Frida高级逆向-Hook Native(Java So)
Frida Hook Native
Frida Hook Java Jni#
demo:
function hook_java() {
Java.perform(function () {
const myapp = Java.use('com.gdufs.xman.MyApp');
myapp.m.value = 1;
console.log('m=', myapp.m.value);
myapp.saveSN.implementation = function (s) {
let result = this.saveSN(s);
console.log('myapp.saveSN:', s, result);
return result;
}
})
}
获取模块基址,Hook导出函数#
demo:
function hook_native() {
// 获取模块基址
const my_jni = Module.findBaseAddress('libmyjni.so');
if (!my_jni) return;
// 查找 so 文件的 导出函数 地址
const addr_n2 = Module.findExportByName('libmyjni.so', 'n2');
console.log('my_jni: ', my_jni, 'addr_n2:', addr_n2);
// 对函数地址进行Hook
Interceptor.attach(addr_n2, {
onEnter: function (arg) {
console.log('addr_n2 onEnter :', arg[0], ptr(arg[1]).readCString(), ptr(arg[2]).readCString())
},
onLeave: function (retval) {
}
})
}
枚举模块的符号 Hook libart的一些函数#
demo:
function hook_art() {
// 查找模块
const lib_art = Process.findModuleByName('libart.so');
// 枚举模块的符号
const symbols = lib_art.enumerateSymbols();
for (let symbol of symbols) {
var name = symbol.name;
if (name.indexOf("art") >= 0) {
if ((name.indexOf("CheckJNI") == -1) && (name.indexOf("JNI") >= 0)) {
if (name.indexOf("GetStringUTFChars") >= 0) {
console.log('开始 HOOK libart ', symbol.name);
Interceptor.attach(symbol.address, {
onEnter: function (arg) {
// 打印调用栈
// console.log('GetStringUTFChars called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');
},
onLeave: function (retval) {
console.log('onLeave GetStringUTFChars:', ptr(retval).readCString())
}
})
} else if (name.indexOf("FindClass") >= 0) {
console.log('开始 HOOK libart ', symbol.name);
Interceptor.attach(symbol.address, {
onEnter: function (arg) {
console.log('onEnter FindClass:', ptr(arg[1]).readCString())
},
onLeave: function (retval) {
// console.log('onLeave FindClass:', ptr(retval).readCString())
}
})
} else if (name.indexOf("GetStaticFieldID") >= 0) {
console.log('开始 HOOK libart ', symbol.name);
Interceptor.attach(symbol.address, {
onEnter: function (arg) {
console.log('onEnter GetStaticFieldID:', ptr(arg[2]).readCString(), ptr(arg[3]).readCString())
},
onLeave: function (retval) {
// console.log('onLeave GetStaticFieldID:', ptr(retval).readCString())
}
})
} else if (name.indexOf("SetStaticIntField") >= 0) {
console.log('开始 HOOK libart ', symbol.name);
Interceptor.attach(symbol.address, {
onEnter: function (arg) {
console.log('onEnter SetStaticIntField:', arg[3])
},
onLeave: function (retval) {
// console.log('onLeave SetStaticIntField:', ptr(retval).readCString())
}
})
}
}
}
}
}
打印调用栈#
console.log('GetStringUTFChars called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');
Hook libc的函数#
demo:
function hook_libc() {
const strcmp = Module.findExportByName('libc.so', 'strcmp');
console.log('strcmp: ', strcmp);
Interceptor.attach(strcmp, {
onEnter: function (arg) {
let str2 = ptr(arg[1]).readCString();
if (str2 === 'EoPAoY62@ElRD') {
console.log('strcmp:', ptr(arg[0]).readCString(), str2);
}
},
onLeave: function (retval) {
}
})
}
Frida 的 File api 写文件#
function write_data() {
const file = new File('/sdcard/reg.dat', 'w');
file.write('EoPAoY62@ElRD');
file.flush();
file.close()
}
把C函数定义为NativaFunction来写文件#
demo:
// hook libc.so 的方式来写文件
function write_data_native() {
// 读取lic的导出函数地址
const addr_fopen = Module.findExportByName('libc.so', 'fopen');
const addr_fputs = Module.findExportByName('libc.so', 'fputs');
const addr_fclose = Module.findExportByName('libc.so', 'fclose');
console.log('fopen:', addr_fopen, 'fputs', addr_fputs, 'fclose', addr_fclose);
// 构建函数
const fopen = new NativeFunction(addr_fopen, 'pointer', ['pointer', 'pointer']);
const fputs = new NativeFunction(addr_fputs, 'int', ['pointer', 'pointer']);
const fclose = new NativeFunction(addr_fclose, 'int', ['pointer']);
// 申请内存空间
let file_name = Memory.allocUtf8String('/sdcard/reg.dat');
let model = Memory.allocUtf8String('w+');
let data = Memory.allocUtf8String('EoPAoY62@ElRD');
let file = fopen(file_name, model);
let ret = fputs(data, file);
console.log('fputs ret: ', ret);
fclose(file);
}
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· 阿里最新开源QwQ-32B,效果媲美deepseek-r1满血版,部署成本又又又降低了!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探