[Android 原创] 过掉某加固2023年9月的frida检测

rhtnll 发表于 2024-7-14 19:27
本帖最后由 rhtnll 于 2024-7-30 07:19 编辑

360.jpg


1.hook pthread_create

// Install the pthread_create hook as soon as the script is loaded; the log below shows the
// target being spawned by frida, so this runs before the packer starts its detector threads.
setImmediate(() => check_pthread_create());
 
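/**
 * Replace pthread_create so every thread the packer (libjiagu*) starts is logged with the
 * offset of its entry point and a backtrace of who requested it. Entry points listed in
 * `checkList` are never started at all.
 *
 * @param {number[]} [checkList=[]] - entry-point offsets (decimal, relative to the libjiagu
 *   module base, e.g. 1769036 == 0x1afe2c) whose threads should be suppressed. The original
 *   listing hard-coded an empty array with those two values in a comment.
 * @returns {undefined}
 */
function check_pthread_create(checkList = []) {
    const pthreadCreateAddr = Module.findExportByName(null, 'pthread_create');
    if (pthreadCreateAddr === null) {
        // Without the symbol there is nothing to replace; NativeFunction(null) would throw.
        console.log("pthread_create not found; thread hook not installed");
        return;
    }
    const pthreadCreate = new NativeFunction(pthreadCreateAddr, "int", ["pointer", "pointer", "pointer", "pointer"]);

    // A function expression (not an arrow) is required: Frida binds `this.context` to the
    // CPU state at the call, which the backtrace below needs.
    Interceptor.replace(pthreadCreateAddr, new NativeCallback(function (thread, attr, startRoutine, arg) {
        // The original called findModuleByAddress twice and dereferenced `.name` without a
        // null check; an entry point in anonymous/JIT memory would have thrown inside the
        // replacement and killed the call. Any thread not owned by libjiagu is passed through.
        const mod = Process.findModuleByAddress(startRoutine);
        if (mod === null || !mod.name.includes("libjiagu")) {
            return pthreadCreate(thread, attr, startRoutine, arg);
        }

        // Offset of the thread entry inside the module as a plain number, so it can be
        // compared with the decimal values in checkList and printed in hex like the log.
        const offset = parseInt(startRoutine.sub(mod.base).toString(16), 16);
        console.log("======");
        console.log("find thread func offset", mod.name, offset.toString(16));
        // Who asked for the thread. In the captured log nearly every frame resolves to
        // libjiagu_64.so+0x17710, the libffi dispatch site hooked by the second script.
        Thread.backtrace(this.context, Backtracer.ACCURATE).forEach(addr_in_so);

        if (checkList.includes(offset)) {
            // Do not create the thread; report success (0) so the caller carries on as if
            // it had. Same behaviour as the original (PC stayed 0).
            console.log("check bypass");
            return 0;
        }
        return pthreadCreate(thread, attr, startRoutine, arg);
    }, "int", ["pointer", "pointer", "pointer", "pointer"]));
}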
 
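/**
 * Print which loaded module contains `addr` and the offset inside it, in the form
 * "<addr> is in <module> offset: 0x<off>". Used on every frame of a backtrace.
 *
 * The original walked Process.enumerateModules() for each frame; a single
 * findModuleByAddress lookup gives the same answer (the only difference is that an
 * address exactly equal to a module base now resolves, which the strict `>` excluded).
 *
 * @param {NativePointer} addr - a return address from Thread.backtrace
 * @returns {undefined} prints nothing if the address is outside every module
 */
function addr_in_so(addr) {
    const mod = Process.findModuleByAddress(addr);
    if (mod === null) {
        return; // anonymous / JIT mapping: nothing to attribute, same as the original's silent miss
    }
    console.log(addr.toString(16), "is in", mod.name, "offset: 0x" + addr.sub(mod.base).toString(16));
}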


输出日志如下

Spawned `com.oacia.apk_protect`. Resuming main thread!
[Remote::com.oacia.apk_protect ]-> ======
find thread func offset libjiagu_64.so 1ac1f0  
7e210e71bc is in libjiagu_64.so offset: 0x1ac1bc
7e210e71bc is in libjiagu_64.so offset: 0x1ac1bc
======
find thread func offset libjiagu_64.so 1b0944  
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1ae778  
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1afe2c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1afe4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b29b8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
======
find thread func offset libjiagu_64.so 1b26b4
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 1a6d4c
======
find thread func offset libjiagu_64.so 1a6d4c
find thread func offset libjiagu_64.so 1a6d4c
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
7e210e2ad4 is in libjiagu_64.so offset: 0x1a7ad4
======
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
======
find thread func offset libjiagu_64.so 128db8
7e20f52710 is in libjiagu_64.so offset: 0x17710
7e20f52710 is in libjiagu_64.so offset: 0x17710
Process terminated


从回溯可以看到,绝大多数 pthread_create 调用的返回地址都落在 libjiagu_64.so 内的同一个偏移 0x17710(少数例外是 0x1ac1bc 和 0x1a7ad4),说明这些检测线程都是经由同一处代码间接创建的,而不是各自直接调用 pthread_create。

参考看雪上的分析文章(https://bbs.kanxue.com/thread-280609.htm)可知,这里是通过 libffi 动态调用函数的统一出口。因此不必逐个处理线程入口,直接在该调用点(偏移 0x1770c,即返回地址 0x17710 之前的那条指令)下 hook,读取寄存器 x6 指向的字符串参数,把含有 frida 特征的内容抹掉即可过掉检测。注意这个偏移只对本文样本中的 libjiagu_64.so 版本有效,换版本需要重新定位。


/**
 * Cheap plausibility check before dereferencing a register value: anything at or below
 * 0x10000 (NULL, small integers, flags) is rejected so readCString() is not attempted on it.
 *
 * NOTE(review): called with Frida NativePointer values (this.context.x6 / x0); the `>`
 * comparison relies on their numeric coercion — verify on the Frida runtime in use.
 *
 * @param {number|NativePointer} curPtr - candidate address
 * @returns {boolean} true when curPtr is strictly above 0x10000
 */
function isValidPointer(curPtr) {
    const lowestPlausibleAddress = 0x10000;
    return curPtr > lowestPlausibleAddress;
}
 
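/**
 * Hook android_dlopen_ext and, once a library whose path contains `soName` has finished
 * loading, install anti_frida_check(). The hook is placed in onLeave because the module is
 * only mapped (and findModuleByName only succeeds) after dlopen returns.
 *
 * @param {string} [soName=''] - substring to match against the dlopen path; the empty
 *   default matches every library. 'libjiagu' matches both libjiagu.so and libjiagu_64.so,
 *   so anti_frida_check may be attached more than once if both are loaded.
 * @returns {undefined}
 */
function my_hook_dlopen(soName = '') {
    const dlopenExt = Module.findExportByName(null, "android_dlopen_ext");
    if (dlopenExt === null) {
        // Interceptor.attach(null) would throw; say why nothing happens instead.
        console.log("android_dlopen_ext not found; cannot wait for " + soName);
        return;
    }
    Interceptor.attach(dlopenExt, {
        onEnter(args) {
            // args[0] is always a NativePointer (never undefined); a NULL path is a legal
            // dlopen argument, so skip it rather than readCString() on address 0.
            const pathPtr = args[0];
            if (pathPtr.isNull()) {
                return;
            }
            const path = pathPtr.readCString();
            //console.log(path);
            this.is_can_hook = path !== null && path.includes(soName);
        },
        onLeave(retval) {
            if (this.is_can_hook) {
                anti_frida_check();
            }
        }
    });
}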
 
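/**
 * Neutralise the packer's frida detection at its libffi dispatch site.
 *
 * Attaches to libjiagu_64.so+0x1770c — the instruction right before the return address
 * 0x17710 that every detector thread's backtrace pointed at — and, when the string
 * argument in x6 contains one of the frida / injector / /proc markers, overwrites the
 * buffer at x0 with '0' characters so the comparison never matches.
 *
 * arm64 only (register names x0/x6), and the 0x1770c offset is specific to this build of
 * libjiagu_64.so. NOTE(review): the relationship between x0 and x6 at this site comes from
 * the kanxue analysis the post links, not from anything visible here.
 *
 * @returns {undefined}
 */
function anti_frida_check() {
    // Substrings the detector looks for (thread names, agent paths, /proc probing).
    const FRIDA_MARKERS = ["tmp", "frida", "gum-js-loop", "gmain", "gdbus", "pool-frida", "linjector", "/proc/"];

    const mod = Process.findModuleByName("libjiagu_64.so");
    if (mod === null) {
        // The original dereferenced module.base unconditionally and threw here.
        console.log("libjiagu_64.so is not loaded; anti_frida_check not installed");
        return;
    }

    Interceptor.attach(mod.base.add(0x1770c), {
        onEnter(args) {
            try {
                if (!isValidPointer(this.context.x6) || !isValidPointer(this.context.x0)) {
                    return;
                }
                const s = this.context.x6.readCString();
                if (s === null || !FRIDA_MARKERS.some((marker) => s.includes(marker))) {
                    return;
                }
                //console.log(s)

                // The original built "000" per input character, i.e. wrote 3*s.length+1
                // bytes into a buffer that held s.length+1 — an out-of-bounds write in the
                // target. Keep the replacement exactly as long as the string it replaces,
                // and make the whole buffer (not just pointerSize bytes) writable first.
                const replacement = "0".repeat(s.length);
                Memory.protect(this.context.x0, s.length + 1, "rwx");
                this.context.x0.writeUtf8String(replacement);
            } catch (e) {
                // Best effort: isValidPointer() only checks "> 0x10000", so x6/x0 are not
                // always readable strings at this site; a failed read must not abort the hook.
            }
        },
        onLeave(ret) {
        }
    });
}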
 
// Defer until the script is fully loaded, then wait for the packer's native library; the
// substring also matches libjiagu_64.so, which is the module anti_frida_check targets.
setImmediate(() => my_hook_dlopen('libjiagu'));

至此就过掉了这个版本的 frida 检测,进程不再被终止,Java 桥也能正常初始化(下面是在 frida REPL 中输入 Java 后的输出,可见 _initialized 为 true),又可以愉快地 hook 了。需要注意:脚本中的偏移 0x1770c 和特征字符串列表都只针对本文样本,换一个加固版本需要重新按上面的方法定位调用点。

[Remote::com.oacia.apk_protect ]->
[Remote::com.oacia.apk_protect ]-> Java
{
    "ACC_ABSTRACT": 1024,      
    "ACC_BRIDGE": 64,
    "ACC_FINAL": 16,
    "ACC_NATIVE": 256,
    "ACC_PRIVATE": 2,
    "ACC_PROTECTED": 4,
    "ACC_PUBLIC": 1,
    "ACC_STATIC": 8,
    "ACC_STRICT": 2048,
    "ACC_SYNCHRONIZED": 32,    
    "ACC_SYNTHETIC": 4096,     
    "ACC_VARARGS": 128,
    "_apiError": null,
    "_cachedIsAppProcess": null,
    "_initialized": true,      
    "_pendingMainOps": [],
    "_pendingVmOps": [],
    "_pollListener": null,
    "_wakeupHandler": null,
    "api": {
        "$delete": "0x7752a54f4c",
        "$new": "0x7752a54e78",
        "JNI_GetCreatedJavaVMs": "0x76b8e5fd24",
        "addLocalReference": null,
        "art::ClassLinker::VisitClassLoaders": "0x76b8c9f348",
        "art::ClassLinker::VisitClasses": "0x76b8c9f3d0",
        "art::Dbg::SetJdwpAllowed": "0x76b8cefc10",
        "art::Instrumentation::Deoptimize": "0x76b8dd7b30",
        "art::Instrumentation::DeoptimizeEverything": "0x76b8dd8630",
        "art::JavaVMExt::AddGlobalRef": "0x76b8e5b408",
        "art::Monitor::TranslateLocation": "0x76b8f5c0fc",
        "art::ReaderWriterMutex::ExclusiveLock": "0x76b8c81a00",
        "art::ReaderWriterMutex::ExclusiveUnlock": "0x76b8c81d24",
        "art::Runtime::DeoptimizeBootImage": "0x76b902e020",
        "art::StackVisitor::GetMethod": "0x76b9046f6c",
        "art::StackVisitor::StackVisitor": "0x76b9048238",
        "art::StackVisitor::WalkStack": "0x76b9045a58",
        "art::Thread::CurrentFromGdb": "0x76b90738e8",
        "art::Thread::DecodeJObject": "0x76b906dc90",
        "art::Thread::GetLongJumpContext": "0x76b9074088",
        "art::ThreadList::ResumeAll": "0x76b90815e4",
        "art::ThreadList::SuspendAll": "0x76b9080de8",
        "art::interpreter::GetNterpEntryPoint": "0x76b91371c8",
        "art::jni::JniIdManager::DecodeMethodId": "0x76b8e63bb4",
        "art::mirror::Class::GetDescriptor": "0x76b8f31a74",
        "artClassLinker": {
            "address": "0xb4000076bc49ac00",
            "quickGenericJniTrampoline": "0x6f63f030",
            "quickImtConflictTrampoline": "0x6f63f040",
            "quickResolutionTrampoline": "0x6f63f050",
            "quickToInterpreterBridgeTrampoline": "0x6f63f060"
        },
        "artHeap": "0xb4000076bc429700",
        "artInstrumentation": "0xb4000076bc4d2f20",
        "artNterpEntryPoint": "0x76b8c00090",
        "artQuickGenericJniTrampoline": "0x76b8c1a2c0",
        "artQuickResolutionTrampoline": "0x76b8c1a180",
        "artQuickToInterpreterBridge": "0x76b8c1a430",
        "artRuntime": "0xb4000076bc4d2c00",
        "artThreadList": "0xb4000076bc438000",
        "flavor": "art",
        "kAccCompileDontBother": 33554432,
        "module": {
            "base": "0x76b8a00000",
            "name": "libart.so",
            "path": "/apex/com.android.art/lib64/libart.so",
            "size": 10584064
        },
        "vm": "0xb4000076bc490380"
    },
    "classFactory": {
        "_classHandles": {
            "capacity": 10,
            "items": {}
        },
        "_classes": {},
        "_loader": null,
        "_patchedMethods": {},
        "_types": [
            {},
            {}
        ],
        "cacheDir": "/data/local/tmp",
        "codeCacheDir": "/data/local/tmp/dalvik-cache",
        "tempFileNaming": {
            "prefix": "frida",
            "suffix": ""
        }
    },
    "vm": {
        "handle": "0xb4000076bc490380"
    }
}
[Remote::com.oacia.apk_protect ]->


makmak79 发表于 2024-7-15 14:35
厉害了!感谢分享
debug_cat 发表于 2024-7-15 14:36
Jorathan 发表于 2024-7-15 14:46
xixicoco 发表于 2024-7-15 17:00
分析的比较透彻
 楼主| rhtnll 发表于 2024-7-15 18:06
本帖最后由 rhtnll 于 2024-7-15 18:09 编辑
debug_cat 发表于 2024-7-15 14:36
标题说的是23.9月的,能否给个样本学习一下呢

https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3
Zshltd 发表于 2024-7-15 22:24
rhtnll 发表于 2024-7-15 18:06
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3

我还是小白,看了好多课都说这个frida,它能干什么呢,请教下
debug_cat 发表于 2024-7-16 09:18
rhtnll 发表于 2024-7-15 18:06
https://www.123pan.com/s/YLf1jv-mIZLd.html提取码:vhG3

谢谢啦!!!
Vincent2018 发表于 2024-7-16 09:26
学习了学习了
 楼主| rhtnll 发表于 2024-7-16 16:51
Zshltd 发表于 2024-7-15 22:24
我还是小白,看了好多课都说这个frida,它能干什么呢,请教下

Frida 是一个动态插桩(hook)框架:把脚本注入到运行中的进程里,就能拦截、查看和修改函数调用。本文就是用它替换 pthread_create 来观察加固的检测线程,再改写内存中的字符串来绕过检测。