hook--Map的put通用脚本
import frida
import sys
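# Attach to an already-running process on the remote Frida device and log
# every java.util.TreeMap.put() call whose key is "data".
# Only TreeMap is instrumented here; put() calls on other Map implementations
# do not pass through this hook.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is a placeholder for the target process
scr = """
Java.perform(function () {
    var TreeMap = Java.use('java.util.TreeMap');

    TreeMap.put.implementation = function (key, value) {
        // NOTE(review): key presumably arrives as a Java object wrapper, so
        // loose == is kept to let it coerce to its string form - confirm.
        if (key == "data") {
            console.log(key, value);
        }
        // Always forward to the original put() so the app behaves as before.
        return this.put(key, value);
    };
});
"""
script = session.create_script(scr)


def on_message(message, data):
    """Print every message the agent posts, with its optional binary payload."""
    print(message, data)


script.on("message", on_message)
script.load()
# Keep the host process alive: once Python exits the session is gone and the
# hook is removed before it has a chance to fire.
sys.stdin.read()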
hook--StringBuilder
import frida
import sys
# Log the string produced by every java.lang.StringBuilder.toString() call in
# the attached process. The hook is unfiltered, so every call in the process
# is printed.
hook_source = """
Java.perform(function () {
var StringBuilder = Java.use("java.lang.StringBuilder");
StringBuilder.toString.implementation = function () {
var res = this.toString();
console.log(res);
return res;
}
});
"""


def on_message(message, data):
    """Echo each agent message together with its optional binary payload."""
    print(message, data)


device = frida.get_remote_device()
target = device.attach("xxx")  # "xxx" is a placeholder for the target process
script = target.create_script(hook_source)
script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until the operator ends the run.
sys.stdin.read()
hook--Base64
import frida
import sys
# Log the result of android.util.Base64.encodeToString(byte[], int).
# Base64 is an encoding, not encryption: anything shown here can be decoded
# without a key. The log label inside the agent is kept as the author wrote it.
hook_source = """
Java.perform(function () {
var Base64 = Java.use("android.util.Base64");
Base64.encodeToString.overload('[B', 'int').implementation = function (bArr,val) {
var res = this.encodeToString(bArr,val);
console.log("加密了-->",res);
return res;
}
});
"""


def on_message(message, data):
    """Echo each agent message together with its optional binary payload."""
    print(message, data)


device = frida.get_remote_device()
target = device.attach("xxx")  # "xxx" is a placeholder for the target process
script = target.create_script(hook_source)
script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until the operator ends the run.
sys.stdin.read()
# Searching this output for the data seen in the request confirms that the
# hook captured it.
hook--拦截器
// hook_Interceptor.js
Java.perform(function () {
  // Instrument OkHttpClient.Builder so every interceptor registration is logged.
  var OkHttpBuilder = Java.use('okhttp3.OkHttpClient$Builder');

  // A plain function (not an arrow) is used because the replacement relies on
  // `this` to reach the original method.
  OkHttpBuilder.addInterceptor.implementation = function (interceptor) {
    var description = JSON.stringify(interceptor);
    console.log(description);
    // Delegate to the original so the client is configured exactly as before.
    return this.addInterceptor(interceptor);
  };
});
//frida -Uf com.hupu.shihuo -l hook_Interceptor.js -o all_interceptor3.txt
hook--so文件的函数
import frida
import sys
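# Trace one exported native function of libJNIEncrypt.so: print its first two
# arguments on entry and its return value on exit.
# NOTE(review): the export name suggests AES-128 in ECB mode, which maps equal
# plaintext blocks to equal ciphertext blocks - worth recording as a finding
# if the implementation confirms it.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is a placeholder for the target process
scr = """
Java.perform(function () {
    // 1. Look up the export in libJNIEncrypt.so. The result is the function's
    //    address in memory, or null when it cannot be resolved.
    var addr_func = Module.findExportByName("libJNIEncrypt.so", "AES_128_ECB_PKCS5Padding_Encrypt");
    if (addr_func === null) {
        // Interceptor.attach() throws on a null target. The library may simply
        // not be loaded yet at the moment this script attaches.
        console.log("AES_128_ECB_PKCS5Padding_Encrypt not found in libJNIEncrypt.so");
        return;
    }

    // 2. Attach to that address.
    Interceptor.attach(addr_func, {
        onEnter: function (args) {
            console.log("--------------------------执行函数--------------------------");
            // Assumes both arguments are NUL-terminated UTF-8 C strings -
            // TODO confirm against the native signature.
            console.log("参数1-v11:", args[0].readUtf8String());
            console.log("参数2-v8:", args[1].readUtf8String());
        },
        onLeave: function (retValue) {
            // Assumes the return value is also a C string pointer - TODO confirm.
            console.log(":::", retValue.readUtf8String());
        }
    });
});
"""
script = session.create_script(scr)


def on_message(message, data):
    """Print every message the agent posts, with its optional binary payload."""
    print(message, data)


script.on("message", on_message)
script.load()
# Block on stdin so the hook stays installed until the operator ends the run.
sys.stdin.read()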
遍历打印app运行时,加载了哪些so文件
import frida
import sys
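# Spawn the app suspended, hook the dynamic-loader entry points, then resume
# it, printing the path of each shared library the process asks to load.
rdev = frida.get_remote_device()
pid = rdev.spawn(["com.xxx"])  # "com.xxx" is a placeholder package name
session = rdev.attach(pid)
# NOTE(review): the hooks below are native and do not use the Java bridge.
# Java.perform may defer its callback until the app's class loader exists, so
# very early loads could be missed - confirm whether the wrapper is needed.
scr = """
Java.perform(function () {
    // Log the path argument of one loader entry point. Entry points that are
    // not exported are skipped, because Interceptor.attach() throws on a null
    // target and would otherwise abort the remaining hooks.
    function logLoads(exportName, label) {
        var target = Module.findExportByName(null, exportName);
        if (target === null) {
            console.log("[skip] " + exportName + " is not exported");
            return;
        }
        Interceptor.attach(target, {
            onEnter: function (args) {
                // args[0] is the library path passed to the loader.
                console.log(label, args[0].readCString());
            }
        });
    }

    logLoads("dlopen", "[dlopen:]");
    logLoads("android_dlopen_ext", "[dlopen_ext:]");
});
"""
script = session.create_script(scr)


def on_message(message, data):
    """Print every message the agent posts, with its optional binary payload."""
    print(message, data)


script.on("message", on_message)
script.load()
# Resume only after the script is loaded so the hooks are in place first.
rdev.resume(pid)
sys.stdin.read()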
打印调用栈
import frida
import sys
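# Hook method t2 of a class and print the Java call stack that reached it.
# The argument is logged verbatim, so saved output contains the raw session
# value and should be stored like any other credential.
rdev = frida.get_remote_device()
session = rdev.attach("xxx")  # "xxx" is a placeholder for the target process
scr = """
Java.perform(function () {
    // "xxx" is a placeholder for the fully qualified class name. The closing
    // quote was missing, which made the whole agent fail to parse.
    var h = Java.use("xxx");
    h.t2.implementation = function (str) {
        console.log("设置session", str);
        // Keep the original result so a non-void t2 still returns its value.
        var res = this.t2(str);
        // Call stack: build a Throwable here and let android.util.Log format it.
        console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        return res;
    };
});
"""
script = session.create_script(scr)
script.load()
# Block on stdin so the hook stays installed until the operator ends the run.
sys.stdin.read()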
'''
设置session 69a5568e29c5f5bb120901435e2bd98281c1969d
java.lang.Throwable
at t3.a.i.b.i$j.onPrepared(BL:6)
at tv.danmaku.ijk.media.player.AbstractMediaPlayer.notifyOnPrepared(BL:2)
at tv.danmaku.ijk.media.player.IjkMediaPlayer$EventHandler.handleMessage(BL:107)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
'''
rpc调用so文件函数
import frida
# Expose the app's own Crypt.encrypt_data() to Python through Frida's RPC
# exports, then call it once from the host side.
# NOTE(review): the agent returns `res` right after Java.perform(); this relies
# on the callback having run by then - confirm for the attach case.
agent_source = """
rpc.exports = {
encrypt:function(a1,a2,a3){
var res;
Java.perform(function () {
// 包.类
var Crypt = Java.use("com.xxx.Crypt");
// 类中的方法
res = Crypt.encrypt_data(a1,a2,a3);
});
return res;
}
}
"""

device = frida.get_remote_device()
target = device.attach("xxx")  # "xxx" is a placeholder for the target process
agent = target.create_script(agent_source)
agent.load()

# Invoke the exported function from Python; the arguments are sample values.
sign = agent.exports.encrypt(0, "abcdefg", 7)
print(sign)