手工实现堆栈回溯,参考Frida-Seccomp
// Parsed /proc/self/maps entries ({start, end, offset, path, name}); filled by read_maps()
// and searched by find_mem_region(). Numbers are JS doubles, so addresses are exact only below 2^53.
let mem_regions = [];
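/**
 * Parse one line of /proc/self/maps into a region record.
 *
 * Expected layout: `start-end perms offset dev inode [path]`. The path column is
 * optional (anonymous mappings) and is separated from the inode by a run of spaces;
 * it may itself contain spaces (e.g. " (deleted)" suffixes), so it is taken lazily
 * up to the trailing whitespace/newline.
 *
 * @param {string} text - A single maps line; a trailing newline is tolerated.
 * @returns {{start: number, end: number, offset: number, path: string, name: string} | null}
 *   The parsed region, or null when the line does not match the expected format.
 */
function parse_maps_line(text) {
  const match = /^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*?)\s*$/i.exec(text);
  if (match === null) {
    return null;
  }
  const [, start, end, offset, raw_path] = match;
  // Anonymous mappings have no path; keep the original "UNKNOW" marker that
  // get_addr_info() also prints, so log consumers see one spelling.
  const path = raw_path === "" ? "UNKNOW" : raw_path;
  return {
    start: parseInt(start, 16),
    end: parseInt(end, 16),
    offset: parseInt(offset, 16),
    path,
    name: path.split("/").pop(),
  };
}

/**
 * Read /proc/self/maps through libc (fopen/fgets/fclose) and rebuild `mem_regions`.
 *
 * Fixes versus the previous version: the old code split `infos[0]` (the bare
 * "start-end" token) on spaces again, so `offset` was always undefined and every
 * region's offset was NaN; lines longer than the 1024-byte buffer are now joined
 * back together; the FILE* is always closed; repeated calls no longer append
 * duplicate regions.
 *
 * @throws {Error} If fopen() returns NULL (fgets on a NULL FILE* would crash the target).
 */
function read_maps() {
  const LINE_SIZE = 1024;
  const libc = Process.getModuleByName("libc.so");
  const fopen = new NativeFunction(libc.getExportByName("fopen"), "pointer", ["pointer", "pointer"]);
  const fgets = new NativeFunction(libc.getExportByName("fgets"), "pointer", ["pointer", "int", "pointer"]);
  const fclose = new NativeFunction(libc.getExportByName("fclose"), "int", ["pointer"]);
  const filepath = Memory.allocUtf8String("/proc/self/maps");
  const mode = Memory.allocUtf8String("r");
  const file = fopen(filepath, mode);
  if (file.isNull()) {
    throw new Error("fopen(/proc/self/maps) failed");
  }
  const line = Memory.alloc(LINE_SIZE);
  const lines = [];
  try {
    while (!fgets(line, LINE_SIZE, file).isNull()) {
      const text = line.readCString();
      if (text == null) {
        break;
      }
      // fgets keeps the newline; a chunk without one means the line was cut at
      // LINE_SIZE and the next read continues it.
      if (lines.length > 0 && !lines[lines.length - 1].endsWith("\n")) {
        lines[lines.length - 1] += text;
      } else {
        lines.push(text);
      }
    }
  } finally {
    fclose(file);
  }
  // Keep the same array identity (other functions hold the binding), just refill it.
  mem_regions.length = 0;
  for (const text of lines) {
    const region = parse_maps_line(text);
    if (region !== null) {
      mem_regions.push(region);
    }
  }
}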
/**
 * Render an address as `<addr>[<module name>:<offset>]`, right-aligned to 16 columns.
 *
 * The offset printed after ':' is `addr - (region.start - region.offset)`, i.e. the
 * file offset of the byte backing `addr`; for the usual ELF layout (first segment
 * mapped from file offset 0) this coincides with the load-relative address.
 * Addresses outside every known region render as `[UNKNOW]`.
 *
 * @param {NativePointer} addr - Address to describe.
 * @returns {string} One formatted line, without a trailing newline.
 */
function get_addr_info(addr) {
  const column = `${addr}`.padStart(16, " ");
  const region = find_mem_region(addr);
  const location = region
    ? `${region.name}:${addr.sub(region.start - region.offset)}`
    : "UNKNOW";
  return `${column}[${location}]`;
}
/**
 * Locate the parsed maps entry whose half-open range [start, end) contains `sp_addr`.
 *
 * `sp_addr` may be a number or a NativePointer; the latter is compared through its
 * "0x..." string form, which `>=`/`<` coerce to a number.
 *
 * @param {NativePointer | number} sp_addr - Address to look up.
 * @returns {{start: number, end: number, offset: number, path: string, name: string} | undefined}
 *   The first matching region in `mem_regions`, or undefined when none contains it.
 */
function find_mem_region(sp_addr) {
  return mem_regions.find((region) => sp_addr >= region.start && sp_addr < region.end);
}
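/**
 * Walk the frame-pointer chain from the captured register state and collect
 * return addresses.
 *
 * Frame record layout assumed here (AArch64 AAPCS64): `[fp]` holds the caller's
 * frame pointer and `[fp + 8]` the saved link register. The walk only follows
 * frame pointers that lie inside the mapping containing `sp`, so a corrupt or
 * foreign frame pointer ends the trace instead of faulting the target.
 *
 * Fix versus the previous version: the bound was `fp > end`, which still allowed
 * the `[fp + 8]` read to cross the end of the mapping; the whole 16-byte frame
 * record must now fit before a read is attempted.
 *
 * @param {NativePointer} pc - Current program counter (second entry of the result).
 * @param {NativePointer} lr - Current link register (first entry of the result).
 * @param {NativePointer} fp - Current frame pointer; start of the chain.
 * @param {NativePointer} sp - Current stack pointer; selects the stack mapping.
 * @returns {NativePointer[]} `[lr, pc, caller_lr, ...]`, at most MAX_FRAMES entries.
 */
function stacktrace(pc, lr, fp, sp) {
  const MAX_FRAMES = 32;
  const FRAME_LR_OFFSET = 8;
  const FRAME_RECORD_SIZE = 16;
  const stack_arr = [lr, pc];
  const mem_region = find_mem_region(sp);
  if (!mem_region) {
    console.log(`[stacktrace] can not find mem_region ${sp}`);
    return stack_arr;
  }
  // NativePointer prints as "0x..."; radix 16 accepts that prefix. Values are
  // exact only below 2^53, which covers userspace addresses.
  const sp_num = parseInt(sp.toString(), 16);
  let fp_c = fp;
  while (stack_arr.length < MAX_FRAMES) {
    const fp_num = parseInt(fp_c.toString(), 16);
    if (
      Number.isNaN(fp_num) ||
      fp_num < sp_num ||
      fp_num < mem_region.start ||
      fp_num + FRAME_RECORD_SIZE > mem_region.end
    ) {
      break;
    }
    const next_fp = fp_c.readPointer();
    stack_arr.push(fp_c.add(FRAME_LR_OFFSET).readPointer());
    fp_c = next_fp;
  }
  return stack_arr;
}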
/**
 * Attach to SSL_write in libsscronet.so and log every call together with a
 * manually walked stack trace.
 *
 * The trace is captured in onEnter, where `this.context` still holds the
 * caller's pc/lr/fp/sp, and printed in onLeave next to the return value.
 * Frida throws if libsscronet.so is not loaded or does not export SSL_write.
 */
function hook_libsscronet() {
  const libsscronet = Process.getModuleByName("libsscronet.so");

  const attach_ssl_write = (module) => {
    const symbol = "SSL_write";
    const symbol_addr = module.getExportByName(symbol);
    console.log(`[${symbol}] addr=${symbol_addr}`);
    Interceptor.attach(symbol_addr, {
      onEnter(args) {
        const { pc, lr, fp, sp } = this.context;
        this.ssl = args[0];
        this.buf = args[1];
        this.num = args[2];
        this.info = stacktrace(pc, lr, fp, sp).map(get_addr_info).join("\n");
      },
      onLeave(retval) {
        const status = retval.toInt32();
        console.log(`[${symbol}] retval=${status} SSL=${this.ssl} buf=${this.buf} num=${this.num}\n${this.info}`);
      },
    });
  };

  attach_ssl_write(libsscronet);
}
/**
 * Script entry point: load the memory map first, then install the hook.
 *
 * Order matters — stacktrace() and get_addr_info() resolve addresses through
 * `mem_regions`, which read_maps() fills.
 */
function main() {
  [read_maps, hook_libsscronet].forEach((step) => step());
}
// Run main() once the current script evaluation has finished.
setImmediate(main);
// frida -U -n 抖音 -l hook.js -o hook.log
// by SeeFlowerX
// 参考 https://github.com/Abbbbbi/Frida-Seccomp

hook效果输出

[SSL_write] addr=0x7b592a8570
[SSL_write] 6 SSL=0x7cc2b53e98 buf=0x7c42b2c450 num=0x6
    0x7b592a8570[libttboringssl.so:0x2b570]
    0x7b5833a61c[libsscronet.so:0x2e261c]
    0x7b5844f8b4[libsscronet.so:0x3f78b4]
    0x7b5844ed3c[libsscronet.so:0x3f6d3c]
    0x7b5844ebec[libsscronet.so:0x3f6bec]
    0x7b58451048[libsscronet.so:0x3f9048]
    0x7b58450f20[libsscronet.so:0x3f8f20]
    0x7b5845078c[libsscronet.so:0x3f878c]
    0x7b581e7580[libsscronet.so:0x18f580]
    0x7b581e7580[libsscronet.so:0x18f580]
    0x7b583383b0[libsscronet.so:0x2e03b0]
    0x7b581e7580[libsscronet.so:0x18f580]
    0x7b583a9e18[libsscronet.so:0x351e18]
    0x7b581e7580[libsscronet.so:0x18f580]
    0x7b583561f0[libsscronet.so:0x2fe1f0]
    0x7b581e7580[libsscronet.so:0x18f580]
    0x7b583e1fc4[libsscronet.so:0x389fc4]
    0x7b58314d84[libsscronet.so:0x2bcd84]
    0x7b582edcb4[libsscronet.so:0x295cb4]
    0x7b582db7f8[libsscronet.so:0x2837f8]
    0x7b582ffe14[libsscronet.so:0x2a7e14]
    0x7b5830c46c[libsscronet.so:0x2b446c]
    0x7ed3451694[libc.so:0xb1694]
    0x7ed33f10b0[libc.so:0x510b0]
             0x0[UNKNOW]
