Frida Scripts QA, Frida Session Injection QA

mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/root_bypass.js

@@ -130,12 +130,12 @@ Java.performNow(function () {
             }
         }
         if (shouldModifyCommand) {
-            send("[RootDetection Bypass] ProcessBuilder " + cmd);
+            send("[RootDetection Bypass] ProcessBuilder " + JSON.stringify(cmd));
             this.command.call(this, ["grep"]);
             return this.start.call(this);
         }
         if (cmd.indexOf("su") != -1) {
-            send("[RootDetection Bypass] ProcessBuilder " + cmd);
+            send("[RootDetection Bypass] ProcessBuilder " + JSON.stringify(cmd));
             this.command.call(this, ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]);
             return this.start.call(this);
         }

mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/app-environment.js

@@ -0,0 +1,18 @@
+// Based on https://github.com/sensepost/objection/blob/f8e78d8a29574c6dadd2b953a63207b45a19b1cf/objection/hooks/android/filesystem/environment.js
+var ActivityThread = Java.use('android.app.ActivityThread');
+
+var currentApplication = ActivityThread.currentApplication();
+var context = currentApplication.getApplicationContext();
+
+var data = {
+
+    filesDirectory: context.getFilesDir().getAbsolutePath().toString(),
+    cacheDirectory: context.getCacheDir().getAbsolutePath().toString(),
+    externalCacheDirectory: context.getExternalCacheDir().getAbsolutePath().toString(),
+    codeCacheDirectory: 'getCodeCacheDir' in context ? context.getCodeCacheDir().getAbsolutePath().toString() : 'n/a',
+    obbDir: context.getObbDir().getAbsolutePath().toString(),
+    packageCodePath: context.getPackageCodePath().toString()
+};
+
+
+send(JSON.stringify(data, null, 2));

mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/crypto-dump-keystore.js

@@ -0,0 +1,42 @@
+// https://github.com/sensepost/objection/blob/f8e78d8a29574c6dadd2b953a63207b45a19b1cf/objection/hooks/android/keystore/list.js
+// Dump entries in the Android Keystore, together with a flag
+// indicating if its a key or a certificate.
+//
+// Ref: https://developer.android.com/reference/java/security/KeyStore.html
+
+var KeyStore = Java.use('java.security.KeyStore');
+var entries = [];
+
+// Prepare the AndroidKeyStore keystore provider and load it. 
+// Maybe at a later stage we should support adding other stores
+// like from file or JKS.
+var ks = KeyStore.getInstance('AndroidKeyStore');
+ks.load(null, null);
+
+// Get the aliases and loop through them. The aliases() method
+// return an Enumeration<String> type.
+var aliases = ks.aliases();
+
+while (aliases.hasMoreElements()) {
+
+    var alias = aliases.nextElement();
+
+    entries.push({
+        'alias': alias.toString(),
+        'is_key': ks.isKeyEntry(alias),
+        'is_certificate': ks.isCertificateEntry(alias)
+    })
+}
+
+
+send(JSON.stringify(entries, null, 2));
+
+// - Sample Java
+//
+// KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
+// ks.load(null);
+// Enumeration<String> aliases = ks.aliases();
+//
+// while(aliases.hasMoreElements()) {
+//     Log.e("E", "Aliases = " + aliases.nextElement());
+// }

mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/device-environment.js

@@ -0,0 +1,20 @@
+var Build = Java.use('android.os.Build');
+
+var ActivityThread = Java.use('android.app.ActivityThread');
+
+var currentApplication = ActivityThread.currentApplication();
+var context = currentApplication.getApplicationContext();
+
+var data = {
+    application_name: context.getPackageName(),
+    model: Build.MODEL.value.toString(),
+    board: Build.BOARD.value.toString(),
+    brand: Build.BRAND.value.toString(),
+    device: Build.DEVICE.value.toString(),
+    host: Build.HOST.value.toString(),
+    id: Build.ID.value.toString(),
+    product: Build.PRODUCT.value.toString(),
+    user: Build.USER.value.toString(),
+    version: Java.androidVersion
+}
+send(JSON.stringify(data, null, 2));

mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/dump-clipboard.js

@@ -0,0 +1,41 @@
+// Based on https://github.com/sensepost/objection/blob/f8e78d8a29574c6dadd2b953a63207b45a19b1cf/objection/hooks/android/clipboard/monitor.js
+var ActivityThread = Java.use('android.app.ActivityThread');
+var ClipboardManager = Java.use('android.content.ClipboardManager');
+var CLIPBOARD_SERVICE = 'clipboard';
+
+var currentApplication = ActivityThread.currentApplication();
+var context = currentApplication.getApplicationContext();
+
+var clipboard_handle = context.getApplicationContext().getSystemService(CLIPBOARD_SERVICE);
+var clipboard = Java.cast(clipboard_handle, ClipboardManager);
+
+// Variable used for the current string data
+var string_data;
+
+function check_clipboard_data() {
+
+    Java.perform(function () {
+
+        var primary_clip = clipboard.getPrimaryClip();
+
+        // If we have managed to get the primary clipboard and there are
+        // items stored in it, process an update.
+        if (primary_clip != null && primary_clip.getItemCount() > 0) {
+
+            var data = primary_clip.getItemAt(0).coerceToText(context).toString();
+
+            // If the data is the same, just stop.
+            if (string_data == data) {
+                return;
+            }
+
+            // Update the data with the new string and report back.
+            string_data = data;
+            send(JSON.stringify(data, null, 2));
+
+        }
+    });
+}
+
+// Poll every 5 seconds
+setInterval(check_clipboard_data, 1000 * 5);

mobsf/templates/dynamic_analysis/android/dynamic_analyzer.html

@@ -1251,6 +1251,7 @@ <h4 class="modal-title">Run TLS/SSL Security Tests - {{ package }}</h4>
 
 // Frida Session
 $("#frida_session").click(function() {
+  $( "input[name='default_hooks']:checkbox" ).prop( "checked", false );
   frida_instrument('session');
   return false;  
 }); 

mobsf/templates/dynamic_analysis/ios/dynamic_analyzer.html

@@ -1110,6 +1110,8 @@ <h5 class="modal-title" id="exampleModalLabel">Attach to a Running Process</h5>
 
 // Frida Session
 $("#frida_session").click(function() {
+  $( "input[name='default_hooks']:checkbox" ).prop( "checked", false );
+  $( "input[name='dump_hooks']:checkbox" ).prop( "checked", false );
   start_network_capture();
   frida_instrument('session');
   enableReportBtn(2);