FRIDA 實用手冊
本文目的是作為工具類文章,收集整理了一些 FRIDA 的使用技巧和用例,友善同學們在開發使用過程中開袋即食。
frida 的基礎教程可以直接參看
官網說明。
Python 部分
JS 中文支援
使用
codecs.open(scriptpath, "r", "utf-8")
打開檔案讀取 js 即可。
擷取指定 UID 裝置
device = frida.get_device_manager().get_device("094fdb0a0b0df7f8") 擷取遠端裝置
mgr = frida.get_device_manager()
device = mgr.add_remote_device("30.137.25.128:13355") 啟動調試程序
pid = device.spawn([packename])
process = device.attach(pid)
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
device.resume(pid) python 與 js 互動的官方示例
from __future__ import print_function
import frida
import sys
session = frida.attach("hello")
script = session.create_script("""
Interceptor.attach(ptr("%s"), {
onEnter: function(args) {
send(args[0].toString());
var op = recv('input', function(value) {
args[0] = ptr(value.payload);
});
op.wait();
}
});
""" % int(sys.argv[1], 16))
def on_message(message, data):
print(message)
val = int(message['payload'], 16)
script.post({'type': 'input', 'payload': str(val * 2)})
script.on('message', on_message)
script.load()
sys.stdin.read() 從 bytecode 加載腳本
# -*- coding: utf-8 -*-
from __future__ import print_function
import frida
system_session = frida.attach(0)
bytecode = system_session.compile_script(name="bytecode-example", source="""\
'use strict';
rpc.exports = {
listThreads: function () {
return Process.enumerateThreadsSync();
}
};
""")
session = frida.attach("Twitter")
script = session.create_script_from_bytes(bytecode)
script.load()
api = script.exports
# 這裡的 list_threads 是 listThreads 駝峰命名法自動轉換後的結果,由 rpc exports 功能導出給 python 調用
print("api.list_threads() =>", api.list_threads())
JS 部分
hook Android 短信發送 SendDataMessage
function hook_sms() {
var SmsManager = Java.use('android.telephony.SmsManager');
SmsManager.sendDataMessage.implementation = function (
destinationAddress, scAddress, destinationPort, data, sentIntent, deliveryIntent) {
console.log("sendDataMessage destinationAddress: " + destinationAddress + " port: " + destinationPort);
showStacks();
this.sendDataMessage(destinationAddress, scAddress, destinationPort, data, sentIntent, deliveryIntent);
}
} 定時執行函數
-
setTimeout
setTimeout(funcA, 15000); -
setInterval
var id_ = setInterval(funcB, 15000);
clearInterval(id_); // 終止 bin array 轉字元串
function bin2String(array) {
if (null == array) {
return "null";
}
var result = "";
try {
var String_java = Java.use('java.lang.String');
result = String_java.$new(array);
}
catch (e) {
dmLogout("== use bin2String_2 ==");
result = bin2String_2(array);
}
return result;
}
function bin2String_2(array) {
var result = "";
try {
var tmp = 0;
for (var i = 0; i < array.length; i++) {
tmp = parseInt(array[i]);
if ( tmp == 0xc0
|| (tmp < 32 && tmp != 10)
|| tmp > 126 ) {
return result;
} // 不是可見字元就傳回了, 換行符除外
result += String.fromCharCode(parseInt(array[i].toString(2), 2));
}
}
catch (e) {
console.log(e);
}
return result;
} 自己封裝輸出函數加入線程ID 和時間
function getFormatDate() {
var date = new Date();
var month = date.getMonth() + 1;
var strDate = date.getDate();
if (month >= 1 && month <= 9) {
month = "0" + month;
}
if (strDate >= 0 && strDate <= 9) {
strDate = "0" + strDate;
}
var currentDate = date.getFullYear() + "-" + month + "-" + strDate
+ " " + date.getHours() + ":" + date.getMinutes() + ":" + date.getSeconds();
return currentDate;
}
function dmLogout(str) {
var threadid = Process.getCurrentThreadId();
console.log("["+threadid+"][" + getFormatDate() + "]" + str);
} 列印 Android Java 層堆棧
var showStacks = function () {
Java.perform(function () {
dmLogout(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new())); // 列印堆棧
});
} TracerPid fgets 反調試
var anti_fgets = function () {
dmLogout("anti_fgets");
var fgetsPtr = Module.findExportByName("libc.so", "fgets");
var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);
Interceptor.replace(fgetsPtr, new NativeCallback(function (buffer, size, fp) {
var retval = fgets(buffer, size, fp);
var bufstr = Memory.readUtf8String(buffer);
if (bufstr.indexOf("TracerPid:") > -1) {
Memory.writeUtf8String(buffer, "TracerPid:\t0");
// dmLogout("tracerpid replaced: " + Memory.readUtf8String(buffer));
}
return retval;
}, 'pointer', ['pointer', 'int', 'pointer']));
}; 反調試時讀取 LR 寄存器溯源
var anti_antiDebug = function() {
var funcPtr = null;
funcPtr = Module.findExportByName("xxxx.so", "p57F7418DCD0C22CD8909F9B22F0991D3");
dmLogout("anti_antiDebug " + funcPtr);
Interceptor.replace(funcPtr, new NativeCallback(function (pathPtr, flags) {
dmLogout("anti ddddddddddddddebug LR: " + this.context.lr);
return 0;
}, 'int', ['int', 'int']));
}; hook JNI API NewStringUTF
function hook_native_newString() {
var env = Java.vm.getEnv();
var handlePointer = Memory.readPointer(env.handle);
dmLogout("env handle: " + handlePointer);
var NewStringUTFPtr = Memory.readPointer(handlePointer.add(0x29C));
dmLogout("NewStringUTFPtr addr: " + NewStringUTFPtr);
Interceptor.attach(NewStringUTFPtr, {
onEnter: function (args) {
...
}
});
} hook JNI API GetStringUTFChars
function hook_native_GetStringUTFChars() {
var env = Java.vm.getEnv();
var handlePointer = Memory.readPointer(env.handle);
dmLogout("env handle: " + handlePointer);
var GetStringUTFCharsPtr = Memory.readPointer(handlePointer.add(0x2A4));
dmLogout("GetStringUTFCharsPtr addr: " + GetStringUTFCharsPtr);
Interceptor.attach(GetStringUTFCharsPtr, {
onEnter: function (args) {
var str = "";
Java.perform(function () {
str = Java.cast(args[1], Java.use('java.lang.String'));
});
dmLogout("GetStringUTFChars: " + str);
if (str.indexOf("linkData:") > -1) { // 設定過濾條件
dmLogout("========== found linkData LR: " + this.context.lr + " ==========");
}
}
});
}; hook Android URI 列印堆棧
var hook_uri = function() {
// coord: (7520,0,19) | addr: Ljava/net/URI;->parseURI(Ljava/lang/String;Z)V | loc: ?
var uri = Java.use('java.net.URI');
uri.parseURI.implementation = function (a1, a2) {
a1 = a1.replace("xxxx.com", "yyyy.com");
dmLogout("uri: " + a1);
showStacks();
return this.parseURI(a1, a2);
}
} hook KXmlSerializer 拼裝内容
function hook_xml() {
var xmlSerializer = Java.use('org.kxml2.io.KXmlSerializer'); // org.xmlpull.v1.XmlSerializer
xmlSerializer.text.overload('java.lang.String').implementation = function (text) {
dmLogout("xtext: " + text);
if ("GPRS" == text) {
dmLogout("======>>> found GPRS");
showStacks();
}
return this.text(text);
}
} hook Android Log 輸出
function hook_log() {
dmLogout(TAG, "do hook log");
var Log = Java.use('android.util.Log');
Log.v.overload('java.lang.String', 'java.lang.String').implementation = function (tag, content) {
dmLogout(tag + " v", content);
};
Log.d.overload('java.lang.String', 'java.lang.String').implementation = function (tag, content) {
dmLogout(tag + " d", content);
};
Log.w.overload('java.lang.String', 'java.lang.String').implementation = function (tag, content) {
dmLogout(tag + " w", content);
};
Log.i.overload('java.lang.String', 'java.lang.String').implementation = function (tag, content) {
dmLogout(tag + " i", content);
};
Log.e.overload('java.lang.String', 'java.lang.String').implementation = function (tag, content) {
dmLogout(tag + " e", content);
};
} native 主動調用
var friendlyFunctionName = new NativeFunction(friendlyFunctionPtr, 'void', ['pointer', 'pointer']);
var returnValue = Memory.alloc(sizeOfLargeObject);
friendlyFunctionName(returnValue, param1); 就先整理這麼多,日後再追加。歡迎大佬們追加分享和指正錯誤。
![使用 ctypes 進行 Python 和 C 的混合程式設計[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)