Replacing image data captured by the iOS camera with Frida?


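I used Frida to hook the camera data function shown in the figure. If I want to replace the image data in it, which data in the sampleBuffer should I replace?
Below is the sampleBuffer parameter printed when hooking that function: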

CMSampleBuffer 0x10f219ec0 retainCount: 1 allocator: 0x1d2711b40
invalid = NO
dataReady = YES
makeDataReadyCallback = 0x0
makeDataReadyRefcon = 0x0
buffer-level attachments:
Orientation(P) = 1
DPIWidth (P) = 72
{Exif} (P) = {
ApertureValue = "2.27500704749987";
BrightnessValue = "2.389935456234674";
ColorSpace = 1;
DateTimeDigitized = "2021:09:09 10:43:07";
DateTimeOriginal = "2021:09:09 10:43:07";
ExifVersion = 0232;
ExposureBiasValue = 0;
ExposureTime = "0.05882352941176471";
FNumber = "2.2";
Flash = 0;
FocalLenIn35mmFilm = 85;
FocalLength = "2.87";
ISOSpeedRatings = (
64
);
LensMake = Apple;
LensModel = "iPhone 7 front camera 2.87mm f/2.2";
LensSpecification = (
"2.87",
"2.87",
"2.2",
"2.2"
);
MeteringMode = 3;
OffsetTime = "+08:00";
OffsetTimeDigitized = "+08:00";
OffsetTimeOriginal = "+08:00";
PixelXDimension = 720;
PixelYDimension = 1280;
SceneType = 1;
SensingMethod = 2;
ShutterSpeedValue = "4.058893689053568";
SubsecTimeDigitized = 275;
SubsecTimeOriginal = 275;
WhiteBalance = 0;
}
{TIFF} (P) = {
DateTime = "2021:09:09 10:43:07";
Make = Apple;
Model = "iPhone 7";
ResolutionUnit = 2;
Software = "14.0";
XResolution = 72;
YResolution = 72;
}
DPIHeight (P) = 72
{MakerApple}(P) = {
1 = 3;
10 = 0;
14 = 4;
3 = {
epoch = 0;
flags = 1;
timescale = 1000000000;
value = 907037707012125;
};
4 = 0;
5 = 204;
51 = 0;
52 = 0;
53 = 0;
58 = 0;
6 = 173;
7 = 1;
8 = (
"0.03708286",
"-0.705703",
"-0.6531051"
);
9 = 0;
}
formatDescription = <CMVideoFormatDescription 0x284fe3d80 [0x1d2711b40]> {
mediaType:'vide'
mediaSubType:'BGRA'
mediaSpecific: {
codecType: 'BGRA' dimensions: 720 x 1280
}
extensions: {{
CVBytesPerRow = 2880;
CVImageBufferColorPrimaries = "ITU_R_709_2";
CVImageBufferTransferFunction = "ITU_R_709_2";
CVImageBufferYCbCrMatrix = "ITU_R_601_4";
Version = 2;
Version = 2;
}}
}
sbufToTrackReadiness = 0x0
numSamples = 1
outputPTS = {907037707012125/1000000000 = 907037.707}(based on outputPresentationTimeStamp)
sampleTimingArray[1] = {
{PTS = {907037707012125/1000000000 = 907037.707}, DTS = {INVALID}, duration = {INVALID}},
}
imageBuffer = 0x287361ae0


Also, for memory addresses like those in the sampleBuffer parameter printed above, how should Frida go about getting the actual values stored there?

https://stackoverflow.com/questions/18811917/nsdata-or-bytes-from-cmsamplebufferref

Construct a CMSampleBufferRef yourself; once you know how to construct one, you'll understand what to replace.