fixes in setup.py; fixes in hooking on MacOS; fixes in detecting if r…

…unning friTap in MacOS or iOS
fkie-cad · Jan 17, 2025 · b7a9212 · b7a9212
1 parent 38eac3c
commit b7a9212
Show file tree

Hide file tree

Showing 20 changed files with 340 additions and 304 deletions.
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 </p>
 
 # friTap
-![version](https://img.shields.io/badge/version-1.2.7.1-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&r=r&ts=1683906897&type=6e&v=1.2.7.1&x2=0)](https://badge.fury.io/py/friTap)
+![version](https://img.shields.io/badge/version-1.2.8.0-blue) [![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py&r=r&ts=1683906897&type=6e&v=1.2.8.0&x2=0)](https://badge.fury.io/py/friTap)
 
 friTap is a powerful tool designed to assist researchers in analyzing network traffic encapsulated in SSL/TLS. With its ability to automate key extraction, friTap is especially valuable when dealing with malware analysis or investigating privacy issues in applications. By simplifying the process of decrypting and inspecting encrypted traffic, friTap empowers researchers to uncover critical insights with ease.
 

diff --git a/agent/android/android_agent.ts b/agent/android/android_agent.ts
@@ -61,7 +61,7 @@ function hook_Android_Dynamic_Loader(module_library_mapping: { [key: string]: Ar
 
     })
 
-    console.log(`[*] Android dynamic loader hooked.`)
+    log(`[*] Android dynamic loader hooked.`)
 } catch (error) {
     devlog("Dynamic loader error: "+ error)
     log("No dynamic loader present for hooking on Android.")

diff --git a/agent/android/gnutls_android.ts b/agent/android/gnutls_android.ts
@@ -1,6 +1,7 @@
 
 import {GnuTLS } from "../ssl_lib/gnutls.js";
 import { socket_library } from "./android_agent.js";
+import { devlog } from "../util/log.js";
 
 export class GnuTLS_Linux extends GnuTLS {
 
@@ -22,7 +23,7 @@ export class GnuTLS_Linux extends GnuTLS {
             this.session = args[0]
         },
         onLeave: function (retval: any) {
-            console.log(this.session)
+            devlog("[!] Logging session information: "+this.session);
             GnuTLS.gnutls_session_set_keylog_function(this.session.readPointer(), GnuTLS.keylog_callback)
 
         }

diff --git a/agent/ios/ios_agent.ts b/agent/ios/ios_agent.ts
@@ -43,7 +43,7 @@ function hook_iOS_Dynamic_Loader(module_library_mapping: { [key: string]: Array<
 
         })
 
-        console.log(`[*] iOS dynamic loader hooked.`)
+        log(`[*] iOS dynamic loader hooked.`)
     } catch (error) {
         devlog("Loader error: " + error)
         log("No dynamic loader present for hooking on iOS.")

diff --git a/agent/ios/openssl_boringssl_ios.ts b/agent/ios/openssl_boringssl_ios.ts
@@ -11,6 +11,7 @@ export class OpenSSL_BoringSSL_iOS extends OpenSSL_BoringSSL {
             var CALLBACK_OFFSET = 0x2A8;
 
             var foundationNumber = Module.findExportByName('CoreFoundation', 'kCFCoreFoundationVersionNumber')?.readDouble();
+            devlog("[*] Calculating offset to keylog callback based on the FoundationVersionNumber on iOS: "+foundationNumber)
             if(foundationNumber == undefined){
                 devlog("Installing callback for iOS < 14");
                 CALLBACK_OFFSET = 0x2A8;
@@ -43,8 +44,9 @@ export class OpenSSL_BoringSSL_iOS extends OpenSSL_BoringSSL {
         var library_method_mapping: { [key: string]: Array<string> } = {}
 
         // the iOS implementation needs some further improvements - currently we are not able to get the sockfd from an SSL_read/write invocation
-        library_method_mapping[`*${moduleName}*`] = ["SSL_read", "SSL_write", "BIO_get_fd", "SSL_get_session", "SSL_SESSION_get_id", "SSL_new", "SSL_CTX_set_info_callback"]
-        library_method_mapping[`*${socket_library}*`] = ["getpeername*", "getsockname*", "ntohs*", "ntohl*"] // currently those functions gets only identified if we at an asterisk at the end 
+        //library_method_mapping[`*${moduleName}*`] = ["SSL_read", "SSL_write", "BIO_get_fd", "SSL_get_session", "SSL_SESSION_get_id", "SSL_new", "SSL_CTX_set_info_callback"]
+        library_method_mapping[`*${moduleName}*`] = ["SSL_CTX_set_info_callback"]
+        //library_method_mapping[`*${socket_library}*`] = ["getpeername*", "getsockname*", "ntohs*", "ntohl*"] // currently those functions gets only identified if we at an asterisk at the end 
 
         super(moduleName,socket_library,is_base_hook,library_method_mapping);
     }

diff --git a/agent/linux/linux_agent.ts b/agent/linux/linux_agent.ts
@@ -46,7 +46,7 @@ function hook_Linux_Dynamic_Loader(module_library_mapping: { [key: string]: Arra
 
         })
 
-        console.log(`[*] Linux dynamic loader hooked.`)
+        log(`[*] Linux dynamic loader hooked.`)
     } catch (error) {
         devlog("Loader error: " + error)
         log("No dynamic loader present for hooking.")

diff --git a/agent/linux/nss_linux.ts b/agent/linux/nss_linux.ts
@@ -63,8 +63,8 @@ export class NSS_Linux extends NSS {
                         devlog("Callback Error")
                         var getErrorText = new NativeFunction(Module.getExportByName('libnspr4.so', 'PR_GetErrorText'), "int", ["pointer"])
                         var outbuffer = Memory.alloc(200); // max out size
-                        console.log("typeof outbuffer: " + typeof outbuffer);
-                        console.log("outbuffer: " + outbuffer); // should be a pointer
+                        devlog("typeof outbuffer: " + typeof outbuffer);
+                        devlog("outbuffer: " + outbuffer); // should be a pointer
                         getErrorText(outbuffer.readPointer())
                         devlog("Error msg: " + outbuffer)
                     } else {

diff --git a/agent/macos/openssl_boringssl_macos.ts b/agent/macos/openssl_boringssl_macos.ts
@@ -12,7 +12,7 @@ export class OpenSSL_BoringSSL_MacOS extends OpenSSL_BoringSSL {
             var CALLBACK_OFFSET = 0x2A8;
 
             var foundationNumber = Module.findExportByName('CoreFoundation', 'kCFCoreFoundationVersionNumber')?.readDouble();
-            devlog("[*] Calculating offset to keylog callback based on the FoundationVersionNumber: "+foundationNumber)
+            devlog("[*] Calculating offset to keylog callback based on the FoundationVersionNumber on MacOS: "+foundationNumber)
             if(foundationNumber == undefined){
                 CALLBACK_OFFSET = 0x2A8;
                 devlog("Installing callback for MacOS < 14 using callback offset: "+CALLBACK_OFFSET);
@@ -31,9 +31,7 @@ export class OpenSSL_BoringSSL_MacOS extends OpenSSL_BoringSSL {
             }
             Interceptor.attach(this.addresses[this.module_name]["SSL_CTX_set_info_callback"], {
               onEnter: function (args : any) {
-                var ssl_str_ptr = new NativePointer(args[0]);
-                var callback = new NativePointer(ssl_str_ptr).add(CALLBACK_OFFSET)
-                callback.writePointer(this.keylog_callback);
+                ptr(args[0]).add(CALLBACK_OFFSET).writePointer(OpenSSL_BoringSSL.keylog_callback);
               }
             });
 
@@ -46,8 +44,9 @@ export class OpenSSL_BoringSSL_MacOS extends OpenSSL_BoringSSL {
         var library_method_mapping: { [key: string]: Array<string> } = {}
 
         // the MacOS implementation needs some further improvements - currently we are not able to get the sockfd from an SSL_read/write invocation
-        library_method_mapping[`*${moduleName}*`] = ["SSL_read", "SSL_write", "BIO_get_fd", "SSL_get_session", "SSL_SESSION_get_id", "SSL_new", "SSL_CTX_set_info_callback"]
-        library_method_mapping[`*${socket_library}*`] = ["getpeername*", "getsockname*", "ntohs*", "ntohl*"] // currently those functions gets only identified if we at an asterisk at the end 
+        //library_method_mapping[`*${moduleName}*`] = ["SSL_read", "SSL_write", "BIO_get_fd", "SSL_get_session", "SSL_SESSION_get_id", "SSL_new", "SSL_CTX_set_info_callback"]
+        library_method_mapping[`*${moduleName}*`] = ["SSL_CTX_set_info_callback"]
+        //library_method_mapping[`*${socket_library}*`] = ["getpeername*", "getsockname*", "ntohs*", "ntohl*"] // currently those functions gets only identified if we at an asterisk at the end 
 
         super(moduleName, socket_library, is_base_hook, library_method_mapping);
     }