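def frida_runner(app_name, script_name, verbose, host):
    """
    Attach Frida script to an app running on a device.

    :param app_name: Process name (or whatever ``attach`` accepts) to hook.
    :param script_name: Path of the JavaScript file to inject.
    :param verbose: When truthy, dump the rendered script with line numbers
        before it is loaded.
    :param host: Address of a remote frida-server; falsy selects the USB device.

    Blocks on stdin until EOF so the injected script keeps running. Any
    exception is printed and swallowed, so callers cannot tell success from
    failure by an exception -- this is the original contract and is kept.
    """
    try:
        # Close the script file promptly instead of leaving it to the GC.
        with open(script_name, 'r') as script_file:
            content = script_file.read()
        device_id = DEVICE_ID_PLACEHOLDER
        # SCRIPT_WRAPPER is rendered from the local namespace, so the local
        # names `content` and `device_id` above are part of the template contract.
        script_text = SCRIPT_WRAPPER % locals()
        # presumably the wrapper leaves one more %-placeholder; kept as found -- TODO confirm
        script_text = script_text % 1
        if verbose:
            _print_with_line_no(script_text)
        print('Starting session...')
        if host:
            remote_device = frida.get_device_manager().add_remote_device(host)
            session = remote_device.attach(app_name)
        else:
            session = frida.get_usb_device().attach(app_name)
        script = session.create_script(script_text)
        script.on('message', on_message)
        script.load()
        print('Connected')
        sys.stdin.read()
    except Exception as e:
        # Best-effort reporting: print the error and return normally.
        print(e)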
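def init_session():
    """
    Pick a Frida device for the configured platform and attach to the app.

    Reads the module globals ``platform``, ``app_name`` and ``spawn``:
    'ios'/'android' use the USB device, 'macos' the local device, anything
    else exits with status 1. With ``spawn == 1`` the app is spawned first
    (Android by package name, iOS/macOS by the bundle id from getBundleID)
    and attached by pid; otherwise it is attached by name.

    :return: ``(device, session, pid)`` -- ``session`` is None if no app_name
        was given or attaching failed (the error is printed, not raised);
        ``pid`` is None unless the app was spawned.
    """
    try:
        session = None
        if platform == 'ios' or platform == 'android':
            try:
                device = frida.get_usb_device()
            except Exception as e:
                print(colored(str(e), "red"))
                traceback.print_exc()
                if platform == 'android':
                    print(colored("Troubleshooting Help", "blue"))
                    print(colored("HINT: Is USB Debugging enabled?", "blue"))
                    print(colored("HINT: Is `frida-server` running on mobile device (with +x permissions)?", "blue"))
                    print(colored("HINT: Is `adb` daemon running?", "blue"))
                    sys.exit(1)
                elif platform == "ios":
                    print(colored("Troubleshooting Help", "blue"))
                    print(colored("HINT: Have you installed `frida` module from Cydia?", "blue"))
                    print(colored("HINT: Have used `ipa_installer` to inject the `FridaGadget` shared lbrary?", "blue"))
                    sys.exit(1)
        elif platform == 'macos':
            device = frida.get_local_device()
        else:
            print(colored('[ERROR] Unsupported Platform', 'red'))
            sys.exit(1)
        pid = None
        if app_name:
            try:
                if platform == 'android' and spawn == 1:
                    print(colored("Now Spawning %s" % app_name, "green"))
                    pid = device.spawn([app_name])
                    # Fixed waits give the spawned process time to come up
                    # before and after attaching.
                    time.sleep(5)
                    session = device.attach(pid)
                    time.sleep(5)
                elif (platform == 'ios' or platform == 'macos') and spawn == 1:
                    bundleID = getBundleID(device, app_name, platform)
                    if bundleID:
                        print(colored("Now Spawning %s" % bundleID, "green"))
                        pid = device.spawn([bundleID])
                        time.sleep(5)
                        session = device.attach(pid)
                    else:
                        print(colored("[ERROR] Can't spawn %s" % app_name, "red"))
                        traceback.print_exc()
                        sys.exit(1)
                else:
                    session = device.attach(app_name)
            except Exception as e:
                print(colored('[ERROR] ' + str(e), 'red'))
                traceback.print_exc()
            if session:
                print(colored('[INFO] Attached to %s' % (app_name), 'yellow'))
                session.on('detached', on_detached)
    except Exception as e:
        print(colored('[ERROR] ' + str(e), 'red'))
        traceback.print_exc()
        sys.exit(1)
    return device, session, pid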
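def main():
    """
    Spawn the target package on a Frida device, load the hook script and wait.

    Uses the module globals ``args`` (show_devices, device), ``package_name``
    and ``dump_directory_location``. With ``show_devices`` set, the known
    devices are listed and nothing else happens. Otherwise the target is
    spawned (suspended), attached, resumed, the dumps directory is created if
    needed and the script from instrument_debugger_checks() is loaded. The
    function then blocks on stdin; Ctrl+C kills the spawned pid before
    returning. Spawn failures known to frida are logged and end the run.
    """
    if args.show_devices:
        for i, device in enumerate(frida.get_device_manager().enumerate_devices()):
            print("Index: {} | {}".format(i, device))
        return
    # Get device
    if args.device is None:
        # no args supplied, use USB
        device = frida.get_usb_device()
    else:
        # use device_id if supplied
        device = get_device(args.device)
    printlog("Device Connected: {}".format(device.name), 'ok')
    try:
        pid = device.spawn([package_name])  # spawned process with pid at suspended state
    except (frida.TransportError, frida.NotSupportedError, frida.ExecutableNotFoundError) as e:
        # str(e) works on Python 2 and 3; `e.message` was Python 2 only.
        printlog(str(e), 'error')
        return
    printlog("Spawned target with PID: {}".format(pid), 'debug')
    process = device.attach(pid)  # get a debug session from pid
    printlog("Process attached!", 'ok')
    device.resume(pid)  # resume process from suspended state
    # Create dumps directory, if it does not exist
    if not os.path.exists(dump_directory_location):
        os.makedirs(dump_directory_location)
        printlog("Created Dumps Directory: {}".format(dump_directory_location), 'debug')
    else:
        printlog("Dumps Directory: {}".format(dump_directory_location), 'debug')
    script = process.create_script(instrument_debugger_checks())
    script.on('message', get_messages_from_js)
    printlog("Hook script start!", 'debug')
    script.load()
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        printlog("\r", 'raw')
        printlog("Abort script acknowledged, cleaning up...")
        # Kill the process we spawned so no instrumented instance is left running.
        device.kill(pid)
        printlog("Killed target with PID: {}".format(pid), 'debug')
        printlog("Script Exit.")
        return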
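def begin_instrumentation(appName, script_source):
    """
    Attach to *appName* on the USB device and load *script_source* into it.

    :param appName: Process name or pid accepted by ``Device.attach``.
    :param script_source: JavaScript source for the Frida script.

    Messages from the script go to ``on_message``. If attaching or loading
    fails, the error is printed in red and the interpreter exits with status 1
    (the original exited with status 0, which reported the failure as success).
    """
    device = frida.get_usb_device()
    try:
        session = device.attach(appName)
    except Exception as e:
        print(colored('[ERROR]: ' + str(e), "red"))
        sys.exit(1)
    try:
        script = session.create_script(script_source)
        script.on('message', on_message)
        script.load()
    except Exception as e:
        print(colored('[ERROR]: ' + str(e), "red"))
        sys.exit(1)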
def __init__(self, handlers, device=None): """ Initialize the Injector with a mapping apps to handlers. :param handlers: A mapping between a process we want to hook and a handler. Each handler provides the script we want to inject and an optional on_message function. :type handlers: dict :param device: An attached device or None if you want to attach to the USB device. :type device: frida.core.Device """ self.device = device or frida.get_usb_device() self.handlers = handlers self._pending = [] self.active_sessions = [] self._do_spawn_gating = False self._event = threading.Event()
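def __spawn_and_inject__(self, package_name, script_path):
    """
    (Re)start *package_name* on the USB device and inject the compiled script.

    :param package_name: Android package to launch and hook.
    :param script_path: JavaScript source; compiled into ``self.temp_script_path``
        first, then ``__PACKAGE_NAME__`` is replaced with *package_name*.
    :return: None. Logs an error and returns early if the package does not
        show up as a running process within the polling window.
    """
    print(f"[*] Starting at {datetime.now().strftime('%H:%M:%S')}")
    if not os.path.isabs(script_path):
        script_path = os.path.abspath(script_path)
    output_script = os.path.join(self.temp_script_path, os.path.basename(script_path))
    self.__compile_javascript__(script_path, output_script)
    # Read and close the compiled script promptly.
    with open(output_script, encoding="utf-8") as compiled:
        script_content = compiled.read()
    script_content = script_content.replace("__PACKAGE_NAME__", package_name)
    device = frida.get_usb_device()
    # Kill a running instance first so the hooks observe the process from start-up.
    pid = self.__get_process_pid__(device, package_name)
    if pid != -1:
        device.kill(package_name)
        time.sleep(0.1)
    self.exec_command("adb", "shell", "monkey", "-p", package_name,
                      "-c", "android.intent.category.LAUNCHER", "1")
    # Poll briefly (15 x 50 ms) for the new process to appear.
    pid = -1
    for _ in range(15):
        pid = self.__get_process_pid__(device, package_name)
        if pid != -1:
            break
        time.sleep(0.05)
    if pid == -1:
        logger.error(f"Run package {package_name} failed.")
        return
    logger.info(f"Injecting {os.path.basename(script_path)} to {package_name}({pid})")
    self.__start_session__(device, pid, script_content)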
def module_pre(self):
    """
    Set up the Frida session before the module body runs.

    Calls FridaModule.module_pre first, picks the Frida device for the
    transport (USB, or the second enumerated device for Wi-Fi), then either
    spawns the app (optionally resuming it) or launches it through the
    device helper and attaches by pid, according to ``self.options``.
    Resets ``self.results`` to an empty list and returns 1.
    """
    # Run FridaModule setup function
    FridaModule.module_pre(self)

    # Get an handle to the device
    import frida
    if self.device.is_usb():
        self.printer.debug("Connected over USB")
        device = frida.get_usb_device()
    else:
        self.printer.debug("Connected over Wi-Fi")
        # NOTE(review): assumes the Wi-Fi device is at index 1 of the enumeration -- confirm
        device = frida.get_device_manager().enumerate_devices()[1]

    # Spawn/attach to the process
    if self.options['spawn']:
        # Launching the app
        self.printer.info("Spawning the app...")
        pid = device.spawn([self.APP_METADATA['bundle_id']])
        # Attaching to the process
        self.printer.info("Attaching to process: %s" % pid)
        self.session = device.attach(pid)
        if self.options['resume']:
            self.printer.verbose("Resuming the app's process...")
            device.resume(pid)
    else:
        # Launching the app
        self.printer.info("Launching the app...")
        self.device.app.open(self.APP_METADATA['bundle_id'])
        pid = int(self.device.app.search_pid(self.APP_METADATA['binary_name']))
        # Attaching to the process
        self.printer.info("Attaching to process: %s" % pid)
        self.session = device.attach(pid)

    # Prepare results
    self.results = []
    return 1
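def init_session():
    """
    Create a Frida device handle and, if app_name is set, attach to the app.

    Reads the module globals ``platform`` and ``app_name``: 'ios'/'android'
    use the USB device, 'mac' the local device; anything else exits with
    status 1. Attach errors are printed (not raised) and leave session None.

    :return: ``(device, session)``; ``session`` is None when no app_name was
        given or attaching failed.
    """
    try:
        session = None
        if platform == 'ios' or platform == 'android':
            device = frida.get_usb_device()
        elif platform == 'mac':
            device = frida.get_local_device()
        else:
            print(colored('[ERROR] Unsupported platform', 'red'))
            # Non-zero status, consistent with the error handler below.
            sys.exit(1)
        if app_name:
            try:
                session = device.attach(app_name)
            except Exception as e:
                print(colored('[ERROR] ' + str(e), 'red'))
                traceback.print_exc()
            if session:
                print(colored('[INFO] Attached to %s' % (app_name), 'yellow'))
                session.on('detached', on_detached)
    except Exception as e:
        print(colored('[ERROR] ' + str(e), 'red'))
        traceback.print_exc()
        sys.exit(1)
    return device, session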
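def show_packages():
    """
    Flask view: list processes on the Frida device and render packages_list.html.

    The optional ``remote`` query parameter names a frida-server by IP
    address. It is client-supplied, so it is validated with socket.inet_aton
    (a literal IPv4 address only); an invalid value renders intro.html.
    Without a remote the USB device is used. The chosen device is cached in
    the module global ``device`` and reused by later requests.
    frida.ServerNotRunningError renders error.html.
    """
    global device
    try:
        remote = request.args.get('remote')
        if device is None:
            # A missing parameter is None; the original called len() on it
            # and raised TypeError. Treat missing/empty as "use USB".
            if remote:
                # check remote ip address
                try:
                    socket.inet_aton(remote)
                    print("adding remote device to device manager : %s" % remote)
                    device = frida.get_device_manager().add_remote_device(remote)
                    print("remote device : %s" % (device,))
                except socket.error:
                    return render_template('intro.html')
            else:
                device = frida.get_usb_device()
        # get list of apps
        packages = device.enumerate_processes()
        print(packages)
    except frida.ServerNotRunningError:
        return render_template('error.html', error="cannot connect to remote :(")
    return render_template('packages_list.html', packages=packages)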
send("Hooked the target method : " + sel); var obj = ObjC.Object(args[2]); send("[+] File : " + obj.toString()); var obj = ObjC.Object(args[3]); send("[+] Content : " + obj.toString()); var obj = ObjC.Object(args[4]); send("[+] Attributes : " + obj.toString()); } }); } else { console.log("Objective-C Runtime is not available!"); } """ return hook if __name__ == '__main__': try: session = frida.get_usb_device().attach(str(sys.argv[1])) script = session.create_script(do_hook()) script.on('message', on_message) script.load() sys.stdin.read() except KeyboardInterrupt: sys.exit(0)
import frida
import sys


def on_message(message, data):
    """Print Frida messages: `send` payloads prefixed with [*], anything else raw."""
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))


# Hook MainActivity.onClick and overwrite the counters after the original
# handler has run.
jscode = """
Java.perform(function () {
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    MainActivity.onClick.implementation = function (v) {
        send("Hook Start...");
        this.onClick(v);
        this.n.value = 0;
        this.m.value = 2;
        this.cnt.value = 999;
        send("Success!")
    }
});
"""

process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
# Block until stdin closes so the hooks stay loaded.
sys.stdin.read()
import frida
import sys


def on_message(message, data):
    """Print Frida messages: `send` payloads prefixed with [*], anything else raw."""
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))


# Hooks for the PostLogin root checks; each logs and reports "not found".
jscode = """
Java.perform(function () {
    var MainActivity = Java.use('com.android.insecurebankv2.PostLogin');
    MainActivity.doesSUexist.implementation = function () {
        console.log('Done: doesSUexist');
        return false;
    };
    MainActivity.doesSuperuserApkExist.implementation = function (b) {
        console.log('Done: doesSuperuserApkExist');
        return false;
    };
});
"""

process = frida.get_usb_device().attach('com.android.insecurebankv2')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
# Block until stdin closes so the hooks stay loaded.
sys.stdin.read()
util.getMsg.implementation = function(){ console.log("Hook Start..."); console.log("return : " + this.getMsg()); return this.getMsg(); } }); } """ def on_message(message, data): if message['type'] == 'send': print(" {0}".format(message['payload'])) else: print(message) # 查找USB设备并附加到目标进程 session = frida.get_usb_device().attach('com.qzdsp.tiktok') # 在目标进程里创建脚本 script = session.create_script(jscode) # 注册消息回调 script.on('message', on_message) # 加载创建好的javascript脚本 script.load() # 读取系统输入 sys.stdin.read()
var extra = extraByteMap[(ch >> 3) & 0x07]; if (!(ch & 0x40) || !extra || ((index + extra) > count)) return null; ch = ch & (0x3F >> extra); for (;extra > 0;extra -= 1) { var chx = bArray[index++]; if ((chx & 0xC0) != 0x80) return null; ch = (ch << 6) | (chx & 0x3F); } } str += String.fromCharCode(ch); } console.log("HMAC-Key: "+str); return this.init(v); }; }); """ process = frida.get_usb_device(1).attach('com.tellm.android.app') script = process.create_script(jscode) script.on('message', on_message) print('Running...') script.load() sys.stdin.read()
}, onLeave: function(retval) { console.log("INPUT AFTER END OF FUNCTION:"); var buf = Memory.readByteArray(this.bufPtr, this.bufLen); console.log(hexdump(buf, { offset: 0, length: this.bufLen, header: true, ansi: true })); } }); """ return hook_code device = frida.get_usb_device() print u"Device Found: {}".format(device.name) pid = device.spawn([package_name]) #spawned process with pid at suspended state print "Spawned with PID: {}".format(pid) process = device.attach(pid) #get a debug session from pid print "Process attached!" device.resume(pid) #resume process from suspended state script = process.create_script(instrument_debugger_checks()) script.on('message',get_messages_from_js) script.load() sys.stdin.read()
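import frida
import sys

if __name__ == '__main__':
    # Read and close the script file rather than leaving it to the GC.
    with open('script.js', 'r') as script_file:
        jscode = script_file.read()
    process = frida.get_usb_device().attach('com.ss.android.ugc.aweme')
    script = process.create_script(jscode)
    print('[*] Running CTF')
    script.load()
    # Block until stdin closes so the hooks stay loaded.
    sys.stdin.read()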
rSAPublicKeySpec.$init.overload('java.math.BigInteger','java.math.BigInteger').implementation = function (a,b) { showStacks(); var result = this.$init(a,b); send("======================================"); //send("RSA密钥:" + bytesToBase64(a)); send("RSA密钥N:" + a.toString(16)); send("RSA密钥E:" + b.toString(16)); return result; } }); """ print(sys.argv[1]) fw = open(sys.argv[1], 'w+', encoding='utf-8') def message(message, data): if message["type"] == 'send': # print(u"[*] {0}".format(message['payload'])) fw.write(u"[*] {0}\n".format(message['payload'])) fw.flush() else: # print(message) pass process = frida.get_usb_device().attach(sys.argv[1]) script = process.create_script(jsCode) script.on("message", message) script.load() sys.stdin.read()
} var ret = this.getProperty(param1); return ret; } }); } """ def on_message(message, data): if message['type'] == 'send': print(" {0}".format(message['payload'])) else: print(message) # 查找USB设备并附加到目标进程 session = frida.get_usb_device().attach('com.fenzotech.jimu') # 在目标进程里创建脚本 script = session.create_script(jscode) # 注册消息回调 script.on('message', on_message) # 加载创建好的javascript脚本 script.load() # 读取系统输入 sys.stdin.read()
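def attchProcess(processname):
    """
    Attach to *processname* on the USB device and return the Frida session.

    The original called ``attch`` (a typo) and discarded the result, so it
    always raised AttributeError; it now calls ``attach`` and returns the session.
    """
    process = frida.get_usb_device().attach(processname)
    return process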
return if (message['payload']['function'] == 'SharedPrefernece'): sharedPreference_hook(message) else: pass if __name__ == "__main__": # pcap logging print("[+] START") print("[I] Press Ctrl+C to stop logging.") if (1 == 1): session = frida.get_usb_device().attach(application) else: device = frida.get_usb_device() pid = device.spawn(application) device.attach(pid) device.resume(pid) script = session.create_script(_FRIDA_SCRIPT) script.on('message', on_message) script.load() try: sys.stdin.read() except KeyboardInterrupt: pass session.detach()
console.log(param3); console.log(param4); console.log(param5); this.$init("Leo","man",18,99.5,true); } }); } """ def on_message(message, data): if message['type'] == 'send': print(" {0}".format(message['payload'])) else: print(message) # 查找USB设备并附加到目标进程 session = frida.get_usb_device().attach('com.my.fridademo') # 在目标进程里创建脚本 script = session.create_script(jscode) # 注册消息回调 script.on('message', on_message) # 加载创建好的javascript脚本 script.load() # 读取系统输入 sys.stdin.read()
var Classz = Java.use("java.net.URL"); Classz.$init.overload("java.lang.String").implementation=function(param1){ console.log(param1); this.$init(param1); } }); } """ def on_message(message, data): if message['type'] == 'send': print(" {0}".format(message['payload'])) else: print(message) # 查找USB设备并附加到目标进程 session = frida.get_usb_device().attach('com.wuba') # 在目标进程里创建脚本 script = session.create_script(jscode) # 注册消息回调 script.on('message', on_message) # 加载创建好的javascript脚本 script.load() # 读取系统输入 sys.stdin.read()
Java.perform(function () { var TM = Java.use("android.os.Debug"); TM.isDebuggerConnected.implementation = function () { send("Called - isDebuggerConnected()"); return false; }; var TMS = Java.use("android.telephony.TelephonyManager"); TMS.getDeviceId.implementation = function () { send("Called - deviceID()"); return "pwn3d"; }; }); },0); """ return hook_code process = frida.get_usb_device().attach(package_name) script = process.create_script(instrument_debugger_checks()) script.on('message',get_messages_from_js) script.load() sys.stdin.read()
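import codecs
import frida
from time import sleep

#session = frida.get_usb_device().attach('Grand Summoners')
# frida -U --no-pause -f "jp.goodsmile.grandsummonersglobal" -l ./hooks.js
# Device.spawn() returns a pid, not a session, so the original's
# `session.create_script` could never work. Spawn, attach to the pid, load
# the hooks, then resume (the CLI equivalent above is `--no-pause`).
device = frida.get_usb_device()
pid = device.spawn("jp.goodsmile.grandsummonersglobal")
session = device.attach(pid)

with codecs.open('./hooks.js', 'r', 'utf-8') as f:
    source = f.read()

script = session.create_script(source)
script.load()
device.resume(pid)
#rpc = script.exports
#session.detach()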
import os


def on_message(message, data):
    """Print messages from the injected script, one layout per message type."""
    kind = message["type"]
    if kind == "error":
        print("[*]Message: ")
        for key, value in message.items():
            print(key, ":", value)
    elif kind == "send":
        print("[*]", message["payload"])
    else:
        print("[*]Message: ", message)
        print("[*]Payload: ", data)


# NOTE(review): `frida` and `time` are used below but not imported in this
# view -- confirm they are imported elsewhere in the file.
device = frida.get_usb_device()  # get the USB device
processId = device.spawn("com.tencent.mm")  # restart the app; returns the pid
device.resume(processId)  # resume right away so the process does not stall after attaching
time.sleep(10)
attachSession = device.attach(processId)  # attach to the WeChat process; returns a session
# attachSession = device.attach("com.tencent.mm")  # attach to the WeChat process; returns a session
# NOTE(review): loads whichever entry os.listdir returns first, not a named
# script -- fragile; confirm the working directory holds only the script.
with open(os.listdir("./")[0], "r", encoding="utf-8") as f:
    jscode = f.read()
script = attachSession.create_script(jscode)  # create a new JS script
script.on("message", on_message)  # register the message callback
print('[*] Running CTF')
script.load()  # load the script and run it
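STRINGS = arguments.strings
MAX_SIZE = 20971520
PERMS = 'rw-'
if arguments.read_only:
    PERMS = 'r--'
if arguments.verbose:
    DEBUG_LEVEL = logging.DEBUG
logging.basicConfig(format='%(levelname)s:%(message)s', level=DEBUG_LEVEL)

# Start a new Session
session = None
try:
    if USB:
        session = frida.get_usb_device().attach(APP_NAME)
    else:
        session = frida.attach(APP_NAME)
except Exception as e:
    # Narrowed from a bare `except:` so Ctrl+C and SystemExit are not swallowed;
    # the underlying reason is kept at debug level. A failed connection is an
    # error, so exit non-zero (the original exited 0).
    print("Can't connect to App. Have you connected the device?")
    logging.debug(str(e))
    sys.exit(1)

# Selecting Output directory
if arguments.out is not None:
    DIRECTORY = arguments.out
    if os.path.isdir(DIRECTORY):
        print("Output directory is set to: " + DIRECTORY)
    else:
        print("The selected output directory does not exist!")
        sys.exit(1)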
''') print("\033[1;34m[*]___author___: @noobpk\033[1;37m") print("\033[1;34m[*]___version___: 1.1\033[1;37m") print("") def parse_hook(filename): print('[*] Script: ' + filename) hook = open(filename, 'r') script = session.create_script(hook.read()) script.load() if __name__ == '__main__': try: parser = argparse.ArgumentParser() parser.add_argument('package', help='Spawn a new process and attach') parser.add_argument('script', help='Print stack trace for each hook') args = parser.parse_args() print('[*] Spawning: ' + args.package) pid = frida.get_usb_device().spawn(args.package) session = frida.get_usb_device().attach(pid) parse_hook(args.script) frida.get_usb_device().resume(pid) print('---------------Done-----------------') sys.stdin.read() except KeyboardInterrupt: sys.exit(0)
self.wfile.write(self.rfile.read(content_length)) do_RESPONSE = do_REQUEST def echo_server_thread(): print('start echo server at port {}'.format(ECHO_PORT)) server = HTTPServer(('', ECHO_PORT), RequestHandler) server.serve_forever() t = Thread(target=echo_server_thread) t.daemon = True t.start() session = frida.get_usb_device().attach('支付宝') script = session.create_script(''' try{ var className = "DTURLRequestOperation"; var funcName = "- addHTTPBodyParameter:forKey:"; var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]'); console.log("[*] Class Name: " + className); console.log("[*] Method Name: " + funcName); Interceptor.attach(hook.implementation, { onEnter: function(args) { var v = new ObjC.Object(args[2]); send({type: 'REQ', data: v.toString()})
import frida
import sys

# Script source is filled in separately; an (almost) empty string is loaded as-is.
jscode = """ """


def on_message(message, data):
    """Print every message from the injected script verbatim."""
    print (message)


process = frida.get_usb_device().attach('com.fingersoft.hillclimb')
print('[*] process')
script = process.create_script(jscode)
script.on("message", on_message)
script.load()
# Block until stdin closes so the script stays loaded.
sys.stdin.read()
var Activity = Java.use("org.apache.http.client.methods.HttpPost"); Activity.$init.overload('java.lang.String').implementation = function(a){ console.log("HttpPost is called") console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new())) this.$init.overload('java.lang.String').call(this, a) } var Activity3 = Java.use("java.net.URL"); Activity3.$init.overload('java.lang.String').implementation = function(a){ console.log("URL is called") this.$init.overload('java.lang.String').call(this, a) } console.log("=== hooking finish ====") }); console.log("[*] Finish "); """ device = frida.get_usb_device(timeout=10) pid = device.spawn("com.ibk.smsmanager") process = device.attach(pid) script = process.create_script(j_code) script.on('message', on_message) print('[*] on Going') script.load() sys.stdin.read()
def ssl_log(process, pcap=None, verbose=False, remote=False): """Decrypts and logs a process's SSL traffic. Hooks the functions SSL_read() and SSL_write() in a given process and logs the decrypted data to the console and/or to a pcap file. Args: process: The target process's name (as a string) or process ID (as an int). pcap: The file path to which the pcap file should be written. verbose: If True, log the decrypted traffic to the console. Raises: NotImplementedError: Not running on a Linux or macOS system. """ if platform.system() not in ("Darwin", "Linux"): raise NotImplementedError( "This function is only implemented for Linux and " "macOS systems.") def log_pcap(pcap_file, ssl_session_id, function, src_addr, src_port, dst_addr, dst_port, data): """Writes the captured data to a pcap file. Args: pcap_file: The opened pcap file. ssl_session_id: The SSL session ID for the communication. function: The function that was intercepted ("SSL_read" or "SSL_write"). src_addr: The source address of the logged packet. src_port: The source port of the logged packet. dst_addr: The destination address of the logged packet. dst_port: The destination port of the logged packet. data: The decrypted packet data. 
""" t = time.time() if ssl_session_id not in ssl_sessions: ssl_sessions[ssl_session_id] = (random.randint(0, 0xFFFFFFFF), random.randint(0, 0xFFFFFFFF)) client_sent, server_sent = ssl_sessions[ssl_session_id] if function == "SSL_read": seq, ack = (server_sent, client_sent) else: seq, ack = (client_sent, server_sent) for writes in ( # PCAP record (packet) header ("=I", int(t)), # Timestamp seconds ("=I", int((t * 1000000) % 1000000)), # Timestamp microseconds ("=I", int(40 + len(data))), # Number of octets saved ("=i", int(40 + len(data))), # Actual length of packet # IPv4 header (">B", 0x45), # Version and Header Length (">B", 0), # Type of Service (">H", 40 + len(data)), # Total Length (">H", 0), # Identification (">H", 0x4000), # Flags and Fragment Offset (">B", 0xFF), # Time to Live (">B", 6), # Protocol (">H", 0), # Header Checksum (">I", src_addr), # Source Address (">I", dst_addr), # Destination Address # TCP header (">H", src_port), # Source Port (">H", dst_port), # Destination Port (">I", seq), # Sequence Number (">I", ack), # Acknowledgment Number (">H", 0x5018), # Header Length and Flags (">H", 0xFFFF), # Window Size (">H", 0), # Checksum (">H", 0)): # Urgent Pointer pcap_file.write(struct.pack(writes[0], writes[1])) pcap_file.write(data) if function == "SSL_read": server_sent += len(data) else: client_sent += len(data) ssl_sessions[ssl_session_id] = (client_sent, server_sent) def on_message(message, data): """Callback for errors and messages sent from Frida-injected JavaScript. Logs captured packet data received from JavaScript to the console and/or a pcap file. See https://www.frida.re/docs/messages/ for more detail on Frida's messages. Args: message: A dictionary containing the message "type" and other fields dependent on message type. data: The string of captured decrypted data. 
""" if message["type"] == "error": pprint.pprint(message) os.kill(os.getpid(), signal.SIGTERM) return if len(data) == 0: return p = message["payload"] p["src_port"] = socket.ntohs(p["src_port"]) p["dst_port"] = socket.ntohs(p["dst_port"]) p["src_addr"] = socket.ntohl(p["src_addr"]) p["dst_addr"] = socket.ntohl(p["dst_addr"]) if verbose: src_addr = socket.inet_ntop(socket.AF_INET, struct.pack(">I", p["src_addr"])) dst_addr = socket.inet_ntop(socket.AF_INET, struct.pack(">I", p["dst_addr"])) print("SSL Session: " + p["ssl_session_id"]) print("[%s] %s:%d --> %s:%d" % (p["function"], src_addr, p["src_port"], dst_addr, p["dst_port"])) hexdump.hexdump(data) print() if pcap: log_pcap(pcap_file, p["ssl_session_id"], p["function"], p["src_addr"], p["src_port"], p["dst_addr"], p["dst_port"], data) device = frida.get_usb_device() if remote: pid = device.spawn([process]) session = device.attach(pid) # session=frida.get_remote_device().attach(process) else: session = frida.attach(process) if pcap: pcap_file = open(pcap, "wb", 0) for writes in ( ("=I", 0xa1b2c3d4), # Magic number ("=H", 2), # Major version number ("=H", 4), # Minor version number ("=i", time.timezone), # GMT to local correction ("=I", 0), # Accuracy of timestamps ("=I", 65535), # Max length of captured packets ("=I", 228)): # Data link type (LINKTYPE_IPV4) pcap_file.write(struct.pack(writes[0], writes[1])) scriptname = "ssl_logger_script.js" fd = open(scriptname, "r") script = session.create_script(fd.read()) fd.close() script.on("message", on_message) script.load() if remote: device.resume(pid) print("Press Ctrl+C to stop logging.") try: signal.pause() except KeyboardInterrupt: pass session.detach() if pcap: pcap_file.close()
payload = str(message['payload']) + '\n' sc.sendto(payload.encode(), ('127.0.0.1', 5585)) print(str(message['payload']) + '\n') except: print('error') elif message['type'] == 'error': try: print(str(message['stack']) + '\n') except: print('error') else: print("something...") jscode = ''' ''' if __name__ == "__main__": print("[*] Start Process ...") PACKAGE_NAME = sys.argv[1] try: process = frida.get_usb_device().attach(PACKAGE_NAME) script = process.create_script(jscode) script.on('message', on_message) script.load() sys.stdin.read() except Exception as error: print(error)
# console.log('----------------');
# },
# onLeave: function(retval) {
# }
# })
# """
# jscode = """
# var pointer = Module.findBaseAddress("libjdpdj.so").add(0x35E7E + 1);
# console.log("hmac_sha256 pointer: ", pointer);
#
# Interceptor.attach(pointer, {
#     onEnter: function(args) {
#         console.log("arg1:", Memory.readUtf8String(args[0]));
#         console.log("arg2:", parseInt(args[1]));
#         console.log("arg3:", Memory.readCString(args[2]));
#         console.log("arg4:", parseInt(args[3]));
#         console.log('---------------');
#     },
#     onLeave:function(retval){
#     }
# });
# """

# Attach to the running app and load the `jscode` selected above.
process = frida.get_usb_device().attach('com.jingdong.pdj')
script = process.create_script(jscode)
print('[*] Running CTF')
script.on('message', on_message)
script.load()
# Block until stdin closes so the hooks stay loaded.
sys.stdin.read()
def on_message(message, data):
    """Print Frida messages: `send` payloads prefixed with [*], anything else raw."""
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))


# NOTE(review): assigns class_u.sha256 directly rather than setting
# `.implementation` -- confirm this hooks the method as intended.
jscode = """
Java.perform(function () {
    var class_u = Java.use("com.sensetime.senseid.sdk.liveness.interactive.common.util.StringUtil");
    class_u.sha256 = function (str) {
        console.log("Success");
        console.log("str:", str);
        var result = this.sha256(str);
        console.log(result);
        return result;
    };
});
"""

process = frida.get_usb_device().attach('cn.roleft.mobile.liaoliaoapp')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
# Block until stdin closes so the hook stays loaded.
sys.stdin.read()
def frida_device(self):
    """Return the Frida USB device handle (looked up on every call, not cached)."""
    usb_device = frida.get_usb_device()
    return usb_device
import frida
import sys


def on_message(message, data):
    """Print every message from the injected script verbatim."""
    print(message)


# NOTE(review): the positional argument to get_usb_device is a timeout; 1000000
# looks very long -- confirm the intended unit.
session = frida.get_usb_device(1000000).attach("com.instagram.android")
script = session.create_script("""
fscrambler = Module.findExportByName(null,"_ZN9Scrambler9getStringESs");
Interceptor.attach(ptr(fscrambler), {
    onLeave: function (retval) {
        send("key: " + Memory.readCString(retval));
    }
});
""")
script.on('message', on_message)
script.load()
# Block until stdin closes so the hook stays loaded.
sys.stdin.read()
import codecs
import frida
from time import sleep

# Attach to the running app and load the RPC agent.
session = frida.get_usb_device().attach('Telegram')
with codecs.open('./audiobox_rpc.js', 'r', 'utf-8') as f:
    source = f.read()
script = session.create_script(source)
script.load()

# Drive the agent's exported functions one second apart, then detach.
rpc = script.exports
rpc.sms()
sleep(1)
rpc.email()
sleep(1)
rpc.lock()
sleep(1)
rpc.photo()
session.detach()
def start_frida(x, bleeh):
    """
    Attach to the process *bleeh* on the USB device and load the script *x*.

    Messages from the script are routed to get_messages_from_js. Nothing is
    returned and the script object is not kept, so the caller must keep the
    interpreter alive if the hooks should persist.
    """
    device = frida.get_usb_device()
    session = device.attach(bleeh)
    loaded = session.create_script(x)
    loaded.on('message', get_messages_from_js)
    loaded.load()
Java.perform(function () { // Function to hook is defined here var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity'); // Whenever button is clicked MainActivity.onClick.implementation = function (v) { // Show a message to know that the function got called send('onClick'); // Call the original onClick handler this.onClick(v); // Set our values after running the original onClick handler this.m.value = 0; this.n.value = 1; this.cnt.value = 999; // Log to the console that it's done, and we should have the flag! console.log('Done:' + JSON.stringify(this.cnt)); }; }); """ process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors') script = process.create_script(jscode) script.on('message', on_message) print('[*] Running CTF') script.load() sys.stdin.read()
import frida import sys session = frida.get_usb_device().attach(88906) script_string = """ if (ObjC.available) { try { var className = "WCDeviceStepObject"; var funcName = "- m7StepCount"; var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]'); console.log("[*] Class Name: " + className); console.log("[*] Method Name: " + funcName); Interceptor.attach(hook.implementation, { onEnter: function(args) { var arg0 = new ObjC.Object(args[0]); console.log("arg0:"+ arg0.toString()); }, onLeave: function(retval) { var retvalue = new ObjC.Object(retval); console.log("retval:"+ retvalue.toString()); newretval=ptr("0x5000"); retval.replace(newretval); console.log("newretval:"+ retval); } }); } catch(err)
util.a.overload("int").implementation = function(p1){ console.log("p1 : " + p1); this.a(p1); } }); } """ def on_message(message, data): if message['type'] == 'send': print(" {0}".format(message['payload'])) else: print(message) # 查找USB设备并附加到目标进程 session = frida.get_usb_device().attach('com.uustock.dayi') # 在目标进程里创建脚本 script = session.create_script(jscode) # 注册消息回调 script.on('message', on_message) # 加载创建好的javascript脚本 script.load() # 读取系统输入 sys.stdin.read()
instance.onReceive(context,ins2); }, onComplete:function(){ } }); }); """ def get_message(message,data): if 'payload' in message: print message['payload'] else: print message s = frida.get_usb_device(1).attach("com.tamu.ctf.hidden") script = s.create_script(jsnative) script.on('message',get_message) script.load() pause()
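def init():
    """
    Lazily populate the module global ``session`` with the USB device.

    Despite its name, ``session`` holds the frida Device returned by
    get_usb_device(), not a Session. Later calls are no-ops once it is set.
    """
    global session
    # Identity check for None instead of `==`, which may invoke __eq__.
    if session is None:
        session = frida.get_usb_device()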
else: if message['type'] == 'error': print (message['stack']) else: print_result(message) def kill_process(): cmd = "adb shell pm clear {} 1> /dev/null".format(APP_NAME) os.system(cmd) kill_process() try: with codecs.open("hooks.js", 'r', encoding='utf8') as f: jscode = f.read() device = frida.get_usb_device(timeout=5) pid = device.spawn([APP_NAME]) session = device.attach(pid) script = session.create_script(jscode) device.resume(APP_NAME) script.on('message', on_message) print ("[*] Intercepting on {} (pid:{})...".format(APP_NAME,pid)) script.load() sys.stdin.read() except KeyboardInterrupt: print ("[!] Killing app...") kill_process() time.sleep(1) kill_process()
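STRINGS = arguments.strings
MAX_SIZE = 20971520
PERMS = 'rw-'
if arguments.read_only:
    PERMS = 'r--'
if arguments.verbose:
    DEBUG_LEVEL = logging.DEBUG
logging.basicConfig(format='%(levelname)s:%(message)s', level=DEBUG_LEVEL)

# Start a new Session
session = None
try:
    if USB:
        session = frida.get_usb_device().attach(APP_NAME)
    else:
        session = frida.attach(APP_NAME)
except Exception as e:
    print("Can't connect to App. Have you connected the device?")
    logging.debug(str(e))
    # A failed connection is an error: exit non-zero, consistent with the
    # output-directory check below (the original exited 0 here).
    sys.exit(1)

# Selecting Output directory
if arguments.out is not None:
    DIRECTORY = arguments.out
    if os.path.isdir(DIRECTORY):
        print("Output directory is set to: " + DIRECTORY)
    else:
        print("The selected output directory does not exist!")
        sys.exit(1)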
if __name__ == '__main__': try: parser = OptionParser(usage="usage: %prog [options] <process_to_hook>",version="%prog 1.0") parser.add_option("-A", "--attach", action="store_true", default=False,help="Attach to a running process") parser.add_option("-S", "--spawn", action="store_true", default=False,help="Spawn a new process and attach") parser.add_option("-P", "--pid", action="store_true", default=False,help="Attach to a pid process") parser.add_option("-R", "--resume", action="store_true", default=False,help="Resume Process") parser.add_option("-f", "--function", action="store", dest="function", help="Name of the Function") parser.add_option("-a", "--address", action="store", dest="address", help="Address to attach") (options, args) = parser.parse_args() if (options.spawn): print ("[*] Spawning "+ str(args[0])) pid = frida.get_usb_device().spawn([args[0]]) session = frida.get_usb_device().attach(pid) elif (options.attach): print ("[*] Attaching to process "+str(args[0])) session = frida.get_usb_device().attach(str(args[0])) elif (options.pid): print ("[*] Attaching to PID "+str(args[0])) session = frida.get_usb_device().attach(str(args[0])) elif (options.resume): session = frida.get_usb_device().resume() sys.exit(0) else: print ("Error") print ("[X] Option not selected. View --help option.") sys.exit(0)
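import os
import frida
import json
import sys


def on_message(message, payload):
    """Print what a Frida agent sends back.

    Args:
        message: dict delivered by Frida; when the agent used send(), the
            data sits under 'payload' and only that is printed, otherwise the
            whole message (e.g. an error record) is printed as-is.
        payload: binary data attached to the message; not used here.
    """
    print(message.get('payload', message))


AGENT_PATH = 'compiled_agent.js'
# Target app id; an optional first CLI argument overrides the built-in default
# so the script works unchanged for the original target.
TARGET = sys.argv[1] if len(sys.argv) > 1 else 'com.my.target'

if not os.path.exists(AGENT_PATH):
    print('use `npm install` to build the agent')
    # Non-zero status: nothing was instrumented (the original exit(0) hid this).
    sys.exit(1)

# Read the agent with a context manager so the file handle is released.
with open(AGENT_PATH, 'r') as agent_file:
    agent_source = agent_file.read()

d = frida.get_usb_device()
pid = d.spawn(TARGET)
session = d.attach(pid)
script = session.create_script(agent_source)
script.on('message', on_message)
script.load()
# Load the agent before resuming so its hooks are in place when the app runs.
d.resume(pid)
sys.stdin.read()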
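def init_session():
    """Locate a Frida device for the configured platform and attach to the app.

    Reads the module-level settings ``platform``, ``app_name`` and ``spawn``.
    ``ios``/``android`` look for a USB device, ``iossim`` uses the remote
    device (the Gadget listening locally, per the hints printed on failure),
    ``macos`` the local device; any other platform exits.  With ``spawn == 1``
    the app (or, on iOS/macOS, the bundle id resolved via getBundleID) is
    spawned first and the new pid attached to; otherwise ``app_name`` is
    attached to directly, as a pid when it is purely numeric.

    Returns:
        (device, session, pid) — ``session`` is None when no app name was
        given or the attach raised; ``pid`` is None unless spawned here.

    Exits with status 1 when no device is reachable, the platform is unknown
    or a bundle id cannot be resolved for spawning.
    """
    try:
        session = None
        if platform in ('ios', 'android'):
            try:
                # 3-second timeout so a missing device fails fast instead of hanging.
                device = frida.get_usb_device(3)
            except Exception as exc:
                print(colored(str(exc), "red"))
                traceback.print_exc()
                if platform == 'android':
                    print(colored("Troubleshooting Help", "blue"))
                    print(colored("HINT: Is USB Debugging enabled?", "blue"))
                    print(colored("HINT: Is `frida-server` running on mobile device (with +x permissions)?", "blue"))
                    print(colored("HINT: Is `adb` daemon running?", "blue"))
                    sys.exit(1)
                elif platform == "ios":
                    print(colored("Troubleshooting Help", "blue"))
                    print(colored("HINT: Have you installed `frida` module from Cydia?", "blue"))
                    print(colored("HINT: Have used `ipa_installer` to inject the `FridaGadget` shared library?", "blue"))
                    sys.exit(1)
        elif platform == 'iossim':
            try:
                device = frida.get_remote_device()
            except Exception as exc:
                # Report the cause, as the USB branch does, instead of hiding it.
                print(colored(str(exc), "red"))
                print(colored("Troubleshooting Help", "blue"))
                print(colored("HINT: Have you successfully integrated the FridaGadget dylib with the XCode Project?", "blue"))
                print(colored("HINT: Do you see a message similar to \"[Frida INFO] Listening on 127.0.0.1 TCP port 27042\" on XCode console logs?", "blue"))
                sys.exit(1)
        elif platform == 'macos':
            device = frida.get_local_device()
        else:
            print(colored('[ERROR] Unsupported Platform', 'red'))
            sys.exit(1)

        pid = None
        if app_name:
            try:
                if platform == 'android' and spawn == 1:
                    print(colored("Now Spawning %s" % app_name, "green"))
                    pid = device.spawn([app_name])
                    session = device.attach(pid)
                elif platform in ('ios', 'macos') and spawn == 1:
                    bundle_id = getBundleID(device, app_name, platform)
                    if bundle_id:
                        print(colored("Now Spawning %s" % bundle_id, "green"))
                        pid = device.spawn([bundle_id])
                        session = device.attach(pid)
                    else:
                        # No exception is in flight here, so the former
                        # traceback.print_exc() only printed "NoneType: None".
                        print(colored("[ERROR] Can't spawn %s" % app_name, "red"))
                        sys.exit(1)
                else:
                    # A purely numeric app_name is treated as a pid.
                    target = int(app_name) if app_name.isdigit() else app_name
                    session = device.attach(target)
            except Exception as exc:
                # Attach failures are reported but not fatal: session stays None
                # and the caller decides what to do.
                print(colored('[ERROR] ' + str(exc), 'red'))
                traceback.print_exc()
            if session:
                print(colored('[INFO] Attached to %s' % (app_name), 'yellow'))
                session.on('detached', on_detached)
    except Exception as exc:
        # sys.exit() raises SystemExit, which is not an Exception, so the
        # exits above are not swallowed here.
        print(colored('[ERROR] ' + str(exc), 'red'))
        traceback.print_exc()
        sys.exit(1)
    return device, session, pid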
# this.cnt.value = 999; // Log to the console that it's done, and we should have the flag! console.log('Done:' + JSON.stringify(this.cnt)); }; }); """ jscode2 = """ Java.perform(function () { console.log("枚举所有类..."); Java.enumerateLoadedClasses({ onMatch: function (_className) { if (_className.split(".")[1] === "example") { console.log("[->]t" + _className); } }, onComplete: function () { console.log("枚举所有类 complete"); } }); }); """ process = frida.get_usb_device().attach('com.example.myfridatest') script = process.create_script(jscode1) script.on('message', on_message) print('[*] Running CTF') script.load() sys.stdin.read()