[Frida 5] Frida python binding

Lecture
Security
Tags
frida
mobile hacking
public
Completed
Y
Created
Mar 18, 2024 05:48 AM
LectureName
Mobile Hacking (Android - Frida )

1. Python Binding


1.1 Overview

So far, Frida's JS API has been used to call and hook methods and objects. Two approaches were used for this:
  • Attaching to a process from the terminal and running commands
  • Loading a script to hook
These tasks can be automated with Python.

1.2 Advantages

The Python binding has the following advantages:
  • Automation is possible.
  • Python libraries other than Frida can be used alongside it.
  • You can control things beyond what happens while the Frida process is running.

2. Usage


2.1 Basic format

➡️ import
Import the modules you need.
```python
import frida, sys
```
  • The sys module is used to solve the problem of the program exiting before the script has run.
➡️ Basic template
```python
import frida, sys

# jscode section
jscode = """
// write the JS script to run here
"""

# Attach to the package installed on the device connected over USB.
session = frida.get_usb_device(timeout=5).attach("com.package.name")

# Wrap the script code in jscode so that Frida can use it.
script = session.create_script(jscode)

# Load the created script.
script.load()

# Prevent the program from exiting before the script has run.
sys.stdin.read()
```
➡️ Template using spawn
```python
device = frida.get_usb_device(timeout=5)

# Spawn the package on the connected device.
p = device.spawn(["packagename"])

# Attach to the process.
session = device.attach(p)

# Script creation and loading are the same as above.
# . . .

# Resume the main thread of the application process.
device.resume(p)
sys.stdin.read()
```

2.2 Example

```python
import frida, sys

jscode = """
setImmediate(function() {
    Java.perform(function() {
        Java.enumerateLoadedClasses({
            onMatch : function(className) {
                send(`[+] find ${className}`)
            },
            onComplete : function() { }
        })
    })
})
"""

def on_message(message, data):
    print(message)

# Attach to the package installed on the device connected over USB.
session = frida.get_usb_device(timeout=5).attach("InsecureBankv2")

# Wrap the script code in jscode so that Frida can use it.
script = session.create_script(jscode)

# Register the message handler, then load the created script.
script.on('message', on_message)
script.load()

# Prevent the program from exiting before the script has run.
sys.stdin.read()
```
  • ⚠️ To receive output values in Python, change console.log → send in the JS code.
  • Then use script.on('message', messageFunction) to print them to the console.
  • messageFunction can be customized as needed. (The callback takes 2 parameters.)
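
One way to customize the two-parameter callback described above, as an added example that is not part of the original lecture notes: the handler separates `send` payloads from script errors and waits for `onComplete` instead of blocking on stdin. The `ClassCollector` class, the `run` function, the `kind`/`name` payload fields and the `prefix` filter are assumptions made for this example.

```python
import threading

# JS agent (constructed for this example): same enumeration as above, but each
# send() carries a structured payload and onComplete reports completion.
JSCODE = """
Java.perform(function () {
  Java.enumerateLoadedClasses({
    onMatch: function (className) { send({ kind: "class", name: className }); },
    onComplete: function () { send({ kind: "done" }); }
  });
});
"""

class ClassCollector:
    """Collects class names delivered through script.on('message', ...)."""
    def __init__(self, prefix=""):
        self.prefix = prefix              # hypothetical filter: keep matching names
        self.classes = []
        self.errors = []
        self.done = threading.Event()

    def on_message(self, message, data):
        # Frida passes two arguments: the message dict and optional raw bytes.
        if message["type"] == "error":
            # Exceptions thrown inside the JS agent arrive as type 'error'.
            self.errors.append(message.get("description", "unknown error"))
            self.done.set()
            return
        payload = message.get("payload")
        if not isinstance(payload, dict):
            return                        # ignore payloads this agent did not send
        name = payload.get("name", "")
        if payload.get("kind") == "class" and name.startswith(self.prefix):
            self.classes.append(name)
        elif payload.get("kind") == "done":
            self.done.set()

def run(target="InsecureBankv2", prefix="", timeout=30):
    import frida  # imported here so the handler can be exercised without a device
    session = frida.get_usb_device(timeout=5).attach(target)
    script = session.create_script(JSCODE)
    collector = ClassCollector(prefix)
    script.on("message", collector.on_message)
    script.load()
    collector.done.wait(timeout)          # wait for onComplete, not for stdin
    session.detach()
    return collector

if __name__ == "__main__":
    print(run().classes)
```
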