采用双进程的方式，对父进程进行保护，基于信号的发送和接收，实现相互的保护防止被动态攻击。
简单的双进程保护就是从原进程再fork一个空进程出来,让逆向分析的时候附加到空进程中导致hook不上
双进程进程保护主要功能： 1、保护父进程，ptrace所有线程，防止被附加、调试、暂停； 2、保护子进程，防止被暂停、异常退出；

下面是我用objection附加双进程保护的app的时候报错,一般双进程保护,先把app关掉直接用spwan模式就能附加上

root@arr:~/Desktop/frida_js# objection -d -g com.xc.p2p explore[debug] Agent path is: /root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `Google Pixel`
[debug] Attempting to attach to process: `com.xc.p2p`
[debug] Process attached!
Agent injected and responds ok!
Traceback (most recent call last):
File "/root/.pyenv/versions/3.8.1/bin/objection", line 11, in <module>
load_entry_point('objection==1.8.4', 'console_scripts', 'objection')()
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/objection/console/cli.py", line 156, in explore
device_info = get_device_info()
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/objection/commands/device.py", line 41, in get_device_info
package_info = api.env_android()
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/frida/core.py", line 401, in method
return script._rpc_request('call', js_name, args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/site-packages/frida/core.py", line 333, in _rpc_request
raise result[2]
frida.core.RPCException: Error: expected a pointer
at M (frida/node_modules/frida-java-bridge/index.js:437)
at frida/node_modules/frida-java-bridge/index.js:285
at src/android/lib/libjava.ts:15
at node_modules/core-js/library/modules/es6.promise.js:83
at src/android/lib/libjava.ts:16
at frida/runtime/message-dispatcher.js:15
at c (frida/runtime/message-dispatcher.js:25)
Asking jobs to stop...
Unloading objection agent...
[debug] Calling unload()
Exception ignored in: <function Pool.__del__ at 0x7fe01269f940>
Traceback (most recent call last):
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/pool.py", line 268, in __del__
self._change_notifier.put(None)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/queues.py", line 368, in put
self._writer.send_bytes(obj)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/connection.py", line 200, in send_bytes
self._send_bytes(m[offset:offset + size])
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/connection.py", line 411, in _send_bytes
self._send(header + buf)
File "/root/.pyenv/versions/3.8.1/lib/python3.8/multiprocessing/connection.py", line 368, in _send
n = write(self._handle, buf)
OSError: [Errno 9] Bad file descriptor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
报错分析大概就是说找不到进程,进程被关闭了,但是用frida又能附加上

直接看frida和objection源码
frida附加的顺序:spwan->resume->attach
objection附加的顺序:spwan->attach->resume

可以看出应该是因为objection通过spwan启动app之后attach得太快,然后app又正在复制进程,所以app卡死了,objection也卡死了.

然后我们可以通过改objection的源码来修改他附加的顺序

在objection的agent.py中找到

def get_session(self) -> frida.core.Session:
"""
Attempt to get a Frida session on a device.
"""

if self.session:
return self.session

self.device = self._get_device()

# try and get the target process.
try:

debug_print('Attempting to attach to process: `{process}`'.format(
process=state_connection.gadget_name))
self.session = self.device.attach(state_connection.gadget_name)
debug_print('Process attached!')
self.resumed = True

self.session.on('detached', self.on_detach)

return self.session

except frida.ProcessNotFoundError:
debug_print('Unable to find process: `{process}`, attempting spawn'.format(
process=state_connection.gadget_name))

# TODO: Handle the fact that gadget mode can't spawn

self.spawned_pid = self.device.spawn(state_connection.gadget_name)
debug_print('PID `{pid}` spawned, attaching...'.format(pid=self.spawned_pid))

***~~debug_print('Resuming PID test `{pid}`'.format(pid=self.spawned_pid))
self.device.resume(self.spawned_pid)~~ ***

self.session = self.device.attach(self.spawned_pid)
return self.session
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
这一块是后面加上去的
debug_print('Resuming PID test {pid}'.format(pid=self.spawned_pid))
self.device.resume(self.spawned_pid)

def inject(self):
"""
Injects the Objection Agent.

:return:
"""

debug_print('Injecting agent...')

session = self.get_session()
self.script = session.create_script(source=self._get_agent_source())
self.script.on('message', self.on_message)
self.script.load()

# if not self.resumed:
# debug_print('Resuming PID 1 `{pid}`'.format(pid=self.spawned_pid))
# self.device.resume(self.spawned_pid)

# ping the agent
if not self.exports().ping():
click.secho('Failed to ping the agent', fg='red')
raise Exception('Failed to communicate with agent')

click.secho('Agent injected and responds ok!', fg='green', dim=True)

return self
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
这一块是删除的
# if not self.resumed:
# debug_print('Resuming PID 1 {pid}'.format(pid=self.spawned_pid))
# self.device.resume(self.spawned_pid)

实际就是把resume放到步骤的中间,如果不行的话适当加个sleep就能附加上了

成功辣
————————————————
版权声明：本文为CSDN博主「[meng」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/weixin_42453905/article/details/109395414