《2023Anti-Frida加固样本分析.docx》由会员分享,可在线阅读,更多相关《2023Anti-Frida加固样本分析.docx(19页珍藏版)》请在第壹文秘上搜索。
1、分析某加固的AntRFrida保护分析过程找到检测所在的S。我们可以通过frida-trace快速进行系统函数的hook,首先我们需要知道loads。的函数一般为dlopen和android_dlopen_ext,所以先执行trida-trace-U-tcom.wuje.Chengxin-1dIopen可以观察到以下输出:PSE:antiantifridachenxinfrida-tracecom.wujie.ChengxindlopenInStrUmenting.dlopen:1.oadedhandlerat11EWantiantifridaWchenxinWhandlerslibdl.so
2、dlopen.isStartedtracingifunction.PressCtrl+Ctostop.-TID0x3a6f/240msdlopen()24msdlopen()246msdlopen()卜Iin;PSE:样本antiantifridachenxin_可以看到这里只显示了调用dlopen,但是参数没有输出,祖叩en的第一个参数即为所需Ioad的s。的名字(args0.readcstring()我们可以去提示的路径下修改dlopen.js脚本修改前:IHChengxinJsBdlopeajs3*ForfullAPIreference,see:https:fZda.redocsjava
3、script-apedsynchronous1.ywhenabouttoca1.1.d1.open.bouttoreturnfromd1.open.SeeonEdetai1.paramfunction1.og1.thisfunctionwithastringtoparamNativePointer)retva1.onEnter/on1.eave,butinsteadinvocation.inonEnter.bepresentedtotheuser,aNativePointerobject.thisobjectObjecta1.1.owingyoutoaccessstatestoredHowev
4、er,dousethistostorefunctionargumentsacrossparamobjectstateVOn1.eaVe(Iog,retval,state)*usethiswhichisanobjectforkeepingstate1.oca1.toan*/onEnter(log,args,state)log(dlopen();),chenin_handlers_libdl.soBdIopenjs5678910111213141516171819202122232425262728293031323334353637修改后:,thisobject-Objecta1.1.owing
5、youtostorestateforuseinon1.eave.paramfunction1.og-Ca1.lthisfunctionithastringtobepresentedtotheuser.,paramarrayargsFunctionargumentsrepresentedasanarrayofNativePointerobjects.*Foreamp1.euseargs0.readUtf8String()ifthefirstargumentisapointertoaCstringeItisalsopossib1.etomodifyargumentsbyassigningaNati
6、vePointerobjecttoane1.ementcparamobjectstate.OnlyoneJavaScriptfunctionexecuteatatimejsodonotWOrrtVaboutrace-conditions.ISChengxinjsIHdlopen.js3chenxin_handlers_libdl.soISdIopenJs4567891011121314IS1617181920212223242526272829303132333435363738ForfullAPIreference,/Ca1.1.eds.thisobject)paramfunction1.o
7、gparamarrayargsForeamp1.euseCIrgSftItisa1.sopossib1.etfrida-tracecom.wujie.ChengxindlopenInstrumenting.dlopen:1.oadedhandleratE:样本Wantiantifridachenxin_handlers_Wlibdl.sodlopen.JsStartedtracing1function.PressCtrlKtostop./TIDx3e92/241 msdIopen():libc.so242 msdlopen():libc.so247 msdlopen():Iibdatajar.
8、soProcesstermir现在dlopen的参数就显示出来了,但是这里load的三个SO显然是系统的s。而非app的SO,所以我们再hookandroid_dlopen_ext看看:PSE:样本antiantifri,dachenxinfrida-tracecxn.wujIe.Chengxinandroid_dlopen_extInstrumenting.android-dlopen-et:1.oadedhandleratE:样本Wantiantifridachenxin_handlers_libdl.soandroid_dlopen_ext.jsStartedtracing1functi
9、on.PressCtrltCtostop./TID0x406c/211msandroid.dlopen,et():systemframeworkoatarmorg.apache.http.legacy.odex216msandroiddlopenet():dataappcom.wujie.che11gxin-WZCaCd7ATEUlEIc9F17Xdg=oata11nbase.o_可以看到当IOad到IibDeXHelPer.so的时候,frida被杀掉了,所以我们初步可以判定做检测的位置在IibDexHelper.so首先我们可以通过hook字符串比较函数(比如StrStrWStrCmP等函
10、数)来观察是否传入了frida相关的字符串进行比较Interceptor.attach(Module.findEportByName(null,strstr),onEnter:function(args)if(args0.readCString().indexOf(frida)!:1args1.readCString().indexf(frida)!=-1|args0.readCString().indexOf(gum-js-loop)!=-largsl.readCString().indexf(gum-js-loop)!=-l|args0.readCString().indexOf(gmai
11、n)!=-1argsl.readCString().indexOf(g三ain)I=-1|args.readCString().i11dexf(Iinjector)!=-1argsl.readCString().indexf(Iinjector)!=-1console.log(nstrstr(+sl=t+args0.readCString()+,s2=w,+args1.readCString()+11,)i),on1.eave:function(retval)!);PSE:ffantiatifridacheninfrida-traceCM.wjie.CbengxinstrstrInstrumenting.strstr:1.oadedhandleratE:样本antiantifridachenxin_handlers_1ibc.sostrstr.jsStartedtracing1fu