python 脚本 dumpImg.py :
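"""Dump PNG images out of the memory of the foreground app attached via Frida.

Workflow (see ``main``): pick the frontmost application on the USB/remote
device, attach to one of its processes, load ``dumpImg.js`` next to this
file, and let its ``scanpng``/``memorydump`` RPC exports locate and read the
images, which are written to ``./<package>/<addr>.png``.
"""
import logging
import os
import subprocess
import sys

import click
import frida

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s", datefmt='%m-%d/%H:%M:%S')

# Signal numbers passed to `kill` on the device. Under the Linux signal
# numbering Android uses on arm/x86, 18 is SIGCONT and 19 is SIGSTOP; the
# original sent 18 to the chosen process and 19 to every sibling, which
# appears intended to keep the chosen process running while the others are
# paused during the dump (intent inferred from the code, not documented).
SIG_RESUME = 18
SIG_PAUSE = 19


def get_all_process(device, pkgname):
    """Return every process on *device* whose name equals *pkgname*.

    Args:
        device: Frida device object exposing ``enumerate_processes()``.
        pkgname: application identifier (package name) to match exactly.

    Returns:
        list of Frida process objects, possibly empty.
    """
    return [process for process in device.enumerate_processes() if process.name == pkgname]


def search(api, args=None):
    """Print every match reported by the agent's ``scandex`` export.

    Args:
        api: ``script.exports`` of a loaded Frida script. It must expose a
            ``scandex`` RPC export returning dicts with ``addr`` and ``size``.
            The ``dumpImg.js`` shipped with this script only exports
            ``memorydump`` and ``scanpng``, so ``main`` never calls this.
        args: unused; kept so existing callers keep working.

    Returns:
        The list of match dicts exactly as returned by the agent.
    """
    matches = api.scandex()
    for info in matches:
        click.secho("[PNGDump] Found: PNGAddr={}, PNGSize={}".format(info['addr'], hex(info['size'])), fg='green')
    return matches


def dump(pkg_name, api):
    """Scan the attached process for PNG images and save each one to disk.

    Every match is written to ``./<pkg_name>/<addr>.png`` under the current
    working directory, ``addr`` being the address string the agent reported.
    A failure on one match (for example the agent cannot read that region)
    is printed and skipped so the remaining matches are still dumped.

    Args:
        pkg_name: application identifier; used as the output directory name.
        api: ``script.exports`` of the loaded ``dumpImg.js`` (``scanpng`` and
            ``memorydump`` RPC exports).
    """
    matches = api.scanpng()
    click.secho("[Scanpng]: len={}".format(len(matches)))
    if not matches:
        return
    out_dir = os.path.join(".", pkg_name)
    # exist_ok replaces the check-then-create pair (os.path.exists + os.mkdir)
    # of the original, which could fail if the directory appeared in between.
    os.makedirs(out_dir, exist_ok=True)
    for info in matches:
        try:
            bs = api.memorydump(info['addr'], info['size'])
            out_path = os.path.join(out_dir, "{}.png".format(info['addr']))
            with open(out_path, 'wb') as out:
                out.write(bs)
            click.secho("[PNGDump]: PngSize={}, SavePath={}/{}/{}.png".format(hex(info['size']), os.getcwd(), pkg_name, info['addr']), fg='green')
        except Exception as e:
            click.secho("[Except] - {}: {}".format(e, info), bg='yellow')


def _choose_process(pkg_name, processes):
    """Ask the user which of several same-named processes to attach to.

    Prints an indexed list and reads an index from stdin. A non-numeric or
    out-of-range answer ends the program with a message instead of a
    traceback.

    Returns:
        ``(index, process)`` for the chosen entry of *processes*.
    """
    listing = "".join("\t[{}] {}\n".format(index, process) for index, process in enumerate(processes))
    answer = input("[{}] has multiprocess: \n{}\nplease choose target process: ".format(pkg_name, listing))
    try:
        input_id = int(answer)
        target = processes[input_id]
    except (ValueError, IndexError):
        sys.exit("[PNGDump]: invalid process index: {!r}".format(answer))
    return input_id, target


def _adb_signal(pid, signal_number):
    """Send *signal_number* to *pid* on the device through ``adb shell`` + ``su``.

    The command is passed to adb as an argument list instead of a
    shell-interpolated string; *pid* is coerced to int so nothing but a
    number can end up in the device-side command. This step is best-effort,
    as in the original: a missing adb binary or a non-zero exit status is
    logged, not raised.

    Returns:
        The adb exit status, or ``None`` if adb could not be started.
    """
    cmd = ["adb", "shell", "su -c 'kill -{} {}'".format(int(signal_number), int(pid))]
    try:
        result = subprocess.run(cmd)
    except OSError as e:
        logging.warning("[PNGDump]: could not run adb: %s", e)
        return None
    if result.returncode != 0:
        logging.warning("[PNGDump]: adb kill -%s %s exited with %s", signal_number, pid, result.returncode)
    return result.returncode


def main():
    """Attach to the foreground app and dump the PNGs found in its memory."""
    try:
        device = frida.get_usb_device()
    except Exception as e:
        # Same fallback as the original (USB first, then remote), but the
        # reason for falling back is no longer swallowed.
        logging.info("[PNGDump]: no USB device (%s), trying remote device", e)
        device = frida.get_remote_device()
    target = device.get_frontmost_application()
    if target is None:
        sys.exit("[PNGDump]: no frontmost application on the device")
    pkg_name = target.identifier
    processes = get_all_process(device, pkg_name)
    if not processes:
        sys.exit("[PNGDump]: no process named {} found".format(pkg_name))
    if len(processes) == 1:
        target = processes[0]
    else:
        input_id, target = _choose_process(pkg_name, processes)
        for index, process in enumerate(processes):
            _adb_signal(process.pid, SIG_RESUME if index == input_id else SIG_PAUSE)
    logging.info("[PNGDump]: found target [%s] %s", target.pid, pkg_name)
    session = device.attach(target.pid)
    # dumpImg.js lives next to this script; sys.argv[0] has no directory
    # part when invoked as a bare name, hence the "." fallback.
    script_dir = os.path.dirname(sys.argv[0]) or "."
    with open(os.path.join(script_dir, "dumpImg.js")) as agent:
        script = session.create_script(agent.read())
    script.load()
    try:
        dump(pkg_name, script.exports)
    finally:
        session.detach()


if __name__ == "__main__":
    main()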
Frida JavaScript 脚本 dumpImg.js:
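rpc.exports = {
    // Read `size` bytes starting at `address` (the address string reported by
    // scanpng) and hand them back to the Python side as an ArrayBuffer.
    memorydump: function memorydump(address, size) {
        return new NativePointer(address).readByteArray(size);
    },
    // Scan every readable range for the PNG signature followed by the IHDR
    // chunk header and report, for each hit, its address and how many bytes
    // of the containing range remain from that address.
    scanpng: function scanpng() {
        var result = [];
        // NOTE(review): in Frida's pattern syntax the part after ':' is a byte
        // mask applied to the bytes before it, not a second pattern to find.
        // The 8 bytes given here (the IEND chunk) do not match the 16-byte
        // pattern length, so confirm the installed Frida accepts this string;
        // the pattern is kept as written so behaviour on that version is
        // unchanged.
        var pattern = "89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 : 49 45 4E 44 AE 42 60 82";
        Process.enumerateRanges('r--').forEach(function (range) {
            try {
                Memory.scanSync(range.base, range.size, pattern).forEach(function (match) {
                    var rng = Process.findRangeByAddress(match.address);
                    if (rng === null) {
                        // Range disappeared between scan and lookup; skip the hit.
                        return;
                    }
                    // memorydump reads from match.address, so report only the
                    // bytes between the match and the end of its range. The
                    // original reported rng.size, which overruns the range by
                    // (match.address - rng.base) bytes whenever the image does
                    // not sit at the very start of the range.
                    var remaining = rng.base.add(rng.size).sub(match.address).toInt32();
                    result.push({ "addr": match.address, "size": remaining });
                });
            } catch (e) {
                // Best-effort scan: ranges that cannot be read are skipped.
            }
        });
        return result;
    }
};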
使用方法:
1、启动 frida-server
2、启动app
3、运行 dumpImg.py
4、搞定。
dump出来图片效果:
参考资料:
png 图片格式: https://blog.csdn.net/hherima/article/details/45847043
Frida 内存扫描:https://frida.re/docs/javascript-api/#memory