frida active invocation
Active invocation: forcing a function to be called and executed.
Passive invocation: the app drives execution and functions run in their normal order; reaching the key function depends entirely on user interaction that indirectly calls it.
In Java, a class's methods fall into two kinds: class methods and instance methods, also called static and dynamic (non-static) methods. A class method is marked with the keyword static and is bound to the class itself; if it is also public, it can be called from outside directly through the class. An instance method is not marked static, so from outside it can only be called by first instantiating the class and then invoking the method on that instance.
In frida, the form of active invocation follows the kind of method: a class method can be called directly on the wrapper returned by Java.use, while an instance method requires first locating a live instance, usually with Java.choose, and then calling the method on it.
Example code:
```javascript
setImmediate(function () {
    console.log('Script loaded successfully, start hook...');
    Java.perform(function () {
        console.log('Inside java perform function...');

        // Class (static) method: call it directly on the class wrapper
        let class_name = Java.use('com.xxx.xxx.xxx');
        let result1 = class_name.method();

        // Instance method: locate a live instance on the heap first, then call it
        Java.choose('com.xxx.xxx.xxx', {
            onMatch: function (instance) {
                console.log('instance found ', instance);
                let result2 = instance.method();
            },
            onComplete: function () {
                console.log('search complete');
            }
        });
    });
});
```
frida-rpc
Results are exported through rpc.exports so that Python, using the frida module, can call them directly.
The JS script is written almost the same way as a hook script; example code:
```javascript
function func1() {
    console.log('Script loaded successfully, start hook...');
    var xxx_result = '';
    Java.perform(function () {
        console.log('Inside java perform function...');
        // Class (static) method: call it on the class wrapper
        var class_name = Java.use('com.xxx.xxx.xxx');
        xxx_result = class_name.method_name('参数');
    });
    return xxx_result;
}

function func2() {
    console.log('Script loaded successfully, start hook...');
    var xxx_result = '';
    Java.perform(function () {
        console.log('Inside java perform function...');
        // Instance method: find a live instance and call the method on that instance
        Java.choose('com.xxx.xxx', {
            onMatch: function (instance) {
                xxx_result = instance.method_name('参数');
            },
            onComplete: function () {
                console.log('search complete');
            }
        });
    });
    return xxx_result;
}

// Export keys are camelCase: frida-python converts the Python-side attribute name to
// camelCase before lookup, so script.exports_sync.rpc_func1() resolves to rpcFunc1 here
rpc.exports = {
    rpcFunc1: func1,
    rpcFunc2: func2
};
```
```python
import sys

import frida
from loguru import logger

device = frida.get_usb_device()
script_path = "HookScript/example.js"


def message_call_back(message, data):
    """Log every message the script sends ('send' payloads and 'error' reports).

    :param message: dict delivered by frida (type, payload / description, stack, ...)
    :param data: optional binary blob attached to a send()
    """
    logger.info(message)
    logger.info(data)


def attach_hook(app_name):
    """Attach to an already-running process and load the hook script.

    :param app_name: process name or pid
    """
    process = device.attach(app_name)
    with open(script_path, 'r', encoding='utf-8') as f:
        script = process.create_script(f.read())
    script.on('message', message_call_back)
    script.load()
    sys.stdin.read()  # keep the script alive until stdin is closed


def spawn(package_name):
    """Start the app suspended, load the script before any app code runs, then resume.

    :param package_name: Android package name to spawn
    """
    pid = device.spawn(package_name)
    process = device.attach(pid)
    with open(script_path, 'r', encoding='utf-8') as f:
        script = process.create_script(f.read())
    script.on('message', message_call_back)
    script.load()
    device.resume(pid)
    sys.stdin.read()


if __name__ == '__main__':
    spawn('com.xxx.xxx')
```
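A Python-side driver that actually calls the exported functions, added here as an example and not part of the original post. It assumes the JS side exports a key named `rpcFunc1` (the name frida-python derives from the Python attribute `rpc_func1`, since it converts snake_case to camelCase before lookup); the package name and script path are constructed placeholders, and `frida` is imported only inside the device function so the message formatter and `rpc_call` can be exercised without a device.

```python
import logging
import sys
from typing import Any, Dict, Optional

log = logging.getLogger("frida-rpc")

def format_message(message: Dict[str, Any], data: Optional[bytes]) -> str:
    """Render one script message. Frida delivers two kinds: 'send' (the payload given
    to send() in JS, plus optional binary data) and 'error' (an uncaught JS exception
    with description, stack and source position)."""
    kind = message.get("type")
    if kind == "send":
        extra = f" +{len(data)} bytes" if data else ""
        return f"[send] {message.get('payload')!r}{extra}"
    if kind == "error":
        where = f"{message.get('fileName')}:{message.get('lineNumber')}"
        return f"[error] {message.get('description')} at {where}\n{message.get('stack', '')}"
    return f"[{kind}] {message!r}"

def rpc_call(script: Any, export_name: str, *args: Any) -> Any:
    """Call a function from rpc.exports by its Python-side (snake_case) name.
    frida >= 16 exposes script.exports_sync; older releases only have script.exports.
    frida-python camelCases the name before lookup, so rpc_func1 reaches the JS key rpcFunc1."""
    api = getattr(script, "exports_sync", None)
    if api is None:
        api = script.exports
    return getattr(api, export_name)(*args)

def spawn_and_call(package: str, script_path: str, export_name: str, *args: Any) -> Any:
    """Spawn the app suspended, load the script, resume it, call one export, return the result."""
    import frida  # imported here so format_message/rpc_call stay usable without a device

    device = frida.get_usb_device()
    pid = device.spawn(package)
    session = device.attach(pid)
    with open(script_path, encoding="utf-8") as f:
        script = session.create_script(f.read())
    script.on("message", lambda m, d: log.info(format_message(m, d)))
    script.load()
    device.resume(pid)  # let the app run: Java.perform in the script needs the Java VM up
    try:
        return rpc_call(script, export_name, *args)
    finally:
        session.detach()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, stream=sys.stderr)
    # constructed placeholders, matching the page's example names
    print(spawn_and_call("com.xxx.xxx", "HookScript/example.js", "rpc_func1"))
```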