Install the Python environment
Anaconda download: https://www.anaconda.com/distribution/
Add the following to the PATH environment variable:
D:\develop\Anaconda3\Scripts;
D:\develop\Anaconda3\Library\bin;
D:\develop\Anaconda3\;
D:\develop\Anaconda3\Library\mingw-w64\bin;
Install the frida packages:
pip install frida
pip install frida-tools
1. Check whether the phone's CPU is 32-bit or 64-bit. Open CMD and run:
adb shell su
cat /proc/cpuinfo
2. Download the frida-server build that matches your device's bitness and push it to /data/local/tmp on the phone.
Download: https://github.com/frida/frida/releases
Push command: adb push xxx /data/local/tmp
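Picking the right frida-server build is the step people most often get wrong, so here is an added helper (not code from the original post) that parses the text `cat /proc/cpuinfo` prints in step 1 and maps it to the architecture suffix used by the release assets on https://github.com/frida/frida/releases, which are named frida-server-<version>-android-<arch>.xz. The cpuinfo samples in the block are constructed, and the version string in the demo call is a placeholder; `getprop ro.product.cpu.abi` is a real Android property that gives the ABI directly if the cpuinfo layout is unfamiliar.

```python
"""Choose the frida-server release asset for an Android device.

Added example (not code from the original post). It parses the text that
`cat /proc/cpuinfo` prints in step 1 and maps it to the architecture suffix
used by the assets on https://github.com/frida/frida/releases, which are
named frida-server-<version>-android-<arch>.xz. The cpuinfo samples are
constructed, and the version string in the demo is a placeholder.
"""
import re

# Architecture suffixes that appear in the frida-server release file names.
FRIDA_ANDROID_ARCHES = ("arm", "arm64", "x86", "x86_64")

# Constructed samples of what /proc/cpuinfo looks like on three device types.
CPUINFO_ARM64 = """Processor\t: AArch64 Processor rev 4 (aarch64)
processor\t: 0
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x41
CPU architecture: 8
"""
CPUINFO_ARMV7 = """Processor\t: ARMv7 Processor rev 1 (v7l)
processor\t: 0
Features\t: swp half thumb fastmult vfp edsp neon vfpv3
CPU architecture: 7
"""
CPUINFO_X86_64 = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Atom(TM) CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm
"""


def detect_arch(cpuinfo: str) -> str:
    """Return 'arm64', 'arm', 'x86_64' or 'x86' for a /proc/cpuinfo dump.

    ARM kernels report 'CPU architecture: 8' for AArch64 and 7 for ARMv7;
    x86 kernels report a 'flags' line in which 'lm' (long mode) marks 64-bit.
    """
    text = cpuinfo.lower()
    if re.search(r"^cpu architecture\s*:\s*8\b", text, re.M) or "aarch64" in text:
        return "arm64"
    if re.search(r"^cpu architecture\s*:\s*7\b", text, re.M) or "armv7" in text:
        return "arm"
    flags = re.search(r"^flags\s*:(.*)$", text, re.M)
    if flags:
        return "x86_64" if "lm" in flags.group(1).split() else "x86"
    raise ValueError("unrecognised /proc/cpuinfo layout; check `getprop ro.product.cpu.abi`")


def frida_server_asset(version: str, arch: str) -> str:
    """File name of the matching release asset (an xz-compressed binary)."""
    if arch not in FRIDA_ANDROID_ARCHES:
        raise ValueError("unknown Android arch: %r" % arch)
    return "frida-server-%s-android-%s.xz" % (version, arch)


def push_command(local_binary: str) -> list:
    """The adb command from step 2, run after the .xz has been decompressed.

    The file is pushed as /data/local/tmp/frida-server so that step 4's
    `./frida-server` works without renaming on the phone.
    """
    return ["adb", "push", local_binary, "/data/local/tmp/frida-server"]


if __name__ == "__main__":
    arch = detect_arch(CPUINFO_ARM64)
    asset = frida_server_asset("X.Y.Z", arch)  # X.Y.Z: placeholder, use a real release number
    print(arch, asset, " ".join(push_command(asset[:-3])))
```

The asset is xz-compressed; decompress it locally before pushing, and push it under the name frida-server so the later steps work unchanged.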
3. Write the hook script
import frida
import sys

# Frida JavaScript injected into the app: hook a JNI export in libdemo.so
jsCode = """
Java.perform(function () {
    // Resolve the exported JNI function by name
    var resultInt = Module.findExportByName("libdemo.so", "Java_com_qianyu_demo_MainActivity_resultInt");
    Interceptor.attach(resultInt, {
        onEnter: function (args) {
            // JNI convention: args[0] is JNIEnv*, args[1] is the jobject/jclass,
            // so the Java-side parameters start at args[2]
            send(args[2]);
            send(args[3]);
            send(args[4]);
        },
        onLeave: function (retval) {
            // var jstr = Java.cast(retval);
            send("addr:" + retval);
        }
    });
});
"""

# Message handler: print the payload of every send() from the script
def message(message, data):
    if message["type"] == 'send':
        print(u"[*] {0}".format(message['payload']))
    else:
        print(message)

# Attach to the app through the forwarded TCP port (127.0.0.1:27042, see step 5)
process = frida.get_remote_device().attach("com.qianyu.demo")
script = process.create_script(jsCode)
script.on("message", message)
script.load()
sys.stdin.read()  # keep the script alive until stdin is closed
4. Run frida-server:
adb shell su
cd /data/local/tmp
chmod 777 frida-server
./frida-server
5. Forward the port and launch the app:
adb forward tcp:27042 tcp:27042
frida -U -f com.qianyu.demo --no-pause
6. Result
The code above hooks the so (native) layer; below is sample code for hooking the Java layer. The execution flow is the same as above:
import frida
import sys

# Hook an ordinary Java method
jscode = """
Java.perform(function () {
    var utils = Java.use('com.xiaojianbang.app.Utils');
    // Replace getCalc; for overloaded methods select one with
    // utils.getCalc.overload('int', 'int').implementation = ...
    utils.getCalc.implementation = function (a, b) {
        console.log("Hook Start...");
        send(arguments[0]);
        send(arguments[1]);
        send("Success!");
        // Calling the method on `this` inside the replacement runs the original
        // implementation; pass other values here to tamper with its inputs
        var num = this.getCalc(a, b);
        send(num);
        return num;
    };
});
"""

def message(msg, data):
    if msg["type"] == 'send':
        print("[*] {0}".format(msg['payload']))
    else:
        print(msg)

# Attach to the target app on the remote (port-forwarded) device
process = frida.get_remote_device().attach('com.xiaojianbang.app')
script = process.create_script(jscode)
script.on("message", message)
script.load()
sys.stdin.read()
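Both scripts above (the so-layer hook in step 3 and the Java-layer hook) rely on the frida CLI from step 5 to spawn the app and then attach from Python, and their handlers print anything that is not a send() message raw. The following added harness (my example, not code from the original post) does the whole flow from Python: spawn the package, attach, load the hook, then resume, so the hooks are in place before any app code runs, which is what `frida -U -f ... --no-pause` achieves. It also decodes the 'error' messages Frida delivers when the JavaScript throws. It assumes frida-server is running on the device (step 4) and reachable over USB like `frida -U`; the package name and hook file are command-line arguments.

```python
"""Spawn-and-hook harness for the step 3 and Java-layer hook scripts.

Added example, not code from the original post. Assumes frida-server is
running on the device (step 4) and the `frida` Python package is installed.
format_message() is a pure function so it can be exercised without a device.
"""
import sys


def format_message(message: dict, data: bytes = None) -> str:
    """Render one Frida message as a log line.

    Frida delivers {'type': 'send', 'payload': ...} for each send() call and
    {'type': 'error', 'description': ..., 'stack': ..., 'lineNumber': ...}
    when the injected script throws.
    """
    kind = message.get("type")
    if kind == "send":
        line = "[*] {}".format(message.get("payload"))
        if data:
            line += " (+{} bytes of binary data)".format(len(data))
        return line
    if kind == "error":
        return "[!] script error at line {}: {}\n{}".format(
            message.get("lineNumber"), message.get("description"), message.get("stack", ""))
    return "[?] {}".format(message)


def on_message(message, data):
    print(format_message(message, data))


def run(package: str, js_code: str, usb_timeout: float = 5.0):
    """Spawn `package`, inject `js_code`, resume it and keep the session open."""
    import frida  # imported here so format_message() works without the module

    device = frida.get_usb_device(timeout=usb_timeout)  # same transport as `frida -U`
    pid = device.spawn([package])             # process starts suspended
    session = device.attach(pid)
    script = session.create_script(js_code)
    script.on("message", on_message)
    script.load()                             # hooks installed before any app code runs
    device.resume(pid)                        # what --no-pause does in the CLI
    print("[*] hooked {} (pid {}); Ctrl-D or Ctrl-C to stop".format(package, pid))
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    # Usage: python harness.py <package> <hook.js>
    pkg, js_path = sys.argv[1], sys.argv[2]
    with open(js_path, encoding="utf-8") as fh:
        run(pkg, fh.read())
```

Save either of the page's JavaScript snippets to a .js file and run the harness with the package name; a typo in the hook now shows up as a "[!] script error" line with the JavaScript line number instead of a raw dictionary.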