import frida
import os
import time
import re
import argparse
# Modules reported by crash-handler.js through set_loaded_modules(); each entry is a dict
# with 'name', 'base' (hex string, parsed with int(..., 16)) and 'size' (added to the base).
module_list: list[dict] = []
# Cleared by on_detached() once the target process is gone; ends the wait loop in __main__.
process_active: bool = True
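# Register lines in the crash report look like "x0  0000000000000000" or "pc  0x7f8a3b1234":
# capture the AArch64 register name and the hex value that follows it.
# NOTE(review): the value class also admits tokens such as "x" or "0x" that are not valid
# hex; _parse_registers() skips those instead of letting int() abort the whole report.
_REGISTER_PATTERN = re.compile(r'\b(x[0-2][0-9]|x[0-9]|lr|sp|pc|pst)\s+([0-9a-fA-Fx]+)')


def _parse_registers(report):
    """Return (register_name, int value) pairs for every register token in *report*.

    Tokens matched by _REGISTER_PATTERN whose value is not parseable as hex are
    skipped so one malformed field cannot lose the rest of the report.
    """
    registers = []
    for match in _REGISTER_PATTERN.finditer(report):
        name, raw_value = match.group(1), match.group(2)
        try:
            registers.append((name, int(raw_value, 16)))
        except ValueError:
            continue
    return registers


def _locate_in_modules(registers, modules):
    """Map register values onto the module whose [base, base + size) range holds them.

    Args:
        registers: (name, int value) pairs as produced by _parse_registers().
        modules: dicts with 'name', 'base' (hex string) and 'size', as stored in
            module_list by set_loaded_modules().

    Returns:
        One "Register: ..., Module: ..., Offset: 0x..." line per hit, register-major.
    """
    # Parse each module base once rather than once per (register, module) pair.
    ranges = [(module['name'], int(module['base'], 16), module['size']) for module in modules]
    results = []
    for reg_name, reg_value in registers:
        for mod_name, base, size in ranges:
            if base <= reg_value < base + size:
                offset = reg_value - base
                results.append(f"Register: {reg_name}, Module: {mod_name}, Offset: {offset:#x}")
    return results


def on_detached(reason, crash):
    """Frida 'detached' callback: print the crash report and the module/offset of each register.

    Args:
        reason: Frida's detach reason; printed only when a crash report is present.
        crash: Frida crash object (``crash.report`` is the text that gets parsed), or
            None when the session ended without a crash.

    Side effects:
        Prints to stdout and clears the module-level ``process_active`` flag so the
        wait loop in ``__main__`` terminates.
    """
    global process_active
    if crash is not None:
        print(reason)
        print(crash.report)
        for line in _locate_in_modules(_parse_registers(crash.report), module_list):
            print(line)
    else:
        print('No crash report')
    # Either way the target is gone: let __main__ return.
    process_active = False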
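def set_loaded_modules(message, data):
    """Frida script 'message' callback: store the module list sent by crash-handler.js.

    Args:
        message: Frida message dict. A ``{'type': 'send', 'payload': [...]}`` message
            replaces the module-level ``module_list``. Anything else is printed and
            ignored — in particular ``type == 'error'`` (an uncaught exception in the
            injected script), which carries no 'payload' and previously raised KeyError
            inside the callback.
        data: optional binary blob Frida passes alongside a message; unused here.

    Side effects:
        Rebinds the module-level ``module_list`` read by on_detached().
    """
    global module_list
    if message.get('type') != 'send':
        # Script errors arrive as {'type': 'error', 'description': ..., 'stack': ...}.
        print(f"crash-handler.js: {message.get('description', message)}")
        return
    payload = message.get('payload')
    if not isinstance(payload, list):
        # on_detached() indexes every entry as a dict; refuse anything else so a stray
        # send() from the (instrumented, possibly hostile) process cannot replace the
        # list with garbage. Assumes crash-handler.js sends the whole list in one message.
        print(f"crash-handler.js: ignoring unexpected payload {payload!r}")
        return
    module_list = payload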
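if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        prog='crash-handler.py',
        description='Simple Frida script to assist in debugging and bypassing deliberate application crashes by listing the modules and offsets of pointers present in system registers at the time of a crash.'
    )
    parser.add_argument('package_name', help='Name of the target application ex: com.company.appname')
    parser.add_argument('-s', '--scripts', help='Script(s) to run at the same time as crash-handler.js, useful for triggering a crash', nargs='*', required=False)
    args = parser.parse_args()
    package_name = args.package_name
    secondary_scripts = args.scripts or []

    # Read every script up front: a missing or unreadable file then fails before the
    # target is spawned, instead of leaving a freshly spawned process suspended.
    script_dir = os.path.dirname(os.path.abspath(__file__))
    with open(os.path.join(script_dir, "crash-handler.js"), "r", encoding="utf-8") as handle:
        handler_source = handle.read()
    secondary_sources = []
    for secondary_script_path in secondary_scripts:
        with open(secondary_script_path, "r", encoding="utf-8") as handle:
            secondary_sources.append(handle.read())

    device = frida.get_usb_device()
    # spawn() starts the app suspended; it only runs once resume() is called below.
    pid = device.spawn(package_name)
    try:
        session = device.attach(pid)
        session.on('detached', on_detached)
        script = session.create_script(handler_source)
        script.on('message', set_loaded_modules)
        script.load()
        # Secondary scripts (e.g. a crash trigger) are loaded after the handler so the
        # module list is requested before they run.
        for source in secondary_sources:
            session.create_script(source).load()
    except Exception:
        # Best effort: do not leave the suspended target behind if instrumentation failed.
        device.kill(pid)
        raise
    device.resume(pid)
    # on_detached() clears process_active once the target crashes or exits.
    while process_active:
        time.sleep(0.05)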