Frida hook variable parameters
0x00 Preface:
For the principle of the variable parameter hook, please refer to my article: C++ reverse variable parameter hook
I searched the Internet for a long time, but I didn't find anyone who wrote about Frida hooking variable parameters.
0x01 Frida hook variable parameter
args
OK, back to the topic: how does Frida hook variable parameters?
First, variable parameters mean that the number and type of parameters are uncertain.
In Frida, the function's parameters are in args. I read the information on the official website, which says that args is an array of NativeObject.
But when I use JS to traverse this array, I always get an error... (if anyone knows how to traverse it, please tell me. Thank you!)
And if I just output args directly, it reports an Invalid array index error.
Format control string
At present, I can only handle functions whose variable parameters are governed by a format control string, such as printf("%s,%d-%d-%d","hello",1,2,3).
#include <stdio.h>

int main()
{
    printf("Hello,World!");
    printf("I love %s,test %d-%d-%d %f", "C++", 1, 2, 3, 6.6);
    return 0;
}
My idea is to write JS code that scans the format string for each %, uses the number of % signs to determine how many parameters there are, and intercepts the character after each %.
Depending on that character, it outputs the parameter as a string, integer, pointer data, and so on.
Handle format controllers yourself
/*
 * Used to imitate vsprintf: walks the C format string and prints each
 * variadic argument from Frida's args array according to its conversion char.
 * args[0] is the format string itself, so the i-th variadic argument is args[i].
 */
function vspritf(format_str, args)
{
    // No '%', nothing to format
    if (format_str.indexOf("%") === -1) {
        console.log("string:", format_str);
        return;
    }
    console.log("format:", format_str);
    console.log("-- parameter content: --");
    var pos = 0;
    var count = 0;
    // Find each '%' and dispatch on the character that follows it
    while ((pos = format_str.indexOf("%", pos)) !== -1) {
        var format_ch = format_str.substr(pos + 1, 1);
        pos += 2; // step past "%x" before searching for the next '%'
        switch (format_ch) {
            case "%":
                // literal percent sign, consumes no argument
                continue;
            case "s":
                console.log(Memory.readUtf8String(args[count + 1]));
                break;
            case "d":
                // decode the argument slot as a 32-bit integer
                console.log(args[count + 1].toInt32());
                break;
            case "p":
                // dump a few bytes at the address the argument points to
                console.log(hexdump(args[count + 1], { length: 0x30 }));
                break;
            case "f":
                // raw slot value; the double is not decoded here
                console.log(args[count + 1]);
                break;
            default:
                // other formats: print the raw slot value
                console.log(args[count + 1]);
                break;
        }
        count++;
    }
    //console.log("a total of %d occurrences", count);
}
function hook_printf()
{
var baseAddress = Module.getBaseAddress("va_arg.exe");
var offset = 0x1410;
var funcAddress = baseAddress.add(offset);
console.log("BaseAddress = ",baseAddress);
console.log("Offset = ",offset);
console.log("Offset in Module Address = ",funcAddress);
//var argsp = null;
Interceptor.attach(funcAddress,
{
onEnter: function(args)
{
//argsp = ptr(args[0]);
console.log("")
console.log("====frida Hook===");
vspritf(args[0].readUtf8String(),args);
console.log("=================");
},
onLeave: function(retval)
{
//console. Log ("return string:", argsp.readutf8string());
}
});
}
hook_printf();
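The single-character lookahead above misreads specifiers such as %5d, %lu, %.2f, %.*s and the %% escape. The following is an added example, not code from the original post: a small printf format parser that counts how many variadic slots follow and how each should be read, with the reading step injected so the same logic runs under Frida (assumed API names: NativePointer.readUtf8String, toInt32, hexdump) or offline against a constructed argument array.

```javascript
// One printf conversion specification: %[flags][width][.precision][length]conv
const SPEC_RE = /%([-+ #0]*)(\d+|\*)?(?:\.(\d+|\*))?(hh|h|ll|l|j|z|t|L)?([diouxXeEfgGaAcspn%])/g;

// Map a conversion character to how its argument slot must be interpreted.
function kindOf(conv) {
  if (conv === 's') return 'string';               // pointer to NUL-terminated chars
  if (conv === 'p' || conv === 'n') return 'pointer'; // address (or int* for %n)
  if ('eEfgGaA'.includes(conv)) return 'double';   // may live in an FP register, not args[]
  return 'int';                                     // d i o u x X c and friends
}

// Parse a format string into the ordered list of variadic arguments it consumes.
// "*" in width or precision consumes an extra int argument; "%%" consumes none.
function parseFormat(fmt) {
  const out = [];
  let m;
  SPEC_RE.lastIndex = 0;
  while ((m = SPEC_RE.exec(fmt)) !== null) {
    const [, , width, precision, , conv] = m;
    if (conv === '%') continue;
    if (width === '*') out.push({ conv: '*', kind: 'int' });
    if (precision === '*') out.push({ conv: '.*', kind: 'int' });
    out.push({ conv, kind: kindOf(conv) });
  }
  return out;
}

// Resolve each descriptor against the argument slots starting at firstVarArg
// (1 for printf, since args[0] is the format string) using the supplied reader.
function formatArgs(fmt, args, firstVarArg, read) {
  return parseFormat(fmt).map((d, i) => read(d.kind, args[firstVarArg + i]));
}

// Reader for a real Frida onEnter(args) callback (hypothetical wiring; untested here).
function fridaReader(kind, slot) {
  if (kind === 'string') return slot.readUtf8String();
  if (kind === 'pointer') return hexdump(slot, { length: 0x30 });
  if (kind === 'double') return '<double: not decodable from integer slot>';
  return slot.toInt32();
}

// Offline check on a constructed argument array that mirrors the C sample above.
const constructedArgs = ['<fmt>', 'C++', 1, 2, 3, 6.6];
const decoded = formatArgs("I love %s,test %d-%d-%d %f", constructedArgs, 1, (k, v) => v);
```

Inside onEnter, `formatArgs(args[0].readUtf8String(), args, 1, fridaReader)` replaces the hand-rolled switch.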
At present, I can only think of this low-end approach. Please point out any mistakes in the article. Thank you! Or if you know a better method, please reply in the comment area.