Frida Tutorial 1

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This is a summary of the post: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
APK: https://github.com/t0thkr1s/frida-demo/releases
Source Code: https://github.com/t0thkr1s/frida-demo

Python

Frida lets you inject JavaScript code into the functions of a running application. You can also drive it from Python: the Python bindings load the hooks into the target and can interact with them (for example, receive messages the script sends).

Here is a simple Python script that you can use with all the examples proposed in this tutorial:

#hooking.py
import frida, sys

# First argument: the JavaScript hook file to load (hook1.js, hook2.js, ...)
with open(sys.argv[1], 'r') as f:
    jscode = f.read()

# Attach to the already running demo app over USB (by process name)
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()

# Keep the Python process alive so the hooks stay installed; Ctrl+D / Ctrl+C to stop
sys.stdin.read()

Run the script:

python hooking.py <hookN.js>

It is useful to know how to use Python with Frida, but for these examples you can also call Frida directly with the command-line frida tools. Note that recent frida-tools (Frida 16 and later) resume the spawned process by default, so --no-pause is no longer needed there; the opposite flag, --pause, keeps the process suspended after spawn if you want it.

frida -U --no-pause -l hookN.js -f infosecadventures.fridademo

Hook 1 - Boolean Bypass

Here you can see how to hook a boolean method (checkPin) of the class infosecadventures.fridademo.utils.PinUtil:

//hook1.js
Java.perform(function () {
    console.log("[ * ] Starting implementation override...")
    var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil")
    // Replace checkPin(String) so it accepts any PIN
    PinUtil.checkPin.implementation = function (pin) {
        console.log("[ + ] PIN check successfully bypassed!")
        return true
    }
})

Run it:

python hooking.py hook1.js

Note: checkPin takes a single String parameter and is not overloaded, so there is no need to select an overload here (see the note at the end of this page).

Hook 2 - Function Bruteforce

Non-Static Function

If you want to call a non-static function of a class, you first need an instance of that class; then you call the function on that instance. To do so, you can look up an existing instance in memory and use it:

Java.perform(function () {
    console.log("[ * ] Starting PIN Brute-force, please wait...")
    // Enumerate live instances of PinUtil on the Java heap
    Java.choose("infosecadventures.fridademo.utils.PinUtil", {
        onMatch: function (instance) {
            console.log("[ * ] Instance found in memory: " + instance)
            for (var i = 1000; i <= 9999; i++) {
                if (instance.checkPin(i + "") == true) {
                    console.log("[ + ] Found correct PIN: " + i)
                    break
                }
            }
        },
        onComplete: function () {},
    })
})

In this case it does not work because there is no instance of the class: the method is static.

Static Function

If the function is static, you can simply call it on the class:

//hook2.js
Java.perform(function () {
    console.log("[ * ] Starting PIN Brute-force, please wait...")
    var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil")

    // Static method: call it directly on the class wrapper
    for (var i = 1000; i <= 9999; i++) {
        if (PinUtil.checkPin(i + "") == true) {
            console.log("[ + ] Found correct PIN: " + i)
            break
        }
    }
})
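The loops above start at 1000 and build the candidate with `i + ""`, so any PIN with a leading zero (0000 to 0999) is never tried. The following script is an added example, not code from the original post or the frida-demo project: the search itself is a plain JavaScript function that zero-pads every candidate and covers the whole keyspace, and the Frida-specific part (calling the static `PinUtil.checkPin` and reporting the hit with `send()`) only runs when the file is loaded by frida. The `send()` payload is an assumption about how you might report back to `hooking.py`, which would need a `script.on('message', ...)` handler to receive it.

```javascript
// Brute-force helper: enumerates every PIN of the given length as a
// zero-padded string ("0000".."9999"), so leading-zero PINs and the last
// value are not skipped. `check` is any function(pinString) -> boolean.
function bruteForcePin(check, digits) {
  var total = Math.pow(10, digits);
  for (var i = 0; i < total; i++) {
    var pin = String(i);
    while (pin.length < digits) pin = "0" + pin; // keep leading zeros
    if (check(pin) === true) return pin;
  }
  return null; // keyspace exhausted without a match
}

// Frida part: only runs when loaded by frida (Java is undefined under Node).
if (typeof Java !== "undefined") {
  Java.perform(function () {
    console.log("[ * ] Starting PIN brute-force, please wait...");
    var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil");
    // checkPin is static in the demo app, so it is called on the class.
    // For an instance method you would first obtain an instance with
    // Java.choose(...) or PinUtil.$new() and call it on that instead.
    var found = bruteForcePin(function (pin) {
      return PinUtil.checkPin(pin) === true;
    }, 4);
    if (found !== null) {
      console.log("[ + ] Found correct PIN: " + found);
      // Hypothetical message format; hooking.py would need script.on('message', ...)
      send({ type: "pin-found", pin: found });
    } else {
      console.log("[ - ] No 4-digit PIN accepted");
    }
  });
}
```

Load it exactly like the other hooks (`python hooking.py bruteforce.js` or `frida -U -l bruteforce.js -f infosecadventures.fridademo`). Because the 10,000 calls run inside the app's process, a slow `checkPin` (hashing, sleeps) makes the search proportionally slow; the loop stops at the first accepted PIN.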

Hook 3 - Getting the arguments and the return value

You can hook a function and make it print the values of the arguments it receives and the value it returns:

//hook3.js
Java.perform(function () {
    console.log("[ * ] Starting implementation override...")

    var EncryptionUtil = Java.use(
        "infosecadventures.fridademo.utils.EncryptionUtil"
    )
    EncryptionUtil.encrypt.implementation = function (key, value) {
        console.log("Key: " + key)
        console.log("Value: " + value)
        var encrypted_ret = this.encrypt(key, value) //Call the original function
        console.log("Encrypted value: " + encrypted_ret)
        return encrypted_ret
    }
})
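hook3.js is written for one known signature. In practice you often do not know the parameter list, the method may be overloaded, and the original may throw. The script below is an added example (not code from the original post or the frida-demo project) that generalises Hook 3: it hooks every overload of a method, prints the declared argument types next to the values, renders byte[] arguments as hex instead of a comma-separated list of signed numbers, and re-throws whatever the original throws so the app's behaviour is unchanged. The formatting helpers are plain JavaScript; the Frida-specific part only runs when the file is loaded by frida. The target class and method are the ones from the page; `traceMethod` is a name chosen here.

```javascript
// Renders one argument or return value for the log line. Frida hands
// java.lang.String to JS as a string and byte[] as a plain array of signed
// 8-bit numbers (shown here as hex); other Java objects use their toString().
function formatValue(v) {
  if (v === null || v === undefined) return "null";
  if (Array.isArray(v)) {
    return "0x" + v.map(function (b) {
      return ((b & 0xff) + 0x100).toString(16).slice(1); // two hex digits per byte
    }).join("");
  }
  if (typeof v === "string") return JSON.stringify(v);
  return String(v);
}

// Builds "pkg.Class.method(type value, ...)" for one call.
function formatCall(className, methodName, argTypes, args) {
  var parts = [];
  for (var i = 0; i < args.length; i++) {
    parts.push(argTypes[i] + " " + formatValue(args[i]));
  }
  return className + "." + methodName + "(" + parts.join(", ") + ")";
}

// Hooks every overload of `methodName` on `className`, logging arguments and
// the return value, and passing exceptions from the original through unchanged.
function traceMethod(className, methodName) {
  var Cls = Java.use(className);
  Cls[methodName].overloads.forEach(function (ov) {
    var argTypes = ov.argumentTypes.map(function (t) { return t.className; });
    ov.implementation = function () {
      var args = Array.prototype.slice.call(arguments);
      var prefix = formatCall(className, methodName, argTypes, args);
      var ret;
      try {
        ret = ov.apply(this, args); // call the original overload
      } catch (e) {
        console.log(prefix + " threw " + e);
        throw e; // do not swallow the exception: keep the app's behaviour identical
      }
      console.log(prefix + " -> " + formatValue(ret));
      return ret;
    };
  });
}

// Frida part: only runs when loaded by frida (Java is undefined under Node).
if (typeof Java !== "undefined") {
  Java.perform(function () {
    console.log("[ * ] Tracing EncryptionUtil.encrypt (all overloads)...");
    traceMethod("infosecadventures.fridademo.utils.EncryptionUtil", "encrypt");
  });
}
```

Because the hook is installed per overload object, there is no ambiguity error even when several `encrypt` signatures exist, and `ov.apply(this, args)` always dispatches to the matching original rather than re-resolving by argument type.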

Hooking on recent Android versions (14/15/16)

  • Since Frida 17.1.x, Java hooking on Android 14–16 is stable again (the ART quick entrypoint offsets were fixed). If Java.choose returns nothing on Android 14+, update frida-server/gadget and the CLI/Python packages to >=17.1.5.
  • Apps with early anti-debug checks often die before you can attach. Use spawn so the hooks are loaded before onCreate:
frida -U -f infosecadventures.fridademo -l hook1.js --no-pause
  • When there are several overloads, pick the target explicitly:
var Cls = Java.use("com.example.Class")
Cls.doThing.overload('java.lang.String', 'int').implementation = function(s, i) {
    return this.doThing(s, i)
}

Code injection with Zygisk Gadget

Some apps detect ptrace or frida-server. Magisk/Zygisk modules can load frida-gadget inside Zygote so that no process is ever traced with ptrace:

  1. Install the Zygisk gadget module (for example, zygisk-gadget) and reboot the device.
  2. Configure the target package and an optional delay (in ms) to get past startup checks:
adb shell "su -c 'echo infosecadventures.fridademo,5000 > /data/local/tmp/re.zyg.fri/target_packages'"
  3. Launch the app and attach by the gadget's name:
frida -U -n Gadget -l hook3.js

Because the gadget is injected by Zygote, APK integrity checks are left intact and basic ptrace/Frida string checks usually fail to notice it.

Important

In this tutorial you hooked methods using the method name and .implementation. But if there were more than one method with the same name, you would need to specify which one you want to hook by indicating the argument types.

You can see that in the next tutorial.
