def main(parser) -> None:
print('---------------------------')
print("%s v%s" % (__file__, version))
print('---------------------------')
args = parser.parse_args()
if not args.scan and not args.dump:
print('No mode selected')
parser.print_help(sys.stderr)
sys.exit(1)
if args.spawn:
if check_proc(args.process):
frida.kill(args.process)
spawn_app(args.process)
if args.dump:
if args.addr and args.size:
read_memory(args.process, int(args.addr, 16), args.size)
else:
dump_memory(args.process, args.output, args.interactive, args.protection)
elif args.scan:
if not args.pattern and not args.string:
print('No scan pattern')
parser.print_help(sys.stderr)
sys.exit(1)
elif args.pattern:
scan_memory(args.process, args.pattern, args.interactive, args.protection)
elif args.string:
string = get_bytes(args.string)
print('Pattern is "%s"' % string)
scan_memory(args.process, string, args.interactive, args.protection)
def eval_script(self,
enable_shell=False,
disable_dns=False,
disable_send=False,
disable_com=False):
self.device = frida.get_local_device()
self.device.on('output', self.on_output)
self.device.on('lost', self.on_lost)
# Spawn and attach to the process
pid = frida.spawn(self.process_sample)
session = frida.attach(pid)
# attach to the session
with open("process_hooker.js") as fp:
script_js = fp.read()
self.script = session.create_script(script_js,
name="process_hooker.js")
self.script.on('message', self.on_message)
session.on('detached', self.on_detach)
self.script.on('destroyed', self.on_destroyed)
self.script.load()
# Set Script variables
print(' [*] Setting Script Vars...')
self.script.post({
"type": "set_script_vars",
"debug": self._debug,
"disable_dns": disable_dns,
"enable_shell": enable_shell,
"disable_send": disable_send,
"disable_com": disable_com
})
# Sleep for a second to ensure the vars are set..
time.sleep(1)
print(' [*] Hooking Process %s' % pid)
frida.resume(pid)
print(' Press ctrl-c to kill the process...')
# Keep the process running...
while True:
try:
time.sleep(0.5)
if self._process_terminated:
break
except KeyboardInterrupt:
break
if not self._process_terminated:
# Kill it with fire
frida.kill(pid)
def kill(self):
self.exec_one = self.__start_process
# make sure the process is gone
while psutil.pid_exists(self.pid):
frida.kill(self.pid)
CleanupPipe()
self.logger.info('Process {} is killed'.format(self.pid))
def main():
parser = argparse.ArgumentParser(description="Extract Injected PE")
parser.add_argument("infile", help="The file to unpack.")
parser.add_argument(
'--args',
dest="in_args",
default=None,
help="Specify arguments for exe as comma seperated list")
parser.add_argument(
'--out_file',
dest="out_file",
default=None,
help="Specify the file name to dump the PE. Default: out.bin")
parser.add_argument('-v',
'--verbose',
dest="verbose",
action='store_true',
default=False,
help="Print hooked API calls.")
parser.add_argument(
'--raw',
dest="dump_raw",
action='store_true',
default=False,
help="Don't attempt to reconstruct PE, dump raw memory to file.")
args = parser.parse_args()
infile = args.infile
filename = os.path.basename(infile)
cmd = [infile]
#Frida spawn takes args as a list with [0]=exe
if args.in_args != None:
cmd.extend(args.in_args.split(","))
### setup ###
if args.out_file != None:
frida_driver = FridaExtract(cmd, out_file=args.out_file)
else:
frida_driver = FridaExtract(cmd)
if args.dump_raw:
frida_driver.raw = True
frida_driver.inject_extract_script()
### set verbosity ###
if args.verbose:
frida_driver.set_verbose(True)
### execute! ###
frida_driver.go()
### temporary hack ###
# keep program open long enough to receive messages
raw_input("Started Dump: Press Enter to kill process at any time!\n\n")
frida.kill(frida_driver.pid)
def _process_message(self, message, data):
"""
Frida COMMS
"""
if message['type'] == 'send':
stanza = message['payload']
if stanza['name'] == '+log':
print stanza['payload'] + "\n"
try:
self.extract.post({'type': '+log-ack'})
except Exception as e:
pass
elif stanza['name'] == '+dump':
#{"address":<virtual_address>}, data: <bin_string>
if self.raw:
print " ".join([elem.encode("hex")
for elem in data]) + "\n"
#serialize data and store
self.dump[stanza["address"]] = [ord(elem) for elem in data]
try:
self.extract.post({'type': '+dump-ack'})
except Exception as e:
pass
elif stanza['name'] == '+flush':
print "Flush Message Buffers"
try:
self.extract.post({'type': '+flush-ack'})
except Exception as e:
pass
elif stanza['name'] == '+kill':
print "Kill Main Process: " + str(stanza['payload']) + "\n"
frida.kill(self.pid)
print "Dump Complete!\n\nPress Enter to quit."
try:
self.extract.post({'type': '+kill-ack'})
except Exception as e:
pass
elif stanza['name'] == '+pkill':
print "Kill Sub-Process: " + str(stanza['payload']) + "\n"
frida.kill(int(stanza['payload']))
if self.raw:
#self.dump_raw()
self.dump_raw_sections()
else:
self.rebuild_pe()
try:
self.extract.post({'type': '+pkill-ack'})
except Exception as e:
pass
else:
print "==========ERROR=========="
print message
print "========================="
def _process_message(self, message, data):
"""
Frida COMMS
"""
if message['type'] == 'send':
stanza = message['payload']
if stanza['name'] == '+log':
print stanza['payload'] + "\n"
try:
self.extract.post({ 'type': '+log-ack' })
except Exception as e:
pass
elif stanza['name'] == '+dump':
#{"address":<virtual_address>}, data: <bin_string>
if self.raw:
print " ".join([elem.encode("hex") for elem in data]) + "\n"
#serialize data and store
self.dump[stanza["address"]] = [ord(elem) for elem in data]
try:
self.extract.post({ 'type': '+dump-ack' })
except Exception as e:
pass
elif stanza['name'] == '+flush':
print "Flush Message Buffers"
try:
self.extract.post({ 'type': '+flush-ack' })
except Exception as e:
pass
elif stanza['name'] == '+kill':
print "Kill Main Process: " + str(stanza['payload']) + "\n"
frida.kill(self.pid)
print "Dump Complete!\n\nPress Enter to quit."
try:
self.extract.post({ 'type': '+kill-ack' })
except Exception as e:
pass
elif stanza['name'] == '+pkill':
print "Kill Sub-Process: " + str(stanza['payload']) + "\n"
frida.kill(int(stanza['payload']))
if self.raw:
#self.dump_raw()
self.dump_raw_sections()
else:
self.rebuild_pe()
try:
self.extract.post({ 'type': '+pkill-ack' })
except Exception as e:
pass
else:
print "==========ERROR=========="
print message
print "========================="
def kill(self):
self.logger.info('kill process')
'''
TODO
program won't terminate right away
fix this
'''
while psutil.pid_exists(self.pid):
frida.kill(self.pid)
'''
frida won't kill its thread without this
'''
self.session.detach()
def eval_script(self,
target_script,
debug=False,
enable_shell=False,
disable_dns=False,
disable_send=False,
disable_com=False):
# create the command args
cmd = [self.wsh_host, target_script]
# spawn the process
pid = frida.spawn(cmd)
session = frida.attach(pid)
# attach to the session
with open("wsh_hooker.js") as fp:
script_js = fp.read()
self.script = session.create_script(script_js, name="wsh_hooker.js")
self.script.on('message', self.on_message)
self.script.load()
# Set Script variables
print ' [*] Setting Script Vars...'
self.script.post({"type": "set_script_vars",
"debug": debug,
"disable_dns": disable_dns,
"enable_shell": enable_shell,
"disable_send": disable_send,
"disable_com": disable_com})
# Sleep for a second to ensure the vars are set..
time.sleep(1)
print ' [*] Hooking Process %s' % pid
frida.resume(pid)
# Keep process open
raw_input(" [!] Running Script. Ctrl+Z to detach from instrumented program.\n\n")
# print("[!] Ctrl+D on UNIX, Ctrl+Z on Windows/cmd.exe to detach from instrumented program.\n\n")
# sys.stdin.read()
# Kill it with fire
frida.kill(pid)
def spawn_binary(self):
if not self.pid:
if self.binary[:2] == './':
self.binary = self.binary[2:]
self.pid = frida.spawn(self.binary)
self.debug("Spawned binay {} with pid {}".format(
self.binary, self.pid))
self.pid = int(self.pid)
self.session = frida.attach(self.pid)
self.debug("Attached to process {}".format(self.pid))
self.load_script()
if self.error:
self.warn("error")
self.session.detach()
self.info("An error occoured while attaching!")
sys.exit(-1)
self.log('Tracing binary press control-D to terminate....')
sys.stdin.read()
try:
self.log('Detaching, this might take a second...')
if self.kill:
frida.kill(self.pid)
self.log('Killing process {}'.format(self.pid))
self.session.detach()
except frida.ProcessNotFoundError:
self.log('Process already terminated')
self.debug("Call Overview:")
self.debug(str(self.calls))
with open(self.out_file, "w+") as self.out_file:
result = dict()
result["deviVersion"] = 0.1
result["calls"] = self.calls
json.dump(result, self.out_file)
def main():
parser = argparse.ArgumentParser(description="Extract Injected PE")
parser.add_argument("infile", help="The file to unpack.")
parser.add_argument('--args',dest="in_args",default=None,help="Specify arguments for exe as comma seperated list")
parser.add_argument('--out_file',dest="out_file",default=None,help="Specify the file name to dump the PE. Default: out.bin")
parser.add_argument('-v','--verbose',dest="verbose",action='store_true',default=False,help="Print hooked API calls.")
parser.add_argument('--raw',dest="dump_raw",action='store_true',default=False,help="Don't attempt to reconstruct PE, dump raw memory to file.")
args = parser.parse_args()
infile = args.infile
filename = os.path.basename(infile)
cmd = [infile]
#Frida spawn takes args as a list with [0]=exe
if args.in_args != None:
cmd.extend(args.in_args.split(","))
### setup ###
if args.out_file != None:
frida_driver = FridaExtract(cmd, out_file=args.out_file)
else:
frida_driver = FridaExtract(cmd)
if args.dump_raw:
frida_driver.raw = True
frida_driver.inject_extract_script()
### set verbosity ###
if args.verbose:
frida_driver.set_verbose(True)
### execute! ###
frida_driver.go()
### temporary hack ###
# keep program open long enough to receive messages
raw_input("Started Dump: Press Enter to kill process at any time!\n\n")
frida.kill(frida_driver.pid)
path = args[1].readCString();
if (fd > 0) {
files[fd.toString()] = path;
}
}
});
Interceptor.attach(DebugSymbol.fromName('close').address, {
onEnter: function(args) {
fd = args[0].toInt32();
copy_file(fd, files[fd.toString()]);
},
onLeave: function(ret_vat){
delete files[fd.toString()];
console.log(files);
}
});
// TODO: what if the program does NOT call close?
"""
script = session.create_script(js)
script.on('message', on_message)
script.load()
time.sleep(5)
frida.resume(pid)
sys.stdin.read()
frida.kill(pid)