Hook any function by giving the name and the class name

icezhaoL · Aug 21, 2020 · 9d91039 · 9d91039
1 parent 1aefda7
commit 9d91039
Show file tree

Hide file tree

Showing 9 changed files with 256 additions and 405 deletions.
diff --git a/README.md b/README.md
@@ -9,12 +9,34 @@
 It's functionality can be summarised as follows:
 
 - Tracing and instrumentation of API calls used by common malware categories
+
 - Unpacking of packed apps (effective for most of the weel known packers, including Qihoo, Secshell e.t.c.)
+
 - Triggering of various system events in order to initiate a malicious behaviour
+
 - Triggering of application's components (Activities, Services e.t.c.)
+
 - Translation of UI to English in order to enhance user interaction
+
 - Wrapping of adb commands (e.g. cchange proxy settings, insert keys e.t.c.)
 
+
+
+### Updates:
+
+**21/08/2020**: Hook a function by giving the name and its class name (example):
+
+```
+medusa>hook
+
+Enter the full name of the function's class: foo.com
+Enter the function name: onCreate
+
+Hook has been added to the modules/schratchpad.me ,you may inlude it in the final script
+```
+
+
+
 
 ### Usage:
 
@@ -58,8 +80,6 @@ Medusa's functionality is based the following scripts:
 
 
 
-
-
 - **apkutils.py** 
 
   > Given a **manifest or and apk file**, the specific script is able to perform the following functionalities:

diff --git a/libraries/defs.py b/libraries/defs.py
@@ -89,6 +89,41 @@ def do_export(self,line):
     #         print('exception: ' + e) 
 
 
+
+
+    def do_hook(self,line):
+        className = input("Enter the full name of the function's class: ")
+        functionName = input("Enter the function name: ")
+        codejs = """
+        var hook = Java.use('"""+className+"""');
+                    var overloadCount = hook['"""+functionName+"""'].overloads.length;
+                    console.log("Tracing " +'"""+ functionName+"""' + " [" + overloadCount + " overload(s)]");
+                    for (var i = 0; i < overloadCount; i++) {
+                    hook['"""+functionName+"""'].overloads[i].implementation = function() {
+                    colorLog("*** entered " +'"""+ functionName+ """',{ c: Color.Green });
+
+        Java.perform(function() {
+             var bt = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
+                console.log("Backtrace:" + bt);
+        });   
+
+        if (arguments.length) console.log();
+        for (var j = 0; j < arguments.length; j++) {
+            console.log("arg[" + j + "]: " + arguments[j]);
+        }
+        var retval = this['"""+functionName+"""'].apply(this, arguments); // rare crash (Frida bug?)
+        console.log("nretval: " + retval);
+        colorLog("*** exiting " + '"""+functionName+"""',{ c: Color.Green });
+        return retval;
+    }
+}
+"""
+        with open('modules/scratchpad.med','a') as script:
+            script.write(codejs)
+
+        print("Hook has been added to the"+GREEN+ " modules/schratchpad.me"+ RESET+" ,you may inlude it in the final script")
+
+
 #---------------------------------------------------------------------------------------------------------------
 
     def do_search(self, line):
@@ -592,6 +627,7 @@ def do_help(self,line):
                     Script operations:
                         - export                    : Save the current module list to 'recipe.txt'
                         - compile                   : Compile the modules to a frida script
+                        - hook                      : Initiates a dialog for hooking a function
 
                     Frida Session:
                         - run        [package name] : Initiate a Frida session and attache to the sellected package

diff --git a/libraries/libapkutils.py b/libraries/libapkutils.py
@@ -35,12 +35,56 @@ class parser(cmd.Cmd):
     services = None
     receivers = None
     providers = None
-    filters = None
+    filters = []
 
     classes = []
     packages = []
 
 
+    def do_search(self, line):
+        found = False
+        try:
+            what = line.split(' ')[0]
+
+            for module in self.activities:
+                if what in module:
+                    print(module[:str(module).find(what)]+GREEN+what+RESET+module[str(module).find(what)+len(what):])
+                    found = True
+            if not found:
+                print('No Activities found containing: {} !'.format(what))
+
+            found = False
+            for module in self.services:
+                if what in module:
+                    print(module[:str(module).find(what)]+GREEN+what+RESET+module[str(module).find(what)+len(what):])
+                    found = True
+            if not found:
+                print('No Services found containing: {} !'.format(what))
+
+            found = False
+            for module in self.receivers:
+                if what in module:
+                    print(module[:str(module).find(what)]+GREEN+what+RESET+module[str(module).find(what)+len(what):])
+                    found = True
+            if not found:
+                print('No Receivers found containing: {} !'.format(what))
+
+
+            found = False
+            for module in self.providers:
+                if what in module:
+                    print(module[:str(module).find(what)]+GREEN+what+RESET+module[str(module).find(what)+len(what):])
+                    found = True
+            if not found:
+                print('No Providers found containing: {} !'.format(what))
+
+
+
+        except Exception as e:
+            print(e)
+
+
+
 
     def do_trace(self,line):
 
@@ -391,6 +435,7 @@ def do_help(self,line):
                     - show receivers            : Prints a list with the application's receivers
                     - show providers            : Prints a list with the application's content providers
                     - show filters              : Prints broadcast filters
+                    - search [keyword]          : Search components containing the given keyword
                     ===========================================================================================
 
                     [+] TRIGERS:

diff --git a/modules/a11y_abuse/accessibility_nod.med b/modules/a11y_abuse/accessibility_nod.med
@@ -8,8 +8,42 @@ https://developer.android.com/reference/android/view/accessibility/Accessibility
 console.log('---------------A11Y monitor by @chopin--------------');
 
 var accessibilityNodeInfo = Java.use('android.view.accessibility.AccessibilityNodeInfo');
+var accessibilityEvent = Java.use('android.view.accessibility.AccessibilityEvent');
+var accessibilityRecord= Java.use('android.view.accessibility.AccessibilityRecord');
 
 
+
+accessibilityRecord.getText.implementation = function(){
+    ret = this.getText();
+    colorLog('[+] accessibilityRecord, Get Text called: ' +ret, {c:Color.Green});
+    return ret;  
+}
+
+
+accessibilityEvent.eventTypeToString.implementation = function(eventType){
+    ret = this.eventTypeToString(eventType);
+    colorLog('[+] accessibilityEvent, Get Event Type called: ' +ret, {c:Color.Green});
+    return ret;  
+}
+
+accessibilityEvent.getAction.implementation = function(){
+    ret = this.getAction();
+    colorLog('[+] accessibilityEvent, GetAction called: ' +ret, {c:Color.Green});
+    return ret;  
+}
+
+accessibilityEvent.setAction.implementation = function(action){
+    this.setAction(action);
+    colorLog('[+] accessibilityEvent, setAction called with action set to: ' +action, {c:Color.Green});
+}
+
+accessibilityEvent.getPackageName.implementation = function(){
+    ret = this.getPackageName();
+    colorLog('[+] accessibilityEvent, Get Package Name called: ' +ret, {c:Color.Green});
+    return ret;  
+
+}
+
 accessibilityNodeInfo.getPackageName.implementation = function(){
     ret = this.getPackageName();
     colorLog('App Gets the package of the nod: ' +ret, {c:Color.Green});