[OSG] [Non-jailbreak debugging] Getting started with Frida through examples: installing Frida and its basic functions

For the full version, see the Kanxue forum: [OSG] [Non-jailbreak debugging] Getting started with Frida through examples: installing Frida and its basic functions - "iOS Security" - Kanxue Security Forum

Installing Frida

Installing Frida on macOS

This step is straightforward: run "pip install --user frida".

Experiments

Experiment 1: setting up

Reference: frida.re/docs/functions

Compile hello and apply a simple hook

Compile hello and obtain the address of the function f, then hook it with the corresponding hook script. When the hook script runs, a permission prompt asks whether to allow it to control another process; once authorized, the arguments passed to the hooked function f can be read.

hello terminal

$ ./hello

f() is at 0x1043c6ed0

Number: 0
Number: 1
Number: 3
Number: 4
Number: 5

hook script terminal

$ python hook.py 0x1043c6ed0
{u'type': u'send', u'payload': 58}
{u'type': u'send', u'payload': 59}
{u'type': u'send', u'payload': 60}
{u'type': u'send', u'payload': 61}
{u'type': u'send', u'payload': 62}

Modifying function arguments

Modify the Python script so that it changes the argument passed in.

hello terminal

./hello
f() is at 0x10fc80ed0
Number: 0
Number: 1
Number: 2
...
Number: 44
Number: 1337
Number: 1337
Number: 1337
Number: 1337
Number: 1337
Number: 72
Number: 73
Number: 74

hook script terminal

$ python modify.py 0x10fc80ed0

Calling the function

Modify the Python script to add the corresponding call.

hello terminal

./hello
f() is at 0x10d20ded0
Number: 0
Number: 1
Number: 2
Number: 3

...
Number: 21
Number: 1911
Number: 1911
Number: 1911
Number: 22
Number: 23

hook script terminal

$ python call.py 0x10d20ded0
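The host side of the hook and modify steps above, as an added example that is not the post's own hook.py or modify.py. It assumes the frida.re "hello" sample is running under the process name "hello", that the frida Python package is installed, and that f()'s address is passed on the command line as in the post; the replacement value 1337 mirrors the modify.py output.

```python
import sys

try:
    import frida  # only needed when actually attaching to a process
except ImportError:  # the helper functions below still work offline
    frida = None

# Agent template: Interceptor.attach() on f()'s address, reporting the first
# argument to the host with send(); the optional line rewrites it in place.
AGENT_TEMPLATE = """
Interceptor.attach(ptr("%(addr)s"), {
    onEnter: function (args) {
        send(args[0].toInt32());
%(rewrite)s    }
});
"""

def build_agent(addr, replace=None):
    """Render the JavaScript agent for f() at addr (int or hex string).
    With replace set, the agent overwrites f()'s first argument (modify.py)."""
    addr_int = addr if isinstance(addr, int) else int(addr, 16)
    rewrite = "" if replace is None else '        args[0] = ptr("%d");\n' % int(replace)
    return AGENT_TEMPLATE % {"addr": hex(addr_int), "rewrite": rewrite}

def payload_of(message):
    """Return the payload of a 'send' message (what hook.py prints as
    {u'type': u'send', u'payload': 58}); agent exceptions arrive as
    type 'error' with a 'description' and yield None."""
    if message.get("type") == "send":
        return message["payload"]
    sys.stderr.write("agent error: %s\n" % message.get("description"))
    return None

def main(argv):
    if frida is None:
        sys.exit("frida package missing: pip install --user frida")
    replace = 1337 if "--modify" in argv else None  # hypothetical flag
    session = frida.attach("hello")  # triggers the macOS permission prompt
    script = session.create_script(build_agent(argv[1], replace=replace))
    script.on("message", lambda msg, data: print(payload_of(msg)))
    script.load()
    sys.stdin.read()  # keep the hook alive until Ctrl-D, as in the docs

if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python hook_example.py 0x1043c6ed0` for the plain hook, or add `--modify` to reproduce the 1337 output.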

Experiment 2

Injecting strings and calling functions

hi terminal

./hi
f() is at 0x10b719eb0
s is at 0x10b719f90
String: Testing!
String: Testing!
String: Testing!
String: Testing!
String: Testing!
String: Testing!
String: TESTMEPLZ!
String: Testing!
String: Testing!

hook script terminal

$ python stringhook.py 0x10b719eb0

Injecting a memory object

Three terminals are needed; start them in the order shown. Once the script is running, press Enter in the client terminal.

client terminal

./client 127.0.0.1
connect() is at: 0x7fff8b697528

Here's the serv_addr buffer:
00 02 13 88 7f 00 00 01 00 00 00 00 00 00 00 00

Press ENTER key to Continue

netcat terminal

nc -l 5001
Hello there!

hook script terminal

python struct_mod.py
[i] Allocating memory and writing bytes...
[i] Injecting malicious byte array:

Experiment 3: sending and receiving messages with the target process

Reference: frida.re/docs/messages/

Sending and receiving messages

hello terminal

./hello
f() is at 0x1024d4ed0
Number: 0
Number: 1
Number: 2
...
Number: 79
Number: 160 // from this value on, the numbers are sent to the hello process by the rpc script
Number: 162
Number: 164
Number: 166
Number: 168
Number: 170
Number: 172
Number: 174
...
Number: 224
Number: 226
Number: 228 // the rpc script stopped after this
Number: 115
Number: 116
Number: 117

script terminal

python rpc.py 0x1024d4ed0
{u'type': u'send', u'payload': u'0x50'}
{u'type': u'send', u'payload': u'0x51'}
{u'type': u'send', u'payload': u'0x52'}
{u'type': u'send', u'payload': u'0x53'}
{u'type': u'send', u'payload': u'0x54'}
{u'type': u'send', u'payload': u'0x55'}
{u'type': u'send', u'payload': u'0x56'}
{u'type': u'send', u'payload': u'0x57'}
{u'type': u'send', u'payload': u'0x58'}
...
{u'type': u'send', u'payload': u'0x70'}
{u'type': u'send', u'payload': u'0x71'}
{u'type': u'send', u'payload': u'0x72'}
