设为首页收藏本站
开启辅助访问

【Android 逆向】frida 检测绕过

 您所在的位置:网站首页 process terminated 【Android 逆向】frida 检测绕过

【Android 逆向】frida 检测绕过

2024-03-03 00:47| 来源: 网络整理| 查看: 265

1. aaa.apk 安装到手机,是一个叫玩吧的应用 ./hooker ...... 23248 浏 览 器 com.browser2345_oem 32541 玩吧 com.wodi.who 2447 电话和短信存储 com.android.providers.telephony 2447 电话服务 com.android.phone 3264 电量和性能 com.miui.powerkeeper ...... 2. 启动hluda版frida server hluda-server-14.2.13-android-arm64 绕过一些对frida特征的检查

执行 frida -Uf com.wodi.who --no-pause,直接崩溃退出

Spawned `com.wodi.who`. Resuming main thread! [MI 5X::com.wodi.who]-> Process terminated [MI 5X::com.wodi.who]->

说明有对frida 附着到进程存在检测

3. 常用检测有 对 TracerPid 的检测,参考r0trace 的方案进行绕过 var ByPassTracerPid = function () { var fgetsPtr = Module.findExportByName("libc.so", "fgets"); var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']); Interceptor.replace(fgetsPtr, new NativeCallback(function (buffer, size, fp) { var retval = fgets(buffer, size, fp); var bufstr = Memory.readUtf8String(buffer); if (bufstr.indexOf("TracerPid:") > -1) { Memory.writeUtf8String(buffer, "TracerPid:\t0"); console.log("tracerpid replaced: " + Memory.readUtf8String(buffer)); } return retval; }, 'pointer', ['pointer', 'int', 'pointer'])); };

日志

Spawned `com.wodi.who`. Resuming main thread! [MI 5X::com.wodi.who]-> tracerpid replaced: TracerPid: 0 Process terminated [MI 5X::com.wodi.who]->

还是不行,看来还有别的地方检测

4.尝试hook pthread_create 来看一下哪里调用到了它 function hook_func() { var pthread_creat_addr = Module.findExportByName("libc.so", "pthread_create") Interceptor.attach(pthread_creat_addr,{ onEnter(args){ console.log("call pthread_create...") let func_addr = args[2] console.log("The thread function address is " + func_addr) console.log('pthread_create called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE) .map(DebugSymbol.fromAddress) .join('\n') + '\n'); } }) }

执行日志:

call pthread_create... The thread function address is 0xc0512129 The libmsaoaidsec.so base 0xc0501000 pthread_create called from: 0xc05123fd libmsaoaidsec.so!0x113fd 0xc0511ab7 libmsaoaidsec.so!0x10ab7 0xc0511bc1 libmsaoaidsec.so!0x10bc1 0xc050d5b9 libmsaoaidsec.so!_init+0x1ac 0xec63662b ...... tracerpid replaced: TracerPid: 0 Process terminated

可以看到 libmsaoaidsec.so 执行了0x113fd 后好像就出问题了,而且这个是在_init+0x1ac,很值得怀疑,看一下反汇编的代码

0xc0512129 - 0xc0501000 = 0x11129 可以看到这里看起来一个线程搞事情

int sub_113E0() { _DWORD *v0; // r4 pthread_t v2; // [sp+0h] [bp-10h] BYREF int v3; // [sp+4h] [bp-Ch] v0 = off_1FC04; v3 = *(_DWORD *)off_1FC04; pthread_create(&v2, 0, (void *(*)(void *))sub_11128, 0); return *v0 - v3; }

那么hook 掉这个 sub_11128 ,让他啥也不干,对应偏移地址 0x000113E0

Interceptor.replace(module.base.add(0x00011128+1), new NativeCallback(function() { console.log("0x00011129 replace success!!!") }, 'void', []))

执行日志

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** Build fingerprint: 'xiaomi/tiffany/tiffany:8.1.0/OPM1.171019.019/V11.0.3.0.ODBCNXM:user/release-keys' Revision: '0' ABI: 'arm' pid: 12322, tid: 12322, name: com.wodi.who >>> com.wodi.who tracerpid replaced: TracerPid: 0

全部代码

var ByPassTracerPid = function () { var fgetsPtr = Module.findExportByName("libc.so", "fgets"); var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']); Interceptor.replace(fgetsPtr, new NativeCallback(function (buffer, size, fp) { var retval = fgets(buffer, size, fp); var bufstr = Memory.readUtf8String(buffer); if (bufstr.indexOf("TracerPid:") > -1) { Memory.writeUtf8String(buffer, "TracerPid:\t0"); console.log("tracerpid replaced: " + Memory.readUtf8String(buffer)); } return retval; }, 'pointer', ['pointer', 'int', 'pointer'])); }; //setImmediate(ByPassTracerPid); function hook_dlopen(soName) { Interceptor.attach(Module.findExportByName(null, "dlopen"), { onEnter: function (args) { var pathptr = args[0]; if (pathptr !== undefined && pathptr != null) { var path = ptr(pathptr).readCString(); if (path.indexOf(soName) >= 0) { this.is_can_hook = true; } } }, onLeave: function (retval) { if (this.is_can_hook) { console.log("hook start..."); hook_func() } } } ); Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), { onEnter: function (args) { var pathptr = args[0]; if (pathptr !== undefined && pathptr != null) { var path = ptr(pathptr).readCString(); if (path.indexOf(soName) >= 0) { this.is_can_hook = true; } } }, onLeave: function (retval) { if (this.is_can_hook) { console.log("hook start..."); hook_func() } } } ); } function hook_func() { var pthread_creat_addr = Module.findExportByName("libc.so", "pthread_create") Interceptor.attach(pthread_creat_addr,{ onEnter(args){ console.log("call pthread_create...") let func_addr = args[2] console.log("The thread function address is " + func_addr) let libmsaoaidsec = Process.findModuleByName("libmsaoaidsec.so") if (libmsaoaidsec != null){ console.log("The libmsaoaidsec.so base " + libmsaoaidsec.base) bypass_thread(libmsaoaidsec) } console.log('pthread_create called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE) .map(DebugSymbol.fromAddress) .join('\n') + '\n'); } }) } function bypass_thread(module) { // Interceptor.replace(module.base.add(0x0000FA98+1), new NativeCallback(function() { // console.log("0x0000FA99 replace success!!!") // }, 'void', [])) Interceptor.replace(module.base.add(0x00011128+1), new NativeCallback(function() { console.log("0x00011129 replace success!!!") }, 'void', [])) P } function main() { ByPassTracerPid() hook_dlopen("libc.so") } setImmediate(main)


【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3