
Frida for Android: notes on setting up the basic environment

Frida is a lightweight hooking framework that runs on several platforms, for example Android, Windows and iOS.
Frida has two parts: a server that runs on the target device and hijacks application functions by injecting into their processes, and a client that runs on the host machine and drives it.
Frida's high-level API has bindings for JavaScript, Python, C and others.
Frida's official GitHub repository: https://github.com/frida/frida

Installing Python

Omitted.

See: A Few Notes on Getting Started with Python

Installing the packages

```bash
pip install frida-tools frida requests
```

Script examples

Starting the Frida server

The script below detects the device's instruction set (ABI) automatically, downloads the matching frida-server release and starts it. It requires a working adb setup and a rooted device. The server must be the same version as the Python client that talks to it, so the script derives the version from frida.__version__ rather than hard-coding it:

```python
# coding: utf-8

import os
import subprocess
import lzma
import logging

import frida
import requests

logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

# Android ABI string (ro.product.cpu.abi) -> architecture suffix used in the
# frida-server release asset names.
ABI_TO_FRIDA_ARCH = {
    'arm64-v8a': 'arm64',
    'armeabi-v7a': 'arm',
    'x86_64': 'x86_64',
    'x86': 'x86',
}


def get_version():
    # The server must match the version of the Python client that will talk to it.
    version = frida.__version__
    logger.info('get_version:%s' % version)
    return version


def get_abi():
    out = subprocess.check_output(['adb', 'shell', 'getprop', 'ro.product.cpu.abi'])
    abi_string = out.decode().strip()
    # Splitting on '-' breaks for 'x86' and 'x86_64' (no dash), so use an explicit map.
    arch = ABI_TO_FRIDA_ARCH[abi_string]
    logger.info('get_abi:%s -> %s' % (abi_string, arch))
    return arch


def download(url, file):
    logger.info('download:%s, store:%s' % (url, file))
    # Keep TLS verification on: this binary is about to run as root on the device.
    response = requests.get(url, allow_redirects=True, timeout=60)
    response.raise_for_status()
    content = response.content
    binary = lzma.decompress(content)
    with open(file, 'wb') as f:
        f.write(binary)
    logger.info('download completed, package size:%d, binary size:%d' % (len(content), len(binary)))


def main():
    abi = get_abi()
    version = get_version()
    file = 'frida-server-{0}-android-{1}'.format(version, abi)
    url = 'https://github.com/frida/frida/releases/download/{0}/{1}.xz'.format(version, file)

    if not os.path.exists(file):
        logger.info('file not exists, downloading...')
        download(url, file)

    logger.info('check root permission...')
    subprocess.run(['adb', 'root'], check=True)
    logger.info('push binary...')
    subprocess.run(['adb', 'push', file, '/data/local/tmp/'], check=True)
    logger.info('add exec permission...')
    subprocess.run(['adb', 'shell', 'chmod 755 /data/local/tmp/%s' % file], check=True)
    logger.info('start server...')
    # Runs in the foreground and blocks until the server exits (Ctrl-C to stop it).
    subprocess.run(['adb', 'shell', '/data/local/tmp/%s' % file])


if __name__ == '__main__':
    main()
```
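The setup script downloads an archive over the network, unpacks it and runs the result as root on the device, so it is worth checking that what came out of the .xz is actually an ELF executable for the device's ABI before pushing it. The following is an added example, not part of the original post: it parses the ELF identification bytes and e_machine field (constants from the ELF specification) and compares them with what each Android ABI requires. The sample header it tests against is constructed inline and is not a real frida-server binary.

```python
# Added example: sanity-check a decompressed frida-server blob against the device ABI.
import lzma
import struct

# ELF header constants (ELF specification).
ELF_MAGIC = b'\x7fELF'
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183

# Android ABI (ro.product.cpu.abi) -> (expected ELF class, expected e_machine)
ABI_TO_ELF = {
    'armeabi-v7a': (ELFCLASS32, EM_ARM),
    'arm64-v8a': (ELFCLASS64, EM_AARCH64),
    'x86': (ELFCLASS32, EM_386),
    'x86_64': (ELFCLASS64, EM_X86_64),
}


def inspect_elf(blob):
    """Return {'class': 1|2, 'machine': int} for a little-endian ELF, else raise ValueError."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        raise ValueError('not an ELF file')
    ei_class = blob[4]
    ei_data = blob[5]
    if ei_data != ELFDATA2LSB:
        raise ValueError('unexpected byte order')
    # e_machine is the 16-bit field at offset 18 in both ELF32 and ELF64 headers.
    (e_machine,) = struct.unpack_from('<H', blob, 18)
    return {'class': ei_class, 'machine': e_machine}


def server_matches_abi(blob, abi):
    """True if the blob's ELF class and machine are what the given Android ABI needs."""
    expected = ABI_TO_ELF.get(abi)
    if expected is None:
        raise ValueError('unknown ABI: %s' % abi)
    info = inspect_elf(blob)
    return (info['class'], info['machine']) == expected


def unpack_release_asset(xz_bytes):
    """Decompress the .xz asset the way the setup script does, then require an ELF."""
    blob = lzma.decompress(xz_bytes)
    inspect_elf(blob)  # raises if the decompressed payload is not an ELF at all
    return blob


def fake_elf_header(ei_class, e_machine):
    """Constructed 64-byte header for offline testing (not a real frida-server)."""
    # e_ident: magic, class, data (little-endian), version, OS ABI, padding to 16 bytes
    e_ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, 1, 0]) + b'\x00' * 8
    # e_type (ET_EXEC = 2), e_machine, e_version; the remaining header fields are zero
    rest = struct.pack('<HHI', 2, e_machine, 1)
    return e_ident + rest + b'\x00' * 40


def constructed_sample_asset():
    """An .xz-compressed arm64 header, standing in for a downloaded release asset."""
    return lzma.compress(fake_elf_header(ELFCLASS64, EM_AARCH64))


if __name__ == '__main__':
    blob = unpack_release_asset(constructed_sample_asset())
    print('arm64-v8a match:', server_matches_abi(blob, 'arm64-v8a'))      # True
    print('armeabi-v7a match:', server_matches_abi(blob, 'armeabi-v7a'))  # False
```

In the setup script this check would sit between `lzma.decompress` and `adb push`, with the ABI string from `getprop` passed straight in; a mismatch means the wrong asset was downloaded and pushing it would only produce an "exec format error" on the device.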

Launching the hook script

```python
# coding: utf-8

import sys
import logging

import frida

logging.basicConfig(
    level=logging.DEBUG,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

with open('hook.js') as file:
    jscode = file.read()


def on_message(message, data):
    # send() calls in the script arrive as type 'send' with the payload;
    # uncaught JavaScript exceptions arrive as type 'error'.
    if message['type'] == 'send':
        logger.debug(message['payload'])
    else:
        logger.debug(message)


# Attach to the already-running Settings app over USB (the process must exist).
session = frida.get_usb_device().attach('com.android.settings')
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
on_message({'type': 'send', 'payload': 'Hook running...'}, None)
# Block until stdin is closed so the hooks stay installed, then detach cleanly.
sys.stdin.read()
session.detach()
```
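Two things the launcher above glosses over: the `else` branch drops the description, file name, line number and stack that Frida attaches to an `error` message, and `attach()` only hooks a process that is already running, so the launcher activity's `onCreate` has long since happened by the time the hook is installed. The following is an added example, not code from the original post: a message formatter that keeps that detail (testable without a device) and a launcher that uses `spawn()` plus `resume()` so the app starts with the hooks already in place. It assumes a rooted device with a matching frida-server reachable over USB and a hook.js in the working directory; the sample messages in the test are constructed.

```python
# Added example: fuller message handling and a spawn-based launcher for hook.js.
import json
import sys


def format_message(message, data=None):
    """Turn one message from a Frida script into a single log string.

    message['type'] is 'send' for the script's send(payload[, data]) calls and
    'error' for uncaught JavaScript exceptions (description, stack, fileName,
    lineNumber). Anything else is dumped as JSON.
    """
    kind = message.get('type')
    if kind == 'send':
        payload = message.get('payload')
        if not isinstance(payload, str):
            payload = json.dumps(payload, sort_keys=True)
        line = '[send] ' + payload
        if data:
            line += ' (+%d bytes of binary data)' % len(data)
        return line
    if kind == 'error':
        where = ''
        if message.get('fileName') is not None and message.get('lineNumber') is not None:
            where = ' at %s:%s' % (message['fileName'], message['lineNumber'])
        stack = message.get('stack') or ''
        return '[error] %s%s\n%s' % (message.get('description'), where, stack)
    return '[%s] %s' % (kind, json.dumps(message, sort_keys=True))


def run(package, script_path, spawn=True):
    """Load script_path into package on the USB device and keep it loaded.

    With spawn=True the app is started suspended, the script is loaded, and only
    then is the process resumed, so hooks on early calls such as the first
    onCreate actually fire. spawn=False behaves like the plain attach() above.
    """
    import frida  # imported here so format_message stays usable without frida installed

    device = frida.get_usb_device(timeout=10)
    if spawn:
        pid = device.spawn(package)
        session = device.attach(pid)
    else:
        session = device.attach(package)

    with open(script_path) as f:
        script = session.create_script(f.read())
    script.on('message', lambda message, data: print(format_message(message, data)))
    script.load()
    if spawn:
        device.resume(pid)

    print('Hook running, close stdin (Ctrl-D) to detach...')
    sys.stdin.read()
    session.detach()


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else 'com.android.settings'
    run(target, 'hook.js')
```

Run it as `python launch.py com.android.settings`; the spawned process is reported by `frida-ps -U` the same way an attached one is, and the first `onCreate` line from hook.js now appears before the Settings window is even drawn.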

The main hook.js script

```javascript
Java.perform(function () {
    var Activity = Java.use('android.app.Activity');
    // Hook the Bundle overload of onCreate on the base Activity class so every
    // Activity subclass in the process is covered.
    Activity.onCreate.overload('android.os.Bundle').implementation = function (bundle) {
        send('onCreate(android.os.Bundle) got called! title:' + this.getTitle() + ', class:' + this.getClass().getName());
        // Call through to the original implementation so the app keeps working.
        this.onCreate(bundle);
    };
    Activity.onDestroy.implementation = function () {
        send('onDestroy() got called! title:' + this.getTitle() + ', class:' + this.getClass().getName());
        this.onDestroy();
    };
});
```
  • Author: 6x
  • Link: https://6xyun.cn/article/141
  • License: unless otherwise stated, all articles on this blog are licensed under BY-NC-ND. Please credit the source when reposting.