frida hook 中间函数,并打印寄存器
frida 支持全平台,不想傻傻的在 C++ 写 inline hook,还是脚本快。AOB 签名第一个 hook 位置,中间 aob 模式 6A 00 8B CE E8 ?? ?? ?? ?? EB,不够 5 字节,还调用了一个 CALL,需要找到目的地址目的地址 aob 模式 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00
蹦床结果蹦床代码,下面使用 frida 写入字节码和反汇编。
注意分配的页面内存不能在闭包里,不然会被释放掉 hook 多处,复制粘贴,闭包实现。
frida hook
send('init hook!');
var exeModule = Process.getModuleByName('hexin_001.exe');
let thunkPage = null;
let thunkOffset = 0;
const thunkRelocators = {
ia32: global.X86Relocator,
x64: global.X86Relocator,
arm: global.ThumbRelocator,
arm64: global.Arm64Relocator
};
const thunkWriters = {
ia32: global.X86Writer,
x64: global.X86Writer,
arm: global.ThumbWriter,
arm64: global.Arm64Writer
};
function makeThunk(size, write) {
if (thunkPage === null) {
thunkPage = Memory.alloc(Process.pageSize);
}
const thunk = thunkPage.add(thunkOffset);
const arch = Process.arch;
const Writer = thunkWriters;
Memory.patchCode(thunk, size, code => {
const writer = new Writer(code, {
pc: thunk
});
write(writer);
writer.flush();
if (writer.offset > size) {
throw new Error(`Wrote ${writer.offset}, exceeding maximum of ${size}`);
}
});
thunkOffset += size;
return (arch === 'arm') ? thunk.or(1) : thunk;
}
const print_ecx = new NativeCallback(value => {
console.log('ecx value: ' + value);
}, 'void', ['pointer']);
// 0x008E089E
// 这个必须在全局分配内存,不能在闭包分配,不然会被释放掉
//var trampoline = Memory.alloc(Process.pageSize);
((module, hook_addpress_pattern) => {
var other_function_address = Memory.scanSync(module.base, module.size, "6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 34 53 55 56 57 8B F9 8D 4F 3C 89 7C 24 1C E8 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 8B F0 85 F6").address;
console.log('other_function_address:' + other_function_address);
var hook_address = Memory.scanSync(module.base, module.size, hook_addpress_pattern).address;
var ret_address = hook_address.add(9);
let trampoline = makeThunk(64, cw => {
cw.putBytes();
cw.putPushfx();
cw.putPushax();
cw.putCallAddressWithAlignedArguments(print_ecx, ['ecx']);
cw.putPopax();
cw.putPopfx();
cw.putCallAddress(other_function_address);
cw.putJmpAddress(ret_address);
cw.flush();
});
console.log('trampoline address: ' + trampoline);
Memory.patchCode(hook_address, 9, code => {
var cw = new X86Writer(code, {
pc: hook_address
});
cw.putJmpAddress(trampoline);
cw.putNopPadding(4);
cw.flush();
});
})(exeModule, "6A 00 8B CE E8 ?? ?? ?? ?? EB 0B 8D 8E 68 04 00 00 E8 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 75 0E 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB 62 8B 40 1C 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00");
JavaScript下一步应该写一个 x64dbg 插件,自动生成 js 代码,就像 CE 的 AOB injection。 重新排一下版吧 这排版没有阅读的欲望啊。 资料不错.排下版. 可以选择代码模式. 帖子需要审核,来不及排版,已经修正过,等待吧 非常棒的学习知识,谢谢大佬 正在学习用frida hook windows程序,写的很好,学习了 dsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
页:
[1]