frida hook java 函数_frida hook常用函数分享

本帖最后由 骇客之技术 于 2020-6-12 13:33 编辑

1. 免写参数

// Java prototype: encodeRequest(int i, String str, String str2, String str3, String str4, String str5, byte[] bArr, int i2, int i3, String str6, byte b, byte b2, byte[] bArr2, boolean z)

// Hook without spelling out all 14 parameters: whatever the caller passed is
// forwarded unchanged to the original method.
// NOTE(review): this assumes encodeRequest has a single overload; with several
// overloads Frida expects an explicit .overload(...) selection — confirm.
const CodecWarpper = Java.use("xx.CodecWarpper");

CodecWarpper.encodeRequest.implementation = function (...args) {
  // Run the original implementation with the untouched argument list.
  const result = this.encodeRequest.apply(this, args);

  // Arguments (args) and the return value (result) can be logged here.

  return result;
};

2. jstring, jbytearray 输出

// Wrap a raw Java String handle (jstring) as a Frida java.lang.String object
// so it can be printed or inspected.
// NOTE(review): `result` is only populated if Java.perform runs its callback
// synchronously (the case when the VM is already attached, e.g. inside a
// hook); otherwise the function returns undefined — confirm for the call site.
function jstring2Str(jstring) {
  let result;

  Java.perform(() => {
    const JavaString = Java.use("java.lang.String");
    result = Java.cast(jstring, JavaString);
  });

  return result;
}

// Turn a raw Java byte[] handle (jbyteArray) into a Frida byte array
// (Java.array('byte', ...)) that can be indexed from JavaScript.
// NOTE(review): as with jstring2Str, the value is only set when Java.perform
// runs the callback synchronously — confirm for the call site.
function jbyteArray2Array(jbyteArray) {
  let result;

  Java.perform(() => {
    const ByteArrayType = Java.use('[B');
    const typedHandle = Java.cast(jbyteArray, ByteArrayType);
    result = Java.array('byte', typedHandle);
  });

  return result;
}

其它类型可以参考上面的写法

3. bytes2Hex

java中 byte范围 -128~127

无符号字节（16进制输出）范围 0 ~ 255

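// Format an array of Java bytes (signed, -128..127) as upper-case hex,
// e.g. [-1, 10] -> "[ FF 0A ]". Values already in 0..255 pass through.
// A null/undefined or empty array yields "[ ]".
//
// Fix: a negative byte must be offset by 256 (not 255) to reach its
// unsigned value: -1 is 0xFF, not 0xFE.
function bytes2Hex(arr) {
  const bytes = arr ?? [];
  let out = "[";

  for (let i = 0; i < bytes.length; i += 1) {
    let value = Number.parseInt(bytes[i], 10);

    // Two's-complement: map a signed Java byte onto 0..255.
    if (value < 0) {
      value += 256;
    }

    out += ` ${value.toString(16).padStart(2, "0")}`;
  }

  return `${out} ]`.toUpperCase();
}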

4. 获取方法名

// Name of the Java method currently executing on this thread, taken from
// the thread's stack trace.
// NOTE(review): frame index 2 is assumed to skip getStackTrace() itself and
// the caller frame; which method it lands on depends on where this helper is
// invoked from — confirm against the hook that uses it.
function getMethodName() {
  let name;

  Java.perform(() => {
    const Thread = Java.use("java.lang.Thread");
    const frames = Thread.currentThread().getStackTrace();
    name = frames[2].getMethodName();
  });

  return name;
}

5. 打印堆栈

// Print the current Java call stack: a fresh java.lang.Exception is created
// and formatted with android.util.Log.getStackTraceString.
function showStacks() {
  Java.perform(() => {
    const Log = Java.use("android.util.Log");
    const JavaException = Java.use("java.lang.Exception");
    console.log(Log.getStackTraceString(JavaException.$new()));
  });
}

6. 输出类所有方法名

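// Print and return the declared methods of `targetClass` (a fully qualified
// Java class name as accepted by Java.use).
//
// Fix: the original re-declared `ret` with `var` inside the callback, so the
// outer variable was never assigned and the function always returned
// undefined.
function enumMethods(targetClass) {
  let methods;

  Java.perform(() => {
    const clazz = Java.use(targetClass);
    methods = clazz.class.getDeclaredMethods();

    methods.forEach((method) => {
      console.log(method);
    });
  });

  return methods;
}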

7. hook 所有重载函数

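// Hook every overload of `targetClass.targetMethod`, passing each call
// through to the original. Arguments/return values can be logged inside
// the replacement.
//
// Changes: the unused `targetClassMethod` local is dropped, and each
// replacement calls the exact overload it replaced instead of going back
// through the name-based dispatcher, which has to re-select an overload
// from the runtime argument types.
function hookAllOverloads(targetClass, targetMethod) {
  Java.perform(() => {
    const clazz = Java.use(targetClass);
    const overloads = clazz[targetMethod].overloads;

    for (const overload of overloads) {
      overload.implementation = function (...args) {
        // `this` is the instance wrapper, so the overload runs on it.
        const result = overload.apply(this, args);

        // Arguments (args) and the result can be logged here.

        return result;
      };
    }
  });
}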

8. 输出 byte[] 等 java 对象

// Serialise an object with JSON.stringify (handy for plain JS arrays such
// as the result of jbyteArray2Array).
// NOTE(review): for Frida Java wrapper objects the JSON reflects the wrapper
// object, not necessarily the Java object's fields — confirm per type.
function jobj2Str(jobject) {
  return JSON.stringify(jobject);
}

9. dump 地址

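// Print a hexdump of `length` bytes starting at `address` (a NativePointer).
// `length` defaults to 1024 when omitted.
//
// Fix: `length || 1024` treated an explicit 0 as "not given"; `??` only
// substitutes the default for null/undefined.
function dumpAddr(address, length) {
  const size = length ?? 1024;

  console.log(hexdump(address, {
    offset: 0,
    length: size,
    header: true,
    ansi: false,
  }));
}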

10. ArrayBuffer 转换

// Render an ArrayBuffer as space-separated upper-case hex bytes wrapped in
// brackets, e.g. "[00 FF 10]". An empty buffer gives "[]".
function ab2Hex(buffer) {
  const bytes = new Uint8Array(buffer);
  const hexBytes = Array.from(bytes, (byte) => byte.toString(16).padStart(2, "0"));
  const joined = hexBytes.join(" ").toUpperCase();

  return `[${joined}]`;
}

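// Decode an ArrayBuffer as one character per byte (byte value == char code,
// i.e. Latin-1 style). This is not UTF-8 decoding.
//
// Fix: String.fromCharCode.apply(null, bytes) passes every byte as a call
// argument and throws a RangeError once the buffer exceeds the engine's
// argument limit; convert in bounded chunks instead.
function ab2Str(buffer) {
  const CHUNK = 8192;
  const bytes = new Uint8Array(buffer);
  const parts = [];

  for (let i = 0; i < bytes.length; i += CHUNK) {
    parts.push(String.fromCharCode(...bytes.subarray(i, i + CHUNK)));
  }

  return parts.join("");
}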

11. 获取类型

// Describe the type of `obj`: "null" / "undefined" for nullish values,
// otherwise the tag reported by Object.prototype.toString
// (e.g. "Array", "String", "Function", "Object").
function getParamType(obj) {
  if (obj == null) {
    return String(obj);
  }

  const tag = Object.prototype.toString.call(obj);
  const typeName = tag.replace(/\[object\s+(\w+)\]/i, "$1");

  // Kept from the original: fall back to "object" for an empty name.
  return typeName || "object";
}

12. hook native 函数

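// Attach `callback` ({ onEnter, onLeave }) to the native export `funName`.
// `moduleName` is optional; when omitted, all loaded modules are searched.
// If the export cannot be found yet (library not loaded), the lookup is
// retried every second until it appears — note there is no upper bound on
// the number of retries.
//
// Changes: the callback check accepts a callback that defines only one of
// onEnter/onLeave (Interceptor.attach supports either); the redundant
// NativePointer re-wrapping of the found address is dropped; semicolons and
// const/let are used throughout.
function hookNativeFun(callback, funName, moduleName) {
  const RETRY_MS = 1000;
  const module = moduleName || null;

  const hasOnEnter = typeof callback?.onEnter === "function";
  const hasOnLeave = typeof callback?.onLeave === "function";
  if (!hasOnEnter && !hasOnLeave) {
    console.log("callback error");
    return;
  }

  const address = Module.findExportByName(module, funName);

  if (address == null) {
    // Export not visible yet; poll again later with the same arguments.
    setTimeout(hookNativeFun, RETRY_MS, callback, funName, module);
    return;
  }

  console.log(`${funName} hook ok`);
  Interceptor.attach(address, callback);
}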

以上为分析某款软件协议所写, 部分参考于网络~

不定期更新!

欢迎各位补充~
