Android逆向-Frida-CheatSheet

2023-09-04

字数统计: 23.7k字 | 阅读时长≈ 128分

Frida-CheatSheet

Android逆向-Frida-CheatSheet

加载脚本

直接执行Js脚本（Windows）

1	frida <进程路径> -l <js脚本>

直接启动APP并执行Js脚本（Android）

1	frida -U -f com.example.a11x256.frida_test -l <js脚本>

换端口（Android）

首先在frida-server执行：（server的名字被我改了）

1	./data/local/tmp/rf-server --listen=0.0.0.0:11451

然后执行：

1 2	adb forward tcp:11451 tcp:11451 frida -H 127.0.0.1:11451 -f <packageName> -l <script.js>

Python loader脚本（Android）

这个脚本用于在Python中加载Js的frida脚本。

import time

import frida

# 回显报错消息等
def my_message_handler(message, payload):
    print(message)
    print(payload)
    
device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s1.js") as f:
    script = session.create_script(f.read())
script.on("message", my_message_handler)
script.load()

# prevent the python script from terminating
halt = input()

获取指定 UID 设备

1	device = frida.get_device_manager().get_device("094fdb0a0b0df7f8")

获取远程设备

1 2	mgr = frida.get_device_manager() device = mgr.add_remote_device("30.137.25.128:13355")

交互式界面

似乎只要使用

1	frida <程序路径> (-l <脚本路径>)

这样的命令就可以在终端中启动Frida的交互式界面。配合自带的补全功能，就可以随意测试函数了。

RPC远程调用-Js与Python脚本通信

js与py脚本交互

import frida

def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])

session = frida.get_usb_device().attach('com.roysue.roysueapplication')

source = """
    rpc.exports = {
    add: function (a, b) {
        return a + b;
    },
    sub: function (a, b) {
        return new Promise(function (resolve) {
        setTimeout(function () {
            resolve(a - b);
        }, 100);
        });
    }
    };
"""

script = session.create_script(source)
script.on('message', on_message)
script.load()
print(script.exports.add(2, 3))
print(script.exports.sub(5, 3))
session.detach()

Python这边就是script.export向其中传入json对象；Js这边是用rpc.exports构成一个导出函数字典。

又有一个例子：

//Javascript code
console.log("Script loaded successfully ");

function callSecretFun() { //Defining the function that will be exported
    Java.perform(function () { //code that calls `secret` function from the previous example

        Java.choose("com.example.a11x256.frida_test.my_activity", {
            onMatch: function (instance) {
                console.log("Found instance: " + instance);
                console.log("Result of secret func: " + instance.secret());
            },
            onComplete: function () { }

        });

    });


}
rpc.exports = {
    callsecretfunction: callSecretFun //exporting callSecretFun as callsecretfunction
  // the name of the export (callsecretfunction) cannot have  neither Uppercase letter nor uderscores.
};

过时警告⭐

1	DeprecationWarning: Script.exports will become asynchronous in the future, use the explicit Script.exports_sync instead

以后用Script.exports_sync。

send/recv

首先是Js2Py：

在Js中：

1	send(data)

然后在Python中：

def my_message_handler(message, payload):
    print (message)
    print (payload)
    if message["type"] == "send":
        # print message["payload"]
        print(message)

其次是Py2Js，首先在Python里：

1	script.post({"my_data": data}) # send JSON object

在Js端：

1
2
3

recv(function (received_json_object) {
    string_to_recv = received_json_object.my_data
}).wait(); //block execution till the message is received

注意这里要用wait方法等待数据完全传输过来。

执行函数

setTimeout 延迟执行一次

1	setTimeout(funcA, 15000);

setInterval 间隔循环执行

1 2	var id_ = setInterval(funcB, 15000); clearInterval(id_); // 终止

变量类型

FRIDA-API使用篇：rpc、Process、Module、Memory使用方法及示例-安全客 - 安全资讯平台 (anquanke.com)

索引	API	含义
1	new Int64(v)	定义一个有符号Int64类型的变量值为v，参数v可以是字符串或者以0x开头的的十六进制值
2	new UInt64(v)	定义一个无符号Int64类型的变量值为v，参数v可以是字符串或者以0x开头的的十六进制值
3	new NativePointer(s)	定义一个指针，指针地址为s
4	ptr(“0”)	同上

例子：

Java.perform(function () {
    console.log("");
    console.log("new Int64(1):"+new Int64(1));
    console.log("new UInt64(1):"+new UInt64(1));
    console.log("new NativePointer(0xEC644071):"+new NativePointer(0xEC644071));
    console.log("new ptr('0xEC644071'):"+new ptr(0xEC644071));
});
    输出效果如下：
    new Int64(1):1
    new UInt64(1):1
    new NativePointer(0xEC644071):0xec644071
    new ptr('0xEC644071'):0xec644071

frida也为Int64(v)提供了一些相关的API：

索引	API	含义
1	add(rhs)、sub(rhs)、and(rhs)、or(rhs)、xor(rhs)	加、减、逻辑运算
2	shr(N)、shl(n)	向右/向左移位n位生成新的Int64
3	Compare(Rhs)	返回整数比较结果
4	toNumber()	转换为数字
5	toString([radix=10])	转换为可选基数的字符串(默认为10)

我也写了一些使用案例，代码如下。

function hello_type() {
    Java.perform(function () {
        console.log("");
        //8888 + 1 = 8889
        console.log("8888 + 1:"+new Int64("8888").add(1));
        //8888 - 1 = 8887
        console.log("8888 - 1:"+new Int64("8888").sub(1));
        //8888 << 1 = 4444
        console.log("8888 << 1:"+new Int64("8888").shr(1));
        //8888 == 22 = 1 1是false
        console.log("8888 == 22:"+new Int64("8888").compare(22));
        //转string
        console.log("8888 toString:"+new Int64("8888").toString());
    });
}

Java Hook

打印Java函数参数&返回值（免写参数）

简单来说就是，不需要单独写函数原型里的每一个形参，直接用arguments即可。匿名函数function的形参表里都不需要放个args。

// 函数原型 encodeRequest(int i, String str, String str2, String str3, String str4, String str5, byte[] bArr, int i2, int i3, String str6, byte b, byte b2, byte[] bArr2, boolean z)
var CodecWarpper = Java.use("xx.CodecWarpper");
CodecWarpper.encodeRequest.implementation = function() {
    // this.encodeRequest指向的是CodecWarpper对象的encodeRequest方法本身
    var ret = this.encodeRequest.apply(this, arguments);
    //这里可以打印参数和返回值
    return ret;
}

Hook所有重载函数

重载方法（Overloaded methods）是指在同一个类中定义了多个具有相同名称但参数列表不同的方法。

function hookAllOverloads(targetClass, targetMethod) {
    Java.perform(function () {
         var targetClassMethod = targetClass + '.' + targetMethod;
         var hook = Java.use(targetClass);
         var overloadCount = hook[targetMethod].overloads.length;
         for (var i = 0; i < overloadCount; i++) {
                hook[targetMethod].overloads[i].implementation = function() {
                     var retval = this[targetMethod].apply(this, arguments);
                     //这里可以打印结果和参数
                     return retval;
                 }
              }
   });
 }

Hook Java String类

function hook_javalangString() {
    Java.perform(function () {
        var JavaString = Java.use('java.lang.String');
 
        JavaString.$init.overload('java.lang.String').implementation = function (content) {
            console.log('[HOOK] JavaString.$init.overload(\'java.lang.String\')->' + content);
            var result = this.$init(content);
            return result;
        };
        JavaString.$init.overload('[C').implementation = function (content) {
            console.log("[HOOK] JavaString.$init.overload('[C')->" + content);
            var result = this.$init(content);
            return result;
        };
        var StringFactory = Java.use('java.lang.StringFactory');
        StringFactory.newStringFromString.implementation = function (arg0) {
            console.log("[HOOK] java.lang.StringFactory.newStringFromString->" + arg0);
            var result = this.newStringFromString(arg0);
            return result;
        };
        var exampleString1 = JavaString.$new('Hello World, this is an example string in Java.');
        console.log('[+] exampleString1: ' + exampleString1);
    })
 
}

setImmediate(hook_javalangString, 0);

Hook JSONObject

调用了send方法与Python进行RPC通信。

var JSONObject=Java.use('org.json.JSONObject');
JSONObject.toString.overload().implementation = function(){
    send("=================org.json.JSONObject.toString====================");
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
    var data=this.toString();
    send("org.json.JSONObject.toString result:"+data);
    return data;
}
for(var i = 0; i < JSONObject.put.overloads.length; i++){
    JSONObject.put.overloads[i].implementation = function(){
        send("=================org.json.JSONObject.put====================");
        if(arguments.length == 2){
            send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
            send("key:"+arguments[0]);
            send("value:"+arguments[1]);
            var data=this.put(arguments[0],arguments[1]);
            return data;
        }
    }
}
for(var i = 0; i < JSONObject.$init.overloads.length; i++){
    JSONObject.$init.overloads[i].implementation = function(){
        send("=================org.json.JSONObject.$init====================");
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        if(arguments.length == 1){//只有1个string参数
            send("string:"+arguments[0]);
        }else if(arguments.length == 2){ //其他构造函数用到的时候可以继续添加
            
        }
    }
}

Hook LinkedHashMap

var linkerHashMap=Java.use('java.util.LinkedHashMap');
linkerHashMap.put.implementation = function(arg1,arg2){
    send("=================linkerHashMap.put====================");
    var data=this.put(arg1,arg2);
    send(arg1+"-----"+arg2);
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
    return data;
}

Hook Java普通函数（非重载）⭐

Hook一个最简单的Java函数：

1
2
3

void fun(int x, int y) {
    Log.d("Sum", String.valueOf(x + y));
}

下面是Hook：

console.log("Script loaded successfully ");
Java.perform(function x(){ //Silently fails without the sleep from the python code
console.log("Inside java perform function");
    //get a wrapper for our class
    var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
    //replace the original implmenetation of the function `fun` with our custom function
    my_class.fun.implementation = function(x,y){
    //print the original arguments
    console.log( "original call: fun("+ x + ", " + y + ")");
    //call the original implementation of `fun` with args (2,5)
    var ret_value = this.fun(2,5);
    return ret_value;
}});

核心点即：

1	class.function.implementation = function() {}

Hook Java重载函数

void fun(int x , int y ){

    Log.d("Sum" , String.valueOf(x+y));
}

String fun(String x){
    total +=x;
    return x.toLowerCase();
}

Hook 类构造函数

1	JavaClass.$init.implementation = function () {}

Hook 类实例化函数

1	JavaClass.$new.implementation = function () {}

注册Java接口

看Java/注册Java类章节。

主要利用Java.registerClass方法。

Hook Log类

var cLog = Java.use("android.util.Log");
cLog.d.overload('java.lang.String', 'java.lang.String').implementation = function(a1, a2) {
    var ret = this.d.apply(this, arguments);
    console.log("Log:" + a1 + ", " + a2);
    return ret;
}
cLog.d.overload('java.lang.String', 'java.lang.String', 'java.lang.Throwable').implementation = function(a1, a2) {
    var ret = this.d.apply(this, arguments);
    console.log("Log:" + a1 + ", " + a2);
    return ret;
}

Hook 已经存在的Java类⭐

使用Java.choose方法。

Java.choose("com.example.a11x256.frida_test.my_activity", {
    onMatch: function (instance) {
        console.log("Found instance: " + instance);
        console.log("Result of secret func: " + instance.secret());
    },
    onComplete: function () { }

});

Hook Crypto库

Frida hooking android part 5: Bypassing AES encryption - 11x256’s Infosec blog (infosec-blog.com)

console.log("Script loaded successfully 55");


Java.perform(function x(){
    var secret_key_spec = Java.use("javax.crypto.spec.SecretKeySpec");
    secret_key_spec.$init.overload("[B", "java.lang.String").implementation  = function(x , y){
        send('{"my_type" : "KEY"}' ,new Uint8Array(x));
       //console.log(xx.join(" "))
        return this.$init(x , y);
    }
    var iv_parameter_spec = Java.use("javax.crypto.spec.IvParameterSpec");
    iv_parameter_spec.$init.overload("[B").implementation = function(x){
        send('{"my_type" : "IV"}' , new Uint8Array(x));
        return this.$init(x);
    }
    var cipher = Java.use("javax.crypto.Cipher");
    cipher.init.overload("int" , "java.security.Key" , "java.security.spec.AlgorithmParameterSpec").implementation = function(x,y,z){
        //console.log(z.getClass());
        if (x == 1)
            send('{"my_type" : "hashcode_enc", "hashcode" :"' +this.hashCode().toString() +'" }');
        else
            send('{"my_type" : "hashcode_dec", "hashcode" :"' +this.hashCode().toString() +'" }');

        send('{"my_type" : "Key from call to cipher init"}', new Uint8Array(y.getEncoded()) );
        send('{"my_type" : "IV from call to cipher init"}' , new Uint8Array(Java.cast(z , iv_parameter_spec).getIV() ));
        return cipher.init.overload("int" , "java.security.Key" , "java.security.spec.AlgorithmParameterSpec").call(this,x,y,z);

    }

    cipher.doFinal.overload("[B").implementation = function(x){
        send('{"my_type" : "before_doFinal" , "hashcode" :"' +this.hashCode().toString() +'" }' , new Uint8Array(x));
        var ret = cipher.doFinal.overload("[B").call(this,x);
        send('{"my_type" : "after_doFinal" , "hashcode" :"' +this.hashCode().toString() +'" }' , new Uint8Array(ret));

        return ret;
    }
});

以及对应的Py脚本：（懒得改Python3版本了）

import time
import frida
import json
enc_cipher_hashcodes = [] #cipher objects with Cipher.ENCRYPT_MODE will be stored here
dec_cipher_hashcodes = [] #cipher objects with Cipher.ENCRYPT_MODE will be stored here


def my_message_handler(message, payload):
    #mainly printing the data sent from the js code, and managing the cipher objects according to their operation mode  
    if message["type"] == "send":
        # print message["payload"]
        my_json = json.loads(message["payload"])
        if my_json["my_type"] == "KEY":
            print "Key sent to SecretKeySpec()", payload.encode("hex")
        elif my_json["my_type"] == "IV":
            print "Iv sent to IvParameterSpec()", payload.encode("hex")
        elif my_json["my_type"] == "hashcode_enc":
            enc_cipher_hashcodes.append(my_json["hashcode"])
        elif my_json["my_type"] == "hashcode_dec":
            dec_cipher_hashcodes.append(my_json["hashcode"])
        elif my_json["my_type"] == "Key from call to cipher init":
            print "Key sent to cipher init()", payload.encode("hex")
        elif my_json["my_type"] == "IV from call to cipher init":
            print "Iv sent to cipher init()", payload.encode("hex")
        elif my_json["my_type"] == "before_doFinal" and my_json["hashcode"] in enc_cipher_hashcodes:
            #if the cipher object has Cipher.MODE_ENCRYPT as the operation mode, the data before doFinal will be printed
            #and the data returned (ciphertext) will be ignored
            print "Data to be encrypted :", payload
        elif my_json["my_type"] == "after_doFinal" and my_json["hashcode"] in dec_cipher_hashcodes:
            print "Decrypted data :", payload
    else:
        print message
        print '*' * 16
        print payload


device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)

with open("s5.js") as f:
    script = session.create_script(f.read())
script.on("message", my_message_handler)  # register the message handler
script.load()

raw_input()

Hook 短信发送

function hook_sms() {
    var SmsManager = Java.use('android.telephony.SmsManager');
    SmsManager.sendDataMessage.implementation = function (
        destinationAddress, scAddress, destinationPort, data, sentIntent, deliveryIntent) {
        console.log("sendDataMessage destinationAddress: " + destinationAddress + " port: " + destinationPort);
        showStacks();
        this.sendDataMessage(destinationAddress, scAddress, destinationPort, data, sentIntent, deliveryIntent);
    }
}

Hook URI

var hook_uri = function() {
    // coord: (7520,0,19) | addr: Ljava/net/URI;->parseURI(Ljava/lang/String;Z)V | loc: ?
    var uri = Java.use('java.net.URI');
    uri.parseURI.implementation = function (a1, a2) {
        // a1 = a1.replace("xxxx.com", "yyyy.com");

        console.log("uri: " + a1);
        //showStacks();
        return this.parseURI(a1, a2);
    }
}

Hook KXmlSerializer 拼装内容

用来看XML什么的。随便找了个blog：

Android 之 pull 生成 XML 及 XmlSerializer 详解 - 掘金 (juejin.cn)

function hook_xml() {
    var xmlSerializer = Java.use('org.kxml2.io.KXmlSerializer');    // org.xmlpull.v1.XmlSerializer
    xmlSerializer.text.overload('java.lang.String').implementation = function (text) {
        console.log("xtext: " + text);
        if ("GPRS" == text) {
            console.log("======>>> found GPRS");
            //showStacks();
        }
        return this.text(text);
    }
}

Hook 常见密码库

Java.perform(function () {
    var ByteString = Java.use("com.android.okhttp.okio.ByteString");
    var MessageDigest = Java.use('java.security.MessageDigest');
    var StringClass = Java.use("java.lang.String");

    // hook md5
    md.getInstance.overload("java.lang.String").implementation = function (str) {
        return this.getInstance(str)
    }
    md.update.overload('[B').implementation = function (a) {
        var result = this.update(a);
        return result;
    }
    md.digest.overload().implementation = function () {
        var result = this.digest();
        return result;
    }

    // hook aes
    var secretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    var iv = Java.use("javax.crypto.spec.IvParameterSpec");
    var cipher = Java.use("javax.crypto.Cipher");
    // hook aes key
    secretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (a, b) {
        console.log("secretKeySpec.$init - UTF8密钥: " + StringClass.$new(a));
        console.log("secretKeySpec.$init - hex密钥 : " + ByteString.of(a).hex());
        console.log("secretKeySpec.$init - 算法类型: " + b);
        var result = this.$init(a, b);
        return result;
    }
    // hook aes 偏移
    iv.$init.overload('[B').implementation = function (a) {
        console.log("IvParameterSpec.$init - 向量偏移量utf8: ", StringClass.$new(a));
        console.log("IvParameterSpec.$init - 向量偏移量hex: ", bytes2Hex(a))
        var result = this.$init(a);
        return result;
    }
    // hook aes 加密模式
    cipher.getInstance.overload('java.lang.String').implementation = function (a) {
        console.log("cipher.getInstance - 加密模式、填充类型: ", a)
        var result = this.getInstance(a);
        return result;
    }
    cipher.doFinal.overload('[B').implementation = function (a) {
        console.log("Cipher.doFinal - 待加密字符串: ", bytes2Hex(a))
        var result = this.doFinal(a);
        console.log("Cipher.doFinal - 加密后字符串: ", bytes2Hex(result))
        return result;
    }
})

Java.retrain保存对象

Java.perform(() => {
  const Activity = Java.use('android.app.Activity');
  let lastActivity = null;
  Activity.onResume.implementation = function () {
    lastActivity = Java.retain(this);
    this.onResume();
  };
});

Hook 内部类

function main(){
    Java.perfor(function(){
        // hook 内部类
        // 内部类使用$进行分隔 不使用.
        var InnerClass = Java.use("com.xiaojianbang.app.Money$innerClass");
        // 重写内部类的 $init 方法
        InnerClass.$init.overload("java.lang.String","int").implementation = function(x,y){
            console.log("x: ",x);
            console.log("y: ",y);
            this.$init(x,y);
        }
    })
}

setImmediate(main)

Hook 匿名类

// 接口, 抽象类, 不可以被new
// 接口, 抽象类 要使用必须要实例化, 实例化不是通过new, 而是通过实现接口方法, 继承抽象类等方式
// new __接口__{} 可以理解成 new 了一个实现接口的匿名类, 在匿名类的内部(花括号内),实现了这个接口

function main(){
    Java.perform(function(){
        // hook 匿名类
        // 匿名类在 smail中以 $1, $2 等方式存在, 需要通过 java 行号去 smail 找到准确的匿名类名称 
        var NiMingClass = Java.use("com.xiaojianbang.app.MainActivity$1");
        NiMingClass.getInfo.implementation = function (){
            return "kevin change 匿名类";
        }
    })
}

setImmediate(main)

Hook 动态替换 ClassLoader（不知道干啥的）

说实话我也不知道这是用来干啥的。

java ClassLoader（类加载器） - 知乎 (zhihu.com)

// 方法一
var className = 'com.taobao.wireless.security.adapter.JNICLibrary';
Java.enumerateClassLoaders({
    onMatch: function (loader) {
        try {
            if (loader.findClass(className)) {
                Java.classFactory.loader = loader;
                var hookClass = Java.use(className);
                console.log("successfully hook:", hookClass);
            }
        } catch (error) {}
    },
    onComplete: function () {}
})

// 方法二
var classApplication = Java.use('android.app.Application');
classApplication.onCreate.implementation = function () {
    Java.enumerateClassLoadersSync().forEach(function (loader) {
        try {
            if (loader.loadClass(className)) {
                Java.classFactory.loader = loader;
            }
        } catch (error) {}
    });
}

经常在加壳的 app 中, 没办法正确找到正常加载 app 类的 classloader, 可以使用以下代码：

function hook() {
    Java.perform(function () {
        Java.enumerateClassLoadersSync().forEach(function (classloader) {
            try {
                console.log("classloader", classloader);
                classloader.loadClass("com.kanxue.encrypt01.MainActivity");
                Java.classFactory.loader = classloader;
                var mainActivityClass = Java.use("com.kanxue.encrypt01.MainActivity");
                console.log("mainActivityClass", mainActivityClass);
            } catch (error) {
                console.log("error", error);
            }
        });
    })
}

Hook Runnable

用于多线程的。而且这个代码还关闭了FLAG_SECURE标志，使得能够截屏。

Java.perform(function() {
   // https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE
   var FLAG_SECURE = 0x2000;
   var Runnable = Java.use("java.lang.Runnable");
   var DisableSecureRunnable = Java.registerClass({
      name: "me.bhamza.DisableSecureRunnable",
      implements: [Runnable],
      fields: {
          activity: "android.app.Activity",
       },
       methods: {
          $init: [{
             returnType: "void",
             argumentTypes: ["android.app.Activity"],
             implementation: function (activity) {
                this.activity.value = activity;
             }
          }],
          run: function() {
             var flags = this.activity.value.getWindow().getAttributes().flags.value; // get current value
             flags &= ~FLAG_SECURE; // toggle it
             this.activity.value.getWindow().setFlags(flags, FLAG_SECURE); // disable it!
             console.log("Done disabling SECURE flag...");
          }
       }
    });

    Java.choose("com.example.app.FlagSecureTestActivity", {
       "onMatch": function (instance) {
          var runnable = DisableSecureRunnable.$new(instance);
          instance.runOnUiThread(runnable);
       },
       "onComplete": function () {}
    });
 });

Hook onClick

可以Hook按钮点击事件。

var jclazz = null;
var jobj = null;

function getObjClassName(obj) {
    if (!jclazz) {
        var jclazz = Java.use("java.lang.Class");
    }
    if (!jobj) {
        var jobj = Java.use("java.lang.Object");
    }
    return jclazz.getName.call(jobj.getClass.call(obj));
}

function watch(obj, mtdName) {
    var listener_name = getObjClassName(obj);
    var target = Java.use(listener_name);
    if (!target || !mtdName in target) {
        return;
    }
    // send("[WatchEvent] hooking " + mtdName + ": " + listener_name);
    target[mtdName].overloads.forEach(function (overload) {
        overload.implementation = function () {
            //send("[WatchEvent] " + mtdName + ": " + getObjClassName(this));
            console.log("[WatchEvent] " + mtdName + ": " + getObjClassName(this))
            return this[mtdName].apply(this, arguments);
        };
    })
}

function OnClickListener() {
    Java.perform(function () {

        //以spawn启动进程的模式来attach的话
        Java.use("android.view.View").setOnClickListener.implementation = function (listener) {
            if (listener != null) {
                watch(listener, 'onClick');
            }
            return this.setOnClickListener(listener);
        };

        //如果frida以attach的模式进行attch的话
        Java.choose("android.view.View$ListenerInfo", {
            onMatch: function (instance) {
                instance = instance.mOnClickListener.value;
                if (instance) {
                    console.log("mOnClickListener name is :" + getObjClassName(instance));
                    watch(instance, 'onClick');
                }
            },
            onComplete: function () {
            }
        })
    })
}
setImmediate(OnClickListener);

Hook startActivity

startActivity()是一个用于启动新的Activity的方法。比如：

// 创建一个Intent对象，指定要启动的目标Activity
Intent intent = new Intent(MainActivity.this, TargetActivity.class);

// 可选：传递数据到目标Activity
intent.putExtra("key", value);

// 启动目标Activity
startActivity(intent);

Java.perform(function () {
    var Activity = Java.use("android.app.Activity");
    //console.log(Object.getOwnPropertyNames(Activity));
    Activity.startActivity.overload('android.content.Intent').implementation=function(p1){
        console.log("Hooking android.app.Activity.startActivity(p1) successfully,p1="+p1);
        console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        console.log(decodeURIComponent(p1.toUri(256)));
        this.startActivity(p1);
    }
    Activity.startActivity.overload('android.content.Intent', 'android.os.Bundle').implementation=function(p1,p2){
        console.log("Hooking android.app.Activity.startActivity(p1,p2) successfully,p1="+p1+",p2="+p2);
        console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        console.log(decodeURIComponent(p1.toUri(256)));
        this.startActivity(p1,p2);
    }
    Activity.startService.overload('android.content.Intent').implementation=function(p1){
        console.log("Hooking android.app.Activity.startService(p1) successfully,p1="+p1);
        console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        console.log(decodeURIComponent(p1.toUri(256)));
        this.startService(p1);
    }
})

Hook Intent实现Activity跳转

function jumpActivity() {
    Java.perform(function () {
        var context = Java.use("android.app.ActivityThread").currentApplication().getApplicationContext();
        var intentClazz = Java.use("android.content.Intent");
        var activityClazz = Java.use("ctrip.android.hotel.view.UI.inquire.HotelInquireActivity");
        var intentObj = intentClazz.$new(context, activityClazz.class);
        intentObj.setFlags(0x10000000);
        context.startActivity(intentObj);
        console.log("startActivity");
    })
}

Hook root检测

太强了。这位师傅的代码：分类: frida | 凡墙总是门 (kevinspider.github.io)

// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh): 
//  - I added extra whitelisted items to deal with the latest versions 
//             of RootBeer/Cordova iRoot as of August 6, 2019
//  - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so

Java.perform(function() {

    var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
        "com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager",
        "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch",
        "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus",
        "de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot",
        "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser",
        "eu.chainfire.supersu.pro", "com.kingouser.com", "com.android.vending.billing.InAppBillingService.COIN","com.topjohnwu.magisk"
    ];

    var RootBinaries = ["su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk","magisk"];

    var RootProperties = {
        "ro.build.selinux": "1",
        "ro.debuggable": "0",
        "service.adb.root": "0",
        "ro.secure": "1"
    };

    var RootPropertiesKeys = [];

    for (var k in RootProperties) RootPropertiesKeys.push(k);

    var PackageManager = Java.use("android.app.ApplicationPackageManager");

    var Runtime = Java.use('java.lang.Runtime');

    var NativeFile = Java.use('java.io.File');

    var String = Java.use('java.lang.String');

    var SystemProperties = Java.use('android.os.SystemProperties');

    var BufferedReader = Java.use('java.io.BufferedReader');

    var ProcessBuilder = Java.use('java.lang.ProcessBuilder');

    var StringBuffer = Java.use('java.lang.StringBuffer');

    var loaded_classes = Java.enumerateLoadedClassesSync();

    send("Loaded " + loaded_classes.length + " classes!");

    var useKeyInfo = false;

    var useProcessManager = false;

    send("loaded: " + loaded_classes.indexOf('java.lang.ProcessManager'));

    if (loaded_classes.indexOf('java.lang.ProcessManager') != -1) {
        try {
            //useProcessManager = true;
            //var ProcessManager = Java.use('java.lang.ProcessManager');
        } catch (err) {
            send("ProcessManager Hook failed: " + err);
        }
    } else {
        send("ProcessManager hook not loaded");
    }

    var KeyInfo = null;

    if (loaded_classes.indexOf('android.security.keystore.KeyInfo') != -1) {
        try {
            //useKeyInfo = true;
            //var KeyInfo = Java.use('android.security.keystore.KeyInfo');
        } catch (err) {
            send("KeyInfo Hook failed: " + err);
        }
    } else {
        send("KeyInfo hook not loaded");
    }

    PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function(pname, flags) {
        var shouldFakePackage = (RootPackages.indexOf(pname) > -1);
        if (shouldFakePackage) {
            send("Bypass root check for package: " + pname);
            pname = "set.package.name.to.a.fake.one.so.we.can.bypass.it";
        }
        return this.getPackageInfo.call(this, pname, flags);
    };

    NativeFile.exists.implementation = function() {
        var name = NativeFile.getName.call(this);
        var shouldFakeReturn = (RootBinaries.indexOf(name) > -1);
        if (shouldFakeReturn) {
            send("Bypass return value for binary: " + name);
            return false;
        } else {
            return this.exists.call(this);
        }
    };

    var exec = Runtime.exec.overload('[Ljava.lang.String;');
    var exec1 = Runtime.exec.overload('java.lang.String');
    var exec2 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;');
    var exec3 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;');
    var exec4 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File');
    var exec5 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;', 'java.io.File');

    exec5.implementation = function(cmd, env, dir) {
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
            var fakeCmd = "grep";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "su") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "which") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass which command");
            return exec1.call(this, fakeCmd);
        }
        return exec5.call(this, cmd, env, dir);
    };

    exec4.implementation = function(cmdarr, env, file) {
        for (var i = 0; i < cmdarr.length; i = i + 1) {
            var tmp_cmd = cmdarr[i];
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
                var fakeCmd = "grep";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }

            if (tmp_cmd == "su") {
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }
        }
        return exec4.call(this, cmdarr, env, file);
    };

    exec3.implementation = function(cmdarr, envp) {
        for (var i = 0; i < cmdarr.length; i = i + 1) {
            var tmp_cmd = cmdarr[i];
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
                var fakeCmd = "grep";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }

            if (tmp_cmd == "su") {
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }
        }
        return exec3.call(this, cmdarr, envp);
    };

    exec2.implementation = function(cmd, env) {
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
            var fakeCmd = "grep";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "su") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        return exec2.call(this, cmd, env);
    };

    exec.implementation = function(cmd) {
        for (var i = 0; i < cmd.length; i = i + 1) {
            var tmp_cmd = cmd[i];
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
                var fakeCmd = "grep";
                send("Bypass " + cmd + " command");
                return exec1.call(this, fakeCmd);
            }

            if (tmp_cmd == "su") {
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
                send("Bypass " + cmd + " command");
                return exec1.call(this, fakeCmd);
            }
        }

        return exec.call(this, cmd);
    };

    exec1.implementation = function(cmd) {
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
            var fakeCmd = "grep";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "su") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        return exec1.call(this, cmd);
    };

    String.contains.implementation = function(name) {
        if (name == "test-keys") {
            send("Bypass test-keys check");
            return false;
        }
        return this.contains.call(this, name);
    };

    var get = SystemProperties.get.overload('java.lang.String');

    get.implementation = function(name) {
        if (RootPropertiesKeys.indexOf(name) != -1) {
            send("Bypass " + name);
            return RootProperties[name];
        }
        return this.get.call(this, name);
    };

    Interceptor.attach(Module.findExportByName("libc.so", "fopen"), {
        onEnter: function(args) {
            var path1 = Memory.readCString(args[0]);
            var path = path1.split("/");
            var executable = path[path.length - 1];
            var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1)
            if (shouldFakeReturn) {
                Memory.writeUtf8String(args[0], "/ggezxxx");
                send("Bypass native fopen >> "+path1);
            }
        },
        onLeave: function(retval) {

        }
    });

    Interceptor.attach(Module.findExportByName("libc.so", "fopen"), {
        onEnter: function(args) {
            var path1 = Memory.readCString(args[0]);
            var path = path1.split("/");
            var executable = path[path.length - 1];
            var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1)
            if (shouldFakeReturn) {
                Memory.writeUtf8String(args[0], "/ggezxxx");
                send("Bypass native fopen >> "+path1);
            }
        },
        onLeave: function(retval) {

        }
    });

    Interceptor.attach(Module.findExportByName("libc.so", "system"), {
        onEnter: function(args) {
            var cmd = Memory.readCString(args[0]);
            send("SYSTEM CMD: " + cmd);
            if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id") {
                send("Bypass native system: " + cmd);
                Memory.writeUtf8String(args[0], "grep");
            }
            if (cmd == "su") {
                send("Bypass native system: " + cmd);
                Memory.writeUtf8String(args[0], "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled");
            }
        },
        onLeave: function(retval) {

        }
    });

    /*
    TO IMPLEMENT:
    Exec Family
    int execl(const char *path, const char *arg0, ..., const char *argn, (char *)0);
    int execle(const char *path, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]);
    int execlp(const char *file, const char *arg0, ..., const char *argn, (char *)0);
    int execlpe(const char *file, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]);
    int execv(const char *path, char *const argv[]);
    int execve(const char *path, char *const argv[], char *const envp[]);
    int execvp(const char *file, char *const argv[]);
    int execvpe(const char *file, char *const argv[], char *const envp[]);
    */

    BufferedReader.readLine.overload().implementation = function() {
        var text = this.readLine.call(this);
        if (text === null) {
            // just pass , i know it's ugly as hell but test != null won't work :(
        } else {
            var shouldFakeRead = (text.indexOf("ro.build.tags=test-keys") > -1);
            if (shouldFakeRead) {
                send("Bypass build.prop file read");
                text = text.replace("ro.build.tags=test-keys", "ro.build.tags=release-keys");
            }
        }
        return text;
    };

    var executeCommand = ProcessBuilder.command.overload('java.util.List');

    ProcessBuilder.start.implementation = function() {
        var cmd = this.command.call(this);
        var shouldModifyCommand = false;
        for (var i = 0; i < cmd.size(); i = i + 1) {
            var tmp_cmd = cmd.get(i).toString();
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd.indexOf("mount") != -1 || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd.indexOf("id") != -1) {
                shouldModifyCommand = true;
            }
        }
        if (shouldModifyCommand) {
            send("Bypass ProcessBuilder " + cmd);
            this.command.call(this, ["grep"]);
            return this.start.call(this);
        }
        if (cmd.indexOf("su") != -1) {
            send("Bypass ProcessBuilder " + cmd);
            this.command.call(this, ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]);
            return this.start.call(this);
        }

        return this.start.call(this);
    };

    if (useProcessManager) {
        var ProcManExec = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File', 'boolean');
        var ProcManExecVariant = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.lang.String', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'boolean');

        ProcManExec.implementation = function(cmd, env, workdir, redirectstderr) {
            var fake_cmd = cmd;
            for (var i = 0; i < cmd.length; i = i + 1) {
                var tmp_cmd = cmd[i];
                if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") {
                    var fake_cmd = ["grep"];
                    send("Bypass " + cmdarr + " command");
                }

                if (tmp_cmd == "su") {
                    var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"];
                    send("Bypass " + cmdarr + " command");
                }
            }
            return ProcManExec.call(this, fake_cmd, env, workdir, redirectstderr);
        };

        ProcManExecVariant.implementation = function(cmd, env, directory, stdin, stdout, stderr, redirect) {
            var fake_cmd = cmd;
            for (var i = 0; i < cmd.length; i = i + 1) {
                var tmp_cmd = cmd[i];
                if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") {
                    var fake_cmd = ["grep"];
                    send("Bypass " + cmdarr + " command");
                }

                if (tmp_cmd == "su") {
                    var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"];
                    send("Bypass " + cmdarr + " command");
                }
            }
            return ProcManExecVariant.call(this, fake_cmd, env, directory, stdin, stdout, stderr, redirect);
        };
    }

    if (useKeyInfo) {
        KeyInfo.isInsideSecureHardware.implementation = function() {
            send("Bypass isInsideSecureHardware");
            return true;
        }
    }

});

Hook 强制主线程运行

Java.perform(function() {
    var Toast = Java.use('android.widget.Toast');
    var currentApplication = Java.use('android.app.ActivityThread').currentApplication(); 
    var context = currentApplication.getApplicationContext();

    var JavaString =Java.use("java.lang.String");
    var a = JavaString.$new("ABCDEFG");
    Java.scheduleOnMainThread(function() {
    	Toast.makeText(context, Java.cast(a, CharSequence), Toast.LENGTH_LONG.value).show();
    })
})

Hook Java exit禁止退出

function hookExit(){
    Java.perform(function(){
        console.log("[*] Starting hook exit");
        var exitClass = Java.use("java.lang.System");
        exitClass.exit.implementation = function(){
            console.log("[*] System.exit.called");
        }
        console.log("[*] hooking calls to System.exit");
    })
}

setImmediate(hookExit);

Hook 修改设备参数

修改了IMEI，IMSI，ANDROID_ID等一系列数据。

// frida hook 修改设备参数
Java.perform(function() {
  var TelephonyManager = Java.use("android.telephony.TelephonyManager");

    //IMEI hook
    TelephonyManager.getDeviceId.overload().implementation = function () {
               console.log("[*]Called - getDeviceId()");
               var temp = this.getDeviceId();
               console.log("real IMEI: "+temp);
               return "867979021642856";
    };
    // muti IMEI
    TelephonyManager.getDeviceId.overload('int').implementation = function (p) {
               console.log("[*]Called - getDeviceId(int) param is"+p);
               var temp = this.getDeviceId(p);
               console.log("real IMEI "+p+": "+temp);
               return "867979021642856";
    };

    //IMSI hook
  TelephonyManager.getSimSerialNumber.overload().implementation = function () {
               console.log("[*]Called - getSimSerialNumber(String)");
               var temp = this.getSimSerialNumber();
               console.log("real IMSI: "+temp);
               return "123456789";
    };
    //////////////////////////////////////

    //ANDOID_ID hook
    var Secure = Java.use("android.provider.Settings$Secure");
    Secure.getString.implementation = function (p1,p2) {
      if(p2.indexOf("android_id")<0) return this.getString(p1,p2);
      console.log("[*]Called - get android_ID, param is:"+p2);
      var temp = this.getString(p1,p2);
      console.log("real Android_ID: "+temp);
      return "844de23bfcf93801";

    }

    //android的hidden API，需要通过反射调用
    var SP = Java.use("android.os.SystemProperties");
    SP.get.overload('java.lang.String').implementation = function (p1) {
      var tmp = this.get(p1);
      console.log("[*]"+p1+" : "+tmp);

      return tmp;
    }
    SP.get.overload('java.lang.String', 'java.lang.String').implementation = function (p1,p2) {
      
      
      var tmp = this.get(p1,p2)
      console.log("[*]"+p1+","+p2+" : "+tmp);
      return tmp;
    } 
    // hook MAC
    var wifi = Java.use("android.net.wifi.WifiInfo");
    wifi.getMacAddress.implementation = function () {
      var tmp = this.getMacAddress();
      console.log("[*]real MAC: "+tmp);
      return tmp;
    }
  
})

Hook 打印调用栈

这里举了socket为例。用这个代码能够通过stacktrace跟踪上级调用这个socket的函数与类。

var class_Socket = Java.use("java.net.Socket");
class_Socket.getOutputStream.overload().implementation = function(){
    send("getOutputSteam");
    var result = this.getOutputStream();
    var bt = Java.use("android.util.Log").getStackTraceString(
        Java.use("java.lang.Exception").$new();
    )
    console.log("Backtrace:" + bt);
    send(result);
    return result;
}

Hook UI注入

说白话就是能强制调用Toast等UI显示类：

Java.perform(function() {
    var Toast = Java.use('android.widget.Toast');
    var currentApplication = Java.use('android.app.ActivityThread').currentApplication(); 
    var context = currentApplication.getApplicationContext();

    var JavaString =Java.use("java.lang.String");
    var a = JavaString.$new("ABCDEFG");
    Java.scheduleOnMainThread(function() {
    	Toast.makeText(context, Java.cast(a, CharSequence), Toast.LENGTH_LONG.value).show();
    })
})

Universal antidebug

说是Universal，但应该不保真。

Frida CodeShare

1	frida --codeshare meerkati/universal-android-debugging-bypass -f YOUR_BINARY

代码：

/*
    frida --codeshare meerkati/universal-android-debugging-bypass -f YOUR_BINARY
    Universal Android Debugging Bypass frida script v0.1
    
    Useful when bypassing USB debugging detection on Android!
    If it doesn't work, remove the conditional statement
    
*/

setTimeout(function() {
    Java.perform(function() {
        var androidSettings = ['adb_enabled'];
        var sdkVersion = Java.use('android.os.Build$VERSION');
        console.log("SDK Version : " + sdkVersion.SDK_INT.value);

        /* API 16 or lower Settings.Global Hook */
        if (sdkVersion.SDK_INT.value <= 16) {
            var settingSecure = Java.use('android.provider.Settings$Secure');

            settingSecure.getInt.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingSecure.getInt(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Secure.getInt(cr, name) Bypassed');
                    return 0;
                }
                var ret = this.getInt(cr, name);
                return ret;
            }

            settingSecure.getInt.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function(cr, name, def) {
                //console.log("[*]settingSecure.getInt(cr,name,def) : " + name);
                if (name == (androidSettings[0])) {
                    console.log('[+]Secure.getInt(cr, name, def) Bypassed');
                    return 0;
                }
                var ret = this.getInt(cr, name, def);
                return ret;
            }

            settingSecure.getFloat.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingSecure.getFloat(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Secure.getFloat(cr, name) Bypassed');
                    return 0;
                }
                var ret = this.getFloat(cr, name)
                return ret;
            }

            settingSecure.getFloat.overload('android.content.ContentResolver', 'java.lang.String', 'float').implementation = function(cr, name, def) {
                //console.log("[*]settingSecure.getFloat(cr,name,def) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Secure.getFloat(cr, name, def) Bypassed');
                    return 0;
                }
                var ret = this.getFloat(cr, name, def);
                return ret;
            }

            settingSecure.getLong.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingSecure.getLong(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Secure.getLong(cr, name) Bypassed');
                    return 0;
                }
                var ret = this.getLong(cr, name)
                return ret;
            }

            settingSecure.getLong.overload('android.content.ContentResolver', 'java.lang.String', 'long').implementation = function(cr, name, def) {
                //console.log("[*]settingSecure.getLong(cr,name,def) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Secure.getLong(cr, name, def) Bypassed');
                    return 0;
                }
                var ret = this.getLong(cr, name, def);
                return ret;
            }

            settingSecure.getString.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingSecure.getString(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    var stringClass = Java.use("java.lang.String");
                    var stringInstance = stringClass.$new("0");

                    console.log('[+]Secure.getString(cr, name) Bypassed');
                    return stringInstance;
                }
                var ret = this.getString(cr, name);
                return ret;
            }
        }

        /* API 17 or higher Settings.Global Hook */
        if (sdkVersion.SDK_INT.value >= 17) {
            var settingGlobal = Java.use('android.provider.Settings$Global');

            settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingGlobal.getInt(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Global.getInt(cr, name) Bypassed');
                    return 0;
                }
                var ret = this.getInt(cr, name);
                return ret;
            }

            settingGlobal.getInt.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function(cr, name, def) {
                //console.log("[*]settingGlobal.getInt(cr,name,def) : " + name);
                if (name == (androidSettings[0])) {
                    console.log('[+]Global.getInt(cr, name, def) Bypassed');
                    return 0;
                }
                var ret = this.getInt(cr, name, def);
                return ret;
            }

            settingGlobal.getFloat.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingGlobal.getFloat(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Global.getFloat(cr, name) Bypassed');
                    return 0;
                }
                var ret = this.getFloat(cr, name);
                return ret;
            }

            settingGlobal.getFloat.overload('android.content.ContentResolver', 'java.lang.String', 'float').implementation = function(cr, name, def) {
                //console.log("[*]settingGlobal.getFloat(cr,name,def) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Global.getFloat(cr, name, def) Bypassed');
                    return 0;
                }
                var ret = this.getFloat(cr, name, def);
                return ret;
            }

            settingGlobal.getLong.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingGlobal.getLong(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Global.getLong(cr, name) Bypassed');
                    return 0;
                }
                var ret = this.getLong(cr, name);
                return ret;
            }

            settingGlobal.getLong.overload('android.content.ContentResolver', 'java.lang.String', 'long').implementation = function(cr, name, def) {
                //console.log("[*]settingGlobal.getLong(cr,name,def) : " + name);
                if (name == androidSettings[0]) {
                    console.log('[+]Global.getLong(cr, name, def) Bypassed');
                    return 0;
                }
                var ret = this.getLong(cr, name, def);
                return ret;
            }

            settingGlobal.getString.overload('android.content.ContentResolver', 'java.lang.String').implementation = function(cr, name) {
                //console.log("[*]settingGlobal.getString(cr,name) : " + name);
                if (name == androidSettings[0]) {
                    var stringClass = Java.use("java.lang.String");
                    var stringInstance = stringClass.$new("0");

                    console.log('[+]Global.getString(cr, name) Bypassed');
                    return stringInstance;
                }
                var ret = this.getString(cr, name);
                return ret;
            }
        }
    });
}, 0);

Bypass Android Debug mode

setTimeout(function() {
    Java.perform(function() {
        console.log("");
        console.log("[.] Debug check bypass");

        var Debug = Java.use('android.os.Debug');
        Debug.isDebuggerConnected.implementation = function() {
            //console.log('isDebuggerConnected Bypassed !');
            return false;
        }


    });
}, 0);

Native Hook

Hook so导出函数模板⭐

function hookNativeFun(callback, funName, moduleName) {
    /*
    @callback: Hook函数
    @funcName: 导出函数名称
    @moduleName: 导出函数所在模块
    */
    var time = 1000;
    moduleName = moduleName || null;
    if (!(callback && callback.onEnter && callback.onLeave)) {
        console.log("callback error");
        return
    }
    var address = Module.findExportByName(moduleName, funName);
    if (address == null) {
        // 非常好的思路，如果模块还没加载进来的话，就缓冲1000ms等待下一次Hook尝试
        setTimeout(hookNativeFun, time, callback, funName, moduleName);
    } else {
        console.log(funName + " hook ok")
        var nativePointer = new NativePointer(address);
        Interceptor.attach(nativePointer, callback);
    }
}

寻找模块基址

jscode = """
send("Start Run....");
function StartHook(){
    send("in start hook function..");
    var hook_base = Module.findBaseAddress("xxxxx.so");
    if(null == hook_base || hook_base < 0)
    {
        setTimeout(StartHook, 500);
        return;
    }
     
    send("base : "+hook_base);
// ..................
    }); 
}
 
setTimeout(StartHook, 0);
"""

Hook未导出Native函数（指定地址）

Java.perform(function(){
    function get_func_by_offset(module_name,offset){
        module=Process.getModuleByName(module_name)
        addr=module.base.add(offset);
        console.log("moduleName:"+module_name+",addr:"+addr.toString());
        return new NativePointer(addr.toString());
    }

    function attach(){
        //0x1A05AC是偏移地址，xxxx.so是要hook的so名称
        //合起来就是要hook哪个so里面偏移地址是多少的函数
        var func = get_func_by_offset("xxxx.so",0x1A05AC);
        console.log('[+] hook '+func.toString())
        Interceptor.attach(func, {
            onEnter: function (args) { 
                console.log('**********************')
                //在方法执行前需要修改的逻辑写在此处
            },
            onLeave: function (retval) {
                //在方法执行后，如果需要修改返回值则写在此处，参考retval.replace()
            }
        });
    }
    //调用函数
    attach()
}

Hook registerNative

有的so不直接在导出表里面导出函数，而是后面用这个API去动态注册。因此Hook这个函数来获得某个so真正想要导出的函数名和地址。

function hook_libart() {
    var module_libart = Process.findModuleByName("libart.so");
    var symbols = module_libart.enumerateSymbols();     //枚举模块的符号
 
    var addr_GetStringUTFChars = null;
    var addr_FindClass = null;
    var addr_GetStaticFieldID = null;
    var addr_SetStaticIntField = null;
    var addr_RegisterNatives = null;        
 
    for (var i = 0; i < symbols.length; i++) {
        var name = symbols[i].name;
        if (name.indexOf("art") >= 0) {//动态获取各个函数的地址
            if ((name.indexOf("CheckJNI") == -1) && (name.indexOf("JNI") >= 0)) {
                if (name.indexOf("GetStringUTFChars") >= 0) {
                    console.log(name);
                    addr_GetStringUTFChars = symbols[i].address;
                } else if (name.indexOf("FindClass") >= 0) {
                    console.log(name);
                    addr_FindClass = symbols[i].address;
                } else if (name.indexOf("GetStaticFieldID") >= 0) {
                    console.log(name);
                    addr_GetStaticFieldID = symbols[i].address;
                } else if (name.indexOf("SetStaticIntField") >= 0) {
                    console.log(name);
                    addr_SetStaticIntField = symbols[i].address;
                } else if (name.indexOf("RegisterNatives") >= 0) {
                    console.log(name);
                    addr_RegisterNatives = symbols[i].address;
                }
            }
        }
    }
 
    if (addr_RegisterNatives) {
        Interceptor.attach(addr_RegisterNatives, {
            onEnter: function (args) {
                console.log("addr_RegisterNatives:", hexdump(args[2]));    //打印第三个参数，也就是java和native映射的数组首地址
                console.log("addr_RegisterNatives name:", ptr(args[2]).readPointer().readCString())//java层函数名称
                console.log("addr_RegisterNatives sig:", ptr(args[2]).add(Process.pointerSize).readPointer().readCString());//函数参数
                console.log("addr_RegisterNatives addr:", ptr(args[2]).add(Process.pointerSize+Process.pointerSize));//native函数入口地址
            }, onLeave: function (retval) {
 
            }
        });
    }
}

注意：因为一个jni函数注册只调用一次registerNative，所以这里建议用frida -U -f com.xxxx.xxxx -l xxxx.js命令注入js，同时启动目标app；如果人为开启目标app，再运行frida，可能regiserNative函数已经执行过了！

Inline Hook

this.context.x13打印此地址时的寄存器值，和调试器很像了。

//刚注入的时候这个so还没加载，需要hook dlopen
function inline_hook() {
    var base_hello_jni = Module.findBaseAddress("libxxxx.so");
    console.log("base_hello_jni:", base_hello_jni);
    if (base_hello_jni) {
        console.log(base_hello_jni);
        //inline hook
        var addr_07320 = base_hello_jni.add(0x07320);//指令执行的地址，不是变量所在的栈或堆
        Interceptor.attach(addr_07320, {
            onEnter: function (args) {
                console.log("addr_07320 x13:", this.context.x13);//注意这里是怎么得到寄存器值的
            }, onLeave: function (retval) {
            }
        });
    }
}

Hook dlopen 打印并Hook刚刚加载完的so⭐⭐⭐

可以与Android逆向-Native调试init，init-array，JNI-Onload段结合。

这个方法只能在.init与.init_array被执行后去Hook。如果想要在.init段执行之前，需要更细节的操作。

this.context.xxx寄存器

~~不过说来高版本frida有了Module.load()，可能就不需要这样麻烦的加载so了~~

//刚注入的时候这个so还没加载，需要hook dlopen
function inline_hook() {
    var base_hello_jni = Module.findBaseAddress("libxxxx.so");
    console.log("base_hello_jni:", base_hello_jni);
    if (base_hello_jni) {
        console.log(base_hello_jni);
        //inline hook
        var addr_07320 = base_hello_jni.add(0x07320);//指令执行的地址，不是变量所在的栈或堆
        Interceptor.attach(addr_07320, {
            onEnter: function (args) {
                console.log("addr_07320 x13:", this.context.x13);//注意这里是怎么得到寄存器值的
            }, onLeave: function (retval) {
            }
        });
    }
}
 
//8.0以下所有的so加载都通过dlopen
function hook_dlopen() {
    var dlopen = Module.findExportByName(null, "dlopen");
    Interceptor.attach(dlopen, {
        onEnter: function (args) {
            this.call_hook = false;
            var so_name = ptr(args[0]).readCString();
            console.log("dlopen:", so_name);
            // if (so_name.indexOf("libxxxx.so") >= 0) {
            //     console.log("dlopen:", ptr(args[0]).readCString());
            //     this.call_hook = true;//dlopen函数找到了
            // }
 
        }, onLeave: function (retval) {
            if (this.call_hook) {//dlopen函数找到了就hook so
                // inline_hook();
            }
        }
    });
    // 高版本Android系统使用android_dlopen_ext
    var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
    Interceptor.attach(android_dlopen_ext, {
        onEnter: function (args) {
            this.call_hook = false;
            var so_name = ptr(args[0]).readCString();
            console.log("dlopen:", so_name);
            // if (so_name.indexOf("libhxxxx.so") >= 0) {
            //     console.log("android_dlopen_ext:", ptr(args[0]).readCString());
            //     this.call_hook = true;
            // }
 
        }, onLeave: function (retval) {
            if (this.call_hook) {
                // inline_hook();
            }
        }
    });
}

setImmediate(hook_dlopen, 0);

测试结果：（也必须在刚刚打开APP的时候Hook上去）

dlopen: /data/app/~~gdw57-wVrIhpUjCSB8JIeA==/com.example.hookinunidbg-m7RhT-gNYVLxau89hcsDig==/oat/arm/base.odex
dlopen: libframework-connectivity-jni.so
dlopen: libandroid.so
dlopen: /data/app/~~gdw57-wVrIhpUjCSB8JIeA==/com.example.hookinunidbg-m7RhT-gNYVLxau89hcsDig==/lib/arm/libhookinunidbg.so
dlopen: /vendor/lib/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: /vendor/lib/hw/gralloc.lito.so
dlopen: libadreno_app_profiles.so
dlopen: libEGL_adreno.so
dlopen: /vendor/lib/hw/android.hardware.graphics.mapper@4.0-impl-qti-display.so
dlopen: libadreno_utils.so
dlopen: libandroid.so

Hook JNI API函数

在Java/调用JNI native API（创建JNI对象）⭐中，可以获取JNIEenv对象然后调用JNI函数。但是这只是调用，并不能Hook JNI函数。下面提供一个可能可行的思路，即直接获得env的handle地址，然后+offset拿到函数地址，再直接替换。

newStringUTF（没测试）

function hook_native_newString() {
    var env = Java.vm.getEnv();
    var handlePointer = Memory.readPointer(env.handle);
    dmLogout("env handle: " + handlePointer);
    var NewStringUTFPtr = Memory.readPointer(handlePointer.add(0x29C));
    dmLogout("NewStringUTFPtr addr: " + NewStringUTFPtr);
    Interceptor.attach(NewStringUTFPtr, {
        onEnter: function (args) {
            ...
        }
    });
}

getStringUTFChars（没测试）

function hook_native_GetStringUTFChars() {
    var env = Java.vm.getEnv();
    var handlePointer = Memory.readPointer(env.handle);
    dmLogout("env handle: " + handlePointer);
    var GetStringUTFCharsPtr = Memory.readPointer(handlePointer.add(0x2A4));
    dmLogout("GetStringUTFCharsPtr addr: " + GetStringUTFCharsPtr);
    Interceptor.attach(GetStringUTFCharsPtr, {
        onEnter: function (args) {
            var str = "";
            Java.perform(function () {
                str = Java.cast(args[1], Java.use('java.lang.String'));
            });
            dmLogout("GetStringUTFChars: " + str);
            if (str.indexOf("linkData:") > -1) {    // 设置过滤条件
                dmLogout("========== found linkData LR: " + this.context.lr + "  ==========");
            }
        }
    });
};

Hook init/init_array⭐

在另外一个blog里。

类型转换

主要是用于输入输出的。

如果漏了什么，看#43：

分类: frida | 凡墙总是门 (kevinspider.github.io)

frida打印与参数构造 - Runope丶 - 博客园 (cnblogs.com)

Java2Frida

`java type`	`frida type`
`int`	`int`
`float`	`float`
`boolean`	`boolean`
`string`	`java.lang.String`
`byte array`	`[B`

array

`java type`	`so type`
`int`	`I`
`float`	`F`
`boolean`	`Z`
`string`	`java.lang.String`
`byte`	`B`
`long`	`J`
`short`	`S`
`double`	`D`
`char`	`C`

在Frida中用[表示数组。例如是int类型的数组，写法为：[I如果是String类型的数组，则写法为： [java.lang.String;

注意：后面还有个;号

具体怎么创建的话可以看参数构造一节，提供了Java.array方法。

jstring，jbyteArray输出（JNI）

主要是用于与JNI对象交互的。转换为Java对象，与Java层的东西交互。

function jstring2Str(jstring) {
   var ret;
   Java.perform(function() {
       var String = Java.use("java.lang.String");
       ret = Java.cast(jstring, String);
   });
   return ret;
}
 
function jbyteArray2Array(jbyteArray) {
   var ret;
   Java.perform(function() {
       var b = Java.use('[B');
       var buffer = Java.cast(jbyteArray, b);
       ret = Java.array('byte', buffer);
   });
   return ret;
}

Java Array 2 Hex string打印

主要是格式化打印Javascript的bytes对象的。

function bytes2hex(arr) {
    var str = "[";
    for (var i = 0; i < arr.length; i++) {
        var z = parseInt(arr[i]);
        if (z < 0) z = 255 + z;
        var tmp = z.toString(16);
        if (tmp.length == 1) {
            tmp = "0" + tmp;
        }
        str = str + " " + tmp;
    }
    return (str + " ]").toUpperCase();
}

举个例子：

var b = new Uint8Array([0x41, 0x42, 0x43]);

bytes2hex(b)
// '[ 41 42 43 ]'

Js Str 2 Js Bytes

function string2Bytes(str) {
    var bytes = new Array();
    var len, c;
    len = str.length;
    for(var i = 0; i < len; i++) {
        c = str.charCodeAt(i);
        if(c >= 0x010000 && c <= 0x10FFFF) {
            bytes.push(((c >> 18) & 0x07) | 0xF0);
            bytes.push(((c >> 12) & 0x3F) | 0x80);
            bytes.push(((c >> 6) & 0x3F) | 0x80);
            bytes.push((c & 0x3F) | 0x80);
        } else if(c >= 0x000800 && c <= 0x00FFFF) {
            bytes.push(((c >> 12) & 0x0F) | 0xE0);
            bytes.push(((c >> 6) & 0x3F) | 0x80);
            bytes.push((c & 0x3F) | 0x80);
        } else if(c >= 0x000080 && c <= 0x0007FF) {
            bytes.push(((c >> 6) & 0x1F) | 0xC0);
            bytes.push((c & 0x3F) | 0x80);
        } else {
            bytes.push(c & 0xFF);
        }
    }
    return bytes;
}

举例：

string2Bytes("aaa124123242")
[
    97,
    97,
    97,
    49,
    50,
    52,
    49,
    50,
    51,
    50,
    52,
    50
]

Js Bytes 2 Js Str

function bytes2String(arr) {
    if(typeof arr === 'string') {
        return arr;
    }
    var str = '',
        _arr = arr;
    for(var i = 0; i < _arr.length; i++) {
        var one = _arr[i].toString(2),
            v = one.match(/^1+?(?=0)/);
        if(v && one.length == 8) {
            var bytesLength = v[0].length;
            var store = _arr[i].toString(2).slice(7 - bytesLength);
            for(var st = 1; st < bytesLength; st++) {
                store += _arr[st + i].toString(2).slice(2);
            }
            try {
                str += String.fromCharCode(parseInt(store, 2));
            } catch (error) {
                str += parseInt(store, 2).toString(); 
                console.log(error);
            }
            i += bytesLength - 1;
        } else {
            try {
                str += String.fromCharCode(_arr[i]);
            } catch (error) {
                str += parseInt(store, 2).toString(); 
                console.log(error);
            }
        }
    }
    return str;
}

举例：

1
2
3

var d = [1,2,3, 0x41, 0x42 , 0x1234]
bytes2String(d)
"\u0001\u0002\u0003AB\u1234"

Js Bytes 2 Base64

function bytes2Base64(e) {
    var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    var r, a, c, h, o, t;
    for (c = e.length, a = 0, r = ''; a < c;) {
        if (h = 255 & e[a++], a == c) {
            r += base64EncodeChars.charAt(h >> 2),
                r += base64EncodeChars.charAt((3 & h) << 4),
                r += '==';
            break
        }
        if (o = e[a++], a == c) {
            r += base64EncodeChars.charAt(h >> 2),
                r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
                r += base64EncodeChars.charAt((15 & o) << 2),
                r += '=';
            break
        }
        t = e[a++],
            r += base64EncodeChars.charAt(h >> 2),
            r += base64EncodeChars.charAt((3 & h) << 4 | (240 & o) >> 4),
            r += base64EncodeChars.charAt((15 & o) << 2 | (192 & t) >> 6),
            r += base64EncodeChars.charAt(63 & t)
    }
    return r
}

举例：

c = [
    97,
    97,
    97,
    49,
    50,
    52,
    49,
    50,
    51,
    50,
    52,
    50
]
bytes2Base64(c)
"YWFhMTI0MTIzMjQy"

Base64 2 Js Bytes

function base64ToBytes(e) {
    var r, a, c, h, o, t, d;
    for (t = e.length, o = 0, d = []; o < t;) {
        do
            r = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && r == -1);
        if (r == -1)
            break;
        do
            a = base64DecodeChars[255 & e.charCodeAt(o++)];
        while (o < t && a == -1);
        if (a == -1)
            break;
        d.push(r << 2 | (48 & a) >> 4);
        do {
            if (c = 255 & e.charCodeAt(o++), 61 == c)
                return d;
            c = base64DecodeChars[c]
        } while (o < t && c == -1);
        if (c == -1)
            break;
        d.push((15 & a) << 4 | (60 & c) >> 2);
        do {
            if (h = 255 & e.charCodeAt(o++), 61 == h)
                return d;
            h = base64DecodeChars[h]
        } while (o < t && h == -1);
        if (h == -1)
            break;
        d.push((3 & c) << 6 | h)
    }
    return d
}

JNI jobject 2 Js Str（JSON化）

将JNI的jobject序列化

function jobj2Str(jobject) {
    var ret = JSON.stringify(jobject);
    return ret;
}

举例：

var jstr = Java.vm.getEnv().newStringUtf("aaaaa");
a = jstring2Str(jstr);
a.toCharArray();
/*
[
    "a",
    "a",
    "a",
    "a",
    "a"
]
*/

ArrayBuffer 输出

ArrayBuffer是JavaScript对象。

function ab2Hex(buffer) {
    var arr = Array.prototype.map.call(new Uint8Array(buffer), function (x) {return ('00' + x.toString(16)).slice(-2)}).join(" ").toUpperCase();
    return "[" + arr + "]";
}
 
function ab2Str(buffer) {
    return String.fromCharCode.apply(null, new Uint8Array(buffer));
}

举例：

// 创建一个长度为 3 字节的 ArrayBuffer
var buffer = new ArrayBuffer(3);

// 获取 ArrayBuffer 对应的 Uint8Array 视图
var view = new Uint8Array(buffer);

// 写入字节数据
view[0] = 0x31;
view[1] = 0x32;
view[2] = 0x33;

ab2Hex(buffer)
// "[31 32 33]"
ab2Str(buffer)
// "123"

Hexdump

var libc = Module.findBaseAddress('libc.so');
console.log(hexdump(libc, {
  offset: 0,
  length: 64,
  header: true,
  ansi: true
}));
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00  .ELF............
00000010  03 00 28 00 01 00 00 00 00 00 00 00 34 00 00 00  ..(.........4...
00000020  34 a8 04 00 00 00 00 05 34 00 20 00 08 00 28 00  4.......4. ...(.
00000030  1e 00 1d 00 06 00 00 00 34 00 00 00 34 00 00 00  ........4...4...

Java String 2 Java Byte Array

1	var javaBytes = Java.use('java.lang.String').$new("aaaaa").getBytes();

Java Byte Array 2 Java Object

1	var javaBytesClass = Java.cast(javaBytes, Java.use('java.lang.Object')).getClass();

Js Array 2 Java Array

// 使用 Java.array 把 js array 转成 java Object array
var params = [
    Java.use('java.lang.String').$new('str1'),
    Java.use('java.lang.String').$new('str2'),
    Java.use('java.lang.Boolean').$new(false),
    Java.use('java.lang.Integer').$new(0)
];
var ps = Java.array('Ljava.lang.Object;', params);

Java Map 2 Js Map

将 Java 中的 Map 对象转换为 JavaScript 中的对象

function getMapData(mapSet) {
    try {
        var result = {};
        var key_set = mapSet.keySet();
        var it = key_set.iterator();
        while (it.hasNext()) {
            var key_str = it.next().toString();
            result[key_str] = mapSet.get(key_str).toString();
        }
        return result
    } catch (error) {
        return mapSet
    }
}

举例：

var cHashMap = Java.use('java.util.HashMap');
var m = cHashMap.$new();
m.put("key1", "val1");
m.put("key2", "val2");
console.log(m)

getMapData(m);
/*
{
    "key1": "val1",
    "key2": "val2"
}
*/

Js Bytes 2 Java Bytes

可行的方法：ArrayBuffer–>Uint8Array–>Java.array

let file = new File("/data/local/tmp/a.enc", "rb")
var data = file.readBytes();
var data2 = new Uint8Array(data);
var a0 = Java.array('byte', data2);

Java Bytes 2 Js Bytes

调用了Java方法，返回了一个Java的bytes[]对象后，得转化成Js对象输出。

可行的方法：Java bytes[]–>Uint8Array

这是一个例子：

var b = AES256JNCryptor_obj.decryptData(a0, a1);
console.log(typeof b[0])	// number
var arr = new Uint8Array(b);
console.log(arr[0]);	// 60

var newf = new File("/data/data/com.littlelabs.themartian/a.dec", "wb");
newf.write(arr);
newf.flush();
newf.close();

实用函数

这一节主要用于记录通用模板函数。一般不需要修改，功能也复杂，直接套用即可。

获取正在执行的方法名

这个函数用于获取当前进程正在执行的方法的名称。通过使用Java反射机制，并结合Frida提供的Java.perform方法，可以在运行时动态获取当前方法的名称。

在函数内部，通过JavaThread.currentThread().getStackTrace()[2].getMethodName()这一行代码，获取了当前线程的调用栈，并从中获取了正在执行的方法的名称。通过使用索引2，可以获取调用栈中的第三个元素，即调用getMethodName函数的方法。

需要注意的是，由于Frida的Java.perform方法是异步执行的，获取到的方法名称可能需要一些时间才能返回。此外，这个函数只能获取当前线程正在执行的方法的名称，并不能获取其他线程的方法名称。

function getCurrMethodName() {
    var ret;
    Java.perform(function() {
        var JavaThread = Java.use("java.lang.Thread");
        var StackTrace = JavaThread.currentThread().getStackTrace();
        if(StackTrace.length > 2) {
            // [0]: getThreadStackTrace
            // [1]: getStackTrace
            ret = StackTrace[2].getMethodName();
        } else {
            ret = "None"
        }
    });
    return ret;
}

打印堆栈

按理来说应该会打印堆栈，但是我测试的时候没啥效果，可能是因为现在没有执行任何方法吧。

function showStacks() {
    Java.perform(function() {
		console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
    });
}

如果不起效果，可以尝试上面获取正在执行的方法名的JavaThread.currentThread().getStackTrace()。

枚举Java类所有方法名

传入的targetClass是类名字符串。

function enumMethods(targetClass) {
    var ret;
    Java.perform(function() {
            var hook = Java.use(targetClass);
            var ret = hook.class.getDeclaredMethods();
            ret.forEach(function(s) {
                console.log("enum:", s);
            })
    })
    return ret;
}

用Objection可以达到同样的效果。

枚举Java类

Java.enumerateLoadedClasses

function enumClass() {
    Java.perform(function () {
        if(Java.available)
        {
            //console.log("",Java.androidVersion);
            //枚举当前加载的所有类
            Java.enumerateLoadedClasses({
                //每一次回调此函数时其参数className就是类的信息
                onMatch: function (className)
                {
                    //输出类字符串
                	if(typeof className === 'string' && className.includes("my_activity")) {
                           console.log("",className);
               		}

                },
                //枚举完毕所有类之后的回调函数
                onComplete: function ()
                {
                    //输出类字符串
                    console.log("输出完毕");
                }
            });
        }else{
            console.log("error");
        }
    });
}       
setImmediate(enumClass,0);

它还有一个好兄弟 Java.enumerateLoadedClassesSync()，它返回的是一个数组。

Java.choose好像都行：

function enumPrint(){
    Java.perform(function(){
        Java.choose("com.r0ysue.a0526printout.Signal",{
            onComplete: function(){},
            onMatch: function(instance){
                console.log('find it ,',instance);
                console.log(instance.class.getName());
            }
        })
    })
}

获取类型⭐

很好用的函数，可以用于判断参数，变量，对象的类型。

1
2
3

function getParamType(obj) {
    return obj == null ? String(obj) : Object.prototype.toString.call(obj).replace(/\[object\s+(\w+)\]/i, "$1") || "object";
}

打印指定地址的C字符串

function print_string(addr) {
    var base_hello_jni = Module.findBaseAddress("libxxxx.so");
    var addr_str = base_hello_jni.add(addr);
    console.log("addr:", addr, " ", ptr(addr_str).readCString());
}

反汇编

function dis(address, number) {
    var addr_ptr = ptr(address);
    for (var i = 0; i < number; i++) {
        var ins = Instruction.parse(addr_ptr);
        console.log("address:" + addr_ptr + "--dis:" + ins.toString());
        address = ins.next;
    }
}

封装log函数加入线程ID 和时间

function getFormatDate() {
    var date = new Date();
    var month = date.getMonth() + 1;
    var strDate = date.getDate();
    if (month >= 1 && month <= 9) {
        month = "0" + month;
    }
    if (strDate >= 0 && strDate <= 9) {
        strDate = "0" + strDate;
    }
    var currentDate = date.getFullYear() + "-" + month + "-" + strDate
            + " " + date.getHours() + ":" + date.getMinutes() + ":" + date.getSeconds();
    return currentDate;
}

function dmLogout(str) {
    var threadid = Process.getCurrentThreadId();
    console.log("["+threadid+"][" + getFormatDate() + "]" + str);
}

sleep

function sleep(numberMillis) {
    var now = new Date();
    var exitTime = now.getTime() + numberMillis;
    while (true) {
        now = new Date();
        if (now.getTime() > exitTime)
            return;
    }
}

// 毫秒级别
sleep(1000)

遍历实例对象的方法，成员变量

function main(){
    Java.perform(function(){
        var Class = Java.use("java.lang.Class");
        
        function inspectObject(obj){
            var obj_class = Java.cast(obj.getClass(), Class);
            var fields = obj_class.getDeclaredFields();
            var methods = obj_class.getMethods();
            console.log("Inspectiong " + obj.getClass().toString());
            console.log("\t Fields:")
            for (var i in fields){
                console.log("\t\t" + fields[i].toString());
            }
            console.log("\t Methods:")
            for (var i in methods){
                console.log("\t\t" + methods[i].toString())
            }
        }

        Java.choose("com.example.a11x256.frida_test.my_activity",{
            onComplete: function(){
                console.log("complete!");
                
            },
            onMatch: function(instance){
                console.log("find instance", instance);
                inspectObject(instance);
            }
        })
    })
}

setImmediate(main)

Process

枚举进程中的线程

function enumThreads() {
    Java.perform(function () {
       var enumerateThreads =  Process.enumerateThreads();
       for(var i = 0; i < enumerateThreads.length; i++) {
        console.log("");
        console.log("id:",enumerateThreads[i].id);
        console.log("state:",enumerateThreads[i].state);
        console.log("context:",JSON.stringify(enumerateThreads[i].context));
        }
    });
}
setImmediate(enumThreads,0);

获取线程ID

1	Process.getCurrentThreadId() // 获取此线程的操作系统特定 ID 作为数字

枚举进程模块

var mods = Process.enumerateModules()
mods.forEach((mod)=>{
    console.log(mod.name);
    console.log(mod.base);
})

获取模块

1	Process.findModuleByName(module_name)

Module

获取模块信息

function frida_Module() {
    Java.perform(function () {
         //参数为so的名称 返回一个Module对象
         const hooks = Module.load('libhello.so');
         //输出
         console.log("模块名称:",hooks.name);
         console.log("模块地址:",hooks.base);
         console.log("大小:",hooks.size);
         console.log("文件系统路径",hooks.path);
    });
}
setImmediate(frida_Module,0);

/*
输出如下：
模块名称: libhello.so
模块地址: 0xdf2d3000
大小: 24576
文件系统路径 /data/app/com.roysue.roysueapplication-7adQZoYIyp5t3G5Ef5wevQ==/lib/arm/libhello.so
*/

枚举模块导入函数

function enumImport(moduleName) {
    Java.perform(function () {
        const hooks = Module.load(moduleName);
        var Imports = hooks.enumerateImports();
        for(var i = 0; i < Imports.length; i++) {
            //函数类型
            console.log("type:",Imports[i].type);
            //函数名称
            console.log("name:",Imports[i].name);
            //属于的模块
            console.log("module:",Imports[i].module);
            //函数地址
            console.log("address:",Imports[i].address);
         }
    });
}
setImmediate(enumImport, "libhookinunidbg.so");

/*
输出如下：
[Google Pixel::com.roysue.roysueapplication]-> type: function
name: __cxa_atexit
module: /system/lib/libc.so
address: 0xf58f4521
type: function
name: __cxa_finalize
module: /system/lib/libc.so
address: 0xf58f462d                                                                                                                                           
type: function
name: __stack_chk_fail
module: /system/lib/libc.so
address: 0xf58e2681
...
*/

枚举模块导出函数

function enumExports(moduleName) {
    Java.perform(function () {
        const hooks = Module.load(moduleName);
        var Exports = hooks.enumerateExports();
        for(var i = 0; i < Exports.length; i++) {
            //函数类型
            console.log("type:",Exports[i].type);
            //函数名称
            console.log("name:",Exports[i].name);
            //函数地址
            console.log("address:",Exports[i].address);
         }
    });
}
setImmediate(enumExports, "libhookinunidbg.so");

/*
输出如下：
[Google Pixel::com.roysue.roysueapplication]-> type: function
name: Java_com_roysue_roysueapplication_hellojni_getSum
address: 0xdf2d411b
type: function
name: unw_save_vfp_as_X
address: 0xdf2d4c43
type: function
address: 0xdf2d4209
type: function
...
*/

枚举模块符号

function enumSymbols(moduleName) {
    Java.perform(function () {
        const hooks = Module.load(moduleName);
        var sym = hooks.enumerateSymbols();
        for(var i = 0; i < sym.length; i++) {
            console.log("isGlobal:",sym[i].isGlobal);
            console.log("type:",sym[i].type);
            console.log("section:",JSON.stringify(sym[i].section));
            console.log("name:",sym[i].name);
            console.log("address:",sym[i].address);
         }
    });
}
setImmediate(enumSymbols, "libhookinunidbg.so");

/*
输出如下：
isGlobal: true
type: function
section: {"id":"13.text","protection":"r-x"}
name: _Unwind_GetRegionStart
address: 0xf591c798
isGlobal: true
type: function
section: {"id":"13.text","protection":"r-x"}
name: _Unwind_GetTextRelBase
address: 0xf591c7cc
...
*/

获取模块基地址

在很多代码片段里面都用到了。

1	var baseAddr = Module.findBaseAddress("libnative-lib.so");

获取导出函数地址

1	Module.findExportByName("libc.so", "strcmp");

获取非导出函数地址

1 2	var soAddr = Module.findBaseAddress("libnative-lib.so"); var FuncAddr = soAddr.add(0x1768 + 1);

Memory

内存复制

function frida_Memory() {
    Java.perform(function () {
        //获取so模块的Module对象
        var module = Process.findModuleByName("libhello.so"); 
        //条件
        var pattern = "03 49 ?? 50 20 44";
        //搜字符串 只是为了将so的内存数据复制出来 方便演示~
        var scanSync = Memory.scanSync(module.base, module.size, pattern);
        //申请一个内存空间大小为10个字节
        const r = Memory.alloc(10);
        //复制以module.base地址开始的10个字节 那肯定会是7F 45 4C 46...因为一个ELF文件的Magic属性如此。
        Memory.copy(r,module.base,10);
        console.log(hexdump(r, {
            offset: 0,
            length: 10,
            header: true,
            ansi: false
        }));
    });
}
setImmediate(frida_Memory,0);


输出如下。
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
e8142070  7f 45 4c 46 01 01 01 00 00 00                    .ELF......

内存搜索（并替换）

利用Memory.scan()函数

类似ida的bin search功能

此外，当匹配了之后，还可以直接用address.writeByteArray进行替换。

function frida_Memory() {
    Java.perform(function () {
        //先获取so的module对象
        var module = Process.findModuleByName("libhello.so"); 
        //??是通配符
        var pattern = "03 49 ?? 50 20 44";
        //基址
        console.log("base:"+module.base)
        //从so的基址开始搜索，搜索大小为so文件的大小，搜指定条件03 49 ?? 50 20 44的数据
        var res = Memory.scan(module.base, module.size, pattern, {
            onMatch: function(address, size){
                //搜索成功
                console.log('搜索到 ' +pattern +" 地址是:"+ address.toString());  
                // address.writeByteArray([0x2d, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00]);
            }, 
            onError: function(reason){
                //搜索失败
                console.log('搜索失败');
            },
            onComplete: function()
            {
                //搜索完毕
                console.log("搜索完毕")
            }
          });
    });
}
setImmediate(frida_Memory,0);

Memory.scanSync 功能与Memory.scan一样，只不过它是返回多个匹配到条件的数据。

function frida_Memory() {
    Java.perform(function () {
        var module = Process.findModuleByName("libhello.so"); 
        var pattern = "03 49 ?? 50 20 44";
        var scanSync = Memory.scanSync(module.base, module.size, pattern);
        console.log("scanSync:"+JSON.stringify(scanSync));
    });
}
setImmediate(frida_Memory,0);

输出如下，可以看到地址搜索出来是一样的
scanSync:[{"address":"0xdf2d412a","size":6}]

内存分配

在目标进程中的堆上申请size大小的内存，并且会按照Process.pageSize对齐，返回一个NativePointer，并且申请的内存如果在JavaScript里面没有对这个内存的使用的时候会自动释放的。也就是说，如果你不想要这个内存被释放，你需要自己保存一份对这个内存块的引用。

function frida_Memory() {
    Java.perform(function () {
        const r = Memory.alloc(10);
        console.log(hexdump(r, {
            offset: 0,
            length: 10,
            header: true,
            ansi: false
        }));
    });
}
setImmediate(frida_Memory,0);

Memory.allocUtf8String(str) 分配utf字符串
Memory.allocUtf16String 分配utf16字符串
Memory.allocAnsiString 分配ansi字符串

写入内存

向刚刚分配的arr中写入array

function frida_Memory() {     
    Java.perform(function () {
        //定义需要写入的字节数组 这个字节数组是字符串"roysue"的十六进制
        var arr = [ 0x72, 0x6F, 0x79, 0x73, 0x75, 0x65];
        //申请一个新的内存空间 返回指针 大小是arr.length
        const r = Memory.alloc(arr.length);
        //将arr数组写入R地址中
        Memory.writeByteArray(r,arr);
        //输出
        console.log(hexdump(r, {
            offset: 0,
            length: arr.length,
            header: true,
            ansi: false
        }));  
    });
}
setImmediate(frida_Memory,0);


输出如下。
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  72 6f 79 73 75 65                                roysue

读取内存

function frida_Memory() {     
    Java.perform(function () {
        //定义需要写入的字节数组 这个字节数组是字符串"roysue"的十六进制
        var arr = [ 0x72, 0x6F, 0x79, 0x73, 0x75, 0x65];
        //申请一个新的内存空间 返回指针 大小是arr.length
        const r = Memory.alloc(arr.length);
        //将arr数组写入R地址中
        Memory.writeByteArray(r,arr);
        //读取r指针，长度是arr.length 也就是会打印上面一样的值
        var buffer = Memory.readByteArray(r, arr.length);
        //输出
        console.log("Memory.readByteArray:");
        console.log(hexdump(buffer, {
            offset: 0,
            length: arr.length,
            header: true,
            ansi: false
        }));
      });  
    });
}
setImmediate(frida_Memory,0);

输出如下。
[Google Pixel::com.roysue.roysueapplication]-> Memory.readByteArray:
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  72 6f 79 73 75 65                                roysue

汇编修改

看下面汇编Patch一节。

Java

显示虚拟机（Dalvik）是否启动

Java.available

该函数一般用来判断当前进程是否加载了JavaVM，Dalvik或ART虚拟机，咱们来看代码示例！

function frida_Java() {
    Java.perform(function () {
        //作为判断用
        if(Java.available)
        {
            //注入的逻辑代码
            console.log("hello java vm");
        }else{
            //未能正常加载JAVA VM
            console.log("error");
        }
    });
}       
setImmediate(frida_Java,0);

输出如下。
hello java vm

显示系统版本号

Java.androidVersion

显示android系统版本号

function frida_Java() {
    Java.perform(function () {
        //作为判断用
        if(Java.available)
        {
            //注入的逻辑代码
            console.log("",Java.androidVersion);
        }else{
            //未能正常加载JAVA VM
            console.log("error");
        }
    });
}       
setImmediate(frida_Java,0);

输出如下。
9
因为我的系统版本是9版本~

Java类型转换⭐

见上文复杂函数打印（HashMap等）

1	Java.cast(handle, klass);

Java.cast(handle, klass)，就是将指定变量或者数据强制转换成你所有需要的类型；创建一个 JavaScript 包装器，给定从 Java.use（） 返回的给定类klas的句柄的现有实例。此类包装器还具有用于获取其类的包装器的类属性，以及用于获取其类名的字符串表示的$className属性，通常在拦截so层时会使用此函数将jstring、jarray等等转换之后查看其值。

创建Java数组⭐

Java.perform(function () {
        //定义一个int数组、值是1003, 1005, 1007
        var intarr = Java.array('int', [ 1003, 1005, 1007 ]);
        //定义一个byte数组、值是0x48, 0x65, 0x69
        var bytearr = Java.array('byte', [ 0x48, 0x65, 0x69 ]);
        for(var i=0;i<bytearr.length;i++)
        {
            //输出每个byte元素
            console.log(bytearr[i])
        }
});

索引	type	含义
1	Z	boolean
2	B	byte
3	C	char
4	S	short
5	I	int
6	J	long
7	F	float
8	D	double
9	V	void

注册Java类（Java接口实现）⭐

Java.registerClass：创建一个新的Java类并返回一个包装器，其中规范是一个包含：
name：指定类名称的字符串。
superClass：（可选）父类。要从 java.lang.Object 继承的省略。
implements：（可选）由此类实现的接口数组。
fields：（可选）对象，指定要公开的每个字段的名称和类型。
methods：（可选）对象，指定要实现的方法。

Java.perform(function () {
          //注册一个目标进程中的类，返回的是一个类对象
          var hellojni = Java.registerClass({
            name: 'com.roysue.roysueapplication.hellojni'
          });
          console.log(hellojni.addInt(1,2));
});

比如，下面代码注册了一个自定义的Java类，然后继承了一个父类A，并实现了一个接口类B：

//获取目标进程的SomeBaseClass类
var SomeBaseClass = Java.use('com.example.SomeBaseClass');
//获取目标进程的X509TrustManager类
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');

var MyWeirdTrustManager = Java.registerClass({
  //注册一个类是进程中的MyWeirdTrustManager类
  name: 'com.example.MyWeirdTrustManager',
  //父类是SomeBaseClass类
  superClass: SomeBaseClass,
  //实现了MyWeirdTrustManager接口类
  implements: [X509TrustManager],
  //类中的属性
  fields: {
    description: 'java.lang.String',
    limit: 'int',
  },
  //定义的方法
  methods: {
    //类的构造函数
    $init: function () {
      console.log('Constructor called');
    },
    //X509TrustManager接口中方法之一，该方法作用是检查客户端的证书
    checkClientTrusted: function (chain, authType) {
      console.log('checkClientTrusted');
    },
    //该方法检查服务器的证书，不信任时。在这里通过自己实现该方法，可以使之信任我们指定的任何证书。在实现该方法时，也可以简单的不做任何处理，即一个空的函数体，由于不会抛出异常，它就会信任任何证书。
    checkServerTrusted: [{
      //返回值类型
      returnType: 'void',
      //参数列表
      argumentTypes: ['[Ljava.security.cert.X509Certificate;', 'java.lang.String'],
      //实现方法
      implementation: function (chain, authType) {
         //输出
        console.log('checkServerTrusted A');
      }
    }, {
      returnType: 'java.util.List',
      argumentTypes: ['[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String'],
      implementation: function (chain, authType, host) {
        console.log('checkServerTrusted B');
        //返回null会信任所有证书
        return null;
      }
    }],
    //　返回受信任的X509证书数组。
    getAcceptedIssuers: function () {
      console.log('getAcceptedIssuers');
      return [];
    },
  }
});

获取env对象⭐

1	Java.vm.getEnv()

利用env，像NDK开发一样创建jstring等类型、调用函数。

调用JNI native API（创建JNI对象）⭐

chame1eon/jnitrace: A Frida based tool that traces usage of the JNI API in Android apps. (github.com)

Java.vm.tryGetEnv().xxxx

或者Java.vm.getEnv()

var sign2 = Module.findExportByName("libhello-jni.so", "Java_com_example_hellojni_HelloJni_sign2");
 
    console.log(sign2);
    Interceptor.attach(sign2, {
        onEnter: function (args) {
            //jstring
            console.log("sign2 str1:", ptr(Java.vm.tryGetEnv().getStringUtfChars(args[2])).readCString());
            console.log("sign2 str2:", ptr(Java.vm.tryGetEnv().getStringUtfChars(args[3])).readCString());
        }, onLeave: function (retval) {
            console.log("sign2 retval:", ptr(Java.vm.tryGetEnv().getStringUtfChars(retval)).readCString());
        }
    });

又有拦截JNI函数：

function frida_Java() {     
    Java.perform(function () {
         //拦截getStr函数
         Interceptor.attach(Module.findExportByName("libhello.so" , "Java_com_roysue_roysueapplication_hellojni_getStr"), {
            onEnter: function(args) {
                console.log("getStr");
            },
            onLeave:function(retval){
                //它的返回值的是retval 在jni层getStr的返回值的jstring 
                //我们在这里做的事情就是替换掉结果
                //先获取一个Env对象
                var env = Java.vm.getEnv();
                //通过newStringUtf方法构建一个jstirng字符串
                var jstring = env.newStringUtf('roysue');
                //replace替换掉结果
                retval.replace(jstring);
                console.log("getSum方法返回值为:roysue")
            }
    });
}
setImmediate(frida_Java,0);

寻找已经加载的Java类

Java.choose方法。详情看Java Hook一节。

Interceptor

Hook Native函数⭐

Intercepter.attach

这里的例子使用的还是so里的导出函数，有符号表。

function frida_Interceptor() {
    Java.perform(function () {
        //对So层的导出函数getSum进行拦截
        Interceptor.attach(Module.findExportByName("libhello.so" , "Java_com_roysue_roysueapplication_hellojni_getSum"), {
            onEnter: function(args) {
                //输出
                console.log('Context information:');
                //输出上下文因其是一个Objection对象，需要它进行接送、转换才能正常看到值
                console.log('Context  : ' + JSON.stringify(this.context));
                //输出返回地址
                console.log('Return   : ' + this.returnAddress);
                //输出线程id
                console.log('ThreadId : ' + this.threadId);
                console.log('Depth    : ' + this.depth);
                console.log('Errornr  : ' + this.err);
            },
            onLeave:function(retval){
            }
        });
    });
}
setImmediate(frida_Interceptor,0);

替换 Native函数⭐

Intercepter.replace

将so中一个拥有Symbol的native函数替换成了自行定义的函数，无论什么输入都会返回123。

function frida_Interceptor() {
    Java.perform(function () {
       //这个c_getSum方法有两个int参数、返回结果为两个参数相加
       //这里用NativeFunction函数自己定义了一个c_getSum函数
       var add_method = new NativeFunction(Module.findExportByName('libhello.so', 'c_getSum'), 
       'int',['int','int']);
       //输出结果 那结果肯定就是 3
       console.log("result:",add_method(1,2));
       //这里对原函数的功能进行替换实现
       Interceptor.replace(add_method, new NativeCallback(function (a, b) {
           //h不论是什么参数都返回123
            return 123;
       }, 'int', ['int', 'int']));
       //再次调用 则返回123
       console.log("result:",add_method(1,2));
    });
}

举例：

[HOOK] java.lang.StringFactory.newStringFromString->Hello World, this is an example string in Java.
[+] exampleString1: Hello World, this is an example string in Java.
[HOOK] java.lang.StringFactory.newStringFromString->Hello World, this is an example string in Java.
[+] exampleString1: Hello World, this is an example string in Java.
...

参数构造

Intent

如何在Frida中使用intent - 问答 - 腾讯云开发者社区-腾讯云 (tencent.com)

const intentClass = Java.use("android.content.Intent");
const fooClass = Java.use("Foo"); // TODO: use fully qualified name of Foo
var intent = intentClass.$new();
intent.setAction("com.example.Broadcast");
var foo = fooClass.$new();
intent.putExtra("foo ", foo);

Context

frida-rpc之如何构造context参数_mob604756f828bf的技术博客_51CTO博客

1
2
3

var current_application = Java.use('android.app.ActivityThread').currentApplication();
var context = current_application.getApplicationContext();
var packageName = context.getPackageName();

HashMap（就是Map）

var cHashMap = Java.use('java.util.HashMap');
var args_x = Java.cast(x, cHashMap);
send(args_x.toString());

var m = cHashMap.$new();
m.put("key1", "val1");
m.put("key2", "val2");

console.log(m)

Java String

var arr = Java.use("java.util.Arrays");
var JavaString =Java.use("java.lang.String");
send("参数对应数组:" + arr.toString(x))
send("参数对应字符串:" + JavaString.$new("AAA").toString())

// 方法二
var ByteString = Java.use("com.android.okhttp.okio.ByteString");
// 转成 hex 在转 string
/*
    .overload('[B')
    .overload('[B', 'int', 'int')
*/
ByteString.of(Java.array('byte', [0x41, 0x42, 0x43])).hex();
// "414243"

比如：

var intarr = Java.array('int', [ 1003, 1005, 1007 ]);
var arr = Java.use("java.util.Arrays");
arr.toString(x);
// "[1003, 1005, 1007]"

array

Java.perform(function () {
        //定义一个int数组、值是1003, 1005, 1007
        var intarr = Java.array('int', [ 1003, 1005, 1007 ]);
        //定义一个byte数组、值是0x48, 0x65, 0x69
        var bytearr = Java.array('byte', [ 0x48, 0x65, 0x69 ]);
        for(var i=0;i<bytearr.length;i++)
        {
            //输出每个byte元素
            console.log(bytearr[i])
        }
});

NativePointer（指针）

ptr()这个简化函数意义是一样的。

1 2	p = new NativePointer(0x114514); p2 = ptr(0x1234);

NativeFunction对象（创建Native函数）

Frida Javascript api #NativeFunction #NativeCallback 与 #SystemFunction (中文版) - 简书 (jianshu.com)

创建新的NativeFunction以调用address处的函数(用NativePointer指定)，其中return Type指定返回类型，argTypes数组指定参数类型。如果不是系统默认值，还可以选择指定ABI。对于可变函数，添加一个‘.’固定参数和可变参数之间的argTypes条目，我们来看看官方的例子。

// LargeObject HandyClass::friendlyFunctionName();
//创建friendlyFunctionPtr地址的函数
var friendlyFunctionName = new NativeFunction(friendlyFunctionPtr,
    'void', ['pointer', 'pointer']);
//申请内存空间    
var returnValue = Memory.alloc(sizeOfLargeObject);
//调用friendlyFunctionName函数
friendlyFunctionName(returnValue, thisPtr);

我来看看它的格式，函数定义格式为new NativeFunction(address, returnType, argTypes[, options])，参照这个格式能够创建函数并且调用！returnType和argTypes[，]分别可以填void、pointer、int、uint、long、ulong、char、uchar、float、double、int8、uint8、int16、uint16、int32、uint32、int64、uint64这些类型，根据函数的所需要的type来定义即可。

在定义的时候必须要将参数类型个数和参数类型以及返回值完全匹配，假设有三个参数都是int，则new NativeFunction(address, returnType, ['int', 'int', 'int'])，而返回值是int则new NativeFunction(address, 'int', argTypes[, options])，必须要全部匹配，并且第一个参数一定要是函数地址指针。

### Supported Types

-   void
-   pointer
-   int
-   uint
-   long
-   ulong
-   char
-   uchar
-   float
-   double
-   int8
-   uint8
-   int16
-   uint16
-   int32
-   uint32
-   int64
-   uint64
-   bool

### Supported ABIs

-   default

-   Windows 32-bit:
    -   sysv
    -   stdcall
    -   thiscall
    -   fastcall
    -   mscdecl

- Windows 64-bit:
    -   win64

- UNIX x86:
    -   sysv
    -   unix64

- UNIX ARM:
    -   sysv
    -   vfp

第四个参数 options 是一个包含一个或多个以下键的对象:

abi：和上面一样的枚举.
scheduling：字符串类型的调度行为, 仅限于:
- cooperative
  允许其他线程在调用原生函数时执行JavaScript代码.
  即在调用之前放开锁, 然后再重新获取它. 这是默认行为.
- exclusive
  禁止其他线程在调用原生函数时执行JavaScript代码.
  即持续占有 JavaScript 锁. 这会更快一些, 但有可能导致死锁.
exceptions

字符串类型的异常行为, 仅限于:
- steal：如果被调用的方法抛出了一个原生异常, 例如对一个无效的指针撤销引用, Frida 将调整栈堆并拦截这个异常, 将其转换成一个可以被处理的 JavaScript 异常. 这有可能导致应用处于未定义的状态, 但在试验时能有效避免进程崩溃. 这是默认行为.
- propagate：让应用处理调用方法期间的任何原生异常.(或者让通过Process.setExceptionHandler() 安装的异常处理器进行处理)
traps：字符串类型的, 待启用的代码陷阱. 仅限于:
- default： Interceptor.attach() 回调将在任意方法触发钩子时被调用.
- all：作为 Interceptor 回调的补充, Stalker 也可以在每个方法调用时临时激活. 在某些情况下这很有用, 比如在引导一个模糊器时测量代码覆盖率, 在调试器中实现 “step into” 功能, 等等.
  注意, 这在使用 Java 和 ObjC api 时也是有可能的, 因为方法包装器同样提供了 clone(options) API 用来配合自定义选项创建新的方法包装器.

NativeFunction支持的类型

SUPPORTED TYPES
void
pointer
int
uint
long
ulong
char
uchar
size_t
ssize_t
float
double
int8
uint8
int16
uint16
int32
uint32
int64
uint64
bool

NativeCallback对象（用Javascript函数实现Native方法）⭐

new NativeCallback(func，rereturn Type，argTypes[，ABI])：创建一个由JavaScript函数func实现的新NativeCallback，其中rereturn Type指定返回类型，argTypes数组指定参数类型。您还可以指定ABI(如果不是系统默认值)。有关支持的类型和Abis的详细信息，请参见NativeFunction。注意，返回的对象也是一个NativePointer，因此可以传递给Interceptor#replace。当将产生的回调与Interceptor.replace()一起使用时，将调用func，并将其绑定到具有一些有用属性的对象，就像Interceptor.Attach()中的那样。我们来看一个例子。如下，利用NativeCallback做一个函数替换。

Java.perform(function () {
   var add_method = new NativeFunction(Module.findExportByName('libhello.so', 'c_getSum'), 
   'int',['int','int']);
   console.log("result:",add_method(1,2));
   //在这里new一个新的函数，但是参数的个数和返回值必须对应
   Interceptor.replace(add_method, new NativeCallback(function (a, b) {
        return 123;
   }, 'int', ['int', 'int']));
   console.log("result:",add_method(1,2));
});

SystemFunction

直接借用了：Frida Javascript api #NativeFunction #NativeCallback 与 #SystemFunction (中文版) - 简书 (jianshu.com)

new SystemFunction(address, returnType, argTypes[, abi]):
类似于 NativeFunction, 但它提供了线程最后一个错误状态的快照.
返回的值是一个包裹着实际返回值作为 value 的对象, 以及一个平台相关的字段, UNIX 上是 errno, 而 Windows 上则是 lastError.
new SystemFunction(address, returnType, argTypes[, options]):
和上面一样, 但是像 NativeFunction 对应的构造器一样接受一个 options 对象.

创建jstring并替换函数返回值

1
2
3

var env = Java.vm.getEnv();
var jstring = env.newStringUtf("RHRHRHR");
retval.replace(ptr(jstring));

CharSequence

在Toast.makeText里面用上了。

var CharSequence = Java.use('java.lang.CharSequence');
var JavaString =Java.use("java.lang.String");
var javaStr = JavaString.$new("ABCDEFG");
var cs = Java.cast(javaStr, CharSequence);

Object数组嵌套Java String数组

var string1 = Java.use("java.lang.String").$new("123");
var string2 = Java.use("java.lang.String").$new("");
// var objarr0 = Java.array("Ljava.lang.String;", [string1, string2]);
var Ref_arr  = Java.use('java.lang.reflect.Array')
var stringClass = Java.use("java.lang.String").class
var arg1 = Ref_arr.newInstance(stringClass, 2);
Ref_arr.set(arg1, 0, string1);
Ref_arr.set(arg1, 1, string2);

var objarr1 = Java.use("java.lang.String").$new("24717361");
var objarr2 = Java.use("java.lang.Integer").$new(19);
var objarr3 = Java.use("java.lang.String").$new("");
var objarr = Java.array("Ljava.lang.Object;", [arg1, objarr1, objarr2, objarr3]);

主动调用

Java

实例化一个对象

1 2	var javaString = Java.use("java.lang.String"); javaString.$new();

调用静态函数

1 2	var javaString = Java.use("java.lang.String"); javaString.valueOf(1);

调用类方法

1 2	var javaString = Java.use("java.lang.String"); javaString.$new().toString();

其实就是用Java.use拿到类后，构造好参数，直接调用里面的方法。

这是一个例子，一个爆破脚本：

Frida主动调用爆破密码 - AskTa0 - 博客园 (cnblogs.com)

function main(){
	console.log("Entering the Script!"); /*打印日志，用来确定是否进入main函数开始执行*/
	
    // public static boolean verifyPassword(Context context, String input);
	Java.perform(function x(){
        console.log("Inside java perform");
        // Verifier 类
        var Verifier = Java.use("org.teamsik.ahe17.qualification.Verifier");
        // 传参有个java String类型，所以需要利用这个
        var stringClass = Java.use("java.lang.String");
        // 必须动态new出来
        var p = stringClass.$new("09042ec2c2c08c4cbece042681caf1d13984f24a");
        
        var pSign = p.getBytes();
        for (var i = 0; i < 10000; i++){
            var v = "";
            if (i < 10){
                v = "000" + stringClass.$new(String(i));
            }else if (i>=10&&i<100) {
                v = "00" + stringClass.$new(String(i));
            }else if (i>+100&&i<1000) {
                v = "0" + stringClass.$new(String(i));
            }else{
                v = stringClass.$new(String(i));
            }

            var vSign = Verifier.encodePassword(v);

            if (parseInt(stringClass.$new(pSign))== parseInt(stringClass.$new(vSign)) ) {
                console.log("yes: " + v)
                break
            }
            console.log("not :" + v)
        }

	})

}

setImmediate(main)

修改成员变量

属性和函数名重名了,需要在属性前面加一个下划线 _

function hook_java() {
    // 必须写在 Java 虚拟机中 
    Java.choose('com.example.androiddemo.Activity.FridaActivity3', {
            onMatch: function (instance) {
                // instance.static_bool_var.value = true;
                instance.bool_var.value = true;
                // TODO 关注一下这个属性，他跟函数名重名了，需要加一个  _  下划线
                instance._same_name_bool_var.value = true;
                console.log(instance.bool_var.value, instance._same_name_bool_var.value)
            },
            onComplete: function () {
				// ...
            }
        })

}

主动加载Dex并调用方法⭐

可以主动加载自己实现的Java代码并执行。

比如实现一个自定义个Base64方法：

class Base64DIY {
    private static char[] base64Code = {'i', '5', 'j', 'L', 'W', '7', 'S', '0', 'G', 'X', '6', 'u', 'f', '1', 'c', 'v', '3', 'n', 'y', '4', 'q', '8', 'e', 's', '2', 'Q', '+', 'b', 'd', 'k', 'Y', 'g', 'K', 'O', 'I', 'T', '/', 't', 'A', 'x', 'U', 'r', 'F', 'l', 'V', 'P', 'z', 'h', 'm', 'o', 'w', '9', 'B', 'H', 'C', 'M', 'D', 'p', 'E', 'a', 'J', 'R', 'Z', 'N'};
    private static int[] toInt = new int[128];


    //存储的是与base64编码对应的索引
    static {
        for (int i = 0; i < base64Code.length; i++) {
            toInt[base64Code[i]] = i;
        }
    }

    //主函数
    public static void main(String[] args) {
        String str  = "0123456789bcdef";
        String str2 = toBase64(str.getBytes());
        System.out.println(str2);
        System.out.println(deBase64(str2));
    }

    //Base64编码
    public  static String toBase64(byte[] byteArr){
        //判空
        if(byteArr == null || byteArr.length == 0){
            return  null;
        }
        //确定字符数组的长度
        char[] chars = new char[(byteArr.length + 2) / 3 * 4];
        int i = 0;
        int count = 0;
        while(i < byteArr.length){
            //获取原始数据的ascii码值
            byte b0 = byteArr[i++];
            byte b1 = (i < byteArr.length) ? byteArr[i++] : 0;
            byte b2 = (i < byteArr.length) ? byteArr[i++] : 0;

            //转化为对应的base数
            /**
             * 这是3位转4位
             * 第一位 右移两位高位补0没问题
             * 第二位 b0左移到高4位低四位补0  b1 右移到低四位  结合就是b0原本的低四位 + b1的高四位
             * 这里会有问题？ 我们只要b0的最后两位和b1的高四位， b0左移4位高2位不一定会是00
             * “& 0x3f ”的作用就是保证高2位是00
             * 第三位第四位同理
             * */
            chars[count++] = base64Code[(b0 >> 2) & 0x3f];
            chars[count++] = base64Code[((b0 << 4) | (b1 >> 4)) & 0x3f];
            chars[count++] = base64Code[((b1 << 2) | (b2 >> 6)) & 0x3f];
            chars[count++] = base64Code[b2 & 0x3f];
        }
        //添加'='  case渗透
        switch (byteArr.length % 3){
            case 1 : chars[--count] = '=';
            case 2 : chars[--count] = '=';
        }
        return new String(chars);
    }

    //Base64解码
    public  static String deBase64(String str){
        //先判空
        if(str == null || str.length() == 0){
            return  str;
        }
        int tempNum  = str.endsWith("==") ? 2 : str.endsWith("=") ? 1 : 0;  //判断字符串结尾有几个'='
        byte[] bytes = new byte[str.length() * 3 / 4 - tempNum];     //删除对应个数
        int index = 0;
        //逆序读出明文
        for(int i = 0;i < str.length();i++){
            int c0 = toInt[str.charAt(i++)];    //Base64编码对应的索引
            int c1 =  toInt[str.charAt(i++)];
            bytes[index++] = (byte) ((c0 << 2) | (c1 >> 4));
            if(index >= bytes.length){
                return new String(bytes);
            }
            int c2 = toInt[str.charAt(i++)];
            bytes[index++] = (byte)((c1 << 4) | (c2 >> 2));
            if(index >= bytes.length){
                return new String(bytes);
            }
            int c3 = toInt[str.charAt(i)];
            bytes[index++] = (byte) ((c2 << 6) | c3);
        }
        return new String(bytes);

    }


}

然后用javac Base64DIY.java编译成.class文件

然后打包生成jar文件：

1	.jdks\corretto-1.8.0_382\bin\jar.exe -cvf ddex.jar .\Base64DIY.class

然后再转换成.dex文件：

1	D:\Environment\Android_SDK\build-tools\30.0.3\dx.bat --dex --output=ddex.dex .\ddex.jar

然后push并给权限：

1
2
3

adb push .\ddex.dex /data/local/tmp/ddex.dex
adb shell
chmod 777 /data/local/tmp/ddex.dex

然后在Frida脚本里面实现加载与调用：

///<reference path='./index.d.ts'/>

function hook(){
    Java.perform(function () {
        var ddex = Java.openClassFile("/data/local/tmp/ddex.dex");
        ddex.load();
        var clazz = Java.use("Base64DIY");
        var input = "0123456789bcdef";
        var encodeBase64 = clazz.toBase64(Java.use("java.lang.String").$new(input).getBytes());
        console.log("encodeBase64", encodeBase64);
    })
}

function main(){
    hook();
}

setImmediate(main)

Native

暂时放最简单的一个例子。注意这里返回值是额外分配的一块内存。

1
2
3

var friendlyFunctionName = new NativeFunction(friendlyFunctionPtr, 'void', ['pointer', 'pointer']);
var returnValue = Memory.alloc(sizeOfLargeObject);
friendlyFunctionName(returnValue, param1);

文件读写（File类）⭐

frida native层读写文件_mb5fdb09c3c3319的技术博客_51CTO博客

在Frida Js里面，是用File对象来实现文件读写。下面是一个代码示例：

this.file = new File(this.filepath, "rb");
this.new_path = "/storage/emulated/0/Download/japanwords/";
var tmp = this.filepath.split("/");
this.filename = tmp[tmp.length-1];
this.new_filepath = this.new_path + this.filename;
console.log("new file: " + this.new_filepath);
this.newfile = new File(this.new_filepath, "wb")

var data = this.file.readBytes()
// read(this.file)
this.newfile.write(data)
this.newfile.flush()
this.newfile.close()

除此之外还有一种通过Hook主动调用Native文件读写函数来实现的方法，但是太过复杂，还要考虑存在其他Hook的需要，就pass。

static readAllBytes

/**
 * Opens the binary file at `filePath`, reads all of its content into an
 * ArrayBuffer, and then closes the file.
 *
 * @param filePath The file to read from.
 */
static readAllBytes(filePath: string): ArrayBuffer;

static readAllText

/**
 * Opens the UTF-8 encoded text file at `filePath`, reads all of its text
 * into a string, and then closes the file.
 *
 * @param filePath The file to read from.
 */
static readAllText(filePath: string): string;

static writeAllBytes

/**
 * Creates a new file at `filePath`, writes the specified bytes to it, and
 * then closes the file. The target file is overwritten in case it already
 * exists.
 *
 * @param filePath The file to write to.
 * @param bytes The bytes to write to the file.
 */
static writeAllBytes(filePath: string, bytes: ArrayBuffer | number[]): void;

static writeAllText

/**
 * Creates a new file at `filePath`, writes the specified text to it
 * encoded as UTF-8, and then closes the file. The target file is
 * overwritten in case it already exists.
 *
 * @param filePath The file to write to.
 * @param text The string to write to the file.
 */
static writeAllText(filePath: string, text: string): void;

new File

/**
 * Opens or creates the file at `filePath` with `mode` specifying how
 * it should be opened. For example `"wb"` to open the file for writing
 * in binary mode. This is the same format as `fopen()` from the C
 * standard library.
 *
 * @param filePath Path to file to open or create.
 * @param mode Mode to use.
 */
constructor(filePath: string, mode: string);

tell

/**
 * Returns the current file position, in bytes.
 */
tell(): number;

seek

/**
 * Changes the current file position to the specified `offset`, in bytes.
 * Returns the resulting offset.
 *
 * @param offset The byte offset to seek to.
 * @param whence What the offset is relative to (default: `File.SEEK_SET`).
 */
seek(offset: number, whence?: number): number;

readBytes

/**
 * Reads up to `n` bytes from the file, or the rest of the file if
 * unspecified. Returns an empty buffer when the end of the file is
 * reached.
 *
 * @param n The maximum number of bytes to read.
 */
readBytes(n?: number): ArrayBuffer;

readText

/**
 * Reads up to `n` bytes from the file into a string. If `n` is omitted,
 * the rest of the file is read. Returns an empty string when the end of the
 * file is reached.
 *
 * Ensures that the data is valid UTF-8 and throws an error otherwise.
 *
 * @param n The maximum number of bytes to read.
 */
readText(n?: number): string;

readLine

/**
 * Reads one line of text from the file, with the newline included. Returns
 * an empty string when the end of the file is reached.
 *
 * Ensures that the data is valid UTF-8 and throws an error otherwise.
 */
readLine(): string;

write

/**
 * Synchronously writes `data` to the file.
 *
 * @param data Data to write.
 */
write(data: string | ArrayBuffer | number[]): void;

flush

/**
 * Flushes any buffered data to the underlying file.
 */
flush(): void;

close

/**
 * Closes the file. You should call this function when you’re done with
 * the file unless you are fine with this happening when the object is
 * garbage-collected or the script is unloaded.
 */
close(): void;

反反调试

单独放一个blog吧。

中级使用

https://learnfrida.info/intermediate_usage

主要涉及了更多具体的结构体什么的，可以看看

Table of contents

高级使用

https://learnfrida.info/advanced_usage

NOP函数

让一个函数失效。

使用replace API替换导出函数

Interceptor.replace(CreateFileWPtr, new NativeCallback(function(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile) {}, 'int', ['pointer', 'int', 'int', 'int', 'int', 'int', 'pointer']));

举个例子：

这是Hook的程序：

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

int
main(int argc, char *argv[])
{
    int fd;
    fd = open("code.dat", O_RDONLY);
    if (fd == -1)
    {
        fprintf(stderr, "file not found\n");
    }

    return 0;
}

脚本（这里比较复杂，因为需要具体从指定DLL里面遍历符号找到open函数的地址。）

// var mods = Process.enumerateModules()
// mods.forEach((mod)=>{
//     console.log(mod.name);
//     console.log(mod.base);
// })

var msvcrt = Process.findModuleByName("msvcrt.dll");
console.log(msvcrt.base)

var sym = msvcrt.enumerateSymbols();
for(var i = 0; i < sym.length; i++) {
    if(sym[i].type=="function" && sym[i].name=="open") {
        // console.log("isGlobal:",sym[i].isGlobal);
        // console.log("type:",sym[i].type);
        // console.log("section:",JSON.stringify(sym[i].section));
        console.log("name:",sym[i].name);
        console.log("address:",sym[i].address);
        var open_ptr = sym[i].address;
    }

}

// var open_ptr = Module.findExportByName("msvcrt.dll", "open")
// console.log(open_ptr);
// var open_ptr = 
/*
#ifndef NO_OLDNAMES
__mingw_bos_extern_ovr
int open(const char * __filename, int __flags, ...)
{
  return _open(__filename, __flags, __builtin_va_arg_pack());
}
 */
Interceptor.replace(open_ptr, 
    new NativeCallback(
        function(__filename, __flags) {
            console.log(`__imp_open(${__filename.readCString()},${__flags})`);
            return -1;
        }, 'int', ['pointer', 'int']));  

console.log("hook success")

使用replace API替换模块内函数

比如上面那个例子中的fprintf函数，在编译后就内联了。现在我希望让无效，无论是任何一个其他函数去调用它。

var fprintf_offset = 0x1530
var mod_base = Module.findBaseAddress("nop_func.exe")
var fprintf_ptr = mod_base.add(fprintf_offset)
Interceptor.replace(fprintf_ptr,
    new NativeCallback(function(__stream, __format){
        // console.log(`fprintf("${__stream}", ${__format.readCString()})`);
        return 1;
    }, 'int', ['pointer', 'pointer']))

好吧，其实差不多，主要核心点在于要主动return来提前返回，不继续执行原函数逻辑。

内存Patch

使用Memory.patchCode来直接修改内存。具体怎么用的看下面的章节。

function patch_open() {
    Memory.patchCode(open_ptr, Process.pageSize,
        function(code) {
            const cw = new X86Writer(code, {pc:open_ptr});
            cw.putNopPadding(Process.pageSize);
            cw.putRet();
            cw.flush();
        })
}
patch_open()

使用自定义DLL/so

这里偷个懒，直接复制过来。

Advanced Frida - Frida HandBook (learnfrida.info)

There might be scenarios when using custom libraries is required be it because there are functions in the library that are useful in our instrumentation code hence it is interesting to call them from our instrumentation code or because there are already replacements written in the library for the functions are going to be instrumented (essentially, to avoid reinventing the wheel). For this use case, Frida offers the Module.load method.

Module.load allows to load an external library into our instrumentation session, once loaded it behaves as a regular module in Frida meaning it has access to Module‘s methods like findExportByName, enumerateExports, enumerateImports… etc.

To illustrate how this works, the following C program is used:
1
2
3
4
5
6
7
8
9
10
#include <stdio.h>
#include <stdlib.h>

int main() {
    FILE *fp;
    fp = fopen("file.txt", "w+");
    fprintf(fp, "%s %s", "May the force", "be with you");
    fclose(fp);
    return 0;
}
The purpose of this example is to replace the function fopen using a custom DLL instead of using Frida’s Interceptor.replace.

Creating a custom DLL¶
The first step is having a custom DLL, if you know how this process works then you can skip this subsection.

The DLL will have a single function that envelopes fopen and prints the filepath argument, therefore what is needed is our libtest.c file containing the function my_fopen:
1
2
3
4
5
6
7
#include <stdlib.h>
#include <stdio.h>

FILE *my_fopen(const char *filename, const char *mode) {
    printf("lib: %s\n", filename);
    return fopen(filename, mode);
}
And a separate libtest.h with the my_fopen declaration:
1
2
3
4
#include <stdlib.h>
#include <stdio.h>

FILE *my_fopen(const char *filename, const char *mode);
Once these files are created, then the only remaining task is using clang to create a shared library:
1
$ clang -shared -undefined dynamic_lookup -o libtest.so libtest.c
If everything went well, there should be a libtest.so shared library file in your current folder:
1
2
file libtest.o
libtest.o: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
Using our custom library¶
Once the custom library is created it can be used from Frida. To illustrate this example everything is done in Frida’s REPL with the aforementioned program, no special arguments are required. This workflow requires us to first load our custom DLL, then obtain a pointer to our custom function and create a NativeFunction from this function so that it can be used from our code. Then the final step is replacing the original function with the custom one.

When inside the command line, the first step is loading our custom library so Module.load provides this functionality:
1
2
3
4
5
6
7
[Local::a.out]-> myModule = Module.load('/home/lazarus/libtest.so')
{
    "base": "0x7f0cf409c000",
    "name": "libtest.so",
    "path": "/home/lazarus/libtest.so",
    "size": 20480
}
When Frida loads the module it returns a module object that now operates as is. For example it is possible to enumerate the loaded library exports:
1
2
3
4
5
6
7
8
[Local::a.out]-> myModule.enumerateExports()
[
    {
        "address": "0x7f0cf409d120",
        "name": "my_fopen",
        "type": "function"
    }
]
Our custom my_fopen function is at the address 0x7f0cf409d120, this is the address that is needed when creating a NativeFunction to the custom function:
1
myfopen = new NativeFunction(ptr("0x7f0cf409d120"), 'pointer', ['pointer', 'pointer']);
The return value is a pointer to a FILE object, so it is set as pointer type and the arguments are pointers to const char as well. Note that once the NativeFunction is created then it can be called from the instrumentation code as main time as desired. The final step is to call Interceptor.replace and call the custom function instead:
1
2
3
Interceptor.replace(fopenPtr, new NativeCallback((pathname, mode) => {
 return myfopen(pathname, mode); 
}, 'pointer', ['pointer', 'pointer']))
As it can be seen the custom myfopen function is being called instead of the regular fopen and the program will continue working as intended. The effects of this replacement can be seen when running the %resume command:
1
2
3
[Local::a.out]-> %resume
[Local::a.out]-> lib: file.txt
lib: /dev/urandom
The custom library function correctly prints the values of the first argument.

读写寄存器

两种方式，Interceptor.attach内直接修改或读取；或者内存Patch。

const addPtr = Module.getExportByName(null, "add");

Interceptor.attach(addPtr, {
    onEnter (args) {
        console.log('x0:' + this.context.x0.toInt32());
        console.log('x1:' + this.context.x1.toInt32());
    }
});

const addPtr = Module.getExportByName(null, "add");
Memory.patchCode(addPtr, Process.pointerSize, function (code) {
    //const cw = new Arm64Writer(code, { pc: addPtr });
    const cw = new Arm64Writer(code, { pc: addPtr });
    cw.putLdrRegU64('x0', 1337);
    cw.putRet();
    cw.flush();
});

读取结构体

struct myStruct
{
  short member_1; // 0x0 (4 bytes)
  int member_2; // 0x4 (4 bytes)
  int member_3; // 0x8 (4 bytes)
  char *member_4; // 0x12 (8 bytes)
} sample_struct;

说白了还是用指针＋偏移的野蛮方法。

// Given s = args[0]:NativePointer

s.readShort() // 1st member.
s.add(4).readInt() // 2nd member.
s.add(8).readInt() // 3rd member.
s.add(12).readPointer().readCString(); // 4th member.

SYSCALL struct

For this example we will be using a known linux SYSCALL named gettimeofday.

MAN page for gettimeofday: https://man7.org/linux/man-pages/man2/gettimeofday.2.html

We have the following declaration:
1
int gettimeofday(struct timeval *tv, struct timezone *tz);
From this we can quickly figure out that timeval and timezone are two structs. And we cannot check what these values are by simply using Frida’s API.

The timeval struct is:
1
2
3
4
struct timeval {
  time_t      tv_sec;     /* seconds */
  suseconds_t tv_usec;    /* microseconds */
};
Note: The time_t size is even dependent on the API level you are targeting in Android systems. Do not forget to get it’s size with Process.PointerSize()

And the timezone struct is:
1
2
3
4
struct timezone {
    int tz_minuteswest;     /* minutes west of Greenwich */
    int tz_dsttime;         /* type of DST correction */
 };
For this example we will write a simple command and compile it with clang:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#include <sys/time.h>
#include <stdio.h>

int 
main()
{
  struct timeval current_time;
  gettimeofday(&current_time, NULL);
  printf("seconds : %ld\nmicro seconds : %ld\n",
    current_time.tv_sec, current_time.tv_usec);

  printf("%p", &current_time);
  getchar();
  return 0;
}
And run: clang -Wall program.c. The expected output should be:
1
2
3
4
pala@jkded:~/code$ ./a.out 
seconds : 1601394944
micro seconds : 402896
0x7fff4a1f8d48
So, given this we will try to access the time_t structure given 0x7fff4a1f8d48 is the structure pointer:
1
2
3
4
5
6
[Local::a.out]-> structPtr = ptr("0x7fff0b9a3118")
"0x7fff0b9a3118"
[Local::a.out]-> structPtr.readLong()
"1601395177"
[Local::a.out]-> structPtr.add(8).readLong()
"439353"
As we can see, the first member is already at offset 0, however we need to get the process pointer size to guess the next offset:
1
2
[Local::a.out]-> Process.pointerSize
8
Now that we know that the pointerSize is 8, we can infer that long’s size will be 8 bytes and place ourselves in the right offset.

WINAPI struct

There are a lot of structures in the Windows API and therefore we need to be confident in our structure parsing skills. We can find these structures in NTDLL calls to represent strings such as UNICODE_STRING and other structures such as the SYSTEMINFO one.

For this example we will take a look at the WINAPI call GetSystemInfo that takes a LPSYSTEM_INFO structure as an argument. And this is what a LPSYSTEM_INFO struct looks like:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
typedef struct _SYSTEM_INFO {
  union {
    DWORD dwOemId;
    struct {
      WORD wProcessorArchitecture;
      WORD wReserved;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
  DWORD     dwPageSize;
  LPVOID    lpMinimumApplicationAddress;
  LPVOID    lpMaximumApplicationAddress;
  DWORD_PTR dwActiveProcessorMask;
  DWORD     dwNumberOfProcessors;
  DWORD     dwProcessorType;
  DWORD     dwAllocationGranularity;
  WORD      wProcessorLevel;
  WORD      wProcessorRevision;
} SYSTEM_INFO, *LPSYSTEM_INFO;
Wow! Quite a complicated struct that we have here right? Let’s first find the size of each offset, especially the ones that can be troublesome such as LPVOID.

On a Windows 10 64-bit system compiled for 32-bit under Visual C++ we get the following values:

Type Size

WORD 2

DWORD 4

DWORD_PTR 4

LPVOID 4

We can check this is true by calling Process.pointerSize() in an attached process:
1
2
[Local::ConsoleApplication2.exe]-> Process.pointerSize
4
Beware that these numbers will change if compiled on 64 bit:

Type Size

WORD 2

DWORD 4

DWORD_PTR 8

LPVOID 8

Beware that compilers may align the stack so ALWAYS be careful when calculating offset.s

Once we have these values, we can infer the offset for each member. Don’t be afraid of the union keyword, it won’t be affecting our calculations for the time being.

Getting all the values is out of the scope of this part, so we will getting some of them as an example:
1
2
3
dwPageSize
lpMinimumApplicationAddress
dwNumberOfProcessors
Complete offset list:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
typedef struct _SYSTEM_INFO {
  union {
    DWORD dwOemId; // offset: 0
    struct {
      WORD wProcessorArchitecture;
      WORD wReserved;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
  DWORD     dwPageSize; // offset: 4
  LPVOID    lpMinimumApplicationAddress; // offset: 8
  LPVOID    lpMaximumApplicationAddress; // offset: 12
  DWORD_PTR dwActiveProcessorMask; // offset: 16
  DWORD     dwNumberOfProcessors; // offset: 20
  DWORD     dwProcessorType; // offset: 24
  DWORD     dwAllocationGranularity; // offset: 28
  WORD      wProcessorLevel; // offset 32
  WORD      wProcessorRevision; // offset 34
} SYSTEM_INFO, *LPSYSTEM_INFO;
And this is the example program that we will be using to test our guesses:
1
2
3
4
5
6
7
8
9
#include <iostream>
#include <Windows.h>
int main()
{
    SYSTEM_INFO sysInfo ;
    GetSystemInfo(&sysInfo);
    printf("%p", &sysInfo);
    getchar();
}
Now that we have the complete offset list, we can know get the values of dwPageSize, lpMinimumApplicationAddress, and dwNumberOfProcessors respectively:
1
2
3
4
5
6
[Local::ConsoleApplication2.exe]-> sysInfoPtr.add(4).readInt()
4096
[Local::ConsoleApplication2.exe]-> sysInfoPtr.add(8).readInt()
65536
[Local::ConsoleApplication2.exe]-> sysInfoPtr.add(20).readInt()
8

CModule⭐⭐⭐

放在另一个blog了。

汇编Patch

一些例子

这是一个Windows的例子。不过也有参考价值。

import {log} from "./logger.js";
let address = Process.findModuleByName("demo.exe");
let codeSize = Process.pageSize;
let imp: NativePointer = Memory.alloc(codeSize);
Memory.patchCode(imp, codeSize, code => {
   let writer = new X86Writer(code, {pc: imp});
   writer.putPushReg("ebp"); 				//push ebp
   writer.putMovRegReg("ebp", "esp");	    //push ebp, esp
   writer.putBytes(new Uint8Array([0xff, 0x75, 8]).buffer as ArrayBuffer); //push dword ptr ss:[ebp + 8]
   writer.putCallAddress(address?.base.add(0x128F)!);	//call 0xxxx128F
   writer.putAddRegImm("esp", 4); 		//add esp, 4
   writer.putMovRegReg("esp", "ebp");	//mov esp, ebp
   writer.putPopReg("ebp"); 			//pop ebp
   writer.putRet();						//ret
   writer.flush();
});
let callMemFun = new NativeFunction(imp, 'void', ['int']);
let result = callMemFun(4);

这是另一个：

function dis(address, number) {
    for (var i = 0; i < number; i++) {
        var ins = Instruction.parse(address);
        console.log("address:" + address + "--dis:" + ins.toString());
        address = ins.next;
    }
}
 
//libc->strstr()  从linker里面找到call_function的地址：趁so代码还未执行前就hook
function hook() {
//call_function("DT_INIT", init_func_, get_realpath());
    var linkermodule = Process.getModuleByName("linker");
    var call_function_addr = null;
    var symbols = linkermodule.enumerateSymbols();
    for (var i = 0; i < symbols.length; i++) {
        var symbol = symbols[i];
        //LogPrint(linkername + "->" + symbol.name + "---" + symbol.address);
        if (symbol.name.indexOf("__dl__ZL13call_functionPKcPFviPPcS2_ES0_") != -1) {
            call_function_addr = symbol.address;
            //LogPrint("linker->" + symbol.name + "---" + symbol.address)
 
        }
    }
    Interceptor.attach(call_function_addr, {
        onEnter: function (args) {
            var type = ptr(args[0]).readUtf8String();
            var address = args[1];
            var sopath = ptr(args[2]).readUtf8String();
            console.log("loadso:" + sopath + "--addr:" + address + "--type:" + type);
            if (sopath.indexOf("libnative-lib.so") != -1) {
                var libnativemodule = Process.getModuleByName("xxxx.so");//call_function正在加载目标so，这时就拦截下来
                var base = libnativemodule.base;
                dis(base.add(0x1234).add(1), 10);
                var patchaddr = base.add(0x2345);//改so的机器码，避免待会完全加载后运行时就错过时机了！
                // 自行patch
                Memory.patchCode(patchaddr, 4, patchaddr => {
                    var cw = new ThumbWriter(patchaddr);
                    cw.putNop();
                    cw = new ThumbWriter(patchaddr.add(0x2));
                    cw.putNop();
                    cw.flush();
                });
                console.log("+++++++++++++++++++++++")
                dis(base.add(0x1234).add(1), 10);
                console.log("----------------------")
 
                dis(base.add(0x2345).add(1), 10);
                Memory.protect(base.add(0x8E78), 4, 'rwx');
                base.add(0x1234).writeByteArray([0x00, 0xbf, 0x00, 0xbf]);
                console.log("+++++++++++++++++++++++")
                dis(base.add(0x2345).add(1), 10);
 
 
            }
        }
    })
}
 
function main() {
    hook();
}
 
setImmediate(main);

模板

Memory.patchCode(open_ptr, Process.pageSize,
        function(code) {
            const cw = new X86Writer(code, {pc:open_ptr});
            cw.putNopPadding(Process.pageSize);
            cw.putRet();
            cw.flush();
        })

下面提供一个更特殊的例子：将原来的函数的第一个指令修改成Jmp，然后在一个用Frida开辟的新内存区域内，用另一个Writer写下nop逻辑，然后返回。

function patch_open2(){
    Memory.patchCode(open_ptr, Process.pageSize,
        function(code) {
            var mem_ptr = Memory.alloc(Process.pageSize)
            const cw2 = new X86Writer(mem_ptr)
            cw2.putNop();
            cw2.putMovRegU32("eax", 0xFFFFFFFF);
            cw2.putRet();
            cw2.flush();

            // console.log(code)
            // console.log(open_ptr)

            const cw = new X86Writer(code);
            // cw.putNopPadding(Process.pageSize);
            // cw.putRet();
            // cw.flush();
            cw2.putJmpAddress(mem_ptr);
        })
}
patch_open2()