I. Install Frida
pip install frida
pip install frida-tools
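II. Run frida-server on the emulator
- Download the matching version of frida-server
Download link: https://github.com/frida/frida/releases
Note: on an emulator, download the x86 build; otherwise you may get the error: unable to inject library into process without libc
- Extract the downloaded file and push it to the emulator
adb push <path on PC>/<file name> <destination path on the emulator>
- Open a shell on the emulator, change to the directory where frida-server was pushed, change the file permissions, and run the file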
adb shell
cd <path>
chmod 777 <file name>
./<file name>
Check the connection: adb devices
List processes on Windows: tasklist
- Port forwarding
adb forward tcp:27042 tcp:27043
Explanation: data received on port 27042 on the PC is forwarded to port 27043 on the phone
- List the processes on the phone
frida-ps -U
-U means USB
- Hook a package
frida-trace -i "open" -U com.android.browser
- If the connection fails while running:
adb shell
setenforce 0
Check: getenforce
Or run
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
III. Case analysis
1. Hooking an ordinary method
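```python
import frida
import sys

rdev = frida.get_remote_device()
process = rdev.enumerate_processes()  # get all processes on the phone
session = rdev.attach("com.smile.gifmaker")

script_js = """
Java.perform(function () {
    var k = Java.use("com.yxcorp.gifshow.retrofit.k");
    // console.log("Hook start");
    k.computeSignature.implementation = function (a, b, c) {
        // Report the second and third arguments to the Python side
        send(b.toString());
        send(c.toString());
        // Call the original method so the app still receives its return value
        return this.computeSignature(a, b, c);
    };
});
"""

def on_message(message, data):
    # "send" messages carry the value passed to send() under "payload"
    if message["type"] == "send":
        print(message["payload"])

script = session.create_script(script_js)
script.on("message", on_message)
script.load()
sys.stdin.read()  # keep the process alive so the hook stays installed
```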
2. Modifying parameters
```python
import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.smile.gifmaker")

script_js = """
Java.perform(function () {
    var a = Java.use("com.yxcorp.retrofit.f.a");
    var HashMap = Java.use("java.util.HashMap");
    a.b.implementation = function (c, d) {
        // Report the original arguments
        send(c.toString());
        send(d.toString());
        // Build replacement maps to pass instead of the originals
        var ff = HashMap.$new();
        var dd = HashMap.$new();
        ff.put("a", "3");
        ff.put("t", "1");
        ff.put("h", "2");
        dd.put("n", "9");
        dd.put("m", "7");
        dd.put("g", "0");
        // Call the original method with the replaced arguments
        var ffff = this.b(ff, dd);
        send(ffff.toString());
        // Return the result so the caller still gets a value
        return ffff;
    };
});
"""

def on_message(message, data):
    if message["type"] == "send":
        print(message["payload"])

script = session.create_script(script_js)
script.on("message", on_message)
script.load()
sys.stdin.read()  # keep the process alive so the hook stays installed
```
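Both scripts above print only "send" messages, so an exception raised inside the injected JavaScript (for example a misspelled class name) is dropped without any output. The following message handler is an added example, not code from the original page; `describe_message` and the sample messages are constructed for illustration, and it assumes the message fields Frida delivers to `script.on("message", ...)` callbacks.

```python
import json


def describe_message(message, data=None):
    """Turn one Frida script message into a printable string.

    "send" messages carry the value passed to send() under "payload";
    "error" messages describe an uncaught exception in the injected script.
    """
    mtype = message.get("type")
    if mtype == "send":
        payload = message.get("payload")
        # send() may pass strings or JSON-serialisable objects
        text = payload if isinstance(payload, str) else json.dumps(
            payload, ensure_ascii=False)
        if data:
            text += " [+%d bytes of binary data]" % len(data)
        return "[send] " + text
    if mtype == "error":
        where = "%s:%s" % (message.get("fileName", "?"),
                           message.get("lineNumber", "?"))
        line = "[error] %s (%s)" % (
            message.get("description", "unknown error"), where)
        stack = message.get("stack")
        if stack:
            line += "\n" + stack
        return line
    # Unknown message types are shown rather than silently discarded
    return "[%s] %r" % (mtype, message)


def on_message(message, data):
    # Drop-in replacement for the handlers used in the scripts above
    print(describe_message(message, data))


# Constructed sample messages, shaped like those a hook script produces
SAMPLE_MESSAGES = [
    {"type": "send", "payload": "sig=abc123"},
    {"type": "send", "payload": {"a": "3", "t": "1"}},
    {"type": "error", "description": "ReferenceError: 'HashMpa' is not defined",
     "fileName": "/script1.js", "lineNumber": 9, "columnNumber": 1},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        on_message(msg, None)
```

Pass this `on_message` to `script.on("message", on_message)` in place of the handlers above to see script errors as they occur.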
Reference: https://www.cnblogs.com/qwangxiao/p/9255328.html