objection: patching the source to get past an app's dual-process protection, how dual-process protection works, and frida.core.RPCException: Error: expected a pointer
Dual-process protection uses a second process to guard the parent process: the two protect each other by sending and receiving signals, so that neither can be attacked dynamically.
The simplest form of dual-process protection is to fork an empty child process from the original process; when a reverse engineer attaches, they attach to that empty process, and the hooks never land.
The main functions of dual-process protection are: 1. protect the parent process by ptrace-ing all of its threads, so it cannot be attached to, debugged, or suspended; 2. protect the child process so it cannot be suspended or made to exit abnormally.
Below is the error I got when attaching objection to an app with dual-process protection. Normally, with dual-process protection, you close the app first and use spawn mode directly to attach.
root@arr:~/Desktop/frida_js# objection -d -g com.xc.p2p explore
[debug] Agent path is: /root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `Google Pixel`
[debug] Attempting to attach to process: `com.xc.p2p`
[debug] Process attached!
Agent injected and responds ok!
Traceback (most recent call last):
File "/root/.pyenv/versions/3.8.1/bin/objection", line 11, in <module>
load_entry_point('objection==1.8.4', 'console_scripts', 'objection')()
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/objection/console/cli.py", line 156, in explore
device_info = get_device_info()
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/objection/commands/device.py", line 41, in get_device_info
package_info = api.env_android()
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/frida/core.py", line 401, in method
return script._rpc_request('call', js_name, args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/frida/core.py", line 333, in _rpc_request
raise result[2]
frida.core.RPCException: Error: expected a pointer
at M (frida/node_modules/frida-java-bridge/index.js:437)
at frida/node_modules/frida-java-bridge/index.js:285
at src/android/lib/libjava.ts:15
at node_modules/core-js/library/modules/es6.promise.js:83
at src/android/lib/libjava.ts:16
at frida/runtime/message-dispatcher.js:15
at c (frida/runtime/message-dispatcher.js:25)
Asking jobs to stop...
Unloading objection agent...
[debug] Calling unload()
Exception ignored in: <function Pool.__del__ at 0x7fe01269f940>
Traceback (most recent call last):
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/pool.py", line 268, in __del__
self._change_notifier.put(None)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/queues.py", line 368, in put
self._writer.send_bytes(obj)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/connection.py", line 200, in send_bytes
self._send_bytes(m[offset:offset + size])
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/connection.py", line 411, in _send_bytes
self._send(header + buf)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/connection.py", line 368, in _send
n = write(self._handle, buf)
OSError: [Errno 9] Bad file descriptor
Reading the error, it roughly says the process cannot be found, i.e. the process has been closed, yet attaching with frida directly still works.
So let's look straight at the frida and objection source.
frida's attach order: spawn -> resume -> attach
objection's attach order: spawn -> attach -> resume
It seems that after objection starts the app via spawn, it attaches too quickly, while the app is still in the middle of forking its child process, so the app hangs and objection hangs along with it.
We can fix this by editing objection's source to change the order in which it attaches.
In objection's agent.py, find:
def get_session(self) -> frida.core.Session:
    """
        Attempt to get a Frida session on a device.
    """

    if self.session:
        return self.session

    self.device = self._get_device()

    # try and get the target process.
    try:

        debug_print('Attempting to attach to process: `{process}`'.format(
            process=state_connection.gadget_name))
        self.session = self.device.attach(state_connection.gadget_name)
        debug_print('Process attached!')
        self.resumed = True

        self.session.on('detached', self.on_detach)

        return self.session

    except frida.ProcessNotFoundError:

        debug_print('Unable to find process: `{process}`, attempting spawn'.format(
            process=state_connection.gadget_name))

    # TODO: Handle the fact that gadget mode can't spawn
    self.spawned_pid = self.device.spawn(state_connection.gadget_name)
    debug_print('PID `{pid}` spawned, attaching...'.format(pid=self.spawned_pid))

    # added: resume the spawned app BEFORE attaching, so it finishes starting up
    debug_print('Resuming PID test `{pid}`'.format(pid=self.spawned_pid))
    self.device.resume(self.spawned_pid)

    self.session = self.device.attach(self.spawned_pid)

    return self.session
These two lines are the ones that were added afterwards:
    debug_print('Resuming PID test `{pid}`'.format(pid=self.spawned_pid))
    self.device.resume(self.spawned_pid)
def inject(self):
    """
        Injects the Objection Agent.

        :return:
    """

    debug_print('Injecting agent...')

    session = self.get_session()

    self.script = session.create_script(source=self._get_agent_source())
    self.script.on('message', self.on_message)
    self.script.load()

    # if not self.resumed:
    #     debug_print('Resuming PID 1 `{pid}`'.format(pid=self.spawned_pid))
    #     self.device.resume(self.spawned_pid)

    # ping the agent
    if not self.exports().ping():
        click.secho('Failed to ping the agent', fg='red')
        raise Exception('Failed to communicate with agent')

    click.secho('Agent injected and responds ok!', fg='green', dim=True)

    return self
This is the part that was removed (commented out):
    # if not self.resumed:
    #     debug_print('Resuming PID 1 `{pid}`'.format(pid=self.spawned_pid))
    #     self.device.resume(self.spawned_pid)
In practice this just moves resume into the middle of the sequence; if that alone is not enough, adding a short sleep lets it attach.
Success!
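As an added example (not objection's or the post's own code), here is the spawn -> resume -> attach sequence the post settles on, written as a stand-alone helper against frida's Python Device API (spawn, resume, attach). The FakeDevice is a constructed stand-in so the call order can be checked without a phone, and the one-second settle delay is my assumed value for the post's "add a sleep" advice.

```python
"""Added example: the spawn -> resume -> attach order the post arrives at,
as a stand-alone helper on frida's Python Device API (not objection's code)."""
import time


def spawn_resume_attach(device, package, settle_seconds=1.0, sleep=time.sleep):
    """Spawn `package`, resume it so it can finish its own startup (including
    forking its guard child), wait briefly, then attach. Returns (pid, session).

    `device` is anything with frida's spawn/resume/attach methods; `settle_seconds`
    is an assumed value for the post's "add a sleep if needed" advice."""
    pid = device.spawn(package)
    device.resume(pid)           # resume BEFORE attach (objection attached first)
    if settle_seconds > 0:
        sleep(settle_seconds)    # give the app time to fork its child process
    session = device.attach(pid)
    return pid, session


class FakeDevice:
    """Constructed stand-in for a frida Device that only records the call order."""

    def __init__(self, pid=4242):
        self.pid = pid
        self.calls = []

    def spawn(self, package):
        self.calls.append(("spawn", package))
        return self.pid

    def resume(self, pid):
        self.calls.append(("resume", pid))

    def attach(self, pid):
        self.calls.append(("attach", pid))
        return "session-for-%d" % pid


def call_order(device):
    """Names of the Device methods invoked, in order."""
    return [name for name, _ in device.calls]


if __name__ == "__main__":
    import frida  # real run: needs frida installed and a USB device (assumption)
    dev = frida.get_usb_device()
    pid, session = spawn_resume_attach(dev, "com.xc.p2p")
    print("attached to pid", pid, session)
```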