improved cronet pattern (ARM64); conscrypt (Android) improved; enable…
… NSS TLS key hooks
monkeywave committed Feb 7, 2025
1 parent e7ad64a commit 0854ec4
Showing 10 changed files with 290 additions and 138 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -3,7 +3,7 @@
</p>

# friTap
![version](https://img.shields.io/badge/version-1.2.8.5-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&r=r&ts=1683906897&type=6e&v=1.2.8.5&x2=0)](https://badge.fury.io/py/friTap)
![version](https://img.shields.io/badge/version-1.2.8.8-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&r=r&ts=1683906897&type=6e&v=1.2.8.8&x2=0)](https://badge.fury.io/py/friTap)

friTap is a powerful tool designed to assist researchers in analyzing network traffic encapsulated in SSL/TLS. With its ability to automate key extraction, friTap is especially valuable when dealing with malware analysis or investigating privacy issues in applications. By simplifying the process of decrypting and inspecting encrypted traffic, friTap empowers researchers to uncover critical insights with ease.

7 changes: 4 additions & 3 deletions agent/android/android_agent.ts
Expand Up @@ -8,6 +8,7 @@ import { mbedTLS_execute } from "./mbedTLS_android.js";
import { boring_execute } from "./openssl_boringssl_android.js";
import { java_execute} from "./android_java_tls_libs.js";
import { cronet_execute } from "./cronet_android.js";
import { conscrypt_native_execute } from "./conscrypt.js";
import { flutter_execute } from "./flutter_android.js";
import { s2ntls_execute } from "./s2ntls_android.js";
import { mono_btls_execute } from "./mono_btls_android.js";
Expand Down Expand Up @@ -78,14 +79,14 @@ export function load_android_hooking_agent() {
module_library_mapping[plattform_name] = [
[/.*libssl_sb.so/, invokeHookingFunction(boring_execute)],
[/.*libssl\.so/, invokeHookingFunction(boring_execute)],
[/libconscrypt_gmscore_jni.so/, invokeHookingFunction(boring_execute)], // inspired from https://github.com/PiRogueToolSuite/pirogue-cli/blob/debian-12/pirogue_cli/frida-scripts/log_ssl_keys.js#L55
[/ibconscrypt_jni.so/, invokeHookingFunction(boring_execute)],
[/libconscrypt_gmscore_jni.so/, invokeHookingFunction(conscrypt_native_execute)], // inspired from https://github.com/PiRogueToolSuite/pirogue-cli/blob/debian-12/pirogue_cli/frida-scripts/log_ssl_keys.js#L55
[/ibconscrypt_jni.so/, invokeHookingFunction(conscrypt_native_execute)],
[/.*cronet.*\.so/, invokeHookingFunction(cronet_execute)],
[/.*monochrome.*\.so/, invokeHookingFunction(cronet_execute)],
[/.*flutter.*\.so/, invokeHookingFunction(flutter_execute)],
[/.*libgnutls\.so/, invokeHookingFunction(gnutls_execute)],
[/.*libwolfssl\.so/, invokeHookingFunction(wolfssl_execute)],
[/.*libnspr[0-9]?\.so/,invokeHookingFunction(nss_execute)],
[/.*libnss*\.so/,invokeHookingFunction(nss_execute)],
[/libmbedtls\.so.*/, invokeHookingFunction(mbedTLS_execute)],
[/.*libs2n.so/, invokeHookingFunction(s2ntls_execute)],
[/.*mono-btls.*\.so/, invokeHookingFunction(mono_btls_execute)]];
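Review bot: The two conscrypt entries on the new side keep an unescaped `.` and the second pattern still lacks its leading `l` (`/ibconscrypt_jni.so/`); it only matches because the regex is unanchored and `ibconscrypt_jni.so` is a substring of the real file name, which is fragile next to the escaped `\.so` the neighbouring entries use. I would write `[/libconscrypt_gmscore_jni\.so/, invokeHookingFunction(conscrypt_native_execute)],` and `[/libconscrypt_jni\.so/, invokeHookingFunction(conscrypt_native_execute)],`. As far as the conscrypt.ts hunk in this commit shows, `conscrypt_native_execute` installs only the keylog hook and not the plaintext read/write hooks that `boring_execute` installs, so a one-line comment on these entries stating that conscrypt is keylog-only would save the next reader a detour. `load_android_hooking_agent` starts outside the hunk.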
58 changes: 58 additions & 0 deletions agent/android/conscrypt.ts
@@ -1,5 +1,63 @@
import { devlog, devlog_error, log } from "../util/log.js";
import { getAndroidVersion } from "../util/process_infos.js";
import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js";
import { socket_library } from "./android_agent.js";

export class Consycrypt_BoringSSL_Android extends OpenSSL_BoringSSL {

constructor(public moduleName:string, public socket_library:String, is_base_hook: boolean){
var library_method_mapping : { [key: string]: Array<string> }= {};
library_method_mapping[`*${moduleName}*`] = ["SSL_CTX_new", "SSL_CTX_set_keylog_callback"]

super(moduleName,socket_library,is_base_hook, library_method_mapping);
}



install_conscrypt_tls_keys_callback_hook (){
this.SSL_CTX_set_keylog_callback = new NativeFunction(this.addresses[this.module_name]["SSL_CTX_set_keylog_callback"], "void", ["pointer", "pointer"]);
var instance = this;

Interceptor.attach(this.addresses[this.module_name]["SSL_CTX_new"], {
onLeave: function(retval) {
const ssl = new NativePointer(retval);
if (!ssl.isNull()) {
instance.SSL_CTX_set_keylog_callback(ssl, OpenSSL_BoringSSL.keylog_callback)
}
}
});

}


execute_conscrypt_hooks(){
this.install_conscrypt_tls_keys_callback_hook();
}

}

export function conscrypt_native_execute(moduleName:string, is_base_hook: boolean){
var boring_ssl = new Consycrypt_BoringSSL_Android(moduleName,socket_library,is_base_hook);
try {
boring_ssl.execute_conscrypt_hooks();
}catch(error_msg){
devlog(`conscrypt_execute error: ${error_msg}`);
}

if (is_base_hook) {
try {
const init_addresses = boring_ssl.addresses[moduleName];
// ensure that we only add it to global when we are not
if (Object.keys(init_addresses).length > 0) {
(global as any).init_addresses[moduleName] = init_addresses;
}}catch(error_msg){
devlog(`conscrypt_execute base-hook error: ${error_msg}`)
}
}

}



function findProviderInstallerImplFromClassloaders(currentClassLoader: Java.Wrapper, backupImplementation: any) : Java.Wrapper | null {

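Review bot: `install_conscrypt_tls_keys_callback_hook` indexes `this.addresses[this.module_name]`, while the constructor only declares `moduleName` and the base-class hunk in agent/ssl_lib/openssl_boringssl.ts indexes `this.addresses[this.moduleName]`; unless the parent also defines a `module_name` field, that lookup yields undefined, the `NativeFunction` construction throws, and the try/catch in `conscrypt_native_execute` reduces it to a single devlog line, so no keys get logged and nothing loud says why. The same method body is added verbatim to `OpenSSL_BoringSSL_Android` in agent/android/openssl_boringssl_android.ts in this commit, and with the conscrypt libraries now dispatched to `conscrypt_native_execute` one of the two copies looks unreferenced and should be dropped. Smaller points: the class name `Consycrypt_BoringSSL_Android` is misspelled, `socket_library:String` should be the primitive `string`, the comment `// ensure that we only add it to global when we are not` is cut off mid-sentence, and the log text `conscrypt_execute error:` names a function that does not exist. A header comment stating that this class deliberately maps only `SSL_CTX_new` and `SSL_CTX_set_keylog_callback`, so none of the parent's plaintext hooks are installed, would document the intent.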
4 changes: 2 additions & 2 deletions agent/android/cronet_android.ts
Expand Up @@ -22,8 +22,8 @@ export class Cronet_Android extends Cronet {
fallback: "55 53 57 56 83 EC 4C E8 00 00 00 00 5B 81 C3 A9 CB 13 00 8B 44 24 60" // Fallback pattern
},
"arm64": {
//primary: "3F 23 03 D5 FF C3 01 D1 FD 7B 04 A9 F6 57 05 A9 F4 4F 06 A9 FD 03 01 91 08 34 40 F9 08 11 41 F9 C8 07 00 B4 // Primary pattern old
primary: "3F 23 03 D5 FF C3 01 D1 FD 7B 04 A9 F6 57 05 A9 F4 4F 06 A9 FD 03 01 91 08 34 40 F9 08 1? 41 F9 ?8 0? 00 B4", // Primary pattern
//primary: "3F 23 03 D5 FF C3 01 D1 FD 7B 04 A9 F6 57 05 A9 F4 4F 06 A9 FD 03 01 91 08 34 40 F9 08 1? 41 F9 ?8 0? 00 B4" // Primary pattern old
primary: "3F 23 03 D5 FF ?3 01 D1 FD 7B 0? A9 F6 57 0? A9 F4 4F 0? A9 FD ?3 0? 91 08 34 40 F9 08 1? 41 F9 ?8 0? 00 B4", // Primary pattern
fallback: "3F 23 03 D5 FF 03 02 D1 FD 7B 04 A9 F7 2B 00 F9 F6 57 06 A9 F4 4F 07 A9 FD 03 01 91 08 34 40 F9 08 ?? 41 F9 E8 0F 00 B4" // Fallback pattern
},

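Review bot: The new arm64 primary pattern wildcards the frame-size and register-save immediates (`FF ?3 01 D1`, `FD 7B 0? A9`, `F6 57 0? A9`, `F4 4F 0? A9`, `FD ?3 0? 91`), which widens what it can match well beyond the single prologue the previous pattern pinned, and the trailing `// Primary pattern` says nothing about it; the comment should record why those nibbles vary (presumably different stack-frame layouts across Cronet builds — to be confirmed) and which build the pattern was validated against. Keeping the superseded pattern as a commented-out line gives none of that context; either remove it, since it is in history, or turn it into a comment naming the version range it matched. If the scanner that consumes these patterns does not already reject multiple hits, the looser pattern makes such a check worth adding, but that code is outside this hunk.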
7 changes: 6 additions & 1 deletion agent/android/nss_android.ts
@@ -1,6 +1,7 @@

import {NSS } from "../ssl_lib/nss.js";
import { socket_library } from "./android_agent.js";
import { devlog } from "../util/log.js";

export class NSS_Android extends NSS {

Expand All @@ -18,7 +19,11 @@ export class NSS_Android extends NSS {
execute_hooks(){
this.install_plaintext_read_hook();
this.install_plaintext_write_hook();
//this.install_tls_keys_callback_hook() // might fail
try{
this.install_tls_keys_callback_hook() // might fail
}catch(e){
devlog("Installing NSS key hooking - still early development stage");
}
}

}
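Review bot: The new `catch(e)` in `execute_hooks` discards the caught error and logs a message that does not even say the installation failed, so a broken NSS keylog hook is indistinguishable from the feature simply being off. I would log the cause: `devlog(\`Installing NSS key hooking failed (still early development stage): ${e}\`);`. With the call now wrapped in a try/catch, the `// might fail` on `this.install_tls_keys_callback_hook()` is redundant and could instead state the known reason it fails, if one is known.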
19 changes: 19 additions & 0 deletions agent/android/openssl_boringssl_android.ts
Expand Up @@ -37,13 +37,32 @@ export class OpenSSL_BoringSSL_Android extends OpenSSL_BoringSSL {
*/
}

install_conscrypt_tls_keys_callback_hook (){
this.SSL_CTX_set_keylog_callback = new NativeFunction(this.addresses[this.module_name]["SSL_CTX_set_keylog_callback"], "void", ["pointer", "pointer"]);
var instance = this;

Interceptor.attach(this.addresses[this.module_name]["SSL_CTX_new"], {
onLeave: function(retval) {
const ssl = new NativePointer(retval);
if (!ssl.isNull()) {
instance.SSL_CTX_set_keylog_callback(ssl, OpenSSL_BoringSSL.keylog_callback)
}
}
});

}

execute_hooks(){
this.install_plaintext_read_hook();
this.install_plaintext_write_hook();
this.install_tls_keys_callback_hook();
this.install_extended_hooks();
}

execute_conscrypt_hooks(){
this.install_conscrypt_tls_keys_callback_hook();
}

}


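Review bot: `install_conscrypt_tls_keys_callback_hook` and `execute_conscrypt_hooks` are added without any comment explaining how they differ from `install_tls_keys_callback_hook`/`execute_hooks` right next to them, or when a caller should pick the conscrypt variant; a short TSDoc such as `/** Registers the keylog callback on every SSL_CTX as it is created, by hooking SSL_CTX_new; intended for modules where only SSL_CTX_new and SSL_CTX_set_keylog_callback are mapped (see conscrypt.ts). */` would make the intent readable. The body does not use the Interceptor `this`, so `var instance = this;` plus `function(retval)` can become `onLeave: (retval) => { ... }` capturing `this` directly. `OpenSSL_BoringSSL_Android` begins outside the hunk.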
2 changes: 1 addition & 1 deletion agent/ssl_lib/openssl_boringssl.ts
Expand Up @@ -147,7 +147,7 @@ export class OpenSSL_BoringSSL {

}

if(!ObjC.available){
if(!ObjC.available && checkNumberOfExports(moduleName) > 2){
this.SSL_SESSION_get_id = new NativeFunction(this.addresses[this.moduleName]["SSL_SESSION_get_id"], "pointer", ["pointer", "pointer"]);
this.SSL_get_fd = ObjC.available ? new NativeFunction(this.addresses[this.moduleName]["BIO_get_fd"], "int", ["pointer"]) : new NativeFunction(this.addresses[this.moduleName]["SSL_get_fd"], "int", ["pointer"]);
this.SSL_get_session = new NativeFunction(this.addresses[this.moduleName]["SSL_get_session"], "pointer", ["pointer"]);
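Review bot: The new guard `checkNumberOfExports(moduleName) > 2` gates the `SSL_SESSION_get_id`/`SSL_get_fd`/`SSL_get_session` NativeFunction setup on a count rather than on whether those symbols were actually resolved, so a module with more than two mapped exports that still lacks `SSL_SESSION_get_id` indexes an undefined address exactly as before; `checkNumberOfExports` is outside this hunk, so what it counts is an assumption here. Testing presence directly, e.g. `if(!ObjC.available && this.addresses[this.moduleName]["SSL_SESSION_get_id"] !== undefined){`, would not depend on that. The bare literal `2` also needs a comment saying what it stands for (presumably the two-symbol conscrypt mapping introduced in this commit — confirm). The enclosing function starts before the hunk and continues past it.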
