Using the Frida hook framework.

0x1 Introduction

Frida is a hook framework built on Python + JavaScript that works across Android, iOS, Linux, Windows, macOS and other platforms.
The official site is https://www.frida.re

0x2 Installation

Install Python and pip, install Frida by running pip install frida, then download the Frida server.
pip download: https://pypi.python.org/pypi/pip
Frida server download: https://github.com/frida/frida/releases

0x3 Example

Install the Frida server on the phone, change its permissions, and run it.
Then set up port forwarding:
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043

MainActivity.java

// Log whether a debugger is attached
boolean bRet = Debug.isDebuggerConnected();
if (bRet == true) {
    Log.e("IsDebug", "IsDebug");
} else {
    Log.e("IsNotDebug", "IsNotDebug");
}
// Call Calc.add() and log the result
Calc MyAdd = new Calc();
int nRet = MyAdd.add(1, 2);
Log.e("Add", String.valueOf(nRet));

Calc.java

import android.util.Log;

public class Calc {
    public int add(int a, int b)
    {
        int nRet = a + b;
        Log.e("Add", String.valueOf(nRet));
        return nRet;
    }
}

import frida
import sys

# Connect to the frida-server reached through the forwarded ports
rdev = frida.get_remote_device()
session = rdev.attach("com.example.xxx.myapplication")

scr = """
Java.perform(function(){
    // Make Debug.isDebuggerConnected() always report true
    var Debug = Java.use("android.os.Debug");
    Debug.isDebuggerConnected.implementation = function(){
        send("Called isDebuggerConnected");
        return true;
    };

    // Create a Calc instance and call add() directly
    var CallCalc = Java.use("com.example.xxx.myapplication.Calc");
    send("Called Add");
    var instance = CallCalc.$new();
    var res = instance.add(100,200);
    send(res);

    // Replace Calc.add() so that it always returns 10
    var FakeRet = Java.use("com.example.xxx.myapplication.Calc");
    FakeRet.add.implementation = function(){
        send("Called Add FakeRet");
        return 10;
    };

    // Hook the hello(int) overload
    var Hello = Java.use("com.example.xxx.myapplication.Calc");
    Hello.hello.overload("int").implementation = function(var_0) {
        send(var_0);
        var ret = this.hello(2); // calling the original function fails
    };
});
"""

script = session.create_script(scr)

def on_message(message, data):
    print(message)

script.on("message", on_message)
script.load()
sys.stdin.read()  # keep the process alive so messages keep arriving
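
An added example (not part of the original post): a message handler that separates send() payloads from uncaught script errors, so a failing hook such as the hello one reports its exception instead of a raw dict. MessageLog, replay and the sample messages are constructed for illustration; the keys used (type, payload, description, stack, lineNumber) are the ones Frida's Python bindings deliver.

```python
# Added example: structured handling of Frida script messages.
import json


class MessageLog:
    """Collects messages delivered to script.on("message", ...)."""

    def __init__(self):
        self.payloads = []   # values passed to send() in the injected script
        self.errors = []     # uncaught JavaScript exceptions raised in hooks

    def on_message(self, message, data):
        kind = message.get("type")
        if kind == "send":
            # "payload" is absent when the script calls send(undefined)
            payload = message.get("payload")
            self.payloads.append(payload)
            print("[send]  " + json.dumps(payload))
        elif kind == "error":
            entry = {
                "description": message.get("description", ""),
                "line": message.get("lineNumber"),
                "stack": message.get("stack", ""),
            }
            self.errors.append(entry)
            print("[error] line {line}: {description}".format(**entry))
        else:
            print("[other] " + json.dumps(message))

    def summary(self):
        return {"sends": len(self.payloads), "errors": len(self.errors)}


# Constructed sample messages, shaped like those the script above would emit.
# The error text is made up; it is not the real failure of the hello hook.
SAMPLE_MESSAGES = [
    {"type": "send", "payload": "Called Add"},
    {"type": "send", "payload": 300},
    {"type": "error", "description": "TypeError: not a function",
     "stack": "TypeError: not a function\n    at <anonymous> (/script1.js:20)",
     "fileName": "/script1.js", "lineNumber": 20, "columnNumber": 1},
]


def replay(messages):
    """Feed recorded messages through the handler without a device."""
    log = MessageLog()
    for msg in messages:
        log.on_message(msg, None)
    return log
```

With a live session, create a MessageLog and register it with script.on("message", log.on_message) in place of the plain on_message function.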