Frida hook: installation and usage notes

Installation environment and platforms

- Windows
- Android emulator

Installing Frida on Windows

Install directly with pip:

```sh
pip install frida
pip install frida-tools
```

Once installed, run the following on the command line:

```
frida-ps
PID Name
13564 ApplicationFrameHost.exe
6628 ChsIME.exe
10356 ConEmu64.exe
13416 ConEmuC64.exe
6360 DesktopMgr64.exe
6336 Fiddler.exe
7876 Foxmail.exe
```

If it lists the process information like this, the installation succeeded.

Setting up the Frida environment on Android

Check the CPU information of the phone or emulator (in adb shell on the device):

```sh
cd /proc
cat cpuinfo
```

Since an emulator is used, root is available by default; the Android version is 4.4, so the x86 build of the server was downloaded.

Download the matching server version to the phone and give it execute permission:

```sh
# on the PC
adb push D:\Download\frida-server-12.2.5-android-x86 /data/local/tmp
# in adb shell on the device
cd /data/local/tmp
chmod 755 frida-server-12.2.5-android-x86
./frida-server-12.2.5-android-x86
```

Once it is running, execute the following on the PC to see the process list of the emulator:

```
frida-ps -U
PID Name
277 adbd
884 android.process.acore
961 android.process.media
704 com.anddoes.launcher
1042 com.android.calendar
1075 com.android.deskclock
1092 com.android.email
1115 com.android.exchange
1008 com.android.onetimeinitializer
866 com.android.phone
946 com.android.providers.calendar
```
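As an added example, not code from the original post: a small Python helper that turns the CPU check above into the matching frida-server file name and the adb push/chmod/run steps. It goes beyond the post by also handling arm64 and x86_64 and by accepting `ro.product.cpu.abi` as the preferred source; the function names, the ABI table and the constructed cpuinfo sample are assumptions.

```python
import re

# frida-server release files are named frida-server-<version>-android-<arch>,
# with <arch> one of arm, arm64, x86, x86_64. Helper written for this post;
# the ABI table and the cpuinfo patterns below are assumptions, not Frida code.
ABI_TO_FRIDA_ARCH = {"armeabi": "arm", "armeabi-v7a": "arm",
                     "arm64-v8a": "arm64", "x86": "x86", "x86_64": "x86_64"}

def arch_from_abi(abi):
    """Map `adb shell getprop ro.product.cpu.abi` output to a frida arch (preferred)."""
    key = abi.strip()
    if key not in ABI_TO_FRIDA_ARCH:
        raise ValueError("unknown Android ABI: %r" % key)
    return ABI_TO_FRIDA_ARCH[key]

def arch_from_cpuinfo(cpuinfo):
    """Infer the arch from `cat /proc/cpuinfo`, the check the post uses.
    cpuinfo describes the CPU, not the userspace ABI: a 64-bit Intel host can
    run a 32-bit x86 image, so Intel/AMD maps to "x86" here and the ABI
    property is needed to tell x86 from x86_64.
    """
    text = cpuinfo.lower()
    if re.search(r"cpu architecture\s*:\s*8", text) or "aarch64" in text:
        return "arm64"
    if re.search(r"cpu architecture\s*:\s*\d", text) or "armv7" in text:
        return "arm"
    if "genuineintel" in text or "authenticamd" in text or "vendor_id" in text:
        return "x86"
    raise ValueError("could not infer the CPU architecture from cpuinfo")

def server_name(version, arch):
    return "frida-server-%s-android-%s" % (version, arch)

def push_commands(local_dir, version, arch):
    """The adb steps from the post (push, chmod 755, run) for the chosen server."""
    name = server_name(version, arch)
    remote = "/data/local/tmp/" + name
    return ["adb push %s/%s %s" % (local_dir, name, remote),
            "adb shell chmod 755 %s" % remote,
            "adb shell %s" % remote]

# Constructed sample: the cpuinfo an ARMv7 emulator image typically reports.
SAMPLE_ARM_CPUINFO = ("Processor\t: ARMv7 Processor rev 0 (v7l)\n"
                      "Features\t: swp half thumb vfp neon\n"
                      "CPU architecture: 7\n")

if __name__ == "__main__":
    arch = arch_from_cpuinfo(SAMPLE_ARM_CPUINFO)
    print("\n".join(push_commands("D:/Download", "12.2.5", arch)))
```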
At this point, all the basic preparation is complete.

Writing the hook script and implementing its functionality

For details, refer to the official documentation.

Example: a test APK, a rock-paper-scissors game.
Code:

```python
import frida, sys

def on_message(message, data):
    # Messages emitted by send() on the JS side arrive here
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

jscode = """
Java.perform(function () {
    // Function to hook is defined here
    var MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    // Whenever button is clicked
    MainActivity.onClick.implementation = function (v) {
        // Show a message to know that the function got called
        send('onClick');
        // Call the original onClick handler
        this.onClick(v);
        // Set our values after running the original onClick handler
        this.m.value = 0;
        this.n.value = 1;
        this.cnt.value = 999;
        // Log to the console that it's done, and we should have the flag!
        console.log('Done:' + JSON.stringify(this.cnt));
    };
});
"""

# Attach to the running app over USB, inject the script and keep the process alive
process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()
```

Running the above script produced an error:
```
File "C:\Python27\lib\site-packages\frida\core.py", line 110, in attach
return Session(self._impl.attach(self._pid_of(target)))
frida.TransportError: the connection is closed
```

```
Frida:ERROR:../../../frida-core/src/linux/frida-helper-service-glue.c:2987:frida_resolve_library_function: assertion failed (local_library_path == remote_library_path): ("/system/lib/libc.so" == "/system/lib/arm/libc.so")
```
Searching around, I eventually found that emulators are not supported; the Frida used here was all the latest version, 12.2.5. I'll tinker with it later when I have time.

Later I switched to the official SDK and ran a lower version; the original error no longer appeared, but a new one came up:
```
File "C:\Python27\lib\site-packages\frida\core.py", line 97, in attach
return Session(self._impl.attach(self._pid_of(target)))
frida.ProcessNotRespondingError: timed out while waiting for session to establish
```

Forget it, I can't be bothered to fight with this any more; I'll try again later on a real device.
In later real-world use, Frida turned out to be very powerful, and more convenient than Xposed and the like.