SeeFlowerX · May 14, 2024 13:17 · SeeFlowerX · Oct 9, 2022
diff --git a/stacktrace.js b/stacktrace.js
 let mem_regions = [];

 function read_maps(){
    let libc = Process.getModuleByName("libc.so");
    let fopen = new NativeFunction(libc.getExportByName("fopen"), "pointer", ["pointer", "pointer"]);
    let fgets = new NativeFunction(libc.getExportByName("fgets"), "pointer", ["pointer", "int", "pointer"]);
    let fclose = new NativeFunction(libc.getExportByName("fclose"), "int", ["pointer"]);
    let filepath = Memory.allocUtf8String("/proc/self/maps");
    let mode = Memory.allocUtf8String("r");
    let file = fopen(filepath, mode);
    let line = Memory.alloc(1024);
    let results = [];
    while (fgets(line, 1024, file).toInt32() != 0x0) {
        let text = line.readCString();
        if (text == null) {
            break;
        }
        results.push(text);
    }
    fclose(file);
    for (let index = 0; index < results.length; index++) {
        let line = results[index];
        let infos = line.split("        ");
        let segment_path = infos[infos.length - 1];
        if (segment_path) {
            segment_path = segment_path.trim();
            if (segment_path == "") {
                segment_path = "UNKNOW";
            }
        }
        let [addr_info, permission, offset] = infos[0].split(" ", 3);
        let [start, end] = addr_info.split("-");
        mem_regions.push({
            "start": parseInt(`0x${start}`),
            "end": parseInt(`0x${end}`),
            "offset": parseInt(`0x${offset}`),
            "path": segment_path,
            "name": segment_path.split("/").pop(),
        });
    }
 }

 function get_addr_info(addr) {
    let info_head = `${addr}`.padStart(16, " ");
    let mem_region = find_mem_region(addr);
    if (!mem_region) {
        return `${info_head}[UNKNOW]`;
    }
    let base_addr = mem_region.start - mem_region.offset;
    return `${info_head}[${mem_region.name}:${addr.sub(base_addr)}]`;
 }

 function find_mem_region(sp_addr) {
    for (let index = 0; index < mem_regions.length; index++) {
        let mem_region = mem_regions[index];
        if (sp_addr >= mem_region.start && sp_addr < mem_region.end) {
            return mem_region;
        }
    }
 }

 function stacktrace(pc, lr, fp, sp) {
    let n = 0, stack_arr = [], fp_c = fp;
    stack_arr[n++] = lr;
    stack_arr[n++] = pc;
    let mem_region = find_mem_region(sp);
    if (!mem_region) {
        console.log(`[stacktrace] can not find mem_region ${sp}`);
        return stack_arr;
    }
    while (n < 32) {
        if (parseInt(fp_c.toString()) < parseInt(sp.toString()) || fp_c < mem_region.start || fp_c > mem_region.end) {
            break
        }
        let next_fp = fp_c.readPointer();
        let lr = fp_c.add(8).readPointer();
        fp_c = next_fp;
        stack_arr[n++] = lr;
    }
    return stack_arr;
 }

 function hook_libsscronet(){
    function hook_SSL_write(){
        let symbol = "SSL_write";
        let symbol_addr = libsscronet.getExportByName(symbol);
        console.log(`[${symbol}] addr=${symbol_addr}`);
        Interceptor.attach(symbol_addr, {
            onEnter: function(args) {
                this.ssl = args[0];
                this.buf = args[1];
                this.num = args[2];
                this.info = stacktrace(this.context.pc, this.context.lr, this.context.fp, this.context.sp).map(get_addr_info).join("\n");
            }, onLeave: function(retval){
                let status = retval.toInt32();
                console.log(`[${symbol}] retval=${status} SSL=${this.ssl} buf=${this.buf} num=${this.num}\n${this.info}`);
            }
        })
    }
    let libsscronet = Process.getModuleByName("libsscronet.so");
    hook_SSL_write();
 }

 function main(){
    read_maps();
    hook_libsscronet();
 }

 setImmediate(main);
 // frida -U -n 抖音 -l hook.js -o hook.log
 // by SeeFlowerX
 // 参考 https://github.com/Abbbbbi/Frida-Seccomp
	let mem_regions = [];

	function read_maps(){
	let libc = Process.getModuleByName("libc.so");
	let fopen = new NativeFunction(libc.getExportByName("fopen"), "pointer", ["pointer", "pointer"]);
	let fgets = new NativeFunction(libc.getExportByName("fgets"), "pointer", ["pointer", "int", "pointer"]);
	let fclose = new NativeFunction(libc.getExportByName("fclose"), "int", ["pointer"]);
	let filepath = Memory.allocUtf8String("/proc/self/maps");
	let mode = Memory.allocUtf8String("r");
	let file = fopen(filepath, mode);
	let line = Memory.alloc(1024);
	let results = [];
	while (fgets(line, 1024, file).toInt32() != 0x0) {
	let text = line.readCString();
	if (text == null) {
	break;
	}
	results.push(text);
	}
	fclose(file);
	for (let index = 0; index < results.length; index++) {
	let line = results[index];
	let infos = line.split(" ");
	let segment_path = infos[infos.length - 1];
	if (segment_path) {
	segment_path = segment_path.trim();
	if (segment_path == "") {
	segment_path = "UNKNOW";
	}
	}
	let [addr_info, permission, offset] = infos[0].split(" ", 3);
	let [start, end] = addr_info.split("-");
	mem_regions.push({
	"start": parseInt(`0x${start}`),
	"end": parseInt(`0x${end}`),
	"offset": parseInt(`0x${offset}`),
	"path": segment_path,
	"name": segment_path.split("/").pop(),
	});
	}
	}

	function get_addr_info(addr) {
	let info_head = `${addr}`.padStart(16, " ");
	let mem_region = find_mem_region(addr);
	if (!mem_region) {
	return `${info_head}[UNKNOW]`;
	}
	let base_addr = mem_region.start - mem_region.offset;
	return `${info_head}[${mem_region.name}:${addr.sub(base_addr)}]`;
	}

	function find_mem_region(sp_addr) {
	for (let index = 0; index < mem_regions.length; index++) {
	let mem_region = mem_regions[index];
	if (sp_addr >= mem_region.start && sp_addr < mem_region.end) {
	return mem_region;
	}
	}
	}

	function stacktrace(pc, lr, fp, sp) {
	let n = 0, stack_arr = [], fp_c = fp;
	stack_arr[n++] = lr;
	stack_arr[n++] = pc;
	let mem_region = find_mem_region(sp);
	if (!mem_region) {
	console.log(`[stacktrace] can not find mem_region ${sp}`);
	return stack_arr;
	}
	while (n < 32) {
	if (parseInt(fp_c.toString()) < parseInt(sp.toString()) \|\| fp_c < mem_region.start \|\| fp_c > mem_region.end) {
	break
	}
	let next_fp = fp_c.readPointer();
	let lr = fp_c.add(8).readPointer();
	fp_c = next_fp;
	stack_arr[n++] = lr;
	}
	return stack_arr;
	}

	function hook_libsscronet(){
	function hook_SSL_write(){
	let symbol = "SSL_write";
	let symbol_addr = libsscronet.getExportByName(symbol);
	console.log(`[${symbol}] addr=${symbol_addr}`);
	Interceptor.attach(symbol_addr, {
	onEnter: function(args) {
	this.ssl = args[0];
	this.buf = args[1];
	this.num = args[2];
	this.info = stacktrace(this.context.pc, this.context.lr, this.context.fp, this.context.sp).map(get_addr_info).join("\n");
	}, onLeave: function(retval){
	let status = retval.toInt32();
	console.log(`[${symbol}] retval=${status} SSL=${this.ssl} buf=${this.buf} num=${this.num}\n${this.info}`);
	}
	})
	}
	let libsscronet = Process.getModuleByName("libsscronet.so");
	hook_SSL_write();
	}

	function main(){
	read_maps();
	hook_libsscronet();
	}

	setImmediate(main);
	// frida -U -n 抖音 -l hook.js -o hook.log
	// by SeeFlowerX
	// 参考 https://github.com/Abbbbbi/Frida-Seccomp