frida多版本环境搭建
参考
https://blog.csdn.net/qq_33530663/article/details/124683704
java层常用hook点枚举
java.io.File
// Hook the java.io.File(String) constructor: print the path argument, then
// delegate to the original constructor so the File object is built as usual.
// NOTE(review): presumably meant to run inside Java.perform(...), which this
// snippet does not show.
var f = Java.use('java.io.File');
f.$init.overload('java.lang.String').implementation = function (path) {
  console.log(path);
  // Inside an implementation, this.$init(...) invokes the original constructor.
  this.$init(path);
};
js的map转java的hashmap类型
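/**
 * Copy a plain JS object into a new java.util.HashMap.
 *
 * Every key and value is wrapped with `java.lang.String.$new(...)`, so the
 * values are expected to be strings (assumption: non-string values are not
 * handled specially here, so verify against the caller).
 *
 * @param {Object|null|undefined} data - JS object whose own enumerable keys are copied.
 * @returns {Object} Frida wrapper for the populated java.util.HashMap
 *   (empty when `data` is null or undefined).
 */
function jsmap_to_javamap(data) {
  const HashMap = Java.use('java.util.HashMap');
  const JavaString = Java.use('java.lang.String');
  const javaMap = HashMap.$new();
  // Object.keys() throws on null/undefined, whereas the for...in it replaces
  // silently iterated nothing, so keep that behaviour explicit.
  if (data == null) {
    return javaMap;
  }
  // Own keys only: for...in would also copy enumerable keys inherited from
  // the prototype chain into the Java map.
  for (const key of Object.keys(data)) {
    javaMap.put(JavaString.$new(key), JavaString.$new(data[key]));
  }
  return javaMap;
}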
强转string
/**
 * Wrap a JS string in a java.lang.String instance.
 *
 * @param {string} jsString - value passed to the java.lang.String constructor.
 * @returns {Object} Frida wrapper for the new java.lang.String.
 */
function cast_java_string(jsString) {
  const javaString = Java.use('java.lang.String').$new(jsString);
  return javaString;
}
map转json
/**
 * Serialise a Java object (typically a Map) through Gson.
 *
 * Creates a fresh com.google.gson.Gson instance on every call, so the target
 * app must have Gson on its classpath.
 *
 * @param {Object} v - Java object handed to Gson.toJsonTree().
 * @returns {Object} result of toJsonTree(v).getAsJsonObject().
 */
function map_to_json(v) {
  const gson = Java.use('com.google.gson.Gson').$new();
  const tree = gson.toJsonTree(v);
  return tree.getAsJsonObject();
}
在某个hook点打印一个堆栈
/**
 * Print the current Java call stack.
 *
 * Builds a throwaway java.lang.Exception and lets android.util.Log render
 * its stack trace, which is then written with console.log.
 */
function print_call_trace() {
  const Log = Java.use("android.util.Log");
  const marker = Java.use("java.lang.Exception").$new();
  console.log(Log.getStackTraceString(marker));
}
动态加载类
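/**
 * Find the class loader that can resolve a dynamically loaded class and
 * install the hooks once it is reachable.
 *
 * For every class loader in the process: point the default class factory at
 * it, probe for 'com.meiyou.framework.ui.http.g' and, if the probe succeeds,
 * call encrypted_test_v1() (defined outside this snippet). Loaders that
 * cannot resolve the class are logged and skipped.
 */
function dynamic_load_class_and_hook_encryted_function() {
  Java.enumerateClassLoaders({
    onMatch(loader) {
      // The loader has to be set on Java.classFactory, the default factory
      // behind Java.use(); the capitalised Java.ClassFactory is the factory
      // class itself, so assigning `.loader` on it does not redirect Java.use().
      const previousLoader = Java.classFactory.loader;
      try {
        Java.classFactory.loader = loader;
        // Probe only: Java.use() throws when this loader cannot see the class.
        Java.use('com.meiyou.framework.ui.http.g');
        console.log('动态加载加密函数');
        encrypted_test_v1();
      } catch (e) {
        // Do not leave the default factory bound to a loader that failed,
        // otherwise later Java.use() calls would resolve through it.
        Java.classFactory.loader = previousLoader;
        console.log(e);
      }
    },
    onComplete() {
      // Nothing to do once every loader has been visited.
    },
  });
}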
通过类加载器获得类
// Walk the live dalvik.system.PathClassLoader instances, and for each one try
// to resolve the target class through a class factory bound to that loader.
// The first loader that resolves it gets the hook and ends the scan.
// print_all_methods() is defined outside this snippet.
Java.choose("dalvik.system.PathClassLoader", {
  onMatch(instance) {
    const loaderFactory = Java.ClassFactory.get(instance);
    try {
      const targetMethod = 'initQDHttp$lambda-1';
      const targetClass = loaderFactory.use('com.qidian.QDReader.start.AsyncMainQDHttpTask');
      console.log('find it\t=', targetClass);
      print_all_methods(targetClass);
      try {
        // Pass-through replacement: forwards the three arguments and returns
        // the result unchanged. The call goes through the class wrapper, not
        // `this`. NOTE(review): presumably the target method is static; confirm.
        targetClass[targetMethod].implementation = function (v1, v2, v3) {
          return targetClass[targetMethod](v1, v2, v3);
        };
        console.log('hook了调用栈方法\t', targetClass.class);
      } catch (e) {
        console.log(e);
      }
      // Returning "stop" ends the Java.choose() enumeration early.
      return "stop";
    } catch (e) {
      // Deliberately silent: this loader cannot resolve the class, so the
      // scan simply moves on to the next PathClassLoader instance.
    }
  },
  onComplete() {
    console.log("Done");
  },
});
打印类的所有成员变量
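/**
 * Log every declared field (type, name, value) of a Java object, starting at
 * its own class and walking up the superclass chain until java.lang.Object.
 *
 * Fields are made accessible with setAccessible(true) before being read, so
 * private fields are included. Values are printed verbatim, so the output can
 * contain keys, tokens or other secrets held by the object.
 *
 * @param {Object|null|undefined} obj - Frida wrapper of the Java instance to dump;
 *   null and undefined are ignored.
 * @returns {void}
 */
function dumpAllFieldValue(obj) {
  // `== null` also rejects undefined, which the strict `=== null` check let
  // through to obj.getClass() and a TypeError.
  if (obj == null) {
    return;
  }
  const ownClass = obj.getClass();
  // Resolved once instead of on every loop iteration.
  const objectClass = Java.use("java.lang.Object").class;
  console.log("Dump all fields value for " + ownClass + " :");
  for (let cls = ownClass; cls !== null && !cls.equals(objectClass); cls = cls.getSuperclass()) {
    const fields = cls.getDeclaredFields();
    if (fields === null || fields.length === 0) {
      continue;
    }
    // Superclasses get a header line; the object's own class was announced above.
    if (!cls.equals(ownClass)) {
      console.log("Dump super class " + cls.getName() + " fields:");
    }
    for (let i = 0; i < fields.length; i++) {
      const field = fields[i];
      field.setAccessible(true);
      console.log('?类型' + field.getType() + "\t变量名:" + field.getName() + "\t值:" + field.get(obj));
    }
  }
}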
字符串hook stringfactory
// Hook java.lang.StringFactory.newStringFromString: number and print every
// string that passes through it, and dump the Java call stack when the
// content contains the marker text being searched for.
// The hook applies to the whole process, so expect a large volume of output.
var StringFactory = Java.use('java.lang.StringFactory');
StringFactory.newStringFromString.implementation = function (content) {
  // `index` is a counter that is not declared in this snippet.
  // TODO confirm it is initialised before the hook fires.
  index += 1;
  const isTarget = content.includes('道爷要长生');
  if (isTarget) {
    const Log = Java.use("android.util.Log");
    const marker = Java.use("java.lang.Exception").$new();
    console.log(Log.getStackTraceString(marker));
  }
  console.log(index, "->" + content);
  // Hand the call on to the original implementation and return its result.
  return this.newStringFromString(content);
};
hook map
// Hook java.util.HashMap.put: print each key/value pair, then forward the
// call to the original put() and pass its return value back to the caller.
// The hook is installed on the class, so it sees every HashMap in the
// process; the output is noisy and may include credentials or tokens that
// the app stores in maps.
var hmap = Java.use("java.util.HashMap");
hmap.put.implementation = function (key, val) {
  console.log(key, val);
  const previous = this.put(key, val);
  return previous;
};