/**
 * Loads a helper dex from /data/local/tmp and returns a new instance of the
 * `com.xiaosheng.tool.json.Gson` class it contains.
 *
 * Presumably invoked from inside Java.perform — verify at the call site.
 * NOTE(review): the dex is read from /data/local/tmp, a scratch directory that
 * other users of the device may be able to write to; confirm the file's
 * ownership/integrity before trusting code loaded from there.
 *
 * @returns {Object} Java wrapper for a freshly constructed Gson object.
 */
function loadGson() {
  const dexPath = "/data/local/tmp/xiaosheng-dex-tool.dex";
  Java.openClassFile(dexPath).load();
  const GsonClass = Java.use("com.xiaosheng.tool.json.Gson");
  return GsonClass.$new();
}
/**
 * Logs the path argument of every android_dlopen_ext() call.
 *
 * The export is resolved across all loaded modules (module name null). The
 * guard only rejects a missing JS value; it does not test whether the pointer
 * itself is NULL — presumably a NULL path would then be printed as "load null".
 * Observation only: the call is not altered.
 */
function hook_dlopen_ext() {
  const target = Module.findExportByName(null, "android_dlopen_ext");
  Interceptor.attach(target, {
    onEnter(args) {
      const pathArg = args[0];
      // `!= null` rejects both null and undefined, as the original two checks did.
      if (pathArg == null) {
        return;
      }
      const libraryPath = ptr(pathArg).readCString();
      console.log(`load ${libraryPath}`);
    },
  });
}
/**
 * Logs the path argument of every dlopen() and android_dlopen_ext() call.
 *
 * Both exports are resolved across all loaded modules (module name null) and
 * receive an identical listener; onLeave is a deliberate no-op. The guard only
 * rejects a missing JS value, not a NULL pointer. Observation only.
 */
function hook_dlopenAndExt() {
  // A fresh listener object per attach so the two hooks share no state.
  const makeLoadLogger = () => ({
    onEnter(args) {
      const pathArg = args[0];
      if (pathArg != null) {
        const libraryPath = ptr(pathArg).readCString();
        console.log(`load ${libraryPath}`);
      }
    },
    onLeave(retval) {},
  });
  // Same order as before: dlopen first, then android_dlopen_ext.
  for (const exportName of ["dlopen", "android_dlopen_ext"]) {
    Interceptor.attach(Module.findExportByName(null, exportName), makeLoadLogger());
  }
}
/**
 * Hooks libc open(): prints every pathname and, when the pathname contains
 * ".so", swaps the pathname argument for a NULL pointer before the real
 * open() runs, so that call no longer sees the original path.
 *
 * The export is resolved across all modules; the original pointer is kept on
 * `this` for the duration of the call. Frida ignores onLeave's return value.
 */
function hook_open() {
  const openAddr = Module.findExportByName(null, "open");
  Interceptor.attach(ptr(openAddr), {
    onEnter(args) {
      this.filename = args[0];
      const pathname = this.filename.readCString();
      console.log("", pathname);
      if (pathname.includes(".so")) {
        args[0] = ptr(0);
      }
    },
    onLeave(retval) {
      return retval;
    },
  });
}
/**
 * Overrides android.os.Process.killProcess(pid) so that it only logs the pid.
 *
 * The original implementation is never invoked, so the process the app asked
 * to kill keeps running. Presumably called inside Java.perform — verify.
 */
function hookProcess() {
  const ProcessClass = Java.use("android.os.Process");
  // Plain function (not arrow) so Frida can bind `this` to the Java object.
  ProcessClass.killProcess.implementation = function (pid) {
    console.log(`kill process:${pid}`);
  };
}
/**
 * Declares (but never installs) a replacement for libc fgets() that rewrites
 * any buffer containing "TracerPid:" to "TracerPid:\t0" after the real fgets
 * has filled it.
 *
 * NOTE(review): the inner helper is assigned to a local and never invoked, so
 * calling hookExit() has no observable effect as written. Left unchanged here.
 */
function hookExit() {
  const bypassTracerPid = function () {
    const fgetsAddr = Module.findExportByName("libc.so", "fgets");
    const realFgets = new NativeFunction(fgetsAddr, "pointer", ["pointer", "int", "pointer"]);
    const replacement = new NativeCallback(function (buffer, size, fp) {
      const line = realFgets(buffer, size, fp);
      const text = Memory.readUtf8String(buffer);
      if (text.includes("TracerPid:")) {
        Memory.writeUtf8String(buffer, "TracerPid:\t0");
        console.log(`tracerpid replaced: ${Memory.readUtf8String(buffer)}`);
      }
      return line;
    }, "pointer", ["pointer", "int", "pointer"]);
    Interceptor.replace(fgetsAddr, replacement);
  };
}
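/**
 * Logs each pthread_create() call: the start routine pointer (args[2]) and a
 * symbolised backtrace of the caller.
 *
 * A failed backtrace used to be swallowed by an empty catch; it is now logged,
 * matching hook_libc_exit(), so a missing backtrace is visible in the output
 * instead of silently absent. Observation only — the call is not altered.
 */
function hook_Pthreadfunc() {
  const pthreadCreateAddr = Module.findExportByName("libc.so", "pthread_create");
  Interceptor.attach(pthreadCreateAddr, {
    onEnter(args) {
      console.log("call pthread_create...");
      // pthread_create(thread, attr, start_routine, arg): the routine is args[2].
      const startRoutine = args[2];
      console.log(`The thread function address is ${startRoutine}`);
      try {
        const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress)
          .join("\n");
        console.log(`pthread_create called from:\n${frames}\n`);
      } catch (e) {
        // Presumably unwind data is missing for this frame; report rather than hide it.
        console.log(`pthread_create backtrace unavailable: ${e}`);
      }
    },
  });
}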
/**
 * Replaces libc open() with a callback that, for most pathnames, copies the
 * real file's contents into /data/local/tmp/fakeMap (dropping every 512-byte
 * chunk that contains "tmp") and opens that copy instead of the original.
 *
 * Installed via setImmediate, i.e. after the script body has finished.
 * Behaviour visible in the code, recorded for the next reader:
 *  - the test is `indexOf("maps") != 0`, so the copy path is taken for every
 *    pathname that does not *start* with "maps" — nearly every open() call;
 *  - `realFd` is obtained but never closed before the callback returns;
 *  - `file` is opened once in write mode and reused across calls; it is never
 *    flushed or closed here;
 *  - read() fills a 512-byte buffer that is read back with readCString (up to
 *    the first NUL), so `oneLine` is a chunk of the read, not a single line;
 *  - the open() wrapper is declared with (pointer, int) only, so open(2)'s
 *    optional mode argument is not forwarded.
 */
function hookBaseExit() {
  function main() {
    const openPtr = Module.getExportByName('libc.so', 'open');
    // Real open(2), invoked from inside the replacement below.
    const open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
    var readPtr = Module.findExportByName("libc.so", "read");
    var read = new NativeFunction(readPtr, 'int', ['int', 'pointer', "int"]);
    var fakePath = "/data/local/tmp/fakeMap";
    // Shared across all intercepted open() calls for the lifetime of the hook.
    var file = new File(fakePath, "w");
    // Scratch buffer reused for every read(); read() does not NUL-terminate it.
    var buffer = Memory.alloc(512);
    Interceptor.replace(openPtr, new NativeCallback(function (pathnameptr, flag) {
      var pathname = Memory.readUtf8String(pathnameptr);
      var realFd = open(pathnameptr, flag);
      // True unless "maps" sits at index 0 of the pathname (see header comment).
      if (pathname.indexOf("maps") != 0) {
        // Copy realFd into fakePath chunk by chunk, skipping chunks that mention "tmp".
        while (parseInt(read(realFd, buffer, 512)) !== 0) {
          var oneLine = Memory.readCString(buffer);
          if (oneLine.indexOf("tmp") === -1) {
            file.write(oneLine);
          }
        }
        var filename = Memory.allocUtf8String(fakePath);
        // The caller receives a descriptor for the copy; realFd stays open.
        return open(filename, flag);
      }
      // Second open of the same pathname; realFd (above) is also still open.
      var fd = open(pathnameptr, flag);
      return fd;
    }, 'int', ['pointer', 'int']));
  }
  setImmediate(main)
}
/**
 * Hooks libc strstr() and strcmp() and forces a 0 return value whenever the
 * second argument contains one of the marker substrings in MARKERS.
 *
 * The same override is applied to both functions without distinguishing them:
 * for strstr a 0 result means "not found", for strcmp it means "equal".
 * The decision is carried from onEnter to onLeave on `this`. The first
 * argument is read but not used in the decision.
 */
function replace_str() {
  const MARKERS = ["tmp", "frida", "gum-js-loop", "gmain", "gdbus", "pool-frida", "linjector"];
  const strstrAddr = Module.findExportByName("libc.so", "strstr");
  const strcmpAddr = Module.findExportByName("libc.so", "strcmp");
  const makeZeroingListener = () => ({
    onEnter(args) {
      const haystack = args[0].readCString(); // read as before; not consulted
      const needle = args[1].readCString();
      // Checked in list order; stops at the first match like the original || chain.
      if (MARKERS.some((marker) => needle.indexOf(marker) !== -1)) {
        this.hook = true;
      }
    },
    onLeave(retval) {
      if (this.hook) {
        retval.replace(0);
      }
    },
  });
  Interceptor.attach(strstrAddr, makeZeroingListener());
  Interceptor.attach(strcmpAddr, makeZeroingListener());
}
/**
 * Hooks libc strstr() and strcmp() and forces a 0 return value whenever the
 * second argument contains "REJECT" or "frida".
 *
 * The same override is applied to both functions: for strstr a 0 result means
 * "not found", for strcmp it means "equal". The decision is carried from
 * onEnter to onLeave on `this`. The first argument is read but not used.
 */
function anti_maps() {
  const MARKERS = ["REJECT", "frida"];
  const strstrAddr = Module.findExportByName("libc.so", "strstr");
  const strcmpAddr = Module.findExportByName("libc.so", "strcmp");
  const makeZeroingListener = () => ({
    onEnter(args) {
      const haystack = args[0].readCString(); // read as before; not consulted
      const needle = args[1].readCString();
      if (MARKERS.some((marker) => needle.indexOf(marker) !== -1)) {
        this.hook = true;
      }
    },
    onLeave(retval) {
      if (this.hook) {
        retval.replace(0);
      }
    },
  });
  Interceptor.attach(strstrAddr, makeZeroingListener());
  Interceptor.attach(strcmpAddr, makeZeroingListener());
}
// Byte size reserved for a native std::string object: three pointer-sized words
// (presumably the libc++ layout that StdString decodes — confirm against the target).
const STD_STRING_SIZE = Process.pointerSize * 3;
/**
 * Minimal view over a native std::string buffer allocated by this script.
 *
 * _getData() decodes a short-string-optimised layout: when the low bit of the
 * first byte is clear the characters live inline at offset 1, otherwise a heap
 * pointer is stored at offset 2 * pointerSize. Presumably this is libc++'s
 * std::string layout — confirm against the target runtime before reusing.
 */
class StdString {
  /** Allocates STD_STRING_SIZE bytes for the native object and keeps the pointer in `handle`. */
  constructor() {
    this.handle = Memory.alloc(STD_STRING_SIZE);
  }

  /**
   * Releases the heap buffer of a long string through Java.api.$delete
   * (presumably the runtime's operator delete); short strings own no heap memory.
   */
  dispose() {
    const [data, isTiny] = this._getData();
    if (isTiny) {
      return;
    }
    Java.api.$delete(data);
  }

  /** Reads the string, then releases the native buffer. @returns {string} */
  disposeToString() {
    const text = this.toString();
    this.dispose();
    return text;
  }

  /** Decodes the characters as UTF-8. @returns {string} */
  toString() {
    const [data] = this._getData();
    return data.readUtf8String();
  }

  /**
   * Locates the character data.
   * @returns {[NativePointer, boolean]} [pointer to characters, inline (short) representation in use]
   */
  _getData() {
    const obj = this.handle;
    const isTiny = (obj.readU8() & 1) === 0;
    if (isTiny) {
      return [obj.add(1), true];
    }
    return [obj.add(2 * Process.pointerSize).readPointer(), false];
  }
}
/**
 * Returns the human-readable name of an ART method by calling
 * art::ArtMethod::PrettyMethod through Java.api into a temporary StdString.
 *
 * @param {NativePointer} method_id - pointer to the ArtMethod.
 * @param {boolean} withSignature - include the full signature when truthy.
 * @returns {string} the pretty-printed method name.
 */
function prettyMethod(method_id, withSignature) {
  const out = new StdString();
  const includeSignature = withSignature ? 1 : 0;
  Java.api['art::ArtMethod::PrettyMethod'](out, method_id, includeSignature);
  // disposeToString() frees the native buffer after reading it.
  return out.disposeToString();
}
/**
 * Logs a FUZZY backtrace each time libc exit() is entered; exit() itself
 * still runs. The resolved address is printed first so a failed lookup is
 * visible in the output. Backtrace errors are logged, not swallowed.
 */
function hook_libc_exit() {
  const exitAddr = Module.findExportByName("libc.so", "exit");
  console.log("native:" + exitAddr);
  Interceptor.attach(exitAddr, {
    onEnter(args) {
      try {
        const frames = Thread.backtrace(this.context, Backtracer.FUZZY).map(DebugSymbol.fromAddress);
        console.log(frames.join("\n"));
      } catch (e) {
        console.log(e);
      }
    },
    onLeave(retval) {},
  });
}
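/**
 * Replaces libc _exit() with a stub that logs and returns 0, so the call no
 * longer terminates the process. Returns early (after logging the lookup)
 * when the export cannot be resolved.
 *
 * The log lines previously said "anti_kill"/"kill" (copied from anti_kill());
 * they now name this hook so the two are distinguishable in output.
 * NOTE(review): _exit(2) is declared noreturn; control coming back from the
 * stub presumably leaves the caller executing code it never expected to reach
 * — confirm the target tolerates that before relying on it.
 * The callback declares two int arguments, as in the original, although
 * _exit takes one; left unchanged.
 */
function anti_exit() {
  const exitAddr = Module.findExportByName(null, '_exit');
  console.log("anti_exit, exit_ptr:" + exitAddr);
  if (exitAddr == null) {
    return;
  }
  Interceptor.replace(exitAddr, new NativeCallback(function (code) {
    // Defensive: skip logging when no `this` was supplied to the callback.
    if (this == null) {
      return 0;
    }
    console.log("_exit debug entry,lr");
    return 0;
  }, 'int', ['int', 'int']));
}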
/**
 * Replaces libc kill() with a stub that logs and reports success (0), so no
 * signal is actually delivered. Returns early (after logging the lookup) when
 * the export cannot be resolved. The signal argument (`code`) is accepted but
 * not used.
 */
function anti_kill() {
  const killAddr = Module.findExportByName(null, 'kill');
  console.log("anti_kill, kill_ptr:" + killAddr);
  if (killAddr == null) {
    return;
  }
  const stub = new NativeCallback(function (ptid, code) {
    // Defensive: skip logging when no `this` was supplied to the callback.
    if (this == null) {
      return 0;
    }
    console.log("kill debug entry,lr");
    return 0;
  }, 'int', ['int', 'int']);
  Interceptor.replace(killAddr, stub);
}