《2023Anti-Frida加固样本分析.docx》由会员分享,可在线阅读,更多相关《2023Anti-Frida加固样本分析.docx(19页珍藏版)》请在三一办公上搜索。
1、分析某加固的AntRFrida保护分析过程找到检测所在的S。我们可以通过frida-trace快速进行系统函数的hook,首先我们需要知道loads。的函数一般为dlopen和android_dlopen_ext,所以先执行trida-trace-U-tcom.wuje.Chengxin-1dIopen可以观察到以下输出:PSE:antiantifridachenxinfrida-tracecom.wujie.ChengxindlopenInStrUmenting.dlopen:1.oadedhandlerat11EWantiantifridaWchenxinWhandlerslibdl.so
2、dlopen.isStartedtracingifunction.PressCtrl+Ctostop.-TID0x3a6f/240msdlopen()24msdlopen()246msdlopen()卜Iin;PSE:样本antiantifridachenxin_可以看到这里只显示了调用dlopen,但是参数没有输出,祖叩en的第一个参数即为所需Ioad的s。的名字(args0.readcstring()我们可以去提示的路径下修改dlopen.js脚本修改前:IHChengxinJsBdlopeajs3*ForfullAPIreference,see:https:fZda.redocsjava
3、script-apedsynchronous1.ywhenabouttoca1.1.d1.open.bouttoreturnfromd1.open.SeeonEdetai1.paramfunction1.og1.thisfunctionwithastringtoparamNativePointer)retva1.onEnter/on1.eave,butinsteadinvocation.inonEnter.bepresentedtotheuser,aNativePointerobject.thisobjectObjecta1.1.owingyoutoaccessstatestoredHowev
4、er,dousethistostorefunctionargumentsacrossparamobjectstateVOn1.eaVe(Iog,retval,state)*usethiswhichisanobjectforkeepingstate1.oca1.toan*/onEnter(log,args,state)log(dlopen();),chenin_handlers_libdl.soBdIopenjs5678910111213141516171819202122232425262728293031323334353637修改后:,thisobject-Objecta1.1.owing
5、youtostorestateforuseinon1.eave.paramfunction1.og-Ca1.lthisfunctionithastringtobepresentedtotheuser.,paramarrayargsFunctionargumentsrepresentedasanarrayofNativePointerobjects.*Foreamp1.euseargs0.readUtf8String()ifthefirstargumentisapointertoaCstringeItisalsopossib1.etomodifyargumentsbyassigningaNati
6、vePointerobjecttoane1.ementcparamobjectstate.OnlyoneJavaScriptfunctionexecuteatatimejsodonotWOrrtVaboutrace-conditions.ISChengxinjsIHdlopen.js3chenxin_handlers_libdl.soISdIopenJs4567891011121314IS1617181920212223242526272829303132333435363738ForfullAPIreference,/Ca1.1.eds.thisobject)paramfunction1.o
7、gparamarrayargsForeamp1.euseCIrgSftItisa1.sopossib1.etfrida-tracecom.wujie.ChengxindlopenInstrumenting.dlopen:1.oadedhandleratE:样本Wantiantifridachenxin_handlers_Wlibdl.sodlopen.JsStartedtracing1function.PressCtrlKtostop./TIDx3e92/241 msdIopen():libc.so242 msdlopen():libc.so247 msdlopen():Iibdatajar.
8、soProcesstermir现在dlopen的参数就显示出来了,但是这里load的三个SO显然是系统的s。而非app的SO,所以我们再hookandroid_dlopen_ext看看:PSE:样本antiantifri,dachenxinfrida-tracecxn.wujIe.Chengxinandroid_dlopen_extInstrumenting.android-dlopen-et:1.oadedhandleratE:样本Wantiantifridachenxin_handlers_libdl.soandroid_dlopen_ext.jsStartedtracing1functi
9、on.PressCtrltCtostop./TID0x406c/211msandroid.dlopen,et():systemframeworkoatarmorg.apache.http.legacy.odex216msandroiddlopenet():dataappcom.wujie.che11gxin-WZCaCd7ATEUlEIc9F17Xdg=oata11nbase.o_可以看到当IOad到IibDeXHelPer.so的时候,frida被杀掉了,所以我们初步可以判定做检测的位置在IibDexHelper.so首先我们可以通过hook字符串比较函数(比如StrStrWStrCmP等函
10、数)来观察是否传入了frida相关的字符串进行比较Interceptor.attach(Module.findEportByName(null,strstr),onEnter:function(args)if(args0.readCString().indexOf(frida)!:1args1.readCString().indexf(frida)!=-1|args0.readCString().indexOf(gum-js-loop)!=-largsl.readCString().indexf(gum-js-loop)!=-l|args0.readCString().indexOf(gmai
11、n)!=-1argsl.readCString().indexOf(g三ain)I=-1|args.readCString().i11dexf(Iinjector)!=-1argsl.readCString().indexf(Iinjector)!=-1console.log(nstrstr(+sl=t+args0.readCString()+,s2=w,+args1.readCString()+11,)i),on1.eave:function(retval)!);PSE:ffantiatifridacheninfrida-traceCM.wjie.CbengxinstrstrInstrume
12、nting.strstr:1.oadedhandleratE:样本antiantifridachenxin_handlers_1ibc.sostrstr.jsStartedtracing1function.PressCtrlCtostop.TIDx4dcd/246asstrstr(sl=,/data/local/tnip/re.frida.server/linjector-62,s2三co.wujie.chengxin)258asstrstr(5l=Md0e510OOdlc7200r-xp0e0103:064063246datalocaltmpre.frida.server/frida-age
13、nt32.so,sZB-lib/libart.so-)258ssstrstr(31=Mdlc720W-dlcca00Or-pe2103:06463246datalocaltmpre.frida.server/frida-agent-32.so,$2=Mlib/libart.soH)258sstrstr(slMdlccaOOe-dlcd80OOrw-pe78103:96463246datalocaltaprefrida.server/frida-age11t-32.sos2=wliblibart.so-)310sstrstr(sl=Md0e510OO-dlc72O0Or-xp103:064632
14、46datalocaltnpre.frida.server/fridaaget-32.so-,s2=-MblibdeHle.so)31asstrstr(sl=*,dlc72-dlccaO0Or-p0e2103:06463246datalocaltpre.frida.server/frida-agent-32.so”,s2=liblibdefile.so)31asstrstr(sl=odlcca00-dlcd8rw-pe78103:064063246datlocaltmpre.frida.server/frida-aget-32.so-,s2三liblibdefile.so)397asstrst
15、r(sl=Md0c51000dl=0)/console.log(openmaps:,pathname);while(parselnt(read(realFd,buffer,512)!=0)varone1.ine=Memory.readCString(buffer);if(one1.ine.indef(tmp)=-l)fiIe.write(one1.ine);elseconsole.log(one1.ine);)varfilename=Memory.alIocutf8string(fakePath);returnopen(filename,flag);)varfd=open(pathnamept
16、r,flag);/hread.sleep(l)returnfd;),int,pointer,int,J);执行后的输出如下:dlfe9000-dlff700rw-pe780103:06463243dlff7e-d23brw-p00O00:00open:dataappco.wujie.chengin-WZCaCd7ATEUlEIc9F17Xdg=ba5e.apkopen:procselfmapsdatalocaltmpre.frida.serverfrida-agent-32.sodll700OOdlf9100r-p00OO103:064063243dif9ieo-dife900r-p0e210
17、3:06463243dlfe9OOO-dlff70rw-pe78OO103:064063243dlff70O0-d203b00rw-p000O0000:00-dll7eer-xs02000:e56694187/memfd:/jit-cache(deleted)datalocaltnpre.frida.server/frida-agent-32.sodatalocaltmprefrida.server/frida-agent-32.sodatalocaltmpre.frida.server/frida-agent-32.soopen:open:open:open:dataappco*.wujie
18、.chengin-WZCaCd7ATUlEIc9F17Xdg=base.apkdataapco.wujie.chegin-wzcaCd7ATEUlElc9F17XdgsBbase.akapecom.android.runtiMe/lib/bionic/libc.soproc26096as-dll70e0r-xs0200000000:0566941807dii7-dif9ir-xp0000dlf9100-dlfe90r-p0e2000dlfe9-dlff75rw-pe78dlff7000d203b00Orwp103:064103:06/ie3:G6/00:00046324340632434632
19、43memfd:/jit-cache(deleted)datalocaltre.frida.server/frida-agent-32.sodatalocaltmpre.frida.server/frida-agent-32.sodatalocaltmpre.frida.server/frida-agent-32.soopen:open:open:OPen:open:open:open:open:open:open:open:open:open:open:)pen:IoPen:procselThankyouforusingFrida!IPSE:样本antiantifridachenxin通过观
20、察Iog可以发现,之前maps中frida相关的字符串没有出现在StrStT的参数中,说明我们已经过掉了这个检测点,但是Mda仍然被杀掉了,并且被杀掉之前app打开了procselftaskpidstatus文件,所以我们需要再去观察一下这些StatUS文件。检测点二通过观察发现,当app中注入了fida,那么frida的特征会在StatUS文件中的Name字段有所体现,这里我们可以通过其它没有检测frida的app做一个验证,如下图所示:./27177/statusperseus:/proc/27152口task#catrName:gdbusUmask:-077State:S(sleepin
21、g)Tgid:27152Ngid:0Pid:27177DPPid:6142TracerPid:0Uid:10323J.0323103235Gid:1032310323103235FDSize:128Groups:99972032350323VmPeak:5916520kBVmSize:5406868kBiVm1.ck:kBVmPin:kBVmHWM:118596kBVmRSS:115800kBRssAnon29496kBRssFile:86012kBRssShmem:292kBVmData:1216788kBVmStk:8192kBVmExe:28kBVm1.ib:186144kBDerseu
22、s:/Droc/27:1.52/task#catName:gmainIUmask:0077State:S(sleeping):Tgid:27152Ngid:0Pid:271765PPid:61425TracerPid:01.Uid:103231032310323Gid:103231032310323FDSize:128-Groups:99972032350323VmPeak:5916520kBVmSize:5406868kBVm1.ck:0kBVmPin:0kBVmHWM:118596kBVmRSS:115800kBRssAnon:29496kBRssFile86012kBRssShmem:2
23、92kBVmData:1216788kBVmStk:8192kBVmExe:28kB./27176/status103231032310323103232BiCQX:Z221S2ZX35k#cat./27178/status!-Name:gum-js-loopuUmask:0077rState:S(sleeping)rTgid:27152Ngid:0Pid:27178PPid:6142TracerPid:0Uid:103231032310323103230Gid:10323103231032310323FDSize:128Groups:99972032350323sVmPeak:5916520
24、kBsVmSize:5406868kBHm1.ck:0kBVmPin:0kB/VmHWM:118596kBiVmRSS:115800kBRssAnon:29496kBRssFile:86012kBRssShmerrl:292kBVmData:1216788kB所以我们可以通过上面伪造maps的方法去伪造task,修改脚本如下:constopenPtr=Module.getExportByName(,1ibe.so,open);constopen=newNativeFuncton(openPtr,int,pointer,int);varreadPtr=Module.findExportByNam
25、e(libe.so,read);varread=newNativeFunction(readPtr,int,nt,pointer,int*);varfakePath=datadatacom.pkgname/maps;varfile=newFile(fakePath,w);varbuffer=Memory.alIoc(512);varfakePath2=,datadatacom.pkgname/task;varfile2=newFile(fakePath2,w);varbuffer2=Memory.alloc(512);interceptor.replace(openPtr,newNativeC
26、al1back(functionCpathnameptr,flag)varpathname=Memory.readutf8string(pathnameptr);varrealFd=open(pathnameptr,flag);console,log(open:,pathname)if(pathname.inde0f(maps)=Opathname.inde0f(task)=O)vartemp=pathname.indexf(maps)=O?1:2;swtch(temp)case1:/console.log(openmaps:,pathname);whi1e(parselnt(read(rea
27、lFd,buffer,512)!=0)varone1.ine=Memory.readCString(buffer);if(one1.ine.indexf(tmp)=-l)file.write(one1.ine);else/console.log(one1.-ine);varfilename=Memory.al1ocutf8string(fakePath);returnopen(filename,flag);break;case2:/console.1og(opentask:,pathname);whiIeCparselnt(read(realFd,buffer2,512)!=0)varone1
28、.ine=Memory.readcstring(buffer2);varreplacestr=123if(one1.ine.IndexOf(gum-js-loop)!=-l)one1.ine=one1.ine.replace(,gum-js-loop,replacestr)if(one1.ine.inde0f(gmain)!=-l)one1.ine=one1.ine.replace(gmain,replacestr)file2.write(one1.ine);/console.1og(one1.ine)varfiIename=Memory.alIocUtf8String(fakePath2);
29、returnopen(filename,flag);break;varfd=open(pathnameptr,flag);/Thread.sleep(l)returnfd;,int,pointer,intf);上面的脚本执行完成后,其实frida还是会被断下来,但是查看输出的Iog我们可以看到替换是成功的:Mems-allowed:1|Mems_allowed_list:0!voluntary_ctxt_switches:53lnonvoluntary_ctxt.switches:3PTE:988kBVmPMD:16kBVmSwap:19556kName:123Umask:0077State:
30、S(sleeping)Tgid:22820Ngid:0Pid:22849PPid:6143TracerPid:0Uid:10341103411034110341Gid:10341103411034110341FDSize:128Groups:300399972034150341VmPeak:2010596kBVmSize:2010228kBVm1.ck:0kBVmPin:0kBVmHWM:148848kBVmRSS:148848kB但细心一点我们会发现,还有Tfrida相关的字符串出现在了Iog里(pool-frida)所以我们需要修改一下脚本:case2:/conso1.e.1.og(ope
31、ntask:m,pathname);while(parseInt(read(realFd,buffer2,512)!=u)varone1.ine=Memory.readCString(buffer2);varreplaceStr=12Bmif(one1.ine.indexf(pl-frida)!=-1)one1.ine=one1.ine.replace(pool-fridan,replaceStr)if(one1.ine.indexOf(Mgum-js-loopM)!=-l)one1.ine=one1.ine.replace(gum-js-loopjreplaceStr)if(one1.ine
32、.indexf(gnain,r)!=-l)one1.ine=one1.ine.replace(gmain,replaceStr)file2.write(one1.ine);/console.log(one1.ine)Svarfilename=Memory.allocUtf8String(fakePath2);returnopen(filename,flag);Ibreak;然后,执行!然后Mda又双恐强被终止了,所以还是继续看输出。检测点三通过输出可以看到上面还有个关于StrStr函数且参数为frida相关字符串的调用:open:dataappcom.wujie.chengxin-WZCaCd7ATEUlEIc9F17Xdg=oatarmbase.vdexopen:dataappcom.wujie.cheng
