Frida文件操作

2020-09-06 23:24 作者:無情劍客Burning 0人讀過 | 我要投稿

在前面的文章中介紹了數(shù)據(jù)庫的操作，這篇文章主要介紹文件的操作。

當(dāng)你在使用程序的時候，可以動態(tài)修改程序的文件操作，其實是很恐怖的，比如，本來是往文件中寫入100元錢，但是經(jīng)過動態(tài)修改后變成了0元，據(jù)此可以腦洞大開一下。 @[toc]

基礎(chǔ)概念

Linux下文件描述符

一個Linux進(jìn)程啟動后，會在內(nèi)核空間創(chuàng)建一個PCB進(jìn)程控制塊，PCB是一個進(jìn)程的私有財產(chǎn)。這個PCB中有一個已打開文件描述符表，記錄著所有該進(jìn)程打開的文件描述符以及對應(yīng)的file結(jié)構(gòu)體地址。

默認(rèn)情況下，啟動一個Linux進(jìn)程后，會打開三個文件，分別是標(biāo)準(zhǔn)輸入、標(biāo)準(zhǔn)輸出、標(biāo)準(zhǔn)錯誤分別使用了0、1 、2號文件描述符。

當(dāng)該進(jìn)程使用函數(shù)open打開一個新的文件時，一般會在內(nèi)核空間申請一個file結(jié)構(gòu)體，并且把3號文件描述符對應(yīng)的file指針指向file結(jié)構(gòu)體。

v-node table entry是虛擬文件系統(tǒng)對應(yīng)的文件節(jié)點，i-node是磁盤文件系統(tǒng)對應(yīng)的文件節(jié)點。通過這兩個節(jié)點就能找到最終的磁盤文件。舉個例子：

#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
int main(int argc,char *argv[]){
int fd = open("./1.c",O_RDWR);
? printf("fd=%d\n",fd);
}

程序運行結(jié)果是: fd=3

每一個進(jìn)程只有一個process table entry，一般情況下默認(rèn)使用 fd 0、fd1、fd2，新打開的文件1.c將使用fd 3，后續(xù)的文件描述符的值以此類推。

文件描述符含義0標(biāo)準(zhǔn)輸入1標(biāo)準(zhǔn)輸出2標(biāo)準(zhǔn)錯誤輸出

JavaScript Promise對象

ECMAscript 6 原生提供了 Promise 對象。Promise 對象代表了未來將要發(fā)生的事件，用來傳遞異步操作的消息。

var myFirstPromise = new Promise(function(resolve, reject){
//當(dāng)異步代碼執(zhí)行成功時，我們才會調(diào)用resolve(...), 當(dāng)異步代碼失敗時就會調(diào)用reject(...)
//在本例中，我們使用setTimeout(...)來模擬異步代碼，實際編碼時可能是XHR請求或是HTML5的一些API方法.
? ?setTimeout(function(){
? ? ? ?resolve("歡迎關(guān)注我的微信公眾號:無情劍客!"); //代碼正常執(zhí)行！
}, 250);
});
myFirstPromise.then(function(successMessage){
//successMessage的值是上面調(diào)用resolve(...)方法傳入的值.
//successMessage參數(shù)不一定非要是字符串類型，這里只是舉個例子
? ?document.write("Yay! " + successMessage);
});

Promise簡化了對error的處理，上面的代碼我們也可以這樣寫：

promise.then(onFulfilled).catch(onRejected)

更多Promise的內(nèi)容，后續(xù)會專門介紹。

Android Activity生命周期

為了在 Activity 生命周期的各個階段之間導(dǎo)航轉(zhuǎn)換，Activity 類提供六個核心回調(diào)：onCreate()、onStart()、onResume()、onPause()、onStop() 和 onDestroy()。當(dāng) Activity 進(jìn)入新狀態(tài)時，系統(tǒng)會調(diào)用其中每個回調(diào)。

文件和流

文件File

new File(filePath, mode): open or create the file at filePath with the mode string specifying how it should be opened. For example "wb" to open the file for writing in binary mode (this is the same format as fopen() from the C standard library).
write(data): synchronously write data to the file, where data is either a string or a buffer as returned by NativePointer#readByteArray
flush(): flush any buffered data to the underlying file
close(): close the file. You should call this function when you’re done with the file unless you are fine with this happening when the object is garbage-collected or the script is unloaded. 舉個例子，hook Activity的onResume函數(shù)，當(dāng)回調(diào)onResume函數(shù)的時候，先通過File操作向'/data/data/com.lingpao.lpcf622b/files/chat/test.txt'這個文件中寫入'hello world'，最后調(diào)用系統(tǒng)的onResume回調(diào)。這里只是舉例，實際情況可能需要保存一些重要的數(shù)據(jù)或者修改一些重要的數(shù)據(jù)。

import frida,sys
def on_message(message, data):
if message['type'] == 'send':
? ? ? ?print(" {0}".format(message['payload']))
else:
? ? ? ?print(message)
pass
session = frida.get_usb_device().attach("com.lingpao.lpcf622b")
jscode = """
if(Java.available){
Java.perform(function(){
? ? ? ? ?var Activity = Java.use('android.app.Activity');
Activity.onResume.implementation = function () {
? ? ? ? ? ? ? ?send('onResume() got called! ');
? ? ? ? ? ? ? ?var file = new File('/data/data/com.lingpao.lpcf622b/files/chat/test.txt', 'wb');
? ? ? ? ? ? ? ?file.write('hello world');
? ? ? ? ? ? ? ?file.flush();
? ? ? ? ? ? ? ?file.close();
this.onResume();
};
});
}
"""
script = session.create_script(jscode)
script.on("message", on_message)
print(' Start attach')
script.load()
sys.stdin.read()

輸入流InputStream

All methods are fully asynchronous and return Promise objects.

close(): close the stream, releasing resources related to it. Once the stream is closed, all other operations will fail. Closing a stream multiple times is allowed and will not result in an error.
read(size): read up to size bytes from the stream. The returned Promise receives an ArrayBuffer up to size bytes long. End of stream is signalled through an empty buffer.
readAll(size): keep reading from the stream until exactly size bytes have been consumed. The returned Promise receives an ArrayBuffer that is exactly size bytes long. Premature error or end of stream results in the Promise getting rejected with an error, where the Error object has a partialData property containing the incomplete data.

在類Unix系統(tǒng)中，獲取輸入流的方式:

new UnixInputStream(fd[, options]): create a new InputStream from the specified file descriptor fd. You may also supply an options object with autoClose set to true to make the stream close the underlying file descriptor when the stream is released, either through close() or future garbage-collection.

在Windwos平臺下，獲取輸入流的方式:

new Win32InputStream(handle[, options]): create a new InputStream from the specified handle, which is a Windows HANDLE value. You may also supply an options object with autoClose set to true to make the stream close the underlying handle when the stream is released, either through close() or future garbage-collection.

Android是基于Linux系統(tǒng)的，所以屬于類Unix系統(tǒng)，具體代碼示例，在前面的文章中對Intercepter進(jìn)行了介紹，這里對open函數(shù)進(jìn)行替換，對打開的文件讀取輸入流。

var openPtr = Module.getExportByName(null, 'open');
var open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
Interceptor.replace(openPtr, new NativeCallback(function (pathPtr, flags) {
?var path = pathPtr.readUtf8String();
?console.log('Opening "' + path + '"');
?var fd = open(pathPtr, flags);
if (fd > 0){
? ?var input = new UnixInputStream(fd);
? ?var promise = input.read(1000);
? ?promise.then(function(result){
? ? ?console.log(' burning'+hexdump(result,{lenght:1000}));
}).catch(function(error){
? ? ?console.log(' fail:'+error);
});
}
?console.log('Got fd: ' + fd);
return fd;
}, 'int', ['pointer', 'int']));

運行結(jié)果如下。

輸出流OutputStream

All methods are fully asynchronous and return Promise objects.

close(): close the stream, releasing resources related to it. Once the stream is closed, all other operations will fail. Closing a stream multiple times is allowed and will not result in an error.
write(data): try to write data to the stream. The data value is either an ArrayBuffer or an array of integers between 0 and 255. The returned Promise receives a Number specifying how many bytes of data were written to the stream.
writeAll(data): keep writing to the stream until all of data has been written. The data value is either an ArrayBuffer or an array of integers between 0 and 255. Premature error or end of stream results in an error, where the Error object has a partialSize property specifying how many bytes of data were written to the stream before the error occurred.
writeMemoryRegion(address, size): try to write size bytes to the stream, reading them from address, which is a NativePointer. The returned Promise receives a Number specifying how many bytes of data were written to the stream.

在類Unix系統(tǒng)中，獲取輸出流的方式:

new UnixOutputStream(fd[, options]): create a new OutputStream from the specified file descriptor fd. You may also supply an options object with autoClose set to true to make the stream close the underlying file descriptor when the stream is released, either through close() or future garbage-collection.

在Windwos平臺下，獲取輸出流的方式:

new Win32OutputStream(handle[, options]): create a new OutputStream from the specified handle, which is a Windows HANDLE value. You may also supply an options object with autoClose set to true to make the stream close the underlying handle when the stream is released, either through close() or future garbage-collection.

具體使用，可參考InputStream的使用。

輸入輸出流

輸入和輸出都是相對的。高中物理講過火車上的人，以車做參考系，人是靜止的，但是如果以樹做參考系人是運動的，那末輸入輸出的參考系是什么？

內(nèi)存。往內(nèi)存中寫就是輸入，從內(nèi)存中向文件中寫就是輸出。

寫在最后

預(yù)告一下，下篇Frida的文章說網(wǎng)絡(luò)，網(wǎng)絡(luò)的本質(zhì)其實還是文件。

公眾號

更多Frida相關(guān)的內(nèi)容，歡飲關(guān)注我的微信公眾號:無情劍客。

標(biāo)簽：