

frida - runtime.exec hook[root bypass]

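console.log("[+] Start Script");

// Commands this script treats as root-detection probes: a command containing one of
// PROBE_SUBSTRINGS, or exactly equal to one of PROBE_EXACT, is replaced by
// PROBE_REPLACEMENT. "su" is replaced by a name that cannot resolve, so
// Runtime.exec() throws just as it would on an unrooted device.
// For defenders: every Runtime.exec overload is interceptable from inside the
// process, so root checks built on it should be paired with controls that do not
// run in-process (platform attestation) and with instrumentation detection, and
// must never be the only control.
var PROBE_SUBSTRINGS = ["getprop", "build.prop"];
var PROBE_EXACT = ["mount", "id", "sh"];
var PROBE_REPLACEMENT = "grep";
var SU_REPLACEMENT = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";

/**
 * Decide whether a single command string should be swapped out.
 * @param {string|null} cmd - the command as handed to Runtime.exec(String, ...)
 * @returns {string|null} the replacement command, or null to run `cmd` unchanged
 */
function fakeCommandFor(cmd) {
    if (typeof cmd !== "string") {
        return null; // null / non-string arguments are passed through untouched
    }
    var isProbe = PROBE_SUBSTRINGS.some(function (s) {
        return cmd.indexOf(s) !== -1;
    }) || PROBE_EXACT.indexOf(cmd) !== -1;
    if (isProbe) {
        return PROBE_REPLACEMENT;
    }
    if (cmd === "su") {
        return SU_REPLACEMENT;
    }
    return null;
}

/**
 * Decide whether an argv-style command array should be swapped out; the first
 * element that matches decides for the whole array.
 * @param {string[]|null} cmdarr - the command array as handed to Runtime.exec(String[], ...)
 * @returns {string|null} the replacement command, or null to run `cmdarr` unchanged
 */
function fakeCommandForArray(cmdarr) {
    if (cmdarr == null) {
        return null;
    }
    for (var i = 0; i < cmdarr.length; i++) {
        var fake = fakeCommandFor(cmdarr[i]);
        if (fake !== null) {
            return fake;
        }
    }
    return null;
}

Java.perform(function () {
    console.log("[*] Hooking Test code");

    var Runtime = Java.use('java.lang.Runtime');

    // One wrapper per Runtime.exec overload (JNI type descriptors, comma separated).
    var exec = Runtime.exec.overload('[Ljava.lang.String;');
    var exec1 = Runtime.exec.overload('java.lang.String');
    var exec2 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;');
    var exec3 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;');
    var exec4 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File');
    var exec5 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;', 'java.io.File');

    /**
     * Report the substitution and run the replacement through the original
     * exec(String) implementation (`exec1.call` bypasses the hook installed below).
     * @param {object} self - the Runtime instance the hook was invoked on
     * @param {string|string[]} original - the intercepted command, for the log line
     * @param {string} fakeCmd - the replacement command
     * @returns {object} the Process returned by the original exec(String)
     */
    function runFake(self, original, fakeCmd) {
        send("Bypass " + original + " command");
        return exec1.call(self, fakeCmd);
    }

    // exec(String cmd, String[] envp, File dir)
    exec5.implementation = function (cmd, env, dir) {
        console.log(cmd);
        var fake = fakeCommandFor(cmd);
        if (fake !== null) {
            return runFake(this, cmd, fake);
        }
        return exec5.call(this, cmd, env, dir);
    };

    // exec(String[] cmdarray, String[] envp, File dir)
    exec4.implementation = function (cmdarr, env, file) {
        console.log(cmdarr);
        var fake = fakeCommandForArray(cmdarr);
        if (fake !== null) {
            return runFake(this, cmdarr, fake);
        }
        return exec4.call(this, cmdarr, env, file);
    };

    // exec(String[] cmdarray, String[] envp)
    exec3.implementation = function (cmdarr, envp) {
        console.log(cmdarr); // was `cmd`, an undefined name in this hook (ReferenceError)
        var fake = fakeCommandForArray(cmdarr);
        if (fake !== null) {
            return runFake(this, cmdarr, fake);
        }
        return exec3.call(this, cmdarr, envp);
    };

    // exec(String cmd, String[] envp)
    exec2.implementation = function (cmd, env) {
        console.log(cmd);
        var fake = fakeCommandFor(cmd);
        if (fake !== null) {
            return runFake(this, cmd, fake);
        }
        return exec2.call(this, cmd, env);
    };

    // exec(String[] cmdarray)
    exec.implementation = function (cmdarr) {
        console.log(cmdarr);
        var fake = fakeCommandForArray(cmdarr);
        if (fake !== null) {
            return runFake(this, cmdarr, fake);
        }
        return exec.call(this, cmdarr);
    };

    // exec(String cmd) — also the overload every substitution is routed through
    exec1.implementation = function (cmd) {
        console.log(cmd);
        var fake = fakeCommandFor(cmd);
        if (fake !== null) {
            return runFake(this, cmd, fake);
        }
        return exec1.call(this, cmd);
    };
});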
