Frida入门使用

vscode环境搭建

直接clone代码,然后在vscode中打开该文件夹

How to compile & load

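# Clone over HTTPS: the git:// transport has no encryption or server authentication,
# so the fetched code could be altered in transit, and GitHub no longer serves it.
$ git clone https://github.com/oleavr/frida-agent-example.git
$ cd frida-agent-example/
# Installs the example's npm dependencies; install scripts of those packages run locally.
$ npm install
# -U: USB device, -f: spawn the given app, -l: load the agent script.
# NOTE(review): newer frida-tools releases dropped --no-pause (not pausing became the
# default) — confirm against `frida --help` for the installed version.
$ frida -U -f com.example.android --no-pause -l _agent.js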

Development workflow

To continuously recompile on change, keep this running in a terminal:

# Leave this running in its own terminal; it recompiles on every change.
$ npm run watch

And use an editor like Visual Studio Code for code completion and instant
type-checking feedback.

frida命令

-U 表示通过USB连接设备
-l 表示加载指定的JavaScript脚本文件
-f 表示以spawn方式启动指定的app(参数为包名)
-D 表示通过设备id指定要连接的设备
-p 表示附加(attach)到指定pid的已运行进程

# Attach over USB (-U) to an already-running process by PID (-p) and load app.js (-l).
# Replace `pid` with the numeric process id.
frida -U -p pid -l app.js

frida代码示例

实例化Java类

// Java.use() returns a JavaScript wrapper for the named Java class.
// NOTE(review): Java.* calls normally have to run inside a Java.perform() callback —
// confirm where this snippet is placed.
const HashMap = Java.use('java.util.HashMap');
// $new() runs the Java constructor and yields a wrapped instance.
const hashmap = HashMap.$new();
// Store a colon-separated directory list under the "PATH" key.
hashmap.put(
    "PATH",
    "/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin:/nopd/bin"
);

Hook Java类的方法

两种写法都可以,格式如下:

Class[方法名].overload(参数类型).implementation = function(形参){...}

/**
 * Replaces com.invcase.Invcase.showToast(String) with a wrapper that logs the
 * argument and forwards a modified string to the method on `this`.
 *
 * Relies on the Frida `Java` bridge global, so it is meant to be called from
 * inside a Java.perform() callback.
 *
 * @returns {void}
 */
function hook_method_impl() {
    // Disabled example: read and overwrite a static field through `.value`.
    // const logger = Java.use("com.invcase.LogUtils");
    // const debug = logger.isDebug.value;
    // console.log("LogUtils debug: ", debug)
    // logger.isDebug.value = true;

    // Style 1 (disabled): keep the overload in a variable and call it explicitly.
    // const Invcase = Java.use("com.invcase.Invcase");
    // const showToast = Invcase.showToast.overload('java.lang.String');

    // showToast.implementation = function (msg) {
    //     console.log('frida_method:', msg);
    //     const result = showToast.call(this, msg + " hooked");
    //     return result;
    // };

    // Style 2: select the overload by its parameter type and assign the replacement.
    const Invcase = Java.use("com.invcase.Invcase");
    const showToastOverload = Invcase.showToast.overload('java.lang.String');

    showToastOverload.implementation = function (content) {
        console.log('showToast is called, content: ' + content);
        // Inside a replacement, Frida dispatches this call to the original method,
        // so the return value is whatever the original returns for the new string.
        return this.showToast(content + " hooked");
    };
}

// Entry point: Java.perform() runs the callback with the current thread attached
// to the Java VM, which the Java.use() calls in the hooks depend on.
// NOTE(review): hook_env is not defined anywhere in this listing; the function shown
// above is hook_method_impl — confirm which one is meant to be installed here.
Java.perform(function () {
    hook_env();
});

输出成员变量值

格式:类名.变量名.value,对应 A.str.value

// Example target class: `str` is a non-static (per-instance) field with
// package-private access.
public class A{
    String str;
}
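// <field>.value reads the current value of a Java field through the Frida wrapper.
// The log label now names the field actually read (it previously said "st.isOpen").
// NOTE(review): `str` is declared non-static in class A, so `A` presumably has to be
// an instance wrapper rather than the class returned by Java.use() — confirm.
console.log("A.str:" + A.str.value);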

调用对象方法

// `this` is the hooked object when this line sits inside an `implementation`
// function, so its Java methods can be called directly.
const destroyed = this.isDestroyed();
console.log("isDestroyed:", destroyed);

调用对象带参数方法

  // Build a java.lang.String instance through the Frida class wrapper.
  const JavaString = Java.use('java.lang.String');
  const exampleString1 = JavaString.$new('Hello World, this is an example string in Java.');
  console.log('[+] exampleString1: ' + exampleString1);

  // length() is invoked as a method call here, not read as the JS `.length` property.
  const exampleLength = exampleString1.length();
  console.log('[+] exampleString1.length(): ' + exampleLength);

  // Pass the Java string as the argument of a method on the hooked object.
  // NOTE(review): `shwoString` looks like a typo of `showString`; it has to match the
  // target class's real method name — confirm.
  this.shwoString(exampleString1);

打印堆栈

    // Class wrappers used by stackTraceHere() to capture the current Java call stack.
    const Exception = Java.use('java.lang.Exception');
    const Log = Java.use('android.util.Log');
    // stackTraceHere is a hoisted function declaration, so it can be called before
    // its definition appears.
    const trace = stackTraceHere();
    console.log(trace);
    
    /**
     * Returns the Java stack trace at the point of the call as a string.
     *
     * Creates a new java.lang.Exception (never thrown) and passes it to
     * android.util.Log.getStackTraceString(). Reads the `Exception` and `Log`
     * wrappers from the enclosing scope.
     *
     * @returns {string} whatever Log.getStackTraceString() returns.
     */
    function stackTraceHere() {
        const marker = Exception.$new();
        return Log.getStackTraceString(marker);
    }