Notes on Using the Frida Framework

Preface

I recently came across the Frida framework and found it remarkable: it hooks methods just like Xposed does, but with far less hassle, and installation is very simple. For installation, see this article.

XposedHook

Here the same task is first implemented with the Xposed framework. It is fairly simple, so I won't go into detail.
The main code is as follows:

import android.os.Bundle;
import android.util.Log;
import java.lang.reflect.Method;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
// Class name assumed here; the post only shows the handleLoadPackage method.
public class HookMain implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        if (loadPackageParam.packageName.equals("com.example.seccon2015.rock_paper_scissors")) {
            Log.d("hx", "handleLoadPackage: " + loadPackageParam.packageName);
            // Hook MainActivity.onCreate(Bundle) and run our code after the original method
            XposedHelpers.findAndHookMethod("com.example.seccon2015.rock_paper_scissors.MainActivity", loadPackageParam.classLoader, "onCreate", Bundle.class, new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    // Call the app's own calc() via reflection and derive the flag from its result
                    Method calc = XposedHelpers.findMethodBestMatch(param.thisObject.getClass(), "calc");
                    int resultkey = (int) calc.invoke(param.thisObject);
                    String flag = "SECCON{" + String.valueOf((1000 + resultkey) * 107) + "}";
                    Log.d("hx", "afterHookedMethod: " + flag);
                }
            });
        } else {
            XposedBridge.log("can't find the package!");
        }
    }
}

FridaHook

Below is the code given on the official Frida site:

import frida, sys

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

jscode = """
Java.perform(function () {
    // Function to hook is defined here
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');

    // Whenever button is clicked
    MainActivity.onClick.implementation = function (v) {
        // Show a message to know that the function got called
        send('onClick');

        // Call the original onClick handler
        this.onClick(v);

        // Set our values after running the original onClick handler
        this.m.value = 0;
        this.n.value = 1;
        this.cnt.value = 999;

        // Log to the console that it's done, and we should have the flag!
        console.log('Done:' + JSON.stringify(this.cnt));
    };
});
"""

process = frida.get_remote_device().attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()

Let's focus on how this is used, step by step.

# Python host side: on_message receives the data the JavaScript code sends back
import frida

def on_message(message, data):
    if message['type'] == "send":
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

# Attach Frida to the app to be instrumented (the package name goes between the quotes)
process = frida.get_remote_device().attach("")
# Use create_script to inject the JavaScript block (jscode, shown above) into the app
script = process.create_script(jscode)
# Register the handler for data the script sends back
script.on('message', on_message)
# Load the JavaScript block
script.load()

// JavaScript agent side, inside Java.perform so the Java VM is available
Java.perform(function () {
    // Get a wrapper for the class to hook (the class name is left out in the post)
    var MainActivity = Java.use('...');
    // Hook MainActivity.onClick and replace its implementation
    MainActivity.onClick.implementation = function (v) {
        send("click");
        // this.onClick(v);   // uncomment to still run the original handler
        // console.log writes to the console
        console.log("Done");
    };
});
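As an added example (not from the post or from the Frida project), the host-side script below separates the attach/inject sequence from a message handler that distinguishes the two message types Frida delivers to script.on('message'): 'send' for the agent's send() calls and 'error' for uncaught exceptions inside the agent, which the handler above only prints raw. The package name is the post's; parse_message, on_message and run_hook are names I chose, and the sample messages are constructed.

```python
def parse_message(message, data=None):
    """Normalise a raw Frida message. 'send' carries the agent's send()
    payload (a binary second argument to send() arrives in `data`); 'error'
    is an uncaught exception in the agent, with description and location."""
    kind = message.get("type")
    if kind == "send":
        return {"kind": "send",
                "payload": message.get("payload"),
                "data_len": len(data) if data is not None else 0}
    if kind == "error":
        where = "%s:%s" % (message.get("fileName", "<agent>"),
                           message.get("lineNumber", "?"))
        return {"kind": "error",
                "description": message.get("description", ""),
                "where": where,
                "stack": message.get("stack", "")}
    return {"kind": "unknown", "raw": message}  # keep unexpected input verbatim


def on_message(message, data):
    """Callback with the (message, data) signature script.on('message') expects."""
    rec = parse_message(message, data)
    if rec["kind"] == "send":
        print("[*] %s (%d bytes of data)" % (rec["payload"], rec["data_len"]))
    elif rec["kind"] == "error":
        print("[!] agent error at %s: %s\n%s"
              % (rec["where"], rec["description"], rec["stack"]))
    else:
        print("[?] %r" % (rec["raw"],))


def run_hook(package, jscode, device=None):
    """attach -> create_script -> on('message') -> load, as in the post; frida is
    imported lazily so the parser above runs without it, and the script is
    returned so the caller can unload() the hook later."""
    if device is None:
        import frida  # assumed available via `pip install frida`
        device = frida.get_remote_device()
    session = device.attach(package)
    script = session.create_script(jscode)
    script.on("message", on_message)
    script.load()
    return script


# Constructed sample messages in the shape Frida delivers them (not captured output).
SAMPLE_SEND = {"type": "send", "payload": "onClick"}
SAMPLE_ERROR = {"type": "error", "description": "ReferenceError: m is not defined",
                "fileName": "/script1.js", "lineNumber": 12, "columnNumber": 9,
                "stack": "ReferenceError: m is not defined\n    at onClick (/script1.js:12)"}
```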

Summary

Reference links:
Original article
APK download
https://www.frida.re/docs/functions/
https://www.frida.re/docs/messages/
