reversing-tools/golang/tls_secrets.py at main · stevenjohnstone/reversing-tools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
import frida
import sys

# e.g. "dockerd"
process = sys.argv[1]

session = frida.attach(process)

# assumes register convention for function calls i.e. go >= 1.17
script = session.create_script("""
        function bufferToHex (buffer) {
            return [...new Uint8Array (buffer)]
                .map (b => b.toString (16).padStart (2, "0"))
                .join ("");
        }

        const symbol = 'crypto/tls.(*Config).writeKeyLog'

        var writeKeyLog = Module.findExportByName(null, symbol);
        console.log(writeKeyLog);
        if (writeKeyLog === null) {
            writeKeyLog = DebugSymbol.fromName(symbol).address;
        }

        Interceptor.attach(writeKeyLog, {
            onEnter(args) {
                const label = this.context.rbx.readUtf8String(this.context.rcx.toInt32());
                const clientRandom = bufferToHex(this.context.rdi.readByteArray(this.context.rsi.toInt32()));
                const secret = bufferToHex(this.context.r9.readByteArray(this.context.r10.toInt32()));
                send(`${label} ${clientRandom} ${secret}`);
            }
        })
""")

def on_message(message, data):
    print(message["payload"])


script.on('message', on_message)
script.load()
sys.stdin.read()