@zsa233/frida-analykit-agent 2.0.0

package/src/jni/struct.ts

@@ -0,0 +1,217 @@
+
+
+export enum IndirectRefKind {
+    kHandleScopeOrInvalid = 0,  // <<stack indirect reference table or invalid reference>>
+    kLocal = 1,                 // <<local reference>>
+    kGlobal = 2,                // <<global reference>>
+    kWeakGlobal = 3,            // <<weak global reference>>
+    kLastKind = kWeakGlobal
+}
+
+
+export enum JNI_VT {
+    FindClass = 6,
+    FromReflectedMethod = 7,
+    ToReflectedMethod = 9,
+    GetSuperclass = 10,
+    Throw = 13,
+    ThrowNew = 14,
+    ExceptionOccurred = 15,
+    ExceptionDescribe = 16,
+    ExceptionClear = 17,
+    FatalError = 18,
+
+    PushLocalFrame = 19,
+    PopLocalFrame = 20,
+
+    NewGlobalRef = 21,
+    DeleteGlobalRef = 22,
+    DeleteLocalRef = 23,
+    NewLocalRef = 23,
+    IsSameObject = 24,
+    NewObject = 28,
+    NewObjectV = 29,
+    NewObjectA = 30,
+    GetObjectClass = 31,
+    GetMethodID = 33,
+
+    CallObjectMethod = 34,
+    CallObjectMethodV = 35,
+    CallObjectMethodA = 36,
+
+    CallBooleanMethod = 37,
+    CallBooleanMethodV = 38,
+    CallBooleanMethodA = 39,
+
+    CallByteMethod = 40,
+    CallByteMethodV = 41,
+    CallByteMethodA = 42,
+
+    CallCharMethod = 43,
+    CallCharMethodV = 44,
+    CallCharMethodA = 45,
+
+    CallShortMethod = 46,
+    CallShortMethodV = 47,
+    CallShortMethodA = 48,
+
+    CallIntMethod = 49,
+    CallIntMethodV = 50,
+    CallIntMethodA = 51,
+
+    CallLongMethod = 52,
+    CallLongMethodV = 53,
+    CallLongMethodA = 54,
+
+    CallFloatMethod = 55,
+    CallFloatMethodV = 56,
+    CallFloatMethodA = 57,
+
+    CallDoubleMethod = 58,
+    CallDoubleMethodV = 59,
+    CallDoubleMethodA = 60,
+
+    CallVoidMethod = 61,
+    CallVoidMethodV = 62,
+    CallVoidMethodA = 63,
+
+    CallNonvirtualObjectMethod = 64,
+    CallNonvirtualObjectMethodV = 65,
+    CallNonvirtualObjectMethodA = 66,
+
+    CallNonvirtualBooleanMethod = 67,
+    CallNonvirtualBooleanMethodV = 68,
+    CallNonvirtualBooleanMethodA = 69,
+
+    CallNonvirtualByteMethod = 70,
+    CallNonvirtualByteMethodV = 71,
+    CallNonvirtualByteMethodA = 72,
+
+    CallNonvirtualCharMethod = 73,
+    CallNonvirtualCharMethodV = 74,
+    CallNonvirtualCharMethodA = 75,
+
+    CallNonvirtualShortMethod = 76,
+    CallNonvirtualShortMethodV = 77,
+    CallNonvirtualShortMethodA = 78,
+
+    CallNonvirtualIntMethod = 79,
+    CallNonvirtualIntMethodV = 80,
+    CallNonvirtualIntMethodA = 81,
+
+    CallNonvirtualLongMethod = 82,
+    CallNonvirtualLongMethodV = 83,
+    CallNonvirtualLongMethodA = 84,
+
+    CallNonvirtualFloatMethod = 85,
+    CallNonvirtualFloatMethodV = 86,
+    CallNonvirtualFloatMethodA = 87,
+
+    CallNonvirtualDoubleMethod = 88,
+    CallNonvirtualDoubleMethodV = 89,
+    CallNonvirtualDoubleMethodA = 90,
+
+    CallNonvirtualVoidMethod = 91,
+    CallNonvirtualVoidMethodV = 92,
+    CallNonvirtualVoidMethodA = 93,
+    
+    GetFieldID = 94,
+    GetObjectField = 95,
+    GetBooleanField = 96,
+    GetByteField = 97,
+    GetCharField = 98,
+    GetShortField = 99,
+    GetIntField = 100,
+    GetLongField = 101,
+    GetFloatField = 102,
+    GetDoubleField = 103,
+
+    GetStaticMethodID = 113,
+    
+    CallStaticObjectMethod = 114,
+    CallStaticObjectMethodV = 115,
+    CallStaticObjectMethodA = 116,
+
+    CallStaticBooleanMethod = 117,
+    CallStaticBooleanMethodV = 118,
+    CallStaticBooleanMethodA = 119,
+
+    CallStaticByteMethod = 120,
+    CallStaticByteMethodV = 121,
+    CallStaticByteMethodA = 122,
+
+    CallStaticCharMethod = 123,
+    CallStaticCharMethodV = 124,
+    CallStaticCharMethodA = 125,
+
+    CallStaticShortMethod = 126,
+    CallStaticShortMethodV = 127,
+    CallStaticShortMethodA = 128,
+
+    CallStaticIntMethod = 129,
+    CallStaticIntMethodV = 130,
+    CallStaticIntMethodA = 131,
+
+    CallStaticLongMethod = 132,
+    CallStaticLongMethodV = 133,
+    CallStaticLongMethodA = 134,
+
+    CallStaticFloatMethod = 135,
+    CallStaticFloatMethodV = 136,
+    CallStaticFloatMethodA = 137,
+
+    CallStaticDoubleMethod = 138,
+    CallStaticDoubleMethodV = 139,
+    CallStaticDoubleMethodA = 140,
+
+    CallStaticVoidMethod = 141,
+    CallStaticVoidMethodV = 142,
+    CallStaticVoidMethodA = 143,
+
+    GetStaticFieldID = 144,
+    GetStaticObjectField = 145,
+    GetStaticBooleanField = 146,
+    GetStaticByteField = 147,
+    GetStaticCharField = 148,
+    GetStaticShortField = 149,
+    GetStaticIntField = 150,
+    GetStaticLongField = 151,
+    GetStaticFloatField = 152,
+    GetStaticDoubleField = 153,
+
+    GetStringLength = 164,
+    GetStringChars = 165,
+    ReleaseStringChars = 166,
+
+    GetStringUTFLength = 168,
+    GetStringUTFChars = 169,
+    ReleaseStringUTFChars = 170,
+
+    GetArrayLength = 171,
+    GetObjectArrayElement = 173,
+
+    GetBooleanArrayElements = 183,
+    GetByteArrayElements = 184,
+    GetCharArrayElements = 185,
+    GetShortArrayElements = 186,
+    GetIntArrayElements = 187,
+    GetLongArrayElements = 188,
+    GetFloatArrayElements = 189,
+    GetDoubleArrayElements = 190,
+
+    ReleaseBooleanArrayElements = 191,
+    ReleaseByteArrayElements = 192,
+    ReleaseCharArrayElements = 193,
+    ReleaseShortArrayElements = 194,
+    ReleaseIntArrayElements = 195,
+    ReleaseLongArrayElements = 196,
+    ReleaseFloatArrayElements = 197,
+    ReleaseDoubleArrayElements = 198,
+
+    RegisterNatives = 215,
+    UnregisterNatives = 216,
+
+    GetStringCritical = 224,
+    DeleteWeakGlobalRef = 227,
+    ExceptionCheck = 228,
+}

package/src/lib/libc.ts

@@ -0,0 +1,161 @@
+import { mustType } from "../utils/utils.js"
+import { nativeFunctionOptions } from "../consts.js"
+
+
+const PROP_VALUE_MAX = 92
+
+
+export class Libc {
+    constructor() {
+        return new Proxy(this, {
+            get(target: any, prop: string) {
+                if (prop in target) {
+                    return target[prop];
+                }
+                if (prop[0] !== '$') {
+                    return target['$' + prop]
+                } else {
+                    return target[prop.substring(1)]
+                }
+            }
+        })
+    }
+
+    static readonly $libc = Process.findModuleByName('libc.so') || Module.load('libc.so')
+
+
+    $lazyLoadFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
+        symName: string, retType: RetType, argTypes: ArgTypes,
+    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
+        let func: any = null
+        const wrapper = ((...args: any) => {
+            if (func === null) {
+                func = this.$nativeFunc(symName, retType, argTypes)
+            }
+            const ret = func(...args)
+            return ret
+        }) as any
+
+        Object.defineProperty(wrapper, '$handle', {
+            get() {
+                if (func === null) {
+                    func = this.$nativeFunc(symName, retType, argTypes)
+                }
+                return func.$handle
+            },
+            enumerable: true,
+        })
+
+        return wrapper
+    }
+
+
+
+    $nativeFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
+        symName: string, retType: RetType, argTypes: ArgTypes,
+    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
+        const handle = mustType(Libc.$libc.findExportByName(symName))
+        const fn: any = new NativeFunction(
+            handle,
+            retType, argTypes, nativeFunctionOptions,
+        )
+        fn.$handle = handle 
+        return fn
+    }
+
+    // ssize_t readlink(const char *pathname, char *buf, size_t bufsiz);
+    readonly $readlink = this.$lazyLoadFunc('readlink', 'int', ['pointer', 'pointer', 'size_t'])
+    readlink(pathname: string, bufsize: number = 256): string | null {
+        const cfdPath = Memory.allocUtf8String(pathname)
+        const resolvedPath = Memory.alloc(bufsize)
+        const result = this.$readlink(cfdPath, resolvedPath, bufsize)
+        let link: string | null = null
+        if (result !== -1) {
+            link = resolvedPath.readCString()
+        }
+        return link
+    }
+
+    // DIR *opendir(const char *name);
+    readonly $opendir = this.$lazyLoadFunc('opendir', 'pointer', ['pointer'])
+    opendir(path: string) {
+        const cpath = Memory.allocUtf8String(path)
+        const dir = this.$opendir(cpath)
+        return dir
+    }
+
+    // FILE *fopen(const char *pathname, const char *mode);
+    readonly $fopen = this.$lazyLoadFunc('fopen', 'pointer', ['pointer', 'pointer'])
+    fopen(pathname: string, mode: string): NativePointer {
+        return this.$fopen(Memory.allocUtf8String(pathname), Memory.allocUtf8String(mode))
+    }
+
+    // int fclose(FILE *stream);
+    readonly fclose = this.$lazyLoadFunc('fclose', 'int', ['pointer'])
+
+    // int fputs(const char *str, FILE *stream);
+    readonly $fputs = this.$lazyLoadFunc('fputs', 'int', ['pointer', 'pointer'])
+    fputs(str: string, file: NativePointer) {
+        return this.$fputs(Memory.allocUtf8String(str), file)
+    }
+
+    // int fflush(FILE *stream);
+    readonly fflush = this.$lazyLoadFunc('fflush', 'int', ['pointer'])
+
+    // struct dirent *readdir(DIR *dirp);
+    readonly readdir = this.$lazyLoadFunc('readdir', 'pointer', ['pointer'])
+
+    // int closedir(DIR *dirp);
+    readonly closedir = this.$lazyLoadFunc('closedir', 'int', ['pointer'])
+
+    // int fileno(FILE *stream);
+    readonly fileno = this.$lazyLoadFunc('fileno', 'int', ['pointer'])
+
+    // pthread_t pthread_self(void);
+    readonly pthread_self = this.$lazyLoadFunc('pthread_self', 'int64', [])
+
+
+    // pid_t getpid(void);
+    readonly getpid = this.$lazyLoadFunc('getpid', 'uint', [])
+
+    // uid_t getuid(void);
+    readonly getuid = this.$lazyLoadFunc('getuid', 'uint', [])
+
+    // pid_t gettid(void);
+    readonly gettid = this.$lazyLoadFunc('gettid', 'uint', [])
+
+    // int clock_gettime(clockid_t clk_id, struct timespec *tp);
+    readonly $clock_gettime = this.$lazyLoadFunc('clock_gettime', 'int', ['int', 'pointer'])
+    clock_gettime(clk_id: number): {tv_sec: number, tv_nsec: number } | null {
+        const ps = Process.pointerSize
+        const tv = Memory.alloc(ps * 2)
+        const ret = this.$clock_gettime(clk_id, tv)
+        if(ret != 0) {
+            return null
+        }
+        return {
+            tv_sec: Number(tv[ps === 8 ? 'readU64' : 'readU32']()), 
+            tv_nsec: Number(tv.add(ps)[ps === 8 ? 'readU64' : 'readU32']()), 
+        }
+    }
+
+    // int __system_property_get(const char *name, char *value);
+    readonly $__system_property_get = this.$lazyLoadFunc('__system_property_get', 'int', ['pointer', 'pointer'])
+    __system_property_get(name: string): string {
+        const sdk_version_value = Memory.alloc(PROP_VALUE_MAX)
+        const ret = this.$__system_property_get(Memory.allocUtf8String(name), sdk_version_value)
+        if(ret < 0) {
+            console.error(`[__system_property_get] name[${name}] error[${ret}]`)
+        }
+        return sdk_version_value.readCString(ret) || ''
+    }
+
+    // char *getcwd(char *buf, size_t size);
+    readonly $getcwd = this.$lazyLoadFunc('getcwd', 'pointer', ['pointer', 'size_t'])
+    getcwd(): string | null {
+        const buff_size = 256
+        const buff = Memory.alloc(buff_size)
+        return this.$getcwd(buff, buff_size).readCString()
+    }
+
+}

package/src/lib/libssl.ts

@@ -0,0 +1,95 @@
+
+import { ElfModuleX, ElfFileFixer } from "../elf/module.js"
+import { nativeFunctionOptions } from "../consts.js"
+
+
+export class Libssl {
+    static $modx?: ElfModuleX
+
+    static $getModule(): ElfModuleX {
+        if (!this.$modx) {
+            let isNewLoad = false
+            const libsslModule = Process.findModuleByName('libssl.so') || (isNewLoad = true, Module.load('libssl.so'))
+            if (isNewLoad) {
+                console.error(`[libssl.so]为新加载module.`)
+            }
+            this.$modx = new ElfModuleX(
+                libsslModule,
+                [new ElfFileFixer(libsslModule.path)],
+                { symbolScanLimit: 50000 },
+            )
+        }
+        return this.$modx
+    }
+
+
+    static $nativeFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
+        symName: string, retType: RetType, argTypes: ArgTypes,
+    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
+        const sym = this.$getModule().findSymbol(symName)
+        if (!sym || !sym.implPtr) {
+            // throw error if call
+            const throwFunc = function () {
+                throw new Error(`[Libssl] symbol[${symName}] Not Found!`)
+            } as any
+            throwFunc.$handle = null
+            return throwFunc
+        }
+
+        const handle = sym.implPtr
+
+        const fn: any = new NativeFunction(
+            handle,
+            retType, argTypes, nativeFunctionOptions,
+        )
+        fn.$handle = handle
+        return fn
+    }
+
+    static $lazyLoadFunc<RetType extends NativeFunctionReturnType, ArgTypes extends NativeFunctionArgumentType[] | []>(
+        symName: string, retType: RetType, argTypes: ArgTypes,
+    ): NativeFunction<GetNativeFunctionReturnValue<RetType>, ResolveVariadic<Extract<GetNativeFunctionArgumentValue<ArgTypes>, unknown[]>>> & { $handle: NativePointer | undefined } {
+        let func: any = null
+        const getFunc = () => {
+            if (func === null) { func = this.$nativeFunc(symName, retType, argTypes) }
+            return func
+        }
+
+        const wrapper = ((...args: any) => {
+            return getFunc()(...args)
+        }) as any
+
+        Object.defineProperty(wrapper, '$handle', {
+            get() { return getFunc().$handle },
+        })
+        return wrapper
+    }
+
+
+
+    // // int bssl::ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, size_t secret_len)
+    // static readonly ssl_log_secret = this.$lazyLoadFunc(
+    //     '_ZN4bssl14ssl_log_secretEPK6ssl_stPKcPKhm', 'bool', ['pointer', 'pointer', 'pointer', 'size_t']
+    // )
+
+    // void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, void(*cb)(const SSL *ssl, const char *line))
+    static readonly SSL_CTX_set_keylog_callback = this.$lazyLoadFunc(
+        'SSL_CTX_set_keylog_callback', 'void', ['pointer', 'pointer']
+    )
+
+    // void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl, const char *line)
+    static readonly SSL_CTX_get_keylog_callback = this.$lazyLoadFunc(
+        'SSL_CTX_get_keylog_callback', 'pointer', ['pointer']
+    )
+
+    // int SSL_connect(SSL *ssl)
+    static readonly SSL_connect = this.$lazyLoadFunc(
+        'SSL_connect', 'int', ['pointer']
+    )
+    
+    // SSL *SSL_new(SSL_CTX *ctx)
+    static readonly SSL_new = this.$lazyLoadFunc(
+        'SSL_new', 'pointer', ['pointer']
+    )
+
+}

package/src/message.ts

@@ -0,0 +1,26 @@
+
+
+
+
+export enum RPCMsgType {
+    BATCH = 'BATCH',
+    SCOPE_CALL = 'SCOPE_CALL',
+    SCOPE_EVAL = 'SCOPE_EVAL',
+    SCOPE_GET = 'SCOPE_GET',
+    ENUMERATE_OBJ_PROPS = 'ENUMERATE_OBJ_PROPS',
+    INIT_CONFIG = 'INIT_CONFIG',
+    SAVE_FILE = 'SAVE_FILE',
+    SSL_SECRET = 'SSL_SECRET',
+    PROGRESSING = 'PROGRESSING',
+}
+
+
+export enum batchSendSource {
+}
+
+
+export enum saveFileSource {
+    procMaps = 'procMaps',
+    textFile = 'textFile',
+    elfModule = 'elfModule',
+}