动态库内存转储(dump)

IDAPython版本（在 IDA 调试器中挂起目标进程、待壳代码解密完成后运行；起止地址取自调试器的模块/段列表。注意转储结果是按运行时地址布局的内存映像，而非原始 ELF 文件，通常需要修复后才能正常载入分析工具）

# dump memory from IDA Debugger
#

import idautils
import idc
import idaapi
import struct


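def main(ea_start, ea_end, save_file):
    """Dump debuggee memory [ea_start, ea_end) to save_file as a raw image.

    Run from IDAPython while the IDA debugger has the target suspended; the
    output is a flat memory image laid out by runtime address, so the file
    offset of a byte is (address - ea_start).

    Args:
        ea_start: first address to dump (inclusive).
        ea_end: end address (exclusive); must be greater than ea_start.
        save_file: output path; truncated and overwritten if it exists.

    Raises:
        ValueError: if the range is empty or inverted.
    """
    if ea_end <= ea_start:
        raise ValueError('empty or inverted range %s-%s'
                         % (hex(ea_start), hex(ea_end)))
    print('[*]begin to dump segment')

    page = 0x1000
    # Context manager: the original left the handle open if a read raised.
    with open(save_file, 'wb') as handle_f:
        for addr in range(ea_start, ea_end, page):
            size = min(page, ea_end - addr)
            # One page per call (IDA 7+ API) instead of get_byte() per byte.
            data = idaapi.get_bytes(addr, size)
            if data is None or len(data) != size:
                # Presumably an unmapped / PROT_NONE page - gaps between a
                # module's loadable segments are common. The per-byte
                # original silently wrote whatever get_byte() yields for
                # unreadable bytes; zero-fill keeps offsets aligned and
                # makes the hole visible in the log.
                print('[!]unreadable page at %s, zero-filled' % hex(addr))
                data = b'\x00' * size
            handle_f.write(data)

    # The original installed an empty idaapi.DBG_Hooks() here and never
    # unhooked it; with no callbacks overridden it did nothing, so it is gone.
    print('[*]script by freakish, enjoy~~')
    print('[*]script finish')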

# Example targets. Base and size are read off the debugger's module/segment
# list for the suspended process; the commented pair is a 360-packed sample,
# the active pair is the "naga" sample the author used.
# /data/app/~~lhTyg-PBDQwNd_vAYM2H1Q==/com.bwton.szfreego-Ah412yVWDeN-9QBLj60gmw==/lib/arm64/librokog.so 0000006FDF840000 00000002E123A000
# ea_start = 0x78ACE9B000  # 360 packer
# ea_size = 0x11C459

ea_start = 0x78AA6BF000  # naga
ea_size = 0x2A5000
ea_end = ea_start + ea_size

# NOTE: the base is rendered in decimal (str() semantics), so the file is
# named e.g. geiri_518508130304.so rather than with a hex base.
save_file = 'd:/geiri_%s.so' % ea_start

main(ea_start, ea_end, save_file)

frida版本（脚本在目标 App 进程内执行，转储文件写入该 App 的私有数据目录 /data/data/&lt;包名&gt;/，因此只有以该 App 身份运行的进程才能写入）


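// Dump a loaded module's in-memory image (base .. base+size) into the app's
// private data directory. Only pages the process can already read are copied;
// unreadable gaps (e.g. PROT_NONE holes between segments) are zero-filled so
// that file offset == address - base throughout.
function dump(packageName, name) {
    var libxx = Process.getModuleByName(name);
    console.log("*****************************************************");
    console.log("name: " + libxx.name);
    console.log("base: " + libxx.base);
    console.log("size: " + ptr(libxx.size));

    // Absolute path. The original "data/data/..." was relative to the target
    // process's cwd and only worked because that cwd is usually "/" on Android.
    var file_path = "/data/data/" + packageName + "/" + libxx.name + "_" + libxx.base + "_" + ptr(libxx.size) + ".so";
    console.log(file_path);

    // new File() throws on failure; it never returns null, so no null check.
    var file_handle = new File(file_path, "wb");
    try {
        var base = ptr(libxx.base);
        var end = base.add(libxx.size);
        var cursor = base;

        // Read only ranges that are already readable instead of flipping the
        // whole module to 'rwx' (the original never restored protections, so
        // the target was left with writable+executable code pages).
        var ranges = libxx.enumerateRanges('r--').sort(function (a, b) {
            return a.base.compare(b.base);
        });

        ranges.forEach(function (range) {
            var start = range.base.compare(cursor) < 0 ? cursor : range.base;
            var stop = range.base.add(range.size);
            if (stop.compare(end) > 0) stop = end;
            if (start.compare(stop) >= 0) return;

            // Zero-fill any hole before this range so offsets stay aligned.
            var gap = start.sub(cursor).toInt32();
            if (gap > 0) file_handle.write(new ArrayBuffer(gap));

            file_handle.write(start.readByteArray(stop.sub(start).toInt32()));
            cursor = stop;
        });

        // Trailing hole up to the module end, if any.
        var tail = end.sub(cursor).toInt32();
        if (tail > 0) file_handle.write(new ArrayBuffer(tail));

        file_handle.flush();
        console.log("[dump]:", file_path);
    } finally {
        // Always close, even if a read threw part-way through.
        file_handle.close();
    }
}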
