分析下frida对函数和函数内部的地址hook时的操作,通过本次的学习可以掌握fridahook时对原有函数的修改和寄存器的分配变化。
⊙一、环境准备
⊙二、函数hook分析
⊙三、流程梳理
⊙四、总结
一、环境准备
小米8、frida环境、ida
在as创建ndk demo
如下所示:
其中 md5.cpp:
/* Constants for MD5Transform routine.*/static unsigned char PADDING[64] = {0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};/* F, G, H and I are basic MD5 functions.*//* ROTATE_LEFT rotates x left n bits.*//* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.Rotation is separate from addition to prevent recomputation.*/(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac);(a) = ROTATE_LEFT ((a), (s));(a) += (b);}(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac);(a) = ROTATE_LEFT ((a), (s));(a) += (b);}(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac);(a) = ROTATE_LEFT ((a), (s));(a) += (b);}(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac);(a) = ROTATE_LEFT ((a), (s));(a) += (b);}/* MD5 initialization. Begins an MD5 operation, writing a new context.*/void MD5Init (MD5_CTX *context){context->count[0] = context->count[1] = 0;/* Load magic initialization constants.*/context->state[0] = 0x67452301;context->state[1] = 0xefcdab89;context->state[2] = 0x98badcfe;context->state[3] = 0x10325476;}/* MD5 block update operation. Continues an MD5 message-digestoperation, processing another message block, and updating thecontext.*/void MD5Update (MD5_CTX *context,unsigned char *input,unsigned int inputLen){unsigned int i, index, partLen;/* Compute number of bytes mod 64 */index = (unsigned int)((context->count[0] >> 3) & 0x3F);/* Update number of bits */if ((context->count[0] += ((UINT4)inputLen << 3))< ((UINT4)inputLen << 3))context->count[1]++;context->count[1] += ((UINT4)inputLen >> 29);partLen = 64 - index;/* Transform as many times as possible.*/if (inputLen >= partLen) {MD5_memcpy((POINTER)&context->buffer[index], (POINTER)input, partLen);MD5Transform (context->state, context->buffer);for (i = partLen; i + 63 < inputLen; i += 64)MD5Transform (context->state, &input[i]);index = 0;}elsei = 0;/* Buffer remaining input */MD5_memcpy((POINTER)&context->buffer[index], (POINTER)&input[i],inputLen-i);}/* MD5 finalization. Ends an MD5 message-digest operation, writing thethe message digest and zeroizing the context.*/void MD5Final (unsigned char digest[16], MD5_CTX *context){unsigned char bits[8];unsigned int index, padLen;/* Save number of bits */Encode (bits, context->count, 8);/* Pad out to 56 mod 64.*/index = (unsigned int)((context->count[0] >> 3) & 0x3f);padLen = (index < 56) ? (56 - index) : (120 - index);MD5Update (context, PADDING, padLen);/* Append length (before padding) */MD5Update (context, bits, 8);/* Store state in digest */Encode (digest, context->state, 16);/* Zeroize sensitive information.*/MD5_memset ((POINTER)context, 0, sizeof (*context));}/* MD5 basic transformation. Transforms state based on block.*/static void MD5Transform (UINT4 state[4], unsigned char block[64]){UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];Decode (x, block, 64);/* Round 1 */FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 *//* Round 2 */GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 *//* Round 3 */HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 *//* Round 4 */II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */state[0] += a;state[1] += b;state[2] += c;state[3] += d;/* Zeroize sensitive information.*/MD5_memset ((POINTER)x, 0, sizeof (x));}/* Encodes input (UINT4) into output (unsigned char). Assumes len isa multiple of 4.*/static void Encode (unsigned char *output, UINT4 *input, unsigned int len){unsigned int i, j;for (i = 0, j = 0; j < len; i++, j += 4) {output[j] = (unsigned char)(input[i] & 0xff);output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);}}/* Decodes input (unsigned char) into output (UINT4). Assumes len isa multiple of 4.*/static void Decode (UINT4 *output, unsigned char *input, unsigned int len){unsigned int i, j;for (i = 0, j = 0; j < len; i++, j += 4)output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |(((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);}/* Note: Replace "for loop" with standard memcpy if possible.*/static void MD5_memcpy (POINTER output, POINTER input, unsigned int len){unsigned int i;for (i = 0; i < len; i++)output[i] = input[i];}/* Note: Replace "for loop" with standard memset if possible.*/static void MD5_memset (POINTER output, int value, unsigned int len){unsigned int i;for (i = 0; i < len; i++)((char *)output)[i] = (char)value;}
其中:md5.h
/* POINTER defines a generic pointer type */typedef unsigned char *POINTER;/* UINT2 defines a two byte word */typedef unsigned short int UINT2;/* UINT4 defines a four byte word */typedef unsigned long int UINT4;/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.If using PROTOTYPES, then PROTO_LIST returns the list, otherwise itreturns an empty list.*//* MD5 context. */typedef struct tagMD5_CTX{UINT4 state[4]; /* state (ABCD) */UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */unsigned char buffer[64]; /* input buffer */} MD5_CTX;extern "C" {voidMD5Init(MD5_CTX *context);voidMD5Update(MD5_CTX *context,unsignedchar *input,unsignedint inputLen);voidMD5Final(unsignedchar digest[16], MD5_CTX *context);staticvoidMD5Transform(UINT4 state[4], unsignedchar block[64]);staticvoidEncode(unsignedchar *output, UINT4 *input, unsignedint len);staticvoidDecode(UINT4 *output, unsignedchar *input, unsignedint len);staticvoidMD5_memcpy(POINTER output, POINTER input, unsignedint len);staticvoidMD5_memset(POINTER output, int value, unsignedint len);}
二、函数hook分析
主要对Java_com_re_myapplication_MainActivity_stringFromJNI
然后使用frida进行hook,其代码如下:
console.log("[+] Frida脚本已加载,开始注入 com.re.myapplication");// 封装函数:Hook JNI函数function hookJNIFunction() {console.log("[+] 开始Hook JNI函数...");// 等待模块加载Interceptor.attach(Module.findExportByName("libmyapplication.so", "Java_com_re_myapplication_MainActivity_stringFromJNI"), {onEnter: function(args) {console.log("[+] Java_com_re_myapplication_MainActivity_stringFromJNI 被调用");console.log("[+] JNIEnv:", args[0]);console.log("[+] jobject:", args[1]);// 保存参数以便在onLeave中使用this.args = args;},onLeave: function(retval) {console.log("[+] Java_com_re_myapplication_MainActivity_stringFromJNI 返回值:", retval);// 如果返回值是字符串指针,尝试读取字符串内容if (!retval.isNull()) {try {var str = Java.vm.getEnv().getStringUtfChars(retval, null);console.log("[+] 返回的字符串内容:", str);} catch (e) {console.log("[+] 无法读取返回字符串:", e.message);}}console.log("[+] JNI函数执行完成");}});console.log("[+] JNI函数Hook设置完成");}// 主函数:执行所有Hookfunction main() {console.log("[+] 开始执行Hook操作...");// Hook Java层// 等待一段时间后Hook so库(确保模块已加载)setTimeout(function() {// 尝试直接Hook JNI函数hookJNIFunction();console.log("[+] 所有Hook操作完成");}, 2000);}// 执行主函数main();console.log("[+] Frida脚本加载完成");
启动hook后,ida附加,调试被fridahook的函数:
其中上图粉色框为hook后的函数,绿色框为未被hook的函数,两者对比,发现函数头的16个字节被修改。
在这里我们记下几个特殊的值:
so在内存中加载的起始地址为:
被替换的四条指令中,发现构建了个跳板,跳转到x16,寄存器里面了(如下图所示)
然后0x79A1041408这个地址,我们F7步入:
步入后其实分三段:
1、0x79A1041408的第一段:保存现场
2、
0x79A1041408的第二段:
跳转到sub_79443f77d8:其实去frida_agent_64的,然后调用onEnter
3、
0x79A1041408的第三段
下图中的从【sp】取值,取得这个值为0x9A104140C
PS1:x30=0x9A104140C是什么呢?
其实就是下图粉色的那个地址,这个粉色的地方frida为什么处理把他赋值为X30呢,这次先保持疑问,后面的内容会解答,这里先交ps1。
OMG,调试的时候断了,地址可能不同。。。
现在替换为
然后我们接着看看第三段的下半部分:恢复了寄存器,并且RET到x16寄存器,X16寄存器做什么呢?
我们看X16寄存器的地方:这个我们很熟悉,其实是frida把原始的16个字节(四条指令)给拷贝过来了,X16寄存器的值是stringFromJNI的起始地址,这里注意一个点,STP X29,X30,[SP,#0x150],这个X30就是_7A266F200,这个地址。
然后接着F7执行:发现,到了stringFromJNI+ 16的地址位置,
一直F8到函数的结尾
这个数值又出现了,其实他返回到粉色这里
然后接着F7走到了上方图片的BR X16
BR X16其实也是分三段
1、第一段保存现场
2、第二段去frida_agent_64里执行onLeave函数
3、第三段去恢复现场并跳转到函数原有ret的地方
三、流程总结
三、总结
总而言之,frida通过替换前面指令,跳转到自己的内存空间,再通过跳板执行原有被替换的四条指令,然后根据跳转到frida的虚拟空间,执行的onEnter,然后又根据X30的值存入能够触发返回OnLeave的地址,通过函数必压X30进堆栈,ret前恢复现场的时候灵活的跳转到OnLeave的空间,在OnLoave的空间内,又跳转到了原始函数ret返回的地址。
学习逆向可以关注我朋友:
我是BestToYou,分享工作或日常学习中关于Android、iOS逆向及安全防护的一些思路和一些自己闲暇时刻调试的一些程序,文中若有错误或者不足的地方,恳请大家联系我批评指正。
原文始发于微信公众号(二进制科学):frida如何对函数进行hook
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论