-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathdump_so.py
More file actions
98 lines (81 loc) · 3.63 KB
/
dump_so.py
File metadata and controls
98 lines (81 loc) · 3.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
import sys
import frida
import os
import argparse
def fix_so(arch, origin_so_name, so_name, base, size):
if arch == "arm":
os.system("adb push android/SoFixer32 /data/local/tmp/SoFixer")
elif arch == "arm64":
os.system("adb push android/SoFixer64 /data/local/tmp/SoFixer")
os.system("adb shell chmod +x /data/local/tmp/SoFixer")
os.system("adb push " + so_name + " /data/local/tmp/" + so_name)
print("adb shell /data/local/tmp/SoFixer -m " + base + " -s /data/local/tmp/" + so_name + " -o /data/local/tmp/" + so_name + ".fix.so")
os.system("adb shell /data/local/tmp/SoFixer -m " + base + " -s /data/local/tmp/" + so_name + " -o /data/local/tmp/" + so_name + ".fix.so")
os.system("adb pull /data/local/tmp/" + so_name + ".fix.so " + origin_so_name + "_" + base + "_" + str(size) + "_fix.so")
os.system("adb shell rm /data/local/tmp/" + so_name)
os.system("adb shell rm /data/local/tmp/" + so_name + ".fix.so")
os.system("adb shell rm /data/local/tmp/SoFixer")
return origin_so_name + "_" + base + "_" + str(size) + "_fix.so"
def read_frida_js_source():
with open("dump_so.js", "r") as f:
return f.read()
def on_message(message, data):
pass
def get_device_and_session(host=None, port=None, process_name=None):
"""获取设备和会话"""
if host and port:
# 远程连接
device_manager = frida.get_device_manager()
device = device_manager.add_remote_device(f"{host}:{port}")
else:
# USB连接
device = frida.get_usb_device()
if process_name:
# 指定进程名
try:
pid = device.get_process(process_name).pid
except:
print(f"Process '{process_name}' not found")
return None, None
else:
# 前台应用
pid = device.get_frontmost_application().pid
session = device.attach(pid)
return device, session
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Dump SO files using Frida')
parser.add_argument('so_name', nargs='?', help='SO file name to dump')
parser.add_argument('-H', '--host', help='Remote frida server host (e.g., 127.0.0.1)')
parser.add_argument('-p', '--port', type=int, default=27042, help='Remote frida server port (default: 27042)')
parser.add_argument('-F', '--frontmost', action='store_true', help='Attach to frontmost application')
parser.add_argument('-n', '--name', help='Process name to attach')
args = parser.parse_args()
# 获取设备和会话
device, session = get_device_and_session(args.host, args.port, args.name)
if not device or not session:
sys.exit(1)
script = session.create_script(read_frida_js_source())
script.on('message', on_message)
script.load()
if not args.so_name:
# 列出所有模块
allmodule = script.exports.allmodule()
for module in allmodule:
print(module["name"])
else:
# dump指定的so文件
origin_so_name = args.so_name
module_info = script.exports.findmodule(origin_so_name)
print(module_info)
base = module_info["base"]
size = module_info["size"]
module_buffer = script.exports.dumpmodule(origin_so_name)
if module_buffer != -1:
dump_so_name = origin_so_name + ".dump.so"
with open(dump_so_name, "wb") as f:
f.write(module_buffer)
f.close()
arch = script.exports.arch()
fix_so_name = fix_so(arch, origin_so_name, dump_so_name, base, size)
print(fix_so_name)
os.remove(dump_so_name)