Frida for Android 基础环境搭建记录

Frida 是一款轻量级 HOOK 框架，可用于多平台上，例如 Android、Windows、iOS 等。
Frida 分为两部分，服务端运行在目标机上，通过注入进程的方式来实现劫持应用函数，另一部分运行在系统机器上。
Frida 上层接口支持 js、python、c 等。
Frida 官方 Github 地址为：Frida 官方 Github 地址

安装 Python

略.

可以参考:入门 Python 二三事

安装包

pip install frida-tools frida requests

脚本示例

启动 Frida 服务

自动识别设备指令集, 下载并启动 frida-server, 要求已经配置好 adb, 且设备已经 root:

# coding: utf-8

import os
import frida
import requests
import lzma
import logging

logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)


def get_version():
    version = frida.__version__
    logger.info('get_version:%s' % version)
    return version


def get_abi():
    abi_string = os.popen("adb shell getprop ro.product.cpu.abi").readlines()[0]
    abi = abi_string[0:(abi_string.index('-'))]
    logger.info('get_abi:%s' % abi)
    return abi


def download(url, file):
    logger.info('download:%s, store:%s' % (url, file))
    response = requests.get(url, allow_redirects=True, verify=False)
    content = response.content
    bytes = lzma.decompress(content)
    open(file, 'wb').write(bytes)
    logger.info('download completed, package size:%d, binary size:%d' % (content.__len__, bytes.__len__))


def main():
    abi = get_abi()
    version = get_version()
    file = 'frida-server-{0}-android-{1}'.format(version, abi)
    url = 'https://github.com/frida/frida/releases/download/{0}/{1}.xz'.format(
        version,
        file,
    )

    if not os.path.exists(file):
        logger.info('file not exists, downloading...')
        download(url, file)

    logger.info('check root permission...')
    os.system('adb root')
    logger.info('push binary...')
    os.system('adb push .\%s /data/local/tmp/' % file)
    logger.info('add exec permission...')
    os.system('adb shell "chmod 755 /data/local/tmp/%s"' % file)
    logger.info('start server...')
    os.system('adb shell "/data/local/tmp/%s"' % file)


main()

启动 HOOK 脚本

# coding: utf-8

import frida
import sys
import logging

logging.basicConfig(
    level=logging.DEBUG,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

with open('hook.js') as file:
    jscode = file.read()
    file.closed


def on_message(message, data):
    if message['type'] == 'send':
        logger.debug(message['payload'])
    else:
        logger.debug(message)


process = frida.get_usb_device().attach('com.android.settings')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
on_message({'type': 'send', 'payload': 'Hook running...'}, None)
sys.stdin.read()

主要的 hook.js 脚本

Java.perform(function () {
    var Activity = Java.use('android.app.Activity');
    Activity.onCreate.overload('android.os.Bundle').implementation = function (bundle) {
        send('onCreate(android.os.Bundle) got called! title:' + this.getTitle() + ', class:' + this.getClass().getName());
        this.onCreate(bundle);
    };
    Activity.onDestroy.implementation = function () {
        send('onDestroy() got called! title:' + this.getTitle() + ', class:' + this.getClass().getName());
        this.onDestroy();
    };
});