@zsa233/frida-analykit-agent 2.0.0 → 2.0.2

package/src/lib/libc.ts

@@ -1,161 +0,0 @@
-import { mustType } from "../utils/utils.js"
-import { nativeFunctionOptions } from "../consts.js"
-
-
-const PROP_VALUE_MAX = 92
-
-
-export class Libc {
-    constructor() {
-        return new Proxy(this, {
-            get(target: any, prop: string) {
-                if (prop in target) {
-                    return target[prop];
-                }
-                if (prop[0] !== '$') {
-                    return target['$' + prop]
-                } else {
-                    return target[prop.substring(1)]
-                }
-            }
-        })
-    }
-
-    static readonly $libc = Process.findModuleByName('libc.so') || Module.load('libc.so')
-
-
-    $lazyLoadFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
-        symName: string, retType: RetType, argTypes: ArgTypes,
-    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
-        let func: any = null
-        const wrapper = ((...args: any) => {
-            if (func === null) {
-                func = this.$nativeFunc(symName, retType, argTypes)
-            }
-            const ret = func(...args)
-            return ret
-        }) as any
-
-        Object.defineProperty(wrapper, '$handle', {
-            get() {
-                if (func === null) {
-                    func = this.$nativeFunc(symName, retType, argTypes)
-                }
-                return func.$handle
-            },
-            enumerable: true,
-        })
-
-        return wrapper
-    }
-
-
-
-    $nativeFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
-        symName: string, retType: RetType, argTypes: ArgTypes,
-    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
-        const handle = mustType(Libc.$libc.findExportByName(symName))
-        const fn: any = new NativeFunction(
-            handle,
-            retType, argTypes, nativeFunctionOptions,
-        )
-        fn.$handle = handle 
-        return fn
-    }
-
-    // ssize_t readlink(const char *pathname, char *buf, size_t bufsiz);
-    readonly $readlink = this.$lazyLoadFunc('readlink', 'int', ['pointer', 'pointer', 'size_t'])
-    readlink(pathname: string, bufsize: number = 256): string | null {
-        const cfdPath = Memory.allocUtf8String(pathname)
-        const resolvedPath = Memory.alloc(bufsize)
-        const result = this.$readlink(cfdPath, resolvedPath, bufsize)
-        let link: string | null = null
-        if (result !== -1) {
-            link = resolvedPath.readCString()
-        }
-        return link
-    }
-
-    // DIR *opendir(const char *name);
-    readonly $opendir = this.$lazyLoadFunc('opendir', 'pointer', ['pointer'])
-    opendir(path: string) {
-        const cpath = Memory.allocUtf8String(path)
-        const dir = this.$opendir(cpath)
-        return dir
-    }
-
-    // FILE *fopen(const char *pathname, const char *mode);
-    readonly $fopen = this.$lazyLoadFunc('fopen', 'pointer', ['pointer', 'pointer'])
-    fopen(pathname: string, mode: string): NativePointer {
-        return this.$fopen(Memory.allocUtf8String(pathname), Memory.allocUtf8String(mode))
-    }
-
-    // int fclose(FILE *stream);
-    readonly fclose = this.$lazyLoadFunc('fclose', 'int', ['pointer'])
-
-    // int fputs(const char *str, FILE *stream);
-    readonly $fputs = this.$lazyLoadFunc('fputs', 'int', ['pointer', 'pointer'])
-    fputs(str: string, file: NativePointer) {
-        return this.$fputs(Memory.allocUtf8String(str), file)
-    }
-
-    // int fflush(FILE *stream);
-    readonly fflush = this.$lazyLoadFunc('fflush', 'int', ['pointer'])
-
-    // struct dirent *readdir(DIR *dirp);
-    readonly readdir = this.$lazyLoadFunc('readdir', 'pointer', ['pointer'])
-
-    // int closedir(DIR *dirp);
-    readonly closedir = this.$lazyLoadFunc('closedir', 'int', ['pointer'])
-
-    // int fileno(FILE *stream);
-    readonly fileno = this.$lazyLoadFunc('fileno', 'int', ['pointer'])
-
-    // pthread_t pthread_self(void);
-    readonly pthread_self = this.$lazyLoadFunc('pthread_self', 'int64', [])
-
-
-    // pid_t getpid(void);
-    readonly getpid = this.$lazyLoadFunc('getpid', 'uint', [])
-
-    // uid_t getuid(void);
-    readonly getuid = this.$lazyLoadFunc('getuid', 'uint', [])
-
-    // pid_t gettid(void);
-    readonly gettid = this.$lazyLoadFunc('gettid', 'uint', [])
-
-    // int clock_gettime(clockid_t clk_id, struct timespec *tp);
-    readonly $clock_gettime = this.$lazyLoadFunc('clock_gettime', 'int', ['int', 'pointer'])
-    clock_gettime(clk_id: number): {tv_sec: number, tv_nsec: number } | null {
-        const ps = Process.pointerSize
-        const tv = Memory.alloc(ps * 2)
-        const ret = this.$clock_gettime(clk_id, tv)
-        if(ret != 0) {
-            return null
-        }
-        return {
-            tv_sec: Number(tv[ps === 8 ? 'readU64' : 'readU32']()), 
-            tv_nsec: Number(tv.add(ps)[ps === 8 ? 'readU64' : 'readU32']()), 
-        }
-    }
-
-    // int __system_property_get(const char *name, char *value);
-    readonly $__system_property_get = this.$lazyLoadFunc('__system_property_get', 'int', ['pointer', 'pointer'])
-    __system_property_get(name: string): string {
-        const sdk_version_value = Memory.alloc(PROP_VALUE_MAX)
-        const ret = this.$__system_property_get(Memory.allocUtf8String(name), sdk_version_value)
-        if(ret < 0) {
-            console.error(`[__system_property_get] name[${name}] error[${ret}]`)
-        }
-        return sdk_version_value.readCString(ret) || ''
-    }
-
-    // char *getcwd(char *buf, size_t size);
-    readonly $getcwd = this.$lazyLoadFunc('getcwd', 'pointer', ['pointer', 'size_t'])
-    getcwd(): string | null {
-        const buff_size = 256
-        const buff = Memory.alloc(buff_size)
-        return this.$getcwd(buff, buff_size).readCString()
-    }
-
-}

package/src/lib/libssl.ts

@@ -1,95 +0,0 @@
-
-import { ElfModuleX, ElfFileFixer } from "../elf/module.js"
-import { nativeFunctionOptions } from "../consts.js"
-
-
-export class Libssl {
-    static $modx?: ElfModuleX
-
-    static $getModule(): ElfModuleX {
-        if (!this.$modx) {
-            let isNewLoad = false
-            const libsslModule = Process.findModuleByName('libssl.so') || (isNewLoad = true, Module.load('libssl.so'))
-            if (isNewLoad) {
-                console.error(`[libssl.so]为新加载module.`)
-            }
-            this.$modx = new ElfModuleX(
-                libsslModule,
-                [new ElfFileFixer(libsslModule.path)],
-                { symbolScanLimit: 50000 },
-            )
-        }
-        return this.$modx
-    }
-
-
-    static $nativeFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
-        symName: string, retType: RetType, argTypes: ArgTypes,
-    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
-        const sym = this.$getModule().findSymbol(symName)
-        if (!sym || !sym.implPtr) {
-            // throw error if call
-            const throwFunc = function () {
-                throw new Error(`[Libssl] symbol[${symName}] Not Found!`)
-            } as any
-            throwFunc.$handle = null
-            return throwFunc
-        }
-
-        const handle = sym.implPtr
-
-        const fn: any = new NativeFunction(
-            handle,
-            retType, argTypes, nativeFunctionOptions,
-        )
-        fn.$handle = handle
-        return fn
-    }
-
-    static $lazyLoadFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
-        symName: string, retType: RetType, argTypes: ArgTypes,
-    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
-        let func: any = null
-        const getFunc = () => {
-            if (func === null) { func = this.$nativeFunc(symName, retType, argTypes) }
-            return func
-        }
-
-        const wrapper = ((...args: any) => {
-            return getFunc()(...args)
-        }) as any
-
-        Object.defineProperty(wrapper, '$handle', {
-            get() { return getFunc().$handle },
-        })
-        return wrapper
-    }
-
-
-
-    // // int bssl::ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, size_t secret_len)
-    // static readonly ssl_log_secret = this.$lazyLoadFunc(
-    //     '_ZN4bssl14ssl_log_secretEPK6ssl_stPKcPKhm', 'bool', ['pointer', 'pointer', 'pointer', 'size_t']
-    // )
-
-    // void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, void(*cb)(const SSL *ssl, const char *line))
-    static readonly SSL_CTX_set_keylog_callback = this.$lazyLoadFunc(
-        'SSL_CTX_set_keylog_callback', 'void', ['pointer', 'pointer']
-    )
-
-    // void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, const char *line)
-    static readonly SSL_CTX_get_keylog_callback = this.$lazyLoadFunc(
-        'SSL_CTX_get_keylog_callback', 'pointer', ['pointer']
-    )
-
-    // int SSL_connect(SSL *ssl)
-    static readonly SSL_connect = this.$lazyLoadFunc(
-        'SSL_connect', 'int', ['pointer']
-    )
-    
-    // SSL *SSL_new(SSL_CTX *ctx)
-    static readonly SSL_new = this.$lazyLoadFunc(
-        'SSL_new', 'pointer', ['pointer']
-    )
-
-}

package/src/message.ts

@@ -1,26 +0,0 @@
-
-
-
-
-export enum RPCMsgType {
-    BATCH = 'BATCH',
-    SCOPE_CALL = 'SCOPE_CALL',
-    SCOPE_EVAL = 'SCOPE_EVAL',
-    SCOPE_GET = 'SCOPE_GET',
-    ENUMERATE_OBJ_PROPS = 'ENUMERATE_OBJ_PROPS',
-    INIT_CONFIG = 'INIT_CONFIG',
-    SAVE_FILE = 'SAVE_FILE',
-    SSL_SECRET = 'SSL_SECRET',
-    PROGRESSING = 'PROGRESSING',
-}
-
-
-export enum batchSendSource {
-}
-
-
-export enum saveFileSource {
-    procMaps = 'procMaps',
-    textFile = 'textFile',
-    elfModule = 'elfModule',
-}

package/src/net/ssl.ts

@@ -1,360 +0,0 @@
-
-import { Config, setGlobalProperties } from "../config.js"
-import { RPCMsgType } from "../message.js"
-import { arrayBuffer2Hex, unwrapArgs } from "../utils/utils.js"
-import { ssl_st_structOf, SSL3_RANDOM_SIZE } from "./struct.js"
-import { help, NativePointerObject, ProgressNotify } from "../helper.js"
-import { Libssl } from "../lib/libssl.js"
-import { FuncHelper } from "../func.js"
-import { ElfModuleX } from "../elf/module.js"
-import { AdrlXref } from "../elf/xref.js"
-import { TextEncoder } from "../utils/text_endec.js"
-import { Subroutine } from "../elf/verifier.js"
-
-
-type SSL3_STATE = {
-    read_sequence: ArrayBuffer
-    cwrite_sequence: ArrayBuffer
-    server_random: ArrayBuffer
-    client_random: ArrayBuffer
-}
-
-
-interface SSLField {
-    method: NativePointer
-    config: NativePointer
-    version: number
-    max_send_fragment: number
-    rbio: NativePointer
-    wbio: NativePointer
-    do_handshake: NativePointer
-    s3: SSL3_STATE
-    d1: NativePointer
-    msg_callback: NativePointer
-    msg_callback_arg: NativePointer
-    initial_timeout_duration_ms: number
-    session: NativePointer
-    info_callback: NativePointer
-    ctx: NativePointer
-    session_ctx: NativePointer
-    ex_data: NativePointer
-}
-
-
-interface SSL extends SSLField { }
-
-const HEX_TABLE = '0123456789abcdef'
-
-
-
-export type SSLSecretLog = {
-    label: string
-    client_random: string
-    secret: string
-}
-
-class SSL extends NativePointerObject {
-    constructor(handle: NativePointer) {
-        super(handle)
-        for (let [field, offseter] of Object.entries(Process.pointerSize === 8 ? ssl_st_structOf.B64 : {})) {
-            Object.defineProperty(this, field, {
-                value: offseter(this.$handle),
-                writable: false,
-                enumerable: true,
-            })
-        }
-    }
-
-
-    static cbb_hex(bytes: ArrayBuffer, in_len: number): string {
-        const bs = new Uint8Array(bytes)
-        const hex_list: string[] = []
-        for (let i = 0; i < in_len; i++) {
-            hex_list.push(HEX_TABLE[bs[i] >> 4] + HEX_TABLE[bs[i] & 0xf])
-        }
-        return hex_list.join('')
-    }
-
-    secretlog(label: string, secret: ArrayBuffer, secret_len: number): SSLSecretLog {
-        return {
-            label,
-            client_random: SSL.cbb_hex(this.s3.client_random, SSL3_RANDOM_SIZE),
-            secret: SSL.cbb_hex(secret, secret_len),
-        }
-    }
-
-}
-
-
-
-function sendSSLSecret(tag: string, data: { label: string, client_random: string, secret: string }){
-    if (Config.OnRPC) {
-        help.$send({
-            type: RPCMsgType.SSL_SECRET,
-            data: {
-                tag: tag,
-                ...data
-            }
-        })
-    } else {
-        const file = help.getLogfile(tag, 'a')
-        file.writeLine(`${data.label} ${data.client_random} ${data.secret}`)
-        file.flush()
-    }
-}
-
-
-
-
-
-
-export class BoringSSL {
-    private mod: ElfModuleX | Module
-    constructor(mod: ElfModuleX | Module) {
-        this.mod = mod
-    }
-
-
-    static loadFromModule(mod: ElfModuleX | Module){
-        return new BoringSSL(mod)
-    }
-
-    scanKeylogFunc(
-        fullScan: boolean = false, 
-        verifier: (p: NativePointer) => NativePointer | null = this.verifyKeylogFunc,
-    ): NativePointer[] {
-        const prog = new ProgressNotify('BoringSSL::scanKeylogFunc')
-        
-        const mod = this.mod
-        const tryGetSegment = (name: string) => {
-            if (mod instanceof ElfModuleX) {
-                return mod.getSegment(name)
-            }
-            return null
-        }
-        const targetString = 'CLIENT_RANDOM'
-        const enc = new TextEncoder()
-        const strBuff = enc.encode(targetString).buffer as ArrayBuffer        
-        const scanPattern = arrayBuffer2Hex(strBuff) + " 00"
-        const targetScanRange = fullScan ? mod : (tryGetSegment('.rodata') || mod)
-
-        prog.notify({
-            intro: `开始扫描特征[${targetString}]`,
-            modx_name: mod.name,
-            modx_base: mod.base,
-            modx_size: mod.size,
-
-            scan_base: (targetScanRange ? targetScanRange : mod).base,
-            scan_size: (targetScanRange ? targetScanRange : mod).size,
-            scan_string: targetString,
-            scan_pattern: scanPattern,
-
-            next: 'help.scanMemory'
-        })
-
-        // 特征string 扫描
-        const stringTargets = help.scanMemory(
-            targetScanRange ? targetScanRange : mod,
-            scanPattern,
-            { limit: 0x10000 }
-        )
-
-        prog.notify({
-            intro: `捕获目标数[${stringTargets.length}]`,
-
-            targets: stringTargets.map(v => v.address),
-        })
-        if (!stringTargets.length) {
-            return []
-        }
-
-        prog.notify({
-            targets: stringTargets.map(v => v.address),
-        })
-
-        const guessBLs = []
-
-        for (const target of stringTargets) {            
-            const adrlScanRange = fullScan ? mod : (tryGetSegment('.text') || mod)
-            prog.notify({                
-                target: target.address,
-                scan_base: adrlScanRange.base,
-                scan_size: adrlScanRange.size,
-                
-                next: 'AdrlXref::scanAdrl'
-            })
-            
-            // adrl 目标引用扫描
-            const xref = new AdrlXref(target.address)
-            const adrlResults = xref.scanAdrl(adrlScanRange)
-
-            prog.notify({
-                intro: `特征[${target.address.sub(mod.base)}]引用关联数[${adrlResults.length}]`,
-
-                results: adrlResults,
-            })
-            
-            for(const adrl of adrlResults) {
-                const bls = []
-                // bl 函数调用（只考虑第一次bl
-                const bl = adrl.scanBL()
-                if(bl) {
-                    guessBLs.push(bl)
-                    bls.push(bl)
-                }
-                prog.notify({
-                    adrl: adrl,
-                    bls: bls,
-                })
-            }
-        }
-
-        const guessFuncs = []
-        for(const target of guessBLs) {
-            const funcPtr = ptr(target.insn.operands[0].value.toString())
-            guessFuncs.push(funcPtr)
-            prog.notify({
-                intro: `从[${target.src.$handle.sub(mod.base)}]猜测目标函数[${funcPtr.sub(mod.base)}]`,
-
-                bl: target,
-                func_ptr: funcPtr,
-            })
-        }
-        
-        // 进一步验证目标函数
-        return guessFuncs.reduce<NativePointer[]>((acc, v) => {
-            const p = verifier(v)
-            if(p) {
-                acc.push(p)
-            }
-            return acc
-        }, [])
-    }
-
-    verifyKeylogFunc(p: NativePointer): NativePointer | null {
-        const subroutine = Subroutine.loadFromPointer(p)
-        // thunk/tail call
-        const verifyResult = subroutine.scoreThunk()
-        if (verifyResult.score > 50 && verifyResult.eoi) {
-            const bInstr = verifyResult.eoi
-            switch (bInstr.mnemonic) {
-                case 'b':
-                    const target = bInstr.operands[0]
-                    return ptr(target.value.toString())
-                case 'br':
-                    // TODO:
-                    break
-            }
-        }
-        return p
-    }
-
-
-}
-
-
-
-class SSLTools extends NativePointerObject {
-    private static _libssl_hook: boolean = false
-
-    static newConsumer(tag: string = 'sslkey.log'): SSLSecretCallbackConsumer {
-        return new SSLSecretCallbackConsumer(tag)
-    }
-
-    static attachLibsslKeylogFunc(tag: string = 'sslkey.log'){
-        if (this._libssl_hook) {
-            return true
-        }
-        const handle = Libssl.SSL_new.$handle
-        if (!handle || handle.isNull()) {
-            return false
-        }
-        this._libssl_hook = true
-        Interceptor.attach(handle,{
-            onEnter(args) {
-                const [ctx] = unwrapArgs(args, 1)
-                this.ssl_ctx = ctx
-            },
-            onLeave(retval){
-                const ctx = this.ssl_ctx
-                Libssl.SSL_CTX_set_keylog_callback(ctx, FuncHelper.SSL_CTX_keylog_callback(
-                    Libssl.SSL_CTX_get_keylog_callback(ctx), 
-                    (impl: NativeFunction<NativePointer, Array<NativePointer>>, ssl: NativePointer, line: NativePointer) => {
-                        const str = line.readCString()
-                        if (str !== null) {
-                            const sep_list = str.split(' ')
-                            if(sep_list.length !== 3) {
-                                printErr(`[attachLogSecret] error to parse secret_log[${str}]`)
-                            }else{
-                                const [label, client_random, secret] = sep_list
-                                sendSSLSecret(tag, { label, client_random, secret })
-                            }
-                        }
-                        if(!impl.isNull()) {
-                            impl(ssl, line)
-                        }
-                    }
-                ))
-            }
-        })
-        return true
-    }
-
-    static attachBoringsslKeylogFunc(options: { mod?: ElfModuleX | Module, libname?: string }){
-        let { mod, libname } = options
-        if(!mod && !libname) {
-            throw new Error(`[attachBoringssl] mod和libname必须要指定一个`)
-        }
-        const prog = new ProgressNotify('SSLTools::attachBoringsslKeylogFunc')
-        if(!mod) {
-            mod = Process.getModuleByName(libname!)
-        }
-        const bor = new BoringSSL(mod)
-        const guessList = bor.scanKeylogFunc()
-        if(guessList.length != 1) {
-            throw new Error(`[attachBoringssl] 扫到的目标不存在或多个[${guessList.length}], 不执行attach。`)
-        }
-        Interceptor.attach(guessList[0], SSLTools.newConsumer('sslkey.log').Handler())
-        prog.log(mod!.name, `ssl_log_secret: ${guessList[0].sub(mod!.base)}`)
-    }
-
-
-}
-
-
-export class SSLSecretCallbackConsumer {
-    private tag: string
-
-    constructor(tag: string) {
-        this.tag = tag
-    }
-
-    Handler(): ScriptInvocationListenerCallbacks {
-        const that = this
-        return {
-            onEnter(args: InvocationArguments): void {
-                const [ssl, label, secret, secret_len] = unwrapArgs(args, 4)
-                const handle = new SSL(ssl)
-                const len = secret_len.toUInt32()
-                const data = handle.secretlog(label.readCString(), secret.readByteArray(len), len)
-                sendSSLSecret(that.tag, data)
-            },
-            onLeave(retval: InvocationReturnValue): void {
-
-            }
-        }
-    }
-
-}
-
-
-export { SSLTools }
-
-
-
-
-
-setGlobalProperties({
-    'SSLTools': SSLTools,
-    'BoringSSL': BoringSSL,
-})