-
-
Notifications
You must be signed in to change notification settings - Fork 3.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[HOTFIX] More Android & iOS Frida Scripts (#2299)
Improved existing frida scripts More Android & iOS frida Scripts Code QA
- Loading branch information
1 parent
ae929dc
commit 87c054b
Showing
34 changed files
with
2,968 additions
and
24 deletions.
There are no files selected for viewing
194 changes: 192 additions & 2 deletions
194
mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/debugger_check_bypass.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,198 @@ | ||
| Java.perform(function () { | ||
| // send("[Debugger Check Bypass] Activated"); | ||
| try { | ||
| // Bypass isDebuggerConnected() check | ||
| var Debug = Java.use('android.os.Debug'); | ||
| Debug.isDebuggerConnected.implementation = function () { | ||
| send('[Debugger Check Bypass] isDebuggerConnected() bypassed'); | ||
| send('[Debugger Check] isDebuggerConnected() check bypassed'); | ||
| return false; | ||
| } | ||
| } catch(e){} | ||
| }); | ||
| // Following are based on: https://github.com/apkunpacker/FridaScripts | ||
| try { | ||
| /* Bypass Frida Detection Based On Port Number */ | ||
| Interceptor.attach(Module.findExportByName("libc.so", "connect"), { | ||
| onEnter: function(args) { | ||
| var memory = Memory.readByteArray(args[1], 64); | ||
| var b = new Uint8Array(memory); | ||
| if (b[2] == 0x69 && b[3] == 0xa2 && b[4] == 0x7f && b[5] == 0x00 && b[6] == 0x00 && b[7] == 0x01) { | ||
| this.frida_detection = true; | ||
| } | ||
| }, | ||
| onLeave: function(retval) { | ||
| if (this.frida_detection) { | ||
| send("[Debugger Check] Frida Port detection bypassed"); | ||
| retval.replace(-1); | ||
| } | ||
| } | ||
| }); | ||
| } catch(e){} | ||
| try { | ||
| Interceptor.attach(Module.findExportByName(null, "connect"), { | ||
| onEnter: function(args) { | ||
| var family = Memory.readU16(args[1]); | ||
| if (family !== 2) { | ||
| return | ||
| } | ||
| var port = Memory.readU16(args[1].add(2)); | ||
| port = ((port & 0xff) << 8) | (port >> 8); | ||
| if (port === 27042) { | ||
| send('[Debugger Check] Frida Port detection bypassed'); | ||
| Memory.writeU16(args[1].add(2), 0x0101); | ||
| } | ||
| } | ||
| }); | ||
| } catch(e){} | ||
| try { | ||
| /* Bypass TracerPid Detection Based On Pid Status */ | ||
| var fgetsPtr = Module.findExportByName("libc.so", "fgets"); | ||
| var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']); | ||
| Interceptor.replace(fgetsPtr, new NativeCallback(function(buffer, size, fp) { | ||
| var retval = fgets(buffer, size, fp); | ||
| var bufstr = Memory.readUtf8String(buffer); | ||
| if (bufstr.indexOf("TracerPid:") > -1) { | ||
| Memory.writeUtf8String(buffer, "TracerPid:\t0"); | ||
| send("[Debugger Check] TracerPID check bypassed"); | ||
| } | ||
| return retval; | ||
| }, 'pointer', ['pointer', 'int', 'pointer'])) | ||
| } catch(e){} | ||
|
|
||
| try { | ||
| /* Bypass Ptrace Checks */ | ||
| Interceptor.attach(Module.findExportByName(null, "ptrace"), { | ||
| onEnter: function(args) {}, | ||
| onLeave: function(retval) { | ||
| send("[Debugger Check] Ptrace check bypassed"); | ||
| retval.replace(0); | ||
| } | ||
| }) | ||
| } catch(e){} | ||
|
|
||
| try { | ||
| /* Watch Child Process Forking */ | ||
| var fork = Module.findExportByName(null, "fork") | ||
| Interceptor.attach(fork, { | ||
| onEnter: function(args) {}, | ||
| onLeave: function(retval) { | ||
| var pid = parseInt(retval.toString(16), 16) | ||
| send("[Debugger Check] Hook fork child process PID: " + pid) | ||
| } | ||
| }) | ||
| } catch(e){} | ||
|
|
||
|
|
||
| /* Xposed Detection Bypass */ | ||
| Java.perform(function() { | ||
| try { | ||
| var cont = Java.use("java.lang.String"); | ||
| cont.contains.overload("java.lang.CharSequence").implementation = function(checks) { | ||
| var check = checks.toString(); | ||
| if (check.indexOf("libdexposed") >= 0 || check.indexOf("libsubstrate.so") >= 0 || check.indexOf("libepic.so") >= 0 || check.indexOf("libxposed") >= 0) { | ||
| var BypassCheck = "libpkmkb.so"; | ||
| send("[Debugger Check] Xposed library check bypassed"); | ||
| return this.contains.call(this, BypassCheck); | ||
| } | ||
| return this.contains.call(this, checks); | ||
| } | ||
| } catch (erro) { | ||
| console.error(erro); | ||
| } | ||
| try { | ||
| var StacktraceEle = Java.use("java.lang.StackTraceElement"); | ||
| StacktraceEle.getClassName.overload().implementation = function() { | ||
| var Flag = false; | ||
| var ClazzName = this.getClassName(); | ||
| if (ClazzName.indexOf("com.saurik.substrate.MS$2") >= 0 || ClazzName.indexOf("de.robv.android.xposed.XposedBridge") >= 0) { | ||
| send("[Debugger Check] Debugger detection check bypassed for class: " + this.getClassName()); | ||
| Flag = true; | ||
| if (Flag) { | ||
| var StacktraceEle = Java.use("java.lang.StackTraceElement"); | ||
| StacktraceEle.getClassName.overload().implementation = function() { | ||
| var gMN = this.getMethodName(); | ||
| if (gMN.indexOf("handleHookedMethod") >= 0 || gMN.indexOf("invoked") >= 0) { | ||
| send("[Debugger Check] Debugger detection check bypassed for method: " + this.getMethodName()); | ||
| return "bye.pass"; | ||
| } | ||
| return this.getMethodName(); | ||
| } | ||
| } | ||
| return "com.android.vending" | ||
| } | ||
| return this.getClassName(); | ||
| } | ||
| } catch (errr) { | ||
| console.error(errr); | ||
| } | ||
| }) | ||
| /* VPN Related Checks */ | ||
| Java.perform(function() { | ||
| var NInterface = Java.use("java.net.NetworkInterface"); | ||
| try { | ||
| var NInterface = Java.use("java.net.NetworkInterface"); | ||
| NInterface.getName.overload().implementation = function() { | ||
| var IName = this.getName(); | ||
| if (IName == "tun0" || IName == "ppp0" || IName == "p2p0" || IName == "ccmni0" || IName == "tun") { | ||
| send("[Debugger Check] Bypassed Network Interface name check: " + JSON.stringify(this.getName())); | ||
| return "Bypass"; | ||
| } | ||
| return this.getName(); | ||
| } | ||
| } catch (err) { | ||
| console.error(err); | ||
| } | ||
| // HTTP(s) Proxy check | ||
| try { | ||
| var GetProperty = Java.use("java.lang.System"); | ||
| GetProperty.getProperty.overload("java.lang.String").implementation = function(getprop) { | ||
| if (getprop.indexOf("http.proxyHost") >= 0 || getprop.indexOf("http.proxyPort") >= 0) { | ||
| var newprop = "CKMKB" | ||
| send("[Debugger Check] HTTP(s) proxy check bypassed") | ||
| return this.getProperty.call(this, newprop); | ||
| } | ||
| return this.getProperty(getprop); | ||
| } | ||
| } catch (err) { | ||
| console.error(err); | ||
| } | ||
| // NetworkCapabilities check | ||
| try { | ||
| var NCap = Java.use("android.net.NetworkCapabilities"); | ||
| NCap.hasTransport.overload("int").implementation = function(values) { | ||
| if (values == 4){ | ||
| send("[Debugger Check] HasTransportcheck bypassed") | ||
| return false; | ||
| } else | ||
| return this.hasTransport(values); | ||
| } | ||
| } catch (e) { | ||
| console.error(e); | ||
| } | ||
| }) | ||
| /* Developer Mod Check Bypass */ | ||
| Java.perform(function() { | ||
| try{ | ||
| var SSecure = Java.use("android.provider.Settings$Secure"); | ||
| SSecure.getStringForUser.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function(Content, Name, Flag) { | ||
| if (Name.indexOf("development_settings_enabled") >= 0) { | ||
| send("[Debugger Check] Developer mode check bypassed for: " + Name) | ||
| return this.getStringForUser.call(this, Content, "bypassed", Flag); | ||
| } | ||
| return this.getStringForUser(Content, Name, Flag); | ||
| } | ||
| } catch(e){} | ||
| }) | ||
|
|
||
| /* Playstore install source check */ | ||
| Java.perform(function() { | ||
| try{ | ||
| var Installer = Java.use("android.app.ApplicationPackageManager"); | ||
| Installer.getInstallerPackageName.overload('java.lang.String').implementation = function(Str) { | ||
| var playPkg = "com.android.vending"; | ||
| if (Str.toString().indexOf(playPkg) < 0) { | ||
| send("[Debugger Check] Play Store install source check bypassed. Original value: "+ Str.toString()); | ||
| return playPkg; | ||
| } | ||
| } | ||
| } catch(e){} | ||
| }) |
Oops, something went wrong.