[原创]这是一个 Frida VEH 示例
2022-11-30 10:24:0 Author: bbs.pediy.com(查看原文) 阅读量:10 收藏

顺便说一句,丢掉调试器,丢掉各种Loader各种Patcher吧,一个 frida 的 js 脚本就能干翻一切。
大佬们可以自己实现下 x64 下的代码(尝试下硬件断点的方式,尝试下 VMP,TEP,WL,SE各种壳的替换机器码)


//"use strict"

// Frida script: a single software breakpoint (int3, 0xCC) is written at a fixed
// RVA inside 010Editor.exe (ia32 build only) and serviced from a handler
// registered with Process.setExceptionHandler.
// Sequence: record the original first byte at the target -> install the handler
// -> overwrite that byte with 0xCC. On the hit, the handler restores the byte,
// rewrites eax/eip in the saved context, re-arms the breakpoint and resumes.
// NOTE(review): the RVA 0x31f7fa and the constants 0xDB / +0x7 below are tied
// to one specific 010Editor build; on any other build the 0xCC lands on an
// unrelated instruction. The handler also returns true for every exception in
// the process without comparing details.address to sub_patchaddr, so an
// unrelated fault (a genuine access violation, for instance) would also have
// its eip advanced by 7 and be resumed.
// Defender note: switching a page of the mapped image to rwx and writing 0xCC
// into the code section is an observable pattern for integrity checks and EDR.

console.log("\n");

console.warn("Frida.version = " + Frida.version);

console.log("Frida.heapSize = " + Frida.heapSize);

console.warn("Process.arch = " + Process.arch);

console.warn("Process.platform = " + Process.platform);

console.log("Process.pointerSize = " + Process.pointerSize);

console.log("\n");

console.error(" 这是一个 Frida VEH 010 Editor 的牛逼示例")

console.error(" pip3 install frida frida-tools -i https://pypi.tuna.tsinghua.edu.cn/simple ");

console.error(" frida -f 010Editor.exe -l ./frida-veh-010-bs.js --no-pause ");

//

// Only the 32-bit Windows build is handled; x64 is a stub, everything else bails out.
if (Process.platform == "windows" && Process.arch == "x64") {

    console.warn("\n", "Coming soon :) ", "\n");

} else if (Process.platform == "windows" && Process.arch == "ia32") {

    //

    // Process.findModuleByName returns null when the module is not loaded;
    // editor.base below would then throw (no null check here).
    var editor = Process.findModuleByName("010Editor.exe");

    console.log("010 editor base: ", editor.base, typeof (editor.base));

    // Breakpoint site = module base + a hard-coded, build-specific RVA.
    var sub_patchaddr = editor.base.add(0x31f7fa);

    console.log("010 editor VA: ", sub_patchaddr, typeof (sub_patchaddr));

    // buf is read here but never used afterwards.
    var buf = Memory.readByteArray(sub_patchaddr, 16);

    // Original first byte at the site, kept so the handler can put it back.
    const cc_origin = Memory.readU8(sub_patchaddr);

    console.log("cc_origin: ", cc_origin, typeof (cc_origin));

    console.log(hexdump(sub_patchaddr, { offset: 0, length: 32, header: true, ansi: true }));

    // VEH
    // Process-wide exception handler; runs for every exception, not only the
    // breakpoint planted below (details.address is logged but never checked).

    Process.setExceptionHandler(function (details) {

        console.log("\n", "setExceptionHandler ==> address: ", details.address);

        console.error(JSON.stringify(details));

        console.warn("RVA: ", details.address.sub(editor.base));

        //

        // Byte under the saved instruction pointer; expected to be 0xCC when the
        // exception is this breakpoint.
        console.log("eip[0]: " + ptr(Memory.readU8(details.context.eip)));

        // restore
        // Put the original byte back. eip is moved past it below rather than
        // re-executing it, and the breakpoint is re-armed at the end of the
        // handler, so the restore only affects the log line that follows.

        //Memory.writeU8(sub_patchaddr, 0x55);

        Memory.writeU8(sub_patchaddr, cc_origin);

        console.warn("eip[0]: " + ptr(Memory.readU8(details.context.eip)));

        console.log("eip: ", details.context.eip);

        console.log("pc: ", details.context.pc);

        console.log("eax: ", details.context.eax);

        //

        // Rewrite eax in the saved context and advance eip by 7 bytes, skipping
        // the code at the breakpoint site; both values are build-specific.
        details.context.eax = 0xDB;

        details.context.eip = ptr(details.context.eip).add(0x7);

        console.warn("eax: ", details.context.eax);

        console.warn("eip: ", details.context.eip);

        console.warn("pc: ", details.context.pc);

        // int3  0xCC
        // Re-arm: the length passed is 1 byte, but the OS applies the new
        // protection to the whole page containing sub_patchaddr.

        Memory.protect(sub_patchaddr, 1, 'rwx');

        Memory.writeU8(sub_patchaddr, 0xcc);

        // true = exception handled; execution resumes with the modified context.
        return true;

    });

    // int3  0xCC
    // Arm the breakpoint only after the handler is registered so the first hit
    // is serviced; the page is left rwx afterwards.

    Memory.protect(sub_patchaddr, 1, 'rwx');

    Memory.writeU8(sub_patchaddr, 0xcc);

} else {

    console.warn("\n", "This platform and architecture are not supported :( ", "\n");

}

