准备软件
1: android studio
2: Frida
3: 文本编辑器
4:模拟器
参考文档:
效果图:
拦截前
拦截后
安卓源码
package com.example.myapplication;
import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;
/**
 * Demo screen with a single button that opens a modal alert dialog.
 *
 * <p>The dialog body is whatever {@link #getString()} returns. That value is produced on the
 * device, so an instrumentation tool on a rooted device or emulator can swap it at runtime;
 * the Frida script that accompanies this listing replaces exactly this method. Values produced
 * this way are display-only and should never feed a trust decision.
 */
public class MainActivity2 extends Activity {

    /**
     * Inflates {@code activity_main} and wires the button to the dialog.
     *
     * @param savedInstanceState state bundle handed through to {@code super.onCreate}
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Both dialog buttons share one listener that deliberately does nothing.
        final DialogInterface.OnClickListener doNothing = new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
            }
        };

        final Button openDialogButton = findViewById(R.id.button);
        openDialogButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                // getString() here is the private no-arg method below,
                // not the inherited Context.getString(int).
                new AlertDialog.Builder(MainActivity2.this)
                        .setTitle("弹框")
                        .setMessage(getString())
                        .setCancelable(false)
                        .setPositiveButton("OK", doNothing)
                        .setNegativeButton("CANCEL", doNothing)
                        .show();
            }
        });
    }

    /**
     * Supplies the dialog message.
     *
     * @return the fixed message shown when this method has not been replaced at runtime
     */
    private String getString() {
        return "未被hook,我是原始函数";
    }
}
<?xml version="1.0" encoding="utf-8"?>
<!-- Layout for the demo screen; presumably res/layout/activity_main.xml, since MainActivity2 calls setContentView(R.layout.activity_main) - confirm the file name. -->
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:app="http://schemas.android.com/apk/res-auto"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:gravity="center"
android:orientation="vertical"
tools:context=".MainActivity2">
<!-- Full-width button with id "button"; MainActivity2.onCreate looks it up through R.id.button and attaches the click handler that opens the dialog. -->
<Button
android:id="@+id/button"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:text="弹框"/>
</LinearLayout>
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.myapplication">
<!-- NOTE(review): android:allowBackup="true" lets the app's private data be copied off the device through Android's backup mechanisms. Harmless for this demo; set it to "false" in any app that stores secrets or session data. -->
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="@style/AppTheme">
<!-- Launcher entry point. NOTE(review): no android:exported attribute is set; builds targeting API level 31 or later must declare it explicitly on an activity that has an intent-filter. -->
<activity android:name=".MainActivity2">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- The three meta-data entries below declare this APK as an Xposed module. NOTE(review): the Java source shown alongside this manifest contains no Xposed hook class, so they look like leftovers from another experiment - confirm, and remove them if the app is only meant to be a Frida target. -->
<meta-data
android:name="xposedmodule"
android:value="true"/>
<meta-data
android:name="xposeddescription"
android:value="这是一个xposed应用"/>
<meta-data
android:name="xposedminversion"
android:value="54"/>
</application>
</manifest>
js源码
文件命名为Trace1.js
/**
 * Replaces MainActivity2.getString() in the instrumented process.
 *
 * Must be called from inside Java.perform(), because it uses the Java bridge.
 * The replacement first invokes the original method, reports its result to the
 * host with send(), then returns a fixed substitute string. It shows that a
 * private method's return value gives no integrity guarantee once the process
 * can be instrumented.
 */
function hookTest1() {
    console.log("执行方法hookTest1");
    // Usage: obtain a wrapper for the target class through the Java bridge.
    var targetClass = Java.use("com.example.myapplication.MainActivity2");
    console.log("执行到2");
    targetClass.getString.implementation = function () {
        console.log("执行到3");
        // Inside a replacement, calling the method on `this` runs the original implementation.
        var originalValue = this.getString();
        send("getString = " + originalValue);
        var substitute = "我已被劫持!";
        send(substitute);
        return substitute;
    };
}
/**
 * Runs hookTest1() inside Java.perform(), which makes sure the current thread
 * is attached to the Java VM before the callback executes.
 */
function wrapFn() {
    var installHooks = function () {
        hookTest1();
    };
    Java.perform(installHooks);
}
/**
 * Script entry point: schedules hook installation five seconds after load.
 *
 * The delay is presumably there to let the spawned app finish starting before
 * the class is looked up; the page does not state the reason. Calling wrapFn()
 * directly is the immediate alternative the author left disabled.
 */
function main() {
    var delayMs = 5000;
    console.log("====停顿5秒钟 ====");
    // Install the hook only after the delay has elapsed.
    setTimeout(wrapFn, delayMs);
    console.log("====start ====");
}
// Run main() as soon as possible on Frida's JavaScript thread once the script is loaded.
setImmediate(main);
调用方式
frida -U -l D:/Trace1.js -f com.example.myapplication
其中 frida -U -l {脚本位置} -f {应用包名}
出现的问题
今天做测试过程中出现问题
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/android_x86/x86:7.1.2/N2G47H/N975FXXU1ASGO:/release-keys'
Revision: '0'
ABI: 'x86'
pid: 4798, tid: 4798, name: re-initialized> >>> <pre-initialized> <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
eax 00000000 ebx 000012be ecx 000012be edx 0000000b
esi cfff998c edi cfff9720
xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
eip c7f29c10 ebp cfff97a0 esp cfff96b8 flags 00000296
backtrace:
#00 pc 00000c10 [vdso:c7f29000] (__kernel_vsyscall+16)
#01 pc 0007fc08 /system/bin/linker (__dl_syscall+40)
#02 pc 000046d1 /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1201)
#03 pc 0000b7fd /system/bin/app_process32_xposed (InvokeUserSignalHandler+317)
#04 pc 000ff441 /system/lib/libart.so (offset 0x10a000)
***
[Android Emulator 5554::com.example.myapplication]->
解决方案:
1:重启了模拟器,失败
2:重启了电脑,失败
3:更换为手机,但是由于手机没有root,执行时没有ll命令也没有ls命令,所以直接退回模拟器了
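4:js代码重写了一遍,莫名其妙的就好了。估计还是代码写错了。不过上面的回溯里出现了 /system/bin/app_process32_xposed,说明模拟器上还装着 Xposed 框架;两套插桩框架同时作用于同一个进程也可能是崩溃的诱因,这一点没有验证过。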
方案2:
2.1 后来在调试中也发生过类似问题,通过手动把模拟器上的应用关闭就可以继续了。