从frida脚本运行cp命令
从frida脚本运行cp命令
提问于 2022-06-11 05:21:03
我正在运行一个Frida脚本注入应用程序,例如。
frida -U -f com.myapp.example -l myscript.js --no-pause我如何执行控制台命令例如。从Frida启动cp?我的脚本myscript.js应该是:
var createPtr = Module.findExportByName(null, 'create');
Interceptor.replace(createPtr, new NativeCallback( function (a){
//execute cp command here eg. cp a "/out/path"
return 1;
}, 'int', ['pointer']));回答 1
Stack Overflow用户
发布于 2022-06-20 20:54:59
您可以使用下面的示例包装libc函数以读取和写入文件,该示例通过tid获取线程的名称。
const fopen = new NativeFunction(Module.findExportByName('libc.so', 'fopen'), 'pointer', ['pointer', 'pointer']);
const fclose = new NativeFunction(Module.findExportByName('libc.so', 'fclose'), 'int', ['pointer']);
const getc = new NativeFunction(Module.findExportByName('libc.so', 'getc'), 'int', ['pointer']);
function getThreadName(tId) {
var name = new Array(20);
var f = fopen(Memory.allocUtf8String('/proc/self/task/' + tId + '/comm'), MODE_READ);
var c, i = 0;
while (i < name.length) {
var c = getc(f);
name[i++] = String.fromCharCode(c != -1 && c != 10 ? c : 32);
}
fclose(f);
name = name.join('')
return name;
}但是,您应该用python包装代码。
import frida
from frida_tools.application import Reactor
import threading
import click
class Shell(object):
def __init__(self, argv, env):
self._stop_requested = threading.Event()
self._reactor = Reactor(run_until_return=lambda reactor: self._stop_requested.wait())
self._device = frida.get_usb_device()
self._sessions = set()
self._device.on("child-added", lambda child: self._reactor.schedule(lambda: self._on_child_added(child)))
self._device.on("child-removed", lambda child: self._reactor.schedule(lambda: self._on_child_removed(child)))
self._device.on("output", lambda pid, fd, data: self._reactor.schedule(lambda: self._on_output(pid, fd, data)))
self.argv = argv
self.env = env
self.output = [] # stdout will pushed into array
def exec(self):
self._reactor.schedule(lambda: self._start())
self._reactor.run()
def _start(self):
click.secho("✔ spawn(argv={})".format(self.argv), fg='green', dim=True)
pid = self._device.spawn(self.argv, env=self.env, stdio='pipe')
self._instrument(pid)
def _stop_if_idle(self):
if len(self._sessions) == 0:
self._stop_requested.set()
def _instrument(self, pid):
click.secho("✔ attach(pid={})".format(pid), fg='green', dim=True)
session = self._device.attach(pid)
session.on("detached", lambda reason: self._reactor.schedule(lambda: self._on_detached(pid, session, reason)))
click.secho("✔ enable_child_gating()", fg='green', dim=True)
session.enable_child_gating()
# print("✔ resume(pid={})".format(pid))
self._device.resume(pid)
self._sessions.add(session)
def _on_child_added(self, child):
click.secho("⚡ child_added: {}".format(child), fg='green', dim=True)
self._instrument(child.pid)
@staticmethod
def _on_child_removed(child):
click.secho("⚡ child_removed: {}".format(child), fg='green', dim=True)
def _on_output(self, pid, fd, data):
# print("⚡ output: pid={}, fd={}, data={}".format(pid, fd, repr(data)))
# fd=0 (input) fd=1(stdout) fd=2(stderr)
if fd != 2:
self.output.append(data)
def _on_detached(self, pid, session, reason):
click.secho("⚡ detached: pid={}, reason='{}'".format(pid, reason), fg='green', dim=True)
self._sessions.remove(session)
self._reactor.schedule(self._stop_if_idle, delay=0.5)
@staticmethod
def _on_message(pid, message):
click.secho("⚡ message: pid={}, payload={}".format(pid, message), fg='green', dim=True)cmd = Shell(['/bin/sh', '-c', 'cp /data/data/com.app/databases/a.db /data/local/tmp'], None)
cmd.exec()
with open('/tmp/example', 'wb+') as f:
f.writelines(cmd.output)页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/72581924
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号