
[Android] Frida detection bypass

by CH@3M 2020. 3. 11.

strstr function hooking

A way to bypass the frida string check

// Hook libc strstr(haystack, needle): when the needle the app searches for
// contains "frida" or "xpose", force a NULL return so the check reports "not found".
Interceptor.attach(Module.findExportByName(null, "strstr"), {
    onEnter: function (args) {
        this.hooked = false;
        // args[1] is the needle; guard against a NULL pointer before reading it
        this.needle = args[1].isNull() ? "" : args[1].readCString();
        // console.log("[a] strstr args[1] : " + args[1] + " / " + this.needle);

        if (this.needle.indexOf("frida") !== -1 || this.needle.indexOf("xpose") !== -1) {
            this.hooked = true;
            console.log("checking frida...");
        }
    },

    onLeave: function (retval) {
        // the flag set in onEnter decides whether the return value is tampered with
        if (this.hooked) {
            retval.replace(ptr(0)); // replacement value: NULL, i.e. "substring not found"
        }
    }
});


About the frida port

frida's default port is 27042

starlteks:/ # netstat -nat
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:27042         0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.65:39442      172.217.174.106:443     ESTABLISHED
tcp        0      0 192.168.0.65:43014      216.58.197.246:443      ESTABLISHED
tcp        0      0 192.168.0.65:37178      172.217.25.226:443      ESTABLISHED
tcp6       0      0 :::41493                :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:45149  :::*                    LISTEN
tcp6       0      0 ::ffff:192.168.0.:47894 ::ffff:172.217.27.7:443 ESTABLISHED
tcp6       0      0 ::ffff:192.168.0.:47928 ::ffff:108.177.125:5228 ESTABLISHED
tcp6       0      0 ::ffff:192.168.0.:45514 ::ffff:172.217.175.:443 ESTABLISHED
tcp6       0      0 ::ffff:192.168.0.:44560 ::ffff:172.217.25.7:443 ESTABLISHED

frida-server can be started on a port of your choice

# /system/frida-server tcp:host=192.168.0.65,port=17000

starlteks:/ # netstat -nat
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.65:17000      0.0.0.0:*               LISTEN
tcp6       0      0 ::ffff:127.0.0.1:45149  :::*                    LISTEN
tcp6       0      0 ::ffff:192.168.0.:43566 ::ffff:216.58.197.2:443 TIME_WAIT
tcp6       0      0 ::ffff:192.168.0.:36154 ::ffff:172.217.161.:443 ESTABLISHED
tcp6       0      0 ::ffff:192.168.0.:47928 ::ffff:108.177.125:5228 ESTABLISHED
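As an added example that is not from this post: a C check that scans /proc/net/tcp-format text for a socket in LISTEN state on the default port 27042. The column layout and the 0A state code are the kernel's /proc/net/tcp format; the sample rows are constructed to mirror the two netstat listings above, and they show the caveat: once frida-server is started on another port, a check pinned to 27042 sees nothing.

```c
#include <stdio.h>
#include <string.h>

#define FRIDA_DEFAULT_PORT 27042
#define TCP_LISTEN 0x0A /* socket state code for LISTEN in /proc/net/tcp */

/* Scan a /proc/net/tcp-format buffer. Rows look like
 *   "   0: 0100007F:69A2 00000000:0000 0A ..."  (local addr:port and
 * remote addr:port in hex, then the state). Returns 1 if some row is a
 * LISTEN socket whose local port equals `port`, else 0. */
int listening_on_port(const char *table, int port)
{
    const char *line = table;
    while (line != NULL && *line != '\0') {
        unsigned int local_port, state;
        /* the header row and malformed rows fail to parse and are skipped */
        if (sscanf(line, " %*d: %*8x:%x %*8x:%*x %x", &local_port, &state) == 2
            && state == TCP_LISTEN && local_port == (unsigned int)port)
            return 1;
        line = strchr(line, '\n');
        if (line != NULL) line++;
    }
    return 0;
}

/* Live check: read the kernel table and look for 27042. Returns -1 if unreadable. */
int frida_default_port_open(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/net/tcp", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return listening_on_port(buf, FRIDA_DEFAULT_PORT);
}

/* Constructed rows mirroring the first netstat listing: 127.0.0.1:27042 LISTEN
 * (0x69A2 == 27042) plus one ESTABLISHED connection to port 443 (0x01BB). */
const char SAMPLE_DEFAULT_PORT[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0\n"
    "   1: 4100A8C0:9A12 6AAED9AC:01BB 01 00000000:00000000 00:00000000 00000000 10088        0 2 1 0 20 4 30 10 -1\n";

/* Constructed rows mirroring the second listing: server moved to 192.168.0.65:17000 (0x4268). */
const char SAMPLE_CUSTOM_PORT[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 4100A8C0:4268 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3 1 0 100 0 0 10 0\n";
```

On a device, frida_default_port_open() reads the live table; an app relying on it alone is blind to the second listing, which is why port checks are usually combined with other signals.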


There are cases where the app detects frida even when the frida script hooks nothing at all

That is not the port 27042 check or the frida file-based detection, but because frida itself hooks some things internally! -> need to study this part further
