在這里對其中的一部分API進(jìn)行了介紹，這篇文章繼續(xù)介紹后面的內(nèi)容。

通過這部分的介紹，可以發(fā)現(xiàn)通過Frida操縱內(nèi)存、查看模塊等信息是如此的簡單。操作內(nèi)存，最重要的自然就是打補(bǔ)丁了，邪惡的微笑。

@[toc]

Module對象

Module.load(path): loads the specified module from the filesystem path and returns a Module object. Throws an exception if the specified module cannot be loaded. 常用的API可以參考下面的代碼，注釋寫的很清楚：

Process.EnumererateModules()

Enumerates modules loaded right now, returning an array of Module objects.

1. //枚舉當(dāng)前加載的模塊

2. var process_Obj_Module_Arr = Process.enumerateModules();

3. for(var i = 0; i < process_Obj_Module_Arr.length; i++) {

4. //包含"lib"字符串的

5. if(process_Obj_Module_Arr[i].path.indexOf("lib")!=-1)

6. {

7. ? ? ? console.log("模塊名稱:",process_Obj_Module_Arr[i].name);

8. ? ? ? console.log("模塊地址:",process_Obj_Module_Arr[i].base);

9. ? ? ? console.log("大小:",process_Obj_Module_Arr[i].size);

10. ? ? ? console.log("文件系統(tǒng)路徑",process_Obj_Module_Arr[i].path);

11. }

12. }

enumerateImports(導(dǎo)入表)

Enumerates imports of module, returning an array of objects containing the following properties:

• type: string specifying either function or variable

• name: import name as a string

• module: module name as a string

• address: absolute address as a NativePointer

• slot: memory location where the import is stored, as a NativePointer

1. //枚舉模塊中所有中的所有導(dǎo)入表(Import)函數(shù)

2. function frida_Module_import() {

3. Java.perform(function () {

4. const hooks = Module.load('libc.so');

5. ? ? ?var Imports = hooks.enumerateImports();

6. for(var i = 0; i < Imports.length; i++) {

7. //函數(shù)類型

8. ? ? ? ? ?console.log("type:",Imports[i].type);

9. //函數(shù)名稱

10. ? ? ? ? ?console.log("name:",Imports[i].name);

11. //屬于的模塊

12. ? ? ? ? ?console.log("module:",Imports[i].module);

13. //函數(shù)地址

14. ? ? ? ? ?console.log("address:",Imports[i].address);

15. }

16. });

17. }

18. setImmediate(frida_Module_import,0);

enumerateExports(導(dǎo)出表)

Enumerates exports of module, returning an array of objects containing the following properties:

• type: string specifying either function or variable

• name: export name as a string

• address: absolute address as a NativePointer

1. var Exports = hooks.enumerateExports();

2. for(var i = 0; i < Exports.length; i++) {

3. //函數(shù)類型

4. ? ?console.log("type:",Exports[i].type);

5. //函數(shù)名稱

6. ? ?console.log("name:",Exports[i].name);

7. //函數(shù)地址

8. ? ?console.log("address:",Exports[i].address);

9. }

注：導(dǎo)出表和導(dǎo)入表后續(xù)文章會專門進(jìn)行介紹。簡單來說，導(dǎo)入表是這個庫依賴的函數(shù)表，而導(dǎo)出表是這個庫對外提供的函數(shù)表。

enumerateSymbols(符號表)

Enumerates symbols of module, returning an array of objects containing the following properties。

• isGlobal: boolean specifying whether symbol is globally visible

• type: string specifying one of:

• object (ELF)

• function (ELF)

• file (ELF)

• common (ELF)

• tls (ELF)

• unknown

• section

• undefined (Mach-O)

• absolute (Mach-O)

• prebound-undefined (Mach-O)

• indirect (Mach-O)

• section: if present, is an object containing:

• id: string containing section index, segment name (if applicable) and section name – same format as r2’s section IDs

• protection: protection like in Process.enumerateRanges()

• name: symbol name as a string

• address: absolute address as a NativePointer

• size: if present, a number specifying the symbol’s size in bytes

1. function frida_Module_symbol() {

2. Java.perform(function () {

3. const hooks = Module.load('libc.so');

4. ? ? ?var Symbol = hooks.enumerateSymbols();

5. for(var i = 0; i < Symbol.length; i++) {

6. ? ? ? ? ?console.log("isGlobal:",Symbol[i].isGlobal);

7. ? ? ? ? ?console.log("type:",Symbol[i].type);

8. ? ? ? ? ?console.log("section:",JSON.stringify(Symbol[i].section));

9. ? ? ? ? ?console.log("name:",Symbol[i].name);

10. ? ? ? ? ?console.log("address:",Symbol[i].address);

11. }

12. });

13. }

14. setImmediate(frida_Module_symbol,0);

運(yùn)行結(jié)果如下：

獲取export的絕對地址

返回so文件中Export函數(shù)庫中函數(shù)名稱為exportName函數(shù)的絕對地址。

Module.findExportByName(moduleName|null, exportName), Module.getExportByName(moduleName|null, exportName): returns the absolute address of the export named exportName in moduleName. If the module isn’t known you may pass null instead of its name, but this can be a costly search and should be avoided. In the event that no such module or export could be found, the find-prefixed function returns null whilst the get-prefixed function throws an exception.

1. function frida_Module_address() {

2. Java.perform(function () {

3. ? ? ?console.log("gets address of ?getExportByName :",Module.getExportByName('libc.so', 'gets'));

4. ? ? ? ?console.log("gets address of findExportByName:",Module.findExportByName('libc.so', 'gets'));

5. });

6. }

7. setImmediate(frida_Module_address,0);

運(yùn)行結(jié)果：

Memory對象

Memory的一些API通常是對內(nèi)存處理，譬如Memory.copy()復(fù)制內(nèi)存，又如writeByteArray寫入字節(jié)到指定內(nèi)存中。

Memory.scan

其主要功能是搜索內(nèi)存中以address地址開始，搜索長度為size，需要搜是條件是pattern，callbacks搜索之后的回調(diào)函數(shù)；此函數(shù)相當(dāng)于搜索內(nèi)存的功能。

Memory.scan(address, size, pattern, callbacks): scan memory for occurences of pattern in the memory range given by address and size.

• pattern must be of the form “13 37 ?? ff” to match 0x13 followed by 0x37 followed by any byte followed by 0xff. For more advanced matching it is also possible to specify an r2-style mask. The mask is bitwise AND-ed against both the needle and the haystack. To specify the mask append a : character after the needle, followed by the mask using the same syntax. For example: “13 37 13 37 : 1f ff ff f1”. For convenience it is also possible to specify nibble-level wildcards, like “?3 37 13 ?7”, which gets translated into masks behind the scenes.

  
  

• callbacks is an object with:

  
  

• onMatch: function (address, size): called with address containing the address of the occurence as a NativePointer and size specifying the size as a number.

  This function may return the string stop to cancel the memory scanning early.

• onError: function (reason): called with reason when there was a memory access error while scanning

• onComplete: function (): called when the memory range has been fully scanned

本文選取的的是領(lǐng)跑娛樂.apk，為一個賭博類的APP，后續(xù)會專門分析這個app。

對apk的解包在這里進(jìn)行了介紹，通過Radare2查看libgame.so這個庫的函數(shù)信息，如下：

匹配規(guī)則對應(yīng)的是opcode，下面的代碼將pattern設(shè)置為"08 c6 8f e2 ?? ca 8c e2"，正好匹配第一行和第二行的opcode。

1. var process_Obj_Module_Arr = Process.enumerateModules();

2. for(var i = 0; i < process_Obj_Module_Arr.length; i++) {

3. //包含"libgame"字符串的

4. if(process_Obj_Module_Arr[i].path.indexOf("libgame")!=-1)

5. {

6. ? ? ? ?console.log("模塊名稱:",process_Obj_Module_Arr[i].name);

7. ? ? ? ?console.log("模塊地址:",process_Obj_Module_Arr[i].base);

8. ? ? ? ?console.log("大小:",process_Obj_Module_Arr[i].size);

9. ? ? ? ?console.log("文件系統(tǒng)路徑",process_Obj_Module_Arr[i].path);

10. 
    

11. // Print its properties:

12. ? ? ? ? ?console.log(JSON.stringify(process_Obj_Module_Arr[i]));

13. 
    

14. // Dump it from its base address:

15. ? ? ? ? ?console.log(hexdump(process_Obj_Module_Arr[i].base));

16. 
    

17. // The pattern that you are interested in:

18. ? ? ? ? ?var pattern = '08 c6 8f e2 ?? ca 8c e2';

19. 
    

20. Memory.scan(process_Obj_Module_Arr[i].base, process_Obj_Module_Arr[i].size, pattern, {

21. ? ? ? ? ? ?onMatch: function (address, size) {

22. ? ? ? ? ? ? ?console.log('Memory.scan() found match at', address,

23. 'with size', size);

24. // Optionally stop scanning early:

25. return 'stop';

26. },

27. ? ? ? ? ? ?onComplete: function () {

28. ? ? ? ? ? ? ?console.log('Memory.scan() complete');

29. }

30. });

31. }

32. }

最終的運(yùn)行結(jié)果：

很容易可以計(jì)算出偏移：0xc429f3bc - 0xc4041000 = 0x25e3bc

同步搜索內(nèi)存數(shù)據(jù)Memory.scanSync

Memory.scanSync(address, size, pattern): synchronous version of scan() that returns an array of objects containing the following properties:

• address: absolute address as a NativePointer.

• size: size in bytes

1. console.log(JSON.stringify(Memory.scanSync(process_Obj_Module_Arr[i].base,process_Obj_Module_Arr[i].size,pattern)));

如果符合條件的信息比較多，容易導(dǎo)致卡死，慎用。

內(nèi)存分配Memory.alloc

在目標(biāo)進(jìn)程中的堆上申請size大小的內(nèi)存，并且會按照Process.pageSize對齊，返回一個NativePointer，并且申請的內(nèi)存如果在JavaScript里面沒有對這個內(nèi)存的使用的時候會自動釋放的。也就是說，如果你不想要這個內(nèi)存被釋放，你需要自己保存一份對這個內(nèi)存塊的引用。

Memory.alloc(size): allocate size bytes of memory on the heap, or, if size is a multiple of Process.pageSize, one or more raw memory pages managed by the OS. The returned value is a NativePointer and the underlying memory will be released when all JavaScript handles to it are gone. This means you need to keep a reference to it while the pointer is being used by code outside the JavaScript runtime.

1. function frida_Memory_Alloc() {

2. Java.perform(function () {

3. const r = Memory.alloc(10);

4. ? ? ? ?console.log(hexdump(r, {

5. ? ? ? ? ? ?offset: 0,

6. ? ? ? ? ? ?length: 10,

7. ? ? ? ? ? ?header: true,

8. ? ? ? ? ? ?ansi: false

9. }));

10. });

11. }

12. setImmediate(frida_Memory_Alloc,0);

以上代碼在目標(biāo)進(jìn)程中申請了10字節(jié)的空間

也可以使用： Memory.allocUtf8String(str) 分配utf字符串 Memory.allocUtf16String 分配utf16字符串 Memory.allocAnsiString 分配ansi字符串

內(nèi)存復(fù)制Memory.copy

類似與c語言中的memcpy

1. const r = Memory.alloc(10);

2. //復(fù)制以module.base地址開始的10個字節(jié) 那肯定會是7F 45 4C 46...因?yàn)橐粋€ELF文件的Magic屬性如此。

3. Memory.copy(r,process_Obj_Module_Arr[i].base,10);

4. console.log(hexdump(r, {

5. ? ?offset: 0,

6. ? ?length: 10,

7. ? ?header: true,

8. ? ?ansi: false

9. }));

寫入內(nèi)存Memory.writeByteArray

將字節(jié)數(shù)組寫入一個指定內(nèi)存，代碼示例如下:

1. ? ? ? ?var arr = [ 0x62, 0x20, 0x75,0x20, 0x72,0x20,0x6E,0x20,0x69,0x20,0x6E,0x20,0x67];

2. //申請一個新的內(nèi)存空間 返回指針 大小是arr.length

3. const r = Memory.alloc(arr.length);

4. //將arr數(shù)組寫入R地址中

5. Memory.writeByteArray(r,arr);

6. //輸出

7. ? ? ? ?console.log(hexdump(r, {

8. ? ? ? ? ? ?offset: 0,

9. ? ? ? ? ? ?length: arr.length,

10. ? ? ? ? ? ?header: true,

11. ? ? ? ? ? ?ansi: false

12. }));

結(jié)果如下：

讀取內(nèi)存Memory.readByteArray

將一個指定地址的數(shù)據(jù)，代碼示例如下:

1. ? ? ? ?var buffer = Memory.readByteArray(r, arr.length);

2. //輸出

3. ? ? ? ?console.log("Memory.readByteArray:");

4. ? ? ? ?console.log(hexdump(buffer, {

5. ? ? ? ? ? ?offset: 0,

6. ? ? ? ? ? ?length: arr.length,

7. ? ? ? ? ? ?header: true,

8. ? ? ? ? ? ?ansi: false

9. }));

結(jié)果同上。

公眾號

更多Frida相關(guān)內(nèi)容，歡迎關(guān)注我的公眾號:無情劍客