I have recently been learning to use Frida, mainly because Xposed is no longer easy to install on Android 7 and later. I am writing this article so that the next time I need Frida I can simply follow the recorded steps.
Installation and environment setup
- Install frida on the PC
C:\Users\user>pip install frida
- Phone-side setup
- Download frida-server from
https://github.com/frida/frida/releases
After downloading, push it to the phone (the phone should be rooted first):
C:\Users\user>adb root
C:\Users\user>adb remount
C:\Users\user>adb push D:\work\demo\Frida\frida-server-14.0.8-android-arm\frida-server-14.0.8-android-arm /data/local/tmp/frida-server
Update 2021-06-03
PS C:\Users\user> adb push E:\work\main_dir\code\Python_job\Frida\frida-server-14.2.18-android-arm\frida-server-14.2.18-android-arm /data/local/tmp/frida-server
End of update
- Change permissions
C:\Users\user>adb -s 16744485 shell
root# cd /data/local/tmp/
/data/local/tmp # chmod 777 frida-server
- Run
adb shell ./data/local/tmp/frida-server
/data/local/tmp # ./frida-server
- Port forwarding
C:\Users\user>adb -s 16744485 forward tcp:27043 tcp:27043
C:\Users\user>adb -s 16744485 forward tcp:27042 tcp:27042
If only one device is connected, simply:
C:\Users\user>adb forward tcp:27043 tcp:27043
C:\Users\user>adb forward tcp:27042 tcp:27042
Frida is now running; all that remains is writing the hook code.
Writing the code
- The class and method to hook
public class MainActivity extends AppCompatActivity
        implements NavigationView.OnNavigationItemSelectedListener {
    Button mTest;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Toolbar toolbar = (Toolbar) findViewById(R.id.toolbar);
        setSupportActionBar(toolbar);
        FloatingActionButton fab = (FloatingActionButton) findViewById(R.id.fab);
        fab.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                Snackbar.make(view, "Replace with your own action", Snackbar.LENGTH_LONG)
                        .setAction("Action", null).show();
            }
        });
        mTest = (Button) findViewById(R.id.test_btn);
        mTest.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                //startActivity(new Intent(MainActivity.this, BIanjiActivity.class));
                String re = getTest("weuou");
                Log.d("Fuck", "reshih = " + re);
            }
        });
    }

    private String getTest(String ss) {
        Log.d("Fuck", "ss =" + ss);
        return "123" + ss + "222";
    }
}
This is simple test code, used only to check whether the return value of getTest can be modified.
- Python code
import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.vovo.voffice")  # package name of the APK to hook
src = """
Java.perform(function(){
    var mainAc = Java.use("com.vovo.voffice.MainActivity");
    mainAc.getTest.overload("java.lang.String").implementation = function () {
        send("Hook Start...");
        var arg = arguments[0];
        send("getTest arg:" + arg);
        var res = this.getTest("5656");
        send("getTest res:" + res);
        return this.getTest("5656") + "yyyy";
    }
});
"""
script = session.create_script(src)

def on_message(message, data):
    print(message)
    print(data)

script.on("message", on_message)
script.load()
sys.stdin.read()
Result of running it:
logcat:
08-10 17:01:06.286: D/Fuck(4923): ss =5656
08-10 17:01:06.296: D/Fuck(4923): ss =5656
08-10 17:01:06.297: D/Fuck(4923): reshih = 1235656222yyyy
Python output log:
{'type': 'send', 'payload': 'Hook Start...'}
None
{'type': 'send', 'payload': 'getTest arg:weuou'}
None
{'type': 'send', 'payload': 'getTest res:1235656222'}
None
As the logs show, getTest was called twice, which is why logcat printed ss =5656 twice.
The final value, however, is what return this.getTest("5656") + "yyyy"; produces:
reshih = 1235656222yyyy
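As an added example (not the author's code), here is a variant of the Python driver above: the hook calls the original getTest only once, and the message handler distinguishes Frida "send" payloads from script "error" messages, which the print-everything handler above shows only as a raw dict. The package and class names are those of this post; the JS hook text is rewritten for the example.

```python
import json
import sys

# Constructed for this example: package and class taken from the post above.
PACKAGE = "com.vovo.voffice"
TARGET_CLASS = "com.vovo.voffice.MainActivity"

# Same hook as above, but the original is called once and send() carries an object.
HOOK_JS = """
Java.perform(function () {
    var mainAc = Java.use("%s");
    mainAc.getTest.overload("java.lang.String").implementation = function (ss) {
        var res = this.getTest("5656");   // original called exactly once
        send({event: "getTest", arg: ss, original: res, patched: res + "yyyy"});
        return res + "yyyy";
    };
});
"""

def build_script(target_class=TARGET_CLASS):
    """Return the hook source with the target class filled in."""
    return HOOK_JS % target_class

def format_message(message, data=None):
    """Render one Frida message as a log line: 'send' messages carry the send()
    payload, 'error' messages carry a JS exception (description, fileName,
    lineNumber, stack); a handler that drops errors hides a hook that throws."""
    kind = message.get("type")
    if kind == "send":
        payload = message.get("payload")
        if isinstance(payload, dict):
            payload = json.dumps(payload, sort_keys=True)
        return "[send] %s" % payload
    if kind == "error":
        return "[error] %s at %s:%s\n%s" % (
            message.get("description"), message.get("fileName"),
            message.get("lineNumber"), message.get("stack", ""))
    return "[%s] %s" % (kind, message)

def main():
    import frida  # imported here so the helpers above run without a device
    device = frida.get_remote_device()  # reached via the adb forward set up above
    session = device.attach(PACKAGE)
    script = session.create_script(build_script())
    script.on("message", lambda msg, data: print(format_message(msg, data)))
    script.load()
    sys.stdin.read()

if __name__ == "__main__":
    main()
```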
That concludes this simple tutorial; if I use Frida on a real case later, I will keep adding notes here.
3. Delayed hooking of a .so library
// Name of the library whose loading we wait for (placeholder; the original omitted this definition).
var soName = "libtarget.so";

function hookAll(){
    // ... hooks on the library's exports go here; they can only be resolved once it is mapped
}

function hookMain(){
    Java.perform(function () {
        var dlopen = Module.findExportByName("libc.so", "dlopen");
        var find = 0;
        // Note: on Android 7+ System.loadLibrary goes through android_dlopen_ext,
        // so hooking only dlopen may miss the load on newer devices.
        Interceptor.attach(dlopen, {
            onEnter: function(args) {
                var addr = args[0];
                var str = Memory.readCString(addr);   // path passed to dlopen
                // console.log("dlopen ", str);
                if (str !== null && str.indexOf(soName) >= 0) {
                    find = 1;
                    console.log("dlopen:", str);
                } else {
                    find = 0;
                }
            },
            onLeave: function(retval) {
                if (find > 0) {
                    hookAll();   // library is loaded now, so its symbols can be hooked
                }
            }
        });
    });
}
References
Official site: https://www.frida.re/docs/android/
GitHub: https://github.com/frida/frida/releases
Android逆向之旅---Hook神器家族的Frida工具使用詳解 (Chinese article: "Android reversing journey: a detailed guide to the Frida hooking tool")