android逆向神器之firda

这东西ios和android有部分相似
ios装插件,android是个原生的arm包,放进去运行一下。不过要端口转发如下:

echo hello world!!
source ~/.bash_profile
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
echo work

写成了脚本,没啥好说的。
花了些时间写了个挂钩脚本模版,留着以后用:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import frida
import sys
import optparse
import re

global session

def enume_proc():
    global session
    rdev = frida.get_remote_device()
    session = rdev.attach("com.tencent.mm")  
    modules = session.enumerate_modules()
    for module in modules:
        print module
        export_funcs = module.enumerate_exports()
        print "\tfunc_name\tRVA"
        for export_func in export_funcs:
            print "\t%s\t%s"%(export_func.name,hex(export_func.relative_address))

#枚举某个进程加载的所有模块
def proc_module_show():
    global session
    rdev = frida.get_remote_device()
    session = rdev.attach("com.tencent.mm")  #如果存在两个一样的进程名可以采用rdev.attach(pid)的方式
    modules = session.enumerate_modules()
    for module in modules:
        print module
        export_funcs = module.enumerate_exports()
        print "\tfunc_name\tRVA"
        for export_func in export_funcs:
            print "\t%s\t%s"%(export_func.name,hex(export_func.relative_address))


#hook native函数
def native_hook(name):
    global session
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    scr = """
    Interceptor.attach(Module.findExportByName("libc.so" , "open"), {
        onEnter: function(args) {
            send("open("+Memory.readCString(args[0])+","+args[1]+")");
        },
        onLeave:function(retval){

        }
    });
    """
    script = session.create_script(scr)
    script.on("message" , on_message)
    script.load()
    sys.stdin.read()


'''如下代码为hook微信(测试版本为6.3.13,不同版本由于混淆名字的随机生成的原因或者代码改动导致名称不一样)com.tencent.mm.sdk.platformtools.ay类的随机数生成函数,让微信猜拳随机(tye=2),二摇色子总是为6点(type=5)'''
def hook(name):
    global session
    print name
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    scr = """
    Java.perform(function () {
    var ay = Java.use("com.sina.deviceidjnisdk.DeviceId");
    DeviceId.getDeviceId.implementation = function(){
        var type = arguments[0];
        send("type="+type);
        var result=this.getDeviceId();
        send("reuslt="+result)
        return result;
    };
    });
    """
    script = session.create_script(scr)
    script.on("message" , on_message)
    script.load()
    sys.stdin.read()
def on_message(message ,data):
    print message

'''枚举手机进程'''
def enume_proc():
    rdev = frida.get_remote_device()
    processes = rdev.enumerate_processes()
    for process in processes:
        print process
def find_proc(name):
    rdev = frida.get_remote_device()
    processes = rdev.enumerate_processes()
    for process in processes:
        if process.name==name:
            return True
    return False
def main():
    if len(sys.argv)>2:
        name=sys.argv[2]
    else:
        name="com.sina.weibo"

    if sys.argv[1]=='ps':
        enume_proc()

    elif sys.argv[1]=='hookjava':
        #等待程序启动,直接附加
        print "please app waiting launched..."
        while True:
            if find_proc(name)==False:
                continue
            else:
                break
        print "find process"
        hook(name)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        if session:
            session.detach()
        sys.exit()
    else:
        pass
    finally:
        pass

据说还可以注入dex没试,记录下:



'''通过friada向android进程注入dex'''

def on_message2(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

jscode = """
Java.perform(function () {
    var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
    var context = currentApplication.getApplicationContext();
    var pkgName = context.getPackageName();
    var dexPath = "%s";
    var entryClass = "%s";
    Java.openClassFile(dexPath).load();
    console.log("inject " + dexPath +" to " + pkgName + " successfully!")
    Java.use(entryClass).%s("%s");
    console.log("call entry successfully!")
});
"""

def checkRequiredArguments(opts, parser):
    missing_options = []
    for option in parser.option_list:
        if re.match(r'^\[REQUIRED\]', option.help) and eval('opts.' + option.dest) == None:
            missing_options.extend(option._long_opts)
    if len(missing_options) > 0:
        parser.error('Missing REQUIRED parameters: ' + str(missing_options))

if __name__ == "__main__":
    usage = "usage: python %prog [options] arg\n\n" \
            "example: python %prog -p com.android.launcher " \
            "-f /data/local/tmp/test.apk " \
            "-e com.parker.test.DexMain/main " \
            "\"hello fridex!\""
    parser = optparse.OptionParser(usage)
    parser.add_option("-p", "--package", dest="pkg", type="string",
                      help="[REQUIRED]package name of the app to be injected.")
    parser.add_option("-f", "--file", dest="dexPath", type="string",
                      help="[REQUIRED]path of the dex")
    parser.add_option("-e", "--entry", dest="entry", type="string",
                      help="[REQUIRED]the entry function Name.")

    (options, args) = parser.parse_args()
    checkRequiredArguments(options, parser)
    if len(args) == 0:
        arg = ""
    else:
        arg = args[0]

    pkgName = options.pkg
    dexPath = options.dexPath
    entry = options.entry.split("/")
    if len(entry) > 1:
        entryClass = entry[0]
        entryFunction = entry[1]
    else:
        entryClass = entry[0]
        entryFunction = "main"

    process = frida.get_usb_device(1).attach(pkgName)
    jscode = jscode%(dexPath, entryClass, entryFunction, arg)
    script = process.create_script(jscode)
    script.on('message', on_message2)
    print('[*] Running fridex')
    script.load()
    sys.stdin.read()

你可能感兴趣的:(日常笔记android)