



내가 쓸 frida 정리

JHLBLUE 2024. 7. 23. 12:37

1. adb 패키지 목록 출력

pm list packages

 

2. frida code

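import sys

import frida

# Read the hook script once up front; `with` guarantees the file handle is
# closed even if the read raises (the original left the file object open).
with open("jailbreak_bypass.js", "r", encoding="utf-8") as script_file:
    javascript_root_bypass_code = script_file.read()

package_name = "com.samsung.android.provider.filterprovider"

device_manager = frida.get_device_manager()

# When several devices are connected: scan the USB devices and classify them
# by name ("Apple"/"iOS" -> iOS, "SM" -> Samsung Android).  `device_ios` is
# kept for the iOS case even though only the Android device is used below.
device_list = device_manager.enumerate_devices()
device_android = None
device_ios = None
for item in device_list:
    if item.type != "usb":
        continue
    if "Apple" in item.name or "iOS" in item.name:
        device_ios = item
    elif "SM" in item.name:
        device_android = item

# When only one device is connected: fall back to the single USB device.  The
# original ran this unconditionally, which silently discarded whatever the
# scan above had selected; it is now used only when no Android device was found.
if device_android is None:
    device_android = device_manager.get_usb_device()

if device_android is not None:
    # The script is created and loaded before resume(pid), so it is already
    # installed by the time the spawned process is allowed to run.
    pid = device_android.spawn([package_name])
    session = device_android.attach(pid)
    script = session.create_script(javascript_root_bypass_code)
    script.load()
    device_android.resume(pid)

# Block on stdin so this process (and the script it loaded) stays alive instead
# of exiting right after the script is loaded.
sys.stdin.read()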

 

3. frida 모듈 정리

루팅 우회: https://codeshare.frida.re/@KishorBal/multiple-root-detection-bypass/

 


 

USB 디버깅 우회(해당 코드는 Java.perform 코드 안에 넣어야 동작함)

var settingGlobal = Java.use('android.provider.Settings$Global');

// Settings$Global.getInt(ContentResolver, String): when the queried key equals
// androidSettings[0] the real lookup is skipped and 0 is reported; every other
// key is answered by the original implementation.
// NOTE: `androidSettings` is not declared anywhere in this listing; the enclosing
// script must define it before these hooks run (the heading above says the hooks
// have to live inside Java.perform).
settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
    var isWatchedKey = (name == androidSettings[0]);
    if (!isWatchedKey) {
        return this.getInt(cr, name);
    }
    console.log('[+]Global.getInt(cr, name) Bypassed');
    return 0;
};

// Settings$Global.getInt(ContentResolver, String, int): same rule as the two-argument
// overload — the watched key (androidSettings[0], defined outside this listing) is
// answered with 0, anything else goes to the original getter with its default.
settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function (cr, name, def) {
    if (name != androidSettings[0]) {
        return this.getInt(cr, name, def);
    }
    console.log('[+]Global.getInt(cr, name, def) Bypassed');
    return 0;
};

// Settings$Global.getFloat(ContentResolver, String): the watched key
// (androidSettings[0], defined outside this listing) yields 0; all other keys
// are resolved by the original method.
settingGlobal.getFloat.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
    var isWatchedKey = (name == androidSettings[0]);
    if (isWatchedKey) {
        console.log('[+]Global.getFloat(cr, name) Bypassed');
        return 0;
    }
    return this.getFloat(cr, name);
};

// Settings$Global.getFloat(ContentResolver, String, float): the watched key
// (androidSettings[0], defined outside this listing) yields 0; otherwise the
// original getter is called with the caller's default.
settingGlobal.getFloat.overload('android.content.ContentResolver', 'java.lang.String', 'float').implementation = function (cr, name, def) {
    if (name != androidSettings[0]) {
        return this.getFloat(cr, name, def);
    }
    console.log('[+]Global.getFloat(cr, name, def) Bypassed');
    return 0;
};

// Settings$Global.getLong(ContentResolver, String): the watched key
// (androidSettings[0], defined outside this listing) yields 0; all other keys
// are resolved by the original method.
settingGlobal.getLong.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
    if (name != androidSettings[0]) {
        return this.getLong(cr, name);
    }
    console.log('[+]Global.getLong(cr, name) Bypassed');
    return 0;
};

// Settings$Global.getLong(ContentResolver, String, long): the watched key
// (androidSettings[0], defined outside this listing) yields 0; otherwise the
// original getter is called with the caller's default.
settingGlobal.getLong.overload('android.content.ContentResolver', 'java.lang.String', 'long').implementation = function (cr, name, def) {
    var isWatchedKey = (name == androidSettings[0]);
    if (isWatchedKey) {
        console.log('[+]Global.getLong(cr, name, def) Bypassed');
        return 0;
    }
    return this.getLong(cr, name, def);
};

// Settings$Global.getString(ContentResolver, String): the watched key
// (androidSettings[0], defined outside this listing) is answered with a freshly
// built java.lang.String "0" — presumably because the caller expects a Java
// String object rather than a JS primitive; every other key goes to the original.
settingGlobal.getString.overload('android.content.ContentResolver', 'java.lang.String').implementation = function (cr, name) {
    if (name != androidSettings[0]) {
        return this.getString(cr, name);
    }
    var zeroString = Java.use("java.lang.String").$new("0");
    console.log('[+]Global.getString(cr, name) Bypassed');
    return zeroString;
};

 

화면 캡처 우회(이거 안되면 다른 코드 찾아서 넣기)

var windowClass = Java.use('android.view.Window');

// Window.addFlags(int): every call is logged and then dropped — the original
// method is never invoked, so no flag passed here (whatever its value) is
// applied to the window.  Nothing is returned, matching the void original.
windowClass.addFlags.implementation = function (flag) {
    console.log("addFlag called");
    console.log(flag);
};

 

4. magisk 모듈 정리

hiding magisk and root: https://github.com/rmnscnce/hsu

Magisk와 root 관련 파일 숨김

 


설치 후 adb shell > su > hsu 순서로 사용

 

MagiskHluda: https://github.com/Exo1i/MagiskHluda

Magisk에 모듈로 설치하는 Hluda(Frida-Server)

 


 
