frida hook hashmap
一、hook hashmap:
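# Frida agent source injected into the target process. It replaces
# java.util.HashMap.put so that every call reports the key/value pair and a Java
# stack trace taken inside the hook, then returns the original method's result.
#
# HashMap.put is used throughout an Android process, so this hook is expected to
# produce a very large number of messages and to slow the app down while active.
# The reported pairs may include credentials, tokens or personal data, so the
# captured output should be stored and shared as sensitive material.
js_code = """
Java.perform(function () {
    var linkerHashMap = Java.use('java.util.HashMap');
    linkerHashMap.put.implementation = function (arg1, arg2) {
        send("=================linkerHashMap.put====================");
        // Call the original put() first so the application's behaviour is unchanged.
        var data = this.put(arg1, arg2);
        // The concatenation stringifies both objects inside the hook.
        send(arg1 + "-----" + arg2);
        // A fresh Throwable gives the Java call stack at the point of the put().
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        return data;
    };
});
"""

import logging
import frida
import sys


def on_message(message, data):
    """Print one message emitted by the injected script.

    Args:
        message: dict delivered by Frida; 'send' messages carry the value
            passed to send() under 'payload'.
        data: optional binary payload attached to the message (unused here).
    """
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        # Anything that is not a 'send' message (for example an error raised by
        # the script) is printed unmodified so nothing is hidden from the operator.
        print(message)


rdev = frida.get_remote_device()
# Target app package name.
# NOTE(review): depending on the installed Frida version, attach() may expect the
# process name or a PID rather than the package identifier - confirm.
session = rdev.attach("com.oppo.market")
print(session)

script = session.create_script(js_code)
print(script)

# Register the formatting handler before loading, so no early message is missed.
script.on("message", on_message)

# Load the script into the target process.
script.load()

try:
    # Block until stdin is closed so the hooks stay installed.
    sys.stdin.read()
except KeyboardInterrupt:
    pass
finally:
    # Detach explicitly so the hooks are removed from the target on exit.
    session.detach()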
二. hook JSONObject
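// Fragment of a Frida agent: it uses the Frida globals `Java` and `send`, and is
// meant to run inside a Java.perform(function () { ... }) callback.
//
// It traces org.json.JSONObject: serialisation (toString), every put() overload
// and every constructor. The reported keys, values and serialised bodies may
// contain credentials or tokens, so the captured output should be handled as
// sensitive material.
var JSONObject = Java.use('org.json.JSONObject');

// toString(): report the call stack and the serialised JSON, then return it unchanged.
JSONObject.toString.overload().implementation = function () {
    send("=================org.json.JSONObject.toString====================");
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
    var data = this.toString();
    send("org.json.JSONObject.toString result:" + data);
    return data;
};

// put(): install the same tracing implementation on every overload.
for (var i = 0; i < JSONObject.put.overloads.length; i++) {
    JSONObject.put.overloads[i].implementation = function () {
        send("=================org.json.JSONObject.put====================");
        if (arguments.length === 2) {
            send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
            send("key:" + arguments[0]);
            send("value:" + arguments[1]);
        }
        // Always forward to the original method. The previous version returned
        // undefined whenever the argument count was not 2, which would break
        // callers that use the returned JSONObject.
        return this.put.apply(this, arguments);
    };
}

// Constructors: report the call stack and, for single-argument overloads, the argument.
for (var j = 0; j < JSONObject.$init.overloads.length; j++) {
    JSONObject.$init.overloads[j].implementation = function () {
        send("=================org.json.JSONObject.$init====================");
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
        if (arguments.length === 1) {
            // Single-argument constructors; the author's note refers to the String
            // one, and any other single argument is stringified the same way.
            send("string:" + arguments[0]);
        } else if (arguments.length === 2) {
            // Other constructors can be handled here as needed.
        }
        // Run the original constructor. The replacement implementation is executed
        // instead of the constructor body, so without this call the new JSONObject
        // is left uninitialised and the hooked app misbehaves.
        return this.$init.apply(this, arguments);
    };
}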