
Installing the hook framework Frida, with simple usage examples

Posted 2020-2-3 11:09:42
1. Download location

https://github.co/frida/frida/releases
2. Two other installation methods

1. Install from prebuilt binaries

This is the recommended way to get started. All you need to do is:
```shell
pip install frida-tools   # CLI tools
pip install frida         # Python bindings
npm install frida         # Node.js bindings
```
You may also download pre-built binaries for various operating systems from Frida's releases page on GitHub.
2. Build your own binaries

Dependencies

For running the Frida CLI tools, i.e. frida, frida-ls-devices, frida-ps, frida-kill, frida-trace, and frida-discover, you need Python plus a few packages:
```shell
pip3 install colorama prompt-toolkit pygments
```
Linux
```shell
make
```
macOS and iOS

First make a trusted code-signing certificate. You can use the guide at https://sourceware.org/gdb/wiki/PermissionsDarwin in the sections "Create a certificate in the System Keychain" and "Trust the certificate for code signing". You can use the name frida-cert instead of gdb-cert if you'd like.
Next, export the name of the created certificate in the environment variables MAC_CERTID and IOS_CERTID, and run make:
```shell
export MAC_CERTID=frida-cert
export IOS_CERTID=frida-cert
make
```
To ensure that macOS accepts the newly created certificate, restart the taskgated daemon:
```shell
sudo killall taskgated
```
Windows
```
frida.sln
```
(Requires Visual Studio 2017.)
3. Simple usage

Get the process that hosts the current foreground Activity on the Android phone

The content of get_front_app.py is as follows:
```python
import frida

# Talks to frida-server on the device; get_remote_device() defaults to 127.0.0.1:27042,
# so forward that port first (e.g. adb forward tcp:27042 tcp:27042).
rdev = frida.get_remote_device()
front_app = rdev.get_frontmost_application()   # None if no app is in the foreground
print(front_app)
```
List all processes on the Android phone

The content of enum_process.py is as follows:
```python
import frida

rdev = frida.get_remote_device()
processes = rdev.enumerate_processes()   # Process objects carrying .pid and .name
for process in processes:
    print(process)
```
List all modules loaded by a process, and the exported functions of each module
```python
import frida

rdev = frida.get_remote_device()
session = rdev.attach("com.tencent.mm")  # if two processes share this name, attach by pid instead: rdev.attach(pid)
# Module enumeration from the Python bindings is the older API; current Frida exposes it only
# from the agent script via Process.enumerateModules() and each module's enumerateExports().
modules = session.enumerate_modules()
for module in modules:
    print(module)
    export_funcs = module.enumerate_exports()
    print("\tfunc_name\tRVA")
    for export_func in export_funcs:
        # relative_address is the export's offset from the module base (its RVA)
        print("\t%s\t%s" % (export_func.name, hex(export_func.relative_address)))
```
Hook an Android native function
```python
import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.tencent.mm")

# Agent script: intercept libc's open() and report the path and flags of every call.
scr = """
Interceptor.attach(Module.findExportByName("libc.so", "open"), {
    onEnter: function (args) {
        // args[0] is the const char *path, args[1] the int flags
        send("open(" + Memory.readCString(args[0]) + "," + args[1] + ")");
    },
    onLeave: function (retval) {
    }
});
"""
script = session.create_script(scr)

def on_message(message, data):
    print(message)   # send() payloads arrive here as {'type': 'send', 'payload': ...}

script.on("message", on_message)
script.load()
sys.stdin.read()     # keep the session attached until stdin is closed
```
Hook an Android Java-layer function

The following code hooks WeChat (tested on version 6.3.13; on other versions the class name differs, because the obfuscated names are generated randomly or the code has changed).
It replaces the random-number function of the class com.tencent.mm.sdk.platformtools.ay so that WeChat's rock-paper-scissors stays random (type=2) while the dice always come up 6 (type=5).
```python
import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.tencent.mm")

# Agent script: replace ay.pu (the random-number helper). type=2 keeps the original
# behaviour; every other type returns a fixed 5.
scr = """
Java.perform(function () {
    var ay = Java.use("com.tencent.mm.sdk.platformtools.ay");
    ay.pu.implementation = function (type) {
        send("type=" + type);
        if (type == 2) {
            return this.pu(type);   // rock-paper-scissors: keep it random
        } else {
            return 5;               // dice: always the same face
        }
    };
});
"""
script = session.create_script(scr)

def on_message(message, data):
    print(message)

script.on("message", on_message)
script.load()
sys.stdin.read()
```
Inject a dex into an Android process with Frida
```python
import frida, sys, optparse, re

def on_message(message, data):
    if message['type'] == 'send':
        print("\n[*] {0}".format(message['payload']))
    else:
        print(message)

# Agent script: load the dex at dexPath into the app's class loader, then call the
# entry method of entryClass with a single string argument.
jscode = """
Java.perform(function () {
    var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
    var context = currentApplication.getApplicationContext();
    var pkgName = context.getPackageName();
    var dexPath = "%s";
    var entryClass = "%s";
    Java.openClassFile(dexPath).load();
    console.log("inject " + dexPath + " to " + pkgName + " successfully!");
    Java.use(entryClass).%s("%s");
    console.log("call entry successfully!");
});
"""

def checkRequiredArguments(opts, parser):
    # Every option whose help text starts with [REQUIRED] must have been supplied.
    missing_options = []
    for option in parser.option_list:
        if re.match(r'^\[REQUIRED\]', option.help) and getattr(opts, option.dest) is None:
            missing_options.extend(option._long_opts)
    if len(missing_options) > 0:
        parser.error('Missing REQUIRED parameters: ' + str(missing_options))

if __name__ == "__main__":
    usage = "usage: python %prog [options] arg\n\n" \
            "example: python %prog -p com.android.launcher " \
            "-f /data/local/tmp/test.apk " \
            "-e com.parker.test.DexMain/main " \
            "\"hello fridex!\""
    parser = optparse.OptionParser(usage)
    parser.add_option("-p", "--package", dest="pkg", type="string",
                      help="[REQUIRED]package name of the app to be injected.")
    parser.add_option("-f", "--file", dest="dexPath", type="string",
                      help="[REQUIRED]path of the dex")
    parser.add_option("-e", "--entry", dest="entry", type="string",
                      help="[REQUIRED]the entry function Name.")
    (options, args) = parser.parse_args()
    checkRequiredArguments(options, parser)
    if len(args) == 0:
        arg = ""
    else:
        arg = args[0]
    pkgName = options.pkg
    dexPath = options.dexPath
    entry = options.entry.split("/")   # "Class/method"; the method defaults to main
    if len(entry) > 1:
        entryClass = entry[0]
        entryFunction = entry[1]
    else:
        entryClass = entry[0]
        entryFunction = "main"
    process = frida.get_usb_device(1).attach(pkgName)   # wait up to 1 s for a USB device
    jscode = jscode % (dexPath, entryClass, entryFunction, arg)
    script = process.create_script(jscode)
    script.on('message', on_message)
    print('\n[*] Running fridex')
    script.load()
    sys.stdin.read()
```
Trace a program's call stack by injecting exception-throwing code

Chapter 8 of this book describes tracing the call stack by repackaging the app with code that throws an exception, but that is rather cumbersome; injecting the code with Frida is more convenient.
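The Frida version of that technique, as an added example (not code from the original post): the agent creates a java.lang.Exception inside the hooked method and sends the text of android.util.Log.getStackTraceString to the host, which keeps only the app's own frames. The class, method and package names (com.example.target...) are placeholders, and SAMPLE_TRACE is a constructed sample of the trace text.

```python
import sys

# Agent (JavaScript) injected into the app: on every call of the hooked method it creates a
# java.lang.Exception and renders it with android.util.Log.getStackTraceString, the same trace
# the repackaging approach yields, without touching the APK. %s = class and method to trace.
AGENT = """
Java.perform(function () {
  var Log = Java.use('android.util.Log');
  var Exception = Java.use('java.lang.Exception');
  var target = Java.use('%s');
  target['%s'].overloads.forEach(function (ov) {
    ov.implementation = function () {
      send(Log.getStackTraceString(Exception.$new()));
      return ov.apply(this, arguments);   // run the original overload unchanged
    };
  });
});
"""

def app_frames(trace_text, pkg=None):
    # Frames look like "Class.method(File:line)"; the header line ("java.lang.Exception") has no "at ".
    frames = [ln.strip()[3:] for ln in trace_text.splitlines() if ln.strip().startswith("at ")]
    return [f for f in frames if pkg is None or f.startswith(pkg + ".")]   # keep only the app's code

def make_handler(pkg):
    # Host-side message handler: prints the app's own frames and returns them for inspection.
    def on_message(message, data):
        if message.get("type") != "send":
            print(message)                    # exceptions inside the agent arrive as type 'error'
            return None
        frames = app_frames(message["payload"], pkg)
        print("[*] call stack:\n    " + "\n    ".join(frames))
        return frames
    return on_message

def trace_calls(package, cls, method, pkg_filter=None):
    import frida  # frida Python bindings plus a USB-connected device; not needed for parsing
    session = frida.get_usb_device().attach(package)
    script = session.create_script(AGENT % (cls, method))
    script.on("message", make_handler(pkg_filter))
    script.load()
    sys.stdin.read()                          # keep the hook alive until stdin closes

# Constructed sample of a getStackTraceString result; the first frame is the hooked method itself.
SAMPLE_TRACE = ("java.lang.Exception\n\tat com.example.target.Foo.bar(Native Method)\n"
                "\tat com.example.target.Baz.qux(Baz.java:42)\n"
                "\tat android.os.Handler.handleCallback(Handler.java:938)\n"
                "\tat java.lang.Thread.run(Thread.java:923)\n")
```

With the app running, trace_calls("com.example.target", "com.example.target.Foo", "bar", "com.example.target") prints, for every call of Foo.bar, the app-level frames that led to it.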
