foundryzero / binder-trace Goto Github PK

View Code? Open in Web Editor NEW

420.0 18.0 34.0 12.59 MB

Binder Trace is a tool for intercepting and parsing Android Binder messages. Think of it as "Wireshark for Binder".

License: MIT License

Python 95.76% JavaScript 4.24%

android binder ipc reverse-engineering

binder-trace's Introduction

Binder Trace

Binder Trace is a tool for intercepting and parsing Android Binder messages. Think of it as "Wireshark for Binder".

Requirements

python version >= 3.9

⚙️ Installation

You'll need a rooted Android device or emulator.

(Linux only) - install xclip or xsel for "copy to clipboard" functionality

sudo apt-get install xclip

sudo apt-get install xsel
Install from PyPi

pip install binder-trace
Check which version of frida is installed (make sure you've pip installed the requirements)

pip list | grep frida
Download the matching version of frida-server from the frida releases page
Make sure adb is running as root, push frida-server to your device and run it

adb root

adb push frida-server /data/local/tmp

adb shell

chmod u+x /data/local/tmp/frida-server

adb shell /data/local/tmp/frida-server

Arguments

Argument	Description
-h	Prints the argument help.
-d DEVICE	The device to attach to e.g. "emulator-5554". Use `adb devices` to list available devices. If not provided defaults to the USB device.
-p PID	The pid of the process on DEVICE to attach to.
-n NAME	The name of the process on DEVICE to attach to e.g. "Messaging".
-a [9, 10, 11, 13]	The version of android to load structures for.
-s STRUCTPATH	The path to the directory of structure files.
-c CONFIG	The path to the config file to filter.

▶️ Starting binder trace

To start binder trace we need to pick a device and process to attach to. In the following example we use adb and frida-ps to identify a process to attach to on a local emulator. As it's an Android 11 emulator we choose the Android 11 structs directory. Pick the struct directory that most closely matches your version of Android. If you would like structures for a different version of Android, please let us know. Once it's running start using the target app to generate some binder transactions.

> adb devices
List of devices attached
emulator-5554   device

> frida-ps -Ua
 PID  Name           Identifier
----  -------------  ----------------------------
8334  Messaging      com.android.messaging
7941  Phone          com.android.dialer
9607  Settings       com.android.settings

> cd binder_trace
> binder-trace -d emulator-5554 -n Messaging -a 11

⌨️ Controls

🌐 Global

Key	Action
`up`	Move up
`down`	Move down
`shift + up`	Page up
`shift + down`	Page down
`home`	Go to top
`end`	Go to bottom
`tab`	Next pane
`shift + tab`	Previous pane
`ctrl + c`	Copy pane to clipboard
`space`	Pause/Unpause transaction recording
`c`	Clear
`h`	Open help
`r`	Reload config file
`q`	Quit

📈 Frequency pane

Key	Action
`p`	Toggle order asc/desc
`w`	Jump to next interface
`s`	Jump to previous interface
`a`	Toggle all filters on
`n`	Toggle all filters off
`enter`	Toggle Filter

🔎 Config File

To filter define any or all of the interface, method, type and inclusive options. To not use an option leave it blank ""

Without -c argument

> binder-trace -d emulator-5554 -n Contacts -a 13

With -c argument

config.json

{
    "filters": [
        {
            "interface": "android.gui.IDisplayEventConnection",
            "method": "requestNextVsync",
            "type": "",
            "inclusive": false
        },
        {
            "interface": "android.content.IContentProvider",
            "method": "",
            "type": "call",
            "inclusive": false
        }
    ]
}

> binder-trace -d emulator-5554 -n Contacts -a 13 -c .\binder_trace\binder_trace\config.json

android.gui.IDisplayEventConnection->requestNextVsync->"" and android.content.IContentProvider->"" ->call have been filtered out

binder-trace's People

Contributors

Stargazers

Watchers

binder-trace's Issues

unable to connect to remote frida-server: closed

Hi , Appreciate your work on tool.
I was digging in the tool , but seems it failed to detect Frida server, even if it's running, Attaching POC for same, help me if I am missing anything.
Test device : macOS Ventura ( silicon - M1 Pro )
Android Device : Emulator - API 33

How to make struct file from android?

May I ask what tool or method you used to extract the binder structure from Android？

Mac Support

Is there anyway we can run this on mac ?

all windows are empty and getting an error in the parsing log

Hello,
I installed on Mac, not sure if I need xclip and xsel as well?

when I attach to an app, all the windows are empty:

in the parser log I get :

2023-11-06 14:56:04,721: ERROR module 'binder_trace.constants' has no attribute 'ANDROID_VERSION'
2023-11-06 14:56:04,722: ERROR Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/generator.py", line 66, in _message_handler
    block = parsing.on_message(self.struct_store, message, data, self.android_version)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 55, in on_message
    block = on_message_in(struct_store, parcel, block_metadata["code"])
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 125, in on_message_in
    token = parcel.parse_field("interface-token", "", parcel.read_interface_token)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 34, in parse_field
    read_func(field)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 188, in read_interface_token
    elif constants.ANDROID_VERSION == 10:
AttributeError: module 'binder_trace.constants' has no attribute 'ANDROID_VERSION'

2023-11-06 14:56:04,735: ERROR module 'binder_trace.constants' has no attribute 'ANDROID_VERSION'
2023-11-06 14:56:04,735: ERROR Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/generator.py", line 66, in _message_handler
    block = parsing.on_message(self.struct_store, message, data, self.android_version)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 55, in on_message
    block = on_message_in(struct_store, parcel, block_metadata["code"])
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 125, in on_message_in
    token = parcel.parse_field("interface-token", "", parcel.read_interface_token)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 34, in parse_field
    read_func(field)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 188, in read_interface_token
    elif constants.ANDROID_VERSION == 10:
AttributeError: module 'binder_trace.constants' has no attribute 'ANDROID_VERSION'

2023-11-06 14:56:04,735: ERROR module 'binder_trace.constants' has no attribute 'ANDROID_VERSION'

binder-trace 1.2.0 unresponsive

Hello, I ran the following command
binder-trace -n Zoom -d emulator-5554 -a 10

and my screen went unresponsive:

log:


2023-11-07 10:53:56,458: INFO Starting injector
2023-11-07 10:53:56,458: INFO Injector started
2023-11-07 10:53:56,465: INFO Injector waiting for stop event
2023-11-07 10:54:00,309: DEBUG Field(name=Token Descriptor, type=string, position=Pos(start=8, end=80), content=[
  Field(name=Length, type=uint32, position=Pos(start=8, end=12), content=32)
  Field(name=Value, type=utf_16_le, position=Pos(start=12, end=78), content=android.app.IActivityTaskManager)])
2023-11-07 10:54:00,310: DEBUG Field(name=Token Descriptor, type=string, position=Pos(start=8, end=80), content=[
  Field(name=Length, type=uint32, position=Pos(start=8, end=12), content=32)
  Field(name=Value, type=utf_16_le, position=Pos(start=12, end=78), content=android.app.IActivityTaskManager)])
2023-11-07 10:54:00,312: ERROR Error occurred in UI: 'key' is an invalid keyword argument for insort_left()
2023-11-07 10:54:00,313: ERROR Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/__main__.py", line 86, in main
    binder_trace.tui.interface.start_ui(injector.block_queue, injector.pause_unpause, config, args.config)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/tui/interface.py", line 431, in start_ui
    ui.run()
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/tui/interface.py", line 315, in run
    app.run()
  File "/opt/homebrew/lib/python3.9/site-packages/prompt_toolkit/application/application.py", line 967, in run
    return loop.run_until_complete(coro)
  File "/opt/homebrew/Cellar/[email protected]/3.9.18/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 634, in run_until_complete
    self.run_forever()
  File "/opt/homebrew/Cellar/[email protected]/3.9.18/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 601, in run_forever
    self._run_once()
  File "/opt/homebrew/Cellar/[email protected]/3.9.18/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 1869, in _run_once
    event_list = self._selector.select(timeout)
  File "/opt/homebrew/lib/python3.9/site-packages/prompt_toolkit/eventloop/inputhook.py", line 129, in select
    self.inputhook(InputHookContext(self._r, input_is_ready))
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/tui/interface.py", line 424, in inputhook
    if ui.process_data():
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/tui/interface.py", line 401, in process_data
    self.frequency_counter.add_record((block.interface, block.method))
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/tui/frequency_counter.py", line 114, in add_record
    self.add(interface_record)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/tui/frequency_counter.py", line 97, in add
    insort_left(
TypeError: 'key' is an invalid keyword argument for insort_left()

2023-11-07 10:54:00,313: INFO Stopping injector
2023-11-07 10:54:00,313: INFO Stop event received
2023-11-07 10:54:00,318: INFO Script unloaded
2023-11-07 10:54:00,318: INFO Injector stopped
2023-11-07 10:54:00,318: INFO Injector stopped.

parse log:


2023-11-07 10:54:00,260: ERROR unpack_from requires a buffer of at least 108 bytes for unpacking 4 bytes at offset 104 (actual buffer size is 104)
2023-11-07 10:54:00,260: ERROR Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 142, in on_message_in
    read_interface_input(call, parcel, root_field)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 310, in read_interface_input
    parse(invar, parcel, parent)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 269, in parse
    parse_value_from_definition(definition, parcel, parent)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parsing.py", line 190, in parse_value_from_definition
    return parcel.parse_field(name, "", reader, parent)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 34, in parse_field
    read_func(field)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 424, in readStrongBinder
    self.parse_field("status", "uint32", self.readUint32, parent)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 34, in parse_field
    read_func(field)
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 112, in readUint32
    parent.content = self._read_uint32()
  File "/opt/homebrew/lib/python3.9/site-packages/binder_trace/parcel.py", line 115, in _read_uint32
    b = struct.unpack_from("<I", self.data, self.pos)
struct.error: unpack_from requires a buffer of at least 108 bytes for unpacking 4 bytes at offset 104 (actual buffer size is 104)

Being able to save out the binary data from a packet would be handy

I want to be able to easily clear the capture history

Eg pressing c should just clear the current messages. This makes it easier to investigate specific app functionality.

find Service provider

Can this tool directly find the corresponding Servervice Provider?

Catching transactions on application launch

Is it possible to launch the app after I attach? I want to catch the transactions when I launch my app, but I could only attach after I launch the app, so I miss those transactions at the start.

Python 3.12 support

The library asyncore has been removed as of Python 3.12. It has been deprecated in favour as asyncio, but is currently being used by binder-trace.

Improve error logging and display

If there is an error parsing a structure (normally due to a bug in the code) it is not shown or logged anywhere. At a minimum we should get it logged to a file so people can report bugs easily. Ideally there should also be a way of showing the error. This could be by including it in the structure window or probably more easily have a key that opens a popup panel with the error details.

IContentProvider messages are often missing most/all content but are still shown in blue

Doing a simple test with the Messages app in an Android 13 emulator gives android.content.IContentProvider messages (eg update) which are shown in blue - indicating they parsed correctly - and with content visible in the hex dump, but with only the basic header information shown in the details pane.

A transaction frequency display would be nice

To show all the types of calls made and how many times they were made

Can hwbinder be supported?

I want to trace hal service which use hwbinder, can it be supported?

Error issues.

yntaxError: invalid syntax
┌──(root💀r0env)-[/binder-trace/binder_trace]
└─# python3.9 -m binder_trace -d 07995251BJ100623 -n Calculator -s ../structs/android11
Traceback (most recent call last):
File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/root/binder-trace/binder_trace/binder_trace/main.py", line 9, in
import binder_trace.structure
File "/root/binder-trace/binder_trace/binder_trace/structure.py", line 7, in
import binder_trace.overrides
File "/root/binder-trace/binder_trace/binder_trace/overrides.py", line 21
match parcelType:
^
SyntaxError: invalid syntax
┌──(root💀r0env)-[/binder-trace/binder_trace]

In kali, show this. how can i Solve it?

Android 12 structures

Would you be able to add android 12 structures to this repository? Or instructions on how to generate the structures. Cheers 👍

When selecting type in filters the enter key does not close dialog

When you try to select a direction from the types field it uses enter to select it and therefore, enter will not work to close the dialog anymore.

Improve string field rendering

The current representation of string field is as follows:

 Token Descriptor: string
      Length: 36
      Value: android.os.INetworkManagementService

When showing string arrays etc. this is a very verbose output format. It would be better to specialise the output from string fields so its rendered something like:

Token Descriptor: string (36) "Value: android.os.INetworkManagementService"

The hexdump view also supports showing multiple selections at once so this ticket should cover highlighting the size and string content separately.

Android 8 Support

Hi. Could we please have the structs for Android 8. I'm trying to give this a go on an older device that's having binder leaking issues. Would be much appreciated. Thank you. I've tried using -a 9 and -a10 with the device but it shows no Binder activity at all, so I'm guessing its the Android version that's the problem.

It would be nice to filter/search on message contents

Eg a string

Add to pypi

The install instructions should really be pip install binder_trace and launch with binder_trace.