-
-
[原创]FRIDA Patchs 16.0.9
-
发表于: 2023-2-15 00:16
-
FRIDA Patchs 16.0.9
# 其他版本需要修改编译版本号及对应 NDK 版本,还有代理地址
1 2 | # 14.2.17sudo apt-get update && sudo apt-get install -y build-essential curl git lib32stdc++-9-dev libc6-dev-i386 nodejs npm python3-dev python3-pip && git config --global http.proxy "http://192.168.1.6:7890" && git config --global https.proxy "https://192.168.1.6:7890" && git clone -b 14.2.17 --recurse-submodules https://github.com/frida/frida.git && wget https://dl.google.com/android/repository/android-ndk-r22b-linux-x86_64.zip && unzip android-ndk-r22b-linux-x86_64 && export ANDROID_NDK_ROOT=/home/k/Desktop/android-ndk-r22b && export PATH=$ANDROID_NDK_ROOT:$PATH && source ~/.bashrc && cd frida && make && python3 releng/generate-version-header.py "build/frida-version.h" && make core-android-arm64 && ls -alith build/frida-android-arm64/bin/ |
1 2 | # 最版本编译(16.0.9)sudo apt-get update && sudo apt-get install -y build-essential curl git lib32stdc++-9-dev libc6-dev-i386 nodejs npm python3-dev python3-pip && git config --global http.proxy "http://192.168.1.6:7890" && git config --global https.proxy "https://192.168.1.6:7890" && git clone --recurse-submodules https://github.com/frida/frida.git && wget https://dl.google.com/android/repository/android-ndk-r25c-linux.zip && unzip android-ndk-r25c-linux.zip && export ANDROID_NDK_ROOT=/home/k/Desktop/android-ndk-r25c && export PATH=$ANDROID_NDK_ROOT:$PATH && cd frida && make core-android-arm64 |
16.0.9 需要代理才能一遍过,在编译过程中会访问一个链接
安装 vscode
1 | sudo snap install code --classic && cd ~/Desktop/frida && code . |
1 2 | sudo snap install code --classic # vscode 安装code . # vscode 打开当前目录 |
huluwa Patch 姿势
这里修改的主要目录是 frida/frida-core 中的相关文件
https://github.com/hluwa/Patchs huluwa Patchs 似乎最新能支持15.1.25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | # 如果你编译的版本与之 Patch 支持版本相符 则可以使用该命令进行一键 Patchgit config --global user.email "you@example.com" # 配置 git 信息git config --global user.name "Your Name"cd ~/Desktopgit clone https://github.com/AAAA-Project/Patchs.git # 克隆 huluwa Patchcd frida/frida-core/ # 进入 FRIDA 源码目录git am ../../Patchs/strongR-frida/frida-core/*.patch # 合并所有 Patchcd .. # 回到 FRIDA 根目录mark core-android-arm64 # 开始编译# 一键使用git config --global user.email "you@example.com" && git config --global user.name "Your Name" && cd ~/Desktop && git clone https://github.com/AAAA-Project/Patchs.git && cd frida/frida-core/ && git am ../../Patchs/strongR-frida/frida-core/*.patch && cd .. && mark core-android-arm64 |
huluwa Patch 解析
GLib 源码下载:http://ftp.gnome.org/pub/gnome/sources/glib/
GLib 帮助文档:https://docs.gtk.org/glib/func.base64_decode.html
字符串 frida:rpc
1 2 3 4 5 | - .add_string_value ("frida:rpc")+ .add_string_value ((string) GLib.Base64.decode("ZnJpZGE6cnBj="))- if (json.index_of ("\"frida:rpc\"") == -1)+ if (json.index_of ((string) GLib.Base64.decode("ImZyaWRhOnJwYyI=")) == -1) |
字符串 linjector
1 2 | - self->fifo_path = g_strdup_printf ("%s/linjector-%u", self->temp_path, self->id);+ self->fifo_path = g_strdup_printf ("%s/%p%u", self->temp_path, self ,self->id); |
字符串 frida-agent
1 2 3 4 5 6 7 8 9 10 11 | - agent = new AgentDescriptor (PathTemplate ("frida-agent-<arch>.so"),+ var random_prefix = GLib.Uuid.string_random(); // 随机前缀+ agent = new AgentDescriptor (PathTemplate (random_prefix + "-<arch>.so"), new Bytes.static (blob32.data), new Bytes.static (blob64.data), new AgentResource[] {- new AgentResource ("frida-agent-arm.so", new Bytes.static (emulated_arm.data), tempdir),- new AgentResource ("frida-agent-arm64.so", new Bytes.static (emulated_arm64.data), tempdir),+ new AgentResource (random_prefix + "-arm.so", new Bytes.static (emulated_arm.data), tempdir), // 去除frida-agent特征+ new AgentResource (random_prefix + "-arm64.so", new Bytes.static (emulated_arm64.data), tempdir), }, |
字符串 frida_agent_main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | // 修改所有 "frida_agent_main" 字符串为 "main"- var main_func_found = container.module.symbol ("frida_agent_main", out main_func_symbol);+ var main_func_found = container.module.symbol ("main", out main_func_symbol);- unowned string entrypoint = "frida_agent_main";+ unowned string entrypoint = "main";+ custom_script="$output_dir/../../../../frida-core/src/anti-anti-frida.py" // 读取文件目录 priv_dir="$output_dir/frida-agent@emb" else touch "$embedded_agent" fi+ if [ -f "$custom_script" ]; then+ python3 "$custom_script" "$embedded_agent"+ fi embedded_agents+=("$embedded_agent") } exit 1 fi+ if [ -f "$custom_script" ]; then+ python3 "$custom_script" "$embedded_agent"+ fi exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "$embedded_agent"- string entrypoint = "frida_agent_main";+ string entrypoint = "main";- var id = yield qinjector.inject_library_resource (pid, agent_desc, "frida_agent_main",+ var id = yield qinjector.inject_library_resource (pid, agent_desc, "main",- var id = yield winjector.inject_library_resource (pid, agent, "frida_agent_main",+ var id = yield winjector.inject_library_resource (pid, agent, "main",- var main_func_found = module.symbol ("frida_agent_main", out main_func_symbol);+ var main_func_found = module.symbol ("main", out main_func_symbol);- yield injector.inject_library_file (process.id, path, "frida_agent_main", data);+ yield injector.inject_library_file (process.id, path, "main", data); |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | # anti-anti-frida.pyimport liefimport sysimport randomimport osif __name__ == "__main__": input_file = sys.argv[1] print(f"[*] Patch frida-agent: {input_file}") random_name = "".join(random.sample("ABCDEFGHIJKLMNO", 5)) print(f"[*] Patch `frida` to `{random_name}``") binary = lief.parse(input_file) if not binary: exit() for symbol in binary.symbols: if symbol.name == "frida_agent_main": symbol.name = "main" if "frida" in symbol.name: symbol.name = symbol.name.replace("frida", random_name) if "FRIDA" in symbol.name: symbol.name = symbol.name.replace("FRIDA", random_name) binary.write(input_file) # gum-js-loop thread random_name = "".join(random.sample("abcdefghijklmn", 11)) print(f"[*] Patch `gum-js-loop` to `{random_name}`") os.system(f"sed -b -i s/gum-js-loop/{random_name}/g {input_file}") |
字符串 gum-js-loop gmain 进程名
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | # 在上面新建的 Python 文件修改为如下代码# anti-anti-frida.pyimport liefimport sysimport randomimport osif __name__ == "__main__": input_file = sys.argv[1] print(f"[*] Patch frida-agent: {input_file}") random_name = "".join(random.sample("ABCDEFGHIJKLMNO", 5)) print(f"[*] Patch `frida` to `{random_name}``") binary = lief.parse(input_file) if not binary: exit() for symbol in binary.symbols: if symbol.name == "frida_agent_main": symbol.name = "main" if "frida" in symbol.name: symbol.name = symbol.name.replace("frida", random_name) if "FRIDA" in symbol.name: symbol.name = symbol.name.replace("FRIDA", random_name) all_patch_string = ["FridaScriptEngine", "GLib-GIO", "GDBusProxy", "GumScript"] # 字符串特征修改 尽量与源字符一样 for section in binary.sections: # print(section.name) if section.name != ".rodata": continue for patch_str in all_patch_string: addr_all = section.search_all(patch_str) for addr in addr_all: print("current section name=" + section.name, "offset=", hex(section.file_offset + addr)) patch = [ord(n) for n in list(patch_str)[::-1]] binary.patch_address(section.file_offset + addr, patch) binary.write(input_file) # gum-js-loop thread random_name = "".join(random.sample("abcdefghijklmn", 11)) print(f"[*] Patch `gum-js-loop` to `{random_name}`") os.system(f"sed -b -i s/gum-js-loop/{random_name}/g {input_file}") # gmain thread random_name = "".join(random.sample("abcdefghijklmn", 5)) print(f"[*] Patch `gmain` to `{random_name}`") os.system(f"sed -b -i s/gmain/{random_name}/g {input_file}") |
目录 re.frida.server
1 2 3 4 5 | - private const string DEFAULT_DIRECTORY = "re.frida.server";+ private static string DEFAULT_DIRECTORY = null;private static int main (string[] args) {+ DEFAULT_DIRECTORY = GLib.Uuid.string_random(); // 随机字符串作为目录名 |
Unexpected command
这个不知道具体作用是什么
1 2 3 4 5 6 | namespace Frida.Droidy { case "OPEN": case "CLSE": case "WRTE":- throw new Error.PROTOCOL ("Unexpected command");+ break; // throw new Error.PROTOCOL ("Unexpected command"); |
手动 Patchs | 16.0.9
- 修改目录
frida/frida-core,tests目录下的文件不用去做修改 - 因为该 https://github.com/hluwa/Patchs 仅支持 15 的版本,所以 14 或 16 的版本可能需要手动进行修改,无法使用
git am一键 Patch - 建议 Paths 前完整编译一次,编译完成后备份源文件进行 Patch,避免被玩坏了又得重头再来
为了方便测试,在 Ubuntu 安装环境
12345678910111213141516171819202122# FRIDA 环境sudo pip3 install frida-tools lief# adb 安装sudo apt install-y android-tools-adb# 编译并推送到手机运行adb rootcd ~/Desktop/frida/&& make core-android-arm64# 编译64位!adb push ~/Desktop/frida/build/frida-android-arm64/bin/frida-server/system/lib64adb shell chmod777/system/lib64/fsadb shell ./system/lib64/fs-l0.0.0.0:9527# 查看手机IPadb shell ifconfig |grep Bcast# 查看端口监听sagit:/# netstat -tunlpActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program Nametcp00127.0.0.1:270420.0.0.0:*LISTEN20043/fs# frida 标准端口监听tcp00127.0.0.1:95270.0.0.0:*LISTEN20238/fs# frida 非标准端口监听 | 非标准端口也无需端口转发 老版本的 FRIDA 才需要转发12345# 环境配置sudo pip3 install frida-tools lief && sudo apt install-y android-tools-adb# 一键命令(新建 build.sh 写入以下命令运行比较方便)adb root && cd ~/Desktop/frida/&& make core-android-arm64 && adb push ~/Desktop/frida/build/frida-android-arm64/bin/frida-server/system/lib64/fs && adb shell chmod777/system/lib64/fs && adb shell ./system/lib64/fs-l0.0.0.0:9527
Build.sh
1 | adb root && export ANDROID_NDK_ROOT=/home/k/Desktop/android-ndk-r25c && export PATH=$ANDROID_NDK_ROOT:$PATH && source ~/.bashrc && cd ~/Desktop/frida/ && make core-android-arm64 && adb push build/frida-android-arm64/bin/frida-server /system/lib64/fs && adb shell chmod 777 /system/lib64/fs && adb shell ./system/lib64/fs -l 0.0.0.0:9527 |
全局搜索执行修改
目录名修改 re.frida.server
re.frida.server目录会生成很多文件,frida 就是把其中的frida-agent-<32/64>.so注入到进程
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | // frida/frida-core/server/server.vala- private const string DEFAULT_DIRECTORY = "re.frida.server";+ private static string DEFAULT_DIRECTORY = null;private static int main (string[] args) {+ DEFAULT_DIRECTORY = GLib.Uuid.string_random(); // 随机目录名// frida/frida-core/server/server.vala- private const string DEFAULT_DIRECTORY = "re.frida.server";+ private const string DEFAULT_DIRECTORY = "IOserver"; // 建议修改为固定目录名⭐// 在 frida-server 运行时才会存在目录 __sagit:/ # ls -alit /data/local/tmp/ 2105359 drwxr-xr-x 2 root root 4096 2023-02-12 21:32 IOserver // 这个目录一般来说 frida-server 退出会删除, 但是也可能异常退出就不会被删除; 意味着如果是随机目录名就可能会随地 "大小便" 不进行处理2097154 drwxrwxrwx 3 system system 4096 2023-02-12 21:32 .2097200 -rwxrwxrwx 1 shell shell 41391568 2023-02-12 21:24 fs2097153 drwxr-x--x 6 root root 4096 2023-02-12 17:46 .. |
目录存放修改 re.frida.server
1 2 3 4 5 6 7 8 | // frida/frida-core/src/linux/system-linux.cif (getuid () == 0)- return g_strdup ("/data/local/tmp");+ return g_strdup ("/system/lib64");// 以后就会在目录 /system/lib64 生成所需文件,其他目录尝试会出权限问题// Unable to get frontmost application on MI 6: error creating directory /system/9527: Read-only file system// frida.PermissionDeniedError: error creating directory /bin/9527: Read-only file system |
字符串修改
linjector
1 2 3 | // frida/frida-core/src/linux/frida-helper-backend-glue.c- self->fifo_path = g_strdup_printf ("%s/linjector-%u", self->temp_path, self->id);+ self->fifo_path = g_strdup_printf ("%s/%p%u", self->temp_path, self ,self->id); |
frida-agent
这个是 re.frida.server 目录下的注入文件
1 2 3 4 5 6 7 8 9 10 11 | - agent = new AgentDescriptor (PathTemplate ("frida-agent-<arch>.so"),+ var random_prefix = GLib.Uuid.string_random(); // 随机前缀+ agent = new AgentDescriptor (PathTemplate (random_prefix + "-<arch>.so"), new Bytes.static (blob32.data), new Bytes.static (blob64.data), new AgentResource[] {- new AgentResource ("frida-agent-arm.so", new Bytes.static (emulated_arm.data), tempdir),- new AgentResource ("frida-agent-arm64.so", new Bytes.static (emulated_arm64.data), tempdir),+ new AgentResource (random_prefix + "-arm.so", new Bytes.static (emulated_arm.data), tempdir), // 去除frida-agent特征 修改为随机前缀+ new AgentResource (random_prefix + "-arm64.so", new Bytes.static (emulated_arm64.data), tempdir), // 去除frida-agent特征 修改为随机前缀 }, |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | sagit:/ # ls -alitr /system/lib64/62881400-731e-43cd-a359-6e795717188d/ total 365884481689 srw-rw-rw- 1 root root 0 2023-02-12 22:27 pipe-a9d2e03a7b2ae5826b9333aba83438bd5736713 srw-rw-rw- 1 root root 0 2023-02-12 22:27 pipe-384b91416c99237ee13372f8d87b31db4481694 prw-rw-rw- 1 root root 0 2023-02-12 22:27 linjector-14481692 -rwx------ 1 root root 2624112 2023-02-12 22:27 frida-helper-324481691 -rwxr-xr-x 1 root root 20142336 2023-02-12 22:27 7a9f4666-5fa6-4ec8-b030-3f019e05b68e-64.so // 随机名字4481690 -rwxr-xr-x 1 root root 14693860 2023-02-12 22:27 7a9f4666-5fa6-4ec8-b030-3f019e05b68e-32.so 23345 drwxr-xr-x 8 root root 13540 2023-02-12 22:27 ..4970580 srw-rw-rw- 1 root root 0 2023-02-12 22:27 pipe-5fe63df60d778fafde6fc5559736357b4492937 prw-rw-rw- 1 root root 0 2023-02-12 22:27 linjector-34492936 prw-rw-rw- 1 root root 0 2023-02-12 22:27 linjector-24481687 drwxr-xr-x 2 root root 220 2023-02-12 22:27 .sagit:/ # ls -alitr /data/local/tmp_back/re.frida.server/ total 366202097833 srw-rw-rw- 1 root root 0 2023-02-12 17:46 pipe-f47ac5882f95a69873c4ecae495ef7f42097814 srw-rw-rw- 1 root root 0 2023-02-12 17:46 pipe-b9e6c386ba48b51d881e4c066c01417f2097818 srw-rw-rw- 1 root root 0 2023-02-12 17:46 pipe-40bf4f01603822d132ad3e68d66f9dbd2097816 prw-rw-rw- 1 root root 0 2023-02-12 17:46 linjector-22097819 prw-rw-rw- 1 root root 0 2023-02-12 17:46 linjector-12097835 -rwx------ 1 root root 2623956 2023-02-12 17:46 frida-helper-322097831 -rwxr-xr-x 1 root root 20138088 2023-02-12 17:46 frida-agent-64.so // 原本的名字2097837 -rwxr-xr-x 1 root root 14693704 2023-02-12 17:46 frida-agent-32.so2105402 drwxrwxrwx 9 system system 4096 2023-02-12 17:46 ..2105421 drwxr-xr-x 2 root root 4096 2023-02-12 17:46 . |
frida:rpc
FRIDA 14.2.17 修改此项不成功,利用
lief进行全局 Patch 会出问题,总之 14 版本 frida:rpc 字符串修改不了(反正我没成功过,可以尝试使用 010Editor 或 ida 进行 Patch
如果修改为其他值还需要改动 PC 端的文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | // 这种修改不用对 PC 端进行改动// frida/frida-core/lib/interfaces/rpc.vala | 16.0.9 是 rpc.vala- .add_string_value ("frida:rpc") // 这个要改动两处+ .add_string_value ((string) GLib.Base64.decode("ZnJpZGE6cnBj="))- if (json.index_of ("\"frida:rpc\"") == -1)+ if (json.index_of ((string) GLib.Base64.decode("ImZyaWRhOnJwYyI=")) == -1)// 这种改动需要对 PC 端进行修改"frida:rpc" -> "fuck"// windows 改动〉which core.py├───┼───────┼─────────────────────────────────────────┼──────────┤│ 0 │ frida │ D:\B_Tool\Python3.8.5\Scripts\frida.exe │ false │╰───┴───────┴─────────────────────────────────────────┴──────────╯〉open D:\B_Tool\Python3.8.5\Lib\site-packages\frida\core.py |findstr "frida:rpc" message = ['frida:rpc', request_id] elif mtype == 'send' and isinstance(payload, list) and len(payload) > 0 and payload[0] == 'frida:rpc':// linux 改动cat /usr/local/lib/python3.10/dist-packages/frida/core.py |grep "frida:rpc" message = ['frida:rpc', request_id] elif mtype == 'send' and isinstance(payload, list) and len(payload) > 0 and payload[0] == 'frida:rpc':sudo sed -i 's/frida:rpc/fuck/g' /usr/local/lib/python3.10/dist-packages/frida/core.py // 命令行修改文本cat /usr/local/lib/python3.10/dist-packages/frida/core.py |grep "fuck" message = ['fuck', request_id] elif mtype == 'send' and isinstance(payload, list) and len(payload) > 0 and payload[0] == 'fuck': |
frida_agent_main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | // 这里是 14.2.17 的替换// frida/frida-core/src/agent-container.vala- var main_func_found = container.module.symbol ("frida_agent_main", out main_func_symbol);+ var main_func_found = container.module.symbol ("main", out main_func_symbol);// frida/frida-core/src/darwin/darwin-host-session.vala- unowned string entrypoint = "frida_agent_main";+ unowned string entrypoint = "main";// frida/frida-core/src/linux/linux-host-session.vala- string entrypoint = "frida_agent_main";+ string entrypoint = "main";// frida/frida-core/src/qnx/qnx-host-session.vala- var id = yield qinjector.inject_library_resource (pid, agent_desc, "frida_agent_main", t.remote_address,+ var id = yield qinjector.inject_library_resource (pid, agent_desc, "main", t.remote_address,// frida/frida-core/src/windows/windows-host-session.vala- var id = yield winjector.inject_library_resource (pid, agent, "frida_agent_main", t.remote_address, cancellable);+ var id = yield winjector.inject_library_resource (pid, agent, "main", t.remote_address, cancellable); |
gum-js-loop gmain gdbus 进程名
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # frida/frida-core/src/embed-agent.sh+ custom_script="$output_dir/../../../../frida-core/src/anti-frida.py" priv_dir="$output_dir/frida-agent@emb"+ if [ -f "$custom_script" ]; then+ python3 "$custom_script" "$embedded_agent"+ fi embedded_agents+=("$embedded_agent") echo "An agent must be provided" exit 1 fi+ if [ -f "$custom_script" ]; then+ python3 "$custom_script" "$embedded_agent"+ fi exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "$embedded_agent" |
Tips:记得安装依赖 sudo pip3 install lief
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | # frida/frida-core/src/anti-frida.py 新建 Python Script 命名为 anti-frida.pyimport liefimport sysimport randomimport osdef log_color(msg): print(f"\033[1;31;40m{msg}\033[0m")if __name__ == "__main__": input_file = sys.argv[1] log_color(f"[*] Patch frida-agent: {input_file}") random_name = "".join(random.sample("ABCDEFGHIJKLMNO", 5)) # generate random "frida-agent-arm/64.so" name log_color(f"[*] Patch `frida` to `{random_name}``") binary = lief.parse(input_file) if not binary: exit() for symbol in binary.symbols: # 修改符号名 if symbol.name == "frida_agent_main": symbol.name = "main" if "frida" in symbol.name: symbol.name = symbol.name.replace("frida", random_name) if "FRIDA" in symbol.name: symbol.name = symbol.name.replace("FRIDA", random_name) all_patch_string = ["FridaScriptEngine", "GLib-GIO", "GDBusProxy", "GumScript"] # 字符串特征修改 尽量与源字符一样 for section in binary.sections: log_color(section.name) if section.name != ".rodata": continue for patch_str in all_patch_string: addr_all = section.search_all(patch_str) # Patch 内存字符串 for addr in addr_all: patch = [ord(n) for n in list(patch_str)[::-1]] log_color(f"current section name={section.name} offset={hex(section.file_offset + addr)} {patch_str}-{"".join(list(patch_str)[::-1])}") binary.patch_address(section.file_offset + addr, patch) binary.write(input_file) # thread_gum_js_loop random_name = "".join(random.sample("abcdefghijklmn", 11)) log_color(f"[*] Patch `gum-js-loop` to `{random_name}`") os.system(f"sed -b -i s/gum-js-loop/{random_name}/g {input_file}") # thread_gmain random_name = "".join(random.sample("abcdefghijklmn", 5)) log_color(f"[*] Patch `gmain` to `{random_name}`") os.system(f"sed -b -i s/gmain/{random_name}/g {input_file}") # thread_gdbus random_name = "".join(random.sample("abcdefghijklmn", 5)) log_color(f"[*] Patch `gdbus` to `{random_name}`") os.system(f"sed -b -i s/gdbus/{random_name}/g {input_file}") |
一个检测案例
具体检测方法就留给你们自己去研究了~
ANTI FRID ARTICLE
- 推荐一些不错的 FRIDA 相关文章
- 从 inlinehook 角度检测 frida-Android
- 从 Frida源码学习ArtHook(一) · wuhx/AppInspect Wiki
- 从 Frida源码学习ArtHook(二) · wuhx/AppInspect Wiki
- Frida Internal - Part 1: 架构、Gum 与 V8
- Frida Internal - Part 2: 核心组件 frida-core
- Frida Internal - Part 3: Java Bridge 与 ART hook
- Frida 源码分析 | m4bln
- frida 源代码分析--进程注入和 server dbus 通讯架构分析
- LIEF 官方文档
- 多种姿势花样使用 Frida注入 | AshenOne
- 关于frida检测的一个新思路
- https://github.com/qtfreet00/AntiFrida
总结
其实还有很多字符串特征,想要 Patch 完全的话工作量可能有点大而且我觉得不太现实(我猜大胡子能做到!!
121|sagit:/$ ps-A |grep fridaroot8920111504228000S frida-helper-32建议把编译好的 frida 放在
/system/lib64使用- 一入对抗深似海~ 卷死我了都
这里还做了一个 16.0.9 的 Patchs 文件,暂时能过掉文章的检测案例,其他检测需要根据实际的对抗场景进行优化
12345678# 最版本编译(16.0.9)# 1.把 Patchs.zip 放在桌面# 2.Pathch后编译推送到手机执行 frida-server,期间把手机链接到虚拟机cd ~/Desktop && unzip Patchs.zip&& sudo apt-get update && sudo apt-get install-y build-essential curl git lib32stdc++-9-dev libc6-dev-i386 nodejs npm python3-dev python3-pip android-tools-adb && sudo pip3 install frida-tools lief && git config--globalhttp.proxy"http://192.168.1.6:7890"&& git config--globalhttps.proxy"https://192.168.1.6:7890"&& git config--globaluser.email"you@example.com"&& git config--globaluser.name"Your Name"&& git clone--recurse-submodules https://github.com/frida/frida.git && wget https://dl.google.com/android/repository/android-ndk-r25c-linux.zip&& unzip android-ndk-r25c-linux.zip&& export ANDROID_NDK_ROOT=/home/k/Desktop/android-ndk-r25c && export PATH=$ANDROID_NDK_ROOT:$PATH && cd frida/frida-core && git am ../../Patchs/*.patch && cd ../&& make core-android-arm64 && adb root && adb push build/frida-android-arm64/bin/frida-server/system/lib64/fs && adb shell chmod777/system/lib64/fs && adb shell ./system/lib64/fs-l0.0.0.0:9527# build.shadb root && export ANDROID_NDK_ROOT=/home/k/Desktop/android-ndk-r25c && export PATH=$ANDROID_NDK_ROOT:$PATH && source ~/.bashrc && cd ~/Desktop/frida/&& make core-android-arm64 && adb push build/frida-android-arm64/bin/frida-server/system/lib64/fs && adb shell chmod777/system/lib64/fs && adb shell ./system/lib64/fs-l0.0.0.0:9527patch 生成与合并(一些栗子
12345678910git config--globaluser.email"you@example.com"&& git config--globaluser.name"Your Name"git commit-a-m"io_re_frida_server"&& gitformat-patch HEAD^git reset--soft HEAD^# 撤销git add <文件> 更新要提交的内容git restore <文件> 丢弃工作区的改动git commit-m"提交说明"git commit-a-m"提交说明"$ gitformat-patch HEAD^^^^# 生成最近的4次commit的patch- 那些一大堆的脚本是打开 Ubuntu 终端输入自动运行编译的代码,傻瓜式编译~
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
也许我以前修改过这个目录权限吧 自己也可以测试放在其他目录 或者默认目录也一样 特征基本都修改了 |
|
|
有问题可以不修改目录的生成位置 |
|
|
|
|
|
|
|
|
老哥找到解决办法了吗 |
|
|
|
|
|
|
|
|
pool-frida 我也修改不成功 我的想法就是 patch 大部分特征+anti的脚本去进行对抗 单纯指望一次性修改掉所有特征我觉得不太现实 |
|
|
这个什么错误啊
最后于 2023-3-23 15:12
被Avenue-le编辑
,原因:
|
|
|
老哥解决了吗?一样的问题,启动服务直接重启 |
|
|
好像是system目录的问题,我挂载了能正常写入也是会重启,我把路径改到/data/local/tmp/目录下重新编译就正常了,不过楼主发的线程检测、map记录检测和fd检测都检测到了,应该特征就是这个路径 
|
|
|
这个检测不全是这个原因,你可以把检测的so用ida分析一下检测逻辑就明白检测了哪些点 |
|
|
|
|
|
在内核中修改 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2298,6 +2298,10 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, if (strncpy_from_user(comm, (char __user *)arg2, sizeof(me->comm) - 1) < 0) return -EFAULT; + if (!strcmp(comm, "pool-frida")) { + memcpy(comm, "pool-works", strlen(comm)); + pr_info("prctl rename from %d\n", me->pid); + } |
|
|
|
|
|
我是4.10内核 改了kernel/sys.c 这个位置确实可以了,忘了从内核下手 case PR_SET_NAME: comm[sizeof(me->comm) - 1] = 0; if (strncpy_from_user(comm, (char __user *)arg2, sizeof(me->comm) - 1) < 0) return -EFAULT; if (!strcmp(comm, "pool-frida")) { memcpy(comm, "pool-works", strlen(comm)); pr_info("prctl rename from %d\n", me->pid); } set_task_comm(me, comm); proc_comm_connector(me); break; |
|
|
补一个简单过PrettyMethod的检测方法,把手机的libart.so拖出来看PrettyMethod函数头原来的几个字节进行修改,这样改应该会对frida部分功能造成影响 function fridaInlineHookCheckPass(){ //PrettyMethod //获取libart模块 var libart = Process.findModuleByName("libart.so") console.log("libart base: " + libart.base); //打印原函数头字节 var PrettyMethod = libart.base.add(0x175475); console.log(myhexdump(Memory.readByteArray(PrettyMethod, 16))) //修改函数头字节 Memory.protect(PrettyMethod, 16, "rwx"); var p_fun = new NativePointer(PrettyMethod) p_fun.writeByteArray([0xF0, 0xB5, 0x85, 0xBD, 0x04, 0x46, 0x3E, 0x48, 0x0D, 0x46]) //修改代码段属性 Memory.protect(PrettyMethod, 16, "rx"); //再次打印函数头查看是否修改成功 console.log(myhexdump(Memory.readByteArray(PrettyMethod, 16))) } |
|
|
|
|
|
|
|
|
|
|
|
防止内存扫描吧
最后于 2024-1-8 15:24
被ldzspace编辑
,原因:
|
