首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[原创]这是一个 Frida V(伪)EH 示例(更新 x64 执行异常代码)
发表于: 2022-11-30 10:24 14541

[原创]这是一个 Frida V(伪)EH 示例(更新 x64 执行异常代码)

dryzh 活跃值
2022-11-30 10:24
14541

好久没有发技术贴了,看到好多,大大们都喜欢 VEH,小弟不才,一直学了好久的 frida,没学废。最近闲着蛋疼没事就研究了一下 frida 怎么 VEH。现在分享出来,抛转引玉器!

好了废话不多说,因为太简单了,没什么话可以说,直接上代码。

顺便说一句,丢掉调试器,丢掉各种Loader各种Patcher吧,一个 frida 的 js 脚本就能干翻一切。
大佬们可以自己实现下 x64 下的代码(尝试下试硬件断点的方式,尝试下 VMP,TEP,WL,SE各种壳的替换机器码)

python3 安装 frida

pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple

然后把这个 js 放 exe 同级目录,在目录下 cmd 或者 PS运行下面命令就行

frida -f 010Editor.exe -l ./frida-veh-010-bs.js

更新 x64 执行异常代码

 
 
 
 
//"use strict"
console.log("\n");
console.warn("Frida.version = " + Frida.version);
console.log("Frida.heapSize = " + Frida.heapSize);
console.warn("Process.arch = " + Process.arch);
console.warn("Process.platform = " + Process.platform);
console.log("Process.pointerSize = " + Process.pointerSize);
console.log("\n");
console.error(" 这是一个 Frida VEH 010 Editor 的牛逼示例")
console.error(" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple ");
console.error(" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause ");
//
if (Process.platform == "windows" && Process.arch == "x64") {
    console.warn("\n", "Coming soon :) ", "\n");
} else if (Process.platform == "windows" && Process.arch == "ia32") {
    //
    var editor = Process.findModuleByName("010Editor.exe");
    console.log("010 editor base: ", editor.base, typeof (editor.base));
    var sub_patchaddr = editor.base.add(0x31f7fa);
    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));
    var buf = Memory.readByteArray(sub_patchaddr, 16);
    const cc_origin = Memory.readU8(sub_patchaddr);
    console.log("cc_origin: ", cc_origin, typeof (cc_origin));
    console.log(hexdump(sub_patchaddr, { offset: 0, length: 32, header: true, ansi: true }));
    // VEH
    Process.setExceptionHandler(function (details) {
        console.log("\n", "setExceptionHandler ==> address: ", details.address);
        console.error(JSON.stringify(details));
        console.warn("RVA: ", details.address.sub(editor.base));
        //
        console.log("eip[0]: " + ptr(Memory.readU8(details.context.eip)));
        // restore
        //Memory.writeU8(sub_patchaddr, 0x55);
        Memory.writeU8(sub_patchaddr, cc_origin);
        console.warn("eip[0]: " + ptr(Memory.readU8(details.context.eip)));
 
        console.log("eip: ", details.context.eip);
        console.log("pc: ", details.context.pc);
        console.log("eax: ", details.context.eax);
        //
        details.context.eax = 0xDB;
        details.context.eip = ptr(details.context.eip).add(0x7);
        console.warn("eax: ", details.context.eax);
        console.warn("eip: ", details.context.eip);
        console.warn("pc: ", details.context.pc);
        // int3  0xCC
        Memory.protect(sub_patchaddr, 1, 'rwx');
        Memory.writeU8(sub_patchaddr, 0xcc);
        return true;
    });
    // int3  0xCC
    Memory.protect(sub_patchaddr, 1, 'rwx');
    Memory.writeU8(sub_patchaddr, 0xcc);
} else {
    console.warn("\n", "This platform and architecture are not supported :( ", "\n");
}
//"use strict"
console.log("\n");
console.warn("Frida.version = " + Frida.version);
console.log("Frida.heapSize = " + Frida.heapSize);
console.warn("Process.arch = " + Process.arch);
console.warn("Process.platform = " + Process.platform);
console.log("Process.pointerSize = " + Process.pointerSize);
console.log("\n");
console.error(" 这是一个 Frida VEH 010 Editor 的牛逼示例")
console.error(" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple ");
console.error(" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause ");
//
if (Process.platform == "windows" && Process.arch == "x64") {
    console.warn("\n", "Coming soon :) ", "\n");
} else if (Process.platform == "windows" && Process.arch == "ia32") {
    //
    var editor = Process.findModuleByName("010Editor.exe");
    console.log("010 editor base: ", editor.base, typeof (editor.base));
    var sub_patchaddr = editor.base.add(0x31f7fa);
    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));
    var buf = Memory.readByteArray(sub_patchaddr, 16);
    const cc_origin = Memory.readU8(sub_patchaddr);
    console.log("cc_origin: ", cc_origin, typeof (cc_origin));
    console.log(hexdump(sub_patchaddr, { offset: 0, length: 32, header: true, ansi: true }));
    // VEH
    Process.setExceptionHandler(function (details) {
        console.log("\n", "setExceptionHandler ==> address: ", details.address);
        console.error(JSON.stringify(details));
        console.warn("RVA: ", details.address.sub(editor.base));
        //
        console.log("eip[0]: " + ptr(Memory.readU8(details.context.eip)));
        // restore
        //Memory.writeU8(sub_patchaddr, 0x55);
        Memory.writeU8(sub_patchaddr, cc_origin);
        console.warn("eip[0]: " + ptr(Memory.readU8(details.context.eip)));
 
        console.log("eip: ", details.context.eip);
        console.log("pc: ", details.context.pc);
        console.log("eax: ", details.context.eax);
        //
        details.context.eax = 0xDB;
        details.context.eip = ptr(details.context.eip).add(0x7);
        console.warn("eax: ", details.context.eax);
        console.warn("eip: ", details.context.eip);
        console.warn("pc: ", details.context.pc);
        // int3  0xCC
        Memory.protect(sub_patchaddr, 1, 'rwx');
        Memory.writeU8(sub_patchaddr, 0xcc);
        return true;
    });
    // int3  0xCC
    Memory.protect(sub_patchaddr, 1, 'rwx');
    Memory.writeU8(sub_patchaddr, 0xcc);
} else {
    console.warn("\n", "This platform and architecture are not supported :( ", "\n");
}
//"use strict"
console.log("\n");
console.warn("Frida.version = " + Frida.version);
console.log("Frida.heapSize = " + Frida.heapSize);
console.warn("Process.arch = " + Process.arch);
console.warn("Process.platform = " + Process.platform);
console.log("Process.pointerSize = " + Process.pointerSize);
console.log("\n");
console.error(" 这是一个 Frida VEH 010 Editor 的牛逼示例")
console.error(" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple ");
console.error(" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause ");
//
if (Process.platform == "windows" && Process.arch == "x64") {
    // console.warn("\n", "Coming soon :) ", "\n");
 
    // v13.0.1 x64
    // .text:00007FF6E91CEFA0 010editor.exe:$36EFA0 #36E3A0
    var editor = Process.findModuleByName("010Editor.exe");
    console.log("010 editor base: ", editor.base, typeof (editor.base));
    var sub_patchaddr = editor.base.add(0x36efae);
    //
    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));
    var buf = Memory.readByteArray(sub_patchaddr, 16);
    const cc_origin = Memory.readU8(sub_patchaddr);
    console.log("cc_origin: ", cc_origin, typeof (cc_origin));
    console.log(hexdump(sub_patchaddr.sub(0xE), { offset: 0, length: 32, header: true, ansi: true }));
    //
    console.warn("Process.id = ", Process.id);
    console.warn("Process.isDebuggerAttached() = ", Process.isDebuggerAttached());
    console.warn("Process.getCurrentThreadId() = ", Process.getCurrentThreadId());
    let threads = Process.enumerateThreads();
    for (let value in threads) {
        console.log(JSON.stringify(threads[value]));
    }
 
    // VEH
    Process.setExceptionHandler(details => {
        console.error(JSON.stringify(details));
        //
        Memory.protect(details.memory.address, Process.pointerSize, 'rwx');
        console.warn(JSON.stringify(details.memory));
        //
        Memory.writeU32(details.context.rcx.add(0x30), 1008);
        Memory.writeU32(details.context.rcx.add(0x3C), 1);
        Memory.writeU32(details.context.rcx.add(0x44), 47419);
        details.context.rax = 0xDB;
        details.context.rip = ptr(details.context.rip).add(0x7);
        console.warn("rax: ", details.context.rax);
        console.warn("rip: ", details.context.rip);
        console.warn("pc: ", details.context.pc);
 
        return true; // goto PC
    });
 
    // patchaddr 
    // fetch decode execute
    Interceptor.attach(sub_patchaddr.sub(0x0), {
        onEnter(args) {
            console.log("\n", 'onEnter', JSON.stringify({
                _rip: this.context.rip,
                _pc: this.context.pc,
                _pointerSize: Process.pointerSize,
                mprotect_ret: Memory.protect(this.context.rip, 1, 'rw-'),
                errno: this.errno,
                _lr: this.returnAddress
            }, null, 2));
            console.log("设置任意地址,执行异常 OJBK");
        }
    });
 
} else if (Process.platform == "windows" && Process.arch == "ia32") {
    //
    var editor = Process.findModuleByName("010Editor.exe");
    console.log("010 editor base: ", editor.base, typeof (editor.base));
    var sub_patchaddr = editor.base.add(0x31f7fa);
    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));
    var buf = Memory.readByteArray(sub_patchaddr, 16);
    const cc_origin = Memory.readU8(sub_patchaddr);
    console.log("cc_origin: ", cc_origin, typeof (cc_origin));
    console.log(hexdump(sub_patchaddr, { offset: 0, length: 32, header: true, ansi: true }));
    // VEH
    Process.setExceptionHandler(function (details) {
        console.log("\n", "setExceptionHandler ==> address: ", details.address);
        console.error(JSON.stringify(details));
        console.warn("RVA: ", details.address.sub(editor.base));
        //
        console.log("eip[0]: " + ptr(Memory.readU8(details.context.eip)));
        // restore
        //Memory.writeU8(sub_patchaddr, 0x55);
        Memory.writeU8(sub_patchaddr, cc_origin);
        console.warn("eip[0]: " + ptr(Memory.readU8(details.context.eip)));
 
        console.log("eip: ", details.context.eip);
        console.log("pc: ", details.context.pc);
        console.log("eax: ", details.context.eax);
        //
        details.context.eax = 0xDB;
        details.context.eip = ptr(details.context.eip).add(0x7);
        console.warn("eax: ", details.context.eax);
        console.warn("eip: ", details.context.eip);
        console.warn("pc: ", details.context.pc);
        // int3  0xCC
        Memory.protect(sub_patchaddr, 1, 'rwx');
        Memory.writeU8(sub_patchaddr, 0xcc);
        return true;
    });
    // int3  0xCC
    Memory.protect(sub_patchaddr, 1, 'rwx');
    Memory.writeU8(sub_patchaddr, 0xcc);
} else {
    console.warn("\n", "This platform and architecture are not supported :( ", "\n");
}
//"use strict"
console.log("\n");
console.warn("Frida.version = " + Frida.version);
console.log("Frida.heapSize = " + Frida.heapSize);
console.warn("Process.arch = " + Process.arch);
console.warn("Process.platform = " + Process.platform);
console.log("Process.pointerSize = " + Process.pointerSize);
console.log("\n");
console.error(" 这是一个 Frida VEH 010 Editor 的牛逼示例")
console.error(" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple ");
console.error(" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause ");
//
if (Process.platform == "windows" && Process.arch == "x64") {
    // console.warn("\n", "Coming soon :) ", "\n");
 
    // v13.0.1 x64
    // .text:00007FF6E91CEFA0 010editor.exe:$36EFA0 #36E3A0
    var editor = Process.findModuleByName("010Editor.exe");
    console.log("010 editor base: ", editor.base, typeof (editor.base));
    var sub_patchaddr = editor.base.add(0x36efae);
    //
    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));
    var buf = Memory.readByteArray(sub_patchaddr, 16);

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

最后于 2023-1-14 21:25 被dryzh编辑 ,原因: 更新 x64 执行异常代码
上传的附件:
收藏
免费 10
支持
分享
最新回复 (17)
海风月影
雪    币: 7309
活跃值: (3788)
能力值: (RANK:1130 )
在线值:
发帖
回帖
粉丝
私信
2
不错,高级!
2022-11-30 15:46
1
小菜鸟一
雪    币: 1145
活跃值: (4227)
能力值: ( LV5,RANK:69 )
在线值:
发帖
回帖
粉丝
私信
3
高级货,收藏
2022-11-30 18:14
1
yikuaiyingbi
雪    币: 1014
活跃值: (582)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
有beyond的吗
2022-11-30 22:46
0
jgs
雪    币: 8924
活跃值: (5147)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
jgs
5
一个新的解锁方法
2022-12-1 12:48
0
dryzh
雪    币: 888
活跃值: (2375)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
6
yikuaiyingbi 有beyond的吗[em_86]

beyond compare? 主题是讨论 VEH 啊。 破解 bc4 一字节替换公钥Keygen 算号是可以的。

2022-12-1 14:11
0
鸭子咯咯哒
雪    币: 1041
活跃值: (733)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
请教下下断点如何在Android上实现
2022-12-2 10:21
0
dryzh
雪    币: 888
活跃值: (2375)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
8
鸭子咯咯哒 请教下下断点如何在Android上实现

VEH 我只见过 Windows 上有这个概念,Process.setExceptionHandler这个 api 在其他平台不知道好使不,等我试试效果再说。

最后于 2022-12-4 07:27 被dryzh编辑 ,原因:
2022-12-4 07:12
0
黑洛
雪    币: 6124
活跃值: (4671)
能力值: ( LV6,RANK:80 )
在线值:
发帖
回帖
粉丝
私信
9
高级玩法
2022-12-4 09:58
0
kakasasa
雪    币: 576
活跃值: (2035)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
10
mark,有空再试试
2022-12-4 13:10
0
tDasm
雪    币: 14872
活跃值: (6093)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
11
 如果没记错,setExceptionHandler应该是SEH,不是VEH。
2022-12-5 16:34
0
dryzh
雪    币: 888
活跃值: (2375)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
12
tDasm 如果没记错,setExceptionHandler应该是SEH,不是VEH。
是,大佬说的没错。SEH 是相对 C++来说应该是全平台通用。VEH 是相对 Windows 进程来说的一种异常机制。
2022-12-5 19:01
0
mb_vfyweamk
雪    币: 1
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
13
dryzh 是,大佬说的没错[em_63]。SEH 是相对 C++来说应该是全平台通用。VEH 是相对 Windows 进程来说的一种异常机制。
大佬,  scitools需要再帮忙一下
2023-6-7 16:51
0
默NJ
雪    币: 2466
活跃值: (4561)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
14
veh没有硬断就缺少灵魂了啊
2023-8-6 21:12
0
秋狝
雪    币: 3125
活跃值: (30891)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
15
感谢分享
2023-8-7 09:20
1
dryzh
雪    币: 888
活跃值: (2375)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
16
默NJ veh没有硬断就缺少灵魂了啊
frida 期待大佬 PR 加入硬断造福人类
2023-12-15 22:58
0
dryzh
雪    币: 888
活跃值: (2375)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
17
mb_vfyweamk 大佬, scitools需要再帮忙一下
我要是没记错的话,给你算过两台还是三台了。又来白嫖?
2023-12-15 23:00
0
戀人未滿
雪    币: 28
活跃值: (415)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
18
向大佬学习的每一天
2023-12-20 18:52
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//