System/Windows
JavaScript using frida
Tribal
2017. 12. 14. 20:02
JavaScript code (Function Hooking)
// Resolve the address of memset exported by msvcrt.dll
var handle = Module.findExportByName("msvcrt.dll", "memset");
//var handle2 = Module.findExportByName("WS2_32.dll", "send");
var baseAddr = Module.findBaseAddress("msvcrt.dll");

console.log(">> Hooking Function <<");
console.log("[+] Handle : " + handle);
console.log("[+] msvcrt.dll baseAddr : " + baseAddr);

// memset(void *dest, int c, size_t count): args[0] is the destination buffer
Interceptor.attach(handle, {
    onEnter: function(args) {
        console.log("onEnter : " + args[0]);
        // Dump the first 8 bytes of the destination before memset overwrites them
        var str = Memory.readByteArray(args[0], 8);
        console.log(str);
    },
    onLeave: function(retval) {
        // memset returns the destination pointer
        console.log("onLeave:" + retval);
    }
});

//console.log("Done.");
setTimeout(function() {
    console.log("Done.");
}, 5000);
JavaScript code (Find Modules)
// Write one record per loaded module to a text file on the desktop
var f = new File("C:\\Users\\Tribal\\Desktop\\modules.txt", "w+");

// Callback form of enumerateModules (newer Frida versions also return the list synchronously)
Process.enumerateModules({
    onMatch: function(module) {
        f.write("\n===============================================");
        f.write("\n- Module.name : " + module.name);
        f.write("\n- Module.base : " + module.base);
        f.write("\n- Module.size : " + module.size);
        f.write("\n- Module.path : " + module.path);
        f.write("\n===============================================");
        //console.log("");
        //console.log("- Module.name : " + module.name);
        //console.log("- Module.base : " + module.base);
        //console.log("- Module.size : " + module.size);
        //console.log("- Module.path : " + module.path);
    },
    onComplete: function() {
        // Flush and close the file so the last records are not lost
        f.close();
        console.log("[+] Process.enumerateModules Done.");
    }
});
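The hook above prints raw pointers (args[0]) and the module script writes each module's base and size to modules.txt. A common follow-up is to turn such a pointer into "module + offset". The following is an added example, not code from the original post: it parses the modules.txt format written by the script above and resolves an address against it. It runs in plain Node.js (no Frida globals), and the dump text, module names, bases and sizes are constructed sample values.

```javascript
// Added example (not from the original post). Parses the "- Module.xxx : value"
// records written by the enumerateModules script and resolves a raw pointer
// to module + offset. Addresses are handled as BigInt so 64-bit values are exact.

// Constructed sample dump in the same layout as modules.txt (values are made up).
const SAMPLE_DUMP = [
  '',
  '===============================================',
  '- Module.name : ntdll.dll',
  '- Module.base : 0x7ffe1c000000',
  '- Module.size : 2039808',
  '- Module.path : C:\\Windows\\System32\\ntdll.dll',
  '===============================================',
  '===============================================',
  '- Module.name : msvcrt.dll',
  '- Module.base : 0x7ffe1a2b0000',
  '- Module.size : 659456',
  '- Module.path : C:\\Windows\\System32\\msvcrt.dll',
  '===============================================',
].join('\n');

// Parse the dump into [{ name, base: BigInt, size: BigInt, path }, ...].
// A record starts at "Module.name"; records missing base or size are dropped.
function parseModuleDump(text) {
  const modules = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const m = /^- Module\.(name|base|size|path) : (.*)$/.exec(raw.trim());
    if (!m) continue;
    const key = m[1];
    const value = m[2];
    if (key === 'name') {
      current = { name: value };
      modules.push(current);
      continue;
    }
    if (!current) continue;
    if (key === 'base') current.base = BigInt(value);      // hex string, e.g. 0x7ffe...
    else if (key === 'size') current.size = BigInt(value); // decimal byte count
    else current.path = value;
  }
  return modules.filter(mod => mod.base !== undefined && mod.size !== undefined);
}

// Find the module whose [base, base + size) range contains the address.
// Returns { module, offset, text } or null when no module covers it.
function resolveAddress(modules, address) {
  const addr = typeof address === 'bigint' ? address : BigInt(address);
  for (const mod of modules) {
    if (addr >= mod.base && addr < mod.base + mod.size) {
      const offset = addr - mod.base;
      return { module: mod.name, offset, text: mod.name + '+0x' + offset.toString(16) };
    }
  }
  return null;
}

// Usage: resolve a pointer as it would appear in the memset hook's onEnter log.
const mods = parseModuleDump(SAMPLE_DUMP);
console.log(resolveAddress(mods, '0x7ffe1a2b1234')); // inside msvcrt.dll
console.log(resolveAddress(mods, '0x10'));           // null: not in any module
```

Because the pointer comparison uses the module size, a pointer just past the end of a module correctly returns null instead of being attributed to the previous module.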
Command
$ frida -l [script.js] -q -n [target program name]
-l : load file
-q : quiet; can be removed if needed
-n : name of the program to attach to
When SYSTEM privileges are needed (https://docs.microsoft.com/ko-kr/sysinternals/downloads/psexec)
$ Psexec -i -s -d CMD
References
- Frida API : https://www.frida.re/docs/javascript-api/
- pdf : https://www.coresecurity.com/system/files/publications/2016/10/Getting%20fun%20with%20Frida-Ekoparty-21-10-2016.pdf