首页
论坛
课程
招聘
[原创]JEB脚本(二)(交叉引用 调用图)
2020-10-27 15:21 4853

[原创]JEB脚本(二)(交叉引用 调用图)

2020-10-27 15:21
4853

代码地址:

https://github.com/acbocai/jeb_script
.

目录

  • DEX交叉引用查询(xref)
  • Native调用查询(callee caller)
  • Native交叉引用查询
  • Native地址所属查询
 

.

DEX交叉引用查询

查询DEX中方法的交叉引用信息,
使用ActionXrefsDataActionContext

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# -*- coding: utf-8 -*-
from com.pnfsoftware.jeb.client.api import IClientContext
from com.pnfsoftware.jeb.core import IRuntimeProject
from com.pnfsoftware.jeb.core.actions import ActionXrefsData, Actions, ActionContext
from com.pnfsoftware.jeb.core.units import IUnit
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit
from com.pnfsoftware.jeb.core.units.code.android.dex import IDexMethod, IDexClass
 
def Test(ctx):
    input_path = r"D:\tmp\2\project\about_dex_diff\code\jsq\jsq.dex"
    class_sign  = "Lcom/BestCalculatorCN/MyCalculator;"
    method_sign = "Lcom/BestCalculatorCN/MyCalculator;->b(Lcom/BestCalculatorCN/MyCalculator;Ljava/lang/String;)V"
    unit = ctx.open(input_path);                                   
    prj = ctx.getMainProject();                                    
    dexUnit = prj.findUnit(IDexUnit);                              
    clz = dexUnit.getClass(class_sign);                            
    method = dexUnit.getMethod(method_sign);                       
 
    # 1 查询某method交叉引用列表
    # 使用(unit,操作,地址,itemid)来创建一个context对象,提供给JEB引擎,用于后续执行
    print "------------------------------------------------"
    actionXrefsData = ActionXrefsData()
    actionContext = ActionContext(dexUnit, Actions.QUERY_XREFS, method.getItemId(), None)
    if unit.prepareExecution(actionContext,actionXrefsData):
        for xref_addr in actionXrefsData.getAddresses():
            print xref_addr
 
    # 2 查询整个class的交叉引用列表
    print "------------------------------------------------"
    actionXrefsData = ActionXrefsData()
    actionContext = ActionContext(dexUnit, Actions.QUERY_XREFS, clz.getItemId(), None)
    if unit.prepareExecution(actionContext,actionXrefsData):
        for idx,xref_addr in enumerate(actionXrefsData.getAddresses()):
            print idx,xref_addr

.
.

Native调用查询

查询一个函数被谁调用了,或查询它内部调用了谁,
关注:
INativeCodeAnalyzer
INativeCodeModel
ICallGraphManager
ICallGraph

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# -*- coding: utf-8 -*-
from com.pnfsoftware.jeb.client.api import IClientContext
from com.pnfsoftware.jeb.core import IRuntimeProject
from com.pnfsoftware.jeb.core.units import IUnit, INativeCodeUnit
from com.pnfsoftware.jeb.core.units.code.asm.analyzer import INativeCodeAnalyzer, INativeCodeModel, IReferenceManager, ICallGraphManager, ICallGraph, CallGraphVertex
from com.pnfsoftware.jeb.core.units.code.asm.items import INativeMethodItem
 
 
# callees/callers 调用与被调用信息
def Test(ctx):
    assert isinstance(ctx,IClientContext)
    input_path = r"D:\tmp\2\project\about_dex_diff\code\xmly\libFace3D.so"
    unit = ctx.open(input_path)
    prj = ctx.getMainProject()
 
    # 获取INativeCodeUnit并执行解析
    nativeCodeUnit = prj.findUnit(INativeCodeUnit)
    bool = nativeCodeUnit.process()
 
    # 获取INativeCodeAnalyzer,获取INativeCodeModel
    nativeCodeAnalyzer = nativeCodeUnit.getCodeAnalyzer()
    nativeCodeAnalyzer.analyze()
    nativeCodeModel = nativeCodeAnalyzer.getModel()
 
    # 获取ICallGraph
    callGraph = nativeCodeModel.getCallGraphManager().getGlobalCallGraph()
 
    # 函数
    funcName = "libunwind::LocalAddressSpace::findFunctionName"
    nativeMethodItem = nativeCodeUnit.getMethod(funcName)
    print ">>> funcAddr:",hex(nativeMethodItem.getRoutineAddress())
 
    # callees 目标函数调用了谁
    callGraphVertexList = callGraph.getCallees(nativeMethodItem,False)
    for callGraphVertex in callGraphVertexList:
        print ">>> Callee:",hex(callGraphVertex.getInternalAddress().getAddress())
 
    # callers 目标函数被谁调用
    callerList = callGraph.getCallers(nativeMethodItem,False)
    for caller in callerList:
        print ">>> Callers:",hex(caller)
 
# >>> funcAddr: 0x19a1cL
# >>> Callee: 0xabfcL
# >>> Callee: 0xac08L
# >>> Callee: 0x9cc0L
# >>> Callers: 0x196b2L


 

.

Native交叉引用查询

查询一个Function的交叉引用情况
或查询一个Block入口指令的引用交叉引用情况
关注:
INativeCodeAnalyzer
INativeCodeModel
IReferenceManager
IReference

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# -*- coding: utf-8 -*-
from com.pnfsoftware.jeb.client.api import IClientContext
from com.pnfsoftware.jeb.core import IRuntimeProject
from com.pnfsoftware.jeb.core.units import IUnit, INativeCodeUnit
from com.pnfsoftware.jeb.core.units.code import EntryPointDescription
from com.pnfsoftware.jeb.core.units.code.asm.analyzer import INativeCodeAnalyzer, INativeCodeModel, IReferenceManager, ICallGraphManager, ICallGraph, CallGraphVertex
from com.pnfsoftware.jeb.core.units.code.asm.items import INativeMethodItem
 
 
# 原生库交叉引用信息
def Test(ctx):
    input_path = r"D:\tmp\2\project\about_dex_diff\code\xmly\libFace3D.so"
    unit = ctx.open(input_path)
    prj = ctx.getMainProject()
 
    # 获取INativeCodeUnit并执行解析
    nativeCodeUnit = prj.findUnit(INativeCodeUnit)
    bool = nativeCodeUnit.process()
 
    # 获取INativeCodeAnalyzer,获取INativeCodeModel
    nativeCodeAnalyzer = nativeCodeUnit.getCodeAnalyzer()
    nativeCodeAnalyzer.analyze()
    nativeCodeModel = nativeCodeAnalyzer.getModel()
 
    # 获取一个函数入口指令地址的交叉引用列表
    funcName = "libunwind::LocalAddressSpace::findFunctionName"
    funcAddr = nativeCodeUnit.getMethod(funcName).getRoutineAddress()
    print ">>> funcAddr:",hex(funcAddr)
    referenceManager = nativeCodeModel.getReferenceManager()
    referenceList = referenceManager.getReferencesToTarget(funcAddr)
    print ">>> funcAddr referenceList:",referenceList
 
    # 获取一个基本块入口指令地址的交叉引用列表
    referenceList = referenceManager.getReferencesToTarget(0x19A5E)
    print ">>> block referenceList:",referenceList
 
# >>> funcAddr: 0x19a1cL
# >>> funcAddr referenceList: [196B2h]
# >>> block referenceList: [19A3Ch, 19A40h]

 

 

.
.

Native地址所属查询

获取一条指令的地址,所属Function或Block.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# -*- coding: utf-8 -*-
from com.pnfsoftware.jeb.client.api import IClientContext
from com.pnfsoftware.jeb.core import IRuntimeProject
from com.pnfsoftware.jeb.core.units import IUnit, INativeCodeUnit
from com.pnfsoftware.jeb.core.units.code import EntryPointDescription
from com.pnfsoftware.jeb.core.units.code.asm.analyzer import INativeCodeAnalyzer, INativeCodeModel, IReferenceManager, ICallGraphManager, ICallGraph, CallGraphVertex
from com.pnfsoftware.jeb.core.units.code.asm.items import INativeMethodItem
 
 
def Test(ctx):
    input_path = r"D:\tmp\2\project\about_dex_diff\code\xmly\libFace3D.so"
    unit = ctx.open(input_path)
    prj = ctx.getMainProject()
 
    # 获取INativeCodeUnit并执行解析
    nativeCodeUnit = prj.findUnit(INativeCodeUnit)
    bool = nativeCodeUnit.process()
 
    # 获取INativeCodeAnalyzer,获取INativeCodeModel
    nativeCodeAnalyzer = nativeCodeUnit.getCodeAnalyzer()
    nativeCodeAnalyzer.analyze()
    nativeCodeModel = nativeCodeAnalyzer.getModel()
 
    # 返回该地址所在函数的首地址
    print "-------------------"
    r = nativeCodeModel.getContainedRoutineAddresses(0x19A60)
    print ">>> ",hex(r[0])
 
    # 返回该地址所在基本块
    print "-------------------"
    r = nativeCodeModel.getBasicBlockHeader(0x19A60)
    for insn in r.getInstructions():
        print ">>> ",insn.getMnemonic()
 
# -------------------
# >>>  0x19a1cL
# -------------------
# >>>  LDR
# >>>  LDR
# >>>  SUBS
# >>>  ITTT
# >>>  ADDEQ
# >>>  POPEQ
# >>>  POPEQ

image.png


看雪2022 KCTF 秋季赛 防守篇规则,征题截止日期11月12日!(iPhone 14等你拿!)

最后于 2020-10-28 14:32 被爱吃菠菜编辑 ,原因:
收藏
点赞1
打赏
分享
最新回复 (4)
雪    币: 3350
活跃值: 活跃值 (1096)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
Umiade 活跃值 2020-10-27 15:39
2
0
再膜再看
雪    币: 6193
活跃值: 活跃值 (3248)
能力值: (RANK:200 )
在线值:
发帖
回帖
粉丝
LowRebSwrd 活跃值 4 2020-10-27 16:54
3
0
图片重新贴一下吧
雪    币: 459
活跃值: 活跃值 (722)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
huluxia 活跃值 2020-10-28 09:10
4
0
膜拜大神
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
mb_mnqvyswo 活跃值 2020-10-28 09:23
5
0
好人一生平安
游客
登录 | 注册 方可回帖
返回