软件逆向-这是一个 Frida V(伪)EH 示例(更新 x64 执行异常代码)
推荐 原创好久没有发技术贴了,看到好多,大大们都喜欢 VEH,小弟不才,一直学了好久的 frida,没学废。最近闲着蛋疼没事就研究了一下 frida 怎么 VEH。现在分享出来,抛转引玉器!
好了废话不多说,因为太简单了,没什么话可以说,直接上代码。
Talk is cheap. Show you My code.
顺便说一句,丢掉调试器,丢掉各种Loader各种Patcher吧,一个 frida 的 js 脚本就能干翻一切。
大佬们可以自己实现下 x64 下的代码(尝试下试硬件断点的方式,尝试下 VMP,TEP,WL,SE各种壳的替换机器码)
2023.1.14 更正个概念问题,免得误导大家(学院派),我原来看到Process.setExceptionHandler这个接口函数名,认为是基于进程的VEH,有大佬说 frida 的底层实现应该还是属于 SEH 的。VEH 的 V 代表向量意思(向量化异常vectored exception handle),通常VEH是以双向链表的形式保存在堆里面。修改下 frida 源码让他变真的 V 也不是不可能。另外,本来想研究下硬件执行断点的,发现接口也没有提供 DRx 寄存器,所以就只能更新个 x64 的执行异常了(内存的,非硬件执行断点异常),仅供交流娱乐,高手勿喷(标题也文字游戏处理了一下,姑且叫做伪VEH 吧,效果至少像 VEH)。
python3 安装 frida
然后把这个 js 放 exe 同级目录,在目录下 cmd 或者 PS运行下面命令就行
frida -f 010Editor.exe -l ./frida-veh-010-bs.js
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
/
/
"use strict"
console.log(
"\n"
);
console.warn(
"Frida.version = "
+
Frida.version);
console.log(
"Frida.heapSize = "
+
Frida.heapSize);
console.warn(
"Process.arch = "
+
Process.arch);
console.warn(
"Process.platform = "
+
Process.platform);
console.log(
"Process.pointerSize = "
+
Process.pointerSize);
console.log(
"\n"
);
console.error(
" 这是一个 Frida VEH 010 Editor 的牛逼示例"
)
console.error(
" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple "
);
console.error(
" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause "
);
/
/
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"x64"
) {
console.warn(
"\n"
,
"Coming soon :) "
,
"\n"
);
}
else
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"ia32"
) {
/
/
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x31f7fa
);
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr, { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
VEH
Process.setExceptionHandler(function (details) {
console.log(
"\n"
,
"setExceptionHandler ==> address: "
, details.address);
console.error(JSON.stringify(details));
console.warn(
"RVA: "
, details.address.sub(editor.base));
/
/
console.log(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
/
/
restore
/
/
Memory.writeU8(sub_patchaddr,
0x55
);
Memory.writeU8(sub_patchaddr, cc_origin);
console.warn(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
console.log(
"eip: "
, details.context.eip);
console.log(
"pc: "
, details.context.pc);
console.log(
"eax: "
, details.context.eax);
/
/
details.context.eax
=
0xDB
;
details.context.eip
=
ptr(details.context.eip).add(
0x7
);
console.warn(
"eax: "
, details.context.eax);
console.warn(
"eip: "
, details.context.eip);
console.warn(
"pc: "
, details.context.pc);
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
return
true;
});
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
}
else
{
console.warn(
"\n"
,
"This platform and architecture are not supported :( "
,
"\n"
);
}
|
更新 x64 执行异常代码
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
/
/
"use strict"
console.log(
"\n"
);
console.warn(
"Frida.version = "
+
Frida.version);
console.log(
"Frida.heapSize = "
+
Frida.heapSize);
console.warn(
"Process.arch = "
+
Process.arch);
console.warn(
"Process.platform = "
+
Process.platform);
console.log(
"Process.pointerSize = "
+
Process.pointerSize);
console.log(
"\n"
);
console.error(
" 这是一个 Frida VEH 010 Editor 的牛逼示例"
)
console.error(
" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple "
);
console.error(
" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause "
);
/
/
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"x64"
) {
/
/
console.warn(
"\n"
,
"Coming soon :) "
,
"\n"
);
/
/
v13.
0.1
x64
/
/
.text:
00007FF6E91CEFA0
010editor
.exe:$
36EFA0
#36E3A0
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x36efae
);
/
/
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr.sub(
0xE
), { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
console.warn(
"Process.id = "
, Process.
id
);
console.warn(
"Process.isDebuggerAttached() = "
, Process.isDebuggerAttached());
console.warn(
"Process.getCurrentThreadId() = "
, Process.getCurrentThreadId());
let threads
=
Process.enumerateThreads();
for
(let value
in
threads) {
console.log(JSON.stringify(threads[value]));
}
/
/
VEH
Process.setExceptionHandler(details
=
> {
console.error(JSON.stringify(details));
/
/
Memory.protect(details.memory.address, Process.pointerSize,
'rwx'
);
console.warn(JSON.stringify(details.memory));
/
/
Memory.writeU32(details.context.rcx.add(
0x30
),
1008
);
Memory.writeU32(details.context.rcx.add(
0x3C
),
1
);
Memory.writeU32(details.context.rcx.add(
0x44
),
47419
);
details.context.rax
=
0xDB
;
details.context.rip
=
ptr(details.context.rip).add(
0x7
);
console.warn(
"rax: "
, details.context.rax);
console.warn(
"rip: "
, details.context.rip);
console.warn(
"pc: "
, details.context.pc);
return
true;
/
/
goto PC
});
/
/
patchaddr
/
/
fetch decode execute
Interceptor.attach(sub_patchaddr.sub(
0x0
), {
onEnter(args) {
console.log(
"\n"
,
'onEnter'
, JSON.stringify({
_rip: this.context.rip,
_pc: this.context.pc,
_pointerSize: Process.pointerSize,
mprotect_ret: Memory.protect(this.context.rip,
1
,
'rw-'
),
errno: this.errno,
_lr: this.returnAddress
}, null,
2
));
console.log(
"设置任意地址,执行异常 OJBK"
);
}
});
}
else
if
(Process.platform
=
=
"windows"
&& Process.arch
=
=
"ia32"
) {
/
/
var editor
=
Process.findModuleByName(
"010Editor.exe"
);
console.log(
"010 editor base: "
, editor.base, typeof (editor.base));
var sub_patchaddr
=
editor.base.add(
0x31f7fa
);
console.log(
"010 editor VA: "
, sub_patchaddr, typeof (sub_patchaddr));
var buf
=
Memory.readByteArray(sub_patchaddr,
16
);
const cc_origin
=
Memory.readU8(sub_patchaddr);
console.log(
"cc_origin: "
, cc_origin, typeof (cc_origin));
console.log(hexdump(sub_patchaddr, { offset:
0
, length:
32
, header: true, ansi: true }));
/
/
VEH
Process.setExceptionHandler(function (details) {
console.log(
"\n"
,
"setExceptionHandler ==> address: "
, details.address);
console.error(JSON.stringify(details));
console.warn(
"RVA: "
, details.address.sub(editor.base));
/
/
console.log(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
/
/
restore
/
/
Memory.writeU8(sub_patchaddr,
0x55
);
Memory.writeU8(sub_patchaddr, cc_origin);
console.warn(
"eip[0]: "
+
ptr(Memory.readU8(details.context.eip)));
console.log(
"eip: "
, details.context.eip);
console.log(
"pc: "
, details.context.pc);
console.log(
"eax: "
, details.context.eax);
/
/
details.context.eax
=
0xDB
;
details.context.eip
=
ptr(details.context.eip).add(
0x7
);
console.warn(
"eax: "
, details.context.eax);
console.warn(
"eip: "
, details.context.eip);
console.warn(
"pc: "
, details.context.pc);
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
return
true;
});
/
/
int3
0xCC
Memory.protect(sub_patchaddr,
1
,
'rwx'
);
Memory.writeU8(sub_patchaddr,
0xcc
);
}
else
{
console.warn(
"\n"
,
"This platform and architecture are not supported :( "
,
"\n"
);
}
|
更多【这是一个 Frida V(伪)EH 示例(更新 x64 执行异常代码)】相关视频教程:www.yxfzedu.com
相关文章推荐
- Android安全- 安卓协议逆向 cxdx 分析与实现 - Android安全 CTF对抗 IOS安全
- Android安全-HoneyBadger系列二 Android App全量监控也来了 - Android安全 CTF对抗 IOS安全
- Android安全-HoneyBadger系列一 开篇,虚拟机调试器来了 - Android安全 CTF对抗 IOS安全
- 编程技术-为无源码的DLL增加接口功能 - Android安全 CTF对抗 IOS安全
- CTF对抗-Realworld CTF 2023 ChatUWU 详解 - Android安全 CTF对抗 IOS安全
- Android安全-frida源码编译详解 - Android安全 CTF对抗 IOS安全
- 软件逆向- PE格式:新建节并插入代码 - Android安全 CTF对抗 IOS安全
- 加壳脱壳- UPX源码学习和简单修改 - Android安全 CTF对抗 IOS安全
- 二进制漏洞-win越界写漏洞分析 CVE-2020-1054 - Android安全 CTF对抗 IOS安全
- Pwn-2022长城杯决赛pwn - Android安全 CTF对抗 IOS安全
- 软件逆向-Wibu Codemeter 7.3学习笔记——Codemeter服务端 - Android安全 CTF对抗 IOS安全
- Pwn-沙箱逃逸之google ctf 2019 Monochromatic writeup - Android安全 CTF对抗 IOS安全
- 软件逆向-Wibu Codemeter 7.3学习笔记——AxProtector壳初探 - Android安全 CTF对抗 IOS安全
- 企业安全-学习Kubernetes笔记——暴露站点服务(Ingress) - Android安全 CTF对抗 IOS安全
- 企业安全-学习Kubernetes笔记——部署数据库站点(MySql) - Android安全 CTF对抗 IOS安全
- 企业安全-学习Kubernetes笔记——部署web站点环境(PHP+Nginx) - Android安全 CTF对抗 IOS安全
- 企业安全-学习Kubernetes笔记——安装NFS驱动 - Android安全 CTF对抗 IOS安全
- 企业安全-学习Kubernetes笔记——kubeadm安装Kubernetes - Android安全 CTF对抗 IOS安全
- 软件逆向-wibu软授权(四) - Android安全 CTF对抗 IOS安全
- 软件逆向-使用IDAPython开发复制RVA的插件 - Android安全 CTF对抗 IOS安全
记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
