FRIDA 实用手册
FRIDA 實用手冊
本文目的是作為工具類文章,收集整理了一些 FRIDA 的使用技巧和用例,方便同學們在開發使用過程中開袋即食。
frida 的基礎教程可以直接參看官網說明。
Python 部分
JS 中文支持
使用 `codecs.open(scriptpath, "r", "utf-8")` 打開文件讀取 js 即可（Python 3 下也可直接用 `open(scriptpath, encoding="utf-8")`），這樣含有中文的腳本才不會因系統預設編碼而讀錯。
獲取指定 UID 設備
# Pick one specific USB device by its serial ("UID") — the same string that
# `frida-ls-devices` / `adb devices` prints — rather than the first one found.
manager = frida.get_device_manager()
device = manager.get_device("094fdb0a0b0df7f8")

# ---- 獲取遠程設備 (Get a remote device) ----
# Register a frida-server reachable over TCP ("host:port") and obtain a Device for it.
# SECURITY: frida-server does no authentication — anyone who can reach that port can
# run code on the device as the user frida-server runs as. Prefer binding it to
# 127.0.0.1 and reaching it through `adb forward` or an SSH tunnel rather than
# exposing it on a LAN/WAN address as in this example.
remote_address = "30.137.25.128:13355"
mgr = frida.get_device_manager()
device = mgr.add_remote_device(remote_address)

# ---- 啟動調試進程 (Spawn the process to debug) ----
# Spawn the target package, attach, inject the agent, and only then let it run,
# so the hooks are installed before the app's own code starts executing.
# `packename`, `jscode` and `on_message` come from the surrounding script.
pid = device.spawn([packename])
process = device.attach(pid)

script = process.create_script(jscode)
script.on('message', on_message)   # receives send()/console output from the agent
script.load()

# Resume last: resuming before load() would let early code run unhooked.
device.resume(pid)

# ---- python 與 js 交互的官方示例 (official Python <-> JS messaging example) ----
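from __future__ import print_function
import frida
import sys

# Official round-trip example: the agent hooks the function at the address given
# on the command line (hex), sends its first argument to Python, then blocks in
# recv().wait() until Python posts a replacement value, which is written back
# into args[0] before the hooked function runs.
session = frida.attach("hello")
script = session.create_script("""
Interceptor.attach(ptr("%s"), {
    onEnter: function(args) {
        send(args[0].toString());
        var op = recv('input', function(value) {
            args[0] = ptr(value.payload);
        });
        op.wait();
    }
});
""" % int(sys.argv[1], 16))


def on_message(message, data):
    """Double the pointer value the agent sent and post it back.

    Only 'send' messages carry a 'payload'; an agent-side exception arrives as
    {'type': 'error', ...} and used to raise KeyError here, which in turn left the
    agent blocked forever in op.wait(). Such messages are printed and ignored.
    """
    print(message)
    if message.get('type') != 'send':
        return
    val = int(message['payload'], 16)   # args[0].toString() yields "0x..." hex
    script.post({'type': 'input', 'payload': str(val * 2)})


script.on('message', on_message)
script.load()
sys.stdin.read()   # keep the Python side (and thus the script) alive until EOF

# ---- 從 bytecode 加載腳本 (Load a script from bytecode) ----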
# -*- coding: utf-8 -*-
from __future__ import print_function
import frida

# Compile the agent to bytecode in a "system session" (pid 0), then load that
# bytecode into the real target instead of the source text.
# NOTE: bytecode only hides the source from casual inspection; anyone who can
# dump the target's memory can still recover what the agent does. Do not rely
# on it as a secret.
AGENT_SOURCE = """\
'use strict';
rpc.exports = {
    listThreads: function () {
        return Process.enumerateThreadsSync();
    }
};
"""

system_session = frida.attach(0)
bytecode = system_session.compile_script(name="bytecode-example", source=AGENT_SOURCE)

session = frida.attach("Twitter")
script = session.create_script_from_bytes(bytecode)
script.load()

# rpc.exports names are exposed to Python in snake_case: listThreads -> list_threads.
api = script.exports
print("api.list_threads() =>", api.list_threads())

# ---- JS 部分 (JavaScript section) ----
hook Android 短信發送 SendDataMessage
// Hook android.telephony.SmsManager.sendDataMessage(): log the destination number
// and port plus the Java call stack, then let the real send go ahead.
// Must be called from inside Java.perform(). showStacks() is defined further down.
function hook_sms() {
    const smsManagerClass = Java.use('android.telephony.SmsManager');
    smsManagerClass.sendDataMessage.implementation = function (destinationAddress, scAddress, destinationPort, data, sentIntent, deliveryIntent) {
        console.log(`sendDataMessage destinationAddress: ${destinationAddress} port: ${destinationPort}`);
        showStacks();
        // sendDataMessage returns void, so there is nothing to hand back to the caller.
        this.sendDataMessage(destinationAddress, scAddress, destinationPort, data, sentIntent, deliveryIntent);
    };
}

// ---- 定時執行函數 (run a function on a timer) — no snippet follows this heading in the captured page ----
bin array 轉字符串
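// Convert a Java byte[] (seen through the Java bridge as an array-like of numbers)
// to a string by letting java.lang.String decode it with the platform default
// charset. Falls back to bin2String_2 when that fails, e.g. when called outside
// Java.perform(). Returns the string "null" for a null/undefined input.
// dmLogout is defined further down in this file.
function bin2String(array) {
    if (array == null) {   // intentionally loose: matches both null and undefined
        return "null";
    }
    try {
        const JavaString = Java.use('java.lang.String');
        return JavaString.$new(array);
    } catch (e) {
        dmLogout("== use bin2String_2 ==");
        return bin2String_2(array);
    }
}

// Pure-JS fallback: append bytes as characters until the first non-printable one.
// "Printable" means 32..126 plus "\n" (10); anything else — including negative
// values, since Java bytes are signed — stops the scan and returns what was
// collected so far. A null array is tolerated (the TypeError is caught) and
// yields "".
// Fixed: the original turned each value into a base-2 string and parsed it back,
// which is a no-op for numbers but converts string elements such as "65" into
// "\0"; the parsed value is now used directly, and non-numeric elements stop the
// scan instead of emitting "\0".
function bin2String_2(array) {
    let result = "";
    try {
        for (let i = 0; i < array.length; i++) {
            const value = parseInt(array[i], 10);
            const printable = value === 10 || (value >= 32 && value <= 126);
            if (!printable) {
                return result;
            }
            result += String.fromCharCode(value);
        }
    } catch (e) {
        console.log(e);
    }
    return result;
}

// ---- 自己封裝輸出函數加入線程ID 和時間 (a logging wrapper that adds thread id and time) ----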
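// Current local time as "YYYY-MM-DD HH:MM:SS". Every field is zero-padded to two
// digits; the original only padded month and day, so timestamps like "9:5:3"
// could appear and would not sort or align with "10:15:30".
function getFormatDate() {
    const now = new Date();
    const pad2 = (n) => String(n).padStart(2, '0');
    const ymd = `${now.getFullYear()}-${pad2(now.getMonth() + 1)}-${pad2(now.getDate())}`;
    const hms = `${pad2(now.getHours())}:${pad2(now.getMinutes())}:${pad2(now.getSeconds())}`;
    return `${ymd} ${hms}`;
}

// Log helper used by the hooks below: prefixes the message with the calling
// thread id and a timestamp so interleaved output from hooks firing on
// different threads can be told apart. Takes a single string; extra
// arguments are ignored, so build the message before calling.
function dmLogout(str) {
    const threadid = Process.getCurrentThreadId();
    console.log(`[${threadid}][${getFormatDate()}]${str}`);
}

// ---- 打印 Android Java 層堆棧 (print the Android Java-layer call stack) ----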
// Print the current Java call stack: build a fresh java.lang.Exception and let
// android.util.Log.getStackTraceString() format it. Wrapped in Java.perform() so it
// can also be called from native-side callbacks (Interceptor.attach/replace).
var showStacks = function () {
    Java.perform(function () {
        const Log = Java.use("android.util.Log");
        const JavaException = Java.use("java.lang.Exception");
        const trace = Log.getStackTraceString(JavaException.$new());
        dmLogout(trace);
    });
};

// ---- TracerPid fgets 反調試 (defeat the TracerPid anti-debug check read via fgets) ----
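// Defeat the classic "TracerPid" anti-debug check: replace libc fgets() so that any
// line read containing "TracerPid:" (from /proc/self/status) is rewritten to report
// pid 0, i.e. "no tracer attached".
// Scope: this only covers readers that go through fgets(). An app that uses
// read()/raw syscalls, checks "State:\t... (tracing stop)", or detects ptrace via
// a PTRACE_TRACEME self-attach is not affected by this hook.
var anti_fgets = function () {
    dmLogout("anti_fgets");
    const fgetsPtr = Module.findExportByName("libc.so", "fgets");
    if (fgetsPtr === null) {
        // NativeFunction(null, ...) would throw a generic error; say what actually went wrong.
        dmLogout("anti_fgets: fgets not found in libc.so, nothing replaced");
        return;
    }
    const fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);
    Interceptor.replace(fgetsPtr, new NativeCallback(function (buffer, size, fp) {
        const retval = fgets(buffer, size, fp);
        if (retval.isNull()) {
            // EOF or error: fgets leaves the buffer contents unspecified, so do not
            // read (or rewrite) them — the original did, which could touch stale data.
            return retval;
        }
        const line = Memory.readUtf8String(buffer);
        if (line !== null && line.indexOf("TracerPid:") > -1) {
            // Keep the trailing newline so the line structure of the file is preserved
            // for callers that parse line by line. "TracerPid:\t0\n" is never longer than
            // the line it replaces (the original pid is at least one digit), so it fits.
            Memory.writeUtf8String(buffer, "TracerPid:\t0\n");
        }
        return retval;
    }, 'pointer', ['pointer', 'int', 'pointer']));
};

// ---- 反調試時讀取 LR 寄存器溯源 (trace an anti-debug check back to its caller via LR) ----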
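// Neutralise an anti-debug routine exported by xxxx.so and record where it was
// called from. The export name below is a placeholder from the original write-up;
// substitute the real symbol. `this.context.lr` (link register) holds the caller's
// return address — the value to look up in the disassembler to find the check site.
// lr only exists on ARM/ARM64; on x86/x86_64 it is undefined.
var anti_antiDebug = function () {
    const funcPtr = Module.findExportByName("xxxx.so", "p57F7418DCD0C22CD8909F9B22F0991D3");
    dmLogout("anti_antiDebug " + funcPtr);
    if (funcPtr === null) {
        // Interceptor.replace(null) throws a generic error; report the real cause instead.
        dmLogout("anti_antiDebug: export not found, nothing replaced");
        return;
    }
    // First argument is declared 'pointer' (the original said 'int', which truncates
    // a 64-bit pointer); the callback never uses it, so either is harmless, but this
    // matches the name pathPtr. Returning 0 is presumably the "not debugged" result —
    // confirm against the real check's convention.
    Interceptor.replace(funcPtr, new NativeCallback(function (pathPtr, flags) {
        dmLogout("anti ddddddddddddddebug LR: " + this.context.lr);
        return 0;
    }, 'int', ['pointer', 'int']));
};

// ---- hook JNI API NewStringUTF ----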
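// Hook the JNI function NewStringUTF by reading its slot out of the JNIEnv function
// table. The slot index (167) follows the JNINativeInterface layout from the JNI
// spec. The original hard-coded the byte offset 0x29C, which is 167 * 4 and therefore
// only correct on 32-bit ABIs; multiplying by Process.pointerSize makes it right on
// arm64/x86_64 too (167 * 8 = 0x538).
function hook_native_newString() {
    const JNI_NEW_STRING_UTF_INDEX = 167;
    const env = Java.vm.getEnv();
    const functionTable = Memory.readPointer(env.handle);   // JNIEnv* points at the function table
    dmLogout("env handle: " + functionTable);
    const NewStringUTFPtr = Memory.readPointer(functionTable.add(JNI_NEW_STRING_UTF_INDEX * Process.pointerSize));
    dmLogout("NewStringUTFPtr addr: " + NewStringUTFPtr);
    Interceptor.attach(NewStringUTFPtr, {
        onEnter: function (args) {
            // NewStringUTF(JNIEnv *env, const char *bytes): args[1] is the C string being
            // turned into a jstring. It is in "modified UTF-8"; readUtf8String treats it as
            // plain UTF-8, which is fine for ASCII/BMP text. The original left this body as "...".
            dmLogout("NewStringUTF: " + Memory.readUtf8String(args[1]));
        }
    });
}

// ---- hook JNI API GetStringUTFChars ----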
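// Hook the JNI function GetStringUTFChars via its slot in the JNIEnv function table
// and log every Java string that native code pulls out; when the string contains
// the filter marker, also log the link register so the native call site can be
// found. Slot index 169 follows the JNI spec layout; the original hard-coded 0x2A4
// (= 169 * 4), which is only right on 32-bit ABIs — scaling by Process.pointerSize
// also covers arm64/x86_64 (169 * 8 = 0x548).
function hook_native_GetStringUTFChars() {
    const JNI_GET_STRING_UTF_CHARS_INDEX = 169;
    const env = Java.vm.getEnv();
    const functionTable = Memory.readPointer(env.handle);   // JNIEnv* points at the function table
    dmLogout("env handle: " + functionTable);
    const GetStringUTFCharsPtr = Memory.readPointer(functionTable.add(JNI_GET_STRING_UTF_CHARS_INDEX * Process.pointerSize));
    dmLogout("GetStringUTFCharsPtr addr: " + GetStringUTFCharsPtr);
    Interceptor.attach(GetStringUTFCharsPtr, {
        onEnter: function (args) {
            // GetStringUTFChars(JNIEnv *env, jstring string, jboolean *isCopy): args[1] is the
            // jstring reference, wrapped here as a java.lang.String object.
            let str = "";
            Java.perform(function () {
                str = Java.cast(args[1], Java.use('java.lang.String'));
            });
            dmLogout("GetStringUTFChars: " + str);
            if (str.indexOf("linkData:") > -1) {   // filter condition — adjust to the target
                // this.context.lr exists only on ARM/ARM64.
                dmLogout("========== found linkData LR: " + this.context.lr + " ==========");
            }
        }
    });
}

// ---- 循環輸出參數的值 (log every argument in a loop) ----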
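// Log both arguments of libc strcat(dest, src) on entry.
// Frida's `args` in onEnter is an accessor object, not a real array — it has no
// `length` property, so the original loop (`i < args.length`) never executed.
// strcat takes exactly two arguments, so the count is fixed here.
Interceptor.attach(Module.findExportByName("libc.so", "strcat"), {
    onEnter: function (args) {
        const STRCAT_ARGC = 2;
        for (let i = 0; i < STRCAT_ARGC; i++) {
            // Both arguments are NUL-terminated C strings by strcat's contract; dest is
            // read before the append, so it shows the existing prefix.
            dmLogout("strcat args[" + i + "](" + ptr(args[i]) + "): " + Memory.readUtf8String(args[i]));
        }
    }
});

// ---- hook Android URI 打印堆棧 (hook Android URI parsing and print the stack) ----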
// Hook java.net.URI's private parser and rewrite one host before the URI is built.
// Because this runs inside the app, it silently redirects all of the app's requests
// for that host — use it only against targets you are authorised to test.
// (locator comment from the original, generated by a tool: coord: (7520,0,19) | addr: Ljava/net/URI;->parseURI(Ljava/lang/String;Z)V | loc: ?)
var hook_uri = function () {
    const URI = Java.use('java.net.URI');
    URI.parseURI.implementation = function (a1, a2) {
        // String.prototype.replace with a string pattern swaps the first match only.
        const rewritten = a1.replace("xxxx.com", "yyyy.com");
        dmLogout("uri: " + rewritten);
        showStacks();
        return this.parseURI(rewritten, a2);
    };
};

// ---- hook KXmlSerializer 拼裝內容 (hook KXmlSerializer as it assembles content) ----
// Hook KXmlSerializer.text(String) (the org.xmlpull.v1.XmlSerializer implementation
// Android ships) to see every text node the app serialises, and dump the Java stack
// when the node of interest ("GPRS") is written.
function hook_xml() {
    const serializerClass = Java.use('org.kxml2.io.KXmlSerializer');
    const textOverload = serializerClass.text.overload('java.lang.String');
    textOverload.implementation = function (text) {
        dmLogout("xtext: " + text);
        if (text === "GPRS") {
            dmLogout("======>>> found GPRS");
            showStacks();
        }
        return this.text(text);   // text() returns the serializer itself; hand it back
    };
}

// ---- hook Android Log 輸出 (hook Android Log output) ----
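// Mirror everything the app writes through android.util.Log (v/d/w/i/e with the
// (String tag, String msg) overload) into Frida's console, then forward to the real
// Log method.
// Fixes relative to the original: (1) it called dmLogout(TAG, ...) but TAG is not
// defined anywhere in this file, so the function threw before installing a single
// hook; (2) dmLogout takes one string, so the second argument — the log content —
// was silently dropped; (3) the hooks never called the original and returned
// nothing for a method declared to return int, so logcat output was suppressed.
function hook_log() {
    dmLogout("do hook log");
    const Log = Java.use('android.util.Log');
    ['v', 'd', 'w', 'i', 'e'].forEach(function (level) {
        Log[level].overload('java.lang.String', 'java.lang.String').implementation = function (tag, content) {
            dmLogout(tag + " " + level + ": " + content);
            // Pass the call through so the line still reaches logcat and the caller
            // gets Log's int return value.
            return this[level](tag, content);
        };
    });
}

// ---- native 主動調用 (calling a native function directly) ----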
// Call a native function directly from JS (an "active call"). The target is assumed
// to take (out-buffer, param) and write its result into the buffer. friendlyFunctionPtr,
// sizeOfLargeObject and param1 are placeholders to be filled in for the real target.
// Memory.alloc() memory is released once the JS side drops its last reference to it,
// so keep `returnValue` reachable for as long as native code may still use the buffer.
var friendlyFunctionName = new NativeFunction(friendlyFunctionPtr, 'void', ['pointer', 'pointer']);
var returnValue = Memory.alloc(sizeOfLargeObject);   // out-buffer owned by the JS side
friendlyFunctionName(returnValue, param1);

// 就先整理這么多,日後再追加。歡迎大佬們追加分享和指正錯誤。
// (That is all for now; more will be added later. Additions and corrections are welcome.)
本文為云棲社區原創內容,未經允許不得轉載。