Added various Scripts

dr0pd34d · web-flow · commit cd54dc3aefbc · 2018-12-08T11:09:04.000+01:00
The scripts do the following:
File-Read: Track Access to files
StringBuilder: Print generated strings for URLs and queries
KeyStore: Track different Keystore access methods with their password
SecretKeySpec: Log keys and their Keyspecs to find hardcoded values
SQLiteHelper: Capture executed SQL statements
diff --git a/Android-File-Read.js b/Android-File-Read.js
@@ -0,0 +1,14 @@
+Java.perform(function () {
+	// Get a class handler of the File class
+	// https://docs.oracle.com/javase/9/docs/api/java/io/File.html
+	const file = Java.use('java.io.File');
+	// Overload the constructor "File" to capture the input parameters
+	file.$init.overload('java.lang.String').implementation = function (filename) {
+		// Log the successful hook to fridas console
+		console.log('[+] new file access operation found!');
+		// Log the file path to the console
+		console.log('Path: ' + filename);
+		// Call the original function to keep the app working
+		return this.$init(filename);
+	}
+});
diff --git a/Android-KeyStore.js b/Android-KeyStore.js
@@ -0,0 +1,61 @@
+Java.perform(function () {
+	// Get a class handler of the KeyStore class
+	// https://docs.oracle.com/javase/9/docs/api/java/security/KeyStore.html
+	const keyStore = Java.use('java.security.KeyStore');
+	// Overload the method "getKey" to capture the input parameters
+	keyStore.getKey.overload('java.lang.String','[C').implementation = function (alias, pass) {
+		// Log the successful hook to fridas console
+		console.log('[+] new getKey operation found!');
+		console.log('Password: ' + pass.join(""));
+		// Call the original function to keep the app working
+		return this.getKey(alias, pass);
+	}
+	keyStore.getInstance.overload('java.lang.String').implementation = function (s) {
+		// Log the successful hook to fridas console
+		console.log('[+] new keyStore.getInstance operation found!');
+		console.log('Content: ' + s);
+		// Call the original function to keep the app working
+		return this.getInstance(s);
+	}
+	keyStore.getInstance.overload('java.lang.String', 'java.security.Provider').implementation = function (s,p) {
+		// Log the successful hook to fridas console
+		console.log('[+] new keyStore.getInstance operation found!');
+		console.log('Content: ' + s);
+		// Call the original function to keep the app working
+		return this.getInstance(s,p);
+	}
+	keyStore.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (s,s2) {
+		// Log the successful hook to fridas console
+		console.log('[+] new keyStore.getInstance operation found!');
+		console.log('Content: ' + s);
+		console.log('Content2: ' + s2);
+		// Call the original function to keep the app working
+		return this.getInstance(s,s2);
+	}
+	
+	keyStore.$init.overload('java.security.KeyStoreSpi', 'java.security.Provider', 'java.lang.String').implementation = function (keyStoreSpi, securityProvider, s) {
+		// Log the successful hook to fridas console
+		console.log('[+] new keyStore.$init operation found!');
+		// Call the original function to keep the app working
+		return this.$init(keyStoreSpi, securityProvider, s);
+	}
+	
+	keyStore.store.overload('java.io.OutputStream','[C').implementation = function (outputStream, pass) {
+		// Log the successful hook to fridas console
+		console.log('[+] new keyStore.store operation found!');
+		console.log('Password: ' + pass.join(""));
+		// Call the original function to keep the app working
+		return this.store(outputStream, pass);
+	}
+	keyStore.load.overload('java.io.InputStream','[C').implementation = function (inputStream, pass) {
+		// Log the successful hook to fridas console
+		console.log('[+] new keyStore.load operation found!');
+		if(pass != null)
+		{
+			console.log('Password Length: ' + pass.length());
+			console.log('Password: ' + pass.join(""));
+		}
+		// Call the original function to keep the app working
+		return this.load(inputStream, pass);
+	}
+});
diff --git a/Android-SQLiteHelper-Capture-Statements.js b/Android-SQLiteHelper-Capture-Statements.js
@@ -0,0 +1,13 @@
+Java.perform(function () {
+	// Get a class handler of the SQLiteDatabase class
+	// https://developer.android.com/reference/android/database/sqlite/SQLiteDatabase
+	const sQLiteDatabase = Java.use('android.database.sqlite.SQLiteDatabase');
+	// Overload the method "executeSql" to capture the input parameters
+	sQLiteDatabase.executeSql.overload('java.lang.String','[Ljava.lang.Object;').implementation = function (query, object) {
+		// Log the successful hook to fridas console
+		console.log('[+] new SQLite Statement captured!');
+		console.log('Query: '+ query);
+		// Call the original function to keep the app working
+		return this.executeSql(query, object);
+	}
+});
diff --git a/Android-SecretKeySpec.js b/Android-SecretKeySpec.js
@@ -0,0 +1,33 @@
+Java.perform(function () {
+	// Get a class handler of the SecretKeySpec class
+	// https://developer.android.com/reference/javax/crypto/spec/SecretKeySpec
+    var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
+	// Overload the method "$init" to capture the input parameters
+    SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function(bytes, keyspec) {
+        // Log the successful hook to fridas console
+		console.log('SecretKeySpec.$init("' + bytes2hex(bytes) + '", "' + keyspec + '")');
+        // Call the original function to keep the app working
+		return this.$init(bytes, keyspec);
+    };
+});
+
+// This function converts the byte array to a hex array
+function bytes2hex(array) {
+    var result = '';
+    console.log('len = ' + array.length);
+    for(var i = 0; i < array.length; ++i)
+        result += ('0' + (array[i] & 0xFF).toString(16)).slice(-2);
+    return result;
+}
+
+// This function can be used inside Java.perform to enumerate strings being used as keys
+// WARNING: Non printable characters may crash the frida server
+function hex2ascii(str1)
+ {
+	var hex  = str1.toString();
+	var str = '';
+	for (var n = 0; n < hex.length; n += 2) {
+		str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
+	}
+	return str;
+ }
diff --git a/Android-StringBuilder.js b/Android-StringBuilder.js
@@ -0,0 +1,13 @@
+Java.perform(function () {
+	// Get a class handler of the StringBuilder class
+	// https://docs.oracle.com/javase/10/docs/api/java/lang/StringBuilder.html
+	const stringBuilder = Java.use('java.lang.StringBuilder');
+	// Overload the method "toString" to capture the input parameters
+	stringBuilder.toString.overload().implementation = function () {
+		// Log the successful hook to fridas console
+		console.log('[+] stringBuilder.toString found!');
+		console.log('Content: ' + this.toString());
+		// Call the original function to keep the app working
+		return this.toString();
+	}
+});
