虚假maps文件绕过frida检测

虚假maps文件绕过frida检测

// Frida agent routine that writes a filtered copy of the process's memory map
// into the app's private data directory, omitting any chunk that mentions
// "tmp" or "frida". How the target application is then made to read this copy
// instead of /proc/self/maps is not shown on this page (presumably a separate
// hook on open()/fopen() — not part of this script).
//
// Detection note: the copy lives under /data/data/<pkg>/ rather than procfs,
// so an integrity check that opens /proc/self/maps through a path it builds
// itself and compares the result with what it was handed (or with a second
// read) is not affected by this particular technique.
//
// NOTE(review): as written the routine does not run to completion — `file` is
// never defined (the `new File(...)` line is commented out), so the first chunk
// that passes the filter throws a ReferenceError. Left as on the page.
function readmaps() {
// libc open(const char *path, int flags) -> int; mode argument is not declared,
// so no mode is supplied even when O_CREAT is used below.
const openPtr = Module.getExportByName('libc.so', 'open');
const open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);

// libc read(int fd, void *buf, size_t count) -> int (declared as int here).
var readPtr = Module.findExportByName("libc.so", "read");
var read = new NativeFunction(readPtr, 'int', ['int', 'pointer', "int"]);


// libc write(...) is resolved but never called (both write() calls are commented out).
var writePtr = Module.findExportByName("libc.so", "write");
var write = new NativeFunction(writePtr, 'int', ['int', 'pointer', "int"]);

// Destination of the filtered copy, inside the app's private data directory.
var fakePath = Memory.allocUtf8String("/data/data/com.tencent.mm/maps");

// var file = new File(fakePath, "w");
// 65 == O_WRONLY | O_CREAT (1 | 64) on Linux/Android; fakeFd is never closed.
var fakeFd = open(fakePath,65)
// 512-byte scratch buffer; each read() call fills at most this many bytes.
var buffer = Memory.alloc(512);
// No leading slash: this is resolved relative to the process's working
// directory, not to the filesystem root.
var nativePath = Memory.allocUtf8String("proc/self/maps")
// Unused.
var open_mode = Memory.allocUtf8String("r");
// flags 0 == O_RDONLY; realFd is never closed.
var realFd = open(nativePath,0);

// Loop until read() returns 0 (EOF). A -1 error return is also !== 0, so a
// failed read (e.g. the relative path above not existing) keeps the loop going.
while (parseInt(read(realFd, buffer, 512)) !== 0) {
// Reads the buffer as a NUL-terminated C string: this is a fixed-size chunk of
// the map, not a single line, despite the name. The number of bytes read() just
// returned is ignored, and the buffer is not explicitly NUL-terminated after a
// full 512-byte read — presumably relies on Memory.alloc zero-filling; verify.
var oneLine = Memory.readCString(buffer);
// Drop the whole chunk if it contains either substring anywhere in it.
if (oneLine.indexOf("tmp") === -1 && oneLine.indexOf("frida") === -1) {
// `file` is not defined in this scope (see the commented-out declaration above).
file.write(oneLine);
// write(fakeFd,buffer,512)
}
// write(fakeFd,buffer,512)
// console.log(oneLine)
}
}
// Run the copy shortly (5 ms) after the agent script is loaded.
setTimeout(readmaps, 5);


虚假maps文件绕过frida检测
http://showfaker.top/2024/03/20/maps-bypass/