
frida hook java层常用模板

时间:2018-10-22 15:39:05


frida hook java层常用模板

文章转载于安卓逆向菜鸟修炼记(微信公众号),个人感觉很实用,记录下来方便回顾,想看原文的请移步公众号。

1.JAVA层HOOK普通方法

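import sys

import frida

# JavaScript agent injected into the target process. It hooks a plain
# (non-overloaded) Java method and reports each argument to the host.
jscode = """
Java.perform(function () {
    // Java.use('<class name>') returns a wrapper for the class;
    // utils.D.implementation replaces the body of method D.
    var utils = Java.use('com.renren.mobile.utils.RSA');
    utils.D.implementation = function (a, b, c) {
        console.log("Hook Start...");
        send(a); // first argument  (arguments[0] works as well)
        send(b); // second argument (arguments[1] works as well)
        send(c); // third argument  (arguments[2] works as well)
        // var num = arguments[0] + arguments[1];
        // send(num);

        // Call the original method and hand its result back. Without this
        // the replacement returns undefined, so a non-void D would give the
        // app no value; for a void D the call-through is harmless.
        return this.D(a, b, c);
    };
});
"""


def message(message, data):
    """Handle one message from the agent.

    Payloads produced by send() are printed with a "[*]" prefix; any other
    message type (for example a script error) is printed unchanged.
    """
    if message["type"] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


# Attach through the Frida remote device to the process with this APK package
# name. The original line used a JavaScript-style "//" comment here, which is
# a syntax error in Python.
process = frida.get_remote_device().attach('com.renren.mobile.android')  # APK package name
script = process.create_script(jscode)
script.on("message", message)
script.load()
# Block on stdin so the script stays loaded until the user ends the session.
sys.stdin.read()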

2. JAVA层HOOK构造方法

# Agent that hooks a constructor. Frida exposes Java constructors as $init.
jscode = """
Java.perform(function () {
    var Money = Java.use('com.qiang.fridaapp.Money');

    // Replace the two-argument constructor of Money.
    Money.$init.implementation = function (a, b) {
        console.log("Hook Start...");
        // Report the arguments the app passed in.
        send(a);
        send(b);
        send("Success!");
        // Run the real constructor, but with substituted arguments.
        return this.$init(10000, "美元");
    };
});
"""

3.JAVA层HOOK重载方法

# Agent that hooks one specific overload of a method.
jscode = """
Java.perform(function () {
    var Utils = Java.use('com.qiang.fridaapp.Utils');

    // overload("int") selects the variant of test that takes a single int.
    Utils.test.overload("int").implementation = function (a) {
        console.log("Hook Start...");
        send(a);
        // The original method is not called; this value is returned instead.
        return "helloworld";
    };
});
"""

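重载需要注意的点:overload() 的参数要写成被 hook 方法各形参类型的名称字符串——基本类型直接写 "int",对象类型写完整类名(如 'java.lang.String');无参的重载写作 overload()。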

4.JAVA层HOOK构造对象参数

# Agent that constructs a Java object from inside a hook.
jscode = """
Java.perform(function () {
    var Utils = Java.use('com.qiang.fridaapp.Utils');
    var Money = Java.use('com.qiang.fridaapp.Money');

    // Hook the no-argument overload of test.
    Utils.test.overload().implementation = function () {
        // send("Hook Start...");
        // $new allocates and constructs a Money instance from the script.
        var mon = Money.$new(2000, '港币');
        // send(mon.getInfo());
        // NOTE(review): mon is created but never used; the call below passes
        // the literal 800 to another overload of test. Confirm whether
        // this.test(mon) was intended.
        return this.test(800);
    };
});
"""

5. JAVA层HOOK修改对象属性

# Agent that changes a field of a Java object through reflection.
jscode = """
Java.perform(function () {
    var Utils = Java.use('com.qiang.fridaapp.Utils');
    var Money = Java.use('com.qiang.fridaapp.Money');
    var JavaClass = Java.use('java.lang.Class');

    Utils.test.overload().implementation = function () {
        send("Hook Start...");
        var mon = Money.$new(200, "RMB");
        send(mon.getInfo()); // state before the change

        // Look up the declared field 'num' through java.lang.Class, make it
        // accessible, then overwrite its int value on this instance.
        var numField = Java.cast(mon.getClass(), JavaClass).getDeclaredField('num');
        numField.setAccessible(true);
        numField.setInt(mon, 2000);

        send(mon.getInfo()); // state after the change
        return this.test();
    };
});
"""

6.JAVA层HOOK匿名内部类

# Agent that hooks a method of an anonymous inner class.
jscode = """
Java.perform(function () {
    // Anonymous inner classes are compiled to Outer$N, so the first one
    // declared in LoginActivity is addressed as LoginActivity$1.
    var ClickListener = Java.use('com.qiang.helloworld.LoginActivity$1');

    ClickListener.onClick.implementation = function (a) {
        send("Hook Start...");
        send("helloworld");
        // The original onClick is not invoked by this replacement.
    };
});
"""

7.JAVA层HOOK打印堆栈信息

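# Agent that prints the Java call stack whenever the hooked method runs.
jscode = """
Java.perform(function () {
    var login = Java.use('com.qiang.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        printStack();
        // The original onClick is not invoked by this replacement.
    };

    // Send every frame of the current thread's stack trace to the host.
    function printStack() {
        // currentThread() is static, so it is called on the class wrapper;
        // the original allocated a throwaway Thread object just to reach it.
        var Thread = Java.use('java.lang.Thread');
        var stack = Thread.currentThread().getStackTrace();
        for (var i = 0; i < stack.length; i++) {
            send("stack:" + stack[i].toString());
        }
    }
});
"""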

8.JAVA层HOOK字符串转字节数组

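# Agent that converts a JavaScript string to a byte array inside a hook.
jscode = """
Java.perform(function () {
    var login = Java.use('com.qianyu.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        var bytes = stringToBytes("hello world!");
        send(bytes);
    };

    // Encode a JavaScript string as an array of UTF-8 byte values (0-255).
    // The original emitted the raw bytes of each UTF-16 code unit with no
    // fixed width, which is not a decodable encoding for non-ASCII text.
    // ASCII input yields the same bytes as before.
    function stringToBytes(str) {
        var out = [];
        for (var i = 0; i < str.length; i++) {
            var cp = str.charCodeAt(i);
            // Join a surrogate pair into one code point.
            if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < str.length) {
                var low = str.charCodeAt(i + 1);
                if (low >= 0xDC00 && low <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
                    i++;
                }
            }
            if (cp < 0x80) {
                out.push(cp);
            } else if (cp < 0x800) {
                out.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                out.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            } else {
                out.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                         0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return out;
    }
});
"""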

9.JAVA层字节数组转字符串

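# Agent that round-trips a string through a byte array inside a hook.
jscode = """
Java.perform(function () {
    var login = Java.use('com.qiang.helloworld.LoginActivity$1');

    login.onClick.implementation = function (a) {
        send("Hook Start...");
        var bytes = stringToBytes("hello world!");
        send(bytes);
        var str = byteToString(bytes);
        send(str);
    };

    // Encode a JavaScript string as an array of UTF-8 byte values (0-255).
    // The original emitted raw UTF-16 code-unit bytes, which byteToString
    // (a UTF-8 decoder) could only read back for ASCII text.
    function stringToBytes(str) {
        var out = [];
        for (var i = 0; i < str.length; i++) {
            var cp = str.charCodeAt(i);
            // Join a surrogate pair into one code point.
            if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < str.length) {
                var low = str.charCodeAt(i + 1);
                if (low >= 0xDC00 && low <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
                    i++;
                }
            }
            if (cp < 0x80) {
                out.push(cp);
            } else if (cp < 0x800) {
                out.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                out.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            } else {
                out.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                         0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return out;
    }

    // Decode an array of UTF-8 byte values into a JavaScript string.
    // A string argument is returned unchanged.
    function byteToString(arr) {
        if (typeof arr === 'string') {
            return arr;
        }
        var str = '';
        for (var i = 0; i < arr.length; i++) {
            // Mask to 0-255: Java byte values are signed, and the original
            // binary-string parsing broke on negative numbers.
            var lead = arr[i] & 0xFF;
            var cp;
            var extra;
            if (lead < 0x80) {
                cp = lead;
                extra = 0;
            } else if ((lead & 0xE0) === 0xC0) {
                cp = lead & 0x1F;
                extra = 1;
            } else if ((lead & 0xF0) === 0xE0) {
                cp = lead & 0x0F;
                extra = 2;
            } else if ((lead & 0xF8) === 0xF0) {
                cp = lead & 0x07;
                extra = 3;
            } else {
                // Stray continuation byte or invalid lead byte.
                cp = 0xFFFD;
                extra = 0;
            }
            if (i + extra >= arr.length) {
                // Sequence cut off at the end of the array.
                str += String.fromCharCode(0xFFFD);
                break;
            }
            for (var k = 1; k <= extra; k++) {
                cp = (cp << 6) | (arr[i + k] & 0x3F);
            }
            i += extra;
            if (cp > 0xFFFF) {
                // Code points above the BMP need a surrogate pair.
                cp -= 0x10000;
                str += String.fromCharCode(0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF));
            } else {
                str += String.fromCharCode(cp);
            }
        }
        return str;
    }
});
"""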

10.Java层hook复杂参数

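# Agent that logs the arguments of a method with a long, mixed-type signature
# and the input/output of an MD5 helper.
# NOTE(review): these payloads may include credentials or tokens; keep the
# host-side output out of shared logs.
jscode = """
Java.perform(function () {
    var md5 = Java.use('com.renren.mobile.utils.Md5');

    // Log the input and the result of toMD5, then return the real result.
    md5.toMD5.implementation = function (a) {
        console.log("================================");
        // printStack();
        send(a);
        var res = this.toMD5(a);
        send(res);
        return res;
    };

    var info = Java.use('com.renren.mobile.android.service.ServiceProvider');

    // overload() lists every parameter type by name: primitives as-is,
    // object types by their full class name.
    info.a.overload(
        'java.lang.String',
        'java.lang.String',
        'int',
        'java.lang.String',
        'java.lang.String',
        'android.content.Context',
        'com.renren.mobile.android.loginfree.LoginStatusListener'
    ).implementation = function (str1, str2, i, str3, str4, context, loginStatus) {
        console.log("================================");
        // printStack();
        send("=>" + str1);
        send("=>" + str2);
        send("=>" + i);
        send("=>" + str3);
        send("=>" + str4);
        send("=>" + context);
        send("=>" + loginStatus);
        // Call the original, as the toMD5 hook does. The original template
        // returned nothing here, so the hooked call never reached the app's
        // own code.
        return this.a(str1, str2, i, str3, str4, context, loginStatus);
    };

    // Send every frame of the current thread's stack trace to the host.
    function printStack() {
        // currentThread() is static, so no Thread object needs to be created.
        var Thread = Java.use('java.lang.Thread');
        var stack = Thread.currentThread().getStackTrace();
        for (var i = 0; i < stack.length; i++) {
            send("stack:" + stack[i].toString());
        }
    }
});
"""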
