add feature for default socket informations

README.md

@@ -3,7 +3,7 @@
 </p>
 
 # friTap
-![version](https://img.shields.io/badge/version-1.1.0.1-blue) [![PyPi](https://badge.fury.io/py/friTap.svg)](https://pypi.org/project/friTap)
+![version](https://img.shields.io/badge/version-1.1.0.5-blue) [![PyPi](https://badge.fury.io/py/friTap.svg)](https://pypi.org/project/friTap)
 
 The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS. For details have a view into the [OSDFCon webinar slides](assets/friTapOSDFConwebinar.pdf) or in [this blog post](https://lolcads.github.io/posts/2022/08/fritap/).
 
@@ -51,6 +51,47 @@ $ sudo -E /home/daniel/.local/bin/friTap
 
 More examples on using friTap can be found in the [USAGE.md](./USAGE.md). A detailed introduction using friTap on Android is under [EXAMPLE.md](./EXAMPLE.md) as well.
 
+
+## Problems
+
+The absence of traffic or incomplete traffic capture in the resulting pcap file (-p <your.pcap>) may stem from various causes. Before submitting a new issue, consider attempting the following solutions:
+
+### Default Socket Information
+
+There might be instances where friTap fails to retrieve socket information. In such scenarios, running friTap with default socket information (`--enable_default_fd`) could resolve the issue. This approach utilizes default socket information (127.0.0.1:1234 to 127.0.0.1:2345) for all traffic when the file descriptor (FD) cannot be used to obtain socket details:
+
+```bash
+friTap -m --enable_default_fd -p plaintext.pcap com.example.app
+```
+
+### Handling Subprocess Traffic
+
+Traffic originating from a subprocess could be another contributing factor. To capture this traffic, friTap can leverage Frida's spawn gating feature, which intercepts newly spawned processes using the `--enable_spawn_gating` parameter:
+
+```bash
+friTap -m -p log.pcap --enable_spawn_gating com.example.app
+```
+
+### Library Support exist only for Key Extraction
+
+In cases where the target library solely supports key extraction (cf. the table below), you can utilize the `-k <key.log>` parameter alongside full packet capture:
+
+```bash
+friTap -m -p log.pcap --full_capture -k keys.log com.example.app
+```
+
+### Seeking Further Assistance
+
+If these approaches do not address your issue, please create a detailed issue report to aid in troubleshooting. To facilitate a more effective diagnosis, include the following information in your report:
+
+- The operating system and its version
+- The specific application encountering the issue or a comparable application that exhibits similar problems
+- The output from executing friTap with the specified parameters, augmented with friTap's debug output:
+```bash
+friTap -do -v com.example.app
+```
+
+
 ## Supported SSL/TLS implementations and corresponding logging capabilities
 
 ```markdown
@@ -83,6 +124,7 @@ More examples on using friTap can be found in the [USAGE.md](./USAGE.md). A deta
 - scapy (`python3 -m pip install scapy`)
 - watchdog (`python3 -m pip install watchdog`)
 - importlib.resources  (`python3 -m pip install importlib-resources`)
+- for hooking on Android ensure that the `adb`-command is in your PATH
 
 ## Planned features
 

agent/android/android_agent.ts

@@ -1,12 +1,12 @@
-import { module_library_mapping } from "../shared/shared_structures.js"
-import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js"
-import { log, devlog } from "../util/log.js"
-import { gnutls_execute } from "./gnutls_android.js"
-import { wolfssl_execute } from "./wolfssl_android.js"
-import { nss_execute } from "./nss_android.js"
-import { mbedTLS_execute } from "./mbedTLS_android.js"
-import { boring_execute } from "./openssl_boringssl_android.js"
-import { java_execute} from "./android_java_tls_libs.js"
+import { module_library_mapping } from "../shared/shared_structures.js";
+import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js";
+import { log, devlog } from "../util/log.js";
+import { gnutls_execute } from "./gnutls_android.js";
+import { wolfssl_execute } from "./wolfssl_android.js";
+import { nss_execute } from "./nss_android.js";
+import { mbedTLS_execute } from "./mbedTLS_android.js";
+import { boring_execute } from "./openssl_boringssl_android.js";
+import { java_execute} from "./android_java_tls_libs.js";
 
 
 var plattform_name = "linux";

agent/android/android_java_tls_libs.ts

@@ -1,6 +1,6 @@
-import { log } from "../util/log.js"
-import { execute as bouncy_execute } from "./bouncycastle.js"
-import { SSL_Java } from "../ssl_lib/java_ssl_libs.js"
+import { log } from "../util/log.js";
+import { execute as bouncy_execute } from "./bouncycastle.js";
+import { SSL_Java } from "../ssl_lib/java_ssl_libs.js";
 
 
 export class SSL_Java_Android extends SSL_Java {

agent/android/bouncycastle.ts

@@ -1,5 +1,5 @@
-import { log } from "../util/log.js"
-import { byteArrayToString, byteArrayToNumber, getAttribute, reflectionByteArrayToString } from "../shared/shared_functions.js"
+import { log } from "../util/log.js";
+import { byteArrayToString, byteArrayToNumber, getAttribute, reflectionByteArrayToString } from "../shared/shared_functions.js";
 export function execute() {
     setTimeout(function () {
         Java.perform(function () {

agent/android/conscrypt.ts

@@ -1,7 +1,7 @@
-import { log } from "../util/log.js"
+import { log } from "../util/log.js";
 import { getAndroidVersion } from "../util/process_infos.js";
 
-function findProviderInstallerFromClassloaders(currentClassLoader: Java.Wrapper, backupImplementation: any) {
+function findProviderInstallerImplFromClassloaders(currentClassLoader: Java.Wrapper, backupImplementation: any) : Java.Wrapper | null {
 
     var providerInstallerImpl = null
     var classLoaders = Java.enumerateClassLoadersSync()
@@ -30,6 +30,35 @@ function findProviderInstallerFromClassloaders(currentClassLoader: Java.Wrapper,
     return providerInstallerImpl
 }
 
+function findProviderInstallerFromClassloaders(currentClassLoader: Java.Wrapper, backupImplementation: any) : Java.Wrapper | null  {
+
+    var providerInstaller = null
+    var classLoaders = Java.enumerateClassLoadersSync()
+    for (var cl of classLoaders) {
+        try {
+            var classFactory = Java.ClassFactory.get(cl)
+            providerInstaller = classFactory.use("com.google.android.gms.security.ProviderInstaller")
+            break
+        } catch (error) {
+            log("Error in hooking ProviderInstallerImpl")
+            console.log(error);
+            // On error we return null
+        }
+
+    }
+
+    var version = getAndroidVersion()
+    //log("is here the error")
+    //log(typeof version)
+
+    if (version <= 12){
+        //Revert the implementation to avoid an infinitloop of "Loadclass"
+        currentClassLoader.loadClass.overload("java.lang.String").implementation = backupImplementation
+    }
+
+    return providerInstaller
+}
+
 export function execute() {
 
     //We have to hook multiple entrypoints: ProviderInstallerImpl and ProviderInstaller
@@ -42,7 +71,7 @@ export function execute() {
             let retval = this.loadClass(className)
             if (className.endsWith("ProviderInstallerImpl")) {
                 log("Process is loading ProviderInstallerImpl")
-                var providerInstallerImpl = findProviderInstallerFromClassloaders(javaClassLoader, backupImplementation)
+                var providerInstallerImpl = findProviderInstallerImplFromClassloaders(javaClassLoader, backupImplementation)
                 if (providerInstallerImpl === null) {
                     log("ProviderInstallerImpl could not be found, although it has been loaded")
                 } else {
@@ -67,9 +96,26 @@ export function execute() {
                 callback.onProviderInstalled()
             }
         } catch (error) {
-            log("Some error in hooking the Providerinstaller")
-            console.log(error);
-            // As it is not available, do nothing
+            try {
+                // probably class wasn't loaded by the app's main class loader therefore we load it
+                var providerInstallerFromClassloder = findProviderInstallerFromClassloaders(javaClassLoader, backupImplementation)
+                if (providerInstallerFromClassloder === null) {
+                    log("ProviderInstaller could not be found, although it has been loaded")
+                }else{
+                    providerInstallerFromClassloder.installIfNeeded.implementation = function (context: any) {
+                        log("Providerinstaller redirection/blocking")
+                    }
+                    providerInstallerFromClassloder.installIfNeededAsync.implementation = function (context: any, callback: any) {
+                        log("Providerinstaller redirection/blocking")
+                        callback.onProviderInstalled()
+                    }
+                }
+            }catch (error) {
+                log("Some error in hooking the Providerinstaller")
+                console.log(error);
+                // As it is not available, do nothing
+            }
+
         }
     })
 

agent/android/gnutls_android.ts

@@ -1,5 +1,5 @@
 
-import {GnuTLS } from "../ssl_lib/gnutls.js"
+import {GnuTLS } from "../ssl_lib/gnutls.js";
 import { socket_library } from "./android_agent.js";
 
 export class GnuTLS_Linux extends GnuTLS {

agent/android/mbedTLS_android.ts

@@ -1,5 +1,5 @@
 
-import {mbed_TLS } from "../ssl_lib/mbedTLS.js"
+import {mbed_TLS } from "../ssl_lib/mbedTLS.js";
 import { socket_library } from "./android_agent.js";
 
 export class mbed_TLS_Android extends mbed_TLS {

agent/android/nss_android.ts

@@ -1,5 +1,5 @@
 
-import {NSS } from "../ssl_lib/nss.js"
+import {NSS } from "../ssl_lib/nss.js";
 import { socket_library } from "./android_agent.js";
 
 export class NSS_Android extends NSS {

agent/android/openssl_boringssl_android.ts

@@ -1,5 +1,5 @@
 
-import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js"
+import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js";
 import { socket_library } from "./android_agent.js";
 
 export class OpenSSL_BoringSSL_Android extends OpenSSL_BoringSSL {

agent/android/wolfssl_android.ts

@@ -1,7 +1,7 @@
 
 import {WolfSSL } from "../ssl_lib/wolfssl.js";
 import { socket_library } from "./android_agent.js";
-import { toHexString } from "../shared/shared_functions.js"
+import { toHexString } from "../shared/shared_functions.js";
 
 export class WolfSSL_Android extends WolfSSL {
 

agent/ios/ios_agent.ts

@@ -1,7 +1,7 @@
-import { module_library_mapping } from "../shared/shared_structures.js"
-import { log, devlog } from "../util/log.js"
-import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js"
-import { boring_execute } from "./openssl_boringssl_ios.js"
+import { module_library_mapping } from "../shared/shared_structures.js";
+import { log, devlog } from "../util/log.js";
+import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js";
+import { boring_execute } from "./openssl_boringssl_ios.js";
 
 
 var plattform_name = "darwin";

agent/ios/openssl_boringssl_ios.ts

@@ -1,7 +1,7 @@
 
-import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js"
+import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js";
 import { socket_library } from "./ios_agent.js";
-import { log, devlog } from "../util/log.js"
+import { log, devlog } from "../util/log.js";
 
 export class OpenSSL_BoringSSL_iOS extends OpenSSL_BoringSSL {
 

agent/linux/gnutls_linux.ts

@@ -1,5 +1,5 @@
 
-import {GnuTLS } from "../ssl_lib/gnutls.js"
+import {GnuTLS } from "../ssl_lib/gnutls.js";
 import { socket_library } from "./linux_agent.js";
 
 export class GnuTLS_Linux extends GnuTLS {

agent/linux/linux_agent.ts

@@ -1,12 +1,12 @@
-import { module_library_mapping } from "../shared/shared_structures.js"
-import { log, devlog } from "../util/log.js"
-import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js"
-import { gnutls_execute } from "./gnutls_linux.js"
-import { wolfssl_execute } from "./wolfssl_linux.js"
-import { nss_execute } from "./nss_linux.js"
-import { mbedTLS_execute } from "./mbedTLS_linux.js"
-import { boring_execute } from "./openssl_boringssl_linux.js"
-import { matrixSSL_execute } from "./matrixssl_linux.js"
+import { module_library_mapping } from "../shared/shared_structures.js";
+import { log, devlog } from "../util/log.js";
+import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js";
+import { gnutls_execute } from "./gnutls_linux.js";
+import { wolfssl_execute } from "./wolfssl_linux.js";
+import { nss_execute } from "./nss_linux.js";
+import { mbedTLS_execute } from "./mbedTLS_linux.js";
+import { boring_execute } from "./openssl_boringssl_linux.js";
+import { matrixSSL_execute } from "./matrixssl_linux.js";
 
 var plattform_name = "linux";
 var moduleNames: Array<string> = getModuleNames()

agent/linux/matrixssl_linux.ts

@@ -1,5 +1,5 @@
 
-import {matrix_SSL } from "../ssl_lib/matrixssl.js"
+import {matrix_SSL } from "../ssl_lib/matrixssl.js";
 import { socket_library } from "./linux_agent.js";
 
 export class matrix_SSL_Linux extends matrix_SSL {

agent/linux/mbedTLS_linux.ts

@@ -1,5 +1,5 @@
 
-import {mbed_TLS } from "../ssl_lib/mbedTLS.js"
+import {mbed_TLS } from "../ssl_lib/mbedTLS.js";
 import { socket_library } from "./linux_agent.js";
 
 export class mbed_TLS_Linux extends mbed_TLS {

agent/linux/nss_linux.ts

@@ -1,7 +1,7 @@
 
-import {NSS } from "../ssl_lib/nss.js"
+import {NSS } from "../ssl_lib/nss.js";
 import { socket_library } from "./linux_agent.js";
-import { log, devlog } from "../util/log.js"
+import { log, devlog } from "../util/log.js";
 
 export class NSS_Linux extends NSS {
 

agent/linux/openssl_boringssl_linux.ts

@@ -1,5 +1,5 @@
 
-import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js"
+import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js";
 import { socket_library } from "./linux_agent.js";
 
 export class OpenSSL_BoringSSL_Linux extends OpenSSL_BoringSSL {

agent/linux/wolfssl_linux.ts

@@ -1,7 +1,7 @@
 
 import {WolfSSL } from "../ssl_lib/wolfssl.js";
 import { socket_library } from "./linux_agent.js";
-import { toHexString } from "../shared/shared_functions.js"
+import { toHexString } from "../shared/shared_functions.js";
 
 export class WolfSSL_Linux extends WolfSSL {
 

agent/macos/macos_agent.ts

@@ -1,8 +1,8 @@
 
-import { module_library_mapping } from "../shared/shared_structures.js"
-import { log, devlog } from "../util/log.js"
-import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js"
-import { boring_execute } from "./openssl_boringssl_macos.js"
+import { module_library_mapping } from "../shared/shared_structures.js";
+import { log, devlog } from "../util/log.js";
+import { getModuleNames, ssl_library_loader } from "../shared/shared_functions.js";
+import { boring_execute } from "./openssl_boringssl_macos.js";
 
 
 var plattform_name = "darwin";

agent/macos/openssl_boringssl_macos.ts

@@ -1,5 +1,5 @@
 
-import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js"
+import {OpenSSL_BoringSSL } from "../ssl_lib/openssl_boringssl.js";
 import { socket_library } from "./macos_agent.js";