What is Frida
Frida is a code injection tool: it can hook a method and make it return the value we need. That was my understanding when I first started using the tool.
How to install
Online tutorials are plentiful and each has its merits. The one below shows you how to install manually rather than through an automated installer. Why not automate? A manual install is faster and avoids a whole series of external factors, such as certificate errors and network latency, that can make the installation fail.
Step 1: download the egg file into your home directory
My machine is a Mac and the version I use is 12.6.7, so I downloaded frida-12.6.7-py3.6-macosx-10.6-intel.egg. If you are on Windows or Linux, download the corresponding build.
Step 2: change into the download directory and install manually
easy_install frida-12.6.7-py3.6-macosx-10.6-intel.egg
- Note: if the error below appears, move the egg file to the indicated directory and install again.
looking for prebuilt extension in home directory, i.e. /Users/huozhenlin/frida-12.6.11-py3.6-macosx-10.6-intel.egg
no prebuilt extension found in home directory
error: Setup script exited with error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)>
Step 3: install frida-tools
pip3 install frida-tools
If it prints the following, the installation succeeded
Requirement already satisfied: frida-tools in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/frida_tools-2.0.1-py3.6.egg (2.0.1)
Requirement already satisfied: colorama<1.0.0,>=0.2.7 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages (from frida-tools) (0.4.1)
Requirement already satisfied: frida<13.0.0,>=12.5.9 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/frida-12.6.11-py3.6-macosx-10.9-x86_64.egg (from frida-tools) (12.6.11)
Requirement already satisfied: prompt-toolkit<3.0.0,>=2.0.0 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/prompt_toolkit-2.0.9-py3.6.egg (from frida-tools) (2.0.9)
Requirement already satisfied: pygments<3.0.0,>=2.0.2 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/Pygments-2.4.2-py3.6.egg (from frida-tools) (2.4.2)
Requirement already satisfied: six>=1.9.0 in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages (from prompt-toolkit<3.0.0,>=2.0.0->frida-tools) (1.12.0)
Collecting wcwidth (from prompt-toolkit<3.0.0,>=2.0.0->frida-tools)
Using cached https://files.pythonhosted.org/packages/7e/9f/526a6947247599b084ee5232e4f9190a38f398d7300d866af3ab571a5bfe/wcwidth-0.1.7-py2.py3-none-any.whl
Installing collected packages: wcwidth
Successfully installed wcwidth-0.1.7
Check that Frida works
$ frida -h
If the help text below is printed, the installation succeeded
Usage: frida [options] target
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-D ID, --device=ID connect to device with the given ID
-U, --usb connect to USB device
-R, --remote connect to remote frida-server
-H HOST, --host=HOST connect to remote frida-server on HOST
-f FILE, --file=FILE spawn FILE
-n NAME, --attach-name=NAME
attach to NAME
-p PID, --attach-pid=PID
attach to PID
--debug enable the Node.js compatible script debugger
--enable-jit enable JIT
-l SCRIPT, --load=SCRIPT
load SCRIPT
-c CODESHARE_URI, --codeshare=CODESHARE_URI
load CODESHARE_URI
-e CODE, --eval=CODE evaluate CODE
-q quiet mode (no prompt) and quit after -l and -e
--no-pause automatically start main thread after startup
-o LOGFILE, --output=LOGFILE
output to log file
Hands-on
The app chosen for this exercise is a certain hotel app: as soon as any proxy is configured, it can no longer reach the network.
Experienced reverse engineers will immediately suspect that the app checks the device's network settings and refuses to connect whenever any proxy is in use.
/*
 * Determine whether the device is using a proxy for network access
 * */
private boolean isWifiProxy(Context context) {
    final boolean IS_ICS_OR_LATER = Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH;
    String proxyAddress;
    int proxyPort;
    if (IS_ICS_OR_LATER) {
        // Android 4.0+: the system proxy is exposed through JVM system properties
        proxyAddress = System.getProperty("http.proxyHost");
        String portStr = System.getProperty("http.proxyPort");
        proxyPort = Integer.parseInt((portStr != null ? portStr : "-1"));
    } else {
        // Older releases: use the (now deprecated) android.net.Proxy helpers
        proxyAddress = android.net.Proxy.getHost(context);
        proxyPort = android.net.Proxy.getPort(context);
    }
    // A proxy is considered active only when both a host and a port are set
    return (!TextUtils.isEmpty(proxyAddress)) && (proxyPort != -1);
}
From the code above we can see that the method returns true when a proxy is in use. So how do we hook this method so that it always returns false?
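The hooks.js that the post loads later but never shows, written here as an added example rather than the post's own file. It assumes the placeholder class name com.example.hotel.NetUtils for the class that declares isWifiProxy, which the post does not name; the hook runs the real check first and logs what it returned, so you can see every time the app consults it, and then reports false.

```javascript
// hooks.js: Frida script for the isWifiProxy() check shown above.
// Added example, not the post's own file. The class name below is a
// placeholder assumption: the post never names the class that declares
// isWifiProxy, so take it from the decompiled APK.
const TARGET_CLASS = 'com.example.hotel.NetUtils'; // placeholder
const TARGET_METHOD = 'isWifiProxy';

// Decision logic kept free of Frida globals so it can be unit-tested from
// plain node: given the value the real check produced, return what the
// hooked method reports plus a log line recording the override.
function overrideProxyCheck(originalResult) {
  const forced = false; // always report "no proxy in use"
  return {
    result: forced,
    overridden: originalResult !== forced,
    log: TARGET_METHOD + ': original=' + originalResult + ' -> returning ' + forced,
  };
}

// Install the hook; runs only inside the Frida agent (frida -U ... -l hooks.js).
function installHook() {
  Java.perform(function () {
    const cls = Java.use(TARGET_CLASS);
    // Private methods are reachable through Java.use; pick the
    // (Context) overload explicitly in case the class adds another.
    cls[TARGET_METHOD].overload('android.content.Context').implementation = function (ctx) {
      const original = this[TARGET_METHOD](ctx); // run the real check to see what it found
      const decision = overrideProxyCheck(original);
      console.log('[hook] ' + decision.log);
      return decision.result;
    };
    console.log('[hook] ' + TARGET_CLASS + '.' + TARGET_METHOD + ' hooked');
  });
}

// The Java global exists only in Frida's runtime; under plain node it is
// undefined, so the script loads without trying to hook anything.
if (typeof Java !== 'undefined') {
  installHook();
}
```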
- Install frida-server on the phone (download link)
Put the downloaded frida-server package into the phone's /data/local/tmp directory. There are many ways to do this; I pushed the file over adb.
$ adb push frida-server-12.6.6-android-arm64 /data/local/tmp/
- Start frida-server
$ adb shell # open an adb shell on the phone
$ su # switch to the superuser
$ cd /data/local/tmp # enter the directory holding frida-server
$ chmod 777 ./frida-server-12.6.6-android-arm64 # make the binary readable, writable and executable
$ ./frida-server-12.6.6-android-arm64 & # start the server in the background so the shell stays usable
- Launch the target app on the phone, then check from the terminal that its process exists
$ adb forward tcp:27042 tcp:27042 # forward the port so the Frida server is reachable locally
$ frida-ps -R
The output is as follows
PID Name
----- -----------------------------------------
375 6620_launcher
659 MPED
670 MtkCodecService
651 aal
398 adbd
3064 android.process.acore
1715 android.process.media
668 batterywarning
380 ccci_fsd
382 ccci_fsd
381 ccci_mdinit
383 ccci_mdinit
2468 com.amap.android.location
5051 com.android.calendar
28273 com.android.camera
3766 com.android.defcontainer
3669 com.android.fileexplorer:remote
2673 com.android.phone
5435 com.android.settings
2176 com.android.settings:remote
1699 com.android.systemui
14787 com.android.thememanager
22936 com.android.vending
20588 com.android.vending:instant_app_installer
2017 com.miui.whetstone
26764 com.oyohotels.consumer
27064 com.oyohotels.consumer:remote
6464 com.tencent.mm
4701 com.tencent.mm:push
- Confirm that the process exists. Next, start the injection
$ frida -U com.oyohotels.consumer --no-pause -l hooks.js
Now we watch the app's behaviour and the console log output
huozhenlindeMacBook-Air:frida_demo huozhenlin$ frida -U com.oyohotels.consumer --no-pause -l hooks.js
____
/ _ | Frida 12.6.11 - A world-class dynamic instrumentation toolkit
| (_|