原文始发于8ksecresearch:Frida Advanced Usage Part 8 – Frida Memory Operations Continued
Introduction 介绍
Welcome to another blog post in our Advanced Frida usage series. It is a continuation of our previous blog where we discussed Memory.scan, Memory.copy, and MemoryAccessMonitor JavaScript APIs in analyzing native Android libraries and how to utilize them in performing memory operations.
欢迎阅读我们高级 Frida 使用系列中的另一篇博文。这是我们之前博客的延续,我们在博客中讨论了 Memory.scan 、 Memory.copy 和 MemoryAccessMonitor JavaScript API 在分析原生 Android 库以及如何利用它们在执行内存操作时。
In this article, we will focus on the remaining Frida memory operations APIs, Memory.scanSync, Memory.protect, and Memory.patchCode.
在本文中,我们将重点介绍剩余的 Frida 内存操作 API、 Memory.scanSync Memory.protect 和 Memory.patchCode .
You can find the APK files used in this Blog at: You can find the APK files at: You can find the APK files at: https://github.com/8kSec/Blog-resources/tree/main/Frida-Series
您可以在以下位置找到此博客中使用的 APK 文件: 您可以在以下位置找到 APK 文件: 您可以在以下位置找到 APK 文件: https://github.com/8kSec/Blog-resources/tree/main/Frida-Series
Analysis 分析
In this tutorial, we will use different Android applications to show usage of each API in performing different the named memory operations.
在本教程中,我们将使用不同的 Android 应用程序来展示每个 API 在执行不同的命名内存操作中的用法。
Memory Protection 内存保护
Memory.protect Frida API allows one to update protection permissions of a given memory page region to allow read and write access permissions. This is helpful in modifying runtime memory for patching or execution of protected memory pages.
Memory.protect Frida API 允许更新给定内存页区域的保护权限以允许 read 和 write 访问权限。这有助于修改运行时内存以修补或执行受保护的内存页。
Frida version 16.2.1 introduced a Memory protection query that enables one to enumerate memory ranges satisfying the protection string argument to the Memory.queryProtection query API.
Frida 版本 16.2.1 引入了内存保护查询,使人们能够枚举满足 Memory.queryProtection 查询 API 字符串 protection 参数的内存范围。
In our example, we will use the snapseed application responsible for photo editing in Android applications to show the usage of the API.
在我们的示例中,我们将使用负责 Android 应用程序中照片编辑的 snapseed 应用程序来展示 API 的使用情况。
The steps we need to take are:
我们需要采取的步骤是:
-
Attach the Frida Process to the
snapseedapplication
将 Frida 进程附加到snapseed应用程序 -
Run
Process.enumerateModules()in the Frida Console to get all loaded Modules
在 Frida 控制台中运行Process.enumerateModules()以获取所有加载的模块 -
Get the module object of
libsnapped_native.so
libsnapped_native.so获取 -
Run
Memory.queryProtectionin the Frida Console
在 Frida 控制台中运行Memory.queryProtection -
Repeat the query with different protection parameters
使用不同的保护参数重复查询
To change the protection level of a memory region, we will use Memory.Protect API. It returns true or false depending on the success of the API.
要更改内存区域的保护级别,我们将使用 Memory.Protect API。它返回 true 或 false 取决于 API 的成功。
Writing Frida Script 编写弗里达脚本
Memory.Protect API to change the permissions of the snapseed library.
我们将创建一个脚本来使用 Memory.Protect API 来更改 snapseed 库的权限。
Steps taken are: 采取的步骤是:
-
Get the target module to hook
获取要挂钩的目标模块 -
Use the
Memory.Protectto query for at least read and write protection
使用Memory.Protectto 查询至少提供读写保护 -
Use the
Memory.Protectto query for read, write, and execute protection
使用Memory.Protectto 查询读取、写入和执行保护 -
Print out the protection results
打印出保护结果
Running Frida Script 运行 Frida 脚本
Let’s now test our Frida script.
现在让我们测试我们的 Frida 脚本。
From the above results, permissions allowed are at least `read` and `write` only.
从上述结果来看,允许的权限至少是“读取”和“写入”。
Memory Synchronous Scanning
内存同步扫描
Frida API is a synchronous version of Memory.scan used for finding occurrences of user patterns in a given memory range specified by the size. The returned array of matched objects contains absolute address and size as the properties.
Memory.scanSync Frida API 是用于 Memory.scan 查找由大小指定的给定内存范围内出现的用户模式的同步版本。返回的匹配对象数组包含绝对 address 属性和 size 属性。
TIn our example, we will use a simple android application that compares two strings and prints out You win
在我们的示例中,我们将使用一个简单的 android 应用程序来比较两个字符串,如果字符串匹配,则打印出 You win 消息。
Writing Frida Script 编写弗里达脚本
Memory.scan API to search for user patterns in the entire memory range of the target module.
我们编写一个 Frida 脚本来显示 Memory.scan API 的同步版本,以在目标模块的整个内存范围内搜索用户模式。
The API supports wildcard search using question marks ?? in the pattern string. In our analysis, we will use the question mark to match both eightksec string and eightksec-string in the application memory.
API 支持在模式字符串中使用问号 ?? 进行通配符搜索。在我们的分析中,我们将使用问号来匹配应用程序内存 eightksec string 和 eightksec-string 应用程序内存中的问号。
Steps we need to take:
我们需要采取的步骤:
-
Get the target module 获取目标模块
-
Write the pattern to search for
编写要搜索的模式 -
Scan memory using the
Memory.scanSyncAPI for the pattern
使用Memory.scanSyncAPI 扫描模式的内存 -
Print the matched objects address and size
打印匹配对象的地址和大小
Here is the full implementation script of the Memory.scanSync
下面是 Memory.scanSync API 的完整实现脚本
Running Frida Script 运行 Frida 脚本
Running the script against the application, we get the memory addresses of the matched patterns objects.
对应用程序运行脚本,我们得到匹配的模式对象的内存地址。
Interceptor
此外,该技术可用于在应用程序内存中搜索目标地址,并使用 frida Interceptor 来修补它们。
Memory Patching 内存修补
JavaScript API allows one to safely modify the specified size of bytes at a given memory address referenced as a nativePointer. Memory Patchode can be used together with writers to generate machine code directly written to the memory. The currently supported writers by Frida for different architectures are X86Writer, Arm64Writer, and ThumbWriter
Memory.patchCode JavaScript API 允许人们安全地修改给定内存地址处的指定 size 字节,该地址被引用为 nativePointer .Memory Patchode 可以与写入器一起使用,以生成直接写入内存的机器代码。Frida 目前支持的不同架构的编写器是 X86Writer 、 Arm64Writer 和 ThumbWriter.
To get the correct target architecture and size of the pointer run the following commands in the frida console Process.arch and Process.pointerSize
要获取正确的目标体系结构和指针大小,请在 frida 控制台中运行以下命令 Process.arch ,然后 Process.pointerSize.
In our analysis, we will use a simple Android application that checks if Frida debugger is hooked into it. It prints Frida detected if the process is hooked using Frida else it prints Frida not detected
在我们的分析中,我们将使用一个简单的 Android 应用程序来检查 Frida 调试器是否已挂钩到其中。 Frida detected 如果使用 Frida 挂钩该过程,它会打印, Frida not detected 否则它会打印
libeightksec.so
为了获得要钩住的分支的内存地址,我们使用 ghidra 对 libeightksec.so 库进行逆向工程并获取分支的偏移量。
0x001098c if the results of strstr are not NULL else the code will branch to 0x001019bc if the returned pointer is NULL.
从上面的汇编代码中,应用程序分支到 0x001098c 如果结果 strstr 不是 NULL 否则,如果返回的指针为 NULL,则代码将分支到 0x001019bc 。
The strstr is used for locating a substring and returns a pointer if found or NULL if the substring is not found.
用于 strstr 查找子字符串,如果找到或 NULL 未找到子字符串,则返回指针。
Writing Frida Script 编写弗里达脚本
-
Get the base address of the Module
获取模块的基址 -
Get the Frida Detected and Not detected branches
获取检测到和未检测到的 Frida 分支 -
Use
Memory.protectto change the permissions torwx
用于Memory.protect将权限更改为rwx -
Use
Memory.patchCodeto patch the Frida Detected branch
用于Memory.patchCode修补 Frida 检测到的分支 -
Clean up the memory after patching
修补后清理内存
Running Frida Script 运行 Frida 脚本
Let’s now test the script against our application.
现在让我们针对我们的应用程序测试脚本。
Check Frida button on the Application Interface, shows we have successfully altered the control flow of the program by Toasting Frida not detected
单击应用程序界面上的 Check Frida 按钮,表明我们已经在进程挂钩时通过 Toasting Frida not detected 成功更改了程序的控制流。
In real-world applications, Knowledge learned can be used in defeating various anti-debug mechanisms implemented by developers that might be roadblocks to further security analysis or debugging.
在实际应用中,所学的知识可用于击败开发人员实现的各种反调试机制,这些机制可能会成为进一步安全分析或调试的障碍。
Conclusion 结论
版权声明:admin 发表于 2024年4月16日 下午5:31。
转载请注明:Frida Advanced Usage Part 8 – Frida Memory Operations Continued | CTF导航
转载请注明:Frida Advanced Usage Part 8 – Frida Memory Operations Continued | CTF导航
相关文章
