揰掵佲 发表于 2022-12-5 18:03:23

这是一个 Frida VEH 示例

好了废话不多说,因为太简单了,没什么话可以说,直接上代码。Talk is cheap. Show you My code.顺便说一句,丢掉调试器,丢掉各种Loader各种Patcher吧,一个 frida 的 js 脚本就能干翻一切。
大佬们可以自己实现下 x64 下的代码(尝试下试硬件断点的方式,尝试下 VMP,TEP,WL,SE各种壳的替换机器码)
python3 安装 frida
pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple
然后把这个 js 放 exe 同级目录,在目录下 cmd 或者 PS运行下面命令就行
frida -f 010Editor.exe -l ./frida-veh-010-bs.js
//"use strict"
// Frida agent script. It installs a process-wide exception handler, plants a
// single int3 (0xCC) byte at a fixed RVA inside 010Editor.exe and, when that
// byte traps, rewrites the thread context before resuming. `Frida`, `Process`,
// `Memory`, `ptr` and `hexdump` are Frida runtime globals, not Node built-ins.
console.log("\n");
console.warn("Frida.version = " + Frida.version);
console.log("Frida.heapSize = " + Frida.heapSize);
console.warn("Process.arch = " + Process.arch);
console.warn("Process.platform = " + Process.platform);
console.log("Process.pointerSize = " + Process.pointerSize);
console.log("\n");
console.error(" 这是一个 Frida VEH 010 Editor 的牛逼示例")
console.error(" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple ");
console.error(" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause ");
// Only the 32-bit Windows build is handled; the x64 branch is a stub.
if (Process.platform == "windows" && Process.arch == "x64") {
    console.warn("\n", "Coming soon :) ", "\n");
} else if (Process.platform == "windows" && Process.arch == "ia32") {
    // Resolve the main module. findModuleByName yields null when the module is
    // not loaded, and there is no null check, so `editor.base` would throw then.
    var editor = Process.findModuleByName("010Editor.exe");
    console.log("010 editor base: ", editor.base, typeof (editor.base));
    // Patch site = image base + hard-coded RVA 0x31f7fa. The offset belongs to
    // one specific build of the binary and does not survive a version change.
    var sub_patchaddr = editor.base.add(0x31f7fa);
    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));
    // `buf` is read here but never used afterwards.
    var buf = Memory.readByteArray(sub_patchaddr, 16);
    // Original first byte at the patch site; it is written back inside the
    // handler so the instruction is intact when execution is resumed.
    const cc_origin = Memory.readU8(sub_patchaddr);
    console.log("cc_origin: ", cc_origin, typeof (cc_origin));
    console.log(hexdump(sub_patchaddr, { offset: 0, length: 32, header: true, ansi: true }));
    // VEH: this callback receives every exception raised in the process.
    Process.setExceptionHandler(function (details) {
      // NOTE(review): neither details.address nor details.type is compared
      // against sub_patchaddr / the breakpoint type, so an unrelated exception
      // (e.g. a genuine access violation elsewhere) would also be reported as
      // handled here, with its eip advanced and eax overwritten; the crash would
      // be masked instead of surfacing.
      console.log("\n", "setExceptionHandler ==> address: ", details.address);
      console.error(JSON.stringify(details));
      console.warn("RVA: ", details.address.sub(editor.base));
      // Log the byte currently at eip, wrapped in ptr() so it prints as hex.
      console.log("eip: " + ptr(Memory.readU8(details.context.eip)));
      // Restore the original byte (the 0x55 variant is a leftover, kept disabled).
      //Memory.writeU8(sub_patchaddr, 0x55);
      Memory.writeU8(sub_patchaddr, cc_origin);
      // Same read as above, after the restore, to show the byte changed.
      console.warn("eip: " + ptr(Memory.readU8(details.context.eip)));

      console.log("eip: ", details.context.eip);
      console.log("pc: ", details.context.pc);
      console.log("eax: ", details.context.eax);
      // Rewrite the thread context: eax is forced to 0xDB and eip is moved 7
      // bytes forward. Both values are tied to the instructions at this RVA in
      // this build; nothing in the script derives them, they are assumed.
      details.context.eax = 0xDB;
      details.context.eip = ptr(details.context.eip).add(0x7);
      console.warn("eax: ", details.context.eax);
      console.warn("eip: ", details.context.eip);
      console.warn("pc: ", details.context.pc);
      // Re-arm: make the byte writable+executable and plant int3 (0xCC) again so
      // the next execution of this address traps too. Flipping a code page to
      // rwx and writing into the image's code section is the kind of in-memory
      // modification that code-integrity / anti-tamper checks are built to detect.
      Memory.protect(sub_patchaddr, 1, 'rwx');
      Memory.writeU8(sub_patchaddr, 0xcc);
      // true = exception handled; the thread resumes with the modified context.
      return true;
    });
    // Initial arming of the int3 (0xCC) breakpoint, same two steps as in the handler.
    Memory.protect(sub_patchaddr, 1, 'rwx');
    Memory.writeU8(sub_patchaddr, 0xcc);
} else {
    console.warn("\n", "This platform and architecture are not supported :( ", "\n");
}

bianyuan456 发表于 2022-12-7 23:11:49

感谢分享,看看怎么牛逼的

coody 发表于 2023-8-10 15:30:29


感谢分享,很给力!~

coody 发表于 2023-8-10 15:30:46


新技能已get√

kelwryjh 发表于 2024-2-15 12:04:13

感谢分享,很给力!~