내가 쓸 frida 정리 본문
1. adb 패키지 목록 출력
# Run inside an `adb shell` session on the device: prints the installed package names.
pm list packages
2. frida code
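import frida
import sys

# Frida launcher: spawn the target package on the USB-attached Android device,
# inject the JavaScript hooks read from the file below, then block so the
# console session (and with it the injected script) stays alive.

# Context manager so the file handle is released once the script is read.
with open("jailbreak_bypass.js", "r", encoding="utf-8") as script_file:
    javascript_root_bypass_code = script_file.read()
package_name = "com.samsung.android.provider.filterprovider"
device_manager = frida.get_device_manager()


def select_usb_devices(devices):
    """Return ``(android, ios)`` picked from ``devices`` by device name.

    Only entries whose ``type`` is ``"usb"`` are considered. A name containing
    ``"Apple"`` or ``"iOS"`` is taken as the iOS device; a name containing
    ``"SM"`` (presumably a Samsung model prefix) as the Android device. A slot
    stays ``None`` when nothing matches; a later match overwrites an earlier one.
    """
    android = None
    ios = None
    for item in devices:
        if item.type != "usb":
            continue
        if "Apple" in item.name or "iOS" in item.name:
            ios = item
        elif "SM" in item.name:
            android = item
    return android, ios


# Several devices attached: choose by name from the enumeration.
device_android, device_ios = select_usb_devices(device_manager.enumerate_devices())
# Single device attached: fall back to the first USB device only when the
# name-based selection found nothing (previously this call unconditionally
# discarded the enumeration result).
if device_android is None:
    device_android = device_manager.get_usb_device()
if device_android is not None:
    pid = device_android.spawn([package_name])
    session = device_android.attach(pid)
    script = session.create_script(javascript_root_bypass_code)
    # script = session1.create_script(javascript_screen_code)
    script.load()
    device_android.resume(pid)
    # Block on stdin so the process is not torn down when run from a console.
    sys.stdin.read()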
3. frida 모듈 정리
루팅 우회: https://codeshare.frida.re/@KishorBal/multiple-root-detection-bypass/
USB 디버깅 우회(해당 코드는 Java.perform 코드 안에 넣어야 동작함)
// Frida hooks on android.provider.Settings$Global (Java bridge).
// NOTE(review): `androidSettings` is not declared anywhere in this snippet —
// index 0 is treated as the setting key to intercept; confirm it is defined in
// the enclosing Java.perform() callback before these hooks are installed.
// For the intercepted key every getter reports 0 (getString: the Java string
// "0"); any other key is forwarded to the real implementation untouched.
var settingGlobal = Java.use('android.provider.Settings$Global');

// True when the queried key is the intercepted one. Loose equality is kept on
// purpose: the runtime type of the comparand is not visible in this snippet.
function isInterceptedKey(name) {
  return name == androidSettings[0];
}

// getInt(ContentResolver, String)
settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
  if (!isInterceptedKey(name)) {
    return this.getInt(cr, name);
  }
  console.log('[+]Global.getInt(cr, name) Bypassed');
  return 0;
};

// getInt(ContentResolver, String, int)
settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function (cr, name, def) {
  if (!isInterceptedKey(name)) {
    return this.getInt(cr, name, def);
  }
  console.log('[+]Global.getInt(cr, name, def) Bypassed');
  return 0;
};

// getFloat(ContentResolver, String)
settingGlobal.getFloat.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
  if (!isInterceptedKey(name)) {
    return this.getFloat(cr, name);
  }
  console.log('[+]Global.getFloat(cr, name) Bypassed');
  return 0;
};

// getFloat(ContentResolver, String, float)
settingGlobal.getFloat.overload('android.content.ContentResolver', 'java.lang.String', 'float').implementation = function (cr, name, def) {
  if (!isInterceptedKey(name)) {
    return this.getFloat(cr, name, def);
  }
  console.log('[+]Global.getFloat(cr, name, def) Bypassed');
  return 0;
};

// getLong(ContentResolver, String)
settingGlobal.getLong.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
  if (!isInterceptedKey(name)) {
    return this.getLong(cr, name);
  }
  console.log('[+]Global.getLong(cr, name) Bypassed');
  return 0;
};

// getLong(ContentResolver, String, long)
settingGlobal.getLong.overload('android.content.ContentResolver', 'java.lang.String', 'long').implementation = function (cr, name, def) {
  if (!isInterceptedKey(name)) {
    return this.getLong(cr, name, def);
  }
  console.log('[+]Global.getLong(cr, name, def) Bypassed');
  return 0;
};

// getString(ContentResolver, String) — the getter returns a java.lang.String,
// so a Java string object is constructed rather than returning a JS literal.
settingGlobal.getString.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
  if (!isInterceptedKey(name)) {
    return this.getString(cr, name);
  }
  var javaString = Java.use("java.lang.String");
  var replacement = javaString.$new("0");
  console.log('[+]Global.getString(cr, name) Bypassed');
  return replacement;
};
화면캡처 우회(이거 안되면 다른코드 찾아서 넣기)
// Frida hook on android.view.Window.addFlags (Java bridge).
// The original method is never invoked from this replacement, so every flag the
// app tries to add is dropped — not only the one that blocks screen capture.
// The hook only reports the call; it returns undefined (void in Java).
var windowClass = Java.use('android.view.Window');
windowClass.addFlags.implementation = function (flag) {
  console.log('addFlag called');
  console.log(flag);
};
4. magisk 모듈 정리
hiding magisk and root: https://github.com/rmnscnce/hsu
Magisk와 root 관련 파일 숨김
설치 후 adb shell > su > hsu 순서로 사용
MagiskHluda: https://github.com/Exo1i/MagiskHluda
Magisk에 모듈로 설치하는 Hluda(Frida-Server)