过掉某加固2023年9月的frida检测

作者:rhtnll   





1.hook pthread_create
[Asm] 纯文本查看 复制代码setImmediate(check_pthread_create);
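function check_pthread_create() {
    // Replaces pthread_create so that every new thread's start routine
    // (third argument) is resolved to a module and logged; when the routine
    // lives in a libjiagu* module and its offset is in check_list, the
    // thread is not created and 0 (pthread success) is returned instead.
    const pthread_create_addr = Module.findExportByName(null, 'pthread_create');
    const pthread_create = new NativeFunction(
        pthread_create_addr, "int", ["pointer", "pointer", "pointer", "pointer"]);
    // Module-relative start-routine offsets (decimal Numbers) to skip.
    // Left empty here, so every thread is created and merely logged.
    const check_list = []; // 1769036,1771844

    Interceptor.replace(pthread_create_addr, new NativeCallback(function (parg0, parg1, parg2, parg3) {
        const module = Process.findModuleByAddress(parg2);
        // A start routine that is not inside any loaded module yields null;
        // the original code dereferenced .name here and threw inside the
        // callback, so forward the call unchanged instead.
        if (module === null) {
            return pthread_create(parg0, parg1, parg2, parg3);
        }
        // Only threads started from the packer's own library are inspected.
        if (module.name.indexOf("libjiagu") === -1) {
            return pthread_create(parg0, parg1, parg2, parg3);
        }
        // Both operands are NativePointers; `-` coerces them through their
        // hex string form, so `offset` is a plain Number as before.
        const offset = parg2 - module.base;
        console.log("======");
        console.log("find thread func offset", module.name, offset.toString(16));
        // `this.context` is the CPU context at the intercepted call; the walk
        // is logging-only, hence forEach rather than map.
        Thread.backtrace(this.context, Backtracer.ACCURATE).forEach(addr_in_so);
        if (check_list.indexOf(offset) !== -1) {
            console.log("check bypass");
            return 0;
        }
        return pthread_create(parg0, parg1, parg2, parg3);
    }, "int", ["pointer", "pointer", "pointer", "pointer"]));
}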
function addr_in_so(addr){
    var process_Obj_Module_Arr = Process.enumerateModules();
    for(var i = 0; i process_Obj_Module_Arr.base && addr
输出日志如下
[Asm] 纯文本查看 复制代码Spawned `com.oacia.apk_protect`. Resuming main thread!
[Remote::com.oacia.apk_protect ]-> ======
find thread func offset libjiagu_64.so 1ac1f0   
7e210e71bc is in libjiagu_64.so offset: 0x1ac1bc
7e210e71bc is in libjiagu_64.so offset: 0x1ac1bc
======
find thread func offset libjiagu_64.so 1b0944   
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1ae778   
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1afe2c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1afe4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b29b8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
======
find thread func offset libjiagu_64.so 1a6d4c
find thread func offset libjiagu_64.so 1a6d4c
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
======
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
Process terminated
我们发现这些 pthread_create 调用的回溯(backtrace)都指向了同一个地址 0x17710
拜读大佬的文章(https://bbs.kanxue.com/thread-280609.htm)后,已经知道这里是用 libffi 动态调用函数的,那么可以直接在该调用点 hook 并检查寄存器 x6 中的字符串,过掉检测
function isValidPointer(curPtr){
    // Lower bound below which a value is never treated as a usable address;
    // the caller only dereferences a register (readCString) when this holds.
    const MIN_VALID_POINTER = 0x10000;
    // `>` appears to rely on a NativePointer coercing through its hex string
    // ("0x...") into a Number, so plain numbers and pointers both work.
    return curPtr > MIN_VALID_POINTER;
}
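function my_hook_dlopen(soName='') {
    // Hooks android_dlopen_ext and, once a library whose path contains
    // `soName` has finished loading, calls anti_frida_check() so that its
    // Interceptor.attach() targets an already-mapped module.
    //
    // NOTE(review): the default soName '' matches every path
    // (indexOf('') === 0), so anti_frida_check() would then run on every
    // dlopen; pass the library name explicitly.
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter(args) {
            const pathptr = args[0];
            // args[0] is always a NativePointer object, so the old
            // undefined/null test could never catch a NULL pointer; compare
            // against NULL instead of dereferencing it.
            if (pathptr.isNull()) {
                return;
            }
            const path = pathptr.readCString();
            if (path !== null && path.indexOf(soName) >= 0) {
                this.is_can_hook = true;
            }
        },
        onLeave(retval) {
            if (this.is_can_hook) {
                anti_frida_check();
            }
        },
    });
}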
function anti_frida_check(){
    var module = Process.findModuleByName("libjiagu_64.so");
    Interceptor.attach(module.base.add(0x1770c), {
        onEnter: function (args) {
            try{
                if (isValidPointer(this.context.x6) && isValidPointer(this.context.x0)) {
                    var s = this.context.x6.readCString();
                    if (s.indexOf("tmp") !== -1 ||
                        s.indexOf("frida") !== -1 ||
                        s.indexOf("gum-js-loop") !== -1 ||
                        s.indexOf("gmain") !== -1 ||
                        s.indexOf("gdbus") !== -1 ||
                        s.indexOf("pool-frida") !== -1||
                        s.indexOf("linjector")!==-1 ||
                        s.indexOf("/proc/")!==-1){
                        //console.log(s)
                        Memory.protect(this.context.x0, Process.pointerSize, "rwx");
                        var replace_str=""
                        for(var i=0;i
至此就过掉了frida检测,又可以愉快地hook了
[Asm] 纯文本查看 复制代码[Remote::com.oacia.apk_protect ]->
[Remote::com.oacia.apk_protect ]-> Java
{
    "ACC_ABSTRACT": 1024,      
    "ACC_BRIDGE": 64,
    "ACC_FINAL": 16,
    "ACC_NATIVE": 256,
    "ACC_PRIVATE": 2,
    "ACC_PROTECTED": 4,
    "ACC_PUBLIC": 1,
    "ACC_STATIC": 8,
    "ACC_STRICT": 2048,
    "ACC_SYNCHRONIZED": 32,     
    "ACC_SYNTHETIC": 4096,      
    "ACC_VARARGS": 128,
    "_apiError": null,
    "_cachedIsAppProcess": null,
    "_initialized": true,      
    "_pendingMainOps": [],
    "_pendingVmOps": [],
    "_pollListener": null,
    "_wakeupHandler": null,
    "api": {
        "$delete": "0x7752a54f4c",
        "$new": "0x7752a54e78",
        "JNI_GetCreatedJavaVMs": "0x76b8e5fd24",
        "addLocalReference": null,
        "art::ClassLinker::VisitClassLoaders": "0x76b8c9f348",
        "art::ClassLinker::VisitClasses": "0x76b8c9f3d0",
        "art::Dbg::SetJdwpAllowed": "0x76b8cefc10",
        "art::Instrumentation::Deoptimize": "0x76b8dd7b30",
        "art::Instrumentation::DeoptimizeEverything": "0x76b8dd8630",
        "art::JavaVMExt::AddGlobalRef": "0x76b8e5b408",
        "art::Monitor::TranslateLocation": "0x76b8f5c0fc",
        "art::ReaderWriterMutex::ExclusiveLock": "0x76b8c81a00",
        "art::ReaderWriterMutex::ExclusiveUnlock": "0x76b8c81d24",
        "art::Runtime::DeoptimizeBootImage": "0x76b902e020",
        "art::StackVisitor::GetMethod": "0x76b9046f6c",
        "art::StackVisitor::StackVisitor": "0x76b9048238",
        "art::StackVisitor::WalkStack": "0x76b9045a58",
        "art::Thread::CurrentFromGdb": "0x76b90738e8",
        "art::Thread::DecodeJObject": "0x76b906dc90",
        "art::Thread::GetLongJumpContext": "0x76b9074088",
        "art::ThreadList::ResumeAll": "0x76b90815e4",
        "art::ThreadList::SuspendAll": "0x76b9080de8",
        "art::interpreter::GetNterpEntryPoint": "0x76b91371c8",
        "art::jni::JniIdManager::DecodeMethodId": "0x76b8e63bb4",
        "art::mirror::Class::GetDescriptor": "0x76b8f31a74",
        "artClassLinker": {
            "address": "0xb4000076bc49ac00",
            "quickGenericJniTrampoline": "0x6f63f030",
            "quickImtConflictTrampoline": "0x6f63f040",
            "quickResolutionTrampoline": "0x6f63f050",
            "quickToInterpreterBridgeTrampoline": "0x6f63f060"
        },
        "artHeap": "0xb4000076bc429700",
        "artInstrumentation": "0xb4000076bc4d2f20",
        "artNterpEntryPoint": "0x76b8c00090",
        "artQuickGenericJniTrampoline": "0x76b8c1a2c0",
        "artQuickResolutionTrampoline": "0x76b8c1a180",
        "artQuickToInterpreterBridge": "0x76b8c1a430",
        "artRuntime": "0xb4000076bc4d2c00",
        "artThreadList": "0xb4000076bc438000",
        "flavor": "art",
        "kAccCompileDontBother": 33554432,
        "module": {
            "base": "0x76b8a00000",
            "name": "libart.so",
            "path": "/apex/com.android.art/lib64/libart.so",
            "size": 10584064
        },
        "vm": "0xb4000076bc490380"
    },
    "classFactory": {
        "_classHandles": {
            "capacity": 10,
            "items": {}
        },
        "_classes": {},
        "_loader": null,
        "_patchedMethods": {},
        "_types": [
            {},
            {}
        ],
        "cacheDir": "/data/local/tmp",
        "codeCacheDir": "/data/local/tmp/dalvik-cache",
        "tempFileNaming": {
            "prefix": "frida",
            "suffix": ""
        }
    },
    "vm": {
        "handle": "0xb4000076bc490380"
    }
}
[Remote::com.oacia.apk_protect ]->


makmak79   

厉害了!感谢分享
debug_cat   

标题说的是23.9月的,能否给个样本学习一下呢
Jorathan   

学习一下
xixicoco   

分析的比较透彻
rhtnll
OP
  


debug_cat 发表于 2024-7-15 14:36
标题说的是23.9月的,能否给个样本学习一下呢

https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3
Zshltd   


rhtnll 发表于 2024-7-15 18:06
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3

我还是小白,看了好多课都说这个frida,它能干什么呢,请教下
debug_cat   


rhtnll 发表于 2024-7-15 18:06
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3

谢谢啦!!!
Vincent2018   

学习了学习了
rhtnll
OP
  


Zshltd 发表于 2024-7-15 22:24
我还是小白,看了好多课都说这个frida,它能干什么呢,请教下

frida是hook框架
