frida hook in java

第一课时 Hook In Java

  • 在 vscode 中获得自动提示：npm i @types/frida-gum

  • hook java层代码

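    /**
     * Template: wrap one Java method so that every call passes through this script.
     *
     * "java class" and `a` are placeholders for the fully qualified class name
     * and the method to observe. Runs only inside a Frida session, where the
     * global `Java` bridge is available.
     */
    function hook_java() {
      Java.perform(function () {
        // Java.use returns a JavaScript wrapper for the named Java class.
        var clazz = Java.use("java class");
        // `a` is the method being wrapped.
        clazz.a.implementation = function (str, str2) {
          // Inside the replacement, this.a still reaches the original method.
          var result = this.a(str, str2);
          // Pass the original result back; without this return the caller
          // would receive undefined instead of the method's real value.
          return result;
        };
      });
    }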
      
  • 启动 frida 并加载脚本：frida -U packageName -l hook.js

  • 调用函数：静态函数可以直接调用，非静态函数要先用 Java.choose 找到对象实例，再通过实例调用

    /**
     * Actively call methods of FridaActivity2 from the script.
     *
     * The static method is called on the class wrapper; the instance method
     * is called on every live object that Java.choose reports.
     */
    function call_FridaActivity2() {
      var TARGET = "com.example.androiddemo.Activity.FridaActivity2";

      // Non-static: the call needs an existing object of the class.
      function invokeOnInstance(instance) {
        instance.setBool_var();
      }

      // Nothing to do once the instance scan has finished.
      function scanFinished() {}

      Java.perform(function () {
        // Static method: callable straight from the class wrapper.
        Java.use(TARGET).setStatic_bool_var();

        Java.choose(TARGET, {
          onMatch: invokeOnInstance,
          onComplete: scanFinished
        });
      });
    }
      
      
  • 直接设置类中的变量：静态变量的值直接修改即可，非静态变量需要先获取它的对象再修改；如果函数的名字和变量一样，就要在变量名前面加一个下划线。

    /**
     * Write the fields of FridaActivity3 directly.
     *
     * The static field is set through the class wrapper; instance fields are
     * set on every live object that Java.choose reports. A field that shares
     * its name with a method is addressed with a leading underscore.
     */
    function call_FridaActivity3() {
      var TARGET = "com.example.androiddemo.Activity.FridaActivity3";

      function patchInstance(instance) {
        // Plain instance field.
        instance.bool_var.value = true;
        // Field whose name collides with a method name: use the "_" prefix.
        instance._same_name_bool_var.value = true;
        console.log(instance.bool_var.value, instance._same_name_bool_var.value);
      }

      function scanFinished() {}

      Java.perform(function () {
        var activityClass = Java.use(TARGET);

        // Static field: written through the class wrapper's .value.
        var staticFlag = activityClass.static_bool_var;
        staticFlag.value = true;
        console.log(activityClass.static_bool_var.value);

        Java.choose(TARGET, {
          onMatch: patchInstance,
          onComplete: scanFinished
        });
      });
    }
      
  • 内部类的函数

    /**
     * Replace check1 … check6 of the inner class FridaActivity4$InnerClasses
     * so that each one returns true.
     *
     * An inner class is addressed by its binary name: Outer$Inner.
     * The example shows that checks evaluated inside the app process can be
     * overridden at runtime by whoever controls the device.
     */
    function hook_InnerClasses() {
      Java.perform(function () {
        var InnerClasses = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");
        console.log(InnerClasses);

        // Same replacement for each of the six methods, in declaration order.
        var checkNames = ["check1", "check2", "check3", "check4", "check5", "check6"];
        checkNames.forEach(function (name) {
          InnerClasses[name].implementation = function () {
            return true;
          };
        });
      });
    }
      
      
  • hook 类的多个函数

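    /**
     * Replace every method declared by FridaActivity4$InnerClasses with a
     * version that logs the receiver and returns true.
     *
     * Method names are read with reflection (Method.getName()) rather than cut
     * out of Method.toString(): the toString() text also contains the return
     * and parameter types, so searching it for the class name picks the wrong
     * position whenever one of those types is the class itself.
     */
    function hook_mul_function() {
      Java.perform(function () {
        var class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";
        var InnerClasses = Java.use(class_name);
        var all_methods = InnerClasses.class.getDeclaredMethods();

        for (var i = 0; i < all_methods.length; i++) {
          var methodname = all_methods[i].getName();
          console.log(methodname);

          // NOTE(review): assumes no declared method is overloaded and that
          // each one returns boolean — confirm against the target class.
          InnerClasses[methodname].implementation = function () {
            console.log("hook_mul_function:", this);
            return true;
          };
        }
      });
    }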
      
  • hook 动态加载的 dex

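    /**
     * Hook DynamicCheck.check, a class that comes from a dex file loaded at
     * runtime and is therefore not visible through the default class loader.
     *
     * Steps: print the runtime class name of the object returned by
     * getDynamicDexCheck(), find the class loader that knows
     * com.example.androiddemo.Dynamic.DynamicCheck, make it the loader used by
     * Java.use, then replace check() so that it returns true.
     */
    function hook_dyn_dex() {
      var ACTIVITY = "com.example.androiddemo.Activity.FridaActivity5";
      var DYNAMIC_CLASS = "com.example.androiddemo.Dynamic.DynamicCheck";

      Java.perform(function () {
        // Show which concrete class the activity actually uses for the check.
        Java.choose(ACTIVITY, {
          onMatch: function (instance) {
            console.log(instance.getDynamicDexCheck().$className);
          },
          onComplete: function () {}
        });

        // Look for the loader that owns the dynamically loaded class.
        Java.enumerateClassLoaders({
          onMatch: function (loader) {
            try {
              if (loader.findClass(DYNAMIC_CLASS)) {
                console.log(loader);
                // Switch the class loader that Java.use resolves names with.
                Java.classFactory.loader = loader;
              }
            } catch (error) {
              // findClass throws when this loader does not know the class;
              // that is expected for most loaders, so move on to the next one.
            }
          },
          onComplete: function () {}
        });

        // If no loader matched above, this Java.use call fails with a
        // class-not-found error.
        var DynamicCheck = Java.use(DYNAMIC_CLASS);
        console.log(DynamicCheck);
        DynamicCheck.check.implementation = function () {
          console.log("DynamicCheck.check");
          return true;
        };
      });
    }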
      
