Frida Hook Textview
This article briefly shows how to hook TextView with Frida.
1: Write the Frida script.
Java.perform(function() {
    var textView = Java.use('android.widget.TextView');
    // Hook only the single-argument setText(CharSequence) overload
    textView.setText.overload("java.lang.CharSequence").implementation = function (x) {
        console.log("original text :", x);
        var text = 'xxxx'; // plain JavaScript string
        console.log("new text :", text);
        return this.setText(text);
    }
});
2: Run
First, a recap of how to start frida-server:
adb shell
cd /data/local/tmp
su
chmod 777 frida-server
cd frida-server
chmod 777 data
./data
Then run the script:
frida -U -f com.tencent.mm -l /home/zh/workSpace/test/Xpose/app/src/main/java/com/zh/xpose/js/HookText.js
The output is as follows:
____
/ _ | Frida 16.0.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to LEX820 (id=6b4a96b2)
Spawned `com.tencent.mm`. Resuming main thread!
[LEX820::com.tencent.mm ]-> original text : 微信
new text : xxxx
Error: setText(): argument types do not match any of:
.overload('int')
.overload('java.lang.CharSequence')
.overload('int', 'android.widget.TextView$BufferType')
.overload('java.lang.CharSequence', 'android.widget.TextView$BufferType')
.overload('[C', 'int', 'int')
.overload('java.lang.CharSequence', 'android.widget.TextView$BufferType', 'boolean', 'int')
at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:569)
at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:973)
at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:553)
at <anonymous> (/home/zh/workSpace/test/Xpose/app/src/main/java/com/zh/xpose/js/HookText.js:18)
at apply (native)
at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:620)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:598)
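As you can see, the hook intercepted the TextView call and captured the TextView's original text, but an error occurred in setText().
Cause of the error:
- The type of the argument passed to the setText method does not match. It expects a CharSequence, but the type of the argument that was passed is unknown.
So we modify the script: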
Java.perform(function() {
    var textView = Java.use('android.widget.TextView');
    textView.setText.overload("java.lang.CharSequence").implementation = function (x) {
        // Named JavaString so it does not shadow the JavaScript String global
        var JavaString = Java.use("java.lang.String");
        console.log("original text :", x);
        var text = JavaString.$new("xxxxx"); // create a CharSequence object
        console.log("new text :", text);
        return this.setText(text);
    }
});
Run it again: this time no error occurs, and the TextViews in WeChat have been successfully replaced with "xxxxx".
____
/ _ | Frida 16.0.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to LEX820 (id=6b4a96b2)
Spawned `com.tencent.mm`. Resuming main thread!
[LEX820::com.tencent.mm ]-> original text : 微信
new text : xxxxx
original text : 微信
new text : xxxxx
original text :
new text : xxxxx
original text : xxxxx
new text : xxxxx
original text : 用声音锁登录
new text : xxxxx
original text : 切换验证方式
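A variant of the corrected hook, added here as an example and not part of the original article: it replaces only the strings listed in a rules map and passes every other value (including null) through unchanged, wrapping the replacement in a java.lang.String as the fix above requires. The name installSetTextHook, its bridge/rules/log parameters and the sample rule are assumptions made for this example; the Java bridge is passed in as a parameter so the logic can also be exercised outside Frida with a stub.

```javascript
// Added example (not from the original article).
// bridge: Frida's global `Java` object, or a stub with the same use() shape.
// rules:  map of original text -> replacement text (hypothetical sample data).
// log:    function that receives one message per replacement.
function installSetTextHook(bridge, rules, log) {
  const TextView = bridge.use('android.widget.TextView');
  const JavaString = bridge.use('java.lang.String'); // resolved once, not per call
  const hook = TextView.setText.overload('java.lang.CharSequence');

  hook.implementation = function (text) {
    // setText(null) is legal on Android, so guard before calling toString()
    const original = text === null ? null : text.toString();
    const hasRule = original !== null &&
      Object.prototype.hasOwnProperty.call(rules, original);
    if (!hasRule) {
      // Pass the caller's own CharSequence through untouched
      return this.setText(text);
    }
    const replacement = rules[original];
    log('setText: ' + original + ' -> ' + replacement);
    // A plain JS string does not match the CharSequence overload;
    // java.lang.String implements CharSequence, so wrap it first.
    return this.setText(JavaString.$new(replacement));
  };
  return hook;
}

// Under Frida the global `Java` exists; in any other runtime this is skipped.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    installSetTextHook(Java, { '微信': 'xxxxx' }, console.log);
  });
}
```

Text that is not in the rules map reaches the original setText() unchanged, so the rest of the UI keeps rendering normally while the hook is active.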