add minor bug in parsing arguments and fixed some issues with full pa…

…cket capture on Android devices
fkie-cad · Dec 6, 2024 · 7fd8c79 · 7fd8c79
1 parent fbc9185
commit 7fd8c79
Show file tree

Hide file tree

Showing 13 changed files with 801 additions and 147 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,8 @@ frida-server*
 __handlers__
 friTap.egg-info
 dist/
+*.pcap
+*.trace
 
 # debian package generation stuff
 deb_dist/

diff --git a/INTEGRATION.md b/INTEGRATION.md
@@ -32,17 +32,15 @@ try:
         keylog="keylogtest.log", # Path to save SSL key log
         debug_output=True        # Enable debug output
     )
-
+
+    ssl_log.install_signal_handler() 
+
     # Start friTap session
-    process = ssl_log.start_fritap_session()  
+    process, script = ssl_log.start_fritap_session()  
 
-    # Wait for user input to stop
-    sys.stdin.read()
-
-except KeyboardInterrupt:
-    # Detach process on interruption
-    process.detach()
-    print("Logging stopped.")
+    # Wait for user input or interrupt which will invoke the internal signal handler
+    while ssl_log.running:
+        pass
 ```
 
 ---
@@ -154,7 +152,7 @@ try:
     )
 
     # Hook friTap into the target process without immediately loading the script
-    script = ssl_log.start_fritap_session_instrumentation(myAwesomeHandler, process)
+    process, script = ssl_log.start_fritap_session_instrumentation(myAwesomeHandler, process)
 
     # Manually load the friTap script into the target process
     script.load()

diff --git a/agent/misc/socket_tracer.ts b/agent/misc/socket_tracer.ts
@@ -3,9 +3,21 @@ import { get_process_architecture } from "../util/process_infos.js";
 import { readAddresses, getPortsAndAddresses } from "../shared/shared_functions.js";
 import { enable_default_fd } from "../ssl_log.js";
 
-export function execute(moduleName:string) {
+function has_valid_socket_type(fd : number): boolean{
+    var socktype = Socket.type(fd);
+    if (socktype === 'tcp' || socktype === 'tcp6' || socktype === 'udp' || socktype === 'udp6'){
+        if(socktype === 'udp6' && ObjC.available){
+            return false // on iOS this leads always to empty addresses
+        }
+        return true;
+    }
+
+    return true;
+}
+
+export function socket_trace_execute() {
 
-    log("Doing a full packet capture\nUse -k in order to get TLS keys.");
+    //log("Doing a full packet capture\nUse -k in order to get TLS keys.");
 
     var socket_library:string =""
     switch(Process.platform){
@@ -22,31 +34,30 @@ export function execute(moduleName:string) {
             log(`Platform "${Process.platform} currently not supported!`)
     }
 
-var library_method_mapping: { [key: string]: Array<String> } = {}
+var library_method_mapping: { [key: string]: Array<string> } = {};
 const socketFDs = new Map()
 
 if(ObjC.available){
     // currently those libraries gets only detected on iOS if we add an *-sign
     library_method_mapping[`*${socket_library}*`] = ["getpeername*", "getsockname*","socket*", "ntohs*", "ntohl*", "recv*", "recvfrom*", "send*", "sendto*", "read*", "write*"]
 }else{
-    library_method_mapping[`*${socket_library}*`] = ["getpeername", "getsockname", "ntohs", "ntohl","socket", "recv", "recvfrom", "send", "sendto", "read", "write"]
+    library_method_mapping[`*${socket_library}*`] = ["getpeername", "getsockname", "ntohs", "ntohl","socket", "recv", "recvfrom", "send", "sendto", "read", "write", "connect"]
 }
 
-var addresses: { [key: string]: NativePointer } = readAddresses(library_method_mapping)
+var addresses: { [libraryName: string]: { [functionName: string]: NativePointer } };
+addresses = readAddresses(socket_library,library_method_mapping);
 
-function has_valid_socket_type(fd : number): boolean{
-    var socktype = Socket.type(fd);
-    if (socktype === 'tcp' || socktype === 'tcp6' || socktype === 'udp' || socktype === 'udp6'){
-        if(socktype === 'udp6' && ObjC.available){
-            return false // on iOS this leads always to empty addresses
-        }
-        return true;
-    }
-
-    return true;
+
+if (!addresses[socket_library] || !addresses[socket_library]["socket"] || !addresses[socket_library]["connect"]) {
+    throw new Error(
+        `Missing required functions in ${socket_library}. Ensure "socket" and "connect" are exported by the library.`
+    );
 }
 
-Interceptor.attach(addresses["socket"],
+
+
+
+Interceptor.attach(addresses[socket_library]["socket"],
 {
     onEnter: function (args: any) {
 
@@ -57,7 +68,11 @@ Interceptor.attach(addresses["socket"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, false, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, false, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_read"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["dst_addr"])
@@ -68,7 +83,7 @@ Interceptor.attach(addresses["socket"],
 
 
 
-Interceptor.attach(addresses["connect"],
+Interceptor.attach(addresses[socket_library]["connect"],
 {
     onEnter: function (args: any) {
         this.fd = args[0].toInt32();
@@ -80,7 +95,11 @@ Interceptor.attach(addresses["connect"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, false, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, false, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_read"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["dst_addr"])
@@ -90,7 +109,7 @@ Interceptor.attach(addresses["connect"],
 });
 
 
-Interceptor.attach(addresses["read"],
+Interceptor.attach(addresses[socket_library]["read"],
 {
     onEnter: function (args: any) {
         this.fd = args[0].toInt32();
@@ -100,7 +119,11 @@ Interceptor.attach(addresses["read"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, true, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, true, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_read"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["src_addr"])
@@ -111,7 +134,7 @@ Interceptor.attach(addresses["read"],
 })
 
 
-Interceptor.attach(addresses["recv"],
+Interceptor.attach(addresses[socket_library]["recv"],
 {
     onEnter: function (args: any) {
         this.fd= args[0].toInt32();
@@ -122,7 +145,11 @@ Interceptor.attach(addresses["recv"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, true, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, true, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_read"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["src_addr"])
@@ -135,7 +162,7 @@ Interceptor.attach(addresses["recv"],
     }
 })
 
-Interceptor.attach(addresses["recvfrom"],
+Interceptor.attach(addresses[socket_library]["recvfrom"],
 {
     onEnter: function (args: any) {
         this.fd = args[0].toInt32();
@@ -146,7 +173,11 @@ Interceptor.attach(addresses["recvfrom"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, true, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, true, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_read"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["src_addr"])
@@ -156,7 +187,7 @@ Interceptor.attach(addresses["recvfrom"],
 })
 
 
-Interceptor.attach(addresses["send"],
+Interceptor.attach(addresses[socket_library]["send"],
 {
     onEnter: function (args: any) {
         this.fd = args[0].toInt32();
@@ -168,7 +199,11 @@ Interceptor.attach(addresses["send"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, false, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, false, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_write"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["dst_addr"])
@@ -178,7 +213,7 @@ Interceptor.attach(addresses["send"],
 })
 
 
-Interceptor.attach(addresses["sendto"],
+Interceptor.attach(addresses[socket_library]["sendto"],
 {
     onEnter: function (args: any) {
         this.fd = args[0].toInt32();
@@ -188,7 +223,11 @@ Interceptor.attach(addresses["sendto"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, false, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, false, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_write"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["dst_addr"])
@@ -197,7 +236,7 @@ Interceptor.attach(addresses["sendto"],
     }
 })
 
-Interceptor.attach(addresses["write"],
+Interceptor.attach(addresses[socket_library]["write"],
 {
     onEnter: function (args: any) {
         this.fd = args[0].toInt32();
@@ -207,7 +246,11 @@ Interceptor.attach(addresses["write"],
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, false, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, false, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_write"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["dst_addr"])
@@ -225,7 +268,11 @@ if(ObjC.available){
             return;
         }
         if(has_valid_socket_type(fd)){
-            var message = getPortsAndAddresses(fd as number, false, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(fd as number, false, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+                //devlog("Skipping this socket due to unsupported address family."); To noisy
+                return;
+            }
             message["function"] = "Full_write"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["dst_addr"])
@@ -250,7 +297,11 @@ Interceptor.attach(Module.getExportByName("libsystem_kernel.dylib","read"),
             return;
         }
         if(has_valid_socket_type(this.fd)){
-            var message = getPortsAndAddresses(this.fd as number, true, addresses, enable_default_fd)
+            var message = getPortsAndAddresses(this.fd as number, true, addresses[socket_library], enable_default_fd)
+            if (message === null) {
+
+                return;
+            }
             message["function"] = "Full_read"
             message["contentType"] = "netlog"
             socketFDs.set(this.fd, message["src_addr"])

diff --git a/agent/shared/shared_functions.ts b/agent/shared/shared_functions.ts
@@ -1,5 +1,5 @@
 import { log, devlog, devlog_error } from "../util/log.js";
-import { AF_INET, AF_INET6, ModuleHookingType } from "./shared_structures.js";
+import { AF_INET, AF_INET6, AddressFamilyMapping, unwantedFDs, ModuleHookingType } from "./shared_structures.js";
 
 
 function wait_for_library_loaded(module_name: string){
@@ -233,6 +233,11 @@ export function getPortsAndAddresses(sockfd: number, isRead: boolean, methodAddr
         return message
     }
 
+    // Check if this fd is already marked as unwanted
+    if (unwantedFDs.has(sockfd)) {
+        return null; // Skip further processing
+    }
+
     var getpeername = new NativeFunction(methodAddresses["getpeername"], "int", ["int", "pointer", "pointer"])
     var getsockname = new NativeFunction(methodAddresses["getsockname"], "int", ["int", "pointer", "pointer"])
     var ntohs = new NativeFunction(methodAddresses["ntohs"], "uint16", ["uint16"])
@@ -241,7 +246,7 @@ export function getPortsAndAddresses(sockfd: number, isRead: boolean, methodAddr
     var addrlen = Memory.alloc(4)
     var addr = Memory.alloc(128)
     var src_dst = ["src", "dst"]
-    for (var i = 0; i < src_dst.length; i++) {
+    for (let i = 0; i < src_dst.length; i++) {
         addrlen.writeU32(128)
         if ((src_dst[i] == "src") !== isRead) {
             devlog("src")
@@ -251,6 +256,11 @@ export function getPortsAndAddresses(sockfd: number, isRead: boolean, methodAddr
             devlog("dst")
             getpeername(sockfd, addr, addrlen)
         }
+
+        var family = addr.readU16();
+        const familyName = AddressFamilyMapping[family] || `UNKNOWN`;
+
+
         if (addr.readU16() == AF_INET) {
             message[src_dst[i] + "_port"] = ntohs(addr.add(2).readU16()) as number
             message[src_dst[i] + "_addr"] = ntohl(addr.add(4).readU32()) as number
@@ -270,10 +280,19 @@ export function getPortsAndAddresses(sockfd: number, isRead: boolean, methodAddr
                 message["ss_family"] = "AF_INET6"
             }
         } else {
-            devlog("[-] getPortsAndAddresses resolving error: "+addr.readU16())
-            throw "Only supporting IPv4/6"
+            // only uncomment this if you really need to debug this
+            //devlog("[-] getPortsAndAddresses resolving error: Only supporting IPv4/6");
+            //devlog(`[-] Inspecting fd: ${sockfd}, Address family: ${family} (${familyName})`);
+            //throw "Only supporting IPv4/6"
+
+            if (!unwantedFDs.has(sockfd)) {
+                //devlog(`Skipping unsupported address family: ${family}:${familyName} (fd: ${sockfd})`);
+            }
+            unwantedFDs.add(sockfd); // Mark this fd as unwanted
+            return null;
         }
     }
+
     return message
 }
 

diff --git a/agent/shared/shared_structures.ts b/agent/shared/shared_structures.ts
@@ -3,7 +3,17 @@
 export type ModuleHookingType = (moduleName: string, is_base_hook: boolean) => void;
 export var module_library_mapping:{ [key: string]: Array<[any, ModuleHookingType]> }  = {};
 
+export const unwantedFDs = new Set<number>(); // this helps us to track if we alredy encountered this fd
 
-export const AF_INET = 2
-export const AF_INET6 = 10
-export const pointerSize = Process.pointerSize;
+export const AF_INET = 2;
+export const AF_INET6 = 10;
+export const AF_UNIX = 1;
+export const pointerSize = Process.pointerSize;
+
+export const AddressFamilyMapping: { [key: number]: string } = {
+    2: "AF_INET", // IPv4
+    10: "AF_INET6", // IPv6
+    1: "AF_UNIX", // Unix domain sockets
+    17: "AF_PACKET", // Raw packets
+    // Add other address families as needed
+};