├── .gitignore ├── Frida快速入门.docx ├── LICENSE ├── README.md └── 配套代码 ├── F01 ├── CheatEngine74.exe ├── WINMINE.EX_ ├── spyxx.zip ├── zh_CN_2.zip └── 课程专用OllyDbg_V3.7z ├── F03 └── F03.py ├── F04 ├── .vscode │ └── launch.json ├── L04.ts ├── js │ └── L04.js ├── package-lock.json ├── package.json └── tsconfig.json ├── F07 └── L07.ts ├── F08 └── L08.ts ├── F09 └── L09.ts ├── F10 ├── L10.ts └── win_api.ts ├── F11 ├── L11.ts └── win_api.ts ├── F12 ├── L12.ts └── win_api.ts ├── F14 ├── L14.ts └── win_api.ts ├── F15 ├── L08.ts └── win_api.ts ├── F16 ├── L16.ts └── win_api.ts ├── F17 ├── L17.ts └── win_api.ts ├── F18 └── L18.ts ├── F19 └── F19.ts ├── F20 ├── F20.cpp └── F20.ts ├── F21 └── F21.ts ├── F22 └── F22.ts ├── F24 ├── F24.ts └── win_api.ts ├── F26 └── F26.ts ├── F27 └── F27.ts ├── F28 └── F28.ts ├── F29 └── F29.ts ├── F30 └── F30.ts ├── F31 └── F31.ts ├── F32 └── F32.ts ├── F33 └── F33.ts ├── F35 └── F35.ts ├── F36 └── F36.ts ├── F37 └── F37.ts ├── F39 ├── F39.ts └── Win32Stream.cpp ├── F40 └── F40.ts ├── F41 ├── F41.py └── F41.ts ├── F43 └── F43.ts └── F44 └── F44.ts /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Aa][Rr][Mm]/ 27 | [Aa][Rr][Mm]64/ 28 | bld/ 29 | [Bb]in/ 30 | [Oo]bj/ 31 | [Ll]og/ 32 | [Ll]ogs/ 33 | 34 | # Visual Studio 2015/2017 cache/options directory 35 | .vs/ 36 | # Uncomment if you have tasks that create the project's static files in wwwroot 37 | #wwwroot/ 38 | 39 | # Visual Studio 2017 auto generated files 40 | Generated\ Files/ 41 | 42 | # MSTest test Results 43 | [Tt]est[Rr]esult*/ 44 | [Bb]uild[Ll]og.* 45 | 46 | # NUnit 47 | *.VisualState.xml 48 | TestResult.xml 49 | nunit-*.xml 50 | 51 | # Build Results of an ATL Project 52 | [Dd]ebugPS/ 53 | [Rr]eleasePS/ 54 | dlldata.c 55 | 56 | # Benchmark Results 57 | BenchmarkDotNet.Artifacts/ 58 | 59 | # .NET Core 60 | project.lock.json 61 | project.fragment.lock.json 62 | artifacts/ 63 | 64 | # StyleCop 65 | StyleCopReport.xml 66 | 67 | # Files built by Visual Studio 68 | *_i.c 69 | *_p.c 70 | *_h.h 71 | *.ilk 72 | *.meta 73 | *.obj 74 | *.iobj 75 | *.pch 76 | *.pdb 77 | *.ipdb 78 | *.pgc 79 | *.pgd 80 | *.rsp 81 | *.sbr 82 | *.tlb 83 | *.tli 84 | *.tlh 85 | *.tmp 86 | *.tmp_proj 87 | *_wpftmp.csproj 88 | *.log 89 | *.vspscc 90 | *.vssscc 91 | .builds 92 | *.pidb 93 | *.svclog 94 | *.scc 95 | 96 | # Chutzpah Test files 97 | _Chutzpah* 98 | 99 | # Visual C++ cache files 100 | ipch/ 101 | *.aps 102 | *.ncb 103 | *.opendb 104 | *.opensdf 105 | *.sdf 106 | *.cachefile 107 | *.VC.db 108 | *.VC.VC.opendb 109 | 110 | # Visual Studio profiler 111 | *.psess 112 | *.vsp 113 | *.vspx 114 | *.sap 115 | 116 | # Visual Studio Trace Files 117 | *.e2e 118 | 119 | # TFS 
2012 Local Workspace 120 | $tf/ 121 | 122 | # Guidance Automation Toolkit 123 | *.gpState 124 | 125 | # ReSharper is a .NET coding add-in 126 | _ReSharper*/ 127 | *.[Rr]e[Ss]harper 128 | *.DotSettings.user 129 | 130 | # TeamCity is a build add-in 131 | _TeamCity* 132 | 133 | # DotCover is a Code Coverage Tool 134 | *.dotCover 135 | 136 | # AxoCover is a Code Coverage Tool 137 | .axoCover/* 138 | !.axoCover/settings.json 139 | 140 | # Visual Studio code coverage results 141 | *.coverage 142 | *.coveragexml 143 | 144 | # NCrunch 145 | _NCrunch_* 146 | .*crunch*.local.xml 147 | nCrunchTemp_* 148 | 149 | # MightyMoose 150 | *.mm.* 151 | AutoTest.Net/ 152 | 153 | # Web workbench (sass) 154 | .sass-cache/ 155 | 156 | # Installshield output folder 157 | [Ee]xpress/ 158 | 159 | # DocProject is a documentation generator add-in 160 | DocProject/buildhelp/ 161 | DocProject/Help/*.HxT 162 | DocProject/Help/*.HxC 163 | DocProject/Help/*.hhc 164 | DocProject/Help/*.hhk 165 | DocProject/Help/*.hhp 166 | DocProject/Help/Html2 167 | DocProject/Help/html 168 | 169 | # Click-Once directory 170 | publish/ 171 | 172 | # Publish Web Output 173 | *.[Pp]ublish.xml 174 | *.azurePubxml 175 | # Note: Comment the next line if you want to checkin your web deploy settings, 176 | # but database connection strings (with potential passwords) will be unencrypted 177 | *.pubxml 178 | *.publishproj 179 | 180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 181 | # checkin your Azure Web App publish settings, but sensitive information contained 182 | # in these scripts will be unencrypted 183 | PublishScripts/ 184 | 185 | # NuGet Packages 186 | *.nupkg 187 | # NuGet Symbol Packages 188 | *.snupkg 189 | # The packages folder can be ignored because of Package Restore 190 | **/[Pp]ackages/* 191 | # except build/, which is used as an MSBuild target. 
192 | !**/[Pp]ackages/build/ 193 | # Uncomment if necessary however generally it will be regenerated when needed 194 | #!**/[Pp]ackages/repositories.config 195 | # NuGet v3's project.json files produces more ignorable files 196 | *.nuget.props 197 | *.nuget.targets 198 | 199 | # Microsoft Azure Build Output 200 | csx/ 201 | *.build.csdef 202 | 203 | # Microsoft Azure Emulator 204 | ecf/ 205 | rcf/ 206 | 207 | # Windows Store app package directories and files 208 | AppPackages/ 209 | BundleArtifacts/ 210 | Package.StoreAssociation.xml 211 | _pkginfo.txt 212 | *.appx 213 | *.appxbundle 214 | *.appxupload 215 | 216 | # Visual Studio cache files 217 | # files ending in .cache can be ignored 218 | *.[Cc]ache 219 | # but keep track of directories ending in .cache 220 | !?*.[Cc]ache/ 221 | 222 | # Others 223 | ClientBin/ 224 | ~$* 225 | *~ 226 | *.dbmdl 227 | *.dbproj.schemaview 228 | *.jfm 229 | *.pfx 230 | *.publishsettings 231 | orleans.codegen.cs 232 | 233 | # Including strong name files can present a security risk 234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 235 | #*.snk 236 | 237 | # Since there are multiple workflows, uncomment next line to ignore bower_components 238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 239 | #bower_components/ 240 | 241 | # RIA/Silverlight projects 242 | Generated_Code/ 243 | 244 | # Backup & report files from converting an old project file 245 | # to a newer Visual Studio version. 
Backup files are not needed, 246 | # because we have git ;-) 247 | _UpgradeReport_Files/ 248 | Backup*/ 249 | UpgradeLog*.XML 250 | UpgradeLog*.htm 251 | ServiceFabricBackup/ 252 | *.rptproj.bak 253 | 254 | # SQL Server files 255 | *.mdf 256 | *.ldf 257 | *.ndf 258 | 259 | # Business Intelligence projects 260 | *.rdl.data 261 | *.bim.layout 262 | *.bim_*.settings 263 | *.rptproj.rsuser 264 | *- [Bb]ackup.rdl 265 | *- [Bb]ackup ([0-9]).rdl 266 | *- [Bb]ackup ([0-9][0-9]).rdl 267 | 268 | # Microsoft Fakes 269 | FakesAssemblies/ 270 | 271 | # GhostDoc plugin setting file 272 | *.GhostDoc.xml 273 | 274 | # Node.js Tools for Visual Studio 275 | .ntvs_analysis.dat 276 | node_modules/ 277 | 278 | # Visual Studio 6 build log 279 | *.plg 280 | 281 | # Visual Studio 6 workspace options file 282 | *.opt 283 | 284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 285 | *.vbw 286 | 287 | # Visual Studio LightSwitch build output 288 | **/*.HTMLClient/GeneratedArtifacts 289 | **/*.DesktopClient/GeneratedArtifacts 290 | **/*.DesktopClient/ModelManifest.xml 291 | **/*.Server/GeneratedArtifacts 292 | **/*.Server/ModelManifest.xml 293 | _Pvt_Extensions 294 | 295 | # Paket dependency manager 296 | .paket/paket.exe 297 | paket-files/ 298 | 299 | # FAKE - F# Make 300 | .fake/ 301 | 302 | # CodeRush personal settings 303 | .cr/personal 304 | 305 | # Python Tools for Visual Studio (PTVS) 306 | __pycache__/ 307 | *.pyc 308 | 309 | # Cake - Uncomment if you are using it 310 | # tools/** 311 | # !tools/packages.config 312 | 313 | # Tabs Studio 314 | *.tss 315 | 316 | # Telerik's JustMock configuration file 317 | *.jmconfig 318 | 319 | # BizTalk build output 320 | *.btp.cs 321 | *.btm.cs 322 | *.odx.cs 323 | *.xsd.cs 324 | 325 | # OpenCover UI analysis results 326 | OpenCover/ 327 | 328 | # Azure Stream Analytics local run output 329 | ASALocalRun/ 330 | 331 | # MSBuild Binary and Structured Log 332 | *.binlog 333 | 334 | # NVidia Nsight GPU debugger 
configuration file 335 | *.nvuser 336 | 337 | # MFractors (Xamarin productivity tool) working folder 338 | .mfractor/ 339 | 340 | # Local History for Visual Studio 341 | .localhistory/ 342 | 343 | # BeatPulse healthcheck temp database 344 | healthchecksdb 345 | 346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 347 | MigrationBackup/ 348 | 349 | # Ionide (cross platform F# VS Code tools) working folder 350 | .ionide/ 351 | -------------------------------------------------------------------------------- /Frida快速入门.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmrbak/Frida/f020737d02aa7f33b55d5ba3ff9a96b9c888eede/Frida快速入门.docx -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 赵庆明 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Frida 2 | 在线课程《Frida快速入门》https://download.csdn.net/course/detail/37437 3 | 4 | Frida是一款免费的,基于Python和JavaScript来实现的,面向开发人员、逆向工程师和安全研究人员的动态检测工具包。 5 | 6 | Frida拥有一套全面的测试套件,不但调试效率极高,而且在广泛的使用中经历了多年严格的测试。 7 | 8 | 尤其是,移动应用安全测试和服务巨头NowSecure对其钟爱有加,在NowSecure内部,安全人员通过Frida这个工具套装,已经完成对大量的移动应用程序大规模深度的安全分析测试。目前依然在该公司的安全测试中扮演重要的角色。 9 | 10 | 基于Python和JavaScript的Frida,天生就是跨平台的动态调试工具,不但可以运行在Windows、Linux、macOS之上,而且还可以调试Windows应用程序、Linux应用程序,macOS、iOS、Android和QNX等几乎全平台的应用程序。可以说,一旦掌握Frida这套工具,就可以在全平台,对全平台的应用程序进行动态调试和分析。 11 | 12 | Frida使用极其方便,在使用过程中,只需将你编写的JavaScript脚本通过Frida自身的工具注入到目标进程中,就可以HOOK任何功能,其中包括但不限于监视加密API或跟踪应用程序关键代码等。在使用过程中,无需知道被“研究”程序的源代码。 13 | 14 | 尤其是可以一边编辑JavaScript脚本,一边运行JavaScript脚本的功能对于调试分析来说极为友好。只需“保存”正在编辑的JavaScript脚本,就能立即看到该脚本执行的结果,全程无需其它人工介入,也无需重新启动被“研究”的应用程序,极大地简化了分析流程,同时也极大地提高了工作效率。因此,得到了众多安全分析人士的青睐。 15 | 16 | 本课程从最基本的调试环境搭建开始,基于经典的Windows“扫雷”游戏的动态调试分析,编码等,循序渐进演示Frida在分析调试Windows应用程序中基本使用方法和技巧。拥有这些知识储备之后,再加上官方的参考文档,你就可以轻松地将这些知识“迁移”至分析和调试其他平台的应用程序。配套代码/F01 目录随附了 CheatEngine、OllyDbg 等第三方可执行文件,运行前请核对其来源与发布方公布的哈希值。 17 | 18 | # 交流QQ群 19 | 20 | 会员交流群:456197310 PC微信HOOK逆向分析 21 | 22 | 学员交流群:741218412 PC微信探秘/软件逆向分 23 | -------------------------------------------------------------------------------- /配套代码/F01/CheatEngine74.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmrbak/Frida/f020737d02aa7f33b55d5ba3ff9a96b9c888eede/配套代码/F01/CheatEngine74.exe -------------------------------------------------------------------------------- /配套代码/F01/WINMINE.EX_: 
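-------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmrbak/Frida/f020737d02aa7f33b55d5ba3ff9a96b9c888eede/配套代码/F01/WINMINE.EX_ -------------------------------------------------------------------------------- /配套代码/F01/spyxx.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmrbak/Frida/f020737d02aa7f33b55d5ba3ff9a96b9c888eede/配套代码/F01/spyxx.zip -------------------------------------------------------------------------------- /配套代码/F01/zh_CN_2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmrbak/Frida/f020737d02aa7f33b55d5ba3ff9a96b9c888eede/配套代码/F01/zh_CN_2.zip -------------------------------------------------------------------------------- /配套代码/F01/课程专用OllyDbg_V3.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zmrbak/Frida/f020737d02aa7f33b55d5ba3ff9a96b9c888eede/配套代码/F01/课程专用OllyDbg_V3.7z -------------------------------------------------------------------------------- /配套代码/F03/F03.py: --------------------------------------------------------------------------------
import frida


def on_message(message, data):
    """Print every message the injected agent sends back (console output, send(), errors)."""
    print("[on_message] message:", message, "data:", data)


# Attach by process name. If several processes share that name the choice is
# ambiguous -- attach by PID when it matters. Attaching needs an integrity
# level at least as high as the target's.
session = frida.attach("wechat.exe")
try:
    # The agent exposes one RPC export that returns the target's module list.
    script = session.create_script("""
rpc.exports.enumerateModules = function () {
    return Process.enumerateModules();
};
""")
    script.on("message", on_message)
    script.load()

    # frida maps the camelCase JS export to snake_case on the Python side.
    print([m["name"] for m in script.exports.enumerate_modules()])
finally:
    # Unload the agent and detach so nothing stays injected in the target
    # even if create_script/load or the RPC call raised.
    session.detach()
-------------------------------------------------------------------------------- /配套代码/F04/.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // 使用 IntelliSense 了解相关属性。 3 | // 悬停以查看现有属性的描述。 4 | // 欲了解更多信息,请访问: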
https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "name": "ts-node", 9 | "type": "node", 10 | "request": "launch", 11 | "args": [ 12 | "${relativeFile}" 13 | ], 14 | "runtimeArgs": [ 15 | "-r", 16 | "ts-node/register" 17 | ], 18 | "cwd": "${workspaceRoot}", 19 | "protocol": "inspector", 20 | "internalConsoleOptions": "openOnSessionStart" 21 | } 22 | ] 23 | } -------------------------------------------------------------------------------- /配套代码/F04/L04.ts: --------------------------------------------------------------------------------
/**
 * Lesson 4 smoke test: prints the Frida runtime details of the process this
 * agent is injected into, then one line per loaded module (base, name, size).
 * Output goes to the Frida console; nothing in the target is modified.
 */
function frida04() {
    console.log("======================", new Date().toISOString(), "==========================");
    console.log("Frida.version", Frida.version);
    console.log("Frida.heapSize", Frida.heapSize);
    console.log(Process.id);
    console.log(Process.arch);
    console.log(Process.codeSigningPolicy);
    // Snapshot of the target's module list at the moment the agent runs.
    let modules = Process.enumerateModules();
    for (const iterator of modules) {
        console.log(iterator.base, iterator.name, iterator.size);
    }
}

frida04();
console.log("OK");
console.log("OK1");
-------------------------------------------------------------------------------- /配套代码/F04/js/L04.js: --------------------------------------------------------------------------------
// tsc output of ../L04.ts (tsconfig.json: outDir "./js/"); regenerate it, do not edit by hand.
"use strict";
function frida04() {
    console.log("======================", new Date().toISOString(), "==========================");
    console.log("Frida.version", Frida.version);
    console.log("Frida.heapSize", Frida.heapSize);
    console.log(Process.id);
    console.log(Process.arch);
    console.log(Process.codeSigningPolicy);
    let modules = Process.enumerateModules();
    for (const iterator of modules) {
        console.log(iterator.base, iterator.name, iterator.size);
    }
}
frida04();
console.log("OK");
console.log("OK1");
-------------------------------------------------------------------------------- /配套代码/F04/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "frida", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "author": "", 10 | "license": "ISC", 11 | "dependencies": { 12 | "@types/frida-gum": "^18.0.0", 13 | "@types/node": "^17.0.42", 14 | "frida-compile": "^10.2.5", 15 | "ts-node": "^10.8.1" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /配套代码/F04/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | /* Visit https://aka.ms/tsconfig to read more about this file */ 4 | 5 | /* Projects */ 6 | // "incremental": true, /* Save .tsbuildinfo files to allow for incremental compilation of projects. */ 7 | // "composite": true, /* Enable constraints that allow a TypeScript project to be used with project references. */ 8 | // "tsBuildInfoFile": "./.tsbuildinfo", /* Specify the path to .tsbuildinfo incremental compilation file. */ 9 | // "disableSourceOfProjectReferenceRedirect": true, /* Disable preferring source files instead of declaration files when referencing composite projects. */ 10 | // "disableSolutionSearching": true, /* Opt a project out of multi-project reference checking when editing. */ 11 | // "disableReferencedProjectLoad": true, /* Reduce the number of projects loaded automatically by TypeScript. */ 12 | 13 | /* Language and Environment */ 14 | "target": "es2016", /* Set the JavaScript language version for emitted JavaScript and include compatible library declarations. */ 15 | // "lib": [], /* Specify a set of bundled library declaration files that describe the target runtime environment. */ 16 | // "jsx": "preserve", /* Specify what JSX code is generated. 
*/ 17 | // "experimentalDecorators": true, /* Enable experimental support for TC39 stage 2 draft decorators. */ 18 | // "emitDecoratorMetadata": true, /* Emit design-type metadata for decorated declarations in source files. */ 19 | // "jsxFactory": "", /* Specify the JSX factory function used when targeting React JSX emit, e.g. 'React.createElement' or 'h'. */ 20 | // "jsxFragmentFactory": "", /* Specify the JSX Fragment reference used for fragments when targeting React JSX emit e.g. 'React.Fragment' or 'Fragment'. */ 21 | // "jsxImportSource": "", /* Specify module specifier used to import the JSX factory functions when using 'jsx: react-jsx*'. */ 22 | // "reactNamespace": "", /* Specify the object invoked for 'createElement'. This only applies when targeting 'react' JSX emit. */ 23 | // "noLib": true, /* Disable including any library files, including the default lib.d.ts. */ 24 | // "useDefineForClassFields": true, /* Emit ECMAScript-standard-compliant class fields. */ 25 | // "moduleDetection": "auto", /* Control what method is used to detect module-format JS files. */ 26 | 27 | /* Modules */ 28 | "module": "commonjs", /* Specify what module code is generated. */ 29 | "rootDir": "./", /* Specify the root folder within your source files. */ 30 | // "moduleResolution": "node", /* Specify how TypeScript looks up a file from a given module specifier. */ 31 | // "baseUrl": "./", /* Specify the base directory to resolve non-relative module names. */ 32 | // "paths": {}, /* Specify a set of entries that re-map imports to additional lookup locations. */ 33 | // "rootDirs": [], /* Allow multiple folders to be treated as one when resolving modules. */ 34 | // "typeRoots": [], /* Specify multiple folders that act like './node_modules/@types'. */ 35 | // "types": [], /* Specify type package names to be included without being referenced in a source file. */ 36 | // "allowUmdGlobalAccess": true, /* Allow accessing UMD globals from modules. 
*/ 37 | // "moduleSuffixes": [], /* List of file name suffixes to search when resolving a module. */ 38 | // "resolveJsonModule": true, /* Enable importing .json files. */ 39 | // "noResolve": true, /* Disallow 'import's, 'require's or ''s from expanding the number of files TypeScript should add to a project. */ 40 | 41 | /* JavaScript Support */ 42 | // "allowJs": true, /* Allow JavaScript files to be a part of your program. Use the 'checkJS' option to get errors from these files. */ 43 | // "checkJs": true, /* Enable error reporting in type-checked JavaScript files. */ 44 | // "maxNodeModuleJsDepth": 1, /* Specify the maximum folder depth used for checking JavaScript files from 'node_modules'. Only applicable with 'allowJs'. */ 45 | 46 | /* Emit */ 47 | // "declaration": true, /* Generate .d.ts files from TypeScript and JavaScript files in your project. */ 48 | // "declarationMap": true, /* Create sourcemaps for d.ts files. */ 49 | // "emitDeclarationOnly": true, /* Only output d.ts files and not JavaScript files. */ 50 | // "sourceMap": true, /* Create source map files for emitted JavaScript files. */ 51 | // "outFile": "./", /* Specify a file that bundles all outputs into one JavaScript file. If 'declaration' is true, also designates a file that bundles all .d.ts output. */ 52 | "outDir": "./js/", /* Specify an output folder for all emitted files. */ 53 | // "removeComments": true, /* Disable emitting comments. */ 54 | // "noEmit": true, /* Disable emitting files from a compilation. */ 55 | // "importHelpers": true, /* Allow importing helper functions from tslib once per project, instead of including them per-file. */ 56 | // "importsNotUsedAsValues": "remove", /* Specify emit/checking behavior for imports that are only used for types. */ 57 | // "downlevelIteration": true, /* Emit more compliant, but verbose and less performant JavaScript for iteration. */ 58 | // "sourceRoot": "", /* Specify the root path for debuggers to find the reference source code. 
*/ 59 | // "mapRoot": "", /* Specify the location where debugger should locate map files instead of generated locations. */ 60 | // "inlineSourceMap": true, /* Include sourcemap files inside the emitted JavaScript. */ 61 | // "inlineSources": true, /* Include source code in the sourcemaps inside the emitted JavaScript. */ 62 | // "emitBOM": true, /* Emit a UTF-8 Byte Order Mark (BOM) in the beginning of output files. */ 63 | // "newLine": "crlf", /* Set the newline character for emitting files. */ 64 | // "stripInternal": true, /* Disable emitting declarations that have '@internal' in their JSDoc comments. */ 65 | // "noEmitHelpers": true, /* Disable generating custom helper functions like '__extends' in compiled output. */ 66 | // "noEmitOnError": true, /* Disable emitting files if any type checking errors are reported. */ 67 | // "preserveConstEnums": true, /* Disable erasing 'const enum' declarations in generated code. */ 68 | // "declarationDir": "./", /* Specify the output directory for generated declaration files. */ 69 | // "preserveValueImports": true, /* Preserve unused imported values in the JavaScript output that would otherwise be removed. */ 70 | 71 | /* Interop Constraints */ 72 | // "isolatedModules": true, /* Ensure that each file can be safely transpiled without relying on other imports. */ 73 | // "allowSyntheticDefaultImports": true, /* Allow 'import x from y' when a module doesn't have a default export. */ 74 | "esModuleInterop": true, /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */ 75 | // "preserveSymlinks": true, /* Disable resolving symlinks to their realpath. This correlates to the same flag in node. */ 76 | "forceConsistentCasingInFileNames": true, /* Ensure that casing is correct in imports. */ 77 | 78 | /* Type Checking */ 79 | "strict": true, /* Enable all strict type-checking options. 
*/ 80 | // "noImplicitAny": true, /* Enable error reporting for expressions and declarations with an implied 'any' type. */ 81 | // "strictNullChecks": true, /* When type checking, take into account 'null' and 'undefined'. */ 82 | // "strictFunctionTypes": true, /* When assigning functions, check to ensure parameters and the return values are subtype-compatible. */ 83 | // "strictBindCallApply": true, /* Check that the arguments for 'bind', 'call', and 'apply' methods match the original function. */ 84 | // "strictPropertyInitialization": true, /* Check for class properties that are declared but not set in the constructor. */ 85 | // "noImplicitThis": true, /* Enable error reporting when 'this' is given the type 'any'. */ 86 | // "useUnknownInCatchVariables": true, /* Default catch clause variables as 'unknown' instead of 'any'. */ 87 | // "alwaysStrict": true, /* Ensure 'use strict' is always emitted. */ 88 | // "noUnusedLocals": true, /* Enable error reporting when local variables aren't read. */ 89 | // "noUnusedParameters": true, /* Raise an error when a function parameter isn't read. */ 90 | // "exactOptionalPropertyTypes": true, /* Interpret optional property types as written, rather than adding 'undefined'. */ 91 | // "noImplicitReturns": true, /* Enable error reporting for codepaths that do not explicitly return in a function. */ 92 | // "noFallthroughCasesInSwitch": true, /* Enable error reporting for fallthrough cases in switch statements. */ 93 | // "noUncheckedIndexedAccess": true, /* Add 'undefined' to a type when accessed using an index. */ 94 | // "noImplicitOverride": true, /* Ensure overriding members in derived classes are marked with an override modifier. */ 95 | // "noPropertyAccessFromIndexSignature": true, /* Enforces using indexed accessors for keys declared using an indexed type. */ 96 | // "allowUnusedLabels": true, /* Disable error reporting for unused labels. 
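*/ 97 | // "allowUnreachableCode": true, /* Disable error reporting for unreachable code. */ 98 | 99 | /* Completeness */ 100 | // "skipDefaultLibCheck": true, /* Skip type checking .d.ts files that are included with TypeScript. */ 101 | "skipLibCheck": true /* Skip type checking all .d.ts files. */ 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /配套代码/F07/L07.ts: --------------------------------------------------------------------------------
/**
 * Lesson 7: dump the Minesweeper board of the running winmine.exe.
 *
 * Every address below is a fixed offset from the module base and belongs to
 * one specific winmine.exe build (presumably the WINMINE.EX_ shipped in
 * 配套代码/F01 -- confirm before using another build; on a different build the
 * same offsets point at unrelated data).
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;

    /** Resolves the winmine.exe module; throws if it is not loaded in this process. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base; every offset used below is relative to it.
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
    }

    /**
     * Prints height, width, mine count and then the board bytes, one row per
     * line with each cell as a two-digit hex byte. The loops cover width + 2
     * columns and height + 2 rows (presumably a one-cell border around the
     * playfield) and rows are 0x20 bytes apart. Read-only.
     * @throws Error if the size globals cannot fit the 0x20-byte row stride,
     *   i.e. the offsets do not belong to this build.
     */
    board_info() {
        const base = this.module_winmine.base;

        const height = base.add(0x5338).readU32();
        console.log("棋盘高度:", height);

        const width = base.add(0x5334).readU32();
        console.log("棋盘宽度:", width);

        const mine_count = base.add(0x5330).readU32();
        console.log("地雷数量:", mine_count);

        const head = base.add(0x5340);
        console.log("棋盘头:", head);

        // Sanity check: a row is 0x20 bytes, so width + 2 cells must fit in it.
        // Anything larger means these offsets do not match the loaded build;
        // stop instead of walking off the board. The same cap is applied to
        // height as a plausibility bound (the buffer presumably has 0x20 rows
        // as well -- TODO confirm against the build).
        if (width + 2 > 0x20 || height + 2 > 0x20) {
            throw new Error(`unexpected board size ${width}x${height}; offsets do not match this winmine.exe build`);
        }

        for (let row = 0; row < height + 2; row++) {
            const cells: string[] = [];
            for (let col = 0; col < width + 2; col++) {
                const value = head.add(col + 0x20 * row).readU8();
                cells.push(value.toString(16).padStart(2, '0'));
            }
            console.log(cells.join(" "));
        }
    }
}

let l07 = new L07();
l07.board_info();
-------------------------------------------------------------------------------- /配套代码/F08/L08.ts: --------------------------------------------------------------------------------
/**
 * Lesson 8: dump the board, or rewrite every 0x8F cell to 0x8E (the course
 * uses this to mark cells in the running game; 0x8F/0x8E are taken as-is from
 * the lesson, their meaning is not derivable from this code).
 * Same hard-coded winmine.exe offsets as lesson 7 -- they belong to one build
 * (presumably 配套代码/F01/WINMINE.EX_); on another build the writes below would
 * land in unrelated memory.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    private mine_count: number = 0;
    private head: NativePointer = ptr(0);

    /** Resolves the winmine.exe module; throws if it is not loaded in this process. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base; every offset used below is relative to it.
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
    }

    /**
     * Reads the board globals (height, width, mine count, board start) from
     * the module and validates them before anything is written.
     * @throws Error if width/height cannot fit the 0x20-byte row stride.
     */
    private load_board_info() {
        const base = this.module_winmine.base;
        this.height = base.add(0x5338).readU32();
        this.width = base.add(0x5334).readU32();
        this.mine_count = base.add(0x5330).readU32();
        this.head = base.add(0x5340);
        this.check_board_size();
    }

    /**
     * A row is 0x20 bytes (see board_mark), so width + 2 cells must fit in it;
     * larger values mean the offsets do not match the loaded build and a
     * write would corrupt unrelated memory. The same cap is applied to height
     * as a plausibility bound (buffer presumably has 0x20 rows -- TODO confirm).
     */
    private check_board_size() {
        if (this.width + 2 > 0x20 || this.height + 2 > 0x20) {
            throw new Error(`unexpected board size ${this.width}x${this.height}; offsets do not match this winmine.exe build`);
        }
    }

    /** Prints the board without modifying it. */
    board_info() {
        this.board_mark();
    }

    /**
     * Walks every cell of the board (width + 2 columns, height + 2 rows).
     * @param modify false (default): print each row as upper-case hex bytes.
     *               true: overwrite every 0x8F cell with 0x8E, print nothing.
     */
    board_mark(modify: boolean = false) {
        this.load_board_info();
        for (let row = 0; row < this.height + 2; row++) {
            const cells: string[] = [];
            for (let col = 0; col < this.width + 2; col++) {
                const cell = this.head.add(col + 0x20 * row);
                const value = cell.readU8();
                if (modify) {
                    if (value == 0x8F) {
                        cell.writeU8(0x8E);
                    }
                } else {
                    cells.push(value.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (!modify) {
                console.log(cells.join(" "));
            }
        }
    }
}

let l07 = new L07();
l07.board_mark(true);
l07.board_info();
-------------------------------------------------------------------------------- /配套代码/F09/L09.ts: --------------------------------------------------------------------------------
/**
 * Lesson 9: lesson 8 plus a repaint of the game window so the rewritten cells
 * become visible. The window handle is read from the module as well, so the
 * same one-build caveat applies (offsets presumably belong to
 * 配套代码/F01/WINMINE.EX_; confirm before using another build).
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    private mine_count: number = 0;
    private head: NativePointer = ptr(0);

    private hWnd: NativePointer = ptr(0);
    // Resolved in load_board_info(); null when User32.dll lacks the export.
    private GetClientRect: NativePointer | null = null;
    private InvalidateRect: NativePointer | null = null;

    /** Resolves the winmine.exe module; throws if it is not loaded in this process. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base; every offset used below is relative to it.
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
    }

    /**
     * Reads the board globals and the window handle from the module, resolves
     * the two User32 exports used by board_repaint, and validates the size.
     * @throws Error if width/height cannot fit the 0x20-byte row stride.
     */
    private load_board_info() {
        const base = this.module_winmine.base;
        this.height = base.add(0x5338).readU32();
        this.width = base.add(0x5334).readU32();
        this.mine_count = base.add(0x5330).readU32();
        this.head = base.add(0x5340);
        this.hWnd = base.add(0x5B24).readPointer();

        this.GetClientRect = Module.findExportByName("User32.dll", "GetClientRect");
        this.InvalidateRect = Module.findExportByName("User32.dll", "InvalidateRect");

        this.check_board_size();
    }

    /**
     * A row is 0x20 bytes (see board_mark), so width + 2 cells must fit in it;
     * larger values mean the offsets do not match the loaded build and a
     * write would corrupt unrelated memory. The same cap is applied to height
     * as a plausibility bound (buffer presumably has 0x20 rows -- TODO confirm).
     */
    private check_board_size() {
        if (this.width + 2 > 0x20 || this.height + 2 > 0x20) {
            throw new Error(`unexpected board size ${this.width}x${this.height}; offsets do not match this winmine.exe build`);
        }
    }

    /** Prints the board without modifying it. */
    board_info() {
        this.board_mark();
    }

    /**
     * Walks every cell of the board (width + 2 columns, height + 2 rows).
     * @param modify false (default): print each row as upper-case hex bytes.
     *               true: overwrite every 0x8F cell with 0x8E, print nothing.
     */
    board_mark(modify: boolean = false) {
        this.load_board_info();
        for (let row = 0; row < this.height + 2; row++) {
            const cells: string[] = [];
            for (let col = 0; col < this.width + 2; col++) {
                const cell = this.head.add(col + 0x20 * row);
                const value = cell.readU8();
                if (modify) {
                    if (value == 0x8F) {
                        cell.writeU8(0x8E);
                    }
                } else {
                    cells.push(value.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (!modify) {
                console.log(cells.join(" "));
            }
        }
    }

    /**
     * Forces the game window to redraw: GetClientRect on the stored window
     * handle, then InvalidateRect on that rectangle with bErase = TRUE.
     * Loads the board info first if it has not been loaded yet, so the call
     * order no longer matters.
     * @throws Error if GetClientRect/InvalidateRect could not be resolved.
     */
    board_repaint() {
        if (this.hWnd.isNull()) {
            // Nothing loaded yet (board_mark/board_info not called) -- resolve now.
            this.load_board_info();
        }
        if (this.GetClientRect === null || this.InvalidateRect === null) {
            throw new Error("GetClientRect/InvalidateRect not found in User32.dll");
        }

        // BOOL GetClientRect(
        //   [in]  HWND   hWnd,
        //   [out] LPRECT lpRect   // RECT = four LONGs, 16 bytes
        // );
        const lpRect = Memory.alloc(4 * 4);
        const GetClientRect = new NativeFunction(this.GetClientRect, "bool", ["pointer", "pointer"]);
        GetClientRect(this.hWnd, lpRect);

        // BOOL InvalidateRect(
        //   [in] HWND         hWnd,
        //   [in] const RECT * lpRect,
        //   [in] BOOL         bErase
        // );
        const InvalidateRect = new NativeFunction(this.InvalidateRect, "bool", ["pointer", "pointer", 'bool']);
        InvalidateRect(this.hWnd, lpRect, 1);
    }
}

let l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
-------------------------------------------------------------------------------- /配套代码/F10/L10.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from "./win_api"; 2 | class L07 { 3 | private module_name_winmine = "winmine.exe"; 4 | private module_winmine: Module; 5 | private height: number = 0; 6 | private width: number = 0; 7 | private mine_count: number = 0; 8 | private head: NativePointer = ptr(0); 9 | 10 | private hWnd: NativePointer = ptr(0); 11 | private winApi = new WinApi(); 12 | 13 | constructor() { 14 | console.log("======================", new Date().toISOString(), "=========================="); 15 | console.log("Frida.version", Frida.version); 16 | //获取模块基址 17 | this.module_winmine = Process.getModuleByName(this.module_name_winmine); 18 | } 19 | 20 | private load_board_info() { 21 | this.height = this.module_winmine.base.add(0x5338).readU32(); 22 | this.width = this.module_winmine.base.add(0x5334).readU32(); 23 | this.mine_count = this.module_winmine.base.add(0x5330).readU32(); 24 | this.head = this.module_winmine.base.add(0x5340); 25 | this.hWnd = this.module_winmine.base.add(0x5B24).readPointer(); 26 | } 27 | 28 | board_info() { 29 | this.board_mark(); 30 | } 31 | board_mark(modify: boolean = false) { 32 | //加载棋盘数据 33 | this.load_board_info(); 34 | //遍历棋盘,按行遍历 35 | for (let i = 0; i < this.height + 2; i++) { 36 | //按列遍历 37 | let data = []; 38 | for (let j = 0; j < this.width + 2; j++) { 39 | let byte_data = this.head.add(j + 0x20 * i).readU8(); 40 | if (modify == true) { 41 | if (byte_data == 0x8F) { 42 | this.head.add(j + 0x20 * i).writeU8(0x8E); 43 | } 44 | } 45 | else { 46 | data.push(byte_data.toString(16).padStart(2, '0').toUpperCase()); 47 | } 48 | } 49 | 50 | if (modify != true) { 51 | console.log(data.join(" ")); 52 | } 53 | } 54 | 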
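}

    /**
     * Invalidate the client area so the game redraws cells changed by
     * board_mark(true). Loads the window handle first if nothing has read it yet,
     * so calling this before board_mark() no longer passes a NULL HWND.
     */
    board_repaint() {
        if (this.hWnd.isNull()) {
            this.load_board_info();
        }
        // RECT = 4 x LONG
        const lpRect = Memory.alloc(4 * 4);
        this.winApi.GetClientRect(this.hWnd, lpRect);
        this.winApi.InvalidateRect(this.hWnd, lpRect, 1);
    }
}

const l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
--------------------------------------------------------------------------------
/配套代码/F10/win_api.ts:
--------------------------------------------------------------------------------
/**
 * Instance wrapper over the two User32 exports lesson 10 needs.
 *
 * Both exports are resolved and bound to a NativeFunction once, when the
 * instance is created; a missing export raises an Error naming the symbol
 * instead of handing a null address to NativeFunction.
 */
export class WinApi {
    private readonly func_GetClientRect: (hWnd: NativePointerValue, lpRect: NativePointerValue) => number;
    private readonly func_InvalidateRect: (hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number) => number;

    constructor() {
        // BOOL GetClientRect([in] HWND hWnd, [out] LPRECT lpRect);
        this.func_GetClientRect = new NativeFunction(WinApi.resolve("User32.dll", "GetClientRect"), "bool", ["pointer", "pointer"]);
        // BOOL InvalidateRect([in] HWND hWnd, [in] const RECT *lpRect, [in] BOOL bErase);
        this.func_InvalidateRect = new NativeFunction(WinApi.resolve("User32.dll", "InvalidateRect"), "bool", ["pointer", "pointer", "bool"]);
    }

    /**
     * Look up `symbol` in `moduleName`.
     * @throws Error naming the symbol when the export is absent.
     */
    private static resolve(moduleName: string, symbol: string): NativePointerValue {
        const address = Module.findExportByName(moduleName, symbol);
        if (address === null) {
            throw new Error(`export ${symbol} not found in ${moduleName}`);
        }
        return address;
    }

    /** Fills the RECT at lpRect with the window's client area; BOOL result (non-zero on success). */
    GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        return this.func_GetClientRect(hWnd, lpRect);
    }

    /** Marks the RECT at lpRect for repainting; BOOL result (non-zero on success). */
    InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        return this.func_InvalidateRect(hWnd, lpRect, bErase);
    }
}
--------------------------------------------------------------------------------
/配套代码/F11/L11.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

/**
 * Lesson 11: the User32 wrappers are now static methods on WinApi, so no
 * instance is held here. Offsets are module-base relative and specific to the
 * course's winmine.exe build.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    private mine_count: number = 0; // loaded with the geometry; nothing below uses it yet
    private head: NativePointer = ptr(0);
    private hWnd: NativePointer = ptr(0);

    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base (getModuleByName throws if winmine.exe is not loaded), then the
        // main window handle (base+0x5B24) and the first grid cell (base+0x5340).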
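this.module_winmine = Process.getModuleByName(this.module_name_winmine);
        this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
        this.head = this.module_winmine.base.add(0x5340);
    }

    /** Refresh the board geometry from game memory (grid pointer and hWnd are fixed at construction). */
    private load_board_info() {
        const base = this.module_winmine.base;
        this.height = base.add(0x5338).readU32();
        this.width = base.add(0x5334).readU32();
        this.mine_count = base.add(0x5330).readU32();
    }

    /** Print the current grid as hex bytes, one board row per line. */
    board_info() {
        this.board_mark();
    }

    /**
     * Walk the cell grid row by row (rows are 0x20 bytes apart; the `+ 2`
     * presumably covers the border cells around the playable area).
     *
     * @param modify - false: print each row as two-digit upper-case hex bytes.
     *                 true: overwrite every 0x8F cell with 0x8E in place, print nothing
     *                 (the course reads 0x8F as an unrevealed mine, 0x8E as a flagged one —
     *                 confirm against the lesson's memory analysis).
     */
    board_mark(modify: boolean = false) {
        this.load_board_info();
        for (let row = 0; row < this.height + 2; row++) {
            const cells: string[] = [];
            for (let col = 0; col < this.width + 2; col++) {
                const cell = this.head.add(col + 0x20 * row);
                const value = cell.readU8();
                if (modify) {
                    if (value === 0x8F) {
                        cell.writeU8(0x8E);
                    }
                } else {
                    cells.push(value.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (!modify) {
                console.log(cells.join(" "));
            }
        }
    }

    /** Invalidate the client area so the game redraws cells changed by board_mark(true). */
    board_repaint() {
        // RECT = 4 x LONG
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetClientRect(this.hWnd, lpRect);
        WinApi.InvalidateRect(this.hWnd, lpRect, 1);
    }
}

const l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
--------------------------------------------------------------------------------
/配套代码/F11/win_api.ts:
--------------------------------------------------------------------------------
/**
 * Static wrappers over the User32 exports the lesson needs.
 *
 * Each wrapper resolves its export and builds one NativeFunction on the first
 * call, then reuses it. A missing export raises an Error naming the symbol
 * instead of handing a null address to NativeFunction.
 */
export class WinApi {
    /**
     * Look up `symbol` in `moduleName`.
     * @throws Error naming the symbol when the export is absent.
     */
    private static resolve(moduleName: string, symbol: string): NativePointerValue {
        const address = Module.findExportByName(moduleName, symbol);
        if (address === null) {
            throw new Error(`export ${symbol} not found in ${moduleName}`);
        }
        return address;
    }

    private static func_GetClientRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue) => number) | null = null;
    // BOOL GetClientRect([in] HWND hWnd, [out] LPRECT lpRect);
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (WinApi.func_GetClientRect == null) {
            WinApi.func_GetClientRect = new NativeFunction(WinApi.resolve("User32.dll", "GetClientRect"), "bool", ["pointer", "pointer"]);
        }
        return WinApi.func_GetClientRect(hWnd, lpRect);
    }

    private static func_InvalidateRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number) => number) | null = null;
    // BOOL InvalidateRect([in] HWND hWnd, [in] const RECT *lpRect, [in] BOOL bErase);
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        if (WinApi.func_InvalidateRect == null) {
            WinApi.func_InvalidateRect = new NativeFunction(WinApi.resolve("User32.dll", "InvalidateRect"), "bool", ["pointer", "pointer", "bool"]);
        }
        return WinApi.func_InvalidateRect(hWnd, lpRect, bErase);
    }
}
--------------------------------------------------------------------------------
/配套代码/F12/L12.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

/**
 * Lesson 12: lesson 11 plus board_foreground(), which raises the game window
 * through the static WinApi wrappers. Offsets are module-base relative and
 * specific to the course's winmine.exe build.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    private mine_count: number = 0; // loaded with the geometry; nothing below uses it yet
    private head: NativePointer = ptr(0);
    private hWnd: NativePointer = ptr(0);

    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base (getModuleByName throws if winmine.exe is not loaded), then the
        // main window handle (base+0x5B24) and the first grid cell (base+0x5340).
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
        this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
        this.head = this.module_winmine.base.add(0x5340);
    }

    /** Refresh the board geometry from game memory (grid pointer and hWnd are fixed at construction). */
    private load_board_info() {
        const base = this.module_winmine.base;
        this.height = base.add(0x5338).readU32();
        this.width = base.add(0x5334).readU32();
        this.mine_count = base.add(0x5330).readU32();
    }

    /** Print the current grid as hex bytes, one board row per line. */
    board_info() {
        this.board_mark();
    }

    /**
     * Walk the cell grid row by row (rows are 0x20 bytes apart; the `+ 2`
     * presumably covers the border cells around the playable area).
     *
     * @param modify - false: print each row as two-digit upper-case hex bytes.
     *                 true: overwrite every 0x8F cell with 0x8E in place, print nothing
     *                 (the course reads 0x8F as an unrevealed mine, 0x8E as a flagged one —
     *                 confirm against the lesson's memory analysis).
     */
    board_mark(modify: boolean = false) {
        this.load_board_info();
        for (let i = 0; i < this.height + 2; i++) {
            const data: string[] = [];
            for (let j = 0; j < this.width + 2; j++) {
                const byte_data = this.head.add(j + 0x20 * i).readU8();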
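if (modify) {
                    if (byte_data === 0x8F) {
                        this.head.add(j + 0x20 * i).writeU8(0x8E);
                    }
                } else {
                    data.push(byte_data.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (!modify) {
                console.log(data.join(" "));
            }
        }
    }

    /** Invalidate the client area so the game redraws cells changed by board_mark(true). */
    board_repaint() {
        // RECT = 4 x LONG
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetClientRect(this.hWnd, lpRect);
        WinApi.InvalidateRect(this.hWnd, lpRect, 1);
    }

    /**
     * Bring the game window to the front. SetForegroundWindow is refused for a
     * process that does not own the current foreground window, so this thread's
     * input queue is first attached to the foreground window's thread; the window
     * is then restored and raised, bounced through TOPMOST/NOTOPMOST so it lands
     * on top without staying always-on-top, and the attachment is undone.
     */
    board_foreground() {
        const hForeWnd = WinApi.GetForegroundWindow();
        const dwCurID = WinApi.GetCurrentThreadId();
        // Returns the window's thread id; the process-id output is discarded via the NULL pointer.
        const dwForeID = WinApi.GetWindowThreadProcessId(hForeWnd, ptr(0));
        WinApi.AttachThreadInput(dwCurID, dwForeID, 1);

        const SW_RESTORE = 9;
        WinApi.ShowWindow(this.hWnd, SW_RESTORE);

        WinApi.SetForegroundWindow(this.hWnd);

        // HWND_TOPMOST / HWND_NOTOPMOST are (HWND)-1 / (HWND)-2; WinApi.SetWindowPos
        // marshals this argument as a 32-bit int, which matches the 32-bit game build.
        const HWND_TOPMOST = -1;
        const HWND_NOTOPMOST = -2;
        const SWP_NOSIZE = 0x0001;
        const SWP_NOMOVE = 0x0002;
        WinApi.SetWindowPos(this.hWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);
        WinApi.SetWindowPos(this.hWnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);

        WinApi.AttachThreadInput(dwCurID, dwForeID, 0);
    }
}

const l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
l07.board_foreground();
--------------------------------------------------------------------------------
/配套代码/F12/win_api.ts:
--------------------------------------------------------------------------------
/**
 * Static, lazily bound wrappers over the Win32 exports used by the lessons.
 *
 * Each wrapper resolves its export and builds one NativeFunction on the first
 * call, then reuses it. A missing export raises an Error naming the symbol
 * instead of handing a null address to NativeFunction.
 *
 * SetWindowPos's hWndInsertAfter is an HWND but is marshalled here as a 32-bit
 * "int" so callers can pass HWND_TOPMOST (-1) / HWND_NOTOPMOST (-2) as plain
 * numbers; that matches the 32-bit winmine.exe the course targets and would
 * need "pointer" on a 64-bit target.
 */
export class WinApi {
    /**
     * Look up `symbol` in `moduleName`.
     * @throws Error naming the symbol when the export is absent.
     */
    private static resolve(moduleName: string, symbol: string): NativePointerValue {
        const address = Module.findExportByName(moduleName, symbol);
        if (address === null) {
            throw new Error(`export ${symbol} not found in ${moduleName}`);
        }
        return address;
    }

    private static func_GetClientRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue) => number) | null = null;
    // BOOL GetClientRect([in] HWND hWnd, [out] LPRECT lpRect);
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (WinApi.func_GetClientRect == null) {
            WinApi.func_GetClientRect = new NativeFunction(WinApi.resolve("User32.dll", "GetClientRect"), "bool", ["pointer", "pointer"]);
        }
        return WinApi.func_GetClientRect(hWnd, lpRect);
    }

    private static func_InvalidateRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number) => number) | null = null;
    // BOOL InvalidateRect([in] HWND hWnd, [in] const RECT *lpRect, [in] BOOL bErase);
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        if (WinApi.func_InvalidateRect == null) {
            WinApi.func_InvalidateRect = new NativeFunction(WinApi.resolve("User32.dll", "InvalidateRect"), "bool", ["pointer", "pointer", "bool"]);
        }
        return WinApi.func_InvalidateRect(hWnd, lpRect, bErase);
    }

    private static func_SetForegroundWindow: ((hWnd: NativePointerValue) => number) | null = null;
    // BOOL SetForegroundWindow([in] HWND hWnd);
    static SetForegroundWindow(hWnd: NativePointerValue): number {
        if (WinApi.func_SetForegroundWindow == null) {
            WinApi.func_SetForegroundWindow = new NativeFunction(WinApi.resolve("User32.dll", "SetForegroundWindow"), "bool", ["pointer"]);
        }
        return WinApi.func_SetForegroundWindow(hWnd);
    }

    private static func_ShowWindow: ((hWnd: NativePointerValue, nCmdShow: number) => number) | null = null;
    // BOOL ShowWindow([in] HWND hWnd, [in] int nCmdShow);
    static ShowWindow(hWnd: NativePointerValue, nCmdShow: number): number {
        if (WinApi.func_ShowWindow == null) {
            WinApi.func_ShowWindow = new NativeFunction(WinApi.resolve("User32.dll", "ShowWindow"), "bool", ["pointer", "int"]);
        }
        return WinApi.func_ShowWindow(hWnd, nCmdShow);
    }

    private static func_SetWindowPos: ((hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number) => number) | null = null;
    // BOOL SetWindowPos([in] HWND hWnd, [in, optional] HWND hWndInsertAfter,
    //                   [in] int X, [in] int Y, [in] int cx, [in] int cy, [in] UINT uFlags);
    // hWndInsertAfter is passed as "int" (see class comment).
    static SetWindowPos(hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number): number {
        if (WinApi.func_SetWindowPos == null) {
            WinApi.func_SetWindowPos = new NativeFunction(WinApi.resolve("User32.dll", "SetWindowPos"), "bool", ["pointer", "int", "int", "int", "int", "int", "int"]);
        }
        return WinApi.func_SetWindowPos(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags);
    }

    private static func_GetForegroundWindow: (() => NativePointerValue) | null = null;
    // HWND GetForegroundWindow();
    static GetForegroundWindow(): NativePointerValue {
        if (WinApi.func_GetForegroundWindow == null) {
            WinApi.func_GetForegroundWindow = new NativeFunction(WinApi.resolve("User32.dll", "GetForegroundWindow"), "pointer", []);
        }
        return WinApi.func_GetForegroundWindow();
    }

    private static func_GetCurrentThreadId: (() => number) | null = null;
    // DWORD GetCurrentThreadId();  returned through "int": ids >= 2^31 come back negative (same bits).
    static GetCurrentThreadId(): number {
        if (WinApi.func_GetCurrentThreadId == null) {
            WinApi.func_GetCurrentThreadId = new NativeFunction(WinApi.resolve("Kernel32.dll", "GetCurrentThreadId"), "int", []);
        }
        return WinApi.func_GetCurrentThreadId();
    }

    private static func_GetWindowThreadProcessId: ((hWnd: NativePointerValue, lpdwProcessId: NativePointerValue) => number) | null = null;
    // DWORD GetWindowThreadProcessId([in] HWND hWnd, [out, optional] LPDWORD lpdwProcessId);
    // Returns the thread id that created the window; lpdwProcessId may be NULL.
    static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
        if (WinApi.func_GetWindowThreadProcessId == null) {
            WinApi.func_GetWindowThreadProcessId = new NativeFunction(WinApi.resolve("User32.dll", "GetWindowThreadProcessId"), "int", ["pointer", "pointer"]);
        }
        return WinApi.func_GetWindowThreadProcessId(hWnd, lpdwProcessId);
    }

    private static func_AttachThreadInput: ((idAttach: number, idAttachTo: number, fAttach: number) => number) | null = null;
    // BOOL AttachThreadInput([in] DWORD idAttach, [in] DWORD idAttachTo, [in] BOOL fAttach);
    static AttachThreadInput(idAttach: number, idAttachTo: number, fAttach: number): number {
        if (WinApi.func_AttachThreadInput == null) {
            WinApi.func_AttachThreadInput = new NativeFunction(WinApi.resolve("User32.dll", "AttachThreadInput"), "int", ["int", "int", "int"]);
        }
        return WinApi.func_AttachThreadInput(idAttach, idAttachTo, fAttach);
    }
}
--------------------------------------------------------------------------------
/配套代码/F14/L14.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

/**
 * Lesson 14: same script as lesson 12; the change is in ./win_api.ts, which
 * now caches NativeFunction objects instead of raw addresses. Offsets are
 * module-base relative and specific to the course's winmine.exe build.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    private mine_count: number = 0; // loaded with the geometry; nothing below uses it yet
    private head: NativePointer = ptr(0);
    private hWnd: NativePointer = ptr(0);

    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base (getModuleByName throws if winmine.exe is not loaded), then the
        // main window handle (base+0x5B24) and the first grid cell (base+0x5340).
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
        this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
        this.head = this.module_winmine.base.add(0x5340);
    }

    /** Refresh the board geometry from game memory (grid pointer and hWnd are fixed at construction). */
    private load_board_info() {
        const base = this.module_winmine.base;
        this.height = base.add(0x5338).readU32();
        this.width = base.add(0x5334).readU32();
        this.mine_count = base.add(0x5330).readU32();
    }

    /** Print the current grid as hex bytes, one board row per line. */
    board_info() {
        this.board_mark();
    }

    /**
     * Walk the cell grid row by row (rows are 0x20 bytes apart; the `+ 2`
     * presumably covers the border cells around the playable area).
     *
     * @param modify - false: print each row as two-digit upper-case hex bytes.
     *                 true: overwrite every 0x8F cell with 0x8E in place, print nothing
     *                 (the course reads 0x8F as an unrevealed mine, 0x8E as a flagged one —
     *                 confirm against the lesson's memory analysis).
     */
    board_mark(modify: boolean = false) {
        this.load_board_info();
        for (let i = 0; i < this.height + 2; i++) {
            const data: string[] = [];
            for (let j = 0; j < this.width + 2; j++) {
                const cell = this.head.add(j + 0x20 * i);
                const byte_data = cell.readU8();
                if (modify) {
                    if (byte_data === 0x8F) {
                        cell.writeU8(0x8E);
                    }
                } else {
                    data.push(byte_data.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (!modify) {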
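console.log(data.join(" "));
            }
        }
    }

    /** Invalidate the client area so the game redraws cells changed by board_mark(true). */
    board_repaint() {
        // RECT = 4 x LONG
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetClientRect(this.hWnd, lpRect);
        WinApi.InvalidateRect(this.hWnd, lpRect, 1);
    }

    /**
     * Bring the game window to the front. SetForegroundWindow is refused for a
     * process that does not own the current foreground window, so this thread's
     * input queue is first attached to the foreground window's thread; the window
     * is then restored and raised, bounced through TOPMOST/NOTOPMOST so it lands
     * on top without staying always-on-top, and the attachment is undone.
     */
    board_foreground() {
        const hForeWnd = WinApi.GetForegroundWindow();
        const dwCurID = WinApi.GetCurrentThreadId();
        // Returns the window's thread id; the process-id output is discarded via the NULL pointer.
        const dwForeID = WinApi.GetWindowThreadProcessId(hForeWnd, ptr(0));
        WinApi.AttachThreadInput(dwCurID, dwForeID, 1);

        const SW_RESTORE = 9;
        WinApi.ShowWindow(this.hWnd, SW_RESTORE);

        WinApi.SetForegroundWindow(this.hWnd);

        // HWND_TOPMOST / HWND_NOTOPMOST are (HWND)-1 / (HWND)-2; WinApi.SetWindowPos
        // marshals this argument as a 32-bit int, which matches the 32-bit game build.
        const HWND_TOPMOST = -1;
        const HWND_NOTOPMOST = -2;
        const SWP_NOSIZE = 0x0001;
        const SWP_NOMOVE = 0x0002;
        WinApi.SetWindowPos(this.hWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);
        WinApi.SetWindowPos(this.hWnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);

        WinApi.AttachThreadInput(dwCurID, dwForeID, 0);
    }
}

const l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
l07.board_foreground();
--------------------------------------------------------------------------------
/配套代码/F14/win_api.ts:
--------------------------------------------------------------------------------
/**
 * Static, lazily bound wrappers over the Win32 exports used by the lessons.
 *
 * Every wrapper follows one pattern: resolve the export and build one
 * NativeFunction on the first call, then reuse it. A missing export raises
 * an Error naming the symbol instead of handing a null address to
 * NativeFunction. The cached functions carry explicit signatures rather
 * than AnyFunction so argument mistakes are caught at compile time.
 *
 * SetWindowPos's hWndInsertAfter is an HWND but is marshalled here as a 32-bit
 * "int" so callers can pass HWND_TOPMOST (-1) / HWND_NOTOPMOST (-2) as plain
 * numbers; that matches the 32-bit winmine.exe the course targets and would
 * need "pointer" on a 64-bit target.
 */
export class WinApi {
    /**
     * Look up `symbol` in `moduleName`.
     * @throws Error naming the symbol when the export is absent.
     */
    private static resolve(moduleName: string, symbol: string): NativePointerValue {
        const address = Module.findExportByName(moduleName, symbol);
        if (address === null) {
            throw new Error(`export ${symbol} not found in ${moduleName}`);
        }
        return address;
    }

    private static func_GetClientRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue) => number) | null = null;
    // BOOL GetClientRect([in] HWND hWnd, [out] LPRECT lpRect);
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (WinApi.func_GetClientRect == null) {
            WinApi.func_GetClientRect = new NativeFunction(WinApi.resolve("User32.dll", "GetClientRect"), "bool", ["pointer", "pointer"]);
        }
        return WinApi.func_GetClientRect(hWnd, lpRect);
    }

    private static func_InvalidateRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number) => number) | null = null;
    // BOOL InvalidateRect([in] HWND hWnd, [in] const RECT *lpRect, [in] BOOL bErase);
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        if (WinApi.func_InvalidateRect == null) {
            WinApi.func_InvalidateRect = new NativeFunction(WinApi.resolve("User32.dll", "InvalidateRect"), "bool", ["pointer", "pointer", "bool"]);
        }
        return WinApi.func_InvalidateRect(hWnd, lpRect, bErase);
    }

    private static func_SetForegroundWindow: ((hWnd: NativePointerValue) => number) | null = null;
    // BOOL SetForegroundWindow([in] HWND hWnd);
    static SetForegroundWindow(hWnd: NativePointerValue): number {
        if (WinApi.func_SetForegroundWindow == null) {
            WinApi.func_SetForegroundWindow = new NativeFunction(WinApi.resolve("User32.dll", "SetForegroundWindow"), "bool", ["pointer"]);
        }
        return WinApi.func_SetForegroundWindow(hWnd);
    }

    private static func_ShowWindow: ((hWnd: NativePointerValue, nCmdShow: number) => number) | null = null;
    // BOOL ShowWindow([in] HWND hWnd, [in] int nCmdShow);
    static ShowWindow(hWnd: NativePointerValue, nCmdShow: number): number {
        if (WinApi.func_ShowWindow == null) {
            WinApi.func_ShowWindow = new NativeFunction(WinApi.resolve("User32.dll", "ShowWindow"), "bool", ["pointer", "int"]);
        }
        return WinApi.func_ShowWindow(hWnd, nCmdShow);
    }

    private static func_SetWindowPos: ((hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number) => number) | null = null;
    // BOOL SetWindowPos([in] HWND hWnd, [in, optional] HWND hWndInsertAfter,
    //                   [in] int X, [in] int Y, [in] int cx, [in] int cy, [in] UINT uFlags);
    // hWndInsertAfter is passed as "int" (see class comment).
    static SetWindowPos(hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number): number {
        if (WinApi.func_SetWindowPos == null) {
            WinApi.func_SetWindowPos = new NativeFunction(WinApi.resolve("User32.dll", "SetWindowPos"), "bool", ["pointer", "int", "int", "int", "int", "int", "int"]);
        }
        return WinApi.func_SetWindowPos(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags);
    }

    private static func_GetForegroundWindow: (() => NativePointerValue) | null = null;
    // HWND GetForegroundWindow();
    static GetForegroundWindow(): NativePointerValue {
        if (WinApi.func_GetForegroundWindow == null) {
            WinApi.func_GetForegroundWindow = new NativeFunction(WinApi.resolve("User32.dll", "GetForegroundWindow"), "pointer", []);
        }
        return WinApi.func_GetForegroundWindow();
    }

    private static func_GetCurrentThreadId: (() => number) | null = null;
    // DWORD GetCurrentThreadId();  returned through "int": ids >= 2^31 come back negative (same bits).
    static GetCurrentThreadId(): number {
        if (WinApi.func_GetCurrentThreadId == null) {
            WinApi.func_GetCurrentThreadId = new NativeFunction(WinApi.resolve("Kernel32.dll", "GetCurrentThreadId"), "int", []);
        }
        return WinApi.func_GetCurrentThreadId();
    }

    // Earlier form kept from the lesson for comparison: caches the address and rebuilds the NativeFunction per call.
    // private static address_GetWindowThreadProcessId: NativePointerValue | null;
    // static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
    //     // DWORD GetWindowThreadProcessId(
    //     //     [in]            HWND    hWnd,
    //     //     [out, optional] LPDWORD lpdwProcessId
    //     // );
    //     if (this.address_GetWindowThreadProcessId == null) {
    //         this.address_GetWindowThreadProcessId = Module.findExportByName("User32.dll", "GetWindowThreadProcessId");
    //     }
    //     return new NativeFunction(this.address_GetWindowThreadProcessId!, "int", ["pointer", "pointer"])(hWnd, lpdwProcessId);
    // }

    private static func_GetWindowThreadProcessId: ((hWnd: NativePointerValue, lpdwProcessId: NativePointerValue) => number) | null = null;
    // DWORD GetWindowThreadProcessId([in] HWND hWnd, [out, optional] LPDWORD lpdwProcessId);
    // Returns the thread id that created the window; lpdwProcessId may be NULL.
    static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
        if (WinApi.func_GetWindowThreadProcessId == null) {
            WinApi.func_GetWindowThreadProcessId = new NativeFunction(WinApi.resolve("User32.dll", "GetWindowThreadProcessId"), "int", ["pointer", "pointer"]);
        }
        return WinApi.func_GetWindowThreadProcessId(hWnd, lpdwProcessId);
    }

    private static func_AttachThreadInput: ((idAttach: number, idAttachTo: number, fAttach: number) => number) | null = null;
    // BOOL AttachThreadInput([in] DWORD idAttach, [in] DWORD idAttachTo, [in] BOOL fAttach);
    static AttachThreadInput(idAttach: number, idAttachTo: number, fAttach: number): number {
        if (WinApi.func_AttachThreadInput == null) {
            WinApi.func_AttachThreadInput = new NativeFunction(WinApi.resolve("User32.dll", "AttachThreadInput"), "int", ["int", "int", "int"]);
        }
        return WinApi.func_AttachThreadInput(idAttach, idAttachTo, fAttach);
    }
}
--------------------------------------------------------------------------------
/配套代码/F15/L08.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

/**
 * Lesson 15: lesson 14 plus board_location(), which reads the window rectangle
 * and moves the mouse cursor. Offsets are module-base relative and specific to
 * the course's winmine.exe build.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    private mine_count: number = 0; // loaded with the geometry; nothing below uses it yet
    private head: NativePointer = ptr(0);
    private hWnd: NativePointer = ptr(0);

    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // Module base (getModuleByName throws if winmine.exe is not loaded), then the
        // main window handle (base+0x5B24) and the first grid cell (base+0x5340).
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
        this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
        this.head = this.module_winmine.base.add(0x5340);
    }

    /** Refresh the board geometry from game memory (grid pointer and hWnd are fixed at construction). */
    private load_board_info() {
        const base = this.module_winmine.base;
        this.height = base.add(0x5338).readU32();
        this.width = base.add(0x5334).readU32();
        this.mine_count = base.add(0x5330).readU32();
    }

    /** Print the current grid as hex bytes, one board row per line. */
    board_info() {
        this.board_mark();
    }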
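board_mark(modify: boolean = false) {
        // Walk the cell grid row by row (rows are 0x20 bytes apart; the `+ 2` presumably
        // covers the border cells around the playable area).
        // modify=false: print each row as two-digit upper-case hex bytes.
        // modify=true:  overwrite every 0x8F cell with 0x8E in place and print nothing
        //               (the course reads 0x8F as an unrevealed mine, 0x8E as a flagged one —
        //               confirm against the lesson's memory analysis).
        this.load_board_info();
        for (let row = 0; row < this.height + 2; row++) {
            const cells: string[] = [];
            for (let col = 0; col < this.width + 2; col++) {
                const cell = this.head.add(col + 0x20 * row);
                const value = cell.readU8();
                if (modify) {
                    if (value === 0x8F) {
                        cell.writeU8(0x8E);
                    }
                } else {
                    cells.push(value.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (!modify) {
                console.log(cells.join(" "));
            }
        }
    }

    /** Invalidate the client area so the game redraws cells changed by board_mark(true). */
    board_repaint() {
        // RECT = 4 x LONG
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetClientRect(this.hWnd, lpRect);
        WinApi.InvalidateRect(this.hWnd, lpRect, 1);
    }

    /**
     * Bring the game window to the front. SetForegroundWindow is refused for a
     * process that does not own the current foreground window, so this thread's
     * input queue is first attached to the foreground window's thread; the window
     * is then restored and raised, bounced through TOPMOST/NOTOPMOST so it lands
     * on top without staying always-on-top, and the attachment is undone.
     */
    board_foreground() {
        const hForeWnd = WinApi.GetForegroundWindow();
        const dwCurID = WinApi.GetCurrentThreadId();
        // Returns the window's thread id; the process-id output is discarded via the NULL pointer.
        const dwForeID = WinApi.GetWindowThreadProcessId(hForeWnd, ptr(0));
        WinApi.AttachThreadInput(dwCurID, dwForeID, 1);

        const SW_RESTORE = 9;
        WinApi.ShowWindow(this.hWnd, SW_RESTORE);

        WinApi.SetForegroundWindow(this.hWnd);

        // HWND_TOPMOST / HWND_NOTOPMOST are (HWND)-1 / (HWND)-2; WinApi.SetWindowPos
        // marshals this argument as a 32-bit int, which matches the 32-bit game build.
        const HWND_TOPMOST = -1;
        const HWND_NOTOPMOST = -2;
        const SWP_NOSIZE = 0x0001;
        const SWP_NOMOVE = 0x0002;
        WinApi.SetWindowPos(this.hWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);
        WinApi.SetWindowPos(this.hWnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);

        WinApi.AttachThreadInput(dwCurID, dwForeID, 0);
    }

    /**
     * Cursor demo: remember the cursor position, print the window's screen
     * rectangle, park the cursor on the window's top-left corner for two
     * seconds, then put it back.
     *
     * RECT and POINT members are LONG (signed 32-bit). A window on a monitor
     * left of or above the primary one has negative left/top, so the fields are
     * read with readS32 rather than readU32, which would turn -5 into 4294967291.
     */
    board_location() {
        // POINT { LONG x; LONG y; }  (16 bytes allocated, 8 used)
        const lpOrgPoint = Memory.alloc(4 * 4);
        WinApi.GetCursorPos(lpOrgPoint);

        // RECT { LONG left; LONG top; LONG right; LONG bottom; }
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetWindowRect(this.hWnd, lpRect);
        const left = lpRect.readS32();
        const top = lpRect.add(4).readS32();
        console.log("left", left);
        console.log("top", top);
        console.log("right", lpRect.add(8).readS32());
        console.log("bottom", lpRect.add(12).readS32());

        WinApi.SetCursorPos(left, top);

        // Blocks the thread running this script for the whole delay.
        WinApi.Sleep(2000);
        WinApi.SetCursorPos(lpOrgPoint.readS32(), lpOrgPoint.add(4).readS32());
    }
}

const l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
l07.board_foreground();
l07.board_location();
--------------------------------------------------------------------------------
/配套代码/F15/win_api.ts:
--------------------------------------------------------------------------------
/**
 * Static, lazily bound wrappers over the Win32 exports used by the lessons.
 *
 * Every wrapper follows one pattern: resolve the export and build one
 * NativeFunction on the first call, then reuse it. A missing export raises
 * an Error naming the symbol instead of handing a null address to
 * NativeFunction. The cached functions carry explicit signatures rather
 * than AnyFunction so argument mistakes are caught at compile time.
 *
 * SetWindowPos's hWndInsertAfter is an HWND but is marshalled here as a 32-bit
 * "int" so callers can pass HWND_TOPMOST (-1) / HWND_NOTOPMOST (-2) as plain
 * numbers; that matches the 32-bit winmine.exe the course targets and would
 * need "pointer" on a 64-bit target.
 */
export class WinApi {
    /**
     * Look up `symbol` in `moduleName`.
     * @throws Error naming the symbol when the export is absent.
     */
    private static resolve(moduleName: string, symbol: string): NativePointerValue {
        const address = Module.findExportByName(moduleName, symbol);
        if (address === null) {
            throw new Error(`export ${symbol} not found in ${moduleName}`);
        }
        return address;
    }

    private static func_GetClientRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue) => number) | null = null;
    // BOOL GetClientRect([in] HWND hWnd, [out] LPRECT lpRect);
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (WinApi.func_GetClientRect == null) {
            WinApi.func_GetClientRect = new NativeFunction(WinApi.resolve("User32.dll", "GetClientRect"), "bool", ["pointer", "pointer"]);
        }
        return WinApi.func_GetClientRect(hWnd, lpRect);
    }

    private static func_InvalidateRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number) => number) | null = null;
    // BOOL InvalidateRect([in] HWND hWnd, [in] const RECT *lpRect, [in] BOOL bErase);
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        if (WinApi.func_InvalidateRect == null) {
            WinApi.func_InvalidateRect = new NativeFunction(WinApi.resolve("User32.dll", "InvalidateRect"), "bool", ["pointer", "pointer", "bool"]);
        }
        return WinApi.func_InvalidateRect(hWnd, lpRect, bErase);
    }

    private static func_SetForegroundWindow: ((hWnd: NativePointerValue) => number) | null = null;
    // BOOL SetForegroundWindow([in] HWND hWnd);
    static SetForegroundWindow(hWnd: NativePointerValue): number {
        if (WinApi.func_SetForegroundWindow == null) {
            WinApi.func_SetForegroundWindow = new NativeFunction(WinApi.resolve("User32.dll", "SetForegroundWindow"), "bool", ["pointer"]);
        }
        return WinApi.func_SetForegroundWindow(hWnd);
    }

    private static func_ShowWindow: ((hWnd: NativePointerValue, nCmdShow: number) => number) | null = null;
    // BOOL ShowWindow([in] HWND hWnd, [in] int nCmdShow);
    static ShowWindow(hWnd: NativePointerValue, nCmdShow: number): number {
        if (WinApi.func_ShowWindow == null) {
            WinApi.func_ShowWindow = new NativeFunction(WinApi.resolve("User32.dll", "ShowWindow"), "bool", ["pointer", "int"]);
        }
        return WinApi.func_ShowWindow(hWnd, nCmdShow);
    }

    private static func_SetWindowPos: ((hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number) => number) | null = null;
    // BOOL SetWindowPos([in] HWND hWnd, [in, optional] HWND hWndInsertAfter,
    //                   [in] int X, [in] int Y, [in] int cx, [in] int cy, [in] UINT uFlags);
    // hWndInsertAfter is passed as "int" (see class comment).
    static SetWindowPos(hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number): number {
        if (WinApi.func_SetWindowPos == null) {
            WinApi.func_SetWindowPos = new NativeFunction(WinApi.resolve("User32.dll", "SetWindowPos"), "bool", ["pointer", "int", "int", "int", "int", "int", "int"]);
        }
        return WinApi.func_SetWindowPos(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags);
    }

    private static func_GetForegroundWindow: (() => NativePointerValue) | null = null;
    // HWND GetForegroundWindow();
    static GetForegroundWindow(): NativePointerValue {
        if (WinApi.func_GetForegroundWindow == null) {
            WinApi.func_GetForegroundWindow = new NativeFunction(WinApi.resolve("User32.dll", "GetForegroundWindow"), "pointer", []);
        }
        return WinApi.func_GetForegroundWindow();
    }

    private static func_GetCurrentThreadId: (() => number) | null = null;
    // DWORD GetCurrentThreadId();  returned through "int": ids >= 2^31 come back negative (same bits).
    static GetCurrentThreadId(): number {
        if (WinApi.func_GetCurrentThreadId == null) {
            WinApi.func_GetCurrentThreadId = new NativeFunction(WinApi.resolve("Kernel32.dll", "GetCurrentThreadId"), "int", []);
        }
        return WinApi.func_GetCurrentThreadId();
    }

    // Earlier form kept from the lesson for comparison: caches the address and rebuilds the NativeFunction per call.
    // private static address_GetWindowThreadProcessId: NativePointerValue | null;
    // static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
    //     // DWORD GetWindowThreadProcessId(
    //     //     [in]            HWND    hWnd,
    //     //     [out, optional] LPDWORD lpdwProcessId
    //     // );
    //     if (this.address_GetWindowThreadProcessId == null) {
    //         this.address_GetWindowThreadProcessId = Module.findExportByName("User32.dll", "GetWindowThreadProcessId");
    //     }
    //     return new NativeFunction(this.address_GetWindowThreadProcessId!, "int", ["pointer", "pointer"])(hWnd, lpdwProcessId);
    // }

    private static func_GetWindowThreadProcessId: ((hWnd: NativePointerValue, lpdwProcessId: NativePointerValue) => number) | null = null;
    // DWORD GetWindowThreadProcessId([in] HWND hWnd, [out, optional] LPDWORD lpdwProcessId);
    // Returns the thread id that created the window; lpdwProcessId may be NULL.
    static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
        if (WinApi.func_GetWindowThreadProcessId == null) {
            WinApi.func_GetWindowThreadProcessId = new NativeFunction(WinApi.resolve("User32.dll", "GetWindowThreadProcessId"), "int", ["pointer", "pointer"]);
        }
        return WinApi.func_GetWindowThreadProcessId(hWnd, lpdwProcessId);
    }

    private static func_AttachThreadInput: ((idAttach: number, idAttachTo: number, fAttach: number) => number) | null = null;
    // BOOL AttachThreadInput([in] DWORD idAttach, [in] DWORD idAttachTo, [in] BOOL fAttach);
    static AttachThreadInput(idAttach: number, idAttachTo: number, fAttach: number): number {
        if (WinApi.func_AttachThreadInput == null) {
            WinApi.func_AttachThreadInput = new NativeFunction(WinApi.resolve("User32.dll", "AttachThreadInput"), "int", ["int", "int", "int"]);
        }
        return WinApi.func_AttachThreadInput(idAttach, idAttachTo, fAttach);
    }

    private static func_GetWindowRect: ((hWnd: NativePointerValue, lpRect: NativePointerValue) => number) | null = null;
    // BOOL GetWindowRect([in] HWND hWnd, [out] LPRECT lpRect);  RECT members are signed LONGs
    static GetWindowRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (WinApi.func_GetWindowRect == null) {
            WinApi.func_GetWindowRect = new NativeFunction(WinApi.resolve("User32.dll", "GetWindowRect"), "bool", ["pointer", "pointer"]);
        }
        return WinApi.func_GetWindowRect(hWnd, lpRect);
    }

    private static func_SetCursorPos: ((X: number, Y: number) => number) | null = null;
    // BOOL SetCursorPos([in] int X, [in] int Y);
    static SetCursorPos(X: number, Y: number): number {
        if (WinApi.func_SetCursorPos == null) {
            WinApi.func_SetCursorPos = new NativeFunction(WinApi.resolve("User32.dll", "SetCursorPos"), "bool", ["int", "int"]);
        }
        return WinApi.func_SetCursorPos(X, Y);
    }

    private static func_GetCursorPos: ((lpPoint: NativePointerValue) => number) | null = null;
    // BOOL GetCursorPos([out] LPPOINT lpPoint);  POINT members are signed LONGs
    static GetCursorPos(lpPoint: NativePointerValue): number {
        if (WinApi.func_GetCursorPos == null) {
            WinApi.func_GetCursorPos = new NativeFunction(WinApi.resolve("User32.dll", "GetCursorPos"), "bool", ["pointer"]);
        }
        return WinApi.func_GetCursorPos(lpPoint);
    }

    private static func_Sleep: ((dwMilliseconds: number) => void) | null = null;
    // void Sleep([in] DWORD dwMilliseconds);  blocks the calling thread (the one running this script).
    static Sleep(dwMilliseconds: number): void {
        if (WinApi.func_Sleep == null) {
            WinApi.func_Sleep = new NativeFunction(WinApi.resolve("Kernel32.dll", "Sleep"), "void", ["int"]);
        }
        WinApi.func_Sleep(dwMilliseconds);
    }
}
--------------------------------------------------------------------------------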
// ===== 配套代码/F16/L16.ts =====
import { WinApi } from "./win_api";
/**
 * Lesson-16 driver: reads and rewrites the Minesweeper (winmine.exe) board in the
 * attached process and then moves the game window to the foreground.
 * The class is still named L07 (carried over from the earlier lesson).
 * All offsets below are hard-coded relative to winmine.exe's image base and are
 * only valid for the specific build shipped with the course.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    // Read by load_board_info but not used by any method visible here.
    private mine_count: number = 0;
    // Start of the board cell array (base + 0x5340).
    private head: NativePointer = ptr(0);
    // Main window handle, read from the pointer stored at base + 0x5B24.
    private hWnd: NativePointer = ptr(0);

    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // get the module base address (getModuleByName throws if winmine.exe is not loaded)
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
        this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
        this.head = this.module_winmine.base.add(0x5340);
    }

    /** Refreshes height / width / mine_count from the game's globals. */
    private load_board_info() {
        this.height = this.module_winmine.base.add(0x5338).readU32();
        this.width = this.module_winmine.base.add(0x5334).readU32();
        this.mine_count = this.module_winmine.base.add(0x5330).readU32();
    }

    /** Dumps the board as hex (board_mark with modify = false). */
    board_info() {
        this.board_mark();
    }
    /**
     * Walks the board row by row (32-byte row stride, width+2 / height+2 cells so the
     * surrounding rows and columns are included). With modify = false each row is printed
     * as space-separated hex bytes; with modify = true nothing is printed and every 0x8F
     * cell is rewritten to 0x8E in the game's memory — presumably so those cells render
     * differently (the F17 lesson treats 0x8F as an unrevealed mine) — TODO confirm.
     */
    board_mark(modify: boolean = false) {
        // load board data
        this.load_board_info();
        // walk the board, row by row
        for (let i = 0; i < this.height + 2; i++) {
            // column by column
            let data = [];
            for (let j = 0; j < this.width + 2; j++) {
                let byte_data = this.head.add(j + 0x20 * i).readU8();
                if (modify == true) {
                    if (byte_data == 0x8F) {
                        this.head.add(j + 0x20 * i).writeU8(0x8E);
                    }
                }
                else {
                    data.push(byte_data.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (modify != true) {
                console.log(data.join(" "));
            }
        }
    }

    /** Forces a redraw of the whole client area (needed after writing the board bytes). */
    board_repaint() {
        // RECT = 4 x LONG = 16 bytes
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetClientRect(this.hWnd, lpRect);
        WinApi.InvalidateRect(this.hWnd, lpRect, 1);
    }
    /**
     * Brings the game window to the foreground. Starts here; the body continues on the
     * next collapsed line.
     */
    board_foreground() {
        let hForeWnd = WinApi.GetForegroundWindow();
        let dwCurID =
WinApi.GetCurrentThreadId(); // ← completes `let dwCurID =` from the previous collapsed line
        // Attach our input queue to the current foreground window's thread so that
        // SetForegroundWindow below is permitted; detached again at the end.
        let dwForeID = WinApi.GetWindowThreadProcessId(hForeWnd, ptr(0));
        WinApi.AttachThreadInput(dwCurID, dwForeID, 1);

        const SW_RESTORE = 9;
        WinApi.ShowWindow(this.hWnd, SW_RESTORE);

        WinApi.SetForegroundWindow(this.hWnd);

        // Toggle TOPMOST on and off to raise the window without leaving it always-on-top.
        const HWND_TOPMOST = -1;
        const HWND_NOTOPMOST = -2;
        const SWP_NOSIZE = 0x0001;
        const SWP_NOMOVE = 0x0002;
        WinApi.SetWindowPos(this.hWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);
        WinApi.SetWindowPos(this.hWnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);

        WinApi.AttachThreadInput(dwCurID, dwForeID, 0);
    }

    /**
     * Moves the cursor onto a fixed board cell (x = 4, y = 5) and left-clicks it.
     * Cell geometry (+7 px, +92 px, 16 px per cell) is hard-coded for this window layout.
     * NOTE(review): RECT.left/top are LONG (signed) but are read with readU32(); a window
     * partly off-screen to the left/top yields a huge coordinate — confirm targets only
     * ever sit at non-negative coordinates.
     */
    board_location() {

        // POINT (8 bytes) fits in the 16-byte allocation; saved so the cursor could be
        // restored afterwards (restore is commented out below).
        let lpOrgRect = Memory.alloc(4 * 4);
        WinApi.GetCursorPos(lpOrgRect);

        let lpRect = Memory.alloc(4 * 4);
        WinApi.GetWindowRect(this.hWnd, lpRect);
        console.log("left", lpRect.readU32());
        console.log("top", lpRect.add(4).readU32());

        let start_x = lpRect.readU32() + 7;
        let start_y = lpRect.add(4).readU32() + 92;
        let step = 16;
        let x = 4;
        let y = 5;

        WinApi.SetCursorPos(start_x + step * x, start_y + step * y);

        const MOUSEEVENTF_LEFTDOWN = 0x0002;
        const MOUSEEVENTF_LEFTUP = 0x0004;

        // Only used by the commented-out right-click below.
        const MOUSEEVENTF_RIGHTDOWN = 0x0008;
        const MOUSEEVENTF_RIGHTUP = 0x0010;

        WinApi.MouseEvent(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, WinApi.GetMessageExtraInfo());
        WinApi.MouseEvent(MOUSEEVENTF_LEFTUP, 0, 0, 0, WinApi.GetMessageExtraInfo());

        // WinApi.MouseEvent(MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, WinApi.GetMessageExtraInfo());
        // WinApi.MouseEvent(MOUSEEVENTF_RIGHTUP, 0, 0, 0, WinApi.GetMessageExtraInfo());



        // WinApi.Sleep(2000);
        // WinApi.SetCursorPos(lpOrgRect.readU32(), lpOrgRect.add(4).readU32());

    }
}

// Script entry: runs each step in sequence when the agent is loaded.
let l07 = new L07();
l07.board_mark(true);
l07.board_info();
l07.board_repaint();
l07.board_foreground();
l07.board_location();
// ===== 配套代码/F16/win_api.ts =====
/**
 * Thin Frida bindings for the Win32 (user32 / kernel32) calls used by the lessons.
 * Every method resolves its export lazily on first use with Module.findExportByName,
 * which returns null when the export is absent; the `!` assertions below then make the
 * NativeFunction constructor throw rather than silently misbehave.
 */
export class WinApi {
    private static address_GetClientRect: NativePointerValue | null;
    /** BOOL GetClientRect(HWND hWnd, LPRECT lpRect); builds a fresh NativeFunction per call. */
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (this.address_GetClientRect == null) {
            this.address_GetClientRect = Module.findExportByName("User32.dll", "GetClientRect");
        }
        return new NativeFunction(this.address_GetClientRect!, "bool", ["pointer", "pointer"])(hWnd, lpRect);
    }

    private static address_InvalidateRect: NativePointerValue | null;
    /** BOOL InvalidateRect(HWND hWnd, const RECT *lpRect, BOOL bErase). */
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        if (this.address_InvalidateRect == null) {
            this.address_InvalidateRect = Module.findExportByName("User32.dll", "InvalidateRect");
        }
        return new NativeFunction(this.address_InvalidateRect!, "bool", ["pointer", "pointer", 'bool'])(hWnd, lpRect, bErase);
    }

    private static address_SetForegroundWindow: NativePointerValue | null;
    /** Activates hWnd; Windows only honours this when the caller is allowed to take the foreground. */
    static SetForegroundWindow(hWnd: NativePointerValue): number {
        // BOOL SetForegroundWindow(
        // [in] HWND hWnd
        // );
        if (this.address_SetForegroundWindow == null) {
            this.address_SetForegroundWindow = Module.findExportByName("User32.dll", "SetForegroundWindow");
        }
        return new NativeFunction(this.address_SetForegroundWindow!, "bool", ["pointer"])(hWnd);
    }

    private static address_ShowWindow: NativePointerValue | null;
    /** BOOL ShowWindow(HWND hWnd, int nCmdShow); the return continues on the next collapsed line. */
    static ShowWindow(hWnd: NativePointerValue, nCmdShow: number): number {
        // BOOL ShowWindow(
        // [in] HWND hWnd,
        // [in] int nCmdShow
        // );
        if (this.address_ShowWindow == null) {
            this.address_ShowWindow = Module.findExportByName("User32.dll", "ShowWindow");
        }
        return new
NativeFunction(this.address_ShowWindow!, "bool", ["pointer", "int"])(hWnd, nCmdShow); // ← completes `return new` from the previous collapsed line
    }

    private static address_SetWindowPos: NativePointerValue | null;
    /**
     * BOOL SetWindowPos(...). hWndInsertAfter is typed number / "int" because callers pass
     * the HWND_TOPMOST (-1) / HWND_NOTOPMOST (-2) sentinels; the real parameter is an HWND
     * (pointer-sized). That matches the 32-bit winmine.exe these lessons target —
     * NOTE(review): a 64-bit target would need "pointer" here; confirm before reuse.
     */
    static SetWindowPos(hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number): number {
        // BOOL SetWindowPos(
        // [in] HWND hWnd,
        // [in, optional] HWND hWndInsertAfter,
        // [in] int X,
        // [in] int Y,
        // [in] int cx,
        // [in] int cy,
        // [in] UINT uFlags
        // );
        if (this.address_SetWindowPos == null) {
            this.address_SetWindowPos = Module.findExportByName("User32.dll", "SetWindowPos");
        }
        return new NativeFunction(this.address_SetWindowPos!, "bool", ["pointer", "int", "int", "int", "int", "int", "int"])(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags);
    }

    private static address_GetForegroundWindow: NativePointerValue | null;
    /** Returns the HWND of the current foreground window (may be NULL per Win32). */
    static GetForegroundWindow(): NativePointerValue {
        // HWND GetForegroundWindow();
        if (this.address_GetForegroundWindow == null) {
            this.address_GetForegroundWindow = Module.findExportByName("User32.dll", "GetForegroundWindow");
        }
        return new NativeFunction(this.address_GetForegroundWindow!, "pointer", [])();
    }

    private static address_GetCurrentThreadId: NativePointerValue | null;
    /**
     * Id of the thread running the Frida script (the injected agent thread, not a game thread).
     * DWORD is returned as "int", so values >= 0x80000000 would read as negative.
     */
    static GetCurrentThreadId(): number {
        // DWORD GetCurrentThreadId();
        if (this.address_GetCurrentThreadId == null) {
            this.address_GetCurrentThreadId = Module.findExportByName("Kernel32.dll", "GetCurrentThreadId");
        }
        return new NativeFunction(this.address_GetCurrentThreadId!, "int", [])();
    }

    // Earlier variant kept commented out by the author (address-only cache); continues on the next collapsed line.
    // private static address_GetWindowThreadProcessId: NativePointerValue | null;
    // static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
    // // DWORD GetWindowThreadProcessId(
    // // [in] HWND hWnd,
    // // [out, optional] LPDWORD lpdwProcessId
    // // );
    // if (this.address_GetWindowThreadProcessId == null) {
    // this.address_GetWindowThreadProcessId = Module.findExportByName("User32.dll", "GetWindowThreadProcessId");
    // }
    // return new NativeFunction(this.address_GetWindowThreadProcessId!, "int", ["pointer", "pointer"])(hWnd, lpdwProcessId);
    // }

    // Lazily-resolved binding for user32!GetWindowThreadProcessId (undefined until first use).
    private static func_GetWindowThreadProcessId: AnyFunction;
    /**
     * Returns the id of the thread that created hWnd. lpdwProcessId is the optional
     * out-pointer for the owning process id; callers in this repo pass ptr(0).
     * The Win32 return type is DWORD (unsigned) but the binding declares "int" —
     * NOTE(review): "uint" is probably intended; ids >= 0x80000000 come back negative.
     */
    static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
        // DWORD GetWindowThreadProcessId(
        // [in] HWND hWnd,
        // [out, optional] LPDWORD lpdwProcessId
        // );
        // (The prototype comment originally here was a copy of AttachThreadInput's; corrected.)
        if (this.func_GetWindowThreadProcessId == undefined) {
            let address = Module.findExportByName("User32.dll", "GetWindowThreadProcessId");
            this.func_GetWindowThreadProcessId = new NativeFunction(address!, "int", ["pointer", "pointer"]);
        }
        return this.func_GetWindowThreadProcessId(hWnd, lpdwProcessId);
    }

    // Lazily-resolved binding for user32!AttachThreadInput.
    private static func_AttachThreadInput: AnyFunction;
    /**
     * Wraps AttachThreadInput(idAttach, idAttachTo, fAttach); fAttach is the BOOL flag
     * (callers pass 1 to attach, 0 to detach). Returns the BOOL result as a number.
     */
    static AttachThreadInput(idAttach: number, idAttachTo: number, fAttach: number): number {
        // BOOL AttachThreadInput(
        // [in] DWORD idAttach,
        // [in] DWORD idAttachTo,
        // [in] BOOL fAttach
        // );
        if (this.func_AttachThreadInput == null) {
            let address_AttachThreadInput = Module.findExportByName("User32.dll", "AttachThreadInput");
            this.func_AttachThreadInput = new NativeFunction(address_AttachThreadInput!, "int", ["int", "int", "int"]);
        }
        return this.func_AttachThreadInput(idAttach, idAttachTo, fAttach);
    }

    // Lazily-resolved binding for user32!GetWindowRect.
    private static func_GetWindowRect: AnyFunction;
    /**
     * Fills the RECT at lpRect (left, top, right, bottom as LONG) with hWnd's screen
     * rectangle. The body continues on the next collapsed line.
     */
    static GetWindowRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        // BOOL GetWindowRect(
        // [in] HWND hWnd,
        // [out] LPRECT lpRect
        // );
        if (this.func_GetWindowRect == null) {
            let address = Module.findExportByName("User32.dll", "GetWindowRect");
            this.func_GetWindowRect = new NativeFunction(address!, "bool", ["pointer", "pointer"]); // ← inside GetWindowRect, begun on the previous collapsed line
        }
        return this.func_GetWindowRect(hWnd, lpRect);
    }

    // Lazily-resolved binding for user32!SetCursorPos.
    private static func_SetCursorPos: AnyFunction;
    /** Moves the mouse cursor to screen coordinates (X, Y). Returns the BOOL result. */
    static SetCursorPos(X: number, Y: number): number {
        // BOOL SetCursorPos(
        // [in] int X,
        // [in] int Y
        // );
        if (this.func_SetCursorPos == null) {
            let address = Module.findExportByName("User32.dll", "SetCursorPos");
            this.func_SetCursorPos = new NativeFunction(address!, "bool", ["int", "int"]);
        }
        return this.func_SetCursorPos(X, Y);
    }

    // Lazily-resolved binding for user32!GetCursorPos.
    private static func_GetCursorPos: AnyFunction;
    /** Writes the current cursor position into the POINT (x, y as LONG) at lpPoint. */
    static GetCursorPos(lpPoint: NativePointerValue): number {
        // BOOL GetCursorPos(
        // [out] LPPOINT lpPoint
        // );
        if (this.func_GetCursorPos == null) {
            let address = Module.findExportByName("User32.dll", "GetCursorPos");
            this.func_GetCursorPos = new NativeFunction(address!, "bool", ["pointer"]);
        }
        return this.func_GetCursorPos(lpPoint);
    }

    // Lazily-resolved binding for kernel32!Sleep.
    private static func_Sleep: AnyFunction;
    /** Blocks the Frida script thread for dwMilliseconds; the whole agent stalls meanwhile. */
    static Sleep(dwMilliseconds: number): void {
        // void Sleep(
        // [in] DWORD dwMilliseconds
        // );
        if (this.func_Sleep == null) {
            let address = Module.findExportByName("Kernel32.dll", "Sleep");
            this.func_Sleep = new NativeFunction(address!, "void", ["int"]);
        }
        return this.func_Sleep(dwMilliseconds);
    }

    //mouse_event
    // Lazily-resolved binding for user32!mouse_event (a legacy API; SendInput is its
    // documented successor). Synthesises mouse input system-wide, not just for the game window.
    private static func_MouseEvent: AnyFunction;
    /**
     * void mouse_event(dwFlags, dx, dy, dwData, dwExtraInfo). The body continues on the
     * next collapsed line.
     */
    static MouseEvent(dwFlags: number, dx: number, dy: number, dwData: number, dwExtraInfo: NativePointerValue): void {
        // void mouse_event(
        // [in] DWORD dwFlags,
        // [in] DWORD dx,
        // [in] DWORD dy,
        // [in] DWORD dwData,
        // [in] ULONG_PTR dwExtraInfo
        // );
        if (this.func_MouseEvent == null) {
            let address = Module.findExportByName("User32.dll", "mouse_event");
            this.func_MouseEvent = new NativeFunction(address!, "void", ["int", "int", "int", "int", "pointer"]); // ← inside MouseEvent, begun on the previous collapsed line
        }
        return this.func_MouseEvent(dwFlags, dx, dy, dwData, dwExtraInfo);
    }

    //GetMessageExtraInfo
    // Lazily-resolved binding for user32!GetMessageExtraInfo.
    private static func_GetMessageExtraInfo: AnyFunction;
    /** LPARAM GetMessageExtraInfo(); returned as a pointer and fed to mouse_event's dwExtraInfo. */
    static GetMessageExtraInfo(): NativePointerValue {
        // LPARAM GetMessageExtraInfo();
        if (this.func_GetMessageExtraInfo == null) {
            let address = Module.findExportByName("User32.dll", "GetMessageExtraInfo");
            this.func_GetMessageExtraInfo = new NativeFunction(address!, "pointer", []);
        }
        return this.func_GetMessageExtraInfo();
    }

}
// ===== 配套代码/F17/L17.ts =====
import { WinApi } from "./win_api";
/**
 * Lesson-17 driver: same board reading as L16 plus board_click, which plays the board
 * automatically through synthesised mouse input. The class is still named L07.
 * All offsets are hard-coded relative to winmine.exe's image base for the course build.
 */
class L07 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private height: number = 0;
    private width: number = 0;
    // Read by load_board_info but not used by any method visible here.
    private mine_count: number = 0;
    // Start of the board cell array (base + 0x5340).
    private head: NativePointer = ptr(0);
    // Main window handle, read from the pointer stored at base + 0x5B24.
    private hWnd: NativePointer = ptr(0);
    // Screen position of cell (0, 0) and the cell pitch in pixels; set by board_location / board_click.
    private start_x = 0;
    private start_y = 0;
    private step = 16;

    private MOUSEEVENTF_LEFTDOWN = 0x0002;
    private MOUSEEVENTF_LEFTUP = 0x0004;
    private MOUSEEVENTF_RIGHTDOWN = 0x0008;
    private MOUSEEVENTF_RIGHTUP = 0x0010;


    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
        // get the module base address (getModuleByName throws if winmine.exe is not loaded)
        this.module_winmine = Process.getModuleByName(this.module_name_winmine);
        this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
        this.head = this.module_winmine.base.add(0x5340);
    }

    /** Refreshes height / width / mine_count from the game's globals; continues on the next collapsed line. */
    private load_board_info() {
        this.height = this.module_winmine.base.add(0x5338).readU32();
        this.width =
this.module_winmine.base.add(0x5334).readU32(); // ← completes `this.width =` from the previous collapsed line
        this.mine_count = this.module_winmine.base.add(0x5330).readU32();
    }

    /** Dumps the board as hex (board_mark with modify = false). */
    board_info() {
        this.board_mark();
    }
    /**
     * Walks the board row by row (32-byte row stride, width+2 / height+2 cells). With
     * modify = false each row is printed as hex bytes; with modify = true every 0x8F cell
     * is rewritten to 0x8E in the game's memory (0x8F is treated as an unrevealed mine
     * by board_click below) and nothing is printed.
     */
    board_mark(modify: boolean = false) {
        // load board data
        this.load_board_info();
        // walk the board, row by row
        for (let i = 0; i < this.height + 2; i++) {
            // column by column
            let data = [];
            for (let j = 0; j < this.width + 2; j++) {
                let byte_data = this.head.add(j + 0x20 * i).readU8();
                if (modify == true) {
                    if (byte_data == 0x8F) {
                        this.head.add(j + 0x20 * i).writeU8(0x8E);
                    }
                }
                else {
                    data.push(byte_data.toString(16).padStart(2, '0').toUpperCase());
                }
            }

            if (modify != true) {
                console.log(data.join(" "));
            }
        }
    }

    /** Forces a redraw of the whole client area. */
    board_repaint() {
        // RECT = 4 x LONG = 16 bytes
        const lpRect = Memory.alloc(4 * 4);
        WinApi.GetClientRect(this.hWnd, lpRect);
        WinApi.InvalidateRect(this.hWnd, lpRect, 1);
    }
    /** Brings the game window to the foreground (attach input queue, show, raise, detach). */
    board_foreground() {
        let hForeWnd = WinApi.GetForegroundWindow();
        let dwCurID = WinApi.GetCurrentThreadId();
        let dwForeID = WinApi.GetWindowThreadProcessId(hForeWnd, ptr(0));
        WinApi.AttachThreadInput(dwCurID, dwForeID, 1);

        const SW_RESTORE = 9;
        WinApi.ShowWindow(this.hWnd, SW_RESTORE);

        WinApi.SetForegroundWindow(this.hWnd);

        // Toggle TOPMOST on and off to raise the window without leaving it always-on-top.
        const HWND_TOPMOST = -1;
        const HWND_NOTOPMOST = -2;
        const SWP_NOSIZE = 0x0001;
        const SWP_NOMOVE = 0x0002;
        WinApi.SetWindowPos(this.hWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);
        WinApi.SetWindowPos(this.hWnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE);

        WinApi.AttachThreadInput(dwCurID, dwForeID, 0);
    }

    /**
     * Clicks one fixed cell (x = 4, y = 5) after computing the board origin from the
     * window rectangle. Continues on the next collapsed line.
     * NOTE(review): RECT.left/top are signed LONGs but are read with readU32(); a window
     * partly off-screen to the left/top gives a huge coordinate — confirm.
     */
    board_location() {

        let lpOrgRect = Memory.alloc(4 * 4);
        WinApi.GetCursorPos(lpOrgRect);

        let lpRect = Memory.alloc(4 * 4);
        WinApi.GetWindowRect(this.hWnd, lpRect);
        console.log("left", lpRect.readU32());
        console.log("top", lpRect.add(4).readU32());

        this.start_x = lpRect.readU32() + 7; // ← inside board_location, begun on the previous collapsed line
        this.start_y = lpRect.add(4).readU32() + 92;
        let x = 4;
        let y = 5;

        WinApi.SetCursorPos(this.start_x + this.step * x, this.start_y + this.step * y);

        // Local copies of the class constants (the fields above are used by mouse_click).
        const MOUSEEVENTF_LEFTDOWN = 0x0002;
        const MOUSEEVENTF_LEFTUP = 0x0004;

        const MOUSEEVENTF_RIGHTDOWN = 0x0008;
        const MOUSEEVENTF_RIGHTUP = 0x0010;

        WinApi.MouseEvent(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, WinApi.GetMessageExtraInfo());
        WinApi.MouseEvent(MOUSEEVENTF_LEFTUP, 0, 0, 0, WinApi.GetMessageExtraInfo());

        // WinApi.MouseEvent(MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, WinApi.GetMessageExtraInfo());
        // WinApi.MouseEvent(MOUSEEVENTF_RIGHTUP, 0, 0, 0, WinApi.GetMessageExtraInfo());

        // WinApi.Sleep(2000);
        // WinApi.SetCursorPos(lpOrgRect.readU32(), lpOrgRect.add(4).readU32());

    }

    /**
     * Moves the cursor to board cell (x, y) — using start_x / start_y / step set by the
     * caller — and sends a left (default) or right click via mouse_event. The click goes
     * to whatever window is under the cursor, so the game must be in the foreground.
     */
    mouse_click(x: number, y: number, left_click: boolean = true) {

        WinApi.SetCursorPos(this.start_x + this.step * x, this.start_y + this.step * y);
        if (left_click) {
            WinApi.MouseEvent(this.MOUSEEVENTF_LEFTDOWN, 0, 0, 0, WinApi.GetMessageExtraInfo());
            WinApi.MouseEvent(this.MOUSEEVENTF_LEFTUP, 0, 0, 0, WinApi.GetMessageExtraInfo());
        }
        else {
            WinApi.MouseEvent(this.MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, WinApi.GetMessageExtraInfo());
            WinApi.MouseEvent(this.MOUSEEVENTF_RIGHTUP, 0, 0, 0, WinApi.GetMessageExtraInfo());
        }
    }
    /**
     * Plays the whole board: right-clicks every 0x8F cell and left-clicks every 0x0F cell,
     * walking rows/columns from 1 (skipping index 0). Saves and restores the cursor
     * position around the sweep. The loop body continues on the next collapsed line.
     */
    board_click() {

        // remember the cursor position
        let lpOrgRect = Memory.alloc(4 * 4);
        WinApi.GetCursorPos(lpOrgRect);

        // load board data
        this.load_board_info();

        // get the board position
        let lpRect = Memory.alloc(4 * 4);
        WinApi.GetWindowRect(this.hWnd, lpRect);
        this.start_x = lpRect.readU32() + 7;
        this.start_y = lpRect.add(4).readU32() + 92;

        // walk the board, row by row
        for (let i = 1; i < this.height + 2; i++) {
            // column by column
            for (let j = 1; j < this.width + 2; j++) {
                let byte_data = this.head.add(j + 0x20 * i).readU8(); // ← inner loop of board_click, begun on the previous collapsed line
                // flag a mine (right click); the `continue` is redundant but harmless
                if (byte_data == 0x8F) {
                    this.mouse_click(j, i, false);
                    continue;
                }
                // click a safe cell (left click)
                if (byte_data == 0x0F) {
                    this.mouse_click(j, i);
                    continue;
                }
            }
        }

        // restore the cursor
        WinApi.SetCursorPos(lpOrgRect.readU32(), lpOrgRect.add(4).readU32());
    }
}

// Script entry: only board_foreground and board_click are active in this lesson.
let l07 = new L07();
// l07.board_mark(true);
// l07.board_info();
// l07.board_repaint();
l07.board_foreground();
// l07.board_location();
l07.board_click();
// ===== 配套代码/F17/win_api.ts =====
/**
 * Thin Frida bindings for the Win32 calls used by the lessons (identical to F16's copy).
 * Exports are resolved lazily on first use; Module.findExportByName returns null for a
 * missing export and the `!` assertions then make the NativeFunction constructor throw.
 */
export class WinApi {
    private static address_GetClientRect: NativePointerValue | null;
    /** BOOL GetClientRect(HWND hWnd, LPRECT lpRect); builds a fresh NativeFunction per call. */
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        if (this.address_GetClientRect == null) {
            this.address_GetClientRect = Module.findExportByName("User32.dll", "GetClientRect");
        }
        return new NativeFunction(this.address_GetClientRect!, "bool", ["pointer", "pointer"])(hWnd, lpRect);
    }

    private static address_InvalidateRect: NativePointerValue | null;
    /** BOOL InvalidateRect(HWND hWnd, const RECT *lpRect, BOOL bErase). */
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        if (this.address_InvalidateRect == null) {
            this.address_InvalidateRect = Module.findExportByName("User32.dll", "InvalidateRect");
        }
        return new NativeFunction(this.address_InvalidateRect!, "bool", ["pointer", "pointer", 'bool'])(hWnd, lpRect, bErase);
    }

    private static address_SetForegroundWindow: NativePointerValue | null;
    /** Activates hWnd; the assignment continues on the next collapsed line. */
    static SetForegroundWindow(hWnd: NativePointerValue): number {
        // BOOL SetForegroundWindow(
        // [in] HWND hWnd
        // );
        if (this.address_SetForegroundWindow == null) {
            this.address_SetForegroundWindow =
Module.findExportByName("User32.dll", "SetForegroundWindow"); // ← completes the assignment from the previous collapsed line
        }
        return new NativeFunction(this.address_SetForegroundWindow!, "bool", ["pointer"])(hWnd);
    }

    private static address_ShowWindow: NativePointerValue | null;
    /** BOOL ShowWindow(HWND hWnd, int nCmdShow). */
    static ShowWindow(hWnd: NativePointerValue, nCmdShow: number): number {
        // BOOL ShowWindow(
        // [in] HWND hWnd,
        // [in] int nCmdShow
        // );
        if (this.address_ShowWindow == null) {
            this.address_ShowWindow = Module.findExportByName("User32.dll", "ShowWindow");
        }
        return new NativeFunction(this.address_ShowWindow!, "bool", ["pointer", "int"])(hWnd, nCmdShow);
    }

    private static address_SetWindowPos: NativePointerValue | null;
    /**
     * BOOL SetWindowPos(...). hWndInsertAfter is passed as "int" because callers use the
     * HWND_TOPMOST / HWND_NOTOPMOST sentinels; the real parameter is pointer-sized.
     * NOTE(review): fine for the 32-bit winmine.exe targeted here; a 64-bit target would
     * need "pointer" — confirm before reuse.
     */
    static SetWindowPos(hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number): number {
        // BOOL SetWindowPos(
        // [in] HWND hWnd,
        // [in, optional] HWND hWndInsertAfter,
        // [in] int X,
        // [in] int Y,
        // [in] int cx,
        // [in] int cy,
        // [in] UINT uFlags
        // );
        if (this.address_SetWindowPos == null) {
            this.address_SetWindowPos = Module.findExportByName("User32.dll", "SetWindowPos");
        }
        return new NativeFunction(this.address_SetWindowPos!, "bool", ["pointer", "int", "int", "int", "int", "int", "int"])(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags);
    }

    private static address_GetForegroundWindow: NativePointerValue | null;
    /** Returns the HWND of the current foreground window (may be NULL per Win32). */
    static GetForegroundWindow(): NativePointerValue {
        // HWND GetForegroundWindow();
        if (this.address_GetForegroundWindow == null) {
            this.address_GetForegroundWindow = Module.findExportByName("User32.dll", "GetForegroundWindow");
        }
        return new NativeFunction(this.address_GetForegroundWindow!, "pointer", [])();
    }

    private static address_GetCurrentThreadId: NativePointerValue | null;
    /**
     * Id of the thread running the Frida script. DWORD is returned as "int", so values
     * >= 0x80000000 would read as negative. The body continues on the next collapsed line.
     */
    static GetCurrentThreadId(): number {
        // DWORD GetCurrentThreadId();
        if
(this.address_GetCurrentThreadId == null) { // ← completes the `if` from the previous collapsed line
            this.address_GetCurrentThreadId = Module.findExportByName("Kernel32.dll", "GetCurrentThreadId");
        }
        return new NativeFunction(this.address_GetCurrentThreadId!, "int", [])();
    }

    // Earlier variant kept commented out by the author (address-only cache, new NativeFunction per call).
    // private static address_GetWindowThreadProcessId: NativePointerValue | null;
    // static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
    // // DWORD GetWindowThreadProcessId(
    // // [in] HWND hWnd,
    // // [out, optional] LPDWORD lpdwProcessId
    // // );
    // if (this.address_GetWindowThreadProcessId == null) {
    // this.address_GetWindowThreadProcessId = Module.findExportByName("User32.dll", "GetWindowThreadProcessId");
    // }
    // return new NativeFunction(this.address_GetWindowThreadProcessId!, "int", ["pointer", "pointer"])(hWnd, lpdwProcessId);
    // }

    // Lazily-resolved binding for user32!GetWindowThreadProcessId (undefined until first use).
    private static func_GetWindowThreadProcessId: AnyFunction;
    /**
     * Returns the id of the thread that created hWnd. lpdwProcessId is the optional
     * out-pointer for the owning process id; callers in this repo pass ptr(0).
     * The Win32 return type is DWORD (unsigned) but the binding declares "int" —
     * NOTE(review): "uint" is probably intended; ids >= 0x80000000 come back negative.
     */
    static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
        // DWORD GetWindowThreadProcessId(
        // [in] HWND hWnd,
        // [out, optional] LPDWORD lpdwProcessId
        // );
        // (The prototype comment originally here was a copy of AttachThreadInput's; corrected.)
        if (this.func_GetWindowThreadProcessId == undefined) {
            let address = Module.findExportByName("User32.dll", "GetWindowThreadProcessId");
            this.func_GetWindowThreadProcessId = new NativeFunction(address!, "int", ["pointer", "pointer"]);
        }
        return this.func_GetWindowThreadProcessId(hWnd, lpdwProcessId);
    }

    // Lazily-resolved binding for user32!AttachThreadInput.
    private static func_AttachThreadInput: AnyFunction;
    /**
     * Wraps AttachThreadInput(idAttach, idAttachTo, fAttach); fAttach is the BOOL flag
     * (callers pass 1 to attach, 0 to detach). The body continues on the next collapsed line.
     */
    static AttachThreadInput(idAttach: number, idAttachTo: number, fAttach: number): number {
        // BOOL AttachThreadInput(
        // [in] DWORD idAttach,
        // [in] DWORD idAttachTo,
        // [in] BOOL fAttach
        // );
        if (this.func_AttachThreadInput == null) {
            let address_AttachThreadInput = Module.findExportByName("User32.dll", "AttachThreadInput");
            this.func_AttachThreadInput = new NativeFunction(address_AttachThreadInput!, "int", ["int", "int", "int"]); // ← inside AttachThreadInput, begun on the previous collapsed line
        }
        return this.func_AttachThreadInput(idAttach, idAttachTo, fAttach);
    }

    // Lazily-resolved binding for user32!GetWindowRect.
    private static func_GetWindowRect: AnyFunction;
    /** Fills the RECT at lpRect (left, top, right, bottom as LONG) with hWnd's screen rectangle. */
    static GetWindowRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        // BOOL GetWindowRect(
        // [in] HWND hWnd,
        // [out] LPRECT lpRect
        // );
        if (this.func_GetWindowRect == null) {
            let address = Module.findExportByName("User32.dll", "GetWindowRect");
            this.func_GetWindowRect = new NativeFunction(address!, "bool", ["pointer", "pointer"]);
        }
        return this.func_GetWindowRect(hWnd, lpRect);
    }

    // Lazily-resolved binding for user32!SetCursorPos.
    private static func_SetCursorPos: AnyFunction;
    /** Moves the mouse cursor to screen coordinates (X, Y). Returns the BOOL result. */
    static SetCursorPos(X: number, Y: number): number {
        // BOOL SetCursorPos(
        // [in] int X,
        // [in] int Y
        // );
        if (this.func_SetCursorPos == null) {
            let address = Module.findExportByName("User32.dll", "SetCursorPos");
            this.func_SetCursorPos = new NativeFunction(address!, "bool", ["int", "int"]);
        }
        return this.func_SetCursorPos(X, Y);
    }

    // Lazily-resolved binding for user32!GetCursorPos.
    private static func_GetCursorPos: AnyFunction;
    /** Writes the current cursor position into the POINT (x, y as LONG) at lpPoint. */
    static GetCursorPos(lpPoint: NativePointerValue): number {
        // BOOL GetCursorPos(
        // [out] LPPOINT lpPoint
        // );
        if (this.func_GetCursorPos == null) {
            let address = Module.findExportByName("User32.dll", "GetCursorPos");
            this.func_GetCursorPos = new NativeFunction(address!, "bool", ["pointer"]);
        }
        return this.func_GetCursorPos(lpPoint);
    }

    // Lazily-resolved binding for kernel32!Sleep.
    private static func_Sleep: AnyFunction;
    /**
     * Blocks the Frida script thread for dwMilliseconds; the whole agent stalls meanwhile.
     * The body continues on the next collapsed line.
     */
    static Sleep(dwMilliseconds: number): void {
        // void Sleep(
        // [in] DWORD dwMilliseconds
        // );
        if (this.func_Sleep == null) {
            let address = Module.findExportByName("Kernel32.dll", "Sleep");
            this.func_Sleep = new NativeFunction(address!, "void", ["int"]);
        } // ← closes the `if` inside Sleep, begun on the previous collapsed line
        return this.func_Sleep(dwMilliseconds);
    }

    //mouse_event
    // Lazily-resolved binding for user32!mouse_event (a legacy API; SendInput is its
    // documented successor). Synthesises mouse input system-wide, not just for the game window.
    private static func_MouseEvent: AnyFunction;
    /** void mouse_event(dwFlags, dx, dy, dwData, dwExtraInfo). */
    static MouseEvent(dwFlags: number, dx: number, dy: number, dwData: number, dwExtraInfo: NativePointerValue): void {
        // void mouse_event(
        // [in] DWORD dwFlags,
        // [in] DWORD dx,
        // [in] DWORD dy,
        // [in] DWORD dwData,
        // [in] ULONG_PTR dwExtraInfo
        // );
        if (this.func_MouseEvent == null) {
            let address = Module.findExportByName("User32.dll", "mouse_event");
            this.func_MouseEvent = new NativeFunction(address!, "void", ["int", "int", "int", "int", "pointer"]);
        }
        return this.func_MouseEvent(dwFlags, dx, dy, dwData, dwExtraInfo);
    }

    //GetMessageExtraInfo
    // Lazily-resolved binding for user32!GetMessageExtraInfo.
    private static func_GetMessageExtraInfo: AnyFunction;
    /** LPARAM GetMessageExtraInfo(); returned as a pointer and fed to mouse_event's dwExtraInfo. */
    static GetMessageExtraInfo(): NativePointerValue {
        // LPARAM GetMessageExtraInfo();
        if (this.func_GetMessageExtraInfo == null) {
            let address = Module.findExportByName("User32.dll", "GetMessageExtraInfo");
            this.func_GetMessageExtraInfo = new NativeFunction(address!, "pointer", []);
        }
        return this.func_GetMessageExtraInfo();
    }

}
// ===== 配套代码/F18/L18.ts =====
// Lesson 18: watch Frida.heapSize grow while 100 x 1 MiB allocations are kept alive.
let version = Frida.version;
console.log(version);

// Allocations are pushed into `data` so they stay referenced (otherwise they could be freed)
// and the heap size is printed after each one.
let data = []
for (let index = 0; index < 100; index++) {
    let mem = Memory.alloc(1024 * 1024);
    data.push(mem);

    let heapSize = Frida.heapSize;
    console.log(heapSize);
}

// ===== 配套代码/F19/F19.ts =====
/** Lesson 19: prints the Process.* properties of the attached process. The constructor continues on the next collapsed line. */
class FridaDemo {
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version); // ← inside the FridaDemo constructor, begun on the previous collapsed line
    }

    /**
     * Logs basic Process properties, then every malloc range. The thread/module/range
     * enumerations are left commented out by the author. getCurrentThreadId() is printed
     * twice (lines 15 and 16) — looks like a copy-paste duplicate.
     */
    show_process() {
        console.log("Process.id:\t\t", Process.id);
        console.log("Process.arch:\t\t", Process.arch);
        console.log("Process.platform:\t", Process.platform);
        console.log("Process.pageSize:\t", Process.pageSize);
        console.log("Process.pointerSize:\t", Process.pointerSize);
        console.log("Process.codeSigningPolicy:\t", Process.codeSigningPolicy);
        console.log("Process.isDebuggerAttached():\t", Process.isDebuggerAttached());
        console.log("Process.getCurrentThreadId():\t", Process.getCurrentThreadId());
        console.log("Process.getCurrentThreadId():\t", Process.getCurrentThreadId());

        // let threads = Process.enumerateThreads();
        // for (const iterator of threads) {
        // console.log(JSON.stringify(iterator));
        // }

        // let modules = Process.enumerateModules();
        // for (const iterator of modules) {
        // console.log(JSON.stringify(iterator));
        // }

        // let ranges = Process.enumerateRanges("rwx");
        // for (const iterator of ranges) {
        // console.log(JSON.stringify(iterator));
        // }

        // Can be very verbose on a process with a large heap.
        let mallocRanges = Process.enumerateMallocRanges();
        for (const iterator of mallocRanges) {
            console.log(JSON.stringify(iterator));
        }

    }
}

let fridaDemo = new FridaDemo();
fridaDemo.show_process();
// ===== 配套代码/F20/F20.cpp (C++ target used by F20.ts) =====
// F20.cpp : This file contains the "main" function. Program execution begins and ends there.
//

// NOTE(review): the header name is missing here — most likely <iostream>, stripped by the
// page rendering; the file cannot compile as shown.
#include

// Deliberately writes through a null pointer after the first Enter key so that the
// Frida exception handler in F20.ts can observe the access violation.
int main()
{
    std::cout << "打回车,继续1,程序奔溃!\n";
    getchar();

    int* pointer = (int*)0;
    pointer[0] = 123;


    std::cout << "打回车,继续2,程序奔溃!\n";
    getchar();
}

// ===== 配套代码/F20/F20.ts =====
// (F20.ts; the path header is on the previous collapsed line)
/** Lesson 20: install a process-wide exception handler and dump whatever it sees. */
class FridaDemo {
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        console.log("Frida.version", Frida.version);
    }

    /**
     * Logs each exception as JSON. Returning false tells Frida the exception was not
     * handled, so it keeps propagating (and the F20.cpp null write still crashes).
     */
    show_process() {
        Process.setExceptionHandler((exception) => {
            console.log(JSON.stringify(exception, null, 4));

            return false;
        });
    }
}

let fridaDemo = new FridaDemo();
fridaDemo.show_process();
// ===== 配套代码/F21/F21.ts =====
/** Lesson 21: Module API tour; most enumerations are left commented out by the author. */
class FridaDemo {
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        // console.log("Frida", JSON.stringify(Frida, null, 4));
        // console.log("Process", JSON.stringify(Process, null, 4));

    }

    /**
     * Looks up Kernel32.dll; the import/export/symbol/range listings and the
     * Module.load example are commented out. The commented `let p = ...` line is split
     * across this and the next collapsed line.
     */
    demo() {
        // let module = Process.getModuleByName("winmine.exe");
        // let module = Process.getModuleByName("user32.dll");
        let module = Process.getModuleByName("Kernel32.dll");
        // console.log("module", JSON.stringify(module, null, 4));

        // console.log("Imports:");
        // for (const iterator of module.enumerateImports()) {
        // console.log(JSON.stringify(iterator));
        // }

        // console.log("Exports:");
        // for (const iterator of module.enumerateExports()) {
        // console.log(JSON.stringify(iterator));
        // }

        // console.log("Symbols:");
        // for (const iterator of module.enumerateSymbols()) {
        // console.log(JSON.stringify(iterator));
        // }

        //enumerateRanges
        // console.log("Ranges:");
        // for (const iterator of module.enumerateRanges("r--")) {
        // console.log(JSON.stringify(iterator));
        // }

        //{"type":"function","name":"lstrlenW","address":"0x7630e0b0"}
        // let p =
        // module.findExportByName("lstrlenW");   ← rest of the commented-out `let p =` line from the previous collapsed line
        // console.log(p);

        // Module.load injects a DLL from disk into the target; kept commented out by the author.
        // let p1 = Module.load("C:\\DBGHELP.DLL");
        // console.log(JSON.stringify(p1));
        // console.log("Exports:");
        // for (const iterator of p1.enumerateExports()) {
        // console.log(JSON.stringify(iterator));
        // }

        // console.log("Imports:");
        // for (const iterator of p1.enumerateImports()) {
        // console.log(JSON.stringify(iterator));
        // }


    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
// ===== 配套代码/F22/F22.ts =====
/** Lesson 22: Memory / NativePointer API tour. */
class FridaDemo {
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
        // console.log("Frida", JSON.stringify(Frida, null, 4));
        // console.log("Process", JSON.stringify(Process, null, 4));

    }

    /** Allocates the same string in several encodings; the literal is split across this and the next collapsed line. */
    demo() {
        let str1 = "This is a string! 
你好!"; 11 | console.log(str1); 12 | 13 | let m1 = Memory.alloc(4); 14 | let m2 = Memory.allocAnsiString(str1); 15 | let m3 = Memory.allocUtf16String(str1); 16 | let m4 = Memory.allocUtf8String(str1); 17 | 18 | console.log(m2); 19 | 20 | // console.log(m2.readAnsiString()); 21 | // console.log(m2.readCString()); 22 | // console.log(m2.readUtf8String()); 23 | // console.log(m2.readUtf16String()); 24 | 25 | let ab = m2.readByteArray(str1.length * 2 + 2); 26 | // console.log(ab?.byteLength); 27 | 28 | let i8 = new Int8Array(ab!); 29 | // let i8 = new Int32Array(ab!); 30 | // let i8 = new String(ab!); 31 | 32 | // for (const iterator of i8) { 33 | // console.log(iterator); 34 | // } 35 | 36 | // console.log("b1", i8.map(x => String.fromCharCode(x)).join("")); 37 | 38 | let b1 = Array.prototype.slice.call(new Int8Array(ab!)); 39 | console.log("b1", b1.map(x => String.fromCharCode(x)).join("")); 40 | 41 | // console.log(ab); 42 | // console.log(m2.readPointer()); 43 | // console.log(m2.readS8().toString(16)); 44 | // console.log(m2.readFloat()); 45 | // console.log(m2.readDouble()); 46 | 47 | // m1.writeU8(0xF8); 48 | // console.log(m1.readU8()); 49 | // console.log(m1.readS8()); 50 | 51 | // let p1 = ptr(1); 52 | // console.log(p1.isNull()); 53 | // console.log(p1.add(100).toInt32()); 54 | 55 | // let p2 = new NativePointer("0x12345678"); 56 | 57 | // let p3 = ptr(1); 58 | // let p4 = ptr(0x11223344); 59 | // console.log(p3 == p4); 60 | // console.log(p3.equals(p4)); 61 | // console.log(p3.compare(p4)); 62 | // console.log("3".localeCompare("3")); 63 | // console.log(p4); 64 | // console.log(p4.toString()); 65 | // console.log(p4.toJSON()); 66 | // console.log(p4.toMatchPattern()); 67 | 68 | } 69 | } 70 | 71 | let fridaDemo = new FridaDemo(); 72 | fridaDemo.demo(); -------------------------------------------------------------------------------- /配套代码/F24/F24.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from 
"./win_api"; 2 | 3 | class FridaDemo { 4 | constructor() { 5 | console.log("======================", new Date().toISOString(), "=========================="); 6 | } 7 | 8 | demo() { 9 | // console.log(JSON.stringify(Memory)); 10 | let module = Process.getModuleByName("winmine.exe"); 11 | 12 | let p = ptr(0x00210604); 13 | let pattern = p.toMatchPattern(); 14 | console.log("pattern", pattern); 15 | 16 | // Memory.scan(module.base, module.size, pattern, { 17 | // Memory.scan(module.base, module.size, "04 ?? ?1 ?0", { 18 | // onMatch: (address, size) => { 19 | // console.log("onMatch", size, address, address.sub(module.base)); 20 | // }, 21 | 22 | // onError: (reason) => { 23 | // console.log(reason); 24 | // }, 25 | 26 | // onComplete: () => { 27 | // console.log("Scan Complete!"); 28 | // } 29 | // }); 30 | // let matches = Memory.scanSync(module.base, module.size, pattern); 31 | // let matches = Memory.scanSync(module.base, module.size, "04 ?? ?1 ?0"); 32 | // for (const iterator of matches) { 33 | // console.log(JSON.stringify(iterator)); 34 | // } 35 | 36 | // let m1 = Memory.alloc(Process.pageSize); 37 | // console.log("protect", JSON.stringify(Process.getRangeByAddress(m1))); 38 | // Memory.protect(m1, Process.pageSize, "r-x"); 39 | // console.log("protect", JSON.stringify(Process.getRangeByAddress(m1))); 40 | 41 | let lpText = Memory.allocUtf16String("This is a string!"); 42 | let lpCaption = Memory.allocUtf16String("Caption"); 43 | 44 | // WinApi.MessageBox(p, lpText, lpCaption, 0x00000001); 45 | 46 | let m2 = Memory.alloc(Process.pageSize); 47 | console.log("m2", m2); 48 | let address = Module.getExportByName("User32.dll", "MessageBoxW"); 49 | 50 | Memory.patchCode(m2, Process.pageSize, (code) => { 51 | // console.log("code", code); 52 | let asm = new X86Writer(code); 53 | asm.putPushU32(0x00000001); 54 | asm.putPushU32(lpCaption.toUInt32()); 55 | asm.putPushU32(lpText.toUInt32()); 56 | // asm.putPushU32(p.toUInt32()); 57 | asm.putPushU32(0); 58 | 
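asm.putCallAddress(address);
            asm.putRet();
            asm.flush();
        });

        // The stub is now plain machine code in m2; NativeFunction turns it
        // into a callable with no arguments and no return value.
        let func = new NativeFunction(m2, "void", []);
        func();


    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
--------------------------------------------------------------------------------
/配套代码/F24/win_api.ts:
--------------------------------------------------------------------------------
/**
 * Thin wrappers over a handful of User32 / Kernel32 exports.
 *
 * Every wrapper resolves its export on first use with Module.getExportByName,
 * which throws a descriptive error when the export is missing, and caches the
 * bound NativeFunction so later calls neither re-resolve the symbol nor
 * rebuild the function object. Parameter names and signatures mirror the
 * Win32 prototypes quoted above each method.
 */
export class WinApi {
    private static func_GetClientRect: AnyFunction;
    static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        // BOOL GetClientRect(
        //   [in]  HWND   hWnd,
        //   [out] LPRECT lpRect
        // );
        if (this.func_GetClientRect == null) {
            let address = Module.getExportByName("User32.dll", "GetClientRect");
            this.func_GetClientRect = new NativeFunction(address, "bool", ["pointer", "pointer"]);
        }
        return this.func_GetClientRect(hWnd, lpRect);
    }

    private static func_InvalidateRect: AnyFunction;
    static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
        // BOOL InvalidateRect(
        //   [in]           HWND       hWnd,
        //   [in, optional] const RECT *lpRect,
        //   [in]           BOOL       bErase
        // );
        if (this.func_InvalidateRect == null) {
            let address = Module.getExportByName("User32.dll", "InvalidateRect");
            this.func_InvalidateRect = new NativeFunction(address, "bool", ["pointer", "pointer", 'bool']);
        }
        return this.func_InvalidateRect(hWnd, lpRect, bErase);
    }

    private static func_SetForegroundWindow: AnyFunction;
    static SetForegroundWindow(hWnd: NativePointerValue): number {
        // BOOL SetForegroundWindow(
        //   [in] HWND hWnd
        // );
        if (this.func_SetForegroundWindow == null) {
            let address = Module.getExportByName("User32.dll", "SetForegroundWindow");
            this.func_SetForegroundWindow = new NativeFunction(address, "bool", ["pointer"]);
        }
        return this.func_SetForegroundWindow(hWnd);
    }

    private static func_ShowWindow: AnyFunction;
    static ShowWindow(hWnd: NativePointerValue, nCmdShow: number): number {
        // BOOL ShowWindow(
        //   [in] HWND hWnd,
        //   [in] int  nCmdShow
        // );
        if (this.func_ShowWindow == null) {
            let address = Module.getExportByName("User32.dll", "ShowWindow");
            this.func_ShowWindow = new NativeFunction(address, "bool", ["pointer", "int"]);
        }
        return this.func_ShowWindow(hWnd, nCmdShow);
    }

    private static func_SetWindowPos: AnyFunction;
    static SetWindowPos(hWnd: NativePointerValue, hWndInsertAfter: number, X: number, Y: number, cx: number, cy: number, uFlags: number): number {
        // BOOL SetWindowPos(
        //   [in]           HWND hWnd,
        //   [in, optional] HWND hWndInsertAfter,
        //   [in]           int  X,
        //   [in]           int  Y,
        //   [in]           int  cx,
        //   [in]           int  cy,
        //   [in]           UINT uFlags
        // );
        // hWndInsertAfter is passed as "int" on purpose: the callers use the
        // small HWND_* sentinel values, which fit in a 32-bit integer.
        if (this.func_SetWindowPos == null) {
            let address = Module.getExportByName("User32.dll", "SetWindowPos");
            this.func_SetWindowPos = new NativeFunction(address, "bool", ["pointer", "int", "int", "int", "int", "int", "int"]);
        }
        return this.func_SetWindowPos(hWnd, hWndInsertAfter, X, Y, cx, cy, uFlags);
    }

    private static func_GetForegroundWindow: AnyFunction;
    static GetForegroundWindow(): NativePointerValue {
        // HWND GetForegroundWindow();
        if (this.func_GetForegroundWindow == null) {
            let address = Module.getExportByName("User32.dll", "GetForegroundWindow");
            this.func_GetForegroundWindow = new NativeFunction(address, "pointer", []);
        }
        return this.func_GetForegroundWindow();
    }

    private static func_GetCurrentThreadId: AnyFunction;
    static GetCurrentThreadId(): number {
        // DWORD GetCurrentThreadId();
        if (this.func_GetCurrentThreadId == null) {
            let address = Module.getExportByName("Kernel32.dll", "GetCurrentThreadId");
            this.func_GetCurrentThreadId = new NativeFunction(address, "int", []);
        }
        return this.func_GetCurrentThreadId();
    }

    private static func_GetWindowThreadProcessId: AnyFunction;
    static GetWindowThreadProcessId(hWnd: NativePointerValue, lpdwProcessId: NativePointerValue): number {
        // DWORD GetWindowThreadProcessId(
        //   [in]            HWND    hWnd,
        //   [out, optional] LPDWORD lpdwProcessId
        // );
        if (this.func_GetWindowThreadProcessId == undefined) {
            let address = Module.getExportByName("User32.dll", "GetWindowThreadProcessId");
            this.func_GetWindowThreadProcessId = new NativeFunction(address, "int", ["pointer", "pointer"]);
        }
        return this.func_GetWindowThreadProcessId(hWnd, lpdwProcessId);
    }

    private static func_AttachThreadInput: AnyFunction;
    static AttachThreadInput(idAttach: number, idAttachTo: number, fAttach: number): number {
        // BOOL AttachThreadInput(
        //   [in] DWORD idAttach,
        //   [in] DWORD idAttachTo,
        //   [in] BOOL  fAttach
        // );
        if (this.func_AttachThreadInput == null) {
            let address = Module.getExportByName("User32.dll", "AttachThreadInput");
            this.func_AttachThreadInput = new NativeFunction(address, "int", ["int", "int", "int"]);
        }
        return this.func_AttachThreadInput(idAttach, idAttachTo, fAttach);
    }

    private static func_GetWindowRect: AnyFunction;
    static GetWindowRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
        // BOOL GetWindowRect(
        //   [in]  HWND   hWnd,
        //   [out] LPRECT lpRect
        // );
        if (this.func_GetWindowRect == null) {
            let address = Module.getExportByName("User32.dll", "GetWindowRect");
            this.func_GetWindowRect = new NativeFunction(address, "bool", ["pointer", "pointer"]);
        }
        return this.func_GetWindowRect(hWnd, lpRect);
    }

    private static func_SetCursorPos: AnyFunction;
    static SetCursorPos(X: number, Y: number): number {
        // BOOL SetCursorPos(
        //   [in] int X,
        //   [in] int Y
        // );
        if (this.func_SetCursorPos == null) {
            let address = Module.getExportByName("User32.dll", "SetCursorPos");
            this.func_SetCursorPos = new NativeFunction(address, "bool", ["int", "int"]);
        }
        return this.func_SetCursorPos(X, Y);
    }

    private static func_GetCursorPos: AnyFunction;
    static GetCursorPos(lpPoint: NativePointerValue): number {
        // BOOL GetCursorPos(
        //   [out] LPPOINT lpPoint
        // );
        if (this.func_GetCursorPos == null) {
            let address = Module.getExportByName("User32.dll", "GetCursorPos");
            this.func_GetCursorPos = new NativeFunction(address, "bool", ["pointer"]);
        }
        return this.func_GetCursorPos(lpPoint);
    }

    private static func_Sleep: AnyFunction;
    static Sleep(dwMilliseconds: number): void {
        // void Sleep(
        //   [in] DWORD dwMilliseconds
        // );
        // Blocks the calling thread; when invoked from a hook it stalls the
        // hooked thread for the full duration.
        if (this.func_Sleep == null) {
            let address = Module.getExportByName("Kernel32.dll", "Sleep");
            this.func_Sleep = new NativeFunction(address, "void", ["int"]);
        }
        return this.func_Sleep(dwMilliseconds);
    }

    //mouse_event
    private static func_MouseEvent: AnyFunction;
    static MouseEvent(dwFlags: number, dx: number, dy: number, dwData: number, dwExtraInfo: NativePointerValue): void {
        // void mouse_event(
        //   [in] DWORD     dwFlags,
        //   [in] DWORD     dx,
        //   [in] DWORD     dy,
        //   [in] DWORD     dwData,
        //   [in] ULONG_PTR dwExtraInfo
        // );
        if (this.func_MouseEvent == null) {
            let address = Module.getExportByName("User32.dll", "mouse_event");
            this.func_MouseEvent = new NativeFunction(address, "void", ["int", "int", "int", "int", "pointer"]);
        }
        return this.func_MouseEvent(dwFlags, dx, dy, dwData, dwExtraInfo);
    }

    //GetMessageExtraInfo
    private static func_GetMessageExtraInfo: AnyFunction;
    static GetMessageExtraInfo(): NativePointerValue {
        // LPARAM GetMessageExtraInfo();
        if (this.func_GetMessageExtraInfo == null) {
            let address = Module.getExportByName("User32.dll", "GetMessageExtraInfo");
            this.func_GetMessageExtraInfo = new NativeFunction(address, "pointer", []);
        }
        return this.func_GetMessageExtraInfo();
    }

    private static func_MessageBox: AnyFunction;
    static MessageBox(hWnd: NativePointerValue, lpText: NativePointerValue, lpCaption: NativePointerValue, uType: number): number {
        // int MessageBox(
        //   [in, optional] HWND    hWnd,
        //   [in, optional] LPCTSTR lpText,
        //   [in, optional] LPCTSTR lpCaption,
        //   [in]           UINT    uType
        // );
        // Binds the wide-char export, so lpText / lpCaption must point at
        // UTF-16 strings (e.g. Memory.allocUtf16String).
        if (this.func_MessageBox == null) {
            let address = Module.getExportByName("User32.dll", "MessageBoxW");
            this.func_MessageBox = new NativeFunction(address, "int", ["pointer", "pointer", "pointer", 'int']);
        }
        return this.func_MessageBox(hWnd, lpText, lpCaption, uType);
    }


}
--------------------------------------------------------------------------------
/配套代码/F26/F26.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

class FridaDemo {
    /** Prints a timestamped banner when the script loads. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
    }

    /**
     * Assembles a short MessageBoxW call sequence into a scratch page (never
     * executed here) and then disassembles a fixed address in the target with
     * show_asm(). 0x01003E21 is an address inside the lesson's 32-bit target;
     * adjust it when the target binary differs.
     */
    demo() {
        let address = Module.getExportByName("User32.dll", "MessageBoxW");
        let m2 =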
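Memory.alloc(Process.pageSize);
        let asm = new X86Writer(m2);
        asm.putPushU32(0x00000001);
        asm.putPushU32(2);
        asm.putPushU32(3);
        asm.putPushU32(4);
        asm.putCallAddress(address);
        asm.putRet();
        // Sits after RET, so it would never execute; it is only here to show
        // up in the listing.
        asm.putPushReg("eax");
        asm.flush();

        // this.show_asm(m2);
        this.show_asm(ptr(0x01003E21));
    }

    /**
     * Disassembles up to `length` instructions beginning at `start` and prints
     * one "ADDRESS  HEX-BYTES  MNEMONIC" line per instruction, upper-casing the
     * hex digits and restoring the `0x` prefix.
     *
     * @param start  address of the first instruction to decode
     * @param length maximum number of instructions to print (default 10)
     *
     * The loop also stops when the four bytes after the last decoded
     * instruction are all zero, the lesson's heuristic for "end of code in a
     * freshly allocated, zero-filled page". That peek reads past the decoded
     * code, so the bytes following it must be mapped.
     */
    show_asm(start: NativePointer, length: number = 10) {
        for (let index = 0; index < length; index++) {
            let inst = Instruction.parse(start);
            // console.log(JSON.stringify(inst));
            let byteArray = start.readByteArray(inst.size);
            if (byteArray === null) {
                throw new Error("readByteArray failed at " + start);
            }
            // Array.from() yields a typed number[]; slice.call() produced any[].
            let mCode = Array.from(new Uint8Array(byteArray))
                .map(x => x.toString(16).padStart(2, "0"))
                .join(" ")
                .toUpperCase();
            console.log(inst.address.toString().toUpperCase().replace("0X", "0x"), mCode.padEnd(14, " "), "\t", inst.toString().toUpperCase().replace("0X", "0x"));

            start = inst.next;
            if (start.readU32() === 0) break;
        }
    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
--------------------------------------------------------------------------------
/配套代码/F27/F27.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

class FridaDemo {
    /** Prints a timestamped banner when the script loads. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
    }

    /**
     * Assembles a few instructions into a scratch page with X86Writer and
     * disassembles the result with show_asm(). The long comment block is the
     * X86Writer API reference from the frida-gum typings, annotated with the
     * encodings observed when the commented calls were enabled one at a time;
     * only the LOCK XADD line is active in this run.
     */
    demo() {

        let m2 = Memory.alloc(Process.pageSize);
        let asm = new X86Writer(m2);
        asm.putPushU32(0x00000001);
        asm.putLabel("label1");

        asm.putPushU32(0x00000002);
        asm.putPushU32(0x00000000);

        // putLabel(id): puts a label at the current position, where `id` is an identifier
        // that may be referenced in past and future `put*Label()` calls.

        // putCallAddressWithArguments: puts code needed for calling a C function with the specified `args`.
        //   0x49000F 68 22 00 00 00    PUSH 0x22
        //   0x490014 68 11 00 00 00    PUSH 0x11
        //   0x490019 50                PUSH EAX
        //   0x49001A E8 25 33 D9 10    CALL 0x11223344
        // asm.putCallAddressWithArguments(ptr(0x11223344), ["eax", 0x11, ptr(0x22)]);

        // putCallAddressWithAlignedArguments: like `putCallWithArguments()`, but also
        // ensures that the argument list is aligned on a 16 byte boundary.
        //   0x49000F 68 33 00 00 00    PUSH 0x33
        //   0x490014 68 22 00 00 00    PUSH 0x22
        //   0x490019 68 11 00 00 00    PUSH 0x11
        //   0x49001E 50                PUSH EAX
        //   0x49001F E8 20 33 D9 10    CALL 0x11223344
        //   0x490024 83 C4 10          ADD ESP, 0x10
        // asm.putCallAddressWithAlignedArguments(ptr(0x11223344), ["eax", 0x11, ptr(0x22), ptr(0x33)]);

        // putCallRegWithArguments: puts code needed for calling a C function with the specified `args`.
        //   0x49000F 50                PUSH EAX
        //   0x490010 FF D0             CALL EAX
        //   0x490012 83 C4 04          ADD ESP, 4
        // asm.putCallRegWithArguments("eax", ["eax"]);

        // putCallRegWithAlignedArguments(reg: X86Register, args: X86CallArgument[]): void;
        //   like `putCallWithArguments()`, but also ensures that the argument list is aligned on a 16 byte boundary.

        // putCallRegOffsetPtrWithArguments: puts code needed for calling a C function with the specified `args`.
        //   0x49000F 68 33 00 00 00    PUSH 0x33
        //   0x490014 68 22 00 00 00    PUSH 0x22
        //   0x490019 FF 53 11          CALL DWORD PTR[EBX + 0x11]
        //   0x49001C 83 C4 08          ADD ESP, 8
        // asm.putCallRegOffsetPtrWithArguments("ebx", 0x11, [ptr(0x22), ptr(0x33)]);

        // CALL variants:
        //   0x49000F E8 30 33 D9 10          CALL 0x11223344
        // asm.putCallAddress(ptr(0x11223344));
        //   0x45000F FF D7                   CALL EDI
        // asm.putCallReg("edi");
        //   0x49000F FF 50 11                CALL DWORD PTR [EAX + 0x11]
        // asm.putCallRegOffsetPtr("eax", 0x11);
        //   0x45000F FF 15 44 33 22 11       CALL DWORD PTR [0x11223344]
        // asm.putCallIndirect(ptr(0x11223344));
        // CALL referencing `labelId`, defined by a past or future `putLabel()`:
        //   0x45000F FF 15 05 00 45 00       CALL DWORD PTR [0x450005]
        // asm.putCallIndirectLabel("label1");
        //   0x49000F E8 F1 FF FF FF          CALL 0x490005
        // asm.putCallNearLabel("label1");

        // LEAVE / RET:
        //   0x49000F C9                      LEAVE
        // asm.putLeave();
        //   0x45000F C3                      RET
        // asm.putRet();
        //   0x45000F C2 22 11                RET 0x1122
        //   0xFFFF
        // asm.putRetImm(0x1122);

        // JMP variants:
        //   0x79000F E9 1F 22 98 FF          JMP 0x112233
        // asm.putJmpAddress(ptr(0x112233));
        // putJmpShortLabel(labelId: string): void;   // JMP referencing `labelId`, defined by a past or future `putLabel()`
        // putJmpNearLabel(labelId: string): void;    // near form of the same
        //   0x79000F FF E0                   JMP EAX
        // asm.putJmpReg("eax");
        //   0x79000F FF 20                   JMP DWORD PTR [EAX]
        // asm.putJmpRegPtr("eax");
        // putJmpRegOffsetPtr(reg: X86Register, offset: number | Int64 | UInt64): void;
        // putJmpNearPtr(address: NativePointerValue): void;

        // JCC variants (the *Label forms reference a label defined by a past or future `putLabel()`):
        // putJccShort(instructionId: X86InstructionId, target: NativePointerValue, hint: X86BranchHint): void;
        // putJccNear(instructionId: X86InstructionId, target: NativePointerValue, hint: X86BranchHint): void;
        // putJccShortLabel(instructionId: X86InstructionId, labelId: string, hint: X86BranchHint): void;
        // putJccNearLabel(instructionId: X86InstructionId, labelId: string, hint: X86BranchHint): void;

        // ADD / SUB:
        // putAddRegImm(reg: X86Register, immValue: number | Int64 | UInt64): void;
        // putAddRegReg(dstReg: X86Register, srcReg: X86Register): void;
        //   0x79000F 03 05 44 33 22 11       ADD EAX, DWORD PTR [0x11223344]
        // asm.putAddRegNearPtr("eax", ptr(0x11223344));
        // putSubRegImm(reg: X86Register, immValue: number | Int64 | UInt64): void;
        // putSubRegReg(dstReg: X86Register, srcReg: X86Register): void;
        // putSubRegNearPtr(dstReg: X86Register, srcAddress: NativePointerValue): void;

        // INC / DEC:
        // putIncReg(reg: X86Register): void;
        // putDecReg(reg: X86Register): void;
        //   0x79000F FE 00                   INC BYTE PTR [EAX]
        //   0x79000F FF 00                   INC DWORD PTR [EAX]
        // asm.putIncRegPtr("dword", "eax");
        // putDecRegPtr(target: X86PointerTarget, reg: X86Register): void;

        // LOCK-prefixed instructions; LOCK XADD is the only one emitted in this run.
        asm.putLockXaddRegPtrReg("eax", "ebp");
        // putLockCmpxchgRegPtrReg(dstReg: X86Register, srcReg: X86Register): void;
        // putLockIncImm32Ptr(target: NativePointerValue): void;
        // putLockDecImm32Ptr(target: NativePointerValue): void;

        // AND / SHL / SHR / XOR:
        // putAndRegReg(dstReg: X86Register, srcReg: X86Register): void;
        // putAndRegU32(reg: X86Register, immValue: number): void;
        // putShlRegU8(reg: X86Register, immValue: number): void;
        // putShrRegU8(reg: X86Register, immValue: number): void;
        // putXorRegReg(dstReg: X86Register, srcReg: X86Register): void;

        // MOV family:
        // putMovRegReg(dstReg: X86Register, srcReg: X86Register): void;
        // putMovRegU32(dstReg: X86Register, immValue: number): void;
        // putMovRegU64(dstReg: X86Register, immValue: number | UInt64): void;
        // putMovRegAddress(dstReg: X86Register, address: NativePointerValue): void;
        // putMovRegPtrU32(dstReg: X86Register, immValue: number): void;
        // putMovRegOffsetPtrU32(dstReg: X86Register, dstOffset: number | Int64 | UInt64, immValue: number): void;
        // putMovRegPtrReg(dstReg: X86Register, srcReg: X86Register): void;
        // putMovRegOffsetPtrReg(dstReg: X86Register, dstOffset: number | Int64 | UInt64, srcReg: X86Register): void;
        // putMovRegRegPtr(dstReg: X86Register, srcReg: X86Register): void;
        // putMovRegRegOffsetPtr(dstReg: X86Register, srcReg: X86Register, srcOffset: number | Int64 | UInt64): void;
        // putMovRegBaseIndexScaleOffsetPtr(dstReg: X86Register, baseReg: X86Register, indexReg: X86Register, scale: number, offset: number | Int64 | UInt64): void;
        // putMovRegNearPtr(dstReg: X86Register, srcAddress: NativePointerValue): void;
        // putMovNearPtrReg(dstAddress: NativePointerValue, srcReg: X86Register): void;
        // MOV through the FS / GS segment:
        // putMovFsU32PtrReg(fsOffset: number, srcReg: X86Register): void;
        // putMovRegFsU32Ptr(dstReg: X86Register, fsOffset: number): void;
        // putMovGsU32PtrReg(fsOffset: number, srcReg: X86Register): void;
        // putMovRegGsU32Ptr(dstReg: X86Register, fsOffset: number): void;
        // MOVQ / MOVDQU between XMM0 and ESP- / EAX-relative memory:
        // putMovqXmm0EspOffsetPtr(offset: number): void;
        // putMovqEaxOffsetPtrXmm0(offset: number): void;
        // putMovdquXmm0EspOffsetPtr(offset: number): void;
        // putMovdquEaxOffsetPtrXmm0(offset: number): void;

        // LEA / XCHG:
        // putLeaRegRegOffset(dstReg: X86Register, srcReg: X86Register, srcOffset: number | Int64 | UInt64): void;
        // putXchgRegRegPtr(leftReg: X86Register, rightReg: X86Register): void;

        // PUSH / POP:
        // putPushU32(immValue: number): void;
        // putPushNearPtr(address: NativePointerValue): void;
        // putPushReg(reg: X86Register): void;
        // putPopReg(reg: X86Register): void;
        // putPushImmPtr(immPtr: NativePointerValue): void;
        // putPushax(): void;
        // putPopax(): void;
        // putPushfx(): void;
        // putPopfx(): void;

        // TEST / CMP:
        // putTestRegReg(regA: X86Register, regB: X86Register): void;
        // putTestRegU32(reg: X86Register, immValue: number): void;
        // putCmpRegI32(reg: X86Register, immValue: number): void;
        // putCmpRegOffsetPtrReg(regA: X86Register, offset: number | Int64 | UInt64, regB: X86Register): void;
        // putCmpImmPtrImmU32(immPtr: NativePointerValue, immValue: number): void;
        // putCmpRegReg(regA: X86Register, regB: X86Register): void;

        // Flag, timing and padding instructions:
        // putClc(): void;   putStc(): void;   putCld(): void;   putStd(): void;
        // putCpuid(): void;   putLfence(): void;   putRdtsc(): void;   putPause(): void;   putNop(): void;
        // putBreakpoint(): void;          // OS/architecture-specific breakpoint instruction
        // putPadding(n: number): void;    // puts `n` guard instructions
        // putNopPadding(n: number): void; // puts `n` NOP instructions

        // Raw data:
        // putU8(value: number): void;
        // putS8(value: number): void;
        // putBytes(data: ArrayBuffer | number[] | string): void;

        asm.flush();
        // console.log(asm.base, asm.code, asm.offset, asm.pc);


        this.show_asm(m2);
    }

    /**
     * Disassembles exactly `length` instructions beginning at `start` and
     * prints one "ADDRESS  HEX-BYTES  MNEMONIC" line per instruction. Unlike
     * the F26 version there is no zero-word stop, so the listing runs into the
     * zero padding of the scratch page once the assembled code ends.
     *
     * @param start  address of the first instruction to decode
     * @param length number of instructions to print (default 20)
     */
    show_asm(start: NativePointer, length: number = 20) {
        for (let index = 0; index < length; index++) {
            let inst = Instruction.parse(start);
            let byteArray = start.readByteArray(inst.size);
            if (byteArray === null) {
                throw new Error("readByteArray failed at " + start);
            }
            // Array.from() yields a typed number[]; slice.call() produced any[].
            let mCode = Array.from(new Uint8Array(byteArray))
                .map(x => x.toString(16).padStart(2, "0"))
                .join(" ")
                .toUpperCase();
            console.log(inst.address.toString().toUpperCase().replace("0X", "0x"), mCode.padEnd(14, " "), "\t", inst.toString().toUpperCase().replace("0X", "0x"));

            start = inst.next;
            // if (start.readU32() == 0) break;
        }
    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
--------------------------------------------------------------------------------
/配套代码/F28/F28.ts: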
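--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

class FridaDemo {
    /** Prints a timestamped banner when the script loads. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
    }

    /**
     * Hooks User32!DispatchMessageW and logs the CPU context on entry and exit
     * plus the return value. DispatchMessageW runs for every message the
     * target pumps, so this output is very chatty. The commented lines show
     * how to walk the MSG structure passed in args[0].
     */
    demo() {
        //DispatchMessageW
        let address = Module.getExportByName("User32.dll", "DispatchMessageW");
        // console.log(JSON.stringify(Interceptor));
        Interceptor.attach(address, {
            onEnter(this, args) {

                // console.log(this.context, this.depth, this.errno, this.lastError, this.returnAddress, this.threadId);
                console.log(JSON.stringify(this.context));

                // typedef struct tagMSG {
                //   HWND   hwnd;
                //   UINT   message;
                //   WPARAM wParam;
                //   LPARAM lParam;
                //   DWORD  time;
                //   POINT  pt;
                //   DWORD  lPrivate;
                // } MSG, *PMSG, *NPMSG, *LPMSG;
                // console.log(args[0]);
                // console.log(args[1]);
                // console.log(args[2]);
                // console.log(args[3]);
                // console.log(args[4]);
                // console.log(args[5]);
                // let msg = args[0];

                // console.log("hwnd", msg.readPointer());
                // console.log("message", msg.add(4).readPointer());
                // console.log("wParam", msg.add(8).readPointer());
                // console.log("lParam", msg.add(12).readPointer());
                // console.log("pt", msg.add(20).readPointer());
                // NOTE(review): with 32-bit fields `pt` occupies +20..+27, so
                // lPrivate is at +28; +24 reads pt.y.
                // console.log("lPrivate", msg.add(24).readPointer());

            },
            onLeave(this, retval) {
                console.log(JSON.stringify(this.context));
                console.log(retval);

            },
        });

    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
--------------------------------------------------------------------------------
/配套代码/F29/F29.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

class FridaDemo {
    /** Prints a timestamped banner when the script loads. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
    }

    /**
     * Compares thread identity seen from the script (enumerateThreads /
     * getCurrentThreadId) with the thread that actually calls
     * User32!InvalidateRect. Per-call state is stored on the invocation
     * context in onEnter and read back in onLeave, and the listener detaches
     * itself after the first completed call.
     */
    demo() {
        // for (const iterator of Process.enumerateThreads()) {
        //     console.log("iterator", JSON.stringify(iterator));
        // }
        // NOTE(review): this assumes the first enumerated thread is the main
        // thread; enumeration order is not something this code checks.
        console.log("Main Thread:", Process.enumerateThreads()[0].id);

        console.log("CurrentThreadId", Process.getCurrentThreadId());

        let address = Module.getExportByName("User32.dll", "InvalidateRect");
        console.log("address", address);

        let listener = Interceptor.attach(address, {
            onEnter(this, args) {
                console.log("CurrentThreadId2", Process.getCurrentThreadId());
                console.log("onEnter");
                // Stash per-invocation state; the same context object is
                // handed to onLeave for this call.
                this["AAA"] = "1234";
            },
            onLeave(this, retval) {
                console.log("onLeave");
                console.log(this["AAA"]);
                listener.detach();
            },
        });
    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
--------------------------------------------------------------------------------
/配套代码/F30/F30.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

class FridaDemo {
    /** Prints a timestamped banner when the script loads. */
    constructor() {
        console.log("======================", new Date().toISOString(), "==========================");
    }

    /**
     * Builds a ModuleMap restricted to DLLs, lists its entries and resolves a
     * sample address back to its module. The filter compares case-insensitively
     * because module names on Windows may be reported with upper-case
     * extensions (e.g. ".DLL"), which the earlier `endsWith("dll")` silently
     * dropped. 0x736c0000 + 0x10 is a sample address from the lesson; it is
     * only meaningful in that target.
     */
    demo() {
        // Process.getModuleByAddress(ptr(0x11223344));
        // Process.getModuleByName("module.name");
        // Process.enumerateModules();
        let moduleMap = new ModuleMap((m: Module) => { return m.name.toLowerCase().endsWith(".dll"); });
        for (const iterator of moduleMap.values()) {
            console.log(JSON.stringify(iterator));
        }

        console.log(JSON.stringify(moduleMap.find(ptr(0x736c0000).add(0x10))));
    }
}

let fridaDemo = new FridaDemo();
fridaDemo.demo();
--------------------------------------------------------------------------------
/配套代码/F31/F31.ts:
--------------------------------------------------------------------------------
import { WinApi } from "./win_api";

class FridaDemo {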
constructor() { 5 | console.log("======================", new Date().toISOString(), "=========================="); 6 | } 7 | 8 | demo() { 9 | // let module = Process.getModuleByName("winmine.exe"); 10 | // MemoryAccessMonitor.enable( 11 | // { base: module.base, size: module.size }, 12 | // { 13 | // onAccess(details) { 14 | // // console.log(JSON.stringify(details)); 15 | // console.log("address", details.address, "from", details.from, "operation", details.operation, "pageIndex", details.pageIndex, "pagesCompleted", details.pagesCompleted, "pagesTotal", details.pagesTotal, "rangeIndex", details.rangeIndex); 16 | // console.log(); 17 | // }, 18 | // }); 19 | 20 | // let rangs = Process.enumerateRanges("rw"); 21 | let rangs = Process.enumerateMallocRanges().filter(x => x.size > 2000); 22 | for (const iterator of rangs) { 23 | console.log(JSON.stringify(iterator)); 24 | 25 | } 26 | MemoryAccessMonitor.enable( 27 | rangs, 28 | { 29 | onAccess(details) { 30 | // console.log(JSON.stringify(details)); 31 | console.log("address", details.address, "from", details.from, "operation", details.operation, "pageIndex", details.pageIndex, "pagesCompleted", details.pagesCompleted, "pagesTotal", details.pagesTotal, "rangeIndex", details.rangeIndex); 32 | console.log(); 33 | }, 34 | }); 35 | console.log("MemoryAccessMonitor OK"); 36 | 37 | } 38 | } 39 | 40 | let fridaDemo = new FridaDemo(); 41 | fridaDemo.demo(); -------------------------------------------------------------------------------- /配套代码/F32/F32.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from "./win_api"; 2 | 3 | class FridaDemo { 4 | constructor() { 5 | console.log("======================", new Date().toISOString(), "=========================="); 6 | } 7 | 8 | demo() { 9 | let resolver = new ApiResolver("module"); 10 | // exports:*!open*, exports:libc.so!* or imports:notepad.exe!* 11 | //exports,imports 12 | //module,* 13 | //! 14 | //query ,*,? 
15 | // for (const iterator of resolver.enumerateMatches("exports:*!Stringf*/i")) { 16 | for (const iterator of resolver.enumerateMatches("imports:winmine.exe!*w?r*")) { 17 | console.log(JSON.stringify(iterator)); 18 | } 19 | } 20 | } 21 | 22 | let fridaDemo = new FridaDemo(); 23 | fridaDemo.demo(); -------------------------------------------------------------------------------- /配套代码/F33/F33.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from "./win_api"; 2 | 3 | class FridaDemo { 4 | constructor() { 5 | console.log("======================", new Date().toISOString(), "=========================="); 6 | } 7 | 8 | demo() { 9 | Socket.listen({ family: "ipv4", host: "127.0.0.1", port: 11223 }) 10 | .then(this.socket_fulfill, (reason: any) => { console.log("socket_reject", reason); }) 11 | .catch((reason: any) => { console.log("socket_reject", reason); }) 12 | .finally(() => { console.log("socket_finally"); }); 13 | } 14 | socket_fulfill(listener: SocketListener) { 15 | console.log("listener", JSON.stringify(listener)); 16 | 17 | listener.accept() 18 | .then(FridaDemo.listener_fulfill, (reason: any) => { console.log("listener_reject", reason); }) 19 | .catch((reason: any) => { console.log("listener_reject", reason); }) 20 | .finally(() => { console.log("listener_finally"); }); 21 | // listener.close(); 22 | } 23 | 24 | static listener_fulfill(connection: SocketConnection) { 25 | console.log("listener_fulfill connection"); 26 | connection.setNoDelay(true); 27 | 28 | let welcome = "Welcome to Frida Socket Server.\r\n"; 29 | let data: number[] = []; 30 | for (const iterator of welcome) { 31 | data.push(iterator.charCodeAt(0)); 32 | } 33 | 34 | connection.output.writeAll(data); 35 | FridaDemo.read_connection(connection) 36 | 37 | } 38 | 39 | static dataArray: number[] = []; 40 | static read_connection(connection: SocketConnection) { 41 | connection.input.read(1) 42 | .then((buffer: ArrayBuffer) => { 43 | // 
console.log(buffer); 44 | let data = buffer.unwrap().readU8(); 45 | this.dataArray.push(data); 46 | 47 | if (data == '\n'.charCodeAt(0)) { 48 | // console.log(this.dataArray); 49 | 50 | let m1 = Memory.alloc(this.dataArray.length); 51 | m1.writeByteArray(this.dataArray); 52 | console.log(m1.readUtf8String()); 53 | 54 | this.dataArray = []; 55 | } 56 | 57 | FridaDemo.read_connection(connection); 58 | }, (reason: any) => { console.log("read_reject", reason); }) 59 | .catch((reason: any) => { console.log("read_reject", reason); }) 60 | .finally(() => { console.log("read_finally"); }); 61 | } 62 | 63 | 64 | 65 | 66 | 67 | } 68 | 69 | let fridaDemo = new FridaDemo(); 70 | fridaDemo.demo(); -------------------------------------------------------------------------------- /配套代码/F35/F35.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from "./win_api"; 2 | 3 | class FridaDemo { 4 | constructor() { 5 | console.log("======================", new Date().toISOString(), "=========================="); 6 | } 7 | 8 | demo() { 9 | Socket.listen({ family: "ipv4", host: "127.0.0.1", port: 11223 }) 10 | .then(this.socket_fulfill, (reason: any) => { console.log("socket_reject", reason); }) 11 | .catch((reason: any) => { console.log("socket_reject", reason); }) 12 | .finally(() => { console.log("socket_finally"); }); 13 | } 14 | socket_fulfill(listener: SocketListener) { 15 | console.log("listener", JSON.stringify(listener)); 16 | FridaDemo.accept_loop(listener); 17 | } 18 | 19 | static accept_loop(listener: SocketListener) { 20 | let next = FridaDemo.accept_loop.bind(null, listener); 21 | 22 | listener.accept() 23 | .then(FridaDemo.listener_fulfill, (reason: any) => { console.log("listener_reject", reason); }) 24 | .catch((reason: any) => { console.log("listener_reject", reason); }) 25 | .finally(() => { setImmediate(next); }); 26 | } 27 | 28 | static listener_fulfill(connection: SocketConnection) { 29 | 
console.log("listener_fulfill connection"); 30 | connection.setNoDelay(true); 31 | 32 | let welcome = "Welcome to Frida Socket Server.\r\n"; 33 | let data: number[] = []; 34 | for (const iterator of welcome) { 35 | data.push(iterator.charCodeAt(0)); 36 | } 37 | 38 | connection.output.writeAll(data); 39 | FridaDemo.read_connection(connection) 40 | 41 | } 42 | 43 | static dataArray: number[] = []; 44 | static read_connection(connection: SocketConnection) { 45 | connection.input.read(1) 46 | .then((buffer: ArrayBuffer) => { 47 | // console.log(buffer); 48 | let data = buffer.unwrap().readU8(); 49 | this.dataArray.push(data); 50 | 51 | if (data == '\n'.charCodeAt(0)) { 52 | // console.log(this.dataArray); 53 | 54 | let m1 = Memory.alloc(this.dataArray.length); 55 | m1.writeByteArray(this.dataArray); 56 | console.log(m1.readUtf8String()); 57 | 58 | this.dataArray = []; 59 | } 60 | 61 | FridaDemo.read_connection(connection); 62 | }, (reason: any) => { console.log("read_reject", reason); }) 63 | .catch((reason: any) => { console.log("read_reject", reason); }) 64 | .finally(() => { console.log("read_finally"); }); 65 | } 66 | 67 | 68 | 69 | 70 | 71 | } 72 | 73 | let fridaDemo = new FridaDemo(); 74 | fridaDemo.demo(); -------------------------------------------------------------------------------- /配套代码/F36/F36.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from "./win_api"; 2 | 3 | class FridaDemo { 4 | constructor() { 5 | console.log("======================", new Date().toISOString(), "=========================="); 6 | } 7 | 8 | demo() { 9 | Socket.listen({ family: "ipv4", host: "127.0.0.1", port: 11223 }) 10 | .then(this.socket_fulfill) 11 | .catch((reason: any) => { console.log("socket_reject", reason); }); 12 | } 13 | socket_fulfill(listener: SocketListener) { 14 | console.log("listener", JSON.stringify(listener)); 15 | FridaDemo.accept_loop(listener); 16 | } 17 | 18 | static accept_loop(listener: 
SocketListener) { 19 | let next = FridaDemo.accept_loop.bind(null, listener); 20 | 21 | listener.accept() 22 | .then(FridaDemo.listener_fulfill) 23 | .catch((reason: any) => { console.log("listener_reject", reason); }) 24 | .finally(() => { setImmediate(next); }); 25 | } 26 | 27 | static listener_fulfill(connection: SocketConnection) { 28 | connection.setNoDelay(true); 29 | 30 | let welcome = "Welcome to Frida Socket Server.\r\n"; 31 | let data: number[] = []; 32 | for (const iterator of welcome) { 33 | data.push(iterator.charCodeAt(0)); 34 | } 35 | 36 | connection.output.writeAll(data); 37 | FridaDemo.read_connection(connection) 38 | } 39 | 40 | static connectionMap = new Map(); 41 | static read_connection(connection: SocketConnection) { 42 | let next = FridaDemo.read_connection.bind(null, connection); 43 | 44 | if (!FridaDemo.connectionMap.has(connection)) { 45 | FridaDemo.connectionMap.set(connection, []); 46 | } 47 | 48 | connection.input.read(1) 49 | .then((buffer: ArrayBuffer) => { 50 | let data = buffer.unwrap().readU8(); 51 | FridaDemo.connectionMap.get(connection).push(data); 52 | 53 | if (data == '\n'.charCodeAt(0)) { 54 | let temp: number[] = FridaDemo.connectionMap.get(connection); 55 | let inputStr = Array.from(temp, x => String.fromCharCode(x)).join(""); 56 | 57 | if (inputStr.trimEnd() == "quit") { 58 | connection.close(); 59 | return; 60 | } 61 | 62 | console.log(inputStr); 63 | connection.output.write(temp); 64 | FridaDemo.connectionMap.set(connection, []); 65 | } 66 | 67 | setImmediate(next); 68 | }) 69 | .catch((reason: any) => { console.log("read_reject", reason); }); 70 | } 71 | } 72 | 73 | let fridaDemo = new FridaDemo(); 74 | fridaDemo.demo(); -------------------------------------------------------------------------------- /配套代码/F37/F37.ts: -------------------------------------------------------------------------------- 1 | import { WinApi } from "./win_api"; 2 | 3 | class FridaSocketServer { 4 | 5 | constructor(options?: SocketListenOptions) 
{ 6 | console.log("======================", new Date().toISOString(), "=========================="); 7 | this.demo(options); 8 | } 9 | 10 | private demo(options?: SocketListenOptions) { 11 | Socket.listen(options) 12 | .then(this.socket_fulfill) 13 | .catch((reason: any) => { console.log("socket_reject", reason); }); 14 | } 15 | private socket_fulfill(listener: SocketListener) { 16 | console.log("listener", JSON.stringify(listener)); 17 | FridaSocketServer.accept_loop(listener); 18 | } 19 | 20 | private static accept_loop(listener: SocketListener) { 21 | let next = FridaSocketServer.accept_loop.bind(null, listener); 22 | 23 | listener.accept() 24 | .then(FridaSocketServer.listener_fulfill) 25 | .catch((reason: any) => { console.log("listener_reject", reason); }) 26 | .finally(() => { setImmediate(next); }); 27 | } 28 | 29 | private static listener_fulfill(connection: SocketConnection) { 30 | connection.setNoDelay(true); 31 | 32 | let welcome = "Welcome to Frida Socket Server.\r\n"; 33 | let data: number[] = []; 34 | for (const iterator of welcome) { 35 | data.push(iterator.charCodeAt(0)); 36 | } 37 | 38 | connection.output.writeAll(data); 39 | FridaSocketServer.read_connection(connection) 40 | } 41 | 42 | private static connectionMap = new Map(); 43 | private static read_connection(connection: SocketConnection) { 44 | let next = FridaSocketServer.read_connection.bind(null, connection); 45 | 46 | if (!FridaSocketServer.connectionMap.has(connection)) { 47 | FridaSocketServer.connectionMap.set(connection, []); 48 | // FridaSocketServer.connectionMap.set(connection, [[],""]); 49 | } 50 | 51 | connection.input.read(1) 52 | .then((buffer: ArrayBuffer) => { 53 | if (buffer.byteLength == 0) { 54 | FridaSocketServer.connectionMap.set(connection, []); 55 | FridaSocketServer.connectionMap.delete(connection); 56 | connection.close(); 57 | 58 | console.log("one of clients was disconnected!"); 59 | return; 60 | } 61 | 62 | let data = buffer.unwrap().readU8(); 63 | 
FridaSocketServer.connectionMap.get(connection).push(data); 64 | 65 | if (data == '\n'.charCodeAt(0)) { 66 | let temp: number[] = FridaSocketServer.connectionMap.get(connection); 67 | let inputStr = Array.from(temp, x => String.fromCharCode(x)).join(""); 68 | 69 | if (inputStr.trimEnd() == "quit") { 70 | connection.close(); 71 | return; 72 | } 73 | 74 | console.log(inputStr); 75 | connection.output.write(temp); 76 | FridaSocketServer.connectionMap.set(connection, []); 77 | } 78 | 79 | setImmediate(next); 80 | }) 81 | .catch((reason: any) => { console.log("read_reject", reason); }); 82 | } 83 | writeline(message: string) { 84 | let temp = Array.from(message + "\r\n", x => x.charCodeAt(0)); 85 | for (const iterator of FridaSocketServer.connectionMap) { 86 | iterator[0].output.write(temp) 87 | } 88 | } 89 | } 90 | 91 | class FridaSocketClient { 92 | 93 | private connection!: SocketConnection; 94 | constructor(options: SocketConnectOptions) { 95 | Socket.connect(options) 96 | .then((connection: SocketConnection) => { 97 | connection.setNoDelay(true); 98 | this.connection = connection; 99 | FridaSocketClient.read_loop(connection); 100 | }) 101 | .catch((reason: any) => { 102 | console.log("Socket.connect catch", reason); 103 | }) 104 | .finally(() => { console.log("Socket.connect finally"); }); 105 | } 106 | private static read_loop(connection: SocketConnection) { 107 | let next = FridaSocketClient.read_loop.bind(null, connection); 108 | connection.input.read(1000) 109 | .then((buffer: ArrayBuffer) => { 110 | if (buffer.byteLength == 0) { 111 | connection.close(); 112 | console.log("server lost!"); 113 | 114 | return; 115 | } 116 | console.log("client got:\t", buffer.unwrap().readCString()?.trimEnd()); 117 | setImmediate(next); 118 | }) 119 | .catch((reason: any) => { 120 | console.log("read_loop catch", reason); 121 | }); 122 | } 123 | writeline(message: string) { 124 | let temp = Array.from(message + "\r\n", x => x.charCodeAt(0)); 125 | 
this.connection.output.write(temp); 126 | } 127 | } 128 | 129 | 130 | let server = new FridaSocketServer({ family: "ipv4", host: "127.0.0.1", port: 11223 }); 131 | 132 | let index = 0; 133 | setInterval(() => { 134 | index++; 135 | server.writeline(index + " server!"); 136 | }, 3000); 137 | 138 | let client = new FridaSocketClient({ family: "ipv4", host: "127.0.0.1", port: 11223 }); 139 | setInterval(() => { 140 | index++; 141 | client.writeline(index + " client!"); 142 | }, 3000); 143 | 144 | -------------------------------------------------------------------------------- /配套代码/F39/F39.ts: -------------------------------------------------------------------------------- 1 | 2 | let handle = ptr(0x0d0); 3 | // let input = new Win32InputStream(handle, { autoClose: false }); 4 | // input.read(5) 5 | // .then((value: ArrayBuffer) => { 6 | // console.log("then:", value); 7 | // }) 8 | // .catch((reason: any) => { 9 | // console.log("catch:", reason); 10 | // }) 11 | // .finally(() => { 12 | // console.log("finally:"); 13 | // }); 14 | 15 | 16 | let ouotput = new Win32OutputStream(handle, { autoClose: false }); 17 | let str1 = "this is a string"; 18 | let data = Array.from(str1, x => x.charCodeAt(0)); 19 | ouotput.write(data) 20 | .then((value: number) => { 21 | console.log("then:", value); 22 | }) 23 | .catch((reason: any) => { 24 | console.log("catch:", reason); 25 | }) 26 | .finally(() => { 27 | console.log("finally:"); 28 | }); -------------------------------------------------------------------------------- /配套代码/F39/Win32Stream.cpp: -------------------------------------------------------------------------------- 1 | // Win32Stream.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。 2 | // 3 | 4 | #include 5 | #include 6 | 7 | int main() 8 | { 9 | std::cout << "Hello World!\n"; 10 | 11 | auto handle = CreateFile(L"test.txt", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 12 | 13 | printf("handle: %p", handle); 14 | getchar(); 15 | 16 | while 
(true) 17 | { 18 | char buffer[1024] = { 0 }; 19 | if (ReadFile(handle, buffer, 5, NULL, NULL)) 20 | { 21 | printf("read: %s", buffer); 22 | getchar(); 23 | } 24 | } 25 | getchar(); 26 | CloseHandle(handle); 27 | 28 | 29 | } 30 | -------------------------------------------------------------------------------- /配套代码/F40/F40.ts: -------------------------------------------------------------------------------- 1 | function demo1() { 2 | let sqlite = SqliteDatabase.open("test.db"); 3 | // sqlite.exec("CREATE TABLE t1(a INTEGER PRIMARY KEY,b INTEGER)"); 4 | // sqlite.exec("INSERT INTO t1 VALUES(NULL,123)"); 5 | // sqlite.exec("INSERT INTO t1 VALUES((SELECT max(a) FROM t1)+1,123)"); 6 | let statement = sqlite.prepare("SELECT * FROM T1 WHERE a=?"); 7 | statement.bindInteger(1, 8); 8 | while (true) { 9 | let row = statement.step(); 10 | if (row == null) break; 11 | 12 | console.log(JSON.stringify(row)); 13 | } 14 | sqlite.close(); 15 | } 16 | function demo2() { 17 | let sqlite = SqliteDatabase.open("test.db"); 18 | console.log("sqlite.dump()", sqlite.dump()); 19 | sqlite.close(); 20 | } 21 | 22 | function demo3() { 23 | let sqlite = SqliteDatabase.openInline("H4sIAAAAAAAACu3XPSxDURjG8XPbqz7raX20PkqP+rpNpEnDZGrJJY0SbjvoItqohGiI3FiYTCaTyWQymUymTiaTyWQymUwmk9snEYlFbIb3n/P+knNycvZTWMvvuFW9vX9YK7t6WoWUYaiM1kqppDc+9Z3hjflj/1tJlSpsBhuXUVfekiRJkiRJkiRJkiTpz2WMQDQcNmpuubJXddNu2jfv2NmirYvZubyt3bRV1rmVor1oO3rVyS1nnZJesktTla/TZONvbiGk8IF3vOEVL3jGEx7xgHvUcYdb3OAaV7jEBc5xhlOc4AgH2MUWNrAOB3ksIINZzCAFCwnEEPEelCRJkiRJkiRJkqR/nGn5lXFsTtIJOk7H6ChN0BGqaZwO0yEao4N0gPbTPhqlEdpLe2g37aJhGqKgnTRIO2g7baOttIU20wBtoib1Ux81Gn4Cr4LuvgAgAAA=") 24 | let statement = sqlite.prepare("SELECT * FROM T1"); 25 | while (true) { 26 | let row = statement.step(); 27 | if (row == null) break; 28 | 29 | console.log(JSON.stringify(row)); 30 | } 31 | sqlite.close(); 32 | } 33 | // demo1(); 34 | // demo2(); 35 | demo3(); -------------------------------------------------------------------------------- /配套代码/F41/F41.py: 
-------------------------------------------------------------------------------- 1 | import frida 2 | 3 | 4 | def on_message(message, data): 5 | print("[on_message] message:", message, "data:", data) 6 | 7 | 8 | session = frida.attach("winmine.exe") 9 | 10 | script = session.create_script(""" 11 | rpc.exports.test1 = function () { 12 | return Process.enumerateModules(); 13 | }; 14 | rpc.exports.test2 = function (message) { 15 | console.log("Test 2 From JS ,", message); 16 | }; 17 | """) 18 | 19 | script.on("message", on_message) 20 | script.load() 21 | 22 | # print([m["name"] for m in script.exports.enumerate_modules()]) 23 | for m in script.exports.test1(): 24 | print(m) 25 | 26 | script.exports.test2("123") 27 | -------------------------------------------------------------------------------- /配套代码/F41/F41.ts: -------------------------------------------------------------------------------- 1 | rpc.exports.test1 = function () { 2 | return Process.enumerateModules(); 3 | }; 4 | rpc.exports.test2 = function (message: string) { 5 | console.log("Test 2 From JS ,", message); 6 | 7 | }; -------------------------------------------------------------------------------- /配套代码/F43/F43.ts: -------------------------------------------------------------------------------- 1 | let inputCode = ptr(0x0100374F); 2 | let codeAddress = Memory.alloc(Process.pageSize); 3 | 4 | function demo1() { 5 | let output = new X86Writer(codeAddress); 6 | let relocator = new X86Relocator(inputCode, output); 7 | let index = 0; 8 | while (relocator.readOne()) { 9 | let instruction = relocator.input; 10 | console.log( 11 | (++index).toString().padStart(3, " "), 12 | instruction?.address, 13 | Array.from(new Uint8Array(instruction?.address.readByteArray(instruction.size)!), x => x.toString(16).padStart(2, "0")).join(" ").toUpperCase().padEnd(20, " "), 14 | instruction?.toString()); 15 | relocator.writeOne(); 16 | } 17 | } 18 | function demo2() { 19 | let temp = codeAddress; 20 | let index = 0; 21 | 
while (true) { 22 | let instruction = Instruction.parse(temp); 23 | console.log( 24 | (++index).toString().padStart(3, " "), 25 | instruction?.address, 26 | Array.from(new Uint8Array(instruction?.address.readByteArray(instruction.size)!), x => x.toString(16).padStart(2, "0")).join(" ").toUpperCase().padEnd(20, " "), 27 | instruction?.toString()); 28 | temp = instruction.next; 29 | 30 | if (index > 100) break; 31 | } 32 | 33 | } 34 | 35 | console.log("======================", new Date().toISOString(), "=========================="); 36 | demo1(); 37 | console.log("===================== codeAddress"); 38 | demo2(); -------------------------------------------------------------------------------- /配套代码/F44/F44.ts: -------------------------------------------------------------------------------- 1 | // Interceptor.attach() 2 | 3 | let mainThread = Process.enumerateThreads()[0]; 4 | 5 | Stalker.follow(mainThread.id, { 6 | events: { 7 | call: false, 8 | ret: true, 9 | exec: false, 10 | block: false, 11 | compile: false, 12 | }, 13 | onCallSummary(summary: StalkerCallSummary) { 14 | // console.log("onCallSummary", JSON.stringify(summary)); 15 | }, 16 | onReceive(events: ArrayBuffer) { 17 | // console.log("onReceive", events); 18 | for (const iterator of Stalker.parse(events)) { 19 | console.log(JSON.stringify(iterator)); 20 | 21 | }; 22 | }, 23 | // transform: (iterator: StalkerX86Iterator) => { 24 | // // console.log("transform"); 25 | // // while (true) { 26 | // // let instraction = iterator.next(); 27 | // // iterator.keep(); 28 | 29 | // // if (instraction == null) break; 30 | // // console.log(instraction); 31 | // // } 32 | 33 | // } 34 | }); --------------------------------------------------------------------------------