java层Hook
效果
这里只是替换了返回值类型为 String 的 Java 层方法的返回值。
APK 主要代码（忽略底下的 Native 函数定义）。
package com.alex.nativehooktarget;
import androidx.appcompat.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
public class MainActivity extends AppCompatActivity {

    // Load the JNI library ('native-lib') once, when the class is initialised.
    static {
        System.loadLibrary("native-lib");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        showNativeValues();
        installClickHandler();
    }

    /** Fills the three read-only text views with the values returned by the JNI functions. */
    private void showNativeValues() {
        TextView nativeString = findViewById(R.id.sample_text);
        nativeString.setText(stringFromJNI());

        TextView nativeInt = findViewById(R.id.tv1);
        nativeInt.setText(String.valueOf(intFromJNI()));

        TextView nativeBool = findViewById(R.id.tv2);
        nativeBool.setText(String.valueOf(boolFromJNI()));
    }

    /** Wires btn1 so that every click writes the Java-side string into tv3. */
    private void installClickHandler() {
        final TextView target = findViewById(R.id.tv3);
        Button trigger = findViewById(R.id.btn1);
        trigger.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                target.setText(stringFormJava());
            }
        });
    }

    /**
     * Plain Java method (no JNI involved). Its return value is what the Frida
     * script on this page replaces, so tv3 shows the hooked string after a click.
     */
    protected String stringFormJava() {
        return "Hello Alexw";
    }

    /**
     * Native methods implemented by the 'native-lib' library that is packaged
     * with this application.
     */
    public native String stringFromJNI();
    public native int intFromJNI();
    public native boolean boolFromJNI();
}
JNI:
#include <jni.h>
#include <string>
extern "C" JNIEXPORT jstring JNICALL
Java_com_alex_nativehooktarget_MainActivity_stringFromJNI(
        JNIEnv *env,
        jobject /* this */) {
    // Backs MainActivity.stringFromJNI(): hands the VM a freshly allocated
    // Java String built from a fixed literal (no std::string round-trip needed).
    static const char kGreeting[] = "Hello from C++";
    return env->NewStringUTF(kGreeting);
}
extern "C" JNIEXPORT jint JNICALL
Java_com_alex_nativehooktarget_MainActivity_intFromJNI(
        JNIEnv *env,
        jobject /* this */) {
    // Backs MainActivity.intFromJNI(): the result is the constant sum 2 + 3.
    const jint lhs = 2;
    const jint rhs = 3;
    return lhs + rhs;
}
extern "C" JNIEXPORT jboolean JNICALL
Java_com_alex_nativehooktarget_MainActivity_boolFromJNI(
        JNIEnv *env,
        jobject /* this */) {
    // Backs MainActivity.boolFromJNI(): always reports false to the Java side.
    const jboolean result = JNI_FALSE;
    return result;
}
python frida:
# coding:utf-8
import frida #导入frida模块
import sys #导入sys模块
# JavaScript that Frida injects into the target process.  Inside Java.perform()
# it looks up MainActivity and replaces the implementation of stringFormJava()
# so that it returns the literal 'Change String!' instead of 'Hello Alexw'.
# The comments inside the string (including the stale "testFrida" name) are
# part of the script text sent to the device, so they are left as-is here.
jscode = """
Java.perform(function(){
var MainActivity = Java.use('com.alex.nativehooktarget.MainActivity'); //获得MainActivity类
MainActivity.stringFormJava.implementation = function(){ //Hook testFrida函数,用js自己实现
//send('Statr! Hook!'); //发送信息,用于回调python中的函数
return 'Change String!' //劫持返回值,修改为我们想要返回的字符串
}
});
"""
def on_message(message, data):
    """Callback Frida invokes for every message the injected script emits
    (e.g. a ``send()`` call in the JS).

    ``message`` is the message dict delivered by Frida; ``data`` is the
    optional binary payload, which this handler ignores.  The whole dict is
    printed verbatim on its own line.
    """
    print(str(message))
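# Connect to the remote device (the author notes that get_usb_device() kept
# failing to find the device, so get_remote_device() is used instead) and
# attach to the target app by package name.  The returned Session is kept in
# the module-level name ``process``.
process = frida.get_remote_device().attach('com.alex.nativehooktarget')
script = process.create_script(jscode)   # compile the JS above into a Script object
script.on('message', on_message)          # deliver send() messages to on_message
try:
    script.load()                         # inject the hook into the target
    sys.stdin.read()                      # block until stdin is closed so the hook stays active
finally:
    # Detach explicitly (which tears down the injected script) rather than
    # relying on interpreter exit, so the target is left unmodified when this
    # script stops or fails partway.
    process.detach()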