Preface
Frida's official documentation is not written very well, and some of the examples seem to have problems, so there is no way around studying its source code. The Frida source consists of many modules; here we only look at frida-java-bridge. Why? This module implements the one-way channel from the JS world into the Java world, so the code we care about most lives there. For an introduction to frida-java, see the article 「frida源碼閱讀之frida-java」 (Reading the Frida source: frida-java).
Here I record how I set up the build environment for frida-java.
Environment
VMware 12
Ubuntu 16
Android 8.0
Steps
1. Download, install and configure the software needed on Ubuntu 16
2. Install and configure the JDK
3. Install and configure the SDK
4. Install and configure the NDK
5. Build and install Node.js
6. Build and run frida-java
Setting up the Ubuntu 16 virtual machine itself is skipped here.
Download, install and configure the software needed on Ubuntu 16
Configure a domestic (China) apt mirror
Use the Tsinghua University open-source mirror site
Copy the mirror's source configuration into
sudo gedit /etc/apt/sources.list
Update apt
sudo apt-get update
Install curl
sudo apt-get install curl
Install git
sudo apt-get install git
Install and configure the JDK
Download the JDK
http://jdk.android-studio.org/
For convenience I create a work directory in my home directory and install everything for this environment under it. You can choose a different directory.
mkdir work
Extract the downloaded JDK
tar -zxvf jdk-8u77-linux-x64.tar.gz
Configure the environment variables
sudo gedit /etc/profile
Add the following configuration, adjusting the JDK path to your own:
#set java env
export JAVA_HOME=/home/fj/work/jdk1.8.0_231
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
Load the configuration
source /etc/profile
Check whether the configuration took effect
fj@ubuntu:~/work/jdk1.8.0_231$ java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.231-b11, mixed mode)
Install and configure the SDK
Here I use Android Studio to download the SDK.
Android Studio download address: http://www.android-studio.org/
After downloading, move it to the work directory, extract it and run it
tar -zxvf android-studio-ide-191.5977832-linux.tar.gz
cd android-studio/bin
./studio.sh
Everything else works the same as Android Studio on Windows
Install an SDK version; we download version 29.
Here you can see that the SDK downloaded by Android Studio is in /home/fj/Android/Sdk, so we need to set environment variables for this directory
sudo gedit /etc/profile
Configure as follows, adjusting the SDK path to your own:
Note the build-tools/30.0.3 entry: dx from that directory is needed during the build
#set sdk
export ANDROID_SDK_HOME=/home/fj/Android/Sdk
export PATH=$PATH:${ANDROID_SDK_HOME}/tools
export PATH=$PATH:${ANDROID_SDK_HOME}/build-tools/30.0.3
export PATH=$PATH:${ANDROID_SDK_HOME}/platform-tools
Load the configuration file
source /etc/profile
Run the dx command; if the following appears, it is set up correctly
fj@ubuntu:~/work/android-ndk-r21d$ dx
error: no command specified
usage:
dx --dex [--debug] [--verbose] [--positions=<style>] [--no-locals]
[--no-optimize] [--statistics] [--[no-]optimize-list=<file>] [--no-strict]
[--keep-classes] [--output=<file>] [--dump-to=<file>] [--dump-width=<n>]
[--dump-method=<name>[*]] [--verbose-dump] [--no-files] [--core-library]
[--num-threads=<n>] [--incremental] [--force-jumbo] [--no-warning]
[--multi-dex [--main-dex-list=<file> [--minimal-main-dex]]
[--input-list=<file>] [--min-sdk-version=<n>]
[--allow-all-interface-method-invokes]
Install and configure the NDK
NDK download address: https://developer.android.google.cn/ndk/downloads/
Download android-ndk-r21d-linux-x86_64.zip, because that is the NDK version Frida uses by default
After downloading, move it to the work directory and extract it
unzip android-ndk-r21d-linux-x86_64.zip
cd android-ndk-r21d
Add the following to /etc/profile
#set NDK env
export NDK_HOME=/home/fj/work/android-ndk-r21d
export PATH=$NDK_HOME:$PATH
Load the configuration file
source /etc/profile
Check the NDK version; if the following appears, it is set up correctly
fj@ubuntu:~/work/android-ndk-r21d$ ndk-build --v
GNU Make 4.2.1
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Build and install Node.js
Here I install from source: the version installed by apt is too old, does not support building frida, and is troublesome to upgrade.
$ sudo git clone https://github.com/nodejs/node.git
Cloning into 'node'...
Change the directory permissions:
$ sudo chmod -R 755 node
Use ./configure to generate the build files, then build and install:
$ cd node
$ sudo ./configure
$ sudo make
$ sudo make install
Check the node and npm versions:
fj@ubuntu:~/work/node$ npm -v
7.4.2
fj@ubuntu:~/work/node$ node -v
v16.0.0-pre
Build and run frida-java
Use Git to download the frida-java-bridge source. I pick 3.9.4 here, because that is the version my frida uses
fj@ubuntu:~/work$ git clone https://github.com/frida/frida-java-bridge.git --tag 3.9.4
The frida version that matches frida-java can be seen in test/Makefile
frida_version := 12.11.14
Modify the configuration file
cd frida-java-bridge/
sudo gedit test/config.mk
Change it to the following
# change to your own SDK directory
ANDROID_SDK_ROOT ?= $(shell echo /home/fj/Android/Sdk)
# change to your own NDK directory
ANDROID_NDK_ROOT ?= /home/fj/work/android-ndk-r21d
ANDROID_ARCH ?= arm64
ANDROID_ABI ?= arm64-v8a
# we downloaded version 29 in Android Studio earlier, so this does not need changing
ANDROID_API_LEVEL ?= 29
ANDROID_BINDIR ?= /system/bin
ANDROID_LIBDIR ?= /system/lib64
APEX_LIBDIRS ?= /apex/com.android.runtime/$(shell basename $(ANDROID_LIBDIR)):/apex/com.android.art/$(shell basename $(ANDROID_LIBDIR))
DEBUG_PORT ?= 5042
In general you only need to change the parts I commented above; if your device has a different architecture, adjust ANDROID_ARCH, ANDROID_ABI and ANDROID_LIBDIR accordingly.
Build
fj@ubuntu:~/work/frida-java-bridge$ make check
npm install
added 234 packages, and audited 235 packages in 25s
found 0 vulnerabilities
make -C test deploy
make[1]: Entering directory '/home/fj/work/frida-java-bridge/test'
curl -Ls https://github.com/frida/frida/releases/download/12.11.14/frida-gumjs-devkit-12.11.14-android-arm64.tar.xz | tar -xJf - -C build/obj/local/arm64-v8a
/home/fj/work/android-ndk-r21d/ndk-build \
NDK_PROJECT_PATH=$(pwd) \
NDK_APPLICATION_MK=$(pwd)/Application.mk \
NDK_OUT=$(pwd)/build/obj \
NDK_LIBS_OUT=$(pwd)/build \
FRIDA_JAVA_TESTS_DATA_DIR=/data/local/tmp/frida-java-bridge-tests \
FRIDA_JAVA_TESTS_CACHE_DIR=/data/local/tmp/frida-java-bridge-tests/dalvik-cache
make[2]: Entering directory '/home/fj/work/frida-java-bridge/test'
[arm64-v8a] Compile : artpalette <= artpalette.c
[arm64-v8a] SharedLibrary : libartpalette.so
[arm64-v8a] Install : libartpalette.so => build/arm64-v8a/libartpalette.so
[arm64-v8a] Compile : runner <= runner.c
[arm64-v8a] Compile++ : runner <= dummy.cpp
[arm64-v8a] Executable : runner
[arm64-v8a] Install : runner => build/arm64-v8a/runner
make[2]: Leaving directory '/home/fj/work/frida-java-bridge/test'
curl -Ls https://github.com/junit-team/junit4/releases/download/r4.12/junit-4.12.jar > build/junit.jar
curl -Ls https://search.maven.org/remotecontent?filepath=org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar > build/hamcrest.jar
cd build/java/ \
&& jar xf ../junit.jar \
&& jar xf ../hamcrest.jar
javac \
-cp .:build/java/:/home/fj/Android/Sdk/platforms/android-29/android.jar \
-bootclasspath /home/fj/Android/Sdk/platforms/android-29/android.jar \
-source 1.8 \
-target 1.8 \
-Xlint:deprecation \
-Xlint:unchecked \
re/frida/Script.java re/frida/Eatable.java re/frida/Formatter.java re/frida/MethodTest.java re/frida/EatableWithField.java re/frida/ClassCreationTest.java re/frida/Fruit.java re/frida/PrimitiveArray.java re/frida/TestRunner.java re/frida/ClassRegistryTest.java \
-d build/java/
jar cfe build/tests.jar re.frida.tests.Runner -C build/java .
dx --dex --output=build/tests.dex build/tests.jar
npm install
> frida-java-bridge-bundle@1.0.0 prepare
> npm run build
> frida-java-bridge-bundle@1.0.0 build
> frida-compile bundle -o build/frida-java-bridge.js -x -c
added 427 packages, and audited 428 packages in 2m
found 0 vulnerabilities
npm run build
> frida-java-bridge-bundle@1.0.0 build
> frida-compile bundle -o build/frida-java-bridge.js -x -c
adb shell "rm -rf /data/local/tmp/frida-java-bridge-tests && mkdir -p /data/local/tmp/frida-java-bridge-tests"
* daemon not running; starting now at tcp:5037
* daemon started successfully
adb: no devices/emulators found
Makefile:26: recipe for target 'deploy' failed
make[1]: *** [deploy] Error 1
make[1]: Leaving directory '/home/fj/work/frida-java-bridge/test'
Makefile:5: recipe for target 'check' failed
make: *** [check] Error 2
If you see
daemon started successfully
adb: no devices/emulators found
these messages, the build itself succeeded; the error that follows is only because I had not yet connected my phone.
Test run
Now I connect my phone; here I connect over wireless adb
fj@ubuntu:~/work/frida-java-bridge$ adb connect 192.168.124.2
connected to 192.168.124.2:5555
fj@ubuntu:~/work/frida-java-bridge$ adb devices
List of devices attached
192.168.124.2:5555 device
Build and run again
fj@ubuntu:~/work/frida-java-bridge$ make check
make -C test deploy
make[1]: Entering directory '/home/fj/work/frida-java-bridge/test'
adb shell "rm -rf /data/local/tmp/frida-java-bridge-tests && mkdir -p /data/local/tmp/frida-java-bridge-tests"
adb push build/arm64-v8a/runner build/tests.dex build/frida-java-bridge.js build/arm64-v8a/libartpalette.so /data/local/tmp/frida-java-bridge-tests
build/arm64-v8a/runner: 1 file pushed, 0 skipped. 2.0 MB/s (16624056 bytes in 7.970s)
build/tests.dex: 1 file pushed, 0 skipped. 635.5 MB/s (314016 bytes in 0.000s)
build/frida-java-bridge.js: 1 file pushed, 0 skipped. 0.4 MB/s (293597 bytes in 0.764s)
build/arm64-v8a/libartpalette.so: 1 file pushed, 0 skipped. 0.1 MB/s (5760 bytes in 0.040s)
4 files pushed, 0 skipped. 1.6 MB/s (17237429 bytes in 10.091s)
make[1]: Leaving directory '/home/fj/work/frida-java-bridge/test'
make -C test run
make[1]: Entering directory '/home/fj/work/frida-java-bridge/test'
adb shell "LD_LIBRARY_PATH='/apex/com.android.runtime/lib64:/apex/com.android.art/lib64:/data/local/tmp/frida-java-bridge-tests' /data/local/tmp/frida-java-bridge-tests/runner"
JUnit version 4.12
..........................................................
Time: 18.474
OK (58 tests)
make[1]: Leaving directory '/home/fj/work/frida-java-bridge/test'
Seeing OK at the end tells you it succeeded; 58 test methods were run.
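Since the first `make check` above only failed at the very last step (no device attached), a small pre-flight script can catch that and missing tools before the long npm/NDK steps run. This is an added example, not part of the original post or of frida-java-bridge; it assumes the tool names used on this page and the `frida_version :=` line in test/Makefile.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check to run before
# `make check`, so the build stops early instead of failing at the adb step.
# Assumes the tool names and the test/Makefile layout shown on this page.

# Succeed if at least one entry in raw `adb devices` output is in state
# "device" (an "offline" or "unauthorized" entry does not count).
has_online_device() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { found = 1 } END { exit !found }'
}

# Print the frida_version value from test/Makefile text (e.g. 12.11.14).
frida_version_from_makefile() {
    printf '%s\n' "$1" | sed -n 's/^frida_version[[:space:]]*:=[[:space:]]*//p' | head -n 1
}

# Print the names passed in that are not found on PATH, space separated.
missing_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    printf '%s' "${missing# }"
}

REQUIRED_TOOLS="java javac jar dx ndk-build node npm adb curl"

preflight() {
    m=$(missing_tools $REQUIRED_TOOLS)
    if [ -n "$m" ]; then
        echo "missing tools on PATH: $m" >&2
        return 1
    fi
    if ! has_online_device "$(adb devices)"; then
        echo "no online device; run 'adb connect <ip>' first" >&2
        return 2
    fi
    echo "frida devkit version: $(frida_version_from_makefile "$(cat test/Makefile)")"
}

# Constructed sample inputs so the helpers can be exercised without a phone.
SAMPLE_ADB_NONE="$(printf 'List of devices attached\n')"
SAMPLE_ADB_OK="$(printf 'List of devices attached\n192.168.124.2:5555\tdevice\n')"
SAMPLE_MAKEFILE="$(printf 'frida_version := 12.11.14\nANDROID_ARCH ?= arm64\n')"

# Run the real check only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it from the frida-java-bridge checkout with `sh preflight.sh --run` before `make check`; a non-zero exit tells you which of the two failure modes on this page you are about to hit.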