[HOTFIX] RPC hook suggestions + Bug Fix (#2301)

* String compare script improvements * Fix iOS Frida script bugs * Added RPC helpers for hook suggestion (TODO:Expose to UI) * Code QA
MobSF · Dec 7, 2023 · d3b0214 · d3b0214
1 parent b668ee8
commit d3b0214
Show file tree

Hide file tree

Showing 24 changed files with 446 additions and 362 deletions.
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/auxiliary/string_compare.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/auxiliary/string_compare.js
@@ -1,15 +1,37 @@
-//https://github.com/iddoeldor/frida-snippets#reveal-native-methods
 //String comparison
 Java.perform(function () {
     send('[AUXILIARY] [String Compare] capturing all string comparisons')
-    var str = Java.use('java.lang.String'), objectClass = 'java.lang.Object';
-    str.equals.overload(objectClass).implementation = function (obj) {
-        var response = str.equals.overload(objectClass).call(this, obj);
-        if (obj) {
-            if (obj.toString().length > 5) {
-                send('[AUXILIARY] [String Compare] ' + str.toString.call(this) + ' == ' + obj.toString() + ' ? ' + response);
-            }
+    let Exception = Java.use('java.lang.Exception');
+    let javaString = Java.use('java.lang.String')
+    let objectClass = 'java.lang.Object';
+    var skiplist = ['android.app.SystemServiceRegistry.getSystemService']
+    javaString.equals.overload(objectClass).implementation = function (obj) {
+        var response = javaString.equals.overload(objectClass).call(this, obj);
+        if (obj && obj.toString().length > 5) {
+           var stack = [];
+           var calledFrom = Exception.$new().getStackTrace().toString().split(',');
+           // Otherwise capture string comparisons
+           let i = 0;
+           do {
+                i = i + 1;
+                stack.push(calledFrom[i]);
+            } while (i <= 5);
+            var skipClass, skipMethod = false;
+            skiplist.forEach(function (toSkip) {
+                if (calledFrom[4].includes(toSkip))
+                    skipClass = true;
+           });
+           if (!skipClass) {
+                var data = {
+                caller: stack,
+                string1: javaString.toString.call(this),
+                string2: obj.toString(),
+                return: response,
+                }
+                send('[AUXILIARY] [String Compare] ' + JSON.stringify(data, null, 2));
+           }
         }
         return response;
     }
-});
+ });
+
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/dump_clipboard.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/dump_clipboard.js
@@ -1,40 +1,42 @@
 // Based on https://github.com/sensepost/objection/blob/f8e78d8a29574c6dadd2b953a63207b45a19b1cf/objection/hooks/android/clipboard/monitor.js
-var ActivityThread = Java.use('android.app.ActivityThread');
-var ClipboardManager = Java.use('android.content.ClipboardManager');
-var CLIPBOARD_SERVICE = 'clipboard';
-
-var currentApplication = ActivityThread.currentApplication();
-var context = currentApplication.getApplicationContext();
-
-var clipboard_handle = context.getApplicationContext().getSystemService(CLIPBOARD_SERVICE);
-var clipboard = Java.cast(clipboard_handle, ClipboardManager);
-
 // Variable used for the current string data
 var string_data;
 
 function check_clipboard_data() {
 
     Java.perform(function () {
-
-        var primary_clip = clipboard.getPrimaryClip();
-
-        // If we have managed to get the primary clipboard and there are
-        // items stored in it, process an update.
-        if (primary_clip != null && primary_clip.getItemCount() > 0) {
-
-            var data = primary_clip.getItemAt(0).coerceToText(context).toString();
-
-            // If the data is the same, just stop.
-            if (string_data == data) {
-                return;
+        var ActivityThread = Java.use('android.app.ActivityThread');
+        var ClipboardManager = Java.use('android.content.ClipboardManager');
+        var CLIPBOARD_SERVICE = 'clipboard';
+
+        var currentApplication = ActivityThread.currentApplication();
+        var context = currentApplication.getApplicationContext();
+
+        var clipboard_handle = context.getApplicationContext().getSystemService(CLIPBOARD_SERVICE);
+        var clipboard = Java.cast(clipboard_handle, ClipboardManager);
+
+        setInterval(function(){
+
+            var primary_clip = clipboard.getPrimaryClip();
+
+            // If we have managed to get the primary clipboard and there are
+            // items stored in it, process an update.
+            if (primary_clip != null && primary_clip.getItemCount() > 0) {
+
+                var data = primary_clip.getItemAt(0).coerceToText(context).toString();
+
+                // If the data is the same, just stop.
+                if (string_data == data) {
+                    return;
+                }
+
+                // Update the data with the new string and report back.
+                string_data = data;
+                send('mobsf-android-clipboard:' + data);
             }
-
-            // Update the data with the new string and report back.
-            string_data = data;
-            send('mobsf-android-clipboard:' + data);
-        }
+        // Poll every 5 seconds
+        }, 1000 * 5);
     });
 }
 
-// Poll every 5 seconds
-setInterval(check_clipboard_data, 1000 * 5);
+check_clipboard_data();
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/stop-app-terminate.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/stop-app-terminate.js
@@ -132,38 +132,46 @@ Java.perform(function() {
         console.error(e);
     }
 })
-Interceptor.attach(Module.findExportByName(null, "exit"), {
-    onEnter: function(args) {
-        console.warn("Native Exit() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
-    },
-    onLeave: function(retval) {}
-});
-Interceptor.attach(Module.findExportByName(null, "abort"), {
-    onEnter: function(args) {
-        console.warn("Native Abort() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
-    },
-    onLeave: function(retval) {}
-});
-var fork = Module.findExportByName(null, "fork")
-Interceptor.attach(fork, {
-    onEnter: function(args) {},
-    onLeave: function(retval) {
-        var pid = parseInt(retval.toString(16), 16)
-        console.log("Second Process PID : ", pid)
-    }
-})
-Interceptor.attach(Module.findExportByName("libc.so", "system"), {
-    onEnter: function(args) {
-        var cmd = Memory.readCString(args[0]);
-        if (cmd.indexOf("kill") != -1) {
-            console.log("Bypass native system: " + cmd);
-            var NewKill = args[0].writeUtf8String("bypassed");
-            args[0] = ptr(NewKill);
-        }
-    },
-    onLeave: function(retval) {}
-});
-
+try {
+    Interceptor.attach(Module.findExportByName(null, "exit"), {
+        onEnter: function(args) {
+            console.warn("Native Exit() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
+        },
+        onLeave: function(retval) {}
+    });
+} catch (e) {}
+try {
+    Interceptor.attach(Module.findExportByName(null, "abort"), {
+        onEnter: function(args) {
+            console.warn("Native Abort() Called :-->:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n") + "\n");
+        },
+        onLeave: function(retval) {}
+    });
+} catch (e) {}
+try {
+    var fork = Module.findExportByName(null, "fork")
+    Interceptor.attach(fork, {
+        onEnter: function(args) {},
+        onLeave: function(retval) {
+            var pid = parseInt(retval.toString(16), 16)
+            console.log("Second Process PID : ", pid)
+        }
+    })
+} catch (e) {}
+try {
+    Interceptor.attach(Module.findExportByName("libc.so", "system"), {
+        onEnter: function(args) {
+            var cmd = Memory.readCString(args[0]);
+            if (cmd.indexOf("kill") != -1) {
+                console.log("Bypass native system: " + cmd);
+                var NewKill = args[0].writeUtf8String("bypassed");
+                args[0] = ptr(NewKill);
+            }
+        },
+        onLeave: function(retval) {}
+    });
+} catch (e) {}
+try {
     var abortPtr = Module.getExportByName('libc.so', 'abort');
     var abort = new NativeFunction(abortPtr, 'int', ['int']);
     var exitPtr = Module.getExportByName('libc.so', 'exit');
@@ -200,4 +208,4 @@ Interceptor.attach(Module.findExportByName("libc.so", "system"), {
         console.log('Shutdown Replaced');
         return 0;
     }, 'int', ['int', 'int']));
-
+} catch (e) {}