一、环境配置
- 安装anaconda3
- 下载frida-server放在手机端
- pip install frida和frida-tools在攻击机
- 转发端口:
# Forward the two frida-server ports listed in these notes from the
# USB-attached device to the host, so frida.get_remote_device() can reach
# the server. Behaviour is identical to issuing the two commands by hand.
for port in 27042 27043; do
  adb forward "tcp:${port}" "tcp:${port}"
done
二、基本命令
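# Frida agent source, compiled inside the target process by create_script()
# further down. Comments inside the agent must use JavaScript syntax (//):
# the original used Python-style '#' lines, which are a syntax error in the
# agent and make the script fail to compile when it is loaded.
js_code = """
Java.perform(function () {
    // 肉鸡控制台回显
    console.log('--------------frida hook start--------------');
    // 查找hook目标实例
    var targetClass = Java.use('com.XXX.XXX.PatchProxy');
    // 实例.函数名.implementation = 复写函数(原函数入参)
    targetClass.proxy.implementation = function (objArr,
                                                obj,
                                                changeQuickRedirect,
                                                z,
                                                i) {
        // 原函数执行结果=当前实例.原函数(入参)
        var patchProxyResult = this.proxy(objArr,
                                          obj,
                                          changeQuickRedirect,
                                          z,
                                          i);
        // 发送到攻击机的消息,攻击机使用message对象接收
        send(changeQuickRedirect);
        // 返回结果给原函数的调用者
        return patchProxyResult;
    };
});
"""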
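def print_param(message, data):
    """Frida message handler: print ``send()`` payloads, surface agent errors.

    Args:
        message: dict delivered by frida. ``type`` is ``'send'`` for values the
            agent emits with ``send()`` (the payload is in ``'payload'``) and
            ``'error'`` when an exception escapes the agent.
        data: optional binary blob attached to the message; unused here.

    Returns:
        None. Output goes to stdout (payloads) or stderr (errors).
    """
    if message["type"] == "send":
        if message["payload"] is not None:
            print(message["payload"])
    elif message["type"] == "error":
        # A hook that throws would otherwise fail silently and the operator
        # would only see the payload stream stop; keep the full record.
        print("frida script error:", message, file=sys.stderr)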
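# Attach to the already-running app by PID over the forwarded adb port,
# inject the agent, then block on stdin so the hook stays alive until EOF.
# NOTE(review): the PID is hard-coded and changes on every app restart.
process = frida.get_remote_device().attach(23040)
script_2_execute = process.create_script(js_code)
script_2_execute.on("message", print_param)
script_2_execute.load()
try:
    sys.stdin.read()
finally:
    # Detach explicitly (also on Ctrl-C) so the session is torn down cleanly
    # instead of relying on interpreter exit.
    process.detach()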
三、构造方法的hook
targetClass.$init.implementation = function....
四、重载方法的hook
targetClass.proxy.overload("int", "java.lang.String", "boolean").implementation = function....
五、构造对象实例
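// Instantiate the hooked class through the Frida wrapper. `$new()` is the
// constructor call; `$init` is only the name used to hook the constructor
// (see the section above) and does not create an instance.
var newProxy = targetClass.$new();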
六、获取/修改对象公共属性值
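// Read a public field through the Frida wrapper: <instance>.<field>.value.
// The original read from `proxyName` itself, which is still undefined at
// that point; the instance created above (`newProxy`) is what is meant.
var proxyName = newProxy.name.value;
// Assign through the same wrapper to overwrite the field.
newProxy.name.value = "hello world";
// Reflection route for the same field. `clazz` is defined outside this
// snippet — presumably a java.lang.Class wrapper; confirm before use.
var nameField = Java.cast(targetClass, clazz).getDeclaredField('name');
nameField.setAccessible(true);
// NOTE(review): Field.get/Field.set take the owning object for a non-static
// field; the original passes the class wrapper — confirm whether `newProxy`
// is the intended target.
var name = nameField.get(targetClass);
// java.lang.reflect.Field exposes set(Object, Object); the original called
// setString() on the field's *value* rather than on the Field itself.
nameField.set(targetClass, "hello world");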