Frida内置
Frida Gadget 方案
配置文件
{
"interaction": {
"type": "script-directory",
"path": "/usr/local/frida/scripts"
}
}
网络方式
{
"interaction": {
"type": "listen",
"address": "127.0.0.1",
"port": 27042,
"on_port_conflict": "fail",
"on_load": "wait"
}
}
参见官网 Gadget 介绍。
Frida gumjs 方案
gumjs 是一个 JS 加载引擎，可以直接运行 Frida JS 代码。
$ ls external/frida/frida-gumjs-devkit-16.2.5-android-arm64/
frida-gumjs.h libfrida-gumjs.a
从示例代码可以看出来，可以直接运行 Frida JS 代码进行 Hook。
// frida-gumjs-example.c
#include "frida-gumjs.h"
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
static void on_message (const gchar * message, GBytes * data, gpointer user_data);
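/*
 * Embeds the GumJS (QuickJS) backend, compiles a small Frida script that hooks
 * faccessat() and close(), exercises those libc calls so the hooks fire, drains
 * the main context so the script's messages reach on_message(), then tears
 * everything down.
 *
 * Returns 0 on success, 1 when the script could not be created.
 */
int
main (__attribute__((unused)) int argc, __attribute__((unused)) char * argv[])
{
  GumScriptBackend * backend;
  GCancellable * cancellable = NULL;
  GError * error = NULL;
  GumScript * script;
  GMainContext * context;
  int fd;
  int rc = 0;

  gum_init_embedded ();

  backend = gum_script_backend_obtain_qjs ();
  script = gum_script_backend_create_sync (backend, "example",
"console.log('Hello Frida')\n"
"Interceptor.attach(Module.getExportByName(null, 'faccessat'), {\n"
" onEnter(args) {\n"
" console.log(`[*] onEnter faccessat(\"${args[1].readUtf8String()}\")`);\n"
" }\n"
"});\n"
"Interceptor.attach(Module.getExportByName(null, 'close'), {\n"
" onEnter(args) {\n"
" console.log(`[*] onEnter close(${args[0].toInt32()})`);\n"
" }\n"
"});",
      NULL, cancellable, &error);

  /* An explicit check instead of g_assert(): g_assert() is compiled out when
   * G_DISABLE_ASSERT is defined, which would let a NULL script reach
   * gum_script_set_message_handler(). Report the compile error and bail. */
  if (error != NULL || script == NULL)
  {
    g_printerr ("failed to create script: %s\n",
        (error != NULL) ? error->message : "unknown error");
    g_clear_error (&error);
    rc = 1;
    goto out;
  }

  gum_script_set_message_handler (script, on_message, NULL, NULL);
  gum_script_load_sync (script, cancellable);

  /* Trigger the hooked calls. Only close() descriptors that were actually
   * opened; the original close (open (...)) form passes -1 to close() when
   * open() fails, which is harmless but logs a misleading close(-1) from the hook. */
  fd = open ("/etc/hosts", O_RDONLY);
  if (fd >= 0)
    close (fd);
  fd = open ("/system/build.prop", O_RDONLY);
  if (fd >= 0)
    close (fd);
  /* Result intentionally ignored: the call exists only to fire the faccessat hook. */
  (void) access ("/etc/business-conf.xml", F_OK);

  /* Pump pending events so queued script messages are delivered to on_message(). */
  context = g_main_context_get_thread_default ();
  while (g_main_context_pending (context))
    g_main_context_iteration (context, FALSE);

  gum_script_unload_sync (script, cancellable);
  g_object_unref (script);

out:
  gum_deinit_embedded ();
  return rc;
}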
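/*
 * Message handler installed on the script: prints the payload of "log"
 * messages (console.log() on the script side) and echoes any other message
 * verbatim.
 *
 * @param message   JSON text posted by the script.
 * @param data      Optional binary attachment (unused here).
 * @param user_data Handler context (unused here).
 *
 * The message text is treated as untrusted input: nothing in the parse tree
 * is touched unless parsing succeeded and the root really is an object, since
 * json_node_get_object() / json_object_get_string_member() would otherwise
 * return NULL and the strcmp() below would dereference it.
 */
static void
on_message (const gchar * message,
            __attribute__((unused)) GBytes * data,
            __attribute__((unused)) gpointer user_data)
{
  JsonParser * parser;
  JsonNode * root_node;
  JsonObject * root;
  const gchar * type;

  parser = json_parser_new ();

  if (!json_parser_load_from_data (parser, message, -1, NULL))
  {
    g_print ("on_message: unparseable message: %s\n", message);
    goto out;
  }

  root_node = json_parser_get_root (parser);
  if (root_node == NULL || !JSON_NODE_HOLDS_OBJECT (root_node))
  {
    g_print ("on_message: %s\n", message);
    goto out;
  }

  root = json_node_get_object (root_node);
  /* A missing "type" member must not reach strcmp(). */
  type = json_object_has_member (root, "type")
      ? json_object_get_string_member (root, "type")
      : NULL;

  if (type != NULL && strcmp (type, "log") == 0)
  {
    const gchar * log_message = json_object_has_member (root, "payload")
        ? json_object_get_string_member (root, "payload")
        : NULL;
    /* json_object_get_string_member() yields NULL for a non-string payload. */
    g_print ("%s\n", (log_message != NULL) ? log_message : "");
  }
  else
  {
    g_print ("on_message: %s\n", message);
  }

out:
  g_object_unref (parser);
}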
并且提供了静态库 libfrida-gumjs.a，因此只要将静态库链接进去就 OK 了。我测试的环境是 AOSP12，AOSP10 中是编译不过去的。
// Wraps the prebuilt GumJS static library from the devkit, one archive per
// target arch. Consumers get the devkit directory (frida-gumjs.h) on their
// include path through export_include_dirs.
cc_prebuilt_library_static {
name: "libfrida-gumjs",
arch: {
arm64: {
srcs: ["frida-gumjs-devkit-16.2.5-android-arm64/libfrida-gumjs.a"],
export_include_dirs: ["frida-gumjs-devkit-16.2.5-android-arm64"],
},
arm: {
srcs: ["frida-gumjs-devkit-16.2.5-android-arm/libfrida-gumjs.a"],
export_include_dirs: ["frida-gumjs-devkit-16.2.5-android-arm"],
},
},
}
// Test binary built from the devkit's example source, linked statically
// against libfrida-gumjs plus liblog/libdl/libm. Warnings are errors here
// (-Wall -Werror), which is why the example marks unused parameters.
cc_binary {
name: "js-loader-test",
srcs: [
"frida-gumjs-devkit-16.2.5-android-arm64/frida-gumjs-example.c",
],
static_libs: [
"libfrida-gumjs",
],
shared_libs: [
"liblog",
"libdl",
"libm",
],
cflags: [
"-Wall",
"-Werror",
"-Wunused",
"-Wunreachable-code",
"-ffunction-sections",
"-fdata-sections",
"-pthread",
],
}
想在 AOSP 中将它编译成动态库，不过一直失败。
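// Shared-library variant of the loader.
//
// The original module listed static_libs and shared_libs twice each. Blueprint
// rejects a property that is defined more than once within one module, which is
// the most likely reason this module never built; each property is kept once here.
// If the link still fails with unresolved symbols, note that js-loader-test also
// links libdl and libm — presumably needed here as well (verify against the error).
cc_library_shared {
    name: "libjs",
    srcs: ["js_loader.c"],
    static_libs: [
        "libfrida-gumjs",
    ],
    shared_libs: [
        "liblog",
        "libc++",
    ],
    cflags: [
        // "-Wall",
        // "-Werror",
        // "-Wunused",
        // "-Wunreachable-code",
        "-ffunction-sections",
        "-fdata-sections",
        "-DANDROID",
        "-DANDROID_STL=c++_shared",
    ],
    stl: "libc++_static",
}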