Frida Snippet

Frida Snippet

作者: chensem | 来源:发表于2020-01-13 20:17 被阅读0次

    记录常用的Frida的脚本

    • template
    ///<reference path="~/../../Files/frida-gum.d.ts" />
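    // Namespace object; helpers below are attached as properties.
    function Wrapper() {}
    // Console shortcuts, kept as plain functions so they can be passed around.
    var log = function (msg) { console.log(msg); };
    var warn = function (msg) { console.warn(msg); };
    var error = function (msg) { console.error(msg); };
    /**
     * Allocate a NUL-terminated UTF-8 copy of `str` inside the target process.
     * The original version dropped the return value, so callers got `undefined`
     * and the buffer was unreachable; the pointer is now returned. Keep it
     * referenced for as long as native code may use the buffer, since the
     * backing memory is released once the NativePointer is garbage-collected.
     * @param {string} str - text to copy
     * @returns {NativePointer} address of the new buffer
     */
    Wrapper.allocStr = function (str) {
        return Memory.allocUtf8String(str);
    };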
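    /**
     * Read a NUL-terminated UTF-8 string from `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or a
     *     hex string such as "0x1234" (strings are now converted too; the
     *     original only converted numbers and would pass a string straight
     *     through to Memory.readUtf8String).
     * @returns {string} the decoded string
     */
    Wrapper.getStr = function (addr) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        // Frida raises an error if the address is not readable in the target.
        return Memory.readUtf8String(addr);
    };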
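    /**
     * Write `str` as a NUL-terminated UTF-8 string at `addr`.
     * No bounds check is possible here: the caller must ensure the destination
     * buffer is large enough for the encoded string plus the terminator.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @param {string} str - text to write
     * @returns {*} whatever Memory.writeUtf8String returns
     */
    Wrapper.putStr = function (addr, str) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.writeUtf8String(addr, str);
    };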
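    /**
     * Read `l` raw bytes starting at `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @param {number} l - number of bytes to read
     * @returns {ArrayBuffer|null} the bytes as returned by Memory.readByteArray
     */
    Wrapper.getByteArr = function (addr, l) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.readByteArray(addr, l);
    };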
    
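    /**
     * Read an unsigned 8-bit value from `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @returns {number}
     */
    Wrapper.getU8 = function (addr) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.readU8(addr);
    };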
    
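    /**
     * Write an unsigned 8-bit value to `addr`. The write is unchecked.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @param {number} n - value to store
     * @returns {*} whatever Memory.writeU8 returns
     */
    Wrapper.putU8 = function (addr, n) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.writeU8(addr, n);
    };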
    
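    /**
     * Read an unsigned 16-bit value from `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @returns {number}
     */
    Wrapper.getU16 = function (addr) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.readU16(addr);
    };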
    
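    /**
     * Write an unsigned 16-bit value to `addr`. The write is unchecked.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @param {number} n - value to store
     * @returns {*} whatever Memory.writeU16 returns
     */
    Wrapper.putU16 = function (addr, n) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.writeU16(addr, n);
    };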
    
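    /**
     * Read an unsigned 32-bit value from `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @returns {number}
     */
    Wrapper.getU32 = function (addr) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.readU32(addr);
    };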
    
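    /**
     * Write an unsigned 32-bit value to `addr`. The write is unchecked.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @param {number} n - value to store
     * @returns {*} whatever Memory.writeU32 returns
     */
    Wrapper.putU32 = function (addr, n) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.writeU32(addr, n);
    };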
    
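    /**
     * Read an unsigned 64-bit value from `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @returns {UInt64} a UInt64 object, not a plain JS number, so compare with
     *     its `.equals()` / `.toNumber()` rather than `===`
     */
    Wrapper.getU64 = function (addr) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.readU64(addr);
    };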
    
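    /**
     * Write an unsigned 64-bit value to `addr`. The write is unchecked.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @param {number|UInt64} n - value to store
     * @returns {*} whatever Memory.writeU64 returns
     */
    Wrapper.putU64 = function (addr, n) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.writeU64(addr, n);
    };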
    
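    /**
     * Read a pointer-sized value from `addr`.
     * @param {NativePointer|number|string} addr - pointer, numeric address, or
     *     hex string (strings are now converted as well)
     * @returns {NativePointer}
     */
    Wrapper.getPt = function (addr) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        return Memory.readPointer(addr);
    };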
    
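    /**
     * Store the pointer value `n` at `addr`. The write is unchecked.
     * @param {NativePointer|number|string} addr - destination; numbers and hex
     *     strings are converted to a NativePointer (strings are new)
     * @param {NativePointer|number|string} n - value to store, converted the
     *     same way
     * @returns {*} whatever Memory.writePointer returns
     */
    Wrapper.putPt = function (addr, n) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        if (typeof n === "number" || typeof n === "string") {
            n = ptr(n);
        }
        return Memory.writePointer(addr, n);
    };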
    
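    /**
     * Resolve an exported symbol from any loaded module.
     * @param {string} type - "f" wraps the export as a NativeFunction; "d" treats
     *     it as a data symbol and returns the pointer stored at it
     * @param {string} name - export name
     * @param {string} ret - NativeFunction return type (only used for "f")
     * @param {string[]} args - NativeFunction argument types (only used for "f")
     * @returns {NativeFunction|NativePointer|null} null when the export is not
     *     found or `type` is unknown (the original silently returned undefined
     *     for an unknown type)
     */
    Wrapper.getExportFunction = function (type, name, ret, args) {
        // A null module name searches every loaded module, which is slower
        // than naming the module that is expected to export `name`.
        var nptr = Module.findExportByName(null, name);
        if (nptr === null) {
            console.log("cannot find " + name);
            return null;
        }
        if (type === "f") {
            // `new` never yields undefined, so the original's post-construction
            // check was dead code; a bad signature throws from NativeFunction.
            return new NativeFunction(nptr, ret, args);
        }
        if (type === "d") {
            return Memory.readPointer(nptr);
        }
        console.log("unknown type '" + type + "' for " + name);
        return null;
    };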
    
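    /**
     * Print `length` bytes starting at `addr` as an annotated hexdump.
     * For consistency with the other accessors, numeric and hex-string
     * addresses are now converted to a NativePointer (the original required a
     * pointer here only).
     * @param {NativePointer|number|string} addr - start address
     * @param {number} length - number of bytes to read and display
     */
    Wrapper.dumpMemory = function (addr, length) {
        if (typeof addr === "number" || typeof addr === "string") {
            addr = ptr(addr);
        }
        // The dump is of a copied buffer, so the address column starts at 0.
        console.log(hexdump(Memory.readByteArray(addr, length), {
            offset: 0,
            length: length,
            header: true,
            ansi: true
        }));
    };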
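    /**
     * Attach an Interceptor to an exported function (by name) or to an address.
     * @param {string|NativePointer|number} common - export name, looked up across
     *     all loaded modules, or an address
     * @param {function(string, *)} callback - invoked as callback('onEnter', args)
     *     and callback('onLeave', retval). `this` inside the callback is the
     *     Frida InvocationContext, so helpers that need `this.context` (e.g.
     *     a backtrace) can be called with it.
     * @returns {InvocationListener|undefined} the listener, whose `.detach()`
     *     removes the hook; undefined when the export was not found
     */
    Wrapper.hookNativeFunction = function (common, callback) {
        var functionPtr;
        if (typeof common === "string") {
            functionPtr = Module.findExportByName(null, common);
            if (!functionPtr) {
                // The original called Wrapper.error, which is never defined, so
                // a missing export raised a TypeError instead of this message.
                error("[!] Can't find export function " + common);
                return;
            }
        } else {
            functionPtr = ptr(common);
        }

        return Interceptor.attach(functionPtr, {
            onEnter: function (args) {
                callback.call(this, 'onEnter', args);
            },
            onLeave: function (retval) {
                callback.call(this, 'onLeave', retval);
            }
        });
    };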
    
    /*
    Wrapper.hookNativeFunction(Module.findExportByName(null,"open"),function(type,args){
        switch(type){
            case 'onEnter': 
                log(args[0].readUtf8String());
                break;
            case 'onLeave': 
                break;
        }
    })
    */
    
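    /**
     * Log a symbolicated backtrace of the current call.
     * Call it with `this` bound to the Interceptor InvocationContext (e.g.
     * `Wrapper.backtrace.call(this, "open")` inside onEnter) so the hooked
     * frame's CPU context is used; Thread.backtrace's context argument is
     * optional, and without it the trace is taken from the current point of
     * execution.
     * @param {string} [label] - function name for the header line. The original
     *     hard-coded "CCCryptorCreate", a leftover from the Frida docs example,
     *     regardless of which function was hooked.
     */
    Wrapper.backtrace = function (label) {
        var header = (label === undefined ? "Called" : label + " called") + " from:\n";
        var context = (this !== undefined && this !== null) ? this.context : undefined;
        console.log(header +
            Thread.backtrace(context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress).join('\n') + '\n');
    };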
    
    // Placeholder for a Stalker-based tracer; intentionally empty in this snippet.
    Wrapper.stalk = function(){
    
    }
    
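    /**
     * Replace the native function at `func_addr` with a JS implementation.
     * @param {NativePointer} func_addr - address of the function to replace
     * @param {string} rettype - NativeCallback return type
     * @param {string[]} args - NativeCallback argument types
     * @param {Function} callback - receives the native arguments and its return
     *     value becomes the native return value. The original invoked it with
     *     no arguments and discarded its result, so a non-void `rettype` could
     *     never be honoured.
     * @returns {NativeCallback} the installed replacement
     */
    Wrapper.replace = function (func_addr, rettype, args, callback) {
        var replacement = new NativeCallback(function () {
            // Forward the callback context and native arguments unchanged.
            return callback.apply(this, arguments);
        }, rettype, args);
        Interceptor.replace(func_addr, replacement);
        return replacement;
    };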
    
    /**
     * Address of the export called `name` in any loaded module.
     * @param {string} name - export name
     * @returns {NativePointer|null} null when no module exports `name`
     */
    Wrapper.getExportFunctionPtr = function (name) {
        var exportAddress = Module.findExportByName(null, name);
        return exportAddress;
    };
    
    /* =============== ******  Logic Begin Here   ****** =============== */
    
