frida用法小彙總

根據設備的 CPU 架構下載相應的 frida-server,然後運行 ./frida-server &

frida官網:https://frida.re/docs/javascript-api/

1.hook靜態函數

img

當類中存在同名函數(即重載)時,hook 時必須用 overload 指定該函數的參數類型

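/**
 * Hook the (String, String) overload of LoginActivity.a and log its
 * arguments and return value without changing the result.
 *
 * When a method name is overloaded, the overload to replace has to be
 * selected by its parameter types through `.overload(...)`.
 */
function hook_java() {
    Java.perform(function () {
        var LoginActivity = Java.use("com.example.androiddemo.Activity.LoginActivity");
        console.log(LoginActivity);

        LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = function (str, str2) {
            // Call through to the original method so the app behaves as before.
            var result = this.a(str, str2);
            // NOTE(review): going by the class name these look like login inputs;
            // treat this log output as sensitive - confirm against the app.
            console.log("LoginActivity.a:", str, str2, result);
            return result;
        };

        // Short form without `.overload(...)`. It is only usable when `a` is
        // NOT overloaded, so it stays disabled here, where `a` has overloads:
        //
        // LoginActivity.a.implementation = function (str1, str2) {
        //     var result = this.a(str1, str2);   // call the original method
        //     console.log("LoginActivity.a:", str1, str2, result);
        //     return result;
        // };
    });
}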

img

修改函數返回值和成員變量

(1)修改返回值

img

/**
 * Replace the return value of FridaActivity1.a(byte[]) with a fixed string.
 *
 * The original method is still invoked, so both the genuine and the
 * substituted value appear in the log. A result computed on the device can be
 * overridden this way by whoever instruments the process, which is why such a
 * value cannot serve as a trust decision on its own.
 */
function hook_java() {
    Java.perform(function () {
        var targetClass = Java.use("com.example.androiddemo.Activity.FridaActivity1");
        var forcedValue = "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";

        // '[B' is the signature of a byte[] parameter. The plain
        // `FridaActivity1.a.implementation = ...` form is the alternative
        // spelling for a method name that is not overloaded.
        var byteArrayOverload = targetClass.a.overload('[B');

        byteArrayOverload.implementation = function (barr) {
            console.log("FridaActivity1.a");

            // Run the real method first so its value can be logged.
            var returned = this.a(barr);
            console.log("FridaActivity1.a 修改前返回值:", returned);

            returned = forcedValue;
            console.log("FridaActivity1.a 修改後返回值:", returned);
            return returned;
        };

        console.log("hook_java");
    });
}

img

(2)修改成員變量

img

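/**
 * Set the static and instance boolean fields of FridaActivity3 to true.
 *
 * The static field is written through the class wrapper; the instance fields
 * are written on every live instance that Java.choose reports.
 */
function call_FridaActivity3() {
    Java.perform(function () {
        var FridaActivity3 = Java.use("com.example.androiddemo.Activity.FridaActivity3");

        // The original listing had a bare `FridaActivity3.$new` expression here:
        // it was never called and its value was discarded, so it is dropped.

        // Static field: assign through `.value` on the class wrapper.
        FridaActivity3.static_bool_var.value = true;
        console.log(FridaActivity3.static_bool_var.value);

        Java.choose("com.example.androiddemo.Activity.FridaActivity3", {
            onMatch: function (instance) {
                // Non-static field: assign through `.value` on the instance.
                instance.bool_var.value = true;

                // A field that shares its name with a method is addressed with
                // a leading underscore.
                instance._same_name_bool_var.value = true;

                console.log(instance.bool_var.value, instance._same_name_bool_var.value);
            },
            onComplete: function () {
                // Nothing to do once enumeration has finished.
            }
        });
    });
}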

2.hook內部類

img

第一種寫法

/**
 * Make check1 .. check6 of the inner class FridaActivity4$InnerClasses
 * return true.
 *
 * An inner class is addressed by its binary name, i.e. the outer class name,
 * a `$`, then the inner class name.
 */
function hook_InnerClasses() {
    Java.perform(function () {
        var innerClass = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");
        console.log(innerClass);

        // The six checks get the same replacement, so install it by name.
        var checkNames = ["check1", "check2", "check3", "check4", "check5", "check6"];
        checkNames.forEach(function (checkName) {
            innerClass[checkName].implementation = function () {
                return true;
            };
        });
    });
}



第二種寫法

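/**
 * Hook every method declared by FridaActivity4$InnerClasses so that it logs
 * the receiver and returns true.
 *
 * Method names are read with java.lang.reflect.Method.getName(). The earlier
 * approach of cutting the name out of Method.toString() picked the wrong text
 * whenever the class name also appeared before the method name, for example
 * in the return type.
 */
function hook_mul_function() {
    Java.perform(function () {
        var class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";
        var InnerClasses = Java.use(class_name);
        var all_methods = InnerClasses.class.getDeclaredMethods();

        for (var i = 0; i < all_methods.length; i++) {
            var methodname = all_methods[i].getName();
            console.log(methodname);

            // NOTE(review): `return true` only fits methods that return boolean;
            // presumably that holds for every declared method here - verify.
            // An overloaded name would additionally need `.overload(...)`.
            InnerClasses[methodname].implementation = function () {
                console.log("hook_mul_function:", this);
                return true;
            };
        }
    });
}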

3.hook動態dex

img

/**
 * Find the class loader that can resolve the dynamically loaded class
 * com.example.androiddemo.Dynamic.DynamicCheck and print it.
 *
 * Original author's note: applies to Android Nougat and later.
 */
function hook_dyn_dex() {
    Java.perform(function () {
        var wantedClass = "com.example.androiddemo.Dynamic.DynamicCheck";

        function inspectLoader(loader) {
            try {
                if (loader.findClass(wantedClass)) {
                    console.log(loader);
                    // Switch the class factory to this loader before Java.use:
                    // Java.classFactory.loader = loader;
                }
            } catch (error) {
                // Presumably findClass throws for loaders that do not know the
                // class; those loaders are skipped on purpose.
            }
        }

        Java.enumerateClassLoaders({
            onMatch: inspectLoader,
            onComplete: function () {
                // Nothing to do once enumeration has finished.
            }
        });

        // Disabled in the original listing; it depends on the loader switch above.
        // var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");
        // console.log(DynamicCheck);
        // DynamicCheck.check.implementation = function () {
        //     console.log("DynamicCheck.check");
        //     return true;
        // }
    });
}

img

img

4.frida加載動態dex

/**
 * Load an extra dex file into the process and call
 * DecodeUtils.decode_p() from it.
 *
 * The dex was built from the compiled class with the commands the original
 * author recorded:
 *
 *   jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class
 *   /Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar
 *
 * An earlier variant opened "/data/local/tmp/ddex.dex" instead.
 */
function hook_java() {
    // The dex file is opened before entering Java.perform, as in the original.
    var dexPath = "/data/local/tmp/ddex2.dex";
    var ddex2 = Java.openClassFile(dexPath);

    Java.perform(function () {
        // Load the dex so that its classes can be resolved with Java.use.
        ddex2.load();

        var decodeUtils = Java.use("com.example.androiddemo.DecodeUtils");
        var decoded = decodeUtils.decode_p();
        console.log("DecodeUtils.decode_p:", decoded);
    });
}