Frida is a lightweight hooking framework that runs on multiple platforms, such as Android, Windows and iOS.
Frida has two parts: a server that runs on the target device and hijacks application functions by injecting into processes, and a client that runs on the host machine.
Frida's upper-layer interfaces support JavaScript, Python, C and others.
Frida's official GitHub address is: Frida official GitHub address
Installing Python
Omitted. See: A few notes on getting started with Python
Installing the packages

```shell
pip install frida-tools frida requests
```
Script examples
Starting the Frida server
Automatically detects the device's instruction set, then downloads and starts frida-server. Requires adb to be configured already and the device to be rooted:

```python
# coding: utf-8
import os
import lzma
import logging

import frida
import requests

logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

# ro.product.cpu.abi values mapped to the architecture names used in
# frida-server release asset names (x86_64 contains no '-', so simply
# cutting at the first '-' does not work for every ABI)
ABI_MAP = {
    'arm64-v8a': 'arm64',
    'armeabi-v7a': 'arm',
    'x86': 'x86',
    'x86_64': 'x86_64',
}


def get_version():
    # frida-server must match the version of the frida Python package on the host
    version = frida.__version__
    logger.info('get_version:%s' % version)
    return version


def get_abi():
    abi_string = os.popen("adb shell getprop ro.product.cpu.abi").read().strip()
    abi = ABI_MAP[abi_string]  # KeyError if Frida ships no server build for this ABI
    logger.info('get_abi:%s' % abi)
    return abi


def download(url, file):
    logger.info('download:%s, store:%s' % (url, file))
    # TLS verification stays on: this binary will be run as root on the device
    response = requests.get(url, allow_redirects=True)
    response.raise_for_status()
    content = response.content
    binary = lzma.decompress(content)
    with open(file, 'wb') as f:
        f.write(binary)
    logger.info('download completed, package size:%d, binary size:%d'
                % (len(content), len(binary)))


def main():
    abi = get_abi()
    version = get_version()
    file = 'frida-server-{0}-android-{1}'.format(version, abi)
    url = 'https://github.com/frida/frida/releases/download/{0}/{1}.xz'.format(
        version, file,
    )

    if not os.path.exists(file):
        logger.info('file not exists, downloading...')
        download(url, file)

    logger.info('check root permission...')
    os.system('adb root')
    logger.info('push binary...')
    os.system('adb push %s /data/local/tmp/' % file)
    logger.info('add exec permission...')
    os.system('adb shell "chmod 755 /data/local/tmp/%s"' % file)
    logger.info('start server...')
    os.system('adb shell "/data/local/tmp/%s"' % file)


if __name__ == '__main__':
    main()
```
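The script above pushes whatever it downloaded straight to the device and executes it as root; if the release asset for that version/ABI does not exist, what comes back is not a frida-server binary. The following helpers are an added example (not code from the original post): `server_asset` builds the asset name and URL from the device ABI, and `validate_server` checks that the decompressed payload is an ELF binary for the expected architecture before it is pushed. `constructed_sample` is a constructed stand-in for a real release asset so the check can be exercised offline; the function names are assumptions.

```python
import lzma
import struct

# ro.product.cpu.abi -> architecture name used in frida-server release assets
ABI_TO_ARCH = {
    'arm64-v8a': 'arm64',
    'armeabi-v7a': 'arm',
    'x86': 'x86',
    'x86_64': 'x86_64',
}

# ELF e_machine values for the architectures frida-server ships for
ELF_MACHINE = {'arm': 0x28, 'arm64': 0xB7, 'x86': 0x03, 'x86_64': 0x3E}


def server_asset(version, abi):
    """Return (file name, download URL) of the frida-server asset for this host version and device ABI."""
    arch = ABI_TO_ARCH[abi]  # KeyError: no frida-server build exists for this ABI
    file = 'frida-server-{0}-android-{1}'.format(version, arch)
    url = 'https://github.com/frida/frida/releases/download/{0}/{1}.xz'.format(version, file)
    return file, url


def validate_server(xz_bytes, arch):
    """Decompress a downloaded .xz asset and check it is an ELF binary for `arch`.

    Returns the decompressed bytes; raises ValueError on anything else, so a
    404 HTML page or a truncated download fails on the host rather than on the device.
    """
    try:
        binary = lzma.decompress(xz_bytes)
    except lzma.LZMAError as exc:
        raise ValueError('asset is not a valid .xz stream: %s' % exc)
    if binary[:4] != b'\x7fELF':
        raise ValueError('decompressed asset is not an ELF file')
    # e_machine is the 16-bit little-endian field at offset 18 of the ELF header
    (machine,) = struct.unpack_from('<H', binary, 18)
    if machine != ELF_MACHINE[arch]:
        raise ValueError('ELF machine 0x%x does not match %s' % (machine, arch))
    return binary


def constructed_sample(arch):
    """Constructed sample: a minimal ELF-like header, xz-compressed like a release asset.

    Returns (compressed bytes, raw bytes). Only the magic and e_machine fields
    are meaningful; it is not a runnable binary.
    """
    header = b'\x7fELF' + bytes(12) + struct.pack('<HH', 2, ELF_MACHINE[arch]) + bytes(48)
    return lzma.compress(header), header


if __name__ == '__main__':
    xz, raw = constructed_sample('arm64')
    print(server_asset('0.0.0', 'arm64-v8a'))           # version '0.0.0' is a placeholder
    print(validate_server(xz, 'arm64') == raw)           # True
    try:
        validate_server(b'<html>Not Found</html>', 'arm64')
    except ValueError as exc:
        print('rejected:', exc)
```

In the download step, call `validate_server(response.content, arch)` and write its return value to disk instead of decompressing blindly; a mismatch aborts before `adb push`.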
Starting the hook script

```python
# coding: utf-8
import sys
import logging

import frida

logging.basicConfig(
    level=logging.DEBUG,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

# the agent script that gets injected into the target process (hook.js, below)
with open('hook.js') as file:
    jscode = file.read()


def on_message(message, data):
    # send() in the agent arrives as type 'send'; uncaught agent errors arrive as type 'error'
    if message['type'] == 'send':
        logger.debug(message['payload'])
    else:
        logger.debug(message)


# attach to the running Settings app over USB and load the agent into it
session = frida.get_usb_device().attach('com.android.settings')
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
on_message({'type': 'send', 'payload': 'Hook running...'}, None)
# keep the host script, and with it the hook, alive until stdin is closed
sys.stdin.read()
```
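The `on_message` callback above logs agent errors at DEBUG level, indistinguishable from normal output, so a hook that throws inside the target process is easy to miss. The collector below is an added example, not code from the original post: it separates the two message kinds Frida delivers to the host (`type: 'send'` for `send()` calls and `type: 'error'` for uncaught agent exceptions, with the `description`, `stack`, `fileName` and `lineNumber` fields of Frida's error envelope), decodes JSON payloads when an agent sends structured events rather than the plain strings hook.js uses, and keeps them for later inspection. The class name, `calls_to` and the sample messages are assumptions; `SAMPLE_MESSAGES` is constructed so the handler runs without a device.

```python
import json
import logging

logger = logging.getLogger(__name__)


class HookEventCollector:
    """Collects agent events and surfaces agent errors instead of swallowing them."""

    def __init__(self):
        self.events = []  # payloads received via send()
        self.errors = []  # uncaught agent exceptions

    def on_message(self, message, data):
        # same signature as the callback registered with script.on('message', ...)
        kind = message.get('type')
        if kind == 'send':
            payload = message['payload']
            # agents often send JSON strings; decode them when they are JSON
            if isinstance(payload, str):
                try:
                    payload = json.loads(payload)
                except ValueError:
                    pass
            self.events.append(payload)
            logger.info('agent: %s', payload)
        elif kind == 'error':
            desc = '%s at %s:%s' % (message.get('description'),
                                    message.get('fileName'),
                                    message.get('lineNumber'))
            self.errors.append(desc)
            logger.error('agent error: %s\n%s', desc, message.get('stack', ''))
        else:
            logger.warning('unexpected message: %r', message)

    def calls_to(self, method):
        """Return the structured events reporting a hooked call to `method`."""
        return [e for e in self.events
                if isinstance(e, dict) and e.get('method') == method]


# constructed messages in the shape Frida's host API hands to the callback
SAMPLE_MESSAGES = [
    ({'type': 'send', 'payload': 'Hook running...'}, None),
    ({'type': 'send', 'payload': json.dumps(
        {'method': 'onCreate', 'class': 'com.android.settings.Settings'})}, None),
    ({'type': 'send', 'payload': json.dumps(
        {'method': 'onDestroy', 'class': 'com.android.settings.Settings'})}, None),
    ({'type': 'error', 'description': 'TypeError: cannot read property of undefined',
      'stack': '(constructed stack trace)', 'fileName': 'hook.js', 'lineNumber': 7}, None),
]


def replay(messages=SAMPLE_MESSAGES):
    """Feed a list of (message, data) pairs through the collector and return it."""
    collector = HookEventCollector()
    for message, data in messages:
        collector.on_message(message, data)
    return collector


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    c = replay()
    print(len(c.events), 'events,', len(c.errors), 'errors,',
          len(c.calls_to('onCreate')), 'onCreate call(s)')
```

With a real device, pass `HookEventCollector().on_message` to `script.on('message', ...)` in place of the module-level `on_message`; the agent would then `send(JSON.stringify({method: 'onCreate', ...}))` instead of a concatenated string.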
The main hook.js script

```javascript
Java.perform(function () {
    var Activity = Java.use('android.app.Activity');

    // onCreate has several overloads; hook the one that takes a Bundle
    Activity.onCreate.overload('android.os.Bundle').implementation = function (bundle) {
        send('onCreate(android.os.Bundle) got called! title:' + this.getTitle() +
             ', class:' + this.getClass().getName());
        // call the original so the Activity still initialises normally
        this.onCreate(bundle);
    };

    Activity.onDestroy.implementation = function () {
        send('onDestroy() got called! title:' + this.getTitle() +
             ', class:' + this.getClass().getName());
        this.onDestroy();
    };
});
```