被hook的内容,需要放在Java.perform中
function hook_java() {
Java.perform(function () {
});
}
一般被hook的内容
var LoginActivity = Java.use("类名");
LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = function (str, str2) {
var result = this.a(str, str2);
return result;
};
主动调用
var clazz = Java.use("类名");
clazz.static_var.value = something;
clazz.static_func();
Java.choose("类名", {
onMatch: function (instance) {
instance.nonStaticFunc(arg);
},
onComplete: function () {
}
});
hook内部类
var InnerClasses = Java.use("com.abc.abc$InnerClasses");
hook 类的多个函数
var clazz = Java.use(class_name);
var all_methods = clazz.class.getDeclaredMethods();
for (var i = 0; i < all_methods.length; i++) {
var method = (all_methods[i]);
var methodStr = method.toString();
var substring = methodStr.substr(methodStr.indexOf(class_name) + class_name.length + 1);
var methodname = substring.substr(0, substring.indexOf("("));
InnerClasses[methodname].implementation = function () {
}
}
设置有相同函数名的成员变量的值
instance._same_name_bool_var.value = true;
hook 动态加载的dex
Java.enumerateClassLoaders({
onMatch: function (loader) {
try {
if (loader.findClass("类名")) {
console.log(loader);
Java.classFactory.loader = loader;
}
} catch (error) {
}
}, onComplete: function () {
}
});
枚举Class
Java.enumerateLoadedClasses({
onMatch: function (name) {
if (name.indexOf("类名") >= 0) {
console.log(name);
}
}, onComplete: function () {
}
})
frida启动
frida -U --no-pause -f com.package.abc --l hook.js
hook构造方法
var a = Java.use("类名");
a.$init.implementation = function (a,b,c) {
this.$init(a,b,c);
};
打印堆栈
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
动态加载dex
Java.openClassFile("/data/local/tmp/dex.dex").load();
class转jar,转dex
jar -cvf something.jar something.class
dx --dex --output=something.dex something.jar
android_ndk 下的 d8 命令,直接class ——> dex
hook native func
var v_funcName = Module.findExportByName("libnative.so", "funcName");
Interceptor.attach(v_funcName, {
onEnter: function (args) {
}, onLeave: function (retval) {
}
});
var base_libnative = Module.findBaseAddress("libnative.so.so");
var sub_func = base_libnative.add(funcAddr_In_so);
Interceptor.attach(sub_func, {
onEnter: function (args) {
}, onLeave: function (retval) {
}
});
var module_libart = Process.findModuleByName("libart.so");
var symbols = module_libart.enumerateSymbols();
var addr_GetStringUTFChars = null;
var addr_FindClass = null;
var addr_GetStaticFieldID = null;
var addr_SetStaticIntField = null;
for (var i = 0; i < symbols.length; i++) {
var name = symbols[i].name;
if (name.indexOf("art") >= 0) {
if ((name.indexOf("CheckJNI") == -1) && (name.indexOf("JNI") >= 0)) {
if (name.indexOf("GetStringUTFChars") >= 0) {
console.log(name);
addr_GetStringUTFChars = symbols[i].address;
} else if (name.indexOf("FindClass") >= 0) {
console.log(name);
addr_FindClass = symbols[i].address;
} else if (name.indexOf("GetStaticFieldID") >= 0) {
console.log(name);
addr_GetStaticFieldID = symbols[i].address;
} else if (name.indexOf("SetStaticIntField") >= 0) {
console.log(name);
addr_SetStaticIntField = symbols[i].address;
}
}
}
}
var addr_fopen = Module.findExportByName("libc.so", "fopen");
var addr_fputs = Module.findExportByName("libc.so", "fputs");
var addr_fclose = Module.findExportByName("libc.so", "fclose");
var fopen = new NativeFunction(addr_fopen, "pointer", ["pointer", "pointer"]);
var fputs = new NativeFunction(addr_fputs, "int", ["pointer", "pointer"]);
var fclose = new NativeFunction(addr_fclose, "int", ["pointer"]);
var filename = Memory.allocUtf8String("/sdcard/reg.dat");
var open_mode = Memory.allocUtf8String("w+");
var file = fopen(filename, open_mode);
从地址获取字符串
var c_String = ptr(0x1234).readCString()
一些字符串处理
TODO
frida 的api来写文件
var file = new File("/sdcard/txt.txt", "w");
file.write("12345abcd");
file.flush();
file.close();
打印Java对象的内容
Java.openClassFile("/data/local/tmp/r0gson.dex").load();
const gson = Java.use("com.r0ysue.gson.Gson");
console.log(gson.$new().toJson(XXX));
JSON.stringify()
frida中构造Java数组
var values = Java.array('int', [100, 101, 102]);
接口interface、Java.register
var beer = Java.registerClass({
name : 'com.android.beer',
implements : [Java.use('com.android.water')],
methods : {
funcA : function(arg1,arg2){
},
funcB : function(arg1,arg2){
return arg1 + arg2;
},
}
});
console.log("beer.funcA :" , beer.$new().funcA());
Remote Procedure Call 远程调用
function invoke(){
Java.perform(function(){
Java.choose("",{
onMatch:function(instance){
instance.secret();
},onComplete:function(){}
})
})
}
source = """
rpc.exports = {
add: function (a, b) {
return a + b;
},
sub: function (a, b) {
return new Promise(function (resolve) {
setTimeout(function () {
resolve(a - b);
}, 100);
});
}
invokeFunc:invoke
};
"""
script = session.create_script(source) # 加载脚本
script.on('message', on_message)
script.load()
print(script.exports.add(2, 3)) # 远程调用
print(script.exports.sub(5, 3))
session.detach()
动态修改
Java.perform(function () {
var tv_class = Java.use("android.widget.TextView");
tv_class.setText.overload("java.lang.CharSequence").implementation = function (x) {
var string_to_send = x.toString();
var string_to_recv;
send(string_to_send);
recv(function (received_json_object) {
string_to_recv = received_json_object.my_data
console.log("string_to_recv: " + string_to_recv);
}).wait();
return this.setText(string_to_recv);
}
});
import time
import frida
def my_message_handler(message, payload):
print message
print payload
if message["type"] == "send":
print message["payload"]
data = message["payload"].split(":")[1].strip()
print 'message:', message
data = data.decode("base64")
user, pw = data.split(":")
data = ("admin" + ":" + pw).encode("base64")
print "encoded data:", data
script.post({"my_data": data})
print "Modified data sent"
device = frida.get_usb_device()
pid = device.spawn(["com.roysue.demo04"])
device.resume(pid)
time.sleep(1)
session = device.attach(pid)
with open("s4.js") as f:
script = session.create_script(f.read())
script.on("message", my_message_handler)
script.load()
raw_input()
TODO