好久没有发技术贴了,看到好多大大都喜欢 VEH,小弟不才,一直学了好久的 frida,没学废。最近闲着没事就研究了一下 frida 怎么做 VEH。现在分享出来,抛砖引玉器!
好了废话不多说,因为太简单了,没什么话可以说,直接上代码。
顺便说一句,丢掉调试器,丢掉各种Loader各种Patcher吧,一个 frida 的 js 脚本就能干翻一切。
大佬们可以自己实现下 x64 下的代码(尝试下硬件断点的方式,尝试下 VMP,TEP,WL,SE 各种壳的替换机器码)
python3 安装 frida
pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple
然后把这个 js 放到 exe 的同级目录,在该目录下用 cmd 或者 PowerShell 运行下面的命令即可
frida -f 010Editor.exe -l ./frida-veh-010-bs.js
更新 x64 执行异常代码
/
/
"use strict"
console.log(
"\n"
);
console.warn(
"Frida.version = "
+
Frida.version);
console.log(
"Frida.heapSize = "
+
Frida.heapSize);
console.warn(
"Process.arch = "
+
Process.arch);
console.warn(
"Process.platform = "
+
Process.platform);
console.log(
"Process.pointerSize = "
+
Process.pointerSize);
console.log(
"\n"
);
console.error(
" 这是一个 Frida VEH 010 Editor 的牛逼示例"
)
console.error(
" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple "
);
console.error(
" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause "
);
/
/
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"x64"
) {
console.warn(
"\n"
,
"Coming soon :) "
,
"\n"
);
}
else
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"ia32"
) {
/
/
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x31f7fa
);
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr, { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
VEH
Process.setExceptionHandler(function (details) {
console.log(
"\n"
,
"setExceptionHandler ==> address: "
, details.address);
console.error(JSON.stringify(details));
console.warn(
"RVA: "
, details.address.sub(editor.base));
/
/
console.log(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
/
/
restore
/
/
Memory.writeU8(sub_patchaddr,
0x55
);
Memory.writeU8(sub_patchaddr, cc_origin);
console.warn(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
console.log(
"eip: "
, details.context.eip);
console.log(
"pc: "
, details.context.pc);
console.log(
"eax: "
, details.context.eax);
/
/
details.context.eax
=
0xDB
;
details.context.eip
=
ptr(details.context.eip).add(
0x7
);
console.warn(
"eax: "
, details.context.eax);
console.warn(
"eip: "
, details.context.eip);
console.warn(
"pc: "
, details.context.pc);
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
return
true;
});
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
}
else
{
console.warn(
"\n"
,
"This platform and architecture are not supported :( "
,
"\n"
);
}
/
/
"use strict"
console.log(
"\n"
);
console.warn(
"Frida.version = "
+
Frida.version);
console.log(
"Frida.heapSize = "
+
Frida.heapSize);
console.warn(
"Process.arch = "
+
Process.arch);
console.warn(
"Process.platform = "
+
Process.platform);
console.log(
"Process.pointerSize = "
+
Process.pointerSize);
console.log(
"\n"
);
console.error(
" 这是一个 Frida VEH 010 Editor 的牛逼示例"
)
console.error(
" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple "
);
console.error(
" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause "
);
/
/
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"x64"
) {
console.warn(
"\n"
,
"Coming soon :) "
,
"\n"
);
}
else
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"ia32"
) {
/
/
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x31f7fa
);
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr, { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
VEH
Process.setExceptionHandler(function (details) {
console.log(
"\n"
,
"setExceptionHandler ==> address: "
, details.address);
console.error(JSON.stringify(details));
console.warn(
"RVA: "
, details.address.sub(editor.base));
/
/
console.log(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
/
/
restore
/
/
Memory.writeU8(sub_patchaddr,
0x55
);
Memory.writeU8(sub_patchaddr, cc_origin);
console.warn(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
console.log(
"eip: "
, details.context.eip);
console.log(
"pc: "
, details.context.pc);
console.log(
"eax: "
, details.context.eax);
/
/
details.context.eax
=
0xDB
;
details.context.eip
=
ptr(details.context.eip).add(
0x7
);
console.warn(
"eax: "
, details.context.eax);
console.warn(
"eip: "
, details.context.eip);
console.warn(
"pc: "
, details.context.pc);
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
return
true;
});
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
}
else
{
console.warn(
"\n"
,
"This platform and architecture are not supported :( "
,
"\n"
);
}
/
/
"use strict"
console.log(
"\n"
);
console.warn(
"Frida.version = "
+
Frida.version);
console.log(
"Frida.heapSize = "
+
Frida.heapSize);
console.warn(
"Process.arch = "
+
Process.arch);
console.warn(
"Process.platform = "
+
Process.platform);
console.log(
"Process.pointerSize = "
+
Process.pointerSize);
console.log(
"\n"
);
console.error(
" 这是一个 Frida VEH 010 Editor 的牛逼示例"
)
console.error(
" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple "
);
console.error(
" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause "
);
/
/
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"x64"
) {
/
/
console.warn(
"\n"
,
"Coming soon :) "
,
"\n"
);
/
/
v13.
0.1
x64
/
/
.text:
00007FF6E91CEFA0
010editor
.exe:$
36EFA0
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x36efae
);
/
/
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr.sub(
0xE
), { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
console.warn(
"Process.id = "
, Process.
id
);
console.warn(
"Process.isDebuggerAttached() = "
, Process.isDebuggerAttached());
console.warn(
"Process.getCurrentThreadId() = "
, Process.getCurrentThreadId());
let threads
=
Process.enumerateThreads();
for
(let value
in
threads) {
console.log(JSON.stringify(threads[value]));
}
/
/
VEH
Process.setExceptionHandler(details
=
> {
console.error(JSON.stringify(details));
/
/
Memory.protect(details.memory.address, Process.pointerSize,
'rwx'
);
console.warn(JSON.stringify(details.memory));
/
/
Memory.writeU32(details.context.rcx.add(
0x30
),
1008
);
Memory.writeU32(details.context.rcx.add(
0x3C
),
1
);
Memory.writeU32(details.context.rcx.add(
0x44
),
47419
);
details.context.rax
=
0xDB
;
details.context.rip
=
ptr(details.context.rip).add(
0x7
);
console.warn(
"rax: "
, details.context.rax);
console.warn(
"rip: "
, details.context.rip);
console.warn(
"pc: "
, details.context.pc);
return
true;
/
/
goto PC
});
/
/
patchaddr
/
/
fetch decode execute
Interceptor.attach(sub_patchaddr.sub(
0x0
), {
onEnter(args) {
console.log(
"\n"
,
'onEnter'
, JSON.stringify({
_rip: this.context.rip,
_pc: this.context.pc,
_pointerSize: Process.pointerSize,
mprotect_ret: Memory.protect(this.context.rip,
1
,
'rw-'
),
errno: this.errno,
_lr: this.returnAddress
}, null,
2
));
console.log(
"设置任意地址,执行异常 OJBK"
);
}
});
}
else
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"ia32"
) {
/
/
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x31f7fa
);
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr, { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
VEH
Process.setExceptionHandler(function (details) {
console.log(
"\n"
,
"setExceptionHandler ==> address: "
, details.address);
console.error(JSON.stringify(details));
console.warn(
"RVA: "
, details.address.sub(editor.base));
/
/
console.log(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
/
/
restore
/
/
Memory.writeU8(sub_patchaddr,
0x55
);
Memory.writeU8(sub_patchaddr, cc_origin);
console.warn(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
console.log(
"eip: "
, details.context.eip);
console.log(
"pc: "
, details.context.pc);
console.log(
"eax: "
, details.context.eax);
/
/
details.context.eax
=
0xDB
;
details.context.eip
=
ptr(details.context.eip).add(
0x7
);
console.warn(
"eax: "
, details.context.eax);
console.warn(
"eip: "
, details.context.eip);
console.warn(
"pc: "
, details.context.pc);
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
return
true;
});
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
}
else
{
console.warn(
"\n"
,
"This platform and architecture are not supported :( "
,
"\n"
);
}
/
/
"use strict"
console.log(
"\n"
);
console.warn(
"Frida.version = "
+
Frida.version);
console.log(
"Frida.heapSize = "
+
Frida.heapSize);
console.warn(
"Process.arch = "
+
Process.arch);
console.warn(
"Process.platform = "
+
Process.platform);
console.log(
"Process.pointerSize = "
+
Process.pointerSize);
console.log(
"\n"
);
console.error(
" 这是一个 Frida VEH 010 Editor 的牛逼示例"
)
console.error(
" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple "
);
console.error(
" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause "
);
/
/
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"x64"
) {
/
/
console.warn(
"\n"
,
"Coming soon :) "
,
"\n"
);
/
/
v13.
0.1
x64
/
/
.text:
00007FF6E91CEFA0
010editor
.exe:$
36EFA0
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x36efae
);
/
/
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);