Java.perform(function() {
// Package prefixes treated as framework-internal: Class.forName / loadClass
// lookups whose class name starts with one of these are not logged.
const internalClasses = ['android.', 'org.'];

// Reflection entry points that the hooks below instrument.
const classDef = Java.use('java.lang.Class');
const classLoaderDef = Java.use('java.lang.ClassLoader');
const loadClass = classLoaderDef.loadClass.overload('java.lang.String', 'boolean');
const forName = classDef.forName.overload('java.lang.String', 'boolean', 'java.lang.ClassLoader');
const reflect = Java.use('java.lang.reflect.Method');
const member = Java.use('java.lang.reflect.Member');

// Dynamic code-loading classes.
const dalvik = Java.use('dalvik.system.DexFile');
const dalvik2 = Java.use('dalvik.system.DexClassLoader');
// dalvik3 (PathClassLoader) is wrapped here, but no hook in this script is attached to it.
const dalvik3 = Java.use('dalvik.system.PathClassLoader');
// NOTE(review): InMemoryDexClassLoader is left disabled, so code loaded through it
// is not observed by any hook in this script.
//var dalvik4 = Java.use("dalvik.system.InMemoryDexClassLoader")

// File-system and miscellaneous wrappers (`url` is not referenced by any hook in this script).
const f = Java.use('java.io.File');
const url = Java.use('java.net.URL');
const obj = Java.use('java.lang.Object');
const fo = Java.use('java.io.FileOutputStream');

// A Thread instance kept only so stackTrace() can reach currentThread().
const ThreadDef = Java.use('java.lang.Thread');
const ThreadObj = ThreadDef.$new();
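// Pass-through hook on Object.getClass(): nothing is logged and the original
// result is returned unchanged. The original is called once, and no value is
// stored in an undeclared (implicitly global) variable.
obj.getClass.implementation = function () {
  return this.getClass();
};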
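// Logs every name read through java.lang.reflect.Member.getName(), then returns it.
// The original is called once so that the logged value and the returned value
// are the same string.
// NOTE(review): Member is an interface; confirm on the target runtime that this
// hook actually fires for Method/Field/Constructor name lookups.
member.getName.implementation = function () {
  const name = this.getName();
  console.log('Getname -> ' + name);
  return name;
};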
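// Pass-through hook on Class.getMethods(). The original is called once and its
// result returned; the result is no longer stored in an undeclared (implicitly
// global) variable.
classDef.getMethods.implementation = function () {
  const methods = this.getMethods();
  // Enable the next line to dump the enumerated methods while debugging.
  // console.log(methods);
  return methods;
};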
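// Logs the receiver of every reflective Method.invoke() call and forwards the call.
//
// Two fixes over the previous version:
//  - the property name was misspelled ("implementatition"), so the hook was
//    never installed and reflective calls went unobserved;
//  - the result of the original invoke() is now returned, so the caller still
//    receives the invoked method's return value once the hook is active.
//
// a: the object the method is invoked on (as logged); b: the argument array.
reflect.invoke.implementation = function (a, b) {
  console.log("invoke catched -> " + a);
  return this.invoke(a, b);
};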
// Reports construction of a java.io.File from a URI, then runs the original
// constructor. Only this overload is hooked; the URI value itself is not logged.
f.$init.overload('java.net.URI').implementation = function (uri) {
  console.log('URI called');
  this.$init(uri);
};
// Intercepts File.delete(): logs the absolute path and reports success to the
// caller WITHOUT calling the original, so the file stays on disk.
// NOTE(review): presumably this keeps dropped files available for later
// inspection — confirm. It applies to every File.delete() in the process, so the
// instrumented app can behave differently from an uninstrumented run.
f.delete.implementation = function (a) {
  const targetPath = this.getAbsolutePath();
  console.log('[+] Delete catched =>' + targetPath);
  return true;
};
// Logs the path passed to FileOutputStream(String) and then runs the original
// constructor. Only the String overload is hooked here, so streams opened through
// other constructors are not reported by this hook.
fo.$init.overload('java.lang.String').implementation = function (path) {
  console.log('[+] Output stream created with the file : ' + path);
  //stackTrace()
  return this.$init(path);
};
// Reports every FileOutputStream.write(byte[], int, int) call, dumps the Java
// stack of the writer, then performs the original write. Only this overload is
// hooked. A full stack dump per write can be very noisy on busy apps.
fo.write.overload('[B', 'int', 'int').implementation = function (buffer, offset, count) {
  console.log('[+] write catched');
  stackTrace();
  this.write(buffer, offset, count);
};
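// Logs FileOutputStream.close() and then performs the original close.
//
// The previous version never called the original close(), so every stream the
// instrumented app tried to close stayed open (leaking file descriptors), and it
// stored the descriptor in an undeclared, never-read global. Both are removed.
fo.close.implementation = function () {
  console.log("[!] Output stream closed");
  this.close();
};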
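// Logs the source path handed to DexFile.loadDex(String, String, int) and then
// forwards to the original.
//
// The overload is selected explicitly: assigning `.implementation` on a method
// with more than one overload throws, which would abort the rest of this script.
// NOTE(review): DexFile appears to declare an additional non-public loadDex
// overload on newer Android releases — confirm against the target image.
const loadDexOverload = dalvik.loadDex.overload('java.lang.String', 'java.lang.String', 'int');
loadDexOverload.implementation = function (a, b, c) {
  console.log("[+] loadDex Catched -> " + a);
  //stackTrace()
  return loadDexOverload.call(this, a, b, c);
};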
// Reports construction of a DexClassLoader by logging its first constructor
// argument, then runs the original constructor with all four arguments unchanged.
dalvik2.$init.implementation = function (dexPath, arg2, arg3, arg4) {
  console.log('[+] DexClassLoader Catched -> ' + dexPath);
  //stackTrace()
  this.$init(dexPath, arg2, arg3, arg4);
};
// Hook for Class.forName(String, boolean, ClassLoader): logs the requested class
// name unless it starts with one of the internalClasses prefixes, then delegates
// to the original overload with the arguments unchanged.
forName.implementation = function (class_name, flag, class_loader) {
  const isInternal = internalClasses.some(function (prefix) {
    return class_name.startsWith(prefix);
  });
  if (!isInternal) {
    console.log('Reflection => forName => ' + class_name);
    //stackTrace()
  }
  return forName.call(this, class_name, flag, class_loader);
};
// Hook for ClassLoader.loadClass(String, boolean): logs the requested class name
// unless it starts with one of the internalClasses prefixes, then delegates to
// the original overload with the arguments unchanged.
loadClass.implementation = function (class_name, resolve) {
  const isInternal = internalClasses.some(function (prefix) {
    return class_name.startsWith(prefix);
  });
  if (!isInternal) {
    console.log('Reflection => loadClass => ' + class_name);
  }
  return loadClass.call(this, class_name, resolve);
};
/**
 * Prints the current Java thread's stack trace to the console between START/END
 * banners, one "index => frame" line per element, and forwards frame 4 to the
 * host through send().
 *
 * NOTE(review): index 4 is presumably the first frame above the hook plumbing —
 * confirm. When the trace has fewer than five frames, `undefined` is sent.
 */
function stackTrace() {
  console.log("--------------------------START STACK-------------------------------------");
  const frames = ThreadObj.currentThread().getStackTrace();
  send(frames[4]);
  // Index-based walk: only `length` and numeric indexing are relied on.
  let idx = 0;
  while (idx < frames.length) {
    console.log(idx + " => " + frames[idx].toString());
    idx += 1;
  }
  console.log("---------------------------END STACK--------------------------------------");
}
});