
Frida for Android: Notes on Setting Up a Basic Environment

Frida is a lightweight hooking framework that runs on several platforms, such as Android, Windows and iOS.
Frida has two parts: a server that runs on the target device and hijacks application functions by injecting into their processes, and a client that runs on the host machine.
Frida's upper-layer bindings support JS, Python, C and other languages.
Frida's official GitHub repository: https://github.com/frida/frida

Installing Python

Omitted.

See: A Few Notes on Getting Started with Python

Installing the packages

pip install frida-tools frida requests

Script examples

Starting the Frida server

This script detects the device's instruction set automatically, then downloads and starts frida-server. It requires that adb is already configured and that the device is rooted:

# coding: utf-8

import os
import subprocess
import frida
import requests
import lzma
import logging

logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

# Frida release assets are named frida-server-<version>-android-<arch>.xz,
# where <arch> is one of arm, arm64, x86, x86_64. Map the Android ABI string
# reported by getprop onto that name (the original code cut the string at the
# first '-', which yields 'armeabi' instead of 'arm' and fails on x86/x86_64).
ABI_TO_FRIDA_ARCH = {
    'armeabi': 'arm',
    'armeabi-v7a': 'arm',
    'arm64-v8a': 'arm64',
    'x86': 'x86',
    'x86_64': 'x86_64',
}


def get_version():
    # frida-server must match the version of the installed Python bindings.
    version = frida.__version__
    logger.info('get_version:%s' % version)
    return version


def get_abi():
    # getprop output ends with a newline; strip it before the lookup.
    abi_string = subprocess.check_output(
        ['adb', 'shell', 'getprop', 'ro.product.cpu.abi']).decode().strip()
    abi = ABI_TO_FRIDA_ARCH[abi_string]
    logger.info('get_abi:%s -> %s' % (abi_string, abi))
    return abi


def download(url, file):
    logger.info('download:%s, store:%s' % (url, file))
    # Keep TLS certificate verification enabled: this binary is about to run as root
    # on the device, so a tampered download would be fatal.
    response = requests.get(url, allow_redirects=True, timeout=60)
    response.raise_for_status()
    content = response.content
    binary = lzma.decompress(content)
    with open(file, 'wb') as f:
        f.write(binary)
    logger.info('download completed, package size:%d, binary size:%d' % (len(content), len(binary)))


def main():
    abi = get_abi()
    version = get_version()
    file = 'frida-server-{0}-android-{1}'.format(version, abi)
    url = 'https://github.com/frida/frida/releases/download/{0}/{1}.xz'.format(
        version,
        file,
    )

    if not os.path.exists(file):
        logger.info('file not exists, downloading...')
        download(url, file)

    remote = '/data/local/tmp/%s' % file
    logger.info('check root permission...')
    subprocess.run(['adb', 'root'])
    logger.info('push binary...')
    subprocess.run(['adb', 'push', file, '/data/local/tmp/'], check=True)
    logger.info('add exec permission...')
    subprocess.run(['adb', 'shell', 'chmod 755 %s' % remote], check=True)
    logger.info('start server...')
    # frida-server runs in the foreground, so this call blocks for as long as the server runs.
    subprocess.run(['adb', 'shell', remote])


if __name__ == '__main__':
    main()

Loading the hook script

# coding: utf-8

import frida
import sys
import logging

logging.basicConfig(
    level=logging.DEBUG,
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

# The with block closes the file on exit; no explicit close is needed.
with open('hook.js', encoding='utf-8') as file:
    jscode = file.read()


def on_message(message, data):
    # send() calls from hook.js arrive as {'type': 'send', 'payload': ...};
    # script errors and anything else are logged unchanged.
    if message['type'] == 'send':
        logger.debug(message['payload'])
    else:
        logger.debug(message)


# attach() takes a process name (or pid) and returns a Session, not a process.
session = frida.get_usb_device().attach('com.android.settings')
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
on_message({'type': 'send', 'payload': 'Hook running...'}, None)
# Block until stdin is closed so the hooks stay installed while the script runs.
sys.stdin.read()
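The on_message callback above treats every non-'send' message the same way. As an added example that is not part of the original post, the handler below separates the message shapes Frida's Python bindings deliver: 'send' messages whose payload may be a plain string or a JSON object, 'error' messages carrying the script's description, stack, fileName and lineNumber, and the optional binary data argument. The sample messages are constructed so it runs offline without a device.

```python
# coding: utf-8
# Added example: a structured handler for messages returned by a Frida script.
# Message shapes follow Frida's Python bindings: {'type': 'send', 'payload': ...}
# and {'type': 'error', 'description': ..., 'stack': ..., 'fileName': ..., 'lineNumber': ...}.
import json
import logging

logger = logging.getLogger(__name__)


def handle_message(message, data):
    """Normalise one Frida message into a dict with a 'kind' key and return it."""
    kind = message.get('type')
    if kind == 'send':
        payload = message.get('payload')
        # hook.js may send() plain strings or JSON-serialisable objects; JSON text
        # inside a string is decoded so callers receive structured fields.
        if isinstance(payload, str):
            try:
                payload = json.loads(payload)
            except ValueError:
                pass
        record = {'kind': 'send', 'payload': payload, 'data_len': len(data) if data else 0}
        logger.debug('send: %s', record)
        return record
    if kind == 'error':
        # Script-side exceptions (for example a bad overload() signature) arrive here;
        # fileName/lineNumber point into the injected JavaScript.
        record = {
            'kind': 'error',
            'description': message.get('description'),
            'location': '%s:%s' % (message.get('fileName'), message.get('lineNumber')),
            'stack': message.get('stack'),
        }
        logger.error('script error: %s at %s', record['description'], record['location'])
        return record
    logger.debug('unhandled message: %s', message)
    return {'kind': 'other', 'raw': message}


# Constructed sample messages in the shape the Python bindings produce.
SAMPLE_MESSAGES = [
    ({'type': 'send', 'payload': 'onDestroy() got called! title:Settings, class:com.android.settings.Settings'}, None),
    ({'type': 'send', 'payload': {'event': 'onCreate', 'class': 'com.android.settings.Settings'}}, b'\x00\x01'),
    ({'type': 'error', 'description': 'Error: no such method', 'stack': '(constructed)',
      'fileName': '/hook.js', 'lineNumber': 3, 'columnNumber': 1}, None),
]


def process_samples():
    return [handle_message(m, d) for m, d in SAMPLE_MESSAGES]
```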

The main hook.js script

Java.perform(function () {
    // Hook the Activity lifecycle so every screen's creation and teardown is reported to the host.
    var Activity = Java.use('android.app.Activity');
    // onCreate has several overloads; pick the single-Bundle one explicitly.
    Activity.onCreate.overload('android.os.Bundle').implementation = function (bundle) {
        send('onCreate(android.os.Bundle) got called! title:' + this.getTitle() + ', class:' + this.getClass().getName());
        // Call the original so the app keeps working.
        this.onCreate(bundle);
    };
    Activity.onDestroy.implementation = function () {
        send('onDestroy() got called! title:' + this.getTitle() + ', class:' + this.getClass().getName());
        this.onDestroy();
    };
});
  • Author: 6x
  • Link: https://6xyun.cn/article/141
  • License: Unless otherwise stated, all articles on this blog are published under the BY-NC-ND license. Please credit the source when reposting!