QT框架软件及其中tcp/udp网络逆向分析要点记录

QT框架软件及其中tcp/udp网络逆向分析要点记录

码农世界 2024-05-30 前端 94 次浏览 0个评论

一. 概述

前一段时间有逆向分析一个windows系统上QT5的软件,要获取其中显示界面中对应数据生成方式。在分析过程中额外去了解QT框架的相关知识是必不可少的,最主要的一点是信号和槽函数怎么对应起来,以及QT中自封装的数据结构怎么处理。框架分析的难点是除了分析基本功能外,还得分析框架自身的API和框架常见的特征,只有这样才能更好地定位功能代码,但只要分析一次,后面如果是碰到相同的框架,则能很快上手。下面对QT框架分析心得做个简单记录。

二. 信号和槽函数的定位

信号与槽函数 对应 Activate 和 connect ,他们有一个参数是一样的,可以通过这个对应上,从而找到信号对应槽函数。正常开发时,信号和槽函数的注册不是Activate 和 connect,但编译生成的可执行文件导入到ida中会看到这两个函数。可以通过 frida hook这两个函数,打印参数和调用堆栈,来确定信号和槽函数对应关系及在代码中位置。

三. QT 中常用数据类型处理

QT 中常用数据类型有QString,QVector等,想以字符串或基本数据类型打印出来,就需要了解这些数据类型的结构,因为有时返回内容直接是这些类型的结构体,而不是指针,所以在frida hook中也要做额外处理,类似std::string类型在frida中打印。不过我也没有分析这些的数据类型结构,我是自己用QT直接编译了一个动态库(版本最好和软件的QT框架库对应,这里如果是可执行文件也可以),其中加入了QString,QVector等转基础数据类型的函数,然后将这个动态库用frida加载,然后找到对应的函数地址,并定义成frida函数,在frida中调用这些函数来转化基础数据类型,如下:

var func_QString2charptr = null
var func_QStringLength = null
var func_QVector2doublePtrr = null
var func_QVectorLength = null
var func_QVariant2QString = null
var func_QVariantLength = null
var func_QVariant2charptr = null
var func_QVariant2charptr2 = null
function use_self_dll(){
  if (func_QString2charptr == null){
    var module = Module.load("D:\\UseForFrida.dll"); // 这里替换成自实现的dll,函数在dll中实现
    var addr_QString2charptr = module.getExportByName("_ZN11UseForFrida15QString2charptrER7QStringPcj");
    var addr_QStringLength = module.getExportByName("_ZN11UseForFrida13QStringLengthER7QString");
    var addr_QVector2doublePtrr = module.getExportByName("_ZN11UseForFrida17QVector2doublePtrER7QVectorIdEPdi");
    var addr_QVectorLength = module.getExportByName("_ZN11UseForFrida13QVectorLengthER7QVectorIdE");
    var addr_QVariant2QString = module.getExportByName("_ZN11UseForFrida16QVariant2QStringER8QVariant");
    var addr_QVariantLength = module.getExportByName("_ZN11UseForFrida14QVariantLengthER8QVariant");
    var addr_QVariant2charptr = module.getExportByName("_ZN11UseForFrida16QVariant2charptrER8QVariantPcj");
    var addr_QVariant2charptr2 = module.getExportByName("_ZN11UseForFrida16QVariant2charptrER8QVariant");
    func_QString2charptr = new NativeFunction(addr_QString2charptr, 'void', ['pointer','pointer','int']);
    func_QStringLength = new NativeFunction(addr_QStringLength, 'int', ['pointer']);
    func_QVector2doublePtrr = new NativeFunction(addr_QVector2doublePtrr, 'void', ['pointer','pointer','int']);
    func_QVectorLength = new NativeFunction(addr_QVectorLength, 'int', ['pointer']);
    func_QVariant2QString = new NativeFunction(addr_QVariant2QString, 'pointer', ['pointer']);
    func_QVariantLength = new NativeFunction(addr_QVariantLength, 'int', ['pointer']);
    func_QVariant2charptr = new NativeFunction(addr_QVariant2charptr, 'void', ['pointer','pointer','int']);
    func_QVariant2charptr2 = new NativeFunction(addr_QVariant2charptr2, 'pointer', ['pointer']); //这里函数便可以拿来使用
  }
  console.log(func_QString2charptr, func_QStringLength, func_QVector2doublePtrr, func_QVectorLength, func_QVariant2charptr, func_QVariantLength, func_QVariant2charptr2);
}

四. 额外记录下软件中网络方面分析

通过wireshark对那个软件进行抓包,发现也没有https的包,大多是tcp和udp的包。为了定位这些发包和接受包的位置,只需要对系统库中网络接发包相关api进行hook就能定位到对应代码位置。要知道是那个系统库中哪些api处理了这些发包和接收包,可以在网上搜。或者用一种更准确的方法,自己在对应的操作系统(我这里是windows)上用socket写简单的tcp和udp通信的demo,然后用调试器(gdb,windows上更好的是x64dbg)调试自己写的demo,跟到系统库,看是哪些库及那些api处理了底层socket的发送和接收数据。

windows上是 ws2_32.dll 的 closesocket,connect,getpeername,getsockname,htons,inet_ntoa,recv,recvfrom,send,sendto,WSAConnect,WSAConnectByList,WSAConnectByNameA,WSAConnectByNameW,WSARecv,WSARecvDisconnect,WSARecvFrom,WSASend,WSASendDisconnect,WSASendMsg,WSASendTo 等,可以使用frida hook对应的api,打印socket ip和端口,及recv、send、connect等的代码位置。

function hook_win_socketabout(){
  // var modules = Process.enumerateModules();
  // for (var i = 0; i < modules.length; i++){
  //   console.log(modules[i].name, modules[i].base);
  // }
  
  var module = Process.getModuleByName("ws2_32.dll");
  
  //analysis ip port
  // htons   
  // inet_ntoa
  // getsockname
  // getpeername
  var addr_htons = module.getExportByName("htons");
  var addr_inet_ntoa = module.getExportByName("inet_ntoa");
  var addr_getsockname = module.getExportByName("getsockname");
  var addr_getpeername = module.getExportByName("getpeername");
  // console.log("addr_htons", addr_htons, "addr_inet_ntoa", addr_inet_ntoa, 
  // "addr_getsockname", addr_getsockname, "addr_getpeername", addr_getpeername);
  var getpeername = new NativeFunction(addr_getpeername, "int", ["int", "pointer", "pointer"]);
  var getsockname = new NativeFunction(addr_getsockname, "int", ["int", "pointer", "pointer"]);
  //  var symbols = module.enumerateExports();
  var addr_connect = module.getExportByName("connect");
  var addr_recv = module.getExportByName("recv");
  var addr_send = module.getExportByName("send");
  var addr_closesocket = module.getExportByName("closesocket");
  var htons = new NativeFunction(addr_htons, "uint16", ["uint16"]);
  var inet_ntoa = new NativeFunction(addr_inet_ntoa, "pointer", ["uint32"]);
    Interceptor.attach(addr_connect, {
          onEnter:function(argvs){
              //console.log("Come", "addr_connect", addr_connect);
              //connect(clntSock, (SOCKADDR*)& sockAddr, sizeof(SOCKADDR));
              var sockAddr = ptr(argvs[1]);
              var type = sockAddr.readS16();
              var port_bf_turn = sockAddr.add(2).readS16();
              var ip_bf_turn = sockAddr.add(4).readS32();
              var port_af_turn = htons(port_bf_turn);
              var ip_af_turn = inet_ntoa(ip_bf_turn);
              console.log("connect server ---> ", "type:", type, "server ip:", ip_af_turn.readCString(), "port:", port_af_turn);
              console.log('socket connect called from:\n' +
        Thread.backtrace(this.context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') +'\n');
            },onLeave:function(retvalue){
            //retvalue.replace()
          }
      });
    //follow 3   get  server client  ip  port
    // getsockname(clntSock, (struct sockaddr *)&connectedAddr, &connectedAddrLen);//获取connfd表示的连接上的本地地址
    // printf("connected server address = %s:%d\n", inet_ntoa(connectedAddr.sin_addr), htons(connectedAddr.sin_port)); //本地ip和端口
    // getpeername(clntSock, (struct sockaddr *)&peerAddr, &peerLen); //获取connfd表示的连接上的对端地址
    // printf("connected peer address = %s:%d\n", inet_ntoa(peerAddr.sin_addr), htons(peerAddr.sin_port)); //远程ip和端口
    Interceptor.attach(addr_recv, {
        onEnter:function(argvs){
            //console.log("Come", "addr_recv", addr_recv);
            var clntSock = argvs[0].toInt32();
            var localSockAddr = Socket.localAddress(clntSock);
            var remoteSockAddr = Socket.peerAddress(clntSock);
            if (localSockAddr != null && remoteSockAddr != null){
              console.log("socket recv ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port);
            }
            console.log('socket recv called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n');
        },onLeave:function(retvalue){
          //retvalue.replace()
          console.log("recv ret len", retvalue);
        }
    });
    Interceptor.attach(addr_send, {
      onEnter:function(argvs){
          //console.log("Come", "addr_send", addr_send);
          var clntSock = argvs[0].toInt32();
          var localSockAddr = Socket.localAddress(clntSock);
          var remoteSockAddr = Socket.peerAddress(clntSock);
          if (localSockAddr != null && remoteSockAddr != null){
            console.log("socket send ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port);
          }
          console.log('socket send called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n');
      },onLeave:function(retvalue){
        //retvalue.replace()
      }
  });
    Interceptor.attach(addr_closesocket, {
      onEnter:function(argvs){
          //console.log("Come", "addr_closesocket", addr_closesocket);
          var clntSock = argvs[0].toInt32();
          var localSockAddr = Socket.localAddress(clntSock);
          var remoteSockAddr = Socket.peerAddress(clntSock);
          if (localSockAddr != null && remoteSockAddr != null){
            console.log("closesocket ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port);
          }
          console.log('closesocket called from:\n' +
          Thread.backtrace(this.context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') +'\n');
      },onLeave:function(retvalue){
        //retvalue.replace()
      }
  });
  var WSAConnect = module.getExportByName("WSAConnect");
  Interceptor.attach(WSAConnect, {
      onEnter:function(argvs){
          // console.log("Come", "WSAConnect", WSAConnect);
        var sockAddr = ptr(argvs[1]);
        var type = sockAddr.readS16();
        var port_bf_turn = sockAddr.add(2).readS16();
        var ip_bf_turn = sockAddr.add(4).readS32();
        var port_af_turn = htons(port_bf_turn);
        var ip_af_turn = inet_ntoa(ip_bf_turn);
        console.log("WSAConnect server ---> ", "type:", type, "server ip:", ip_af_turn.readCString(), "port:", port_af_turn);
        console.log('socket WSAConnect called from:\n' +
  Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n');
      },onLeave:function(retvalue){}
  });
  var WSARecv = module.getExportByName("WSARecv");
  Interceptor.attach(WSARecv, {
      onEnter:function(argvs){
          // console.log("Come", "WSARecv", WSARecv);
          var clntSock = argvs[0].toInt32();
          var localSockAddr = Socket.localAddress(clntSock);
          var remoteSockAddr = Socket.peerAddress(clntSock);
          if (localSockAddr != null && remoteSockAddr != null){
            console.log("WSARecv ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port);
          }
          console.log('WSARecv called from:\n' +
          Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n');
      },onLeave:function(retvalue){}
  });
  var WSARecvFrom = module.getExportByName("WSARecvFrom");
  Interceptor.attach(WSARecvFrom, {
      onEnter:function(argvs){
          // console.log("Come", "WSARecvFrom", WSARecvFrom);
          var clntSock = argvs[0].toInt32();
          var localSockAddr = Socket.localAddress(clntSock);
          var remoteSockAddr = Socket.peerAddress(clntSock);
          if (localSockAddr != null && remoteSockAddr != null){
            console.log("WSARecvFrom ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSoc33446kAddr.port);
          }
          console.log('WSARecvFrom called from:\n' +
          Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n');
      },onLeave:function(retvalue){}
  });
  var WSASend = module.getExportByName("WSASend");
  Interceptor.attach(WSASend, {
      onEnter:function(argvs){
          // console.log("Come", "WSASend", WSASend);
          var clntSock = argvs[0].toInt32();
          var localSockAddr = Socket.localAddress(clntSock);
          var remoteSockAddr = Socket.peerAddress(clntSock);
          if (localSockAddr != null && remoteSockAddr != null){
            console.log("WSASend ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port);
          }
          console.log('WSASend called from:\n' +
          Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n');
      },onLeave:function(retvalue){}
  });
}

当时分析时,有一个端口的数据通过wireshark抓到后,在程序中一直hook不到,后来发现是在子进程中实现的tcp通信,然后通过内存映射和主进程进行数据共享。

五. 小结

记地有点简单,因为只有之前电脑环境上有那个分析的软件及安装了QT框架,所以这里也没有贴出QT相关代码,只记录了一些思路。

转载请注明来自码农世界,本文标题:《QT框架软件及其中tcp/udp网络逆向分析要点记录》

百度分享代码,如果开启HTTPS请参考李洋个人博客
每一天,每一秒,你所做的决定都会改变你的人生!

发表评论

快捷回复:

评论列表 (暂无评论,94人围观)参与讨论

还没有评论,来说两句吧...

Top