Project: hsnoop

Try this code out now by running 

$ frida --codeshare imagogitter/hsnoop -f YOUR_BINARY
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
var Java = Java;
// Function to log messages
function log(message) {
console.log('[Frida Hook] ' + message);
}
// Function to check if a class has network capabilities
function hasNetworkCapability(cls) {
var className = cls.toString().split('(')[0];
return className.includes("Http") || className.includes("Https") ||
className.includes("Socket") || className.includes("URLConnection");
}
// Inverse heuristic function (negative heuristic)
function avoidUnrelatedClass(cls) {
var className = cls.toString().split('(')[0];
return !className.includes("Http") && !className.includes("Https") &&
!className.includes("Socket") && !className.includes("URLConnection");
}
// Function to check for network-related permissions
function hasNetworkPermission(cls) {
var className = cls.toString().split('(')[0];
return cls.hasPermission("android.permission.INTERNET") ||
cls.hasPermission("android.permission.ACCESS_NETWORK_STATE");
}
// Function to check for network-related interfaces
function hasNetworkInterface(cls) {
var className = cls.toString().split('(')[0];
return cls.implements('java.net.SocketFactory') ||
cls.implements('javax.net.ssl.SSLSocketFactory');
}
// Persistent hook to survive app lifecycle changes
Java.vm.onLoad(function(className) {
try {
if (!avoidUnrelatedClass(Java.use(className))) {
if (hasNetworkCapability(Java.use(className)) ||
hasNetworkPermission(Java.use(className)) ||
hasNetworkInterface(Java.use(className))) {
log('Found potentially network-capable class: ' + className);
hookClass(className);
}
} else {
log('Skipping unrelated class: ' + className);
}
} catch (error) {
log('Error loading class: ' + className + '. Error: ' + error.message);
}
});
// Function to hook a class
function hookClass(className) {
var classObj = Java.use(className);
// Hook openConnection method
try {
classObj.openConnection.overloads.forEach(function(overload) {
overload.implementation = function(url) {
var original = this.openConnection.apply(this, arguments);
return new Proxy(original, {
get: function(target, prop) {
if (prop === 'getInputStream') {
return function() {
var inputStream = target.getInputStream.apply(target, arguments);
// Capture request data
var requestMethod = target.getRequestMethod();
var requestURL = target.getURL().toString();
var requestHeaders = target.getHeaderFields();
// Capture response data
var responseBody = '';
var buffer = new java.nio.ByteBuffer.allocate(1024);
while (inputStream.read(buffer.array(), 0, buffer.capacity()) != -1) {
responseBody += String.fromCharCode.apply(null, buffer.array());
}
// Log captured data
log('Request:', requestMethod + ' ' + requestURL);
log('Headers:', JSON.stringify(requestHeaders));
log('Response:', responseBody);
return inputStream;
};
}
return target[prop];
},
set: function(target, prop, value) {
if (prop === 'getInputStream') {
target.getInputStream = value;
}
return true;
}
});
};
};
} catch (error) {
log('Error hooking class ' + className + ': ' + error.message);
}
// Hook other potentially relevant methods
try {
['getOutputStream', 'setRequestProperty'].forEach(function(methodName) {
var overload = classObj[methodName].overloads[0];
if (overload && !avoidUnrelatedClass(classObj)) {
overload.implementation = function() {
log('Hooked method: ' + className + '.' + methodName);
var original = this[methodName].apply(this, arguments);
return original;
};
}
});
} catch (error) {
log('Error hooking additional methods in class ' + className + ': ' + error.message);
}
}
// Handle app termination attempts
Java.vm.onExit(function(exitCode) {
log('App exited with code: ' + exitCode);
});
// Implement garbage collection handling
function forceGC() {
Java.vm.gc();
log('Forced Garbage Collection');
}
// Example usage:
// Java.choose('java.net.HttpUrlConnection', function(conn) {
// conn.openConnection.overloads[0].implementation = function(url) {
// // Your custom implementation here
// };
// });
// Run the script every time Frida loads
setTimeout(function() {
log('Frida script loaded. Starting dynamic network packet interception.');
Java.vm.onLoad(function(className) {
// The onLoad handler will run continuously as classes load
});
}, 1000);
log('Frida script initialized. Waiting for app launch...');
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Fingerprint: 0379b80fa8086a97524b35c1aff485fc4c0974262b30105f526872e53ff7cb63