Android逆向-Frida源码编译与魔改

字数统计: 1.7k字   |   阅读时长≈ 8分

Frida源码编译与魔改

Android逆向-Frida源码编译与魔改

下载与编译

WSL2(失败)

为了便于开发,我决定用Win10+WSL2的组合来搭建编译开发环境。

首先下载:

1
2
sudo apt-get install build-essential curl git lib32stdc++-9-dev \
    libc6-dev-i386 nodejs npm python3-dev python3-pip

修复nodejs/npm下载问题

首先是解决多余的node/npm。我的WSL上面,在/usr/local/bin里面还有多余的node/npm,这些会被识别出来,但是apt无法去修改他们。因此我手动删除了他们,以及/usr/local/lib里面相关的依赖(似乎只有个node_modules文件夹)。

然后再用apt安装nodejs,安装后就发现都在/usr/bin里面,这就正常了。

whereis指令来看程序所在的位置

1
whereis node

然后解决npm,这一块有点玄学。就是在

1
sudo apt install npm

的时候,瞬间给我列出来一大堆玩意,说is not going to be installed

https://unix.stackexchange.com/questions/394031/apt-get-reasons-for-but-it-is-not-going-to-be-installed

然后解决方案似乎是主动去安装这些玩意。

1
2
sudo apt install nodejs npm
sudo apt install  node-abbrev node-ajv  node-ansi  node-ansi-regex node-ansi-styles  node-ansistyles  node-aproba  node-archy node-are-we-there-yet  node-asap  node-asn1  node-assert-plus  node-asynckit  node-aws4  node-aws-sign2  node-balanced-match  node-bcrypt-pbkdf  node-bl  node-bluebird  node-boxen  node-brace-expansion  node-builtin-modules  node-builtins  node-cacache  node-call-limit  node-camelcase  node-caseless  node-chalk  node-chownr  node-ci-info  node-cli-boxes  node-cliui  node-clone  node-co  node-color-convert  node-color-name  node-colors  node-columnify  node-combined-stream  node-concat-map  node-concat-stream  node-config-chain  node-configstore  node-console-control-strings  node-copy-concurrently  node-core-util-is  node-cross-spawn  node-crypto-random-string  node-cyclist  node-dashdash  node-debug  node-decamelize  node-deep-extend  node-defaults  node-define-properties  node-delayed-stream  node-delegates  node-detect-indent  node-detect-newline  node-dot-prop  node-duplexer3  node-duplexify  node-ecc-jsbn  node-editor  node-encoding  node-end-of-stream  node-err-code  node-errno  node-es6-promise  node-escape-string-regexp  node-execa  node-extend  node-extsprintf  node-fast-deep-equal  node-find-up  node-flush-write-stream  node-forever-agent  node-form-data  node-from2  node-fs.realpath  node-fs-vacuum  node-fs-write-stream-atomic  node-function-bind  node-gauge  node-genfun  node-get-caller-file  node-getpass  node-glob   node-got  node-graceful-fs     node-har-schema  node-har-validator  node-has-flag  node-has-unicode  node-hosted-git-info   node-http-signature  node-iconv-lite  node-iferr  node-import-lazy  node-imurmurhash  node-inflight  node-inherits   node-ini   node-invert-kv  node-ip  node-ip-regex  node-isarray  node-isexe  node-is-npm  node-is-obj  node-is-path-inside  node-is-retry-allowed  node-is-stream  node-isstream  node-is-typedarray  node-jsbn  node-jsonparse  node-json-parse-better-errors  node-json-schema  node-json-schema-traverse  node-jsonstream   node-json-stringify-safe  node-jsprim  node-latest-version  node-lazy-property  node-lcid  node-libnpx  node-locate-path  node-lodash  node-lockfile   node-lowercase-keys  node-lru-cache   node-make-dir  node-mem  node-mime  node-mime-types  node-mimic-fn  node-minimatch  node-minimist  node-mississippi  node-mkdirp   node-move-concurrently  node-ms  node-mute-stream  node-nopt  node-normalize-package-data   node-npm-bundled  node-npm-package-arg   node-npmlog   node-number-is-nan  node-oauth-sign  node-object-assign  node-once   node-opener  node-osenv   node-os-locale  node-os-tmpdir  node-package-json  node-parallel-transform  node-path-exists  node-path-is-absolute  node-path-is-inside  node-promise-inflight  node-promise-retry  node-promzard  node-performance-now  node-p-finally  node-p-is-promise  node-pify  node-p-limit  node-p-locate  node-prepend-http  node-process-nextick-args  node-proto-list  node-prr  node-pseudomap  node-psl  node-pump  node-pumpify  node-punycode  node-qs  node-qw  node-rc  node-read   node-readable-stream  node-read-package-json   node-registry-auth-token  node-registry-url  node-request   node-require-main-filename  node-require-directory  node-resolve-from   node-retry   node-rimraf   node-run-queue  node-safe-buffer  node-semver   node-set-blocking  node-sha   node-shebang-command  node-shebang-regex  node-signal-exit  node-slide   node-sorted-object  node-slash  node-semver-diff  node-spdx-correct  node-spdx-exceptions  node-spdx-expression-parse  node-spdx-license-ids  node-sshpk  node-ssri  node-stream-each  node-stream-iterate  node-stream-shift  node-strict-uri-encode  node-string-decoder  node-string-width  node-strip-ansi   node-strip-json-comments  node-strip-eof  node-supports-color  node-tar   node-term-size  node-text-table  node-through  node-through2  node-timed-out  node-tough-cookie  node-tunnel-agent  node-tweetnacl  node-typedarray  node-uid-number  node-unique-filename  node-unique-string  node-unpipe  node-url-parse-lax  node-util-deprecate  node-uuid  node-validate-npm-package-name  node-verror  node-which   node-which-module  node-wide-align  node-widest-line  node-wrap-ansi  node-wrappy  node-wcwidth.js  node-write-file-atomic

时候发现npm应该是不需要主动用apt安装的,因为安装nodejs的时候似乎自带了。因此这里忽视。

然后安装交叉编译工具。

1
sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu

然后设置ANDROID_NDK_ROOT环境变量(先下载Linux上的Android NDK,版本要是r25的!)

NDK 下载 | Android NDK | Android Developers

1
2
3
vim ~/.zshrc
export ANDROID_NDK_ROOT=/home/tardis/Documents/android-ndk-r25c
source ~/.zshrc

在WSL2中用Git下载:

1
git clone --recurse-submodules https://github.com/frida/frida

编译:

输入

1
make

会输出一大堆的列表。选择我们要的。

core-android-arm64

1
sudo make core-android-arm64 -j4

Windows(没成功)

配置NDK路径

在Windows上,配置好系统环境变量,以我的电脑为例子,设置ANDROID_NDK

1
D:\Environment\Android_SDK\ndk\25.1.8937393

这个文件夹下有ndk-build.cmdndk-gdb.cmd等用于Android平台上交叉编译的工具。

Linux(虚拟机上成功)

换到我的VMWare r0envKali逆向虚拟机里面。

首先

1
2
apt update
apt upgrade

我的openssh-server总是更新报错,anyway不管了。

先remove openssh-server,然后重新安装,然后选择第一个选项,安装新版本,覆盖原来的配置。

然后根据以下命令的需求安装:(不用直接执行这个命令)

1
2
sudo apt-get install build-essential curl git lib32stdc++-9-dev \
    libc6-dev-i386 nodejs npm python3-dev python3-pip

其中的lib32stdc++-9-devlibc6-dev-i386好像没法安装,不过问题不大

这个虚拟机比较好用,这些都有:

1
2
3
node: v18.13.0
npm: 9.2.0
python3 3.8.5

还有一个很重要的就是

1
sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu

开始下载源码

1
git clone --recurse-submodules https://github.com/frida/frida

然后再下载Android NDK r25c,解压并设置好ANDROID_NDK_ROOT

最后

1
make core-linux-arm64 -j8

这里make时,或者前面apt install时需要科学上网,因此可以前面带上proxychains4

现在真的是一切正常了。最后成功编译。

我将frida源码放在了Kali里的Desktop/frida-dev文件夹下了。

strongR-frida-android⭐

hzzheyang/strongR-frida-android: An anti detection version frida-server for android. (github.com)

Patchs/strongR-frida/frida-core at master · hluwa/Patchs (github.com)

这是一个将frida源码进行patch魔改,实现掩盖frida特征的一个项目。

可以偷懒直接下载它提供的release,但也最好自己试试魔改。

隐藏”frida:rpc”

frida-core/lib/base中构造request变量时:

1
.add_string_value("frida:rpc")

问题

releng/detect_os.sh找不到

实际上是从Windows Terminal的Powershell上面,用git下载下来的脚本的回车符是CRLF格式的,和WSL2里Linux shell的解释器基于LF的回车符不一致,就出现bug了。

最好直接用WSL2里的Linux git来下载东西。这样就能成功解决问题。

参考

Frida源码编译及定制 - 掘金 (juejin.cn)

Hacking | Frida • A world-class dynamic instrumentation toolkit

Building | Frida • A world-class dynamic instrumentation toolkit

记录一次成功的frida编译_frida 编译_一只快死的猿的博客-CSDN博客

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.