m0bilesecurity / RMS-Runtime-Mobile-Security

Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
https://twitter.com/mobilesecurity_
GNU General Public License v3.0

RMS - Early instrumentation issue #9

Closed balramrexwal closed 4 years ago

balramrexwal commented 4 years ago

I am trying to bypass the Frida Script running in Memory and Frida Server Detection by using the AntiFrida App. The Anti Frida App has two detections: CHECK FRIDA SERVER and CHECK FRIDA IN MEMORY.

I am able to bypass it using the Frida CLI but not by using the RMS tool. Using RMS, when Frida Server is running and the app is spawned on the device, it shows both in RED as shown below:

[image]

Using RMS, when Frida Server is running and the app is spawned with the script added to it (adding the script in the Custom-Scripts folder and spawning), it shows only GREEN for the check in memory as shown below:

[image]

It cannot bypass Frida Server. I am not able to find the issue, because using the same script in the Frida CLI it bypasses both detections, in memory and server (shows GREEN).

Script is:

setTimeout(function () {
    Java.perform(function () {
        console.log("[*] Script loaded");
        var MainActivity = Java.use("org.owasp.mstg.antifrida.MainActivity");

        // hook for the CHECK FRIDA IN MEMORY detection
        MainActivity.checkMemory.overload().implementation = function () {
            console.log("[*] bypass frida memory function invoked");
            return false;
        };

        // hook for the CHECK FRIDA SERVER detection
        MainActivity.setFridaServerTextView.overload().implementation = function () {
            console.log("[*] bypass frida server function invoked");
            return false;
        };
    });
});

Decrypted Java file of the Anti Frida MainActivity is here: https://pastebin.com/NdwfvzjK

Is there any issue in applying this script, or in the script itself (using the same script in the FRIDA CLI it bypasses both DETECTIONS)? Please help to resolve this issue.

m0bilesecurity commented 4 years ago

Hey it's a very interesting case. I think that RMS runs the script too late (when the check is already done).

Can you kindly share the APK? I'll be happy to perform a check and improve the tool. If you want to have a look directly, the logic is inside the mobilesecurity.py file (Device section). Best

balramrexwal commented 4 years ago

Yeah, sure: https://we.tl/t-R7SQcVo19N

m0bilesecurity commented 4 years ago

Hey @balramrexwal your bypass is wrong. Check this code:

Java.perform(function () {
    var classname = "org.owasp.mstg.antifrida.MainActivity";
    var classmethod = "PortScanFrida";
    var hookclass = Java.use(classname);

    //public boolean PortScanFrida(java.lang.String) throws java.net.UnknownHostException

    hookclass.PortScanFrida.overload("java.lang.String").implementation = function (v0) {
        send("CALLED: " + classname + "." + classmethod + "()\n");
        var ret = this.PortScanFrida(v0);

        var s="";
        s=s+"HOOK: " + classname + "." + classmethod + "()\n";
        s=s+"IN: "+v0+"\n";
        s=s+"OUT: "+ret+"\n";
        send(s);

        return false;
    };
});

Java.perform(function () {
    var classname = "org.owasp.mstg.antifrida.MainActivity";
    var classmethod = "checkMemory";
    var hookclass = Java.use(classname);

    //public boolean checkMemory()

    hookclass.checkMemory.overload().implementation = function () {
        send("CALLED: " + classname + "." + classmethod + "()\n");
        var ret = this.checkMemory();

        var s="";
        s=s+"HOOK: " + classname + "." + classmethod + "()\n";
        s=s+"IN: "+""+"\n";
        s=s+"OUT: "+ret+"\n";
        send(s);

        return false;
    };
});

[image: checks_bypass]

The above FRIDA script works very well, but I don't know if there is a smarter way to bypass all the checks. I only had a very quick look at the MainActivity via the HOOK LAB view.

NOTE: RMS is very useful in this case because it helps you to focus your attention only on classes and methods that have been loaded in memory 😉

Anyway, I confirm that if you load the script at startup it does not work immediately. You have to click the buttons in order to perform a second session of checks.

Unfortunately RMS evaluates the script too late (when the first session of checks has already been performed).

This is the affected code (mobilesecurity.py):

session = None
if mode == "Spawn":
    pid = device.spawn([package_name])
    session = device.attach(pid)
    print('[*] Process Spawned')
if mode == "Attach":
    session = device.attach(package_name)
    print('[*] Process Attached')

script = session.create_script(frida_code)  # <-- 1. JS API
#script.set_log_handler(log_handler)
script.on('message', on_message)
script.load()  # <-- 2. script loaded

# loading js api
api = script.exports

if mode == "Spawn":
    device.resume(pid)  # <-- 3. APP resumed

# loading FRIDA startup script if exists
if frida_script:
    api.loadcustomfridascript(frida_script)  # <-- 4. custom script loaded
    # DEBUG print(frida_script, file=sys.stdout)

Any ideas for a faster injection?
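One way to get the hooks in place before the first session of checks, as an added example (not RMS's own code): keep the four steps of the excerpt but move step 4 ahead of step 3, so the custom script is evaluated while the spawned process is still suspended, exactly as `frida -f <pkg> -l <js>` does. The Frida device object is passed in rather than obtained from `frida.get_usb_device()` (assumed call), so the call order can be checked offline with the `Recorder` stand-in; the package name is taken from the class name above.

```python
# Added example, not RMS's own code. The device is injected for an offline
# dry run; with real frida-python pass frida.get_usb_device() (assumed).

def instrument(device, package_name, mode, frida_code, frida_script=None):
    """Return (session, script, pid). In Spawn mode the app stays suspended
    until every hook has been evaluated, as `frida -f <pkg> -l <js>` does."""
    if mode == "Spawn":
        pid = device.spawn([package_name])
        session = device.attach(pid)
    elif mode == "Attach":
        pid, session = None, device.attach(package_name)
    else:
        raise ValueError("mode must be 'Spawn' or 'Attach'")
    script = session.create_script(frida_code)   # 1. RMS JS API
    script.load()                                # 2. script loaded
    api = script.exports
    if frida_script:                             # 4 before 3: Java.perform
        api.loadcustomfridascript(frida_script)  #    callbacks queue up while
    if mode == "Spawn":                          #    the process is suspended
        device.resume(pid)                       # 3. app resumed last
    return session, script, pid

class Recorder:
    """Offline stand-in playing device, session, script and rpc.exports at
    once; it only records the order in which frida would be called."""
    def __init__(self):
        self.calls = []
        self.exports = self                      # fake script.exports
    def spawn(self, argv):
        self.calls.append("spawn")
        return 4242                              # constructed pid
    def attach(self, target):
        self.calls.append("attach")
        return self
    def create_script(self, source):
        self.calls.append("create_script")
        return self
    def load(self):
        self.calls.append("load")
    def loadcustomfridascript(self, source):
        self.calls.append("loadcustomfridascript")
    def resume(self, pid):
        self.calls.append("resume")

def call_order(mode="Spawn"):
    """Dry run: the sequence the device sees for the given RMS mode."""
    dev = Recorder()
    instrument(dev, "org.owasp.mstg.antifrida", mode, "rpc.exports = {};",
               frida_script="Java.perform(function () {});")
    return dev.calls
```

In Spawn mode `call_order()` ends with `resume`, after `loadcustomfridascript`; with the original ordering `resume` would come before it, which is the window in which the first round of checks runs unhooked.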

balramrexwal commented 4 years ago

Thanks @m0bilesecurity, the script provided by you works. That's what I'm trying to tell you; you got it correctly:

Loading the script at startup does not work immediately. One has to click the buttons in order to perform a second session of checks.

Can you fix this issue of the script loading late in upcoming updates?

Unfortunately RMS evaluates the script too late.

enovella commented 4 years ago

Is this APK public?

m0bilesecurity commented 4 years ago

Hey @enovella, yes, I asked @balramrexwal to post the APK. Here is the link: https://we.tl/t-R7SQcVo19N. More info and source code: https://github.com/b-mueller/frida-detection-demo

enovella commented 4 years ago

@m0bilesecurity Transfer expired.

m0bilesecurity commented 4 years ago

@enovella reuploaded here: https://we.tl/t-j6epcwmNTW 👌🏻

punishell commented 4 years ago

Hey, could you reupload the APK?

m0bilesecurity commented 4 years ago

Hey @punishell, here is the APK: https://we.tl/t-sSfe87JzDw

punishell commented 4 years ago

Thanks @m0bilesecurity, this framework is a life saver 👍

m0bilesecurity commented 4 years ago

@punishell many thanks 🙏 Feel free to improve it via a Pull Request 😉

Mythili0896 commented 4 years ago

Hey, could you reupload the APK?