From 3f427a1ee93de50ca0dcdf825cbeeefd61f14ccc Mon Sep 17 00:00:00 2001 From: Ylarod Date: Tue, 18 Jul 2023 19:55:59 +0800 Subject: [PATCH 8/9] Florida: update python script --- src/anti-anti-frida.py | 59 +++++++++++++++++++++++++++++------------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/src/anti-anti-frida.py b/src/anti-anti-frida.py index b4b8dca6..d1ce5f62 100644 --- a/src/anti-anti-frida.py +++ b/src/anti-anti-frida.py @@ -2,36 +2,59 @@ import lief import sys import random import os - + +def log_color(msg): + print(f"\033[1;31;40m{msg}\033[0m") + if __name__ == "__main__": input_file = sys.argv[1] - print(f"[*] Patch frida-agent: {input_file}") - random_name = "".join(random.sample("ABCDEFGHIJKLMNO", 5)) - print(f"[*] Patch `frida` to `{random_name}``") - + random_charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" + log_color(f"[*] Patch frida-agent: {input_file}") binary = lief.parse(input_file) - + if not binary: + log_color(f"[*] Not elf, exit") exit() + + random_name = "".join(random.sample(random_charset, 5)) + log_color(f"[*] Patch `frida` to `{random_name}`") for symbol in binary.symbols: if symbol.name == "frida_agent_main": symbol.name = "main" - + if "frida" in symbol.name: symbol.name = symbol.name.replace("frida", random_name) - + if "FRIDA" in symbol.name: symbol.name = symbol.name.replace("FRIDA", random_name) - + + all_patch_string = ["FridaScriptEngine", "GLib-GIO", "GDBusProxy", "GumScript"] # 字符串特征修改 尽量与源字符一样 + for section in binary.sections: + if section.name != ".rodata": + continue + for patch_str in all_patch_string: + addr_all = section.search_all(patch_str) # Patch 内存字符串 + for addr in addr_all: + patch = [ord(n) for n in list(patch_str)[::-1]] + log_color(f"[*] Patching section name={section.name} offset={hex(section.file_offset + addr)} orig:{patch_str} new:{''.join(list(patch_str)[::-1])}") + binary.patch_address(section.file_offset + addr, patch) + binary.write(input_file) - - # gum-js-loop thread - random_name = "".join(random.sample("abcdefghijklmn", 11)) - print(f"[*] Patch `gum-js-loop` to `{random_name}`") + + # thread_gum_js_loop + random_name = "".join(random.sample(random_charset, 11)) + log_color(f"[*] Patch `gum-js-loop` to `{random_name}`") os.system(f"sed -b -i s/gum-js-loop/{random_name}/g {input_file}") - - # gmain thread - random_name = "".join(random.sample("abcdefghijklmn", 5)) - print(f"[*] Patch `gmain` to `{random_name}`") - os.system(f"sed -b -i s/gmain/{random_name}/g {input_file}") \ No newline at end of file + + # thread_gmain + random_name = "".join(random.sample(random_charset, 5)) + log_color(f"[*] Patch `gmain` to `{random_name}`") + os.system(f"sed -b -i s/gmain/{random_name}/g {input_file}") + + # thread_gdbus + random_name = "".join(random.sample(random_charset, 5)) + log_color(f"[*] Patch `gdbus` to `{random_name}`") + os.system(f"sed -b -i s/gdbus/{random_name}/g {input_file}") + + log_color(f"[*] Patch Finish") \ No newline at end of file -- 2.34.1