├── .gitignore ├── README.md ├── android ├── backtrace.js ├── common_detections_calls.js ├── dwarf_trace_nested_java_function.js ├── hook_system_load_library.js ├── pinning.js ├── selinux_check.js └── statically_access_root_activity_and_layout.js ├── arm64 ├── hook_svc.js ├── stalk_svc.js └── syscall_table_to_js_obj.py └── unix └── pthread_create_n_task.js
/.gitignore:
--------------------------------------------------------------------------------
.idea
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
We collect here all the useful scripts for an ez copy pasta


##### ARM64
[Hook SVC in given space](https://github.com/secRet-re/frida-scripts/blob/master/arm64/hook_svc.js)

[Stalk SVC](https://github.com/secRet-re/frida-scripts/blob/master/arm64/stalk_svc.js)

##### Android
[Backtrace](https://github.com/secRet-re/frida-scripts/blob/master/android/backtrace.js)

[Break selinux check](https://github.com/secRet-re/frida-scripts/blob/master/android/selinux_check.js)

[Cert pinning](https://github.com/secRet-re/frida-scripts/blob/master/android/pinning.js)

[Common calls for su and other detections](https://github.com/secRet-re/frida-scripts/blob/master/android/common_detections_calls.js)

[Dwarf: trace java function](https://github.com/secRet-re/frida-scripts/blob/master/android/dwarf_trace_nested_java_function.js)

[Hook native library loading](https://github.com/secRet-re/frida-scripts/blob/master/android/hook_system_load_library.js)

[Statically grab a handle to root activity and root layout](https://github.com/secRet-re/frida-scripts/blob/master/android/statically_access_root_activity_and_layout.js)

##### Unix
[Run code on a new thread](https://github.com/secRet-re/frida-scripts/blob/master/unix/pthread_create_n_task.js)
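// -------------------------------------------------------------------------------- /android/backtrace.js: --------------------------------------------------------------------------------

/**
 * Print the Java stack trace of the calling thread to the Frida console.
 *
 * A fresh java.lang.Exception captures the call stack at construction; it is
 * formatted with android.util.Log.getStackTraceString. Runs inside
 * Java.perform so the current thread is attached to the VM.
 */
function backtrace() {
  Java.perform(function () {
    var Log = Java.use("android.util.Log");
    var Exception = Java.use("java.lang.Exception");
    console.log(Log.getStackTraceString(Exception.$new()));
  });
}

// -------------------------------------------------------------------------------- /android/common_detections_calls.js: --------------------------------------------------------------------------------

/**
 * common calls for su and various detections
 *
 * Logs the path (or command) argument of the libc entry points that
 * root/tamper-detection code typically uses to probe the filesystem, so the
 * analyst can see which locations the app checks.
 */

/**
 * Attach an onEnter logger to a libc export and print one string argument.
 *
 * @param {string} name - exported symbol to hook (looked up across all loaded modules)
 * @param {number} pathArgIndex - index of the `const char *` argument to print
 */
function hookPathArg(name, pathArgIndex) {
  var target = Module.findExportByName(null, name);
  // findExportByName returns null when the symbol is absent; passing null to
  // Interceptor.attach throws and aborts the whole script, so skip instead.
  if (target === null) {
    console.log('[!] export not found, skipping:', name);
    return;
  }
  Interceptor.attach(target, function (args) {
    var arg = args[pathArgIndex];
    // readUtf8String on a NULL argument would throw inside the hook.
    console.log(name, arg.isNull() ? '(null)' : arg.readUtf8String());
  });
}

hookPathArg('faccessat', 1); // faccessat(dirfd, path, mode, flags): path is the 2nd argument
hookPathArg('open', 0);
hookPathArg('stat', 0);
hookPathArg('access', 0);
hookPathArg('system', 0);    // system(command)

// -------------------------------------------------------------------------------- /android/dwarf_trace_nested_java_function.js: --------------------------------------------------------------------------------
/* startJavaTracer is a Dwarf api.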
The implemented callbacks will give a similar output 2 | |--------> org.json.JSONObject.toString ( ) 3 | | 4 | |------------> org.json.JSONObject.writeTo ( null (org.json.JSONStringer) ) 5 | | 6 | |----------------> org.json.JSONObject.writeTo ( {"rs":[ (org.json.JSONStringer) ) 7 | | 8 | |--------------------> org.json.JSONObject.writeTo ( {"rs":[{"sers" (org.json.JSONStringer) ) 9 | | 10 | |------------------------> org.json.JSONObject.numberToString ( 1590597498541 (java.lang.Long) ) 11 | | 12 | |------------------------> org.json.JSONObject.writeTo ( {"rs":[{"sers":{"ts":null,"ls":[ (org.json.JSONStringer) ) 13 | |<------------------------ org.json.JSONObject writeTo void 14 | | 15 | |------------------------> org.json.JSONObject.writeTo ( {"rs":[{"sers":{"ts":null,"ls":[{"sn":"com.mufc.fireuvw.MainService","pn":"com.mufc.fireuvw"} (org.json.JSONStringer) ) 16 | |<------------------------ org.json.JSONObject writeTo void 17 | |<-------------------- org.json.JSONObject writeTo void 18 | |<---------------- org.json.JSONObject writeTo void 19 | */ 20 | startJavaTracer(['list', 'of', 'target', 'classes'], { 21 | onEnter: function () { 22 | console.log('|'); 23 | this.nullDepthLine = ('\t'.repeat(this.depth)); 24 | this.depthLine = ('----'.repeat(this.nullDepthLine.length)); 25 | var r = ['|' + this.depthLine + '>', this.$className + '.' 
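+ this.method];
r.push(' (')
for (var i=0;i= 29) {
// NOTE(review): the listing is damaged here — the text between "i<" in the
// tracer loop above and ">= 29" was lost in extraction (gutter jumps from
// 27 to 12), so the rest of dwarf_trace_nested_java_function.js and the
// first eleven lines of hook_system_load_library.js are not visible.
Runtime.getRuntime().loadLibrary0(Java.use('sun.reflect.Reflection').getCallerClass(), currentLibname);
} else if (VERSION.SDK_INT.value >= 24) {
Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), currentLibname);
} else {
Runtime.getRuntime().loadLibrary(currentLibname, VMStack.getCallingClassLoader());
}
if(currentLibname === libname) {
callback();
}
};
});
}

// -------------------------------------------------------------------------------- /android/pinning.js: --------------------------------------------------------------------------------
// start with:
// frida -U -l pinning.js -f [APP_ID] --no-pause
//
// Replaces the trust decisions of the process's TLS stack and of a few
// pinning libraries (okhttp3, TrustKit, conscrypt TrustManagerImpl,
// Appcelerator). Each library is hooked inside its own try/catch because an
// app normally ships only one of them and Java.use() throws for a class that
// is not present.

Java.perform(function () {
  console.log('');
  console.log('===');
  console.log('* Injecting hooks into common certificate pinning methods *');
  console.log('===');

  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  // build fake trust manager
  // Both check methods are empty, so this manager performs no chain
  // validation at all.
  var TrustManager = Java.registerClass({
    name: 'com.sensepost.test.TrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {
      },
      checkServerTrusted: function (chain, authType) {
      },
      getAcceptedIssuers: function () {
        return [];
      }
    }
  });

  // pass our own custom trust manager through when requested
  // The app's own trustManager argument is discarded; only keyManager and
  // secureRandom are forwarded unchanged.
  var TrustManagers = [TrustManager.$new()];
  var SSLContext_init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom'
  );
  SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) {
    console.log('! Intercepted trustmanager request');
    SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
  };

  console.log('* Setup custom trust manager');

  // okhttp3
  try {
    var CertificatePinner = Java.use('okhttp3.CertificatePinner');
    // check(String hostname, List<Certificate>) throws on a pin mismatch;
    // returning normally makes every chain pass.
    CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
      console.log('! Intercepted okhttp3: ' + str);
      return;
    };

    console.log('* Setup okhttp3 pinning');
  } catch (err) {
    console.log('* Unable to hook into okhttp3 pinner');
  }

  // trustkit
  try {
    var OkHostnameVerifier = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
    OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
      console.log('! Intercepted trustkit{1}: ' + str);
      return true;
    };

    OkHostnameVerifier.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
      console.log('! Intercepted trustkit{2}: ' + str);
      return true;
    };

    console.log('* Setup trustkit pinning');
  } catch (err) {
    console.log('* Unable to hook into trustkit pinner');
  }

  // TrustManagerImpl
  try {
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    // Returning the untrusted chain as-is short-circuits conscrypt's
    // validation; no overload is selected, so this applies to every
    // verifyChain signature.
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      console.log('! Intercepted TrustManagerImp: ' + host);
      return untrustedChain;
    };

    console.log('* Setup TrustManagerImpl pinning');
  } catch (err) {
    console.log('* Unable to hook into TrustManagerImpl');
  }

  // Appcelerator
  try {
    var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
    PinningTrustManager.checkServerTrusted.implementation = function () {
      console.log('! Intercepted Appcelerator');
    };

    console.log('* Setup Appcelerator pinning');
  } catch (err) {
    console.log('* Unable to hook into Appcelerator pinning');
  }
});

// -------------------------------------------------------------------------------- /android/selinux_check.js: --------------------------------------------------------------------------------
// Spoof the SELinux status seen by the hooked process: once it open()s
// /sys/fs/selinux/enforce, the first read() on that descriptor has its buffer
// overwritten so the caller observes the "enforcing" value.
var selinuxFd = -1;

Interceptor.attach(Module.findExportByName(null, 'open'), {
  onEnter: function (args) {
    // A NULL path would make readUtf8String throw inside the hook.
    this.path = args[0].isNull() ? null : args[0].readUtf8String();
  },
  onLeave: function (ret) {
    if (this.path === '/sys/fs/selinux/enforce') {
      // toInt32() keeps a failed open() as -1; parseInt() on the pointer's
      // hex string would have produced a large positive number instead.
      var fd = ret.toInt32();
      if (fd >= 0) {
        selinuxFd = fd;
      }
    }
  }
});

Interceptor.attach(Module.findExportByName(null, 'read'), {
  onEnter: function (args) {
    this.fd = args[0].toInt32();
    this.buf = args[1];
  },
  onLeave: function (ret) {
    // One-shot: only the first read() after the matching open() is rewritten.
    if (this.fd === selinuxFd) {
      selinuxFd = -1;
      // NOTE(review): the enforce node normally reads back as the ASCII digit,
      // so a caller comparing the buffer against the character '1' will not
      // match this raw 0x01 byte — confirm this is the intended value.
      this.buf.writeU8(1);
    }
  }
});

// -------------------------------------------------------------------------------- /android/statically_access_root_activity_and_layout.js: --------------------------------------------------------------------------------
// Grab the first Activity known to the ActivityThread without waiting for a
// lifecycle callback, then print its content view.
Java.perform(function () {
  const ActivityThread = Java.use('android.app.ActivityThread');
  const ActivityClientRecord = Java.use('android.app.ActivityThread$ActivityClientRecord');
  // mActivities is a map whose values are ActivityClientRecord objects
  // (presumably keyed by activity token — verify against the platform source).
  const records = ActivityThread.currentActivityThread().mActivities.value.values().toArray();
  if (records.length === 0) {
    // Indexing [0] on an empty array would hand undefined to Java.cast.
    console.log('no activity has been created yet');
    return;
  }
  const record = Java.cast(records[0], ActivityClientRecord);
  const rootActivity = record.activity.value;
  // NOTE(review): the `content` id is defined in the `android` resource
  // package; looking it up under the app's own package returns 0 unless the
  // app declares an id with that name — confirm which one is wanted.
  const contentViewId = rootActivity.getResources().getIdentifier('content', "id", rootActivity.getPackageName());
  console.log(rootActivity.findViewById(contentViewId));
});

// -------------------------------------------------------------------------------- /arm64/hook_svc.js: --------------------------------------------------------------------------------
/**
 * attach any SVC in a given space
 */

var table = {0: 'io_setup', 1: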
'io_destroy', 2: 'io_submit', 3: 'io_cancel', 4: 'io_getevents', 5: 'setxattr', 6: 'lsetxattr', 7: 'fsetxattr', 8: 'getxattr', 9: 'lgetxattr', 10: 'fgetxattr', 11: 'listxattr', 12: 'llistxattr', 13: 'flistxattr', 14: 'removexattr', 15: 'lremovexattr', 16: 'fremovexattr', 17: 'getcwd', 18: 'lookup_dcookie', 19: 'eventfd2', 20: 'epoll_create1', 21: 'epoll_ctl', 22: 'epoll_pwait', 23: 'dup', 24: 'dup3', 25: 'fcntl', 26: 'inotify_init1', 27: 'inotify_add_watch', 28: 'inotify_rm_watch', 29: 'ioctl', 30: 'ioprio_set', 31: 'ioprio_get', 32: 'flock', 33: 'mknodat', 34: 'mkdirat', 35: 'unlinkat', 36: 'symlinkat', 37: 'linkat', 38: 'renameat', 39: 'umount2', 40: 'mount', 41: 'pivot_root', 42: 'nfsservctl', 43: 'statfs', 44: 'fstatfs', 45: 'truncate', 46: 'ftruncate', 47: 'fallocate', 48: 'faccessat', 49: 'chdir', 50: 'fchdir', 51: 'chroot', 52: 'fchmod', 53: 'fchmodat', 54: 'fchownat', 55: 'fchown', 56: 'openat', 57: 'close', 58: 'vhangup', 59: 'pipe2', 60: 'quotactl', 61: 'getdents64', 62: 'lseek', 63: 'read', 64: 'write', 65: 'readv', 66: 'writev', 67: 'pread64', 68: 'pwrite64', 69: 'preadv', 70: 'pwritev', 71: 'sendfile', 72: 'pselect6', 73: 'ppoll', 74: 'signalfd4', 75: 'vmsplice', 76: 'splice', 77: 'tee', 78: 'readlinkat', 79: 'fstatat', 80: 'fstat', 81: 'sync', 82: 'fsync', 83: 'fdatasync', 84: 'sync_file_range', 85: 'timerfd_create', 86: 'timerfd_settime', 87: 'timerfd_gettime', 88: 'utimensat', 89: 'acct', 90: 'capget', 91: 'capset', 92: 'personality', 93: 'exit', 94: 'exit_group', 95: 'waitid', 96: 'set_tid_address', 97: 'unshare', 98: 'futex', 99: 'set_robust_list', 100: 'get_robust_list', 101: 'nanosleep', 102: 'getitimer', 103: 'setitimer', 104: 'kexec_load', 105: 'init_module', 106: 'delete_module', 107: 'timer_create', 108: 'timer_gettime', 109: 'timer_getoverrun', 110: 'timer_settime', 111: 'timer_delete', 112: 'clock_settime', 113: 'clock_gettime', 114: 'clock_getres', 115: 'clock_nanosleep', 116: 'syslog', 117: 'ptrace', 118: 'sched_setparam', 119: 
'sched_setscheduler', 120: 'sched_getscheduler', 121: 'sched_getparam', 122: 'sched_setaffinity', 123: 'sched_getaffinity', 124: 'sched_yield', 125: 'sched_get_priority_max', 126: 'sched_get_priority_min', 127: 'sched_rr_get_interval', 128: 'restart_syscall', 129: 'kill', 130: 'tkill', 131: 'tgkill', 132: 'sigaltstack', 133: 'rt_sigsuspend', 134: 'rt_sigaction', 135: 'rt_sigprocmask', 136: 'rt_sigpending', 137: 'rt_sigtimedwait', 138: 'rt_sigqueueinfo', 139: 'rt_sigreturn', 140: 'setpriority', 141: 'getpriority', 142: 'reboot', 143: 'setregid', 144: 'setgid', 145: 'setreuid', 146: 'setuid', 147: 'setresuid', 148: 'getresuid', 149: 'setresgid', 150: 'getresgid', 151: 'setfsuid', 152: 'setfsgid', 153: 'times', 154: 'setpgid', 155: 'getpgid', 156: 'getsid', 157: 'setsid', 158: 'getgroups', 159: 'setgroups', 160: 'uname', 161: 'sethostname', 162: 'setdomainname', 163: 'getrlimit', 164: 'setrlimit', 165: 'getrusage', 166: 'umask', 167: 'prctl', 168: 'getcpu', 169: 'gettimeofday', 170: 'settimeofday', 171: 'adjtimex', 172: 'getpid', 173: 'getppid', 174: 'getuid', 175: 'geteuid', 176: 'getgid', 177: 'getegid', 178: 'gettid', 179: 'sysinfo', 180: 'mq_open', 181: 'mq_unlink', 182: 'mq_timedsend', 183: 'mq_timedreceive', 184: 'mq_notify', 185: 'mq_getsetattr', 186: 'msgget', 187: 'msgctl', 188: 'msgrcv', 189: 'msgsnd', 190: 'semget', 191: 'semctl', 192: 'semtimedop', 193: 'semop', 194: 'shmget', 195: 'shmctl', 196: 'shmat', 197: 'shmdt', 198: 'socket', 199: 'socketpair', 200: 'bind', 201: 'listen', 202: 'accept', 203: 'connect', 204: 'getsockname', 205: 'getpeername', 206: 'sendto', 207: 'recvfrom', 208: 'setsockopt', 209: 'getsockopt', 210: 'shutdown', 211: 'sendmsg', 212: 'recvmsg', 213: 'readahead', 214: 'brk', 215: 'munmap', 216: 'mremap', 217: 'add_key', 218: 'request_key', 219: 'keyctl', 220: 'clone', 221: 'execve', 222: 'mmap', 223: 'fadvise64', 224: 'swapon', 225: 'swapoff', 226: 'mprotect', 227: 'msync', 228: 'mlock', 229: 'munlock', 230: 'mlockall', 231: 
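'munlockall', 232: 'mincore', 233: 'madvise', 234: 'remap_file_pages', 235: 'mbind', 236: 'get_mempolicy', 237: 'set_mempolicy', 238: 'migrate_pages', 239: 'move_pages', 240: 'rt_tgsigqueueinfo', 241: 'perf_event_open', 242: 'accept4', 243: 'recvmmsg', 244: 'arch_specific_syscall', 260: 'wait4', 261: 'prlimit64', 262: 'fanotify_init', 263: 'fanotify_mark', 264: 'name_to_handle_at', 265: 'open_by_handle_at', 266: 'clock_adjtime', 267: 'syncfs', 268: 'setns', 269: 'sendmmsg', 270: 'process_vm_readv', 271: 'process_vm_writev', 272: 'kcmp', 273: 'finit_module', 274: 'sched_setattr', 275: 'sched_getattr', 276: 'renameat2', 277: 'seccomp', 278: 'getrandom', 279: 'memfd_create', 280: 'bpf', 281: 'execveat', 282: 'userfaultfd', 283: 'membarrier', 284: 'mlock2', 285: 'copy_file_range', 286: 'preadv2', 287: 'pwritev2', 288: 'pkey_mprotect', 289: 'pkey_alloc', 290: 'pkey_free', 291: 'statx', 292: 'syscalls'};

// Module whose executable ranges are scanned for `svc` instructions. It must
// already be loaded when this runs: findModuleByName returns null otherwise,
// and the original code then failed with an unhelpful TypeError.
var m = Process.findModuleByName('whatever.so');
if (m === null) {
  throw new Error('module not found (not loaded yet?): whatever.so');
}

m.enumerateRanges('--x').forEach(function (range) {
  // 01 00 00 d4 is the little-endian encoding of `svc #0`.
  Memory.scanSync(range.base, range.size, '01 00 00 d4').forEach(function (match) {
    // A64 instructions are 4-byte aligned; a byte-pattern hit at any other
    // offset is data that happens to match, not an instruction to hook.
    if (!match.address.and(3).isNull()) {
      return;
    }
    Interceptor.attach(match.address, function () {
      // On arm64 the syscall number is passed in x8.
      var sc = this.context.x8.toUInt32();
      console.log('syscall N', sc, '[' + (table[sc] || 'unknown') + ']');
    });
  });
});

// -------------------------------------------------------------------------------- /arm64/stalk_svc.js: --------------------------------------------------------------------------------
var table = {0: 'io_setup', 1: 'io_destroy', 2: 'io_submit', 3: 'io_cancel', 4: 'io_getevents', 5: 'setxattr', 6: 'lsetxattr', 7: 'fsetxattr', 8: 'getxattr', 9: 'lgetxattr', 10: 'fgetxattr', 11: 'listxattr', 12: 'llistxattr', 13: 'flistxattr', 14: 'removexattr', 15: 'lremovexattr', 16: 'fremovexattr', 17: 'getcwd', 18: 'lookup_dcookie', 19: 'eventfd2', 20: 'epoll_create1', 21: 'epoll_ctl', 22: 'epoll_pwait', 23: 'dup', 24: 'dup3', 25: 'fcntl', 26: 'inotify_init1', 27: 'inotify_add_watch', 28: 'inotify_rm_watch',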
29: 'ioctl', 30: 'ioprio_set', 31: 'ioprio_get', 32: 'flock', 33: 'mknodat', 34: 'mkdirat', 35: 'unlinkat', 36: 'symlinkat', 37: 'linkat', 38: 'renameat', 39: 'umount2', 40: 'mount', 41: 'pivot_root', 42: 'nfsservctl', 43: 'statfs', 44: 'fstatfs', 45: 'truncate', 46: 'ftruncate', 47: 'fallocate', 48: 'faccessat', 49: 'chdir', 50: 'fchdir', 51: 'chroot', 52: 'fchmod', 53: 'fchmodat', 54: 'fchownat', 55: 'fchown', 56: 'openat', 57: 'close', 58: 'vhangup', 59: 'pipe2', 60: 'quotactl', 61: 'getdents64', 62: 'lseek', 63: 'read', 64: 'write', 65: 'readv', 66: 'writev', 67: 'pread64', 68: 'pwrite64', 69: 'preadv', 70: 'pwritev', 71: 'sendfile', 72: 'pselect6', 73: 'ppoll', 74: 'signalfd4', 75: 'vmsplice', 76: 'splice', 77: 'tee', 78: 'readlinkat', 79: 'fstatat', 80: 'fstat', 81: 'sync', 82: 'fsync', 83: 'fdatasync', 84: 'sync_file_range', 85: 'timerfd_create', 86: 'timerfd_settime', 87: 'timerfd_gettime', 88: 'utimensat', 89: 'acct', 90: 'capget', 91: 'capset', 92: 'personality', 93: 'exit', 94: 'exit_group', 95: 'waitid', 96: 'set_tid_address', 97: 'unshare', 98: 'futex', 99: 'set_robust_list', 100: 'get_robust_list', 101: 'nanosleep', 102: 'getitimer', 103: 'setitimer', 104: 'kexec_load', 105: 'init_module', 106: 'delete_module', 107: 'timer_create', 108: 'timer_gettime', 109: 'timer_getoverrun', 110: 'timer_settime', 111: 'timer_delete', 112: 'clock_settime', 113: 'clock_gettime', 114: 'clock_getres', 115: 'clock_nanosleep', 116: 'syslog', 117: 'ptrace', 118: 'sched_setparam', 119: 'sched_setscheduler', 120: 'sched_getscheduler', 121: 'sched_getparam', 122: 'sched_setaffinity', 123: 'sched_getaffinity', 124: 'sched_yield', 125: 'sched_get_priority_max', 126: 'sched_get_priority_min', 127: 'sched_rr_get_interval', 128: 'restart_syscall', 129: 'kill', 130: 'tkill', 131: 'tgkill', 132: 'sigaltstack', 133: 'rt_sigsuspend', 134: 'rt_sigaction', 135: 'rt_sigprocmask', 136: 'rt_sigpending', 137: 'rt_sigtimedwait', 138: 'rt_sigqueueinfo', 139: 'rt_sigreturn', 140: 
'setpriority', 141: 'getpriority', 142: 'reboot', 143: 'setregid', 144: 'setgid', 145: 'setreuid', 146: 'setuid', 147: 'setresuid', 148: 'getresuid', 149: 'setresgid', 150: 'getresgid', 151: 'setfsuid', 152: 'setfsgid', 153: 'times', 154: 'setpgid', 155: 'getpgid', 156: 'getsid', 157: 'setsid', 158: 'getgroups', 159: 'setgroups', 160: 'uname', 161: 'sethostname', 162: 'setdomainname', 163: 'getrlimit', 164: 'setrlimit', 165: 'getrusage', 166: 'umask', 167: 'prctl', 168: 'getcpu', 169: 'gettimeofday', 170: 'settimeofday', 171: 'adjtimex', 172: 'getpid', 173: 'getppid', 174: 'getuid', 175: 'geteuid', 176: 'getgid', 177: 'getegid', 178: 'gettid', 179: 'sysinfo', 180: 'mq_open', 181: 'mq_unlink', 182: 'mq_timedsend', 183: 'mq_timedreceive', 184: 'mq_notify', 185: 'mq_getsetattr', 186: 'msgget', 187: 'msgctl', 188: 'msgrcv', 189: 'msgsnd', 190: 'semget', 191: 'semctl', 192: 'semtimedop', 193: 'semop', 194: 'shmget', 195: 'shmctl', 196: 'shmat', 197: 'shmdt', 198: 'socket', 199: 'socketpair', 200: 'bind', 201: 'listen', 202: 'accept', 203: 'connect', 204: 'getsockname', 205: 'getpeername', 206: 'sendto', 207: 'recvfrom', 208: 'setsockopt', 209: 'getsockopt', 210: 'shutdown', 211: 'sendmsg', 212: 'recvmsg', 213: 'readahead', 214: 'brk', 215: 'munmap', 216: 'mremap', 217: 'add_key', 218: 'request_key', 219: 'keyctl', 220: 'clone', 221: 'execve', 222: 'mmap', 223: 'fadvise64', 224: 'swapon', 225: 'swapoff', 226: 'mprotect', 227: 'msync', 228: 'mlock', 229: 'munlock', 230: 'mlockall', 231: 'munlockall', 232: 'mincore', 233: 'madvise', 234: 'remap_file_pages', 235: 'mbind', 236: 'get_mempolicy', 237: 'set_mempolicy', 238: 'migrate_pages', 239: 'move_pages', 240: 'rt_tgsigqueueinfo', 241: 'perf_event_open', 242: 'accept4', 243: 'recvmmsg', 244: 'arch_specific_syscall', 260: 'wait4', 261: 'prlimit64', 262: 'fanotify_init', 263: 'fanotify_mark', 264: 'name_to_handle_at', 265: 'open_by_handle_at', 266: 'clock_adjtime', 267: 'syncfs', 268: 'setns', 269: 'sendmmsg', 270: 
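'process_vm_readv', 271: 'process_vm_writev', 272: 'kcmp', 273: 'finit_module', 274: 'sched_setattr', 275: 'sched_getattr', 276: 'renameat2', 277: 'seccomp', 278: 'getrandom', 279: 'memfd_create', 280: 'bpf', 281: 'execveat', 282: 'userfaultfd', 283: 'membarrier', 284: 'mlock2', 285: 'copy_file_range', 286: 'preadv2', 287: 'pwritev2', 288: 'pkey_mprotect', 289: 'pkey_alloc', 290: 'pkey_free', 291: 'statx', 292: 'syscalls'};

/**
 * Follow the current thread with Stalker and insert a callout in front of
 * every `svc` instruction it executes; the callout (onSVC) logs the syscall
 * number. Instructions are kept as-is, only the callout is added.
 */
function stalkSVC() {
  Stalker.follow(Process.getCurrentThreadId(), {
    transform: function (iter) {
      var insn;
      // Test for null before touching `mnemonic` instead of dereferencing the
      // first result unconditionally.
      while ((insn = iter.next()) !== null) {
        if (insn.mnemonic === 'svc') {
          iter.putCallout(onSVC);
        }
        iter.keep();
      }
    }
  });
}

/**
 * Stalker callout: print the syscall number found in x8 and its name.
 *
 * @param {CpuContext} context - CPU state at the `svc` instruction (arm64)
 */
function onSVC(context) {
  var sc = context.x8.toUInt32();
  console.log('syscall N', sc, '[' + (table[sc] || 'unknown') + ']');
}

# -------------------------------------------------------------------------------- /arm64/syscall_table_to_js_obj.py: --------------------------------------------------------------------------------
import requests

# Build the {number: name} syscall table used by hook_svc.js / stalk_svc.js
# from the asm-generic unistd.h of a pinned kernel tag.
r = requests.get('https://raw.githubusercontent.com/torvalds/linux/v4.17/include/uapi/asm-generic/unistd.h', timeout=30).text
lines = r.split('\n')
table = {}
for x in lines:
    if x.startswith('#define') and '_NR' in x:
        y = x.split(' ')
        try:
            num = int(y[-1])
        except ValueError:
            # defines whose value is another macro rather than a number
            continue
        # "__NR_io_setup" -> ['', '', 'NR', 'io', 'setup'] -> "io_setup"
        name = '_'.join(y[1].split('_')[3:])
        table[num] = name
print(table)

// -------------------------------------------------------------------------------- /unix/pthread_create_n_task.js: --------------------------------------------------------------------------------
// Start a native thread whose entry point is a Frida NativeCallback.
var pthread = new NativeFunction(Module.findExportByName(null, 'pthread_create'), 'int', ['pointer', 'pointer', 'pointer', 'pointer']);

var pthread_t = Memory.alloc(Process.pointerSize);
Memory.protect(pthread_t, Process.pointerSize, 'rwx');

// Thread entry point. Interceptor.replace() writes a jump at `handler`, which
// on arm64 can be longer than a pointer-sized buffer; a page-sized allocation
// leaves room for it and keeps it out of neighbouring allocations.
var handler = Memory.alloc(Process.pageSize);
Memory.protect(handler, Process.pageSize, 'rwx');
if (Process.arch === 'arm64') {
  // Seed the buffer with a valid instruction so the replace has something
  // well-formed to relocate.
  var writer = new Arm64Writer(handler);
  writer.putNop();
  writer.flush();
  writer.dispose();
}
Interceptor.replace(handler, new NativeCallback(function () {
  console.log('hello from', Process.getCurrentThreadId());
  return 0;
}, 'int', []));

console.log('starting thread from', Process.getCurrentThreadId());
// pthread_create returns 0 on success and an errno value otherwise; the
// original ignored it, so a failed start was silent.
var rc = pthread(pthread_t, NULL, handler, NULL);
if (rc !== 0) {
  console.log('pthread_create failed, error', rc);
}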