API tools faq
paste
Advertisement
hmimzomatrix

dump

hmimzomatrix
Aug 3rd, 2024 (edited)
72
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 5.85 KB | None | 0 0
raw download clone embed print report
  1. function get_self_process_name() {
  2.     var openPtr = Module.getExportByName('libc.so', 'open');
  3.     var open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
  4.  
  5.     var readPtr = Module.getExportByName("libc.so", "read");
  6.     var read = new NativeFunction(readPtr, "int", ["int", "pointer", "int"]);
  7.  
  8.     var closePtr = Module.getExportByName('libc.so', 'close');
  9.     var close = new NativeFunction(closePtr, 'int', ['int']);
  10.  
  11.     var path = Memory.allocUtf8String("/proc/self/cmdline");
  12.     var fd = open(path, 0);
  13.     if (fd != -1) {
  14.         var buffer = Memory.alloc(0x1000);
  15.  
  16.         var result = read(fd, buffer, 0x1000);
  17.         close(fd);
  18.         result = ptr(buffer).readCString();
  19.         return result;
  20.     }
  21.  
  22.     return "-1";
  23. }
  24.  
  25.  
  26. function mkdir(path) {
  27.     var mkdirPtr = Module.getExportByName('libc.so', 'mkdir');
  28.     var mkdir = new NativeFunction(mkdirPtr, 'int', ['pointer', 'int']);
  29.  
  30.  
  31.  
  32.     var opendirPtr = Module.getExportByName('libc.so', 'opendir');
  33.     var opendir = new NativeFunction(opendirPtr, 'pointer', ['pointer']);
  34.  
  35.     var closedirPtr = Module.getExportByName('libc.so', 'closedir');
  36.     var closedir = new NativeFunction(closedirPtr, 'int', ['pointer']);
  37.  
  38.     var cPath = Memory.allocUtf8String(path);
  39.     var dir = opendir(cPath);
  40.     if (dir != 0) {
  41.         closedir(dir);
  42.         return 0;
  43.     }
  44.     mkdir(cPath, 755);
  45.     chmod(path);
  46. }
  47.  
  48. function chmod(path) {
  49.     var chmodPtr = Module.getExportByName('libc.so', 'chmod');
  50.     var chmod = new NativeFunction(chmodPtr, 'int', ['pointer', 'int']);
  51.     var cPath = Memory.allocUtf8String(path);
  52.     chmod(cPath, 755);
  53. }
  54.  
  55. function dump_dex() {
  56.     var libart = Process.findModuleByName("libart.so");
  57.     var addr_DefineClass = null;
  58.     var symbols = libart.enumerateSymbols();
  59.     for (var index = 0; index < symbols.length; index++) {
  60.         var symbol = symbols[index];
  61.         var symbol_name = symbol.name;
  62.         //这个DefineClass的函数签名是Android9的
  63.         //_ZN3art11ClassLinker11DefineClassEPNS_6ThreadEPKcmNS_6HandleINS_6mirror11ClassLoaderEEERKNS_7DexFileERKNS9_8ClassDefE
  64.         if (symbol_name.indexOf("ClassLinker") >= 0 &&
  65.             symbol_name.indexOf("DefineClass") >= 0 &&
  66.             symbol_name.indexOf("Thread") >= 0 &&
  67.             symbol_name.indexOf("DexFile") >= 0) {
  68.             console.log(symbol_name, symbol.address);
  69.             addr_DefineClass = symbol.address;
  70.         }
  71.     }
  72.     var dex_maps = {};
  73.     var dex_count = 1;
  74.  
  75.     console.log("[DefineClass:]", addr_DefineClass);
  76.     if (addr_DefineClass) {
  77.         Interceptor.attach(addr_DefineClass, {
  78.             onEnter: function(args) {
  79.                 var dex_file = args[5];
  80.                 //ptr(dex_file).add(Process.pointerSize) is "const uint8_t* const begin_;"
  81.                 //ptr(dex_file).add(Process.pointerSize + Process.pointerSize) is "const size_t size_;"
  82.                 var base = ptr(dex_file).add(Process.pointerSize).readPointer();
  83.                 var size = ptr(dex_file).add(Process.pointerSize + Process.pointerSize).readUInt();
  84.  
  85.                 if (dex_maps[base] == undefined) {
  86.                     dex_maps[base] = size;
  87.                     var magic = ptr(base).readCString();
  88.                     if (magic.indexOf("dex") == 0) {
  89.  
  90.                         var process_name = get_self_process_name();
  91.                         if (process_name != "-1") {
  92.                             var dex_dir_path = "/data/data/" + process_name + "/files/dump_dex_" + process_name;
  93.                             mkdir(dex_dir_path);
  94.                             var dex_path = dex_dir_path + "/classes" + (dex_count == 1 ? "" : dex_count) + ".dex";
  95.                             console.log("[find dex]:", dex_path);
  96.                             var fd = new File(dex_path, "wb");
  97.                             if (fd && fd != null) {
  98.                                 dex_count++;
  99.                                 var dex_buffer = ptr(base).readByteArray(size);
  100.                                 fd.write(dex_buffer);
  101.                                 fd.flush();
  102.                                 fd.close();
  103.                                 console.log("[dump dex]:", dex_path);
  104.  
  105.                             }
  106.                         }
  107.                     }
  108.                 }
  109.             },
  110.             onLeave: function(retval) {}
  111.         });
  112.     }
  113. }
  114.  
  115. var is_hook_libart = false;
  116.  
  117. function hook_dlopen() {
  118.     Interceptor.attach(Module.findExportByName(null, "dlopen"), {
  119.         onEnter: function(args) {
  120.             var pathptr = args[0];
  121.             if (pathptr !== undefined && pathptr != null) {
  122.                 var path = ptr(pathptr).readCString();
  123.                 //console.log("dlopen:", path);
  124.                 if (path.indexOf("libart.so") >= 0) {
  125.                     this.can_hook_libart = true;
  126.                     console.log("[dlopen:]", path);
  127.                 }
  128.             }
  129.         },
  130.         onLeave: function(retval) {
  131.             if (this.can_hook_libart && !is_hook_libart) {
  132.                 dump_dex();
  133.                 is_hook_libart = true;
  134.             }
  135.         }
  136.     })
  137.  
  138.     Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
  139.         onEnter: function(args) {
  140.             var pathptr = args[0];
  141.             if (pathptr !== undefined && pathptr != null) {
  142.                 var path = ptr(pathptr).readCString();
  143.                 //console.log("android_dlopen_ext:", path);
  144.                 if (path.indexOf("libart.so") >= 0) {
  145.                     this.can_hook_libart = true;
  146.                     console.log("[android_dlopen_ext:]", path);
  147.                 }
  148.             }
  149.         },
  150.         onLeave: function(retval) {
  151.             if (this.can_hook_libart && !is_hook_libart) {
  152.                 dump_dex();
  153.                 is_hook_libart = true;
  154.             }
  155.         }
  156.     });
  157. }
  158.  
  159.  
  160. setImmediate(dump_dex);
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!