WhiteIntel is a dark-web fueled search engine that offers free functionalities to check whether a company or its customers have been compromised by stealer malware.
The primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.
You can check their website and try their engine for free at:
Installing Frida
Steps to install Frida on a Jailbroken device:
Open the Cydia/Sileo app.
Navigate to Manage -> Sources -> Edit -> Add.
Enter "https://build.frida.re" as the URL.
Go to the newly added Frida source.
Install the Frida package.
If you are using Corellium you will need to download the Frida release from https://github.com/frida/frida/releases (frida-gadget-[yourversion]-ios-universal.dylib.gz), unzip it and copy it to the dylib location Frida asks for, e.g.: /Users/[youruser]/.cache/frida/gadget-ios.dylib
After installing, you can run frida-ls-devices on your PC and check that the device appears (your PC needs to be able to reach it).
Also run frida-ps -Uia to list the processes running on the phone.
Frida without a Jailbroken device & without patching the app
With the Frida server installed and the device running and connected, check that the client is working:
```bash
frida-ls-devices  # List devices
frida-ps -Uia     # Get running processes
```
Frida Tracing
```bash
# Functions
## Trace all functions with the word "log" in their name
frida-trace -U <program> -i "*log*"
frida-trace -U <program> -i "*log*" | swift demangle  # Demangle names

# Objective-C
## Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"

## Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"

# Plug-In
## To hook a plugin that is momentarily executed, prepare Frida indicating the ID of the plugin binary
frida-trace -U -W <if-plugin-bin> -m '*[* *]'
```
Get all classes and methods
Autocomplete: just execute frida -U <program>
Get all available classes (filter by string)
```javascript
// frida -U <program> -l /tmp/script.js

var specificClass = "YourClassName";
var filterMethod = "filtermethod";

if (ObjC.available) {
    if (ObjC.classes.hasOwnProperty(specificClass)) {
        var methods = ObjC.classes[specificClass].$ownMethods;
        for (var i = 0; i < methods.length; i++) {
            // Print every method, or only those whose name contains the filter string
            if (!filterMethod || methods[i].includes(filterMethod)) {
                console.log(specificClass + ': ' + methods[i]);
            }
        }
    } else {
        console.log("Class not found.");
    }
} else {
    console.log("Objective-C runtime is not available.");
}
```
Call a function
```javascript
// Find the address of the function to call
const func_addr = Module.findExportByName("<Prog Name>", "<Func Name>");
// Declare the function to call
const func = new NativeFunction(
    func_addr,
    "void", ["pointer", "pointer", "pointer"], {
});

var arg0 = null;

// In this case, to call this function we need to intercept a call to it to copy arg0
Interceptor.attach(func_addr, {
    onEnter: function(args) {
        arg0 = new NativePointer(args[0]);
    }
});

// Wait until a call to the func occurs
while (! arg0) {
    Thread.sleep(1);
    console.log("waiting for ptr");
}

var arg1 = Memory.allocUtf8String('arg1');
var txt = Memory.allocUtf8String('Some text for arg2');
func(arg0, arg1, txt);

console.log("loaded");
```
Frida Fuzzing
Frida Stalker
From the docs: Stalker is Frida's code tracing engine. It allows threads to be followed, capturing every function, every block, even every instruction which is executed.
This is another example that attaches Frida Stalker every time a function is called:
```javascript
console.log("loading");
const wg_log_addr = Module.findExportByName("<Program>", "<function_name>");
const wg_log = new NativeFunction(
    wg_log_addr,
    "void", ["pointer", "pointer", "pointer"], {
});

Interceptor.attach(wg_log_addr, {
    onEnter: function(args) {
        console.log(`logging the following message: ${args[2].readCString()}`);

        Stalker.follow({
            events: {
                // only collect coverage for newly encountered blocks
                compile: true,
            },
            onReceive: function (events) {
                const bbs = Stalker.parse(events, {
                    stringify: false,
                    annotate: false
                });
                console.log("Stalker trace of write_msg_to_log: \n" + bbs.flat().map(DebugSymbol.fromAddress).join('\n'));
            }
        });
    },
    onLeave: function(retval) {
        Stalker.unfollow();
        Stalker.flush();  // this is important to get all events
    }
});
```
This is interesting for debugging purposes, but for fuzzing, constantly calling .follow() and .unfollow() is very inefficient.
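As an added example (not code from the original page or from Frida/fpicker), this is the bookkeeping a fuzzer does with the Stalker "compile" events from the hook above: keep one set of block addresses across inputs and report only blocks no earlier input reached. The two traces are constructed, in the shape Stalker.parse returns with stringify and annotate enabled; the hook helper only does something under Frida.

```javascript
// Added example (not from the original page): new-coverage bookkeeping over the
// Stalker "compile" events used above, the signal an in-process fuzzer needs.
// Constructed sample: the shape Stalker.parse(events, {stringify: true,
// annotate: true}) returns for two inputs under {events: {compile: true}}.
const TRACE_INPUT_A = [
  ['compile', '0x100004000', '0x100004010'],
  ['compile', '0x100004010', '0x100004024'],
  ['compile', '0x100004024', '0x100004030'],
];
const TRACE_INPUT_B = [
  ['compile', '0x100004000', '0x100004010'],
  ['compile', '0x100004040', '0x100004058'], // branch input A never took
];
class CoverageTracker {
  constructor() {
    this.seen = new Set(); // start address of every block observed so far
  }
  // Returns the block start addresses this trace reached for the first time.
  // Keeping the set across inputs turns a raw trace into a "new coverage" signal.
  ingest(parsedEvents) {
    const fresh = [];
    for (const ev of parsedEvents) {
      if (ev[0] !== 'compile') continue;
      const start = ev[1];
      if (!this.seen.has(start)) {
        this.seen.add(start);
        fresh.push(start);
      }
    }
    return fresh;
  }
}
// Feeds a tracker from a live process. Only meaningful under Frida; under plain
// Node (no Interceptor global) it returns false and attaches nothing.
function followWithCoverage(tracker, fnAddr) {
  if (typeof Interceptor === 'undefined') return false;
  Interceptor.attach(fnAddr, {
    onEnter() {
      Stalker.follow({
        events: { compile: true },
        onReceive(events) {
          const fresh = tracker.ingest(Stalker.parse(events, { stringify: true, annotate: true }));
          if (fresh.length) console.log('new blocks: ' + fresh.join(', '));
        },
      });
    },
    onLeave() { Stalker.unfollow(); Stalker.flush(); }, // flush, or the last batch is lost
  });
  return true;
}
```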
fpicker is a Frida-based fuzzing suite that offers a variety of fuzzing modes for in-process fuzzing, such as an AFL++ mode or a passive tracing mode. It should run on all platforms that are supported by Frida.
```bash
# Get fpicker
git clone https://github.com/ttdennis/fpicker
cd fpicker

# Get Frida core devkit and prepare fpicker
wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz
tar -xf ./*tar.xz
cp libfrida-core.a libfrida-core-[yourOS].a  # libfrida-core-macos.a

# Install fpicker
make fpicker-[yourOS]  # fpicker-macos
# This generates ./fpicker

# Install radamsa (fuzzer generator)
brew install radamsa
```
Prepare the FS:
```bash
# From inside fpicker clone
mkdir -p examples/wg-log      # Where the fuzzing script will be
mkdir -p examples/wg-log/out  # For code coverage and crashes
mkdir -p examples/wg-log/in   # For starting inputs

# Create at least 1 input for the fuzzer
echo Hello World > examples/wg-log/in/0
```
Fuzzer script (examples/wg-log/myfuzzer.js):
```javascript
// Import the fuzzer base class
import { Fuzzer } from "../../harness/fuzzer.js";

class WGLogFuzzer extends Fuzzer {

    constructor() {
        console.log("WGLogFuzzer constructor called");

        // Get and declare the function we are going to fuzz
        var wg_log_addr = Module.findExportByName("<Program name>", "<func name to fuzz>");
        var wg_log_func = new NativeFunction(
            wg_log_addr,
            "void", ["pointer", "pointer", "pointer"], {
        });

        // Initialize the object
        super("<Program name>", wg_log_addr, wg_log_func);
        this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super"

        console.log("WGLogFuzzer in the middle");

        // Prepare the second argument to pass to the fuzz function
        this.tag = Memory.allocUtf8String("arg2");

        // Get the first argument we need to pass from a call to the function we want to fuzz
        var wg_log_global_ptr = null;
        console.log(this.wg_log_addr);
        Interceptor.attach(this.wg_log_addr, {
            onEnter: function(args) {
                console.log("Entering in the function to get the first argument");
                wg_log_global_ptr = new NativePointer(args[0]);
            }
        });

        while (! wg_log_global_ptr) {
            Thread.sleep(1);
        }
        this.wg_log_global_ptr = wg_log_global_ptr;
        console.log("WGLogFuzzer prepare ended");
    }

    // This function is called by the fuzzer with the first argument being a pointer into memory
    // where the payload is stored and the second the length of the input.
    fuzz(payload, len) {
        // Get a pointer to payload being a valid C string (with a null byte at the end)
        var payload_cstring = payload.readCString(len);
        this.payload = Memory.allocUtf8String(payload_cstring);

        // Debug and fuzz
        this.debug_log(this.payload, len);
        // Pass the 2 first arguments we know the function needs and finally the payload to fuzz
        this.target_function(this.wg_log_global_ptr, this.tag, this.payload);
    }
}

const f = new WGLogFuzzer();
rpc.exports.fuzzer = f;
```
Compile the fuzzer:
```bash
# From inside fpicker clone
## Compile from "myfuzzer.js" to "harness.js"
frida-compile examples/wg-log/myfuzzer.js -o harness.js
```
Call the fuzzer fpicker using radamsa:
```bash
# Indicate fpicker to fuzz a program with the harness.js script and which folders to use
fpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"

# You can find code coverage and crashes in examples/wg-log/out/
```
In this case we are not restarting the app or restoring its state after each payload. Therefore, if Frida finds a crash, the inputs after that payload might also crash the app (because the app is in an unstable state) even if those inputs should not crash it on their own.
Moreover, Frida hooks the iOS exception signals, so when Frida finds a crash, iOS crash reports probably will not be generated.
To prevent this, for example, we could restart the app after every crash Frida detects.
Logs & Crashes
You can check the macOS console or the log cli to check macOS logs.
You can also check logs from iOS using idevicesyslog.
Some logs will omit information, replacing it with <private>. To show all the information you need to install a profile from https://developer.apple.com/bug-reporting/profiles-and-logs/ to enable that private information.