frida安装教程及案例

什么是frida

frida是一款代码注入工具，它可以实现hook一个方法，让其返回我们需要的值。这是我刚接触这工具的理解。

如何安装

网上的教程可以说是百花齐放，相得益彰,下面的
教程将教你如何手动安装，而非自动化。为什么不使用自动化呢？手动安装速度更快，可以避免很多如证书错误，
网络延迟等一系列外在因素，造成安装失败的结果。

第一步，下载egg文件到用户目录下

我电脑是mac，使用的版本是12.6.7,
所以我下载的是
frida-12.6.7-py3.6-macosx-10.6-intel.egg,如果你的是
windows或linux，请选择对应版本下载。

第二步，进入文件下载目录，手动进行安装

easy_install frida-12.6.7-py3.6-macosx-10.6-intel.egg

• 提示。若出现以下错误，请将egg文件移动至对应目录再安装。

looking for prebuilt extension in home directory, i.e. /Users/huozhenlin/frida-12.6.11-py3.6-macosx-10.6-intel.egg
no prebuilt extension found in home directory
error: Setup script exited with error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)>

第三步，安装frida-tools

pip3 install frida-tools

若提示如下信息，说明安装成功

Requirement already satisfied: frida-tools in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/frida_tools-2.0.1-py3.6.egg (2.0.1)
Requirement already satisfied: colorama<1.0.0,>=0.2.7 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages (from frida-tools) (0.4.1)
Requirement already satisfied: frida<13.0.0,>=12.5.9 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/frida-12.6.11-py3.6-macosx-10.9-x86_64.egg (from frida-tools) (12.6.11)
Requirement already satisfied: prompt-toolkit<3.0.0,>=2.0.0 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/prompt_toolkit-2.0.9-py3.6.egg (from frida-tools) (2.0.9)
Requirement already satisfied: pygments<3.0.0,>=2.0.2 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/Pygments-2.4.2-py3.6.egg (from frida-tools) (2.4.2)
Requirement already satisfied: six>=1.9.0 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages (from prompt-toolkit<3.0.0,>=2.0.0->frida-tools) (1.12.0)
Collecting wcwidth (from prompt-toolkit<3.0.0,>=2.0.0->frida-tools)
  Using cached https://files.pythonhosted.org/packages/7e/9f/526a6947247599b084ee5232e4f9190a38f398d7300d866af3ab571a5bfe/wcwidth-0.1.7-py2.py3-none-any.whl
Installing collected packages: wcwidth
Successfully installed wcwidth-0.1.7

校验frida是否正常工作

$ frida -h

若正常输出以下信息，说明安装成功

Usage: frida [options] target

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -D ID, --device=ID    connect to device with the given ID
  -U, --usb             connect to USB device
  -R, --remote          connect to remote frida-server
  -H HOST, --host=HOST  connect to remote frida-server on HOST
  -f FILE, --file=FILE  spawn FILE
  -n NAME, --attach-name=NAME
                        attach to NAME
  -p PID, --attach-pid=PID
                        attach to PID
  --debug               enable the Node.js compatible script debugger
  --enable-jit          enable JIT
  -l SCRIPT, --load=SCRIPT
                        load SCRIPT
  -c CODESHARE_URI, --codeshare=CODESHARE_URI
                        load CODESHARE_URI
  -e CODE, --eval=CODE  evaluate CODE
  -q                    quiet mode (no prompt) and quit after -l and -e
  --no-pause            automatically start main thread after startup
  -o LOGFILE, --output=LOGFILE
                        output to log file

实战

本次选取app为某酒店app,该app设置了任何代理后，都将无法联网。

面对这种情况，经验丰富的逆向人员肯定想到了，该app会监听网络情况，当网络使用了任何代理，都将无法联网。

/*
    * 判断设备 是否使用代理上网
    * */
    private boolean isWifiProxy(Context context) {
   
 
        final boolean IS_ICS_OR_LATER = Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH;
 
        String proxyAddress;
 
        int proxyPort;
 
        if (IS_ICS_OR_LATER) {
   
 
            proxyAddress = System.getProperty("http.proxyHost");
 
            String portStr = System.getProperty("http.proxyPort");
 
            proxyPort = Integer.parseInt((portStr != null ? portStr : "-1"));
 
        } else {
   
 
            proxyAddress = android.net.Proxy.getHost(context);
 
            proxyPort = android.net.Proxy.getPort(context);
 
        }
 
        return (!TextUtils.isEmpty(proxyAddress)) && (proxyPort != -1);
 
    }

从以上代码中，我们可以知道，使用了代理，将返回true。那么，我们该怎么hook此函数，让其总返回false呢？

1. 手机安装frida-server，下载地址
   我们将下载到的frida-server安装包放进手机data/local/tmp目录下。方法有很多，我是通过adb方式传送文件
   的。

$ adb push frida-server-12.6.6-android-arm64 /data/local/tmp/

2. 启动frida-server

$ adb shell #进入adb终端
$ su # 切换至超级用户
$ cd data/local/tmp # 进入frida-server存放目录
$ chomd 777 ./frida-server-12.6.6-android-arm64 # 赋予目录可读可写执行权限  
$ ./frida-server

3. 手机启动目标程序，终端查看进程是否存在

$ adb forward tcp:27042 tcp:27042 # 端口转发，将frida端口映射至本地 
$ frida-ps -R

输出信息如下

  PID  Name
-----  -----------------------------------------
  375  6620_launcher
  659  MPED
  670  MtkCodecService
  651  aal
  398  adbd
 3064  android.process.acore
 1715  android.process.media
  668  batterywarning
  380  ccci_fsd
  382  ccci_fsd
  381  ccci_mdinit
  383  ccci_mdinit
 2468  com.amap.android.location
 5051  com.android.calendar
28273  com.android.camera
 3766  com.android.defcontainer
 3669  com.android.fileexplorer:remote
 2673  com.android.phone
 5435  com.android.settings
 2176  com.android.settings:remote
 1699  com.android.systemui
14787  com.android.thememanager
22936  com.android.vending
20588  com.android.vending:instant_app_installer
 2017  com.miui.whetstone
26764  com.oyohotels.consumer
27064  com.oyohotels.consumer:remote
 6464  com.tencent.mm
 4701  com.tencent.mm:push

4. 确认进程存在。接着，启动注入程序

$ frida -U com.oyohotels.consumer --no-pause -l hooks.js

此时，我们观察app运行情况及控制台日志输出

huozhenlindeMacBook-Air:frida_demo huozhenlin$ frida -U com.oyohotels.consumer --no-pause -l hooks.js
     ____
    / _  |   Frida 12.6.11 - A world-class dynamic instrumentation toolkit
   | (_|