rms-runtime-mobile-security
Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
/************************************************************************
* Name: File System Monitor
* OS: Android
* Author: @mobilesecurity_
* Source: https://github.com/m0bilesecurity
* Info: (libc.so - open, close, read, write, unlink, remove)
*************************************************************************/
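Java.perform(function () {
  // Substrings of paths whose open() calls are not reported, as in the
  // original filter on "/dev/ashmem" and "/proc/".
  var IGNORED_OPEN_PATHS = ["/dev/ashmem", "/proc/"];

  // Best-effort map of file descriptor -> path, filled from successful open()
  // calls and cleared on close(). Descriptors obtained through functions that
  // are not hooked here are reported by number only.
  var pathByFd = {};

  /**
   * Send one file-system event to the host side of the instrumentation.
   *
   * @param {string} method - Label of the intercepted libc function.
   * @param {string} file - Path or descriptor description for the event.
   */
  function print(method, file) {
    send("API Monitor | " +
      "FileSystem" + " | " +
      method + " - " +
      file
    );
  }

  /**
   * Read a C string path argument without letting a bad pointer raise.
   *
   * @param {NativePointer} pointer - First argument of a path-taking call.
   * @returns {string|null} The path, or null when it cannot be read.
   */
  function readPath(pointer) {
    if (pointer.isNull()) {
      return null;
    }
    try {
      return Memory.readCString(pointer);
    } catch (e) {
      return null;
    }
  }

  /**
   * Describe a descriptor argument. close(), read() and write() receive an
   * integer fd as their first argument, not a pointer to a path, so it must
   * never be dereferenced as a string.
   *
   * @param {NativePointer} fdArg - First argument of an fd-taking call.
   * @returns {string} "fd=N", followed by the path when open() recorded one.
   */
  function describeFd(fdArg) {
    var fd = fdArg.toInt32();
    var known = pathByFd[fd];
    if (known === undefined) {
      return "fd=" + fd;
    }
    return "fd=" + fd + " (" + known + ")";
  }

  /**
   * Attach callbacks to a libc export. A missing export is reported and
   * skipped so that it does not prevent the remaining hooks from installing.
   *
   * @param {string} symbol - Exported function name in libc.so.
   * @param {object} callbacks - Interceptor callbacks (onEnter / onLeave).
   */
  function hook(symbol, callbacks) {
    var address = Module.findExportByName("libc.so", symbol);
    if (address === null) {
      print(symbol, "<not exported by libc.so, hook skipped>");
      return;
    }
    Interceptor.attach(address, callbacks);
  }

  hook("open", {
    onEnter: function (args) {
      // Kept on the invocation context so onLeave can pair it with the fd.
      this.path = readPath(args[0]);
      if (this.path === null) {
        return;
      }
      var path = this.path;
      var ignored = IGNORED_OPEN_PATHS.some(function (fragment) {
        return path.includes(fragment);
      });
      if (!ignored) {
        print("open", path);
      }
    },
    onLeave: function (retval) {
      var fd = retval.toInt32();
      // open() returns -1 on failure; only successful calls yield a mapping.
      if (fd >= 0 && typeof this.path === "string") {
        pathByFd[fd] = this.path;
      }
    }
  });

  hook("close", {
    onEnter: function (args) {
      print("close", describeFd(args[0]));
      // The number can be reused by a later, unrelated descriptor.
      delete pathByFd[args[0].toInt32()];
    }
  });

  hook("read", {
    onEnter: function (args) {
      print("read", describeFd(args[0]));
    }
  });

  hook("write", {
    onEnter: function (args) {
      print("write", describeFd(args[0]));
    }
  });

  // unlink() is reported under the "remove" label, as the original script did.
  hook("unlink", {
    onEnter: function (args) {
      var path = readPath(args[0]);
      if (path !== null) {
        print("remove", path);
      }
    }
  });

  hook("remove", {
    onEnter: function (args) {
      var path = readPath(args[0]);
      if (path !== null) {
        print("remove", path);
      }
    }
  });
});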