Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[HOTFIX] RPC hook suggestions + Bug Fix #2301

Merged
merged 4 commits into from
Dec 7, 2023
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,15 +1,37 @@
//https://github.com/iddoeldor/frida-snippets#reveal-native-methods
//String comparison
Java.perform(function () {
send('[AUXILIARY] [String Compare] capturing all string comparisons')
var str = Java.use('java.lang.String'), objectClass = 'java.lang.Object';
str.equals.overload(objectClass).implementation = function (obj) {
var response = str.equals.overload(objectClass).call(this, obj);
if (obj) {
if (obj.toString().length > 5) {
send('[AUXILIARY] [String Compare] ' + str.toString.call(this) + ' == ' + obj.toString() + ' ? ' + response);
}
let Exception = Java.use('java.lang.Exception');
let javaString = Java.use('java.lang.String')
let objectClass = 'java.lang.Object';
var skiplist = ['android.app.SystemServiceRegistry.getSystemService']
javaString.equals.overload(objectClass).implementation = function (obj) {
var response = javaString.equals.overload(objectClass).call(this, obj);
if (obj && obj.toString().length > 5) {
var stack = [];
var calledFrom = Exception.$new().getStackTrace().toString().split(',');
// Otherwise capture string comparisons
let i = 0;
do {
i = i + 1;
stack.push(calledFrom[i]);
} while (i <= 5);
var skipClass, skipMethod = false;
skiplist.forEach(function (toSkip) {
if (calledFrom[4].includes(toSkip))
skipClass = true;
});
if (!skipClass) {
var data = {
caller: stack,
string1: javaString.toString.call(this),
string2: obj.toString(),
return: response,
}
send('[AUXILIARY] [String Compare] ' + JSON.stringify(data, null, 2));
}
}
return response;
}
});
});

Original file line number Diff line number Diff line change
@@ -1,40 +1,42 @@
// Based on https://github.com/sensepost/objection/blob/f8e78d8a29574c6dadd2b953a63207b45a19b1cf/objection/hooks/android/clipboard/monitor.js
var ActivityThread = Java.use('android.app.ActivityThread');
var ClipboardManager = Java.use('android.content.ClipboardManager');
var CLIPBOARD_SERVICE = 'clipboard';

var currentApplication = ActivityThread.currentApplication();
var context = currentApplication.getApplicationContext();

var clipboard_handle = context.getApplicationContext().getSystemService(CLIPBOARD_SERVICE);
var clipboard = Java.cast(clipboard_handle, ClipboardManager);

// Variable used for the current string data
var string_data;

function check_clipboard_data() {

Java.perform(function () {

var primary_clip = clipboard.getPrimaryClip();

// If we have managed to get the primary clipboard and there are
// items stored in it, process an update.
if (primary_clip != null && primary_clip.getItemCount() > 0) {

var data = primary_clip.getItemAt(0).coerceToText(context).toString();

// If the data is the same, just stop.
if (string_data == data) {
return;
var ActivityThread = Java.use('android.app.ActivityThread');
var ClipboardManager = Java.use('android.content.ClipboardManager');
var CLIPBOARD_SERVICE = 'clipboard';

var currentApplication = ActivityThread.currentApplication();
var context = currentApplication.getApplicationContext();

var clipboard_handle = context.getApplicationContext().getSystemService(CLIPBOARD_SERVICE);
var clipboard = Java.cast(clipboard_handle, ClipboardManager);

setInterval(function(){

var primary_clip = clipboard.getPrimaryClip();

// If we have managed to get the primary clipboard and there are
// items stored in it, process an update.
if (primary_clip != null && primary_clip.getItemCount() > 0) {

var data = primary_clip.getItemAt(0).coerceToText(context).toString();

// If the data is the same, just stop.
if (string_data == data) {
return;
}

// Update the data with the new string and report back.
string_data = data;
send('mobsf-android-clipboard:' + data);
}

// Update the data with the new string and report back.
string_data = data;
send('mobsf-android-clipboard:' + data);
}
// Poll every 5 seconds
}, 1000 * 5);
});
}

// Poll every 5 seconds
setInterval(check_clipboard_data, 1000 * 5);
check_clipboard_data();
Original file line number Diff line number Diff line change
Expand Up @@ -132,38 +132,46 @@ Java.perform(function() {
console.error(e);
}
})
Interceptor.attach(Module.findExportByName(null, "exit"), {
onEnter: function(args) {
console.warn("Native Exit() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
},
onLeave: function(retval) {}
});
Interceptor.attach(Module.findExportByName(null, "abort"), {
onEnter: function(args) {
console.warn("Native Abort() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
},
onLeave: function(retval) {}
});
var fork = Module.findExportByName(null, "fork")
Interceptor.attach(fork, {
onEnter: function(args) {},
onLeave: function(retval) {
var pid = parseInt(retval.toString(16), 16)
console.log("Second Process PID : ", pid)
}
})
Interceptor.attach(Module.findExportByName("libc.so", "system"), {
onEnter: function(args) {
var cmd = Memory.readCString(args[0]);
if (cmd.indexOf("kill") != -1) {
console.log("Bypass native system: " + cmd);
var NewKill = args[0].writeUtf8String("bypassed");
args[0] = ptr(NewKill);
}
},
onLeave: function(retval) {}
});

try {
Interceptor.attach(Module.findExportByName(null, "exit"), {
onEnter: function(args) {
console.warn("Native Exit() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
},
onLeave: function(retval) {}
});
} catch (e) {}
try {
Interceptor.attach(Module.findExportByName(null, "abort"), {
onEnter: function(args) {
console.warn("Native Abort() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
},
onLeave: function(retval) {}
});
} catch (e) {}
try {
var fork = Module.findExportByName(null, "fork")
Interceptor.attach(fork, {
onEnter: function(args) {},
onLeave: function(retval) {
var pid = parseInt(retval.toString(16), 16)
console.log("Second Process PID : ", pid)
}
})
} catch (e) {}
try {
Interceptor.attach(Module.findExportByName("libc.so", "system"), {
onEnter: function(args) {
var cmd = Memory.readCString(args[0]);
if (cmd.indexOf("kill") != -1) {
console.log("Bypass native system: " + cmd);
var NewKill = args[0].writeUtf8String("bypassed");
args[0] = ptr(NewKill);
}
},
onLeave: function(retval) {}
});
} catch (e) {}
try {
var abortPtr = Module.getExportByName('libc.so', 'abort');
var abort = new NativeFunction(abortPtr, 'int', ['int']);
var exitPtr = Module.getExportByName('libc.so', 'exit');
Expand Down Expand Up @@ -200,4 +208,4 @@ Interceptor.attach(Module.findExportByName("libc.so", "system"), {
console.log('Shutdown Replaced');
return 0;
}, 'int', ['int', 'int']));

} catch (e) {}
Loading