify(data), "red"))
if options.output:
file.write('<font color="red">' + str(i) + "-" + binascii.hexlify(data) + "</font><hr>")
if message['payload'] == "send":
i = i + 1
print(colored("send --> " + str(len(data)) + " ", "green") + colored(str(i), "yellow"))
if options.verbose:
print(colored(binascii.hexlify(data), "green"))
if options.output:
file.write('<font color="green">' + str(i) + "-" + binascii.hexlify(data) + "</font><hr>")
if options.spaw:
frida.resume(pid)
script.on('message', on_message)
script.load()
sys.stdin.read()
this.functionName = 'main()';
},
onLeave: function(retval) {
console.log('Exiting ' + this.functionName);
}
});
""")
def on_message(message, data):
# Print informational messages
if message['type'] == 'send':
print('\n[i] %s' % message['payload'])
# Get notified of errors in our JavaScript
elif message['type'] == 'error':
print('\n[!] %s' % message['stack'])
# Setup handler to process messages from JavaScript injected into process
script.on('message', on_message)
# Load our JavaScript into our process
script.load()
# Resume the process
frida.resume(pid)
# Keep Frida session alive until we detach it from the process
sys.stdin.read()
# Detach Frida session from process
session.detach()
def resume_process(self, pid):
print("FridaAgent resume_process called!")
frida.resume(pid)
def main(target_process):
pid = frida.spawn([target_process])
session = frida.attach(pid)
script = session.create_script("""
var seekoffset=0;
var seeklength=0;
var processname="";
var op = recv('param', function(value) {
var v = value.payload.split(",");
processname = v[0];
run();
});
function run()
{
var proc=Module.findBaseAddress(processname);
var base=Process.findRangeByAddress(proc);
var fileptr=Module.findExportByName("kernel32","SetFilePointer");
var readfileptr=Module.findExportByName("kernel32","ReadFile");
/*Memory.scan(base.base, 0x100000, "55????5D????FFFFFFE9",
{
onMatch: function(address,size)
{
console.log("Found MAlloc: "+ptr(address).toString(16));
Interceptor.attach(ptr(address), {
// When function is called, print out its parameters
onEnter: function (args) {
console.log("Entered at :"+address.toString(16))
this.length=args[0].toInt32();
if (args[0]<0x16000)
{
var subsize=args[0]
Interceptor.attach(readfileptr, {
onEnter: function (args) {
console.log('');
console.log('[+] ReadFileLength: ' + args[2]);
if (args[2].toString(16)==subsize.toString(16))
{
console.log('[+] Subsize: ' + subsize);
args[2]=ptr(seeklength);
console.log('[+] New ReadFileLength: ' + args[2]);
}
}
});
args[0]=ptr(seeklength);
console.log('[+] New DLength: ' + args[0]);
}
},
onLeave: function (retval) {
}
});
},
onComplete: function()
{
}
});*/
Memory.scan(base.base, 0x100000, "D1B5E39E",
{
onMatch: function(address,size)
{
var z=0;
for (z=address-50;z<address;z++)
{
var h=Memory.readU8(ptr(z));
if (h==0x55)
{
console.log("Detected AES: "+ptr(z).toString(16));
Interceptor.attach(ptr(z), { // Intercept calls to our SetAesDecrypt function
// When function is called, print out its parameters
onEnter: function (args) {
console.log('');
console.log('[+] AES-Length: ' + args[0]);
console.log('[+] AES-EDX: ' + Memory.readU32(this.context.edx).toString(16)); // Plaintext
this.length=args[0].toInt32();
this.xx=this.context.edx;
},
// When function is finished
onLeave: function (retval) {
dumpAddr('Data', this.xx, 16); // Print out data array, which will contain de/encrypted data as output
var dt=Memory.readByteArray(this.xx,this.length);
send('Output',dt);
console.log("Writing data.");
}
});
break;
}
}
},
onComplete: function()
{
}
});
/*Interceptor.attach(fileptr, {
onEnter: function (args) {
console.log('');
if (args[1]>0x0 && args[1]<0xFFFF0000)
{
console.log('[+] Seek: ' + args[1]);
args[1]=ptr(seekoffset);
}
},
// When function is finished
onLeave: function (retval) {
}
});*/
}
function dumpAddr(info, addr, size) {
if (addr.isNull())
return;
console.log('Data dump ' + info + ' :');
var buf = Memory.readByteArray(addr, size);
// If you want color magic, set ansi to true
console.log(hexdump(buf, { offset: 0, length: size, header: true, ansi: false }));
}
""")
script.on('message', on_message)
script.load()
script.post({'type': 'param', 'payload': str(target_process)})
frida.resume(pid)
print(
"[!] Ctrl+C on Windows/cmd.exe to detach from instrumented program.\n\n"
)
sys.stdin.read()
session.detach()
def spawn_and_hook(program, port=8080, filter="true"):
pid = frida.spawn(program)
hook(pid, port, filter)
frida.resume(pid)
