【Android逆向】定位native函数在哪个so中方法
1. 在逆向过程中经常需要定位方法在哪个so中,而app加载的so很多,比如
那么如何快速定位方法在哪里呢
2. 比如如下案例,首先看日志
03-28 11:01:56.457 14566 14566 D KM-NATIVE: JNI_OnLoad
03-28 11:01:56.457 14566 14566 D KM-NATIVE: JniHelper>>>init>>>start
03-28 11:01:56.457 14566 14566 D KM-NATIVE: JniHelper>>>init>>>finish
03-28 11:01:56.926 14566 14729 D KM-NATIVE: call Java_com_km_encryption_api_Security_sign
03-28 11:01:56.926 14566 14716 D KM-NATIVE: call Java_com_km_encryption_api_Security_sign
启动时发现Java_com_km_encryption_api_Security_sign,在java层找也确实又这个方法,但不能确定在哪个so加载的
3. 通过枚举模块的导出表可以实现定位
function main() {
console.log("==== 0")
Java.perform(function () {
var process_Obj_Module_Arr = Process.enumerateModules();
for(var i = 0; i < process_Obj_Module_Arr.length; i++) {
//包含"lib"字符串的
if(process_Obj_Module_Arr[i].path.indexOf("lib")!=-1)
{
console.log("模块名称:",process_Obj_Module_Arr[i].name);
// console.log("模块地址:",process_Obj_Module_Arr[i].base);
// console.log("大小:",process_Obj_Module_Arr[i].size);
// console.log("文件系统路径",process_Obj_Module_Arr[i].path);
var libname = process_Obj_Module_Arr[i].name
frida_Module_import(libname)
}
}
})
}
function frida_Module_import(libname) {
Java.perform(function () {
const hooks = Module.load(libname);
var Imports = hooks.enumerateExports();
for(var i = 0; i < Imports.length; i++) {
if (Imports[i].name.indexOf('Java') != -1) {
//函数类型
console.log("type:",Imports[i].type);
//函数名称
console.log("name:",Imports[i].name);
//属于的模块
console.log("module:",Imports[i].module);
//函数地址
console.log("address:",Imports[i].address);
}
}
});
}
setImmediate(main)
# frida -UF com.kmxs.reader -l lessonqm.js --no-pause
日志
模块名称: libsmsdk.so
模块名称: libcrashsdk.so
模块名称: libcommon-encryption.so
type: function
name: _ZN9JniHelper4initEP7_JavaVM
module: undefined
address: 0xd2dd8c5d
type: function
name: Java_com_km_encryption_api_Security_init
module: undefined
address: 0xd2dd8fb5
type: function
name: Java_com_km_encryption_api_Security_decode
module: undefined
address: 0xd2dd9051
type: function
name: Java_com_km_encryption_api_Security_token
module: undefined
address: 0xd2dd9205
type: function
name: Java_com_km_encryption_api_Security_sign
module: undefined
address: 0xd2dd9249
....
顺利发现该方法在libcommon-encryption.so中