一. 概述
前一段时间有逆向分析一个windows系统上QT5的软件,要获取其中显示界面中对应数据生成方式。在分析过程中额外去了解QT框架的相关知识是必不可少的,最主要的一点是信号和槽函数怎么对应起来,以及QT中自封装的数据结构怎么处理。框架分析的难点是除了分析基本功能外,还得分析框架自身的API和框架常见的特征,只有这样才能更好地定位功能代码,但只要分析一次,后面如果是碰到相同的框架,则能很快上手。下面对QT框架分析心得做个简单记录。
二. 信号和槽函数的定位
信号与槽函数 对应 Activate 和 connect ,他们有一个参数是一样的,可以通过这个对应上,从而找到信号对应槽函数。正常开发时,信号和槽函数的注册不是Activate 和 connect,但编译生成的可执行文件导入到ida中会看到这两个函数。可以通过 frida hook这两个函数,打印参数和调用堆栈,来确定信号和槽函数对应关系及在代码中位置。
三. QT 中常用数据类型处理
QT 中常用数据类型有QString,QVector等,想以字符串或基本数据类型打印出来,就需要了解这些数据类型的结构,因为有时返回内容直接是这些类型的结构体,而不是指针,所以在frida hook中也要做额外处理,类似std::string类型在frida中打印。不过我也没有分析这些的数据类型结构,我是自己用QT直接编译了一个动态库(版本最好和软件的QT框架库对应,这里如果是可执行文件也可以),其中加入了QString,QVector等转基础数据类型的函数,然后将这个动态库用frida加载,然后找到对应的函数地址,并定义成frida函数,在frida中调用这些函数来转化基础数据类型,如下:
var func_QString2charptr = null var func_QStringLength = null var func_QVector2doublePtrr = null var func_QVectorLength = null var func_QVariant2QString = null var func_QVariantLength = null var func_QVariant2charptr = null var func_QVariant2charptr2 = null function use_self_dll(){ if (func_QString2charptr == null){ var module = Module.load("D:\\UseForFrida.dll"); // 这里替换成自实现的dll,函数在dll中实现 var addr_QString2charptr = module.getExportByName("_ZN11UseForFrida15QString2charptrER7QStringPcj"); var addr_QStringLength = module.getExportByName("_ZN11UseForFrida13QStringLengthER7QString"); var addr_QVector2doublePtrr = module.getExportByName("_ZN11UseForFrida17QVector2doublePtrER7QVectorIdEPdi"); var addr_QVectorLength = module.getExportByName("_ZN11UseForFrida13QVectorLengthER7QVectorIdE"); var addr_QVariant2QString = module.getExportByName("_ZN11UseForFrida16QVariant2QStringER8QVariant"); var addr_QVariantLength = module.getExportByName("_ZN11UseForFrida14QVariantLengthER8QVariant"); var addr_QVariant2charptr = module.getExportByName("_ZN11UseForFrida16QVariant2charptrER8QVariantPcj"); var addr_QVariant2charptr2 = module.getExportByName("_ZN11UseForFrida16QVariant2charptrER8QVariant"); func_QString2charptr = new NativeFunction(addr_QString2charptr, 'void', ['pointer','pointer','int']); func_QStringLength = new NativeFunction(addr_QStringLength, 'int', ['pointer']); func_QVector2doublePtrr = new NativeFunction(addr_QVector2doublePtrr, 'void', ['pointer','pointer','int']); func_QVectorLength = new NativeFunction(addr_QVectorLength, 'int', ['pointer']); func_QVariant2QString = new NativeFunction(addr_QVariant2QString, 'pointer', ['pointer']); func_QVariantLength = new NativeFunction(addr_QVariantLength, 'int', ['pointer']); func_QVariant2charptr = new NativeFunction(addr_QVariant2charptr, 'void', ['pointer','pointer','int']); func_QVariant2charptr2 = new NativeFunction(addr_QVariant2charptr2, 'pointer', ['pointer']); //这里函数便可以拿来使用 } console.log(func_QString2charptr, func_QStringLength, func_QVector2doublePtrr, func_QVectorLength, func_QVariant2charptr, func_QVariantLength, func_QVariant2charptr2); }
四. 额外记录下软件中网络方面分析
通过wireshark对那个软件进行抓包,发现也没有https的包,大多是tcp和udp的包。为了定位这些发包和接受包的位置,只需要对系统库中网络接发包相关api进行hook就能定位到对应代码位置。要知道是那个系统库中哪些api处理了这些发包和接收包,可以在网上搜。或者用一种更准确的方法,自己在对应的操作系统(我这里是windows)上用socket写简单的tcp和udp通信的demo,然后用调试器(gdb,windows上更好的是x64dbg)调试自己写的demo,跟到系统库,看是哪些库及那些api处理了底层socket的发送和接收数据。
windows上是 ws2_32.dll 的 closesocket,connect,getpeername,getsockname,htons,inet_ntoa,recv,recvfrom,send,sendto,WSAConnect,WSAConnectByList,WSAConnectByNameA,WSAConnectByNameW,WSARecv,WSARecvDisconnect,WSARecvFrom,WSASend,WSASendDisconnect,WSASendMsg,WSASendTo 等,可以使用frida hook对应的api,打印socket ip和端口,及recv、send、connect等的代码位置。
function hook_win_socketabout(){ // var modules = Process.enumerateModules(); // for (var i = 0; i < modules.length; i++){ // console.log(modules[i].name, modules[i].base); // } var module = Process.getModuleByName("ws2_32.dll"); //analysis ip port // htons // inet_ntoa // getsockname // getpeername var addr_htons = module.getExportByName("htons"); var addr_inet_ntoa = module.getExportByName("inet_ntoa"); var addr_getsockname = module.getExportByName("getsockname"); var addr_getpeername = module.getExportByName("getpeername"); // console.log("addr_htons", addr_htons, "addr_inet_ntoa", addr_inet_ntoa, // "addr_getsockname", addr_getsockname, "addr_getpeername", addr_getpeername); var getpeername = new NativeFunction(addr_getpeername, "int", ["int", "pointer", "pointer"]); var getsockname = new NativeFunction(addr_getsockname, "int", ["int", "pointer", "pointer"]); // var symbols = module.enumerateExports(); var addr_connect = module.getExportByName("connect"); var addr_recv = module.getExportByName("recv"); var addr_send = module.getExportByName("send"); var addr_closesocket = module.getExportByName("closesocket"); var htons = new NativeFunction(addr_htons, "uint16", ["uint16"]); var inet_ntoa = new NativeFunction(addr_inet_ntoa, "pointer", ["uint32"]); Interceptor.attach(addr_connect, { onEnter:function(argvs){ //console.log("Come", "addr_connect", addr_connect); //connect(clntSock, (SOCKADDR*)& sockAddr, sizeof(SOCKADDR)); var sockAddr = ptr(argvs[1]); var type = sockAddr.readS16(); var port_bf_turn = sockAddr.add(2).readS16(); var ip_bf_turn = sockAddr.add(4).readS32(); var port_af_turn = htons(port_bf_turn); var ip_af_turn = inet_ntoa(ip_bf_turn); console.log("connect server ---> ", "type:", type, "server ip:", ip_af_turn.readCString(), "port:", port_af_turn); console.log('socket connect called from:\n' + Thread.backtrace(this.context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){ //retvalue.replace() } }); //follow 3 get server client ip port // getsockname(clntSock, (struct sockaddr *)&connectedAddr, &connectedAddrLen);//获取connfd表示的连接上的本地地址 // printf("connected server address = %s:%d\n", inet_ntoa(connectedAddr.sin_addr), htons(connectedAddr.sin_port)); //本地ip和端口 // getpeername(clntSock, (struct sockaddr *)&peerAddr, &peerLen); //获取connfd表示的连接上的对端地址 // printf("connected peer address = %s:%d\n", inet_ntoa(peerAddr.sin_addr), htons(peerAddr.sin_port)); //远程ip和端口 Interceptor.attach(addr_recv, { onEnter:function(argvs){ //console.log("Come", "addr_recv", addr_recv); var clntSock = argvs[0].toInt32(); var localSockAddr = Socket.localAddress(clntSock); var remoteSockAddr = Socket.peerAddress(clntSock); if (localSockAddr != null && remoteSockAddr != null){ console.log("socket recv ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port); } console.log('socket recv called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){ //retvalue.replace() console.log("recv ret len", retvalue); } }); Interceptor.attach(addr_send, { onEnter:function(argvs){ //console.log("Come", "addr_send", addr_send); var clntSock = argvs[0].toInt32(); var localSockAddr = Socket.localAddress(clntSock); var remoteSockAddr = Socket.peerAddress(clntSock); if (localSockAddr != null && remoteSockAddr != null){ console.log("socket send ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port); } console.log('socket send called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){ //retvalue.replace() } }); Interceptor.attach(addr_closesocket, { onEnter:function(argvs){ //console.log("Come", "addr_closesocket", addr_closesocket); var clntSock = argvs[0].toInt32(); var localSockAddr = Socket.localAddress(clntSock); var remoteSockAddr = Socket.peerAddress(clntSock); if (localSockAddr != null && remoteSockAddr != null){ console.log("closesocket ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port); } console.log('closesocket called from:\n' + Thread.backtrace(this.context, Backtracer.FUZZY).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){ //retvalue.replace() } }); var WSAConnect = module.getExportByName("WSAConnect"); Interceptor.attach(WSAConnect, { onEnter:function(argvs){ // console.log("Come", "WSAConnect", WSAConnect); var sockAddr = ptr(argvs[1]); var type = sockAddr.readS16(); var port_bf_turn = sockAddr.add(2).readS16(); var ip_bf_turn = sockAddr.add(4).readS32(); var port_af_turn = htons(port_bf_turn); var ip_af_turn = inet_ntoa(ip_bf_turn); console.log("WSAConnect server ---> ", "type:", type, "server ip:", ip_af_turn.readCString(), "port:", port_af_turn); console.log('socket WSAConnect called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){} }); var WSARecv = module.getExportByName("WSARecv"); Interceptor.attach(WSARecv, { onEnter:function(argvs){ // console.log("Come", "WSARecv", WSARecv); var clntSock = argvs[0].toInt32(); var localSockAddr = Socket.localAddress(clntSock); var remoteSockAddr = Socket.peerAddress(clntSock); if (localSockAddr != null && remoteSockAddr != null){ console.log("WSARecv ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port); } console.log('WSARecv called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){} }); var WSARecvFrom = module.getExportByName("WSARecvFrom"); Interceptor.attach(WSARecvFrom, { onEnter:function(argvs){ // console.log("Come", "WSARecvFrom", WSARecvFrom); var clntSock = argvs[0].toInt32(); var localSockAddr = Socket.localAddress(clntSock); var remoteSockAddr = Socket.peerAddress(clntSock); if (localSockAddr != null && remoteSockAddr != null){ console.log("WSARecvFrom ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSoc33446kAddr.port); } console.log('WSARecvFrom called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){} }); var WSASend = module.getExportByName("WSASend"); Interceptor.attach(WSASend, { onEnter:function(argvs){ // console.log("Come", "WSASend", WSASend); var clntSock = argvs[0].toInt32(); var localSockAddr = Socket.localAddress(clntSock); var remoteSockAddr = Socket.peerAddress(clntSock); if (localSockAddr != null && remoteSockAddr != null){ console.log("WSASend ---> ", "localSockAddr", localSockAddr.ip, localSockAddr.port, "remoteSockAddr", remoteSockAddr.ip, remoteSockAddr.port); } console.log('WSASend called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') +'\n'); },onLeave:function(retvalue){} }); }
当时分析时,有一个端口的数据通过wireshark抓到后,在程序中一直hook不到,后来发现是在子进程中实现的tcp通信,然后通过内存映射和主进程进行数据共享。
五. 小结
记地有点简单,因为只有之前电脑环境上有那个分析的软件及安装了QT框架,所以这里也没有贴出QT相关代码,只记录了一些思路。
还没有评论,来说两句吧...