Skip to content

M
MyOpen

夜猫逐梦 / MyOpen

通知 2
Star 0
Fork 1
M
MyOpen
提交 7a3c7ba8 编写于 作者: K khz_pc
浏览文件
操作

frida测试程序

上级 6df111db
显示空白变更内容
内联 并排
Showing with 232 addition and 0 deletion
course/frida/02_Hook基础/02_Hook基础.md 0 → 100644
浏览文件 @ 7a3c7ba8
## 大纲
[TOC]
## Hook打印参数、堆栈
```
D:\Python\Python371\python.exe frida注入测试.py
````
## 修改参数、返回值
## Hook重载函数
## Hook静态函数
## 参考资料
- http://frida.re/
- https://www.freebuf.com/articles/network/190565.html
\ No newline at end of file
course/frida/02_Hook基础/frida注入测试.js 0 → 100644
浏览文件 @ 7a3c7ba8
function showStacks() {
Java.perform(function () {
send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
});
}
function dump_obj(obj) {
for(var key in obj){
console.log('args_x.persons ----+++-----', key, obj[key])
}
}
// obj含有size函数
function dump_obj_array(intent, obj) {
var len = obj.size()
var arr = obj.toArray()
for(var i = 0; i < len; ++i){
console.log('dump_obj_array =======', i, arr[i], intent.getExtra(arr[i]))
}
}
function my_format(fmt, objs) {
var cls_String = Java.use("java.lang.String");
var fn_format = cls_String.format.overload('java.lang.String', '[Ljava.lang.Object;')
return fn_format.call(cls_String, fmt, objs)
}
function my_hook_log(log_platformtools, fn, flag) {
fn.implementation = function () {
// dump_obj(arguments)
console.log('[khz] fmt= ', arguments[1])
console.log('[khz]', flag, '>>>> ', arguments[0], '>> ', my_format(arguments[1], arguments[2]))
fn.call(log_platformtools, arguments[0], arguments[1], arguments[2])
}
}
// 微信com.tencent.mars.xlog.Xlog接口Hook
var filter_not_care = ["MicroMsg.MemoryWatchDog", "ThreadPool.Execute", "MicroMsg.SimcardService", "MicroMsg.BitmapTracer"]
var filter_care = ["MicroMsg.KVEasyReport", "MicroMsg.ConfigStorage", "MicroMsg.ReportManagerKvCheck", "MicroMsg.ReportService", "MicroMsg.EventCenter"]
function my_hook_log_arguments(log_platformtools, fn, flag) {
fn.implementation = function () {
// console.log(arguments["0"])
if (filter_not_care.indexOf(arguments["0"]) != -1) {
return
}else if (filter_care.indexOf(arguments["0"]) != -1) {
return
} else if (arguments["0"].startsWith("HABBYGE-MALI.")) {
return
}
// dump_obj(arguments)
console.log('[khz] ', flag, JSON.stringify(arguments))
// console.log('[khz]', flag, '>>>> ', arguments[0], '>> ', my_format(arguments[1], arguments[2]))
// fn.call(log_platformtools, arguments[0], arguments[1], arguments[2])
}
}
Java.perform(function(){
console.log('【Java.perform】 ENTER');
// Hook class
var cls = Java.use("com.ninecents.MainActivity");
cls._member_method.implementation = function () {
console.log('【cls._member_method】 ENTER');
// ## Hook打印参数、堆栈
console.log('【cls._member_method】 打印参数:', arguments);
console.log('【cls._member_method】 打印参数:', JSON.stringify(arguments));
console.log('【cls._member_method】 打印参数:', arguments[0], arguments[0].value);
showStacks();
// ## 修改参数
arguments[0] = "随便改改";
// arguments[0].value = "随便改改,当类型是对象的时候,需要加上value属性";
this._member_method(arguments[0])
// ## 修改返回值
return 1;
};
// ## Hook重载函数 overload
cls._overload_method.overload('int').implementation = function () {
console.log('【cls._overload_method】 ENTER');
arguments[0] = 0;
this._overload_method(arguments[0])
}
// ## Hook重载函数 overload
cls._static_method.implementation = function () {
console.log('【cls._static_method】 ENTER');
console.log('【cls._member_method】 打印参数:', arguments);
console.log('【cls._member_method】 打印参数:', JSON.stringify(arguments));
showStacks();
}
});
// 主动调用静态函数
function callStaticFun() { //定义导出函数
Java.perform(function () { //找到隐藏函数并且调用
console.log("Java.isMainThread() = ", Java.isMainThread());
Java.choose("com.ninecents.MainActivity", {
onMatch: function (instance) {
console.log("Found instance: " + instance);
console.log("Result of secret func: " + instance._static_method());
},
onComplete: function () { }
});
});
}
// Java.scheduleOnMainThread(callStaticFun)
// 主动调用成员函数
function callMemberFun() { //定义导出函数
Java.perform(function () { //找到隐藏函数并且调用
console.log("Java.isMainThread() = ", Java.isMainThread());
Java.choose("com.ninecents.MainActivity", {
onMatch: function (instance) {
console.log("Found instance: " + instance);
console.log("Result of secret func: " + instance._member_method("in js..."));
},
onComplete: function () { }
});
});
}
// Java.scheduleOnMainThread(callMemberFun)
// 主动调用点击事件
function call__onClick() { //定义导出函数
Java.perform(function () { //找到隐藏函数并且调用
console.log("Java.isMainThread() = ", Java.isMainThread());
Java.choose("com.ninecents.MainActivity", {
onMatch: function (instance) {
console.log("Found instance: " + instance, JSON.stringify(instance));
console.log("Result of secret func: ", JSON.stringify(instance.button_overload_method));
var ClassView = Java.use("android.view.View");
var instanceClassView = Java.cast(instance.button_overload_method.value, ClassView);
instance.onClick(instanceClassView);
},
onComplete: function () { }
});
});
}
Java.scheduleOnMainThread(call__onClick)
course/frida/02_Hook基础/frida注入测试.py 0 → 100644
浏览文件 @ 7a3c7ba8
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2020-9-27 10:02:11
# @Author : khz_ls
# @Site :
# @File : __init__.py.py
# @Software: ce9nt
import os
def message(message, data):
if message["type"] == 'send':
print(u"[***] {0}".format(message['payload']))
else:
print(message)
def main():
import frida
import sys
jsCode = ""
with open("frida注入测试.js", "r", encoding='utf-8') as f:
jsCode = f.read()
host = '4b0e004e'
app_package_name = 'com.ninecents'
manager = frida.get_device_manager()
device = manager.get_device(host)
process = device.attach(app_package_name)
script = process.create_script(jsCode)
script.on("message", message)
script.load()
sys.stdin.read()
if __name__ == "__main__":
print("------------------ Enter __main__ ------------------")
print(u"[Current work directory is : ]\t" + os.getcwd())
print(u"[Current process ID is : ]\t" + str(os.getpid()))
print("\n")
main()
print("------------------ Leave __main__ ------------------")
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册