Stappe om Frida op 'n Jailbroken-toestel te installeer:
Maak die Cydia/Sileo-toep oop.
Navigeer na Bestuur -> Bronne -> Wysig -> Voeg by.
Voer "https://build.frida.re" as die URL in.
Gaan na die nuut bygevoegde Frida-bron.
Installeer die Frida-pakket.
As jy Corellium gebruik, moet jy die Frida vrystelling aflaai vanaf https://github.com/frida/frida/releases (frida-gadget-[jouversie]-ios-universal.dylib.gz) en uitpak en kopieer na die dylib-plek wat Frida vir vra, bv.: /Gebruikers/[jougebruiker]/.cache/frida/gadget-ios.dylib
Nadat dit geïnstalleer is, kan jy op jou rekenaar die opdrag frida-ls-devices gebruik en sien dat die toestel verskyn (jou rekenaar moet daartoe in staat wees om dit te kan bereik).
Voer ook frida-ps -Uia uit om die lopende prosesse van die foon te kontroleer.
Frida sonder Jailbroken-toestel & sonder om die app te patch
Met die Frida-bediener geïnstalleer en die toestel wat loop en gekoppel is, kontroleer of die klient werk:
frida-ls-devices# List devicesfrida-ps-Uia# Get running processes
Frida Spoor
# Functions## Trace all functions with the word "log" in their namefrida-trace-U<program>-i"*log*"frida-trace-U<program>-i"*log*"|swiftdemangle# Demangle names# Objective-C## Trace all methods of all classesfrida-trace-U<program>-m"*[* *]"## Trace all methods with the word "authentication" from classes that start with "NE"frida-trace-U<program>-m"*[NE* *authentication*]"# Plug-In## To hook a plugin that is momentarely executed prepare Frida indicating the ID of the Plugin binaryfrida-trace-U-W<if-plugin-bin>-m'*[* *]'
// frida -U <program> -l /tmp/script.jsvar specificClass ="YourClassName";var filterMethod ="filtermethod";if (ObjC.available) {if (ObjC.classes.hasOwnProperty(specificClass)) {var methods =ObjC.classes[specificClass].$ownMethods;for (var i =0; i <methods.length; i++) {if (!filterMethod || methods[i].includes(filterClass)) {console.log(specificClass +': '+ methods[i]);}}} else {console.log("Class not found.");}} else {console.log("Objective-C runtime is not available.");}
Roep 'n funksie aan
// Find the address of the function to callconstfunc_addr=Module.findExportByName("<Prog Name>","<Func Name>");// Declare the function to callconstfunc=newNativeFunction(func_addr,"void", ["pointer","pointer","pointer"], {});var arg0 =null;// In this case to call this function we need to intercept a call to it to copy arg0Interceptor.attach(wg_log_addr, {onEnter:function(args) {arg0 =newNativePointer(args[0]);}});// Wait untill a call to the func occurswhile (! arg0) {Thread.sleep(1);console.log("waiting for ptr");}var arg1 =Memory.allocUtf8String('arg1');var txt =Memory.allocUtf8String('Some text for arg2');wg_log(arg0, arg1, txt);console.log("loaded");
Frida Fuzzing
Frida Stalker
Van die dokumente: Stalker is Frida se kode naspeurings-enjin. Dit maak dit moontlik om drade te volg, elke funksie vas te lê, selfs elke instruksie wat uitgevoer word.
Hierdie is 'n ander voorbeeld om Frida Stalker aan te heg elke keer as 'n funksie geroep word:
console.log("loading");constwg_log_addr=Module.findExportByName("<Program>","<function_name>");constwg_log=newNativeFunction(wg_log_addr,"void", ["pointer","pointer","pointer"], {});Interceptor.attach(wg_log_addr, {onEnter:function(args) {console.log(`logging the following message: ${args[2].readCString()}`);Stalker.follow({events: {// only collect coverage for newly encountered blockscompile:true,},onReceive:function (events) {constbbs=Stalker.parse(events, {stringify:false,annotate:false});console.log("Stalker trace of write_msg_to_log: \n"+bbs.flat().map(DebugSymbol.fromAddress).join('\n'));}});},onLeave:function(retval) {Stalker.unfollow();Stalker.flush(); // this is important to get all events}});
Dit is interessant vir foutopsporingsdoeleindes, maar vir fuzzing is dit baie ondoeltreffend om voortdurend .follow() en .unfollow() te gebruik.
fpicker is 'n Frida-gebaseerde fuzzing-pakket wat 'n verskeidenheid fuzzing-modusse bied vir in-process fuzzing, soos 'n AFL++-modus of 'n passiewe naspeurmodus. Dit behoort te werk op alle platforms wat deur Frida ondersteun word.
# Get fpickergitclonehttps://github.com/ttdennis/fpickercdfpicker# Get Frida core devkit and prepare fpickerwget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xztar-xf./*tar.xzcplibfrida-core.alibfrida-core-[yourOS].a#libfrida-core-macos.a# Install fpickermakefpicker-[yourOS]# fpicker-macos# This generates ./fpicker# Install radamsa (fuzzer generator)brewinstallradamsa
Maak die FS gereed:
# From inside fpicker clonemkdir-pexamples/wg-log# Where the fuzzing script will bemkdir-pexamples/wg-log/out# For code coverage and crashesmkdir-pexamples/wg-log/in# For starting inputs# Create at least 1 input for the fuzzerechoHelloWorld>examples/wg-log/in/0
Fuzzer-skrip (voorbeelde/wg-log/myfuzzer.js):
voorbeelde/wg-log/myfuzzer.js
// Import the fuzzer base classimport { Fuzzer } from"../../harness/fuzzer.js";classWGLogFuzzerextendsFuzzer {constructor() {console.log("WGLogFuzzer constructor called")// Get and declare the function we are going to fuzzvar wg_log_addr =Module.findExportByName("<Program name>","<func name to fuzz>");var wg_log_func =newNativeFunction(wg_log_addr,"void", ["pointer","pointer","pointer"], {});// Initialize the objectsuper("<Program nane>", wg_log_addr, wg_log_func);this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super"console.log("WGLogFuzzer in the middle");// Prepare the second argument to pass to the fuzz functionthis.tag =Memory.allocUtf8String("arg2");// Get the first argument we need to pass from a call to the functino we want to fuzzvar wg_log_global_ptr =null;console.log(this.wg_log_addr);Interceptor.attach(this.wg_log_addr, {onEnter:function(args) {console.log("Entering in the function to get the first argument");wg_log_global_ptr =newNativePointer(args[0]);}});while (! wg_log_global_ptr) {Thread.sleep(1)}this.wg_log_global_ptr = wg_log_global_ptr;console.log("WGLogFuzzer prepare ended")}// This function is called by the fuzzer with the first argument being a pointer into memory// where the payload is stored and the second the length of the input.fuzz(payload, len) {// Get a pointer to payload being a valid C string (with a null byte at the end)var payload_cstring =payload.readCString(len);this.payload =Memory.allocUtf8String(payload_cstring);// Debug and fuzzthis.debug_log(this.payload, len);// Pass the 2 first arguments we know the function needs and finally the payload to fuzzthis.target_function(this.wg_log_global_ptr,this.tag,this.payload);}}constf=newWGLogFuzzer();rpc.exports.fuzzer = f;
Kompilering van die fuzzer:
# From inside fpicker clone## Compile from "myfuzzer.js" to "harness.js"frida-compileexamples/wg-log/myfuzzer.js-oharness.js
Roep fuzzer fpicker aan met behulp van radamsa:
# Indicate fpicker to fuzz a program with the harness.js script and which folders to usefpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"
# You can find code coverage and crashes in examples/wg-log/out/
In hierdie geval herlaai ons nie die app of herstel die toestand na elke lading. So, as Frida 'n crash vind, kan die volgende insette na daardie lading ook die app laat crash (omdat die app in 'n onstabiele toestand is), selfs al behoort die inset die app nie te laat crash nie.
Verder sal Frida in die uitsondering seine van iOS inklink, so wanneer Frida 'n crash vind, sal daar waarskynlik nie 'n iOS crash verslag gegenereer word nie.
Om dit te voorkom, byvoorbeeld, kan ons die app herlaai na elke Frida crash.
Logs & Crashes
Jy kan die macOS konsole of die log cli gebruik om macOS logs te kontroleer.
Jy kan ook die logs van iOS kontroleer deur idevicesyslog te gebruik.
Sommige logs sal inligting uitsluit deur <private> by te voeg. Om al die inligting te sien, moet jy 'n profiel van https://developer.apple.com/bug-reporting/profiles-and-logs/ installeer om daardie private inligting te aktiveer.
WhiteIntel is 'n dark-web aangedrewe soekenjin wat gratis funksies bied om te kyk of 'n maatskappy of sy kliënte deur stealer malware gekompromitteer is.
Die primêre doel van WhiteIntel is om rekening-oorneemname en lospryse-aanvalle te bekamp wat voortspruit uit inligtingsteel-malware.
Jy kan hul webwerf besoek en hul enjin gratis probeer by: