Merge branch 'sensepost:master' into patch-1

sensepost · Jun 7, 2024 · 0cbb307 · 0cbb307
2 parents b245d79 + d9c989d
commit 0cbb307
Show file tree

Hide file tree

Showing 56 changed files with 1,196 additions and 2,805 deletions.
diff --git a/agent/package-lock.json b/agent/package-lock.json
diff --git a/agent/package.json b/agent/package.json
@@ -3,6 +3,7 @@
   "version": "0.0.0",
   "description": "Runtime Mobile Exploration",
   "private": true,
+  "type": "module",
   "main": "src/index.ts",
   "scripts": {
     "prepare": "npm run build",
@@ -30,13 +31,13 @@
   "dependencies": {
     "frida-java-bridge": "^6",
     "frida-objc-bridge": "^7",
-    "frida-screenshot": "^3",
-    "macho": "^1"
+    "frida-screenshot": "^5",
+    "macho-ts": "^0.1.0"
   },
   "devDependencies": {
     "@types/frida-gum": "^18",
-    "@types/node": "^17",
-    "frida-compile": "^10",
+    "@types/node": "^18",
+    "frida-compile": "^16",
     "tslint": "^6"
   }
 }
diff --git a/agent/src/android/clipboard.ts b/agent/src/android/clipboard.ts
@@ -1,9 +1,9 @@
-import { colors as c } from "../lib/color";
+import { colors as c } from "../lib/color.js";
 import {
   getApplicationContext,
   wrapJavaPerform
-} from "./lib/libjava";
-import { ClipboardManager } from "./lib/types";
+} from "./lib/libjava.js";
+import { ClipboardManager } from "./lib/types.js";
 
 export const monitor = (): Promise<void> => {
   // -- Sample Java

diff --git a/agent/src/android/filesystem.ts b/agent/src/android/filesystem.ts
@@ -1,14 +1,14 @@
 import * as fs from "fs";
-import { hexStringToBytes } from "../lib/helpers";
-import { IAndroidFilesystem } from "./lib/interfaces";
+import { hexStringToBytes } from "../lib/helpers.js";
+import { IAndroidFilesystem } from "./lib/interfaces.js";
 import {
   getApplicationContext,
   wrapJavaPerform
-} from "./lib/libjava";
+} from "./lib/libjava.js";
 import {
   File,
   JavaClass
-} from "./lib/types";
+} from "./lib/types.js";
 
 export const exists = (path: string): Promise<boolean> => {
   // -- Sample Java

diff --git a/agent/src/android/general.ts b/agent/src/android/general.ts
@@ -1,4 +1,4 @@
-import { wrapJavaPerform } from "./lib/libjava";
+import { wrapJavaPerform } from "./lib/libjava.js";
 
 export const deoptimize = (): Promise<void> => {
   return wrapJavaPerform(() => {

diff --git a/agent/src/android/heap.ts b/agent/src/android/heap.ts
@@ -1,11 +1,11 @@
-import { colors as c } from "../lib/color";
+import { colors as c } from "../lib/color.js";
 import {
   IHeapClassDictionary,
   IHeapObject,
   IJavaField,
   IHeapNormalised
-} from "./lib/interfaces";
-import { wrapJavaPerform } from "./lib/libjava";
+} from "./lib/interfaces.js";
+import { wrapJavaPerform } from "./lib/libjava.js";
 
 export let handles: IHeapClassDictionary = {};
 
@@ -72,20 +72,20 @@ export const getInstances = (clazz: string): Promise<any[]> => {
 
 export const methods = (handle: number): Promise<string[]> => {
   return wrapJavaPerform(() => {
-    const clazz: Java.Wrapper = getInstance(handle);
+    const clazz = getInstance(handle);
     if (clazz == null) {
       return [];
     }
 
-    return clazz.class.getDeclaredMethods().map((method) => {
+    return clazz.class.getDeclaredMethods().map((method: any) => {
       return method.toGenericString();
     });
   });
 };
 
 export const execute = (handle: number, method: string, returnString: boolean = false): Promise<string | null> => {
   return wrapJavaPerform(() => {
-    const clazz: Java.Wrapper = getInstance(handle);
+    const clazz = getInstance(handle);
 
     if (clazz == null) {
       return;
@@ -104,13 +104,13 @@ export const execute = (handle: number, method: string, returnString: boolean =
 
 export const fields = (handle: number): Promise<IJavaField[]> => {
   return wrapJavaPerform(() => {
-    const clazz: Java.Wrapper = getInstance(handle);
+    const clazz = getInstance(handle);
 
     if (clazz == null) {
       return;
     }
 
-    return clazz.class.getDeclaredFields().map((field): IJavaField => {
+    return clazz.class.getDeclaredFields().map((field: any): IJavaField => {
       const fieldName: string = field.getName();
       const fieldInstance: Java.Wrapper = clazz.class.getDeclaredField(fieldName);
       fieldInstance.setAccessible(true);
@@ -132,7 +132,7 @@ export const fields = (handle: number): Promise<IJavaField[]> => {
 
 export const evaluate = (handle: number, js: string): Promise<void> => {
   return wrapJavaPerform(() => {
-    const clazz: Java.Wrapper = getInstance(handle);
+    const clazz = getInstance(handle);
 
     if (clazz == null) {
       return;

diff --git a/agent/src/android/hooking.ts b/agent/src/android/hooking.ts
@@ -1,12 +1,12 @@
-import { colors as c } from "../lib/color";
-import { IJob } from "../lib/interfaces";
-import * as jobs from "../lib/jobs";
-import { ICurrentActivityFragment } from "./lib/interfaces";
+import { colors as c } from "../lib/color.js";
+import { IJob } from "../lib/interfaces.js";
+import * as jobs from "../lib/jobs.js";
+import { ICurrentActivityFragment } from "./lib/interfaces.js";
 import {
   getApplicationContext,
   R,
   wrapJavaPerform
-} from "./lib/libjava";
+} from "./lib/libjava.js";
 import {
   Activity,
   ActivityClientRecord,
@@ -16,7 +16,7 @@ import {
   PackageManager,
   Throwable,
   JavaMethodsOverloadsResult,
-} from "./lib/types";
+} from "./lib/types.js";
 
 enum PatternType {
   Regex = 'regex',
@@ -64,15 +64,36 @@ const getPatternType = (pattern: string): PatternType => {
   return PatternType.Klass;
 };
 
-export const lazyWatchForPattern = (query: string): void => {
+export const lazyWatchForPattern = (query: string, watch: boolean, dargs: boolean, dret: boolean, dbt: boolean): void => {
   // TODO: Use param to control interval
   let found = false;
+  const job: IJob = {
+    identifier: jobs.identifier(),
+    implementations: [],
+    type: `notify-class for: ${query}`,
+  };
+
+  // This method loops over all enumerate matches and then calls watch
+  // with the arguments specified in the parent function
+  const watchMatches = (matches: Java.EnumerateMethodsMatchGroup[]) => {
+    matches.forEach(match => {
+      match.classes.forEach(_class => {
+        _class.methods.forEach(_method => {
+          watchMethod(_class.name + "." + _method, job, dargs, dbt, dret);
+        })
+      })
+    })
+  }
 
   // Check if the pattern is found before starting an interval
   javaEnumerate(query).then(matches => {
     if (matches.length > 0) {
       found = true;
       send(`${c.green(query)} is already loaded / available`);
+      if (watch) {
+        watchMatches(matches);
+        jobs.add(job);
+      }
     }
   });
 
@@ -87,6 +108,10 @@ export const lazyWatchForPattern = (query: string): void => {
       if (!found && matches.length > 0) {
         send(`${c.green(query)} is now available`);
         found = true;
+        if (watch) {
+          watchMatches(matches);
+          jobs.add(job);
+        }
       }
 
       if (found) clearInterval(interval);
@@ -375,7 +400,12 @@ const watchMethod = (
       };
 
       // Push the implementation so that it can be nulled later
-      job.implementations.push(m);
+      if (job.implementations) {
+        job.implementations.push(m);
+      } else {
+        job.implementations = [ m ];
+      }
+
     });
   });
 };
@@ -443,7 +473,7 @@ export const getServices = (): Promise<string[]> => {
     // not using the helper as we need other variables too
     const context = currentApplication.getApplicationContext();
 
-    let services = [];
+    var services: string[] = [];
 
     currentApplication.mLoadedApk.value.mServices.value.values().toArray().map((potentialServices) => {
       Java.cast(potentialServices, arrayMap).keySet().toArray().map((service) => {
@@ -477,7 +507,7 @@ export const getBroadcastReceivers = (): Promise<string[]> => {
       GET_RECEIVERS
     ).receivers.value
 
-    let receivers = [];
+    var receivers: string[] = [];
 
     currentApplication.mLoadedApk.value.mReceivers.value.values().toArray().map((potentialReceivers) => {
       Java.cast(potentialReceivers, arrayMap).keySet().toArray().map((receiver) => {
@@ -540,7 +570,12 @@ export const setReturnValue = (fqClazz: string, filterOverload: string | null, n
       };
 
       // record override
-      job.implementations.push(m);
+      if (job.implementations) {
+        job.implementations.push(m);
+      } else {
+        job.implementations = [ m ];
+      }
+
     });
 
     jobs.add(job);

diff --git a/agent/src/android/intent.ts b/agent/src/android/intent.ts
@@ -1,9 +1,9 @@
-import { colors as c } from "../lib/color";
+import { colors as c } from "../lib/color.js";
 import {
   getApplicationContext,
   wrapJavaPerform
-} from "./lib/libjava";
-import { Intent } from "./lib/types";
+} from "./lib/libjava.js";
+import { Intent } from "./lib/types.js";
 
 // https://developer.android.com/reference/android/content/Intent.html#FLAG_ACTIVITY_NEW_TASK
 const FLAG_ACTIVITY_NEW_TASK = 0x10000000;

diff --git a/agent/src/android/keystore.ts b/agent/src/android/keystore.ts
@@ -1,17 +1,17 @@
-import { colors as c } from "../lib/color";
+import { colors as c } from "../lib/color.js";
 import {
   IKeyStoreDetail,
   IKeyStoreEntry
-} from "./lib/interfaces";
-import { wrapJavaPerform } from "./lib/libjava";
+} from "./lib/interfaces.js";
+import { wrapJavaPerform } from "./lib/libjava.js";
 import {
   KeyFactory,
   KeyInfo,
   KeyStore,
   SecretKeyFactory
-} from "./lib/types";
-import { IJob } from "../lib/interfaces";
-import * as jobs from "../lib/jobs";
+} from "./lib/types.js";
+import { IJob } from "../lib/interfaces.js";
+import * as jobs from "../lib/jobs.js";
 
 // Dump entries in the Android Keystore, together with a flag
 // indicating if its a key or a certificate.
@@ -220,9 +220,9 @@ const keystoreGetKey = (ident: string): any | undefined => {
 export const watchKeystore = (): void => {
   const job: IJob = {
     identifier: jobs.identifier(),
-    implementations: [],
     type: "android-keystore-watch",
   };
+  job.implementations = [];
 
   job.implementations.push(keystoreLoad(job.identifier));
   job.implementations.push(keystoreGetKey(job.identifier));

diff --git a/agent/src/android/monitor.ts b/agent/src/android/monitor.ts
@@ -1,4 +1,4 @@
-import { wrapJavaPerform } from "./lib/libjava";
+import { wrapJavaPerform } from "./lib/libjava.js";
 
 export namespace monitor {
   export const stringCanary = (can: string): Promise<void> => {

diff --git a/agent/src/android/pinning.ts b/agent/src/android/pinning.ts
@@ -1,8 +1,8 @@
-import { colors as c } from "../lib/color";
-import { qsend } from "../lib/helpers";
-import { IJob } from "../lib/interfaces";
-import * as jobs from "../lib/jobs";
-import { wrapJavaPerform } from "./lib/libjava";
+import { colors as c } from "../lib/color.js";
+import { qsend } from "../lib/helpers.js";
+import { IJob } from "../lib/interfaces.js";
+import * as jobs from "../lib/jobs.js";
+import { wrapJavaPerform } from "./lib/libjava.js";
 import {
   ArrayList,
   CertificatePinner,
@@ -11,7 +11,7 @@ import {
   SSLContext,
   TrustManagerImpl,
   X509TrustManager,
-} from "./lib/types";
+} from "./lib/types.js";
 
 
 // a simple flag to control if we should be quiet or not
@@ -367,10 +367,11 @@ export const disable = (q: boolean): void => {
 
   const job: IJob = {
     identifier: jobs.identifier(),
-    implementations: [],
     type: "android-sslpinning-disable",
   };
 
+  job.implementations = [];
+
   job.implementations.push(sslContextEmptyTrustManager(job.identifier));
   job.implementations.push(okHttp3CertificatePinnerCheck(job.identifier));
   job.implementations.push(okHttp3CertificatePinnerCheckOkHttp(job.identifier));

diff --git a/agent/src/android/proxy.ts b/agent/src/android/proxy.ts
@@ -1,5 +1,5 @@
-import { wrapJavaPerform } from "./lib/libjava";
-import { colors as c } from "../lib/color";
+import { wrapJavaPerform } from "./lib/libjava.js";
+import { colors as c } from "../lib/color.js";
 
 export const set = (host: string, port: string): Promise<void> => {
   return wrapJavaPerform(() => {

diff --git a/agent/src/android/root.ts b/agent/src/android/root.ts
@@ -1,13 +1,13 @@
-import { colors as c } from "../lib/color";
-import { IJob } from "../lib/interfaces";
-import * as jobs from "../lib/jobs";
-import { wrapJavaPerform } from "./lib/libjava";
+import { colors as c } from "../lib/color.js";
+import { IJob } from "../lib/interfaces.js";
+import * as jobs from "../lib/jobs.js";
+import { wrapJavaPerform } from "./lib/libjava.js";
 import {
   File,
   IOException,
   JavaString,
   Runtime
-} from "./lib/types";
+} from "./lib/types.js";
 
 const commonPaths = [
   "/data/local/bin/su",
@@ -294,10 +294,11 @@ const jailMonkeyBypass = (success: boolean, ident: string): any => {
 export const disable = (): void => {
   const job: IJob = {
     identifier: jobs.identifier(),
-    implementations: [],
     type: "root-detection-disable",
   };
 
+  job.implementations = [];
+
   job.implementations.push(testKeysCheck(false, job.identifier));
   job.implementations.push(execSuCheck(false, job.identifier));
   job.implementations.push(fileExistsCheck(false, job.identifier));
@@ -322,6 +323,7 @@ export const enable = (): void => {
     implementations: [],
     type: "root-detection-enable",
   };
+  job.implementations = [];
 
   job.implementations.push(testKeysCheck(true, job.identifier));
   job.implementations.push(execSuCheck(true, job.identifier));