查看: 325|回复: 0

hook框架frida添加至于安卓应用中

[复制链接]
发表于 2020-2-3 11:05:15 | 显示全部楼层 |阅读模式
转载至于https://koz.io/using-frida-on-android-without-root/
Frida is a great Toolkit by @oleavr, used to build tools for dynamic instrumentation of apps in userspace. It is often used, like Substrate, Xposed and similar frameworks, during security reviews of mobile applications.
Typically rooted Android devices are used during such reviews. There are several reasons for this, but the most important is that the frida-server binary, which executes on the device, requires root privileges to attach to (ptrace) the target application, in order to inject the Frida gadget library into the memory space of the process.
However, testing on a rooted device is not the only way! I am not sure why this technique is not more widely publicized, but Frida can also be used on non-rooted Android devices and non-jailbroken iPhones, without running frida-server at all. In this post I will focus on Android, however things are pretty similar on iOS - frida can also be used on jailed Apple devices.
A few advantages of using Frida on a non-rooted device:

  • Enables testing on devices you cannot or do not want to root (obviously).
  • Avoids some sideeffects due to application checks for ptracing/debugging or checks for tampered environment.
However:

  • This technique will trigger checks against repackaging (unless those are separately bypassed).
Adding frida-gadget to an Android application

The technique is simple, it can be described in short as “adding a shared library & repackaging the Android application”. Here it is, step by step:

  • Get the the APK binary of te application you want to test, e.g. myapp.apk.
  • Use apktool to decode the APK into it’s contents. Preferably its latest version.
    1. $ apktool d myapp.apk -o extractedFolder
    复制代码
  • Add the frida native libraries (frida-gadget) into the APK’s /lib folder. The gadget libraries for each architecture can be found in Frida’s release page. Make sure to add the libraries for the correct architecture in a suitable folder under /lib, e.g. /lib/armeabi for 32bit ARM devices.
    1. $ apktool --version2.2.2$ apktool d -o out_dir original.apkI: Using Apktool 2.2.2 on original.apkI: loading resource table...I: Decoding AndroidManifest.xml with resources...I: Loading resource table from file: ~/.local/share/apktool/framework/1.apkI: Regular manifest package...I: Decoding file-resources...I: Decoding values XMLs...I: Baksmaling classes.dex...I: Copying assets and libs...I: Copying unknown files...I: Copying original files...# download frida gadget - for 32bit ARM in this case$ wget https://github.com/frida/frida/releases/download/9.1.26/frida-gadget-9.1.26-android-arm.so.xz2017-04-11 10:48:45 (3.29 MB/s) - ‘frida-gadget-9.1.26-android-arm.so.xz’ saved [3680748/3680748]# extract the compressed archive$ unxz frida-gadget-9.1.26-android-arm.so.xz$ lsfrida-gadget-9.1.26-android-arm.so# copy frida gadget library in armeabi directory under lib$ cp frida_libs/armeabi/frida-gadget-9.1.26-android-arm.so out_dir/lib/armeabi/libfrida-gadget.so
    复制代码
  • Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app, ideally before any other bytecode executes or any native code is loaded. A suitable place is typically the static initializer of the entry point classes of the app, e.g. the main application Activity, found via the manifest.
    An easy way to do this is to add the following smali code in a suitable function:
    1. const-string v0, "frida-gadget"invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    复制代码
    Alternatively someone could create a script that injects the library into the process via ptrace; but this script would need to be packaged with the application (just like gdbserver).
  • Add the internet permission to the manifest if it’s not there already, so that Frida gadget can open a socket.
    1. [/code]
    2. [*]Repackage the application:
    3. [code]$ apktool b -o repackaged.apk out_dir/I: Using Apktool 2.2.2I: Checking whether sources has changed...I: Smaling smali folder into classes.dex...I: Checking whether resources has changed...I: Building resources...I: Copying libs... (/lib)I: Building apk file...I: Copying unknown files/dir...
    复制代码
  • Sign the updated APK using your own keys and zipalign.
    1. # if you dont have a keystore already, here's how to create one$ keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000# sign the APK$ jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore mycustom.keystore -storepass mystorepass repackaged.apk mykeyaliasname# verify the signature you just created$ jarsigner -verify repackaged.apk# zipalign the APK$ zipalign 4 repackaged.apk repackaged-final.apk
    复制代码
  • Install the updated APK to a device.
If this process seems complicated, the good news is that it can be automated. As part of the appmon hooking framework (based on Frida) @dpnishant released apk_builder, a script automating most of the above steps!
Using frida gadget

When you next start the application you are going to see an empty screen: The injected libfrida-gadget.solibrary has opened a TCP socket and waits for a connection from frida.
You should see a message similar to the following in logcat:
  1. Frida: Listening on TCP port 27042
复制代码
Running nestat on the device confirms the listening socket:
  1. [email protected]:/ $ netstat -ln                                                  Active Internet connections (only servers)Proto Recv-Q Send-Q Local Address           Foreign Address         State     tcp        0      0 127.0.0.1:27042         0.0.0.0:*               
复制代码
As you might expect, the next step is connecting to the listening socket: Most frida tools work as expected although there are a few issues that can be handled better, e.g. connecting to the library after initialization, not just during loading.
There is just one thing to keep in mind: The process name you are going to use in Frida tooling should be “Gadget” instead of the normal package name.
  1. $ frida-ps -UWaiting for USB device to appear...  PID  Name-----  ------16071  Gadget
复制代码
Examples!
  1. $ frida -U Gadget     ____    / _  |   Frida 9.1.26 - A world-class dynamic instrumentation framework   | (_| |    > _  |   Commands:   /_/ |_|       help      -> Displays the help system   . . . .       object?   -> Display information about 'object'   . . . .       exit/quit -> Exit   . . . .   . . . .   More info at http://www.frida.re/docs/home/Waiting for USB device to appear...[USB::Samsung SM-G925F::Gadget]-> Java.availabletrue[USB::Samsung SM-G925F::Gadget]->$ frida-trace -U -i open GadgetInstrumenting functions...open: Auto-generated handler at "/tmp/test/__handlers__/libc.so/open.js"Started tracing 1 function. Press Ctrl+C to stop.                                  /* TID 0x2df7 */  4870 ms  open(pathname=0xa280b100, flags=0x241)  4873 ms  open(pathname=0xb6d69df3, flags=0x2)           /* TID 0x33d2 */115198 ms  open(pathname=0xb6d69df3, flags=0x2)115227 ms  open(pathname=0xb6d69df3, flags=0x2)
复制代码
Enjoy!

相关技术服务需求,请联系管理员和客服QQ:2753533861或QQ:619920289
您需要登录后才可以回帖 登录 | 用户注册

本版积分规则

帖子推荐:
客服咨询

QQ:2753533861

服务时间 9:00-22:00

快速回复 返回顶部 返回列表