py文件:
# -*- coding: utf-8 -*-
import os  # not referenced by the visible code below
import sys
# reload(sys)
# sys.setdefaultencoding( "utf-8" )
import importlib
# Leftover from the Python 2 setdefaultencoding() workaround commented out
# above; on Python 3 reloading sys has no useful effect and the call can go.
importlib.reload(sys)
import frida
# frida-ls-devices
# frida-ps
# frida-ps -U ,這行命令是列出手機上所有的進程信息
# frida-ps -R,就可以看到android機器的進程列表
# adb forward tcp:27042 tcp:27042
# adb forward tcp:27043 tcp:27043
def on_message(message, data):
    """Print a message delivered by the injected Frida script.

    Frida calls this for every ``send()`` (and for script errors), passing
    the message object and any binary payload attached to it.
    """
    print(f"[{message}] => {data}")
# session = frida.attach('FlashTest.exe')
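# Attach to the already-running target by process name.  This requires the
# same privileges as debugging that process, and the name must match exactly.
session = frida.attach('FlashWeb.exe')
try:
    # The instrumentation script lives in frida.js next to this file
    # (resolved relative to the current working directory).  The context
    # manager closes the handle right away instead of leaking it until exit.
    with open('frida.js', "rt", encoding="utf-8") as jsFile:
        jsStr = jsFile.read()
    script = session.create_script(jsStr)
    script.on('message', on_message)  # route send()/errors to on_message
    retVal = script.load()  # run the JS inside the target process
    print(retVal)
    script.exports.test()  # invoke rpc.exports.test defined in frida.js
    print("press any key to exit...")
    # NOTE(review): sys.stdin.read() blocks until EOF (Ctrl+D / Ctrl+Z),
    # not a single keypress as the prompt suggests; readline() would match it.
    sys.stdin.read()
finally:
    # Detach even if loading or the RPC call raised, so the target is not
    # left with a dangling session.
    session.detach()
print("finish...")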
js文件:
// Smoke-test messages, one string and one number, delivered to the Python
// on_message handler.  The author notes the string argument must not use
// double quotes (presumably because the script was once embedded in a
// Python string literal).
send('ko2020');
send(2020);

// Anything exported here is callable from Python as script.exports.<name>().
rpc.exports = {
    test: function () {
        console.log('myCall...');
    }
};
// Process.enumerateModules()
// Find the module for the program itself, always at index 0:
// The main module of the target is always the first entry in the list;
// report its descriptor (name, base, size, path) back to Python.
var mainModule = Process.enumerateModules()[0];
send(JSON.stringify(mainModule));
// 枚舉進程模塊
// Process.enumerateModules({
// onMatch: function(exp){
// send(exp.name);
// },
// onComplete: function(){
// send('onComplete');
// }
// });
// WS2_32.dll
// mswsock.dll
// int recv(SOCKET s, char FAR *buf, int len, int flags);
// Report where recv() resolved to; findExportByName yields null (rather
// than throwing) when the export is not present.
var recvExport = Module.findExportByName('WS2_32.dll', 'recv');
send(recvExport);
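// Size of the frame header the target prepends to each payload (22 bytes).
var HEADER_LEN = 22;

// Per-call state lives on `this`: Frida gives each onEnter/onLeave pair its
// own object, so recv() calls running concurrently on different threads can
// no longer overwrite each other's buffer pointer the way a script-global did.
Interceptor.attach(Module.getExportByName('WS2_32.dll', 'recv'), {
    onEnter: function (args) {
        // int recv(SOCKET s, char *buf, int len, int flags): args[1] is the
        // caller's receive buffer, filled in only by the time onLeave runs.
        this.recvBuf = args[1];
    },
    onLeave: function (retval) {
        // retval is the byte count actually received; 0 (connection closed)
        // and SOCKET_ERROR (-1) both give dataLen <= 0 and are skipped.
        var received = retval.toInt32();
        var dataLen = received - HEADER_LEN;
        if (dataLen > 0) {
            send('recv leave:');
            send(received);
            // Skip the header.  NOTE(review): this assumes every recv() call
            // returns exactly one whole frame, which a TCP stream does not
            // guarantee; a short or coalesced read will be misparsed.
            var dataBuf = this.recvBuf.add(HEADER_LEN);
            var buf = Memory.readByteArray(dataBuf, dataLen);
            // One char per byte (Latin-1 style), not a UTF-8 decode.
            // NOTE(review): apply() with very large arrays can hit the
            // argument-count limit; fine for typical socket buffer sizes.
            var bufData = String.fromCharCode.apply(null, new Uint8Array(buf));
            send(bufData);
        }
    }
});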