Install a Python environment
Anaconda download: https://www.anaconda.com/distribution/
Add the following to the PATH environment variable:
D:\develop\Anaconda3\Scripts;
D:\develop\Anaconda3\Library\bin;
D:\develop\Anaconda3\;
D:\develop\Anaconda3\Library\mingw-w64\bin;
Install the frida libraries:
pip install frida
pip install frida-tools
1. Check whether the phone's CPU is 32- or 64-bit. Open CMD and run:
adb shell su
cat /proc/cpuinfo
2. Download the frida-server build that matches your device's bitness and push it to the /data/local/tmp directory on the phone.
Download: https://github.com/frida/frida/releases
Push command: adb push xxx /data/local/tmp
3. Write the hook script
import frida
import sys

jsCode = """
Java.perform(function () {
    // resolve the JNI export of the native method inside libdemo.so
    var resultInt = Module.findExportByName("libdemo.so", "Java_com_qianyu_demo_MainActivity_resultInt");
    Interceptor.attach(resultInt, {
        onEnter: function (args) {
            // args[0] is JNIEnv*, args[1] is the jobject/jclass; the Java parameters start at args[2]
            send(args[2]);
            send(args[3]);
            send(args[4]);
        },
        onLeave: function (retval) {
            //var jstr = Java.cast(retval);
            send("addr:" + retval);
        }
    });
});
"""

def on_message(message, data):
    # values passed to send() in the JS arrive here with type "send"
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
    else:
        print(message)

# attach to the running app through the forwarded port (see step 5)
process = frida.get_remote_device().attach("com.qianyu.demo")
script = process.create_script(jsCode)
script.on("message", on_message)
script.load()
sys.stdin.read()
4. Run frida-server:
adb shell su
cd /data/local/tmp
chmod 777 frida-server
./frida-server
5. Forward the port / launch the app:
adb forward tcp:27042 tcp:27042
frida -U -f com.qianyu.demo --no-pause
6. Result
The code above hooks the so (native) layer; below is example code for hooking the Java layer. The execution flow is the same as above:
import frida
import sys

# hook an ordinary (non-static) Java method
jscode = """
Java.perform(function () {
    var utils = Java.use('com.xiaojianbang.app.Utils');
    utils.getCalc.implementation = function (a, b) {
        console.log("Hook Start...");
        send(arguments[0]);
        send(arguments[1]);
        send("Success!");
        // call the original method with the intercepted arguments and pass its result through
        var num = this.getCalc(a, b);
        send(num);
        return num;
    }
});
"""

def on_message(msg, data):
    if msg["type"] == 'send':
        print("[*] {0}".format(msg['payload']))
    else:
        print(msg)

# the device app to attach to
process = frida.get_remote_device().attach('com.xiaojianbang.app')
script = process.create_script(jscode)
script.on("message", on_message)
script.load()
sys.stdin.read()
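An added helper script (not part of this tutorial) that ties steps 1 to 3 together: it chooses the frida-server build from the text of cat /proc/cpuinfo, derives the release file name, and gives the message callback used by both scripts above a branch for uncaught JS errors. The asimd/neon feature test is an assumed heuristic, and FRIDA_VERSION is a placeholder.

```python
# Added helper (not from the original tutorial): picks the frida-server build from
# `cat /proc/cpuinfo` (steps 1-2) and formats the messages the hook scripts emit (step 3).
import re
import sys

def frida_arch_from_cpuinfo(cpuinfo):
    """Return the release arch suffix ("arm64" or "arm") for the phone.
    Heuristic: a 64-bit ARM kernel lists "asimd" in Features (older kernels also
    print "AArch64"); a 32-bit ARM kernel prints ARMv7/ARMv8 and "neon".
    `adb shell getprop ro.product.cpu.abi` is the authoritative check."""
    text = cpuinfo.lower()
    if "aarch64" in text or re.search(r"^features\s*:.*\basimd\b", text, re.M):
        return "arm64"
    if re.search(r"armv[78]|\bneon\b", text):
        return "arm"
    raise ValueError("unrecognised CPU (x86 emulators are not handled here)")

def frida_server_asset(version, arch):
    """File name of the matching asset on github.com/frida/frida/releases."""
    return "frida-server-{}-android-{}.xz".format(version, arch)

def format_message(message, data=None):
    """Render one script.on("message", ...) callback as a log line: "send" carries the
    value passed to send() in the JS (plus optional binary data); "error" is an
    uncaught JS exception and arrives with a description and stack trace."""
    kind = message.get("type")
    if kind == "send":
        suffix = " (+{} bytes)".format(len(data)) if data else ""
        return "[*] {}{}".format(message.get("payload"), suffix)
    if kind == "error":
        return "[!] {}\n{}".format(message.get("description"), message.get("stack", ""))
    return "[?] {}".format(message)

def run(package, js_code):
    """Attach through the forwarded port (step 5) and stream hook output until Ctrl-C."""
    import frida  # imported here so the helpers above also work without frida installed
    session = frida.get_remote_device().attach(package)
    script = session.create_script(js_code)
    script.on("message", lambda msg, data: print(format_message(msg, data)))
    script.load()
    sys.stdin.read()

if __name__ == "__main__":
    # constructed sample of `adb shell cat /proc/cpuinfo` from a 64-bit phone
    SAMPLE = "processor\t: 0\nFeatures\t: fp asimd evtstrm aes\nCPU architecture: 8\n"
    FRIDA_VERSION = "0.0.0"  # placeholder: use the version you downloaded
    print(frida_server_asset(FRIDA_VERSION, frida_arch_from_cpuinfo(SAMPLE)))
```

Pass the JS from either script above as js_code to run() to get the same behaviour as the tutorial scripts, with script errors printed instead of a raw dict.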