主页 / user-11005634

ibse's questions

Martin Hope
ibse
Asked: 2025-03-09 17:54:04 +0800 CST
  • 6

我想在运行时以以下方式修补类似文本编辑器的应用程序:当用户打开任何文件时,/tmp/predefined应该打开我预定义的文件(例如)而不是用户的原始文件。对于此任务,我使用带有 JavaScript API 的 Frida 工具包。我拦截所有open()系统调用,决定是否需要进行替换,如果需要,则用我预定义的参数替换第一个open()参数(要打开的文件的路径)。

脚本patcher.js

function main()
{

Interceptor.attach(Module.getExportByName(null, 'open'), {
    onEnter(args) {
        const originalPath = args[0].readCString();
        if (shouldReplace(originalPath)){
            args[0].writeUtf8String('/tmp/predefined'); // (1)
            //args[0] = Memory.allocUtf8String("/tmp/predefined"); (2)
        }
    },
  });
}

function shouldReplace(path) {
if (!path) return false;
// Do not replace essential system or config files:
if (path.startsWith("/usr/") || path.startsWith("/etc/") || path.startsWith("/lib") || 
    path.startsWith("/var/") || path.startsWith("/proc/") || path.startsWith("/sys/") || 
    path.startsWith("/dev/") || path.startsWith("/run/") || path.startsWith("/home/user/.config/")
||  path.startsWith("/home/user/.cache") || path.startsWith("/home/user/.local") ) {
    return false;
}
// Avoid replacing if it's already the predefined file (prevent infinite loop)
if (path === "/tmp/predefined") {
    return false;
}
// Otherwise, assume it's a user-requested file and should be repalced
return true;
}

main()

作为文本编辑器,我使用gnome-text-editor Run frida 作为:./frida -l patcher.js -f /usr/bin/gnome-text-editor /tmp/originalFile

这似乎有效:/tmp/predefined打开而不是/tmp/originalFile。但是,如果我想为字符串“/tmp/predefined”分配新内存,并将指向此新内存的指针分配给 args[0],而不是重写 args[0] 指向的内存的内容(取消注释 (2) 行,注释掉 (1) 行),我会收到错误:

  1. 编辑器无法打开/tmp/predefined并写入Could Not Open File You do not have permissions to open the file
  2. 在终端中:(gnome-text-editor:9036): editor-document-WARNING **: 11:11:33.542: Failed to load file: Error opening file /tmp/originalFile: No such file or directory,但是/tmp/originalFile存在。

由于这些错误仅当我尝试为字符串分配新内存并更改args[0]指针的值时才会发生,所以我想知道我是否正确使用了 Frida 的 JavaScript API 中的内存分配?

javascript
Martin Hope
ibse
Asked: 2024-02-19 21:07:27 +0800 CST
  • 5

我需要使用 openssl 生成的密钥通过 cryptopp lib 来签署消息。

生成的密钥: openssl genrsa -out privatKey.pem 2048

为了消除CryptoPP::BERDecodeErr将此密钥加载到 时出现的错误RSA::PrivateKey,该密钥已从 转换为PEMDER如此处所述Load PEM 编码的私有 RSA 密钥 in Crypto++openssl pkcs8 -in privatKey.pem -out privatKey.der -topk8 -nocrypt -outform der

从文件加载转换后的密钥的代码成功运行:

ByteQueue queue;
FileSource file("privatKey.der", true);
file.TransferTo(queue);
queue.MessageEnd();

RSA::PrivateKey rsaPrivate;
rsaPrivate.Load(queue);

现在我想将此密钥直接硬编码到程序文本中。我通过读取其内容xxd -p privatKey.der并将其复制到代码中:

std::string privKeyStr = "308204bd020100300d06092a864886f70d0101010500048204a7308204a3"
"0201000282010100ba077fcaf8908c0b9bfef58f4493c93affb6ca7b2947"
"ad2d066eca92f42be3b8695c1dbb1b30ccc08ae844d503bcd4f8261c4aa2"
"4e07b3d4c20a5c2e651588ca5b167c320b903c11dc178f802698b5ea8ab2"
"a62c853648f985ffc61490c63472a4a2f84299550f58eb3254d822fbaaa4"
"529fba6d6daa9ba32550f2691058f2b34299482adb4012028419261fd01b"
"62d3affbae524d0892776f4147d37bb10079a83c91898e6d42abb939018a"
"6c63055efe0b30ca34f21bd3e5d861dd29ba0f97d05bf4ba8b22ab50db94"
"d14a0bb7ff671ef415e1bdc52aa9fd83140c6de08ec69a66d333f6c1f53d"
"4f9b1245676ba68c20f15cf28dd81b90e7526ee2796aa461020301000102"
"8201006d244d339615a8347f775c368bf370d26e889dcf186ef7093d86ee"
"cebcf6ab09dcb6b0b2bfc727b9a745926caf5eb04c4e7fb6c1f6a9ca35ff"
"09f8ff374b251023d4d354c13804262e4c9c628142832871eb525738689a"
"f3da4c2fb88d1fdc518e8a16c16c185d82bbaab1e084d5c64dd633e43aa3"
"66bf1d3e9d793b6edde0b58e9cd8df8b084cef3656a8fc061eb5464df71a"
"c89684684571951552d342736286fea796f8c2bbd763d8451fad44eab2ac"
"81d852ab968a46cf95e4a5350577c38e856902a37b04da451d63c0542661"
"774caf68b37008cfe6beeeb843cfbc0a68688d91daadf27f507d2cfe526f"
"295ac69ce748e331290d9f77a3f9f46823cde902818100ea41fc3e0e4afb"
"ce2473fa019df29de5a1d804b04378efee0bc9a9f3e064b2aa2b310377ad"
"8bceb88d0a7e1a96a64017e04a05fa74616987de7203adcfddcbc2279474"
"8fc075b498683efb23ead8aa0be06c720f31c2006372e5d9c43d84065bd6"
"b2e75f683378ba6e07573a59dbf5a3875d27a84244402f5aaae407a7eeb7"
"f302818100cb4b9862023585e70334d7d622bf6e3232bfb89a28afef2bd4"
"d2a3888af36a57152c2974e83baa2f63bd005e2cdf90c68ad28a010fda99"
"e4a19159b4164a620e1a99158f190ae47ee2bd3abd66158f07b6469f3c71"
"b2c37aa0c9f2b7e22bc164a8ca95132eed353ccbba9ddf23e82d1ed32508"
"c8f4e6f18c78c702c342fcfb5b02818100a85772e545702d341e8e19833f"
"f631f1eb34496a41928f1909ef89ea6fbeed85cc3414c1d43d3bf8f3a22e"
"acfcc5cc195c5cd59efe33629af908060cc9ec21990cc86a5b437b52a493"
"856f0488a7dacb5e239073cad6176160183d3e00d6f79ad7d708de4f0b6e"
"1ecb230b542b6f1e3ebdeffba7b6b74548c2673c27244f3071028180568b"
"ac27ad4113ec30d5423d8b356bb83b1a9b80256a20abcc42901404f37385"
"f72181d49f39274e5d6b8cc88ad9f24c53b525c325f8ae23431519d72cd6"
"25c0535a706f26fe18205c6eaa9f0ee286ad85cfb2e28c94c9db5eb01a80"
"65ecb2bc238f7abf5beee80725c420896a43e1518a19ee0f7f13022a0710"
"d200467864990281801e82172f07d59df235c7ca403f6c7cfa6c0e85a0c6"
"27f90dcc46c114b6146aa2927ce507b1698938db42a73ec50da8531eda23"
"a4e997a2ab7bfdfce3a963b353e472e7d77bf01c60942b7266640f74189e"
"b974b69c2eefeb522f6024c839738f8620d55b79d3cd3155b51c011602ec"
"64c1af4ce4857b1cba7b21d7d59a7e5ab9";

我正在尝试通过以下方式从字符串加载此硬编码密钥CryptoPP::StringSource

ByteQueue queue;
StringSource str(privKeyStr, true);
str.TransferTo(queue);
queue.MessageEnd();

RSA::PrivateKey rsaPrivate;
rsaPrivate.Load(queue);

但我得到了例外CryptoPP::BERDecodeErr

如何正确做呢?

c++