|
|
/**It should be launch earlier in order to be aware of a maximun quantity of file descriptors.
@author @FrenchYeti*/Java.perform(function() {
// ============= Config
var CONFIG = { // if TRUE enable data dump
printEnable: true, // if TRUE enable libc.so open/read/write hook
printLibc: false, // if TRUE print the stack trace for each hook
printStackTrace: false, // to filter the file path whose data want to be dumped in ASCII
dump_ascii_If_Path_contains: [".log", ".xml", ".prop"], // to filter the file path whose data want to be NOT dumped in hexdump (useful for big chunk and excessive reads)
dump_hex_If_Path_NOT_contains: [".png", "/proc/self/task", "/system/lib", "base.apk", "cacert"], // to filter the file path whose data want to be NOT dumped fron libc read/write (useful for big chunk and excessive reads)
dump_raw_If_Path_NOT_contains: [".png", "/proc/self/task", "/system/lib", "base.apk", "cacert"] }
// ============= Keep a trace of file descriptor, path, and so
var TraceFD = {}; var TraceFS = {}; var TraceFile = {}; var TraceSysFD = {};
// ============= Get classes
var CLS = { File: Java.use("java.io.File"), FileInputStream: Java.use("java.io.FileInputStream"), FileOutputStream: Java.use("java.io.FileOutputStream"), String: Java.use("java.lang.String"), FileChannel: Java.use("java.nio.channels.FileChannel"), FileDescriptor: Java.use("java.io.FileDescriptor"), Thread: Java.use("java.lang.Thread"), StackTraceElement: Java.use("java.lang.StackTraceElement"), AndroidDbSQLite: Java.use("android.database.sqlite.SQLiteDatabase") }; var File = { new: [ CLS.File.$init.overload("java.io.File", "java.lang.String"), CLS.File.$init.overload("java.lang.String"), CLS.File.$init.overload("java.lang.String", "java.lang.String"), CLS.File.$init.overload("java.net.URI"), ] }; var FileInputStream = { new: [ CLS.FileInputStream.$init.overload("java.io.File"), CLS.FileInputStream.$init.overload("java.io.FileDescriptor"), CLS.FileInputStream.$init.overload("java.lang.String"), ], read: [ CLS.FileInputStream.read.overload(), CLS.FileInputStream.read.overload("[B"), CLS.FileInputStream.read.overload("[B", "int", "int"), ], }; var FileOuputStream = { new: [ CLS.FileOutputStream.$init.overload("java.io.File"), CLS.FileOutputStream.$init.overload("java.io.File", "boolean"), CLS.FileOutputStream.$init.overload("java.io.FileDescriptor"), CLS.FileOutputStream.$init.overload("java.lang.String"), CLS.FileOutputStream.$init.overload("java.lang.String", "boolean") ], write: [ CLS.FileOutputStream.write.overload("[B"), CLS.FileOutputStream.write.overload("int"), CLS.FileOutputStream.write.overload("[B", "int", "int"), ], };
// ============= Hook implementation
File.new[1].implementation = function(a0) { prettyLog("[Java::File.new.1] New file : " + a0);
var ret = File.new[1].call(this, a0); var f = Java.cast(this, CLS.File); TraceFile["f" + this.hashCode()] = a0;
return ret; } File.new[2].implementation = function(a0, a1) { prettyLog("[Java::File.read.2] New file : " + a0 + "/" + a1);
var ret = File.new[2].call(this, a0, a1);; var f = Java.cast(this, CLS.File); TraceFile["f" + this.hashCode()] = a0 + "/" + a1;
return ret; }
FileInputStream.new[0].implementation = function(a0) { var file = Java.cast(a0, CLS.File); var fname = TraceFile["f" + file.hashCode()];
if (fname == null) { var p = file.getAbsolutePath(); if (p !== null) fname = TraceFile["f" + file.hashCode()] = p; } if (fname == null) fname = "[unknow]"
prettyLog("[Java::FileInputStream.new.0] New input stream from file (" + fname + "): ");
var fis = FileInputStream.new[0].call(this, a0) var f = Java.cast(this, CLS.FileInputStream);
TraceFS["fd" + this.hashCode()] = fname;
var fd = Java.cast(this.getFD(), CLS.FileDescriptor);
TraceFD["fd" + fd.hashCode()] = fname;
return fis; }
FileInputStream.read[1].implementation = function(a0) { var fname = TraceFS["fd" + this.hashCode()]; var fd = null; if (fname == null) { fd = Java.cast(this.getFD(), CLS.FileDescriptor); fname = TraceFD["fd" + fd.hashCode()] } if (fname == null) fname = "[unknow]";
var b = Java.array('byte', a0);
prettyLog("[Java::FileInputStream.read.1] Read from file,offset (" + fname + "," + a0 + "):\n" + prettyPrint(fname, b));
return FileInputStream.read[1].call(this, a0); } FileInputStream.read[2].implementation = function(a0, a1, a2) { var fname = TraceFS["fd" + this.hashCode()]; var fd = null; if (fname == null) { fd = Java.cast(this.getFD(), CLS.FileDescriptor); fname = TraceFD["fd" + fd.hashCode()] } if (fname == null) fname = "[unknow]";
var b = Java.array('byte', a0);
prettyLog("[Java::FileInputStream.read.2] Read from file,offset,len (" + fname + "," + a1 + "," + a2 + ")\n" + prettyPrint(fname, b));
return FileInputStream.read[2].call(this, a0, a1, a2); }
// =============== File Output Stream ============
FileOuputStream.new[0].implementation = function(a0) { var file = Java.cast(a0, CLS.File); var fname = TraceFile["f" + file.hashCode()];
if (fname == null) fname = "[unknow]<File:" + file.hashCode() + ">";
prettyLog("[Java::FileOuputStream.new.0] New output stream to file (" + fname + "): ");
var fis = FileOuputStream.new[0].call(this, a0);
TraceFS["fd" + this.hashCode()] = fname;
var fd = Java.cast(this.getFD(), CLS.FileDescriptor); TraceFD["fd" + fd.hashCode()] = fname;
return fis; }
FileOuputStream.new[1].implementation = function(a0) { var file = Java.cast(a0, CLS.File); var fname = TraceFile["f" + file.hashCode()];
if (fname == null) fname = "[unknow]";
prettyLog("[Java::FileOuputStream.new.1] New output stream to file (" + fname + "): \n");
var fis = FileOuputStream.new[1].call(this, a0);
TraceFS["fd" + this.hashCode()] = fname;
var fd = Java.cast(this.getFD(), CLS.FileDescriptor);
TraceFD["fd" + fd.hashCode()] = fname;
return fis; }
FileOuputStream.new[2].implementation = function(a0) { var fd = Java.cast(a0, CLS.FileDescriptor); var fname = TraceFD["fd" + fd.hashCode()];
if (fname == null) fname = "[unknow]";
prettyLog("[Java::FileOuputStream.new.2] New output stream to FileDescriptor (" + fname + "): \n"); var fis = FileOuputStream.new[1].call(this, a0)
TraceFS["fd" + this.hashCode()] = fname;
return fis; } FileOuputStream.new[3].implementation = function(a0) { prettyLog("[Java::FileOuputStream.new.3] New output stream to file (str=" + a0 + "): \n");
var fis = FileOuputStream.new[1].call(this, a0)
TraceFS["fd" + this.hashCode()] = a0; var fd = Java.cast(this.getFD(), CLS.FileDescriptor); TraceFD["fd" + fd.hashCode()] = a0;
return fis; } FileOuputStream.new[4].implementation = function(a0) { prettyLog("[Java::FileOuputStream.new.4] New output stream to file (str=" + a0 + ",bool): \n");
var fis = FileOuputStream.new[1].call(this, a0) TraceFS["fd" + this.hashCode()] = a0; var fd = Java.cast(this.getFD(), CLS.FileDescriptor); TraceFD["fd" + fd.hashCode()] = a0;
return fis; }
FileOuputStream.write[0].implementation = function(a0) { var fname = TraceFS["fd" + this.hashCode()]; var fd = null;
if (fname == null) { fd = Java.cast(this.getFD(), CLS.FileDescriptor); fname = TraceFD["fd" + fd.hashCode()] } if (fname == null) fname = "[unknow]";
prettyLog("[Java::FileOuputStream.write.0] Write byte array (" + fname + "):\n" + prettyPrint(fname, a0));
return FileOuputStream.write[0].call(this, a0); } FileOuputStream.write[1].implementation = function(a0) {
var fname = TraceFS["fd" + this.hashCode()]; var fd = null; if (fname == null) { fd = Java.cast(this.getFD(), CLS.FileDescriptor); fname = TraceFD["fd" + fd.hashCode()] } if (fname == null) fname = "[unknow]";
prettyLog("[Java::FileOuputStream.write.1] Write int (" + fname + "): " + a0);
return FileOuputStream.write[1].call(this, a0); } FileOuputStream.write[2].implementation = function(a0, a1, a2) {
var fname = TraceFS["fd" + this.hashCode()]; var fd = null; if (fname == null) { fd = Java.cast(this.getFD(), CLS.FileDescriptor); fname = TraceFD["fd" + fd.hashCode()] if (fname == null) fname = "[unknow], fd=" + this.hashCode(); }
prettyLog("[Java::FileOuputStream.write.2] Write " + a2 + " bytes from " + a1 + " (" + fname + "):\n" + prettyPrint(fname, a0));
return FileOuputStream.write[2].call(this, a0, a1, a2); }
// native hooks
Interceptor.attach( Module.findExportByName("libc.so", "read"), { // fd, buff, len
onEnter: function(args) { if (CONFIG.printLibc === true) { var bfr = args[1], sz = args[2].toInt32(); var path = (TraceSysFD["fd-" + args[0].toInt32()] != null) ? TraceSysFD["fd-" + args[0].toInt32()] : "[unknow path]";
prettyLog("[Libc::read] Read FD (" + path + "," + bfr + "," + sz + ")\n" + rawPrint(path, Memory.readByteArray(bfr, sz))); } }, onLeave: function(ret) {
} } );
Interceptor.attach( Module.findExportByName("libc.so", "open"), { // path, flags, mode
onEnter: function(args) { this.path = Memory.readCString(args[0]); }, onLeave: function(ret) { TraceSysFD["fd-" + ret.toInt32()] = this.path; if (CONFIG.printLibc === true) prettyLog("[Libc::open] Open file '" + this.path + "' (fd: " + ret.toInt32() + ")"); } } );
Interceptor.attach( Module.findExportByName("libc.so", "write"), { // fd, buff, count
onEnter: function(args) { if (CONFIG.printLibc === true) { var bfr = args[1], sz = args[2].toInt32(); var path = (TraceSysFD["fd-" + args[0].toInt32()] != null) ? TraceSysFD["fd-" + args[0].toInt32()] : "[unknow path]";
prettyLog("[Libc::write] Write FD (" + path + "," + bfr + "," + sz + ")\n" + rawPrint(path, Memory.readByteArray(bfr, sz))); } }, onLeave: function(ret) {
} } );
// helper functions
function prettyLog(str) { console.log("---------------------------\n" + str); if (CONFIG.printStackTrace === true) { printStackTrace(); } }
function prettyPrint(path, buffer) { if (CONFIG.printEnable === false) return "";
if (contains(path, CONFIG.dump_ascii_If_Path_contains)) { return b2s(buffer); } else if (!contains(path, CONFIG.dump_hex_If_Path_NOT_contains)) { return hexdump(b2s(buffer)); } return "[dump skipped by config]"; }
function rawPrint(path, buffer) { if (CONFIG.printEnable === false) return "";
if (!contains(path, CONFIG.dump_raw_If_Path_NOT_contains)) { return hexdump(buffer); } return "[dump skipped by config]"; }
function contains(path, patterns) { for (var i = 0; i < patterns.length; i++) if (path.indexOf(patterns[i]) > -1) return true; return false; }
function printStackTrace() { var th = Java.cast(CLS.Thread.currentThread(), CLS.Thread); var stack = th.getStackTrace(), e = null;
for (var i = 0; i < stack.length; i++) { console.log("\t" + stack[i].getClassName() + "." + stack[i].getMethodName() + "(" + stack[i].getFileName() + ")"); } }
function isZero(block) { var m = /^[0\s]+$/.exec(block); return m != null && m.length > 0 && (m[0] == block); }
function hexdump(buffer, blockSize) { blockSize = blockSize || 16; var lines = []; var hex = "0123456789ABCDEF"; var prevZero = false, ctrZero = 0; for (var b = 0; b < buffer.length; b += blockSize) { var block = buffer.slice(b, Math.min(b + blockSize, buffer.length)); var addr = ("0000" + b.toString(16)).slice(-4); var codes = block.split('').map(function(ch) { var code = ch.charCodeAt(0); return " " + hex[(0xF0 & code) >> 4] + hex[0x0F & code]; }).join(""); codes += " ".repeat(blockSize - block.length); var chars = block.replace(/[\\x00-\\x1F\\x20\n]/g, '.'); chars += " ".repeat(blockSize - block.length); if (isZero(codes)) { ctrZero += blockSize; prevZero = true; } else { if (prevZero) { lines.push("\t [" + ctrZero + "] bytes of zeroes"); } lines.push(addr + " " + codes + " " + chars); prevZero = false; ctrZero = 0; } } if (prevZero) { lines.push("\t [" + ctrZero + "] bytes of zeroes"); } return lines.join("\\n"); }
function b2s(array) { var result = ""; for (var i = 0; i < array.length; i++) { result += String.fromCharCode(modulus(array[i], 256)); } return result; }
function modulus(x, n) { return ((x % n) + n) % n; }
});
|
