Frida API
提示
Frida API 根据李玺 LxTools (opens new window)、r0ysue AndroidSecurityStudy (opens new window) 以及官方文档 (opens new window)整理、修改而成。
# Hook 一般函数
var MyClass = Java.use('xx.xx.MainActivity');
MyClass.myMethod.implementation = function (arg) {
var ret = this.myMethod(arg);
console.log('Done:' + arg);
return ret;
}
1
2
3
4
5
6
2
3
4
5
6
# Hook 重载函数
myClass.myMethod.overload("java.lang.String").implementation = function(param1) {
console.log(param1);
}
myClass.myMethod.overload("[B","[B").implementation = function(param1,param2) {
const p1 = Java.use("java.lang.String").$new(param1);
const p2 = Java.use("java.lang.String").$new(param2);
}
myClass.myMethod.overload("android.context.Context", "boolean").implementation = function(param1, param2){
//do something
}
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
# Hook 构造函数
const StringBuilder = Java.use('java.lang.StringBuilder');
StringBuilder.$init.overload('java.lang.String').implementation = function (arg) {
var partial = "";
var result = this.$init(arg);
if (arg !== null) {
partial = arg.toString().slice(0,10);
}
console.log('new StringBuilder("' + partial + '");');
return result;
};
StringBuilder.$init.overload('[B', 'int').implementation = function (arg1,arg2) {
//do something
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Hook 成员方法
Java.perform(
function(){
var ba = Java.use("com.xx.xx.xx").$new();
if (ba != undefined) {
ba.mdthod.implementation = function (a1) {
//do something
}
}
}
)
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
# Hook 内部类
var inInnerClass = Java.use('ese.xposedtest.MainActivity$inInnerClass');
// 类路径$内部类名
inInnerClass.methodInclass.implementation = function(arguments){
var arg0 = arguments[0];
var arg1 = arguments[1];
send("params1: "+ arg0 +" params2: " + arg1);
return this.formInclass(1,"Frida");
}
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
# Hook native 函数
function hookNativeFun(callback, funName, moduleName) {
var time = 1000;
var address = Module.findExportByName(moduleName, funName);
if (address == null) {
setTimeout(hookNativeFun, time, callback, funName, moduleName);
}
else {
console.log(funName + "hook result")
var nativePointer = new NativePointer(address);
Interceptor.attach(nativePointer, callback);
}
}
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
# 从内存中主动调用Java方法
Java.perform(
function(){
Java.choose("com.xx.xx.xx", {
onMatch: function (x) {
ba.signInternal.implementation = function (a1, a2) {
result = x.method(a1, a2);
}
},
onComplete: function () {}
})
}
)
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
# 获取所有已加载的类名
Java.perform(function() {
Java.enumerateLoadedClasses({
onMatch: function(className) {
send(className);},
onComplete:function() {
send("done");
}
});
});
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
# 获取方法名
function getMethodName() {
var ret;
Java.perform(function() {
var Thread = Java.use("java.lang.Thread")
ret = Thread.currentThread().getStackTrace()[2].getMethodName();
});
return ret;
}
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
# 打印堆栈信息
function showStacks() {
Java.perform(function() {
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
});
}
1
2
3
4
5
2
3
4
5
# 打印类所有方法名
function enumMethods(targetClass) {
var ret;
Java.perform(function() {
var hook = Java.use(targetClass);
var ret = hook.class.getDeclaredMethods();
ret.forEach(function(s) {
console.log(s);
})
})
return ret;
}
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
# 构造 context
var current_application = Java.use('android.app.ActivityThread').currentApplication();
var context = current_application.getApplicationContext();
1
2
2
# Hook NO_Proxy
Java.perform(function() {
console.log("1 start hook");
try {
var URL = Java.use('java.net.URL')
URL.openConnection.overload('java.net.Proxy').implementation = function (arg1) {
return this.openConnection()
}
} catch (e) {
console.log('' + e)
}
try {
var Builder = Java.use('okhttp3.OkHttpClient$Builder')
var mybuilder = Builder.$new()
Builder.proxy.overload('java.net.Proxy').implementation = function (arg1) {
return mybuilder
}
} catch (e) {
console.log('' + e)
}
})
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# Hook HashMap-put
var hashMap = Java.use("java.util.HashMap");
hashMap.put.implementation = function (a, b) {
// 不行可换 a.equals("username")
if (a=="username") {
console.log("hashMap.put: ", a, b);
printStacks();
}
return this.put(a, b);
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
# Hook ArrayList-add
var arrayList = Java.use("java.util.ArrayList");
arrayList.add.overload('java.lang.Object').implementation = function (a) {
if (a == "username") {
console.log("arrayList.add: ", a);
showStacks(); // 打印堆栈信息
}
//console.log("arrayList.add: ", a);
return this.add(a);
}
arrayList.add.overload('int', 'java.lang.Object').implementation = function (a, b) {
console.log("arrayList.add: ", a, b);
return this.add(a, b);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
# Hook TextUtils-isEmpty
// 判断输入框是否为空
var textUtils = Java.use("android.text.TextUtils");
textUtils.isEmpty.implementation = function (a) {
if (a == "TURJNk1EQTZNREE2TURBNk1EQTZNREE9") {
console.log("textUtils.isEmpty: ", a);
printStacks();
}
//console.log("textUtils.isEmpty: ", a);
return this.isEmpty(a);
}
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
# Hook Base64-encodeToString
var base64 = Java.use("android.util.Base64");
base64.encodeToString.overload('[B', 'int').implementation = function (a, b) {
console.log("base64.encodeToString: ", JSON.stringify(a));
var result = this.encodeToString(a, b);
console.log("base64.encodeToString result: ", result)
printStacks();
return result;
}
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
# okhttp3 rpc
rpc.exports = {
request_url: function (url) {
return new Promise(function(resolve, reject) {
Java.perform(function () {
var OkHttpClient=Java.use("okhttp3.OkHttpClient");
var Builder=Java.use("okhttp3.Request$Builder");
var client = OkHttpClient.$new()
var request = Builder.$new().get().url(url).build()
var response = client.newCall(request).execute()
resolve(response.body().string())
});
});
}
};
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
# okhttp3 GET
function okhttp3_get(url, headers_str) {
let body = null;
Java.perform(() => {
const BuilderClazz = Java.use('okhttp3.Request$Builder');
const OkHttpClientClazz = Java.use('okhttp3.OkHttpClient');
try{
let builder = BuilderClazz.$new();
builder = builder.url(url);
if(headers_str != null && headers_str != ''){
let headers = JSON.parse(headers_str);
for(let key in headers){
builder = builder.addHeader(key, headers[key]);
}
}
let request = builder.build();
if(!okhttp3_client){
okhttp3_client = OkHttpClientClazz.$new();
}
let call = okhttp3_client.newCall(request);
let response = call.execute();
body = response.body().string();
}catch(e){
console.error(e);
}
});
return body;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# okhttp3 POST
function okhttp3_post(url, headers_str, media_type, body) {
let ret = null;
Java.perform(() => {
const BuilderClazz = Java.use('okhttp3.Request$Builder');
const OkHttpClientClazz = Java.use('okhttp3.OkHttpClient');
const MediaTypeClazz = Java.use('okhttp3.MediaType');
const RequestBodyClazz = Java.use('okhttp3.RequestBody');
try{
let builder = BuilderClazz.$new();
builder = builder.url(url);
if(headers_str != null && headers_str != ''){
let headers = JSON.parse(headers_str);
for(let key in headers){
builder = builder.addHeader(key, headers[key]);
}
}
let m_type = MediaTypeClazz.parse(media_type);
let request_body = RequestBodyClazz.create(m_type, body);
builder = builder.post(request_body);
let request = builder.build();
if(!okhttp3_client){
okhttp3_client = OkHttpClientClazz.$new();
}
let call = okhttp3_client.newCall(request);
let response = call.execute();
ret = response.body().string();
}catch(e){
console.error(e);
}
});
return ret;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Hook 只在指定函数内生效
function makeHookMethodInSpecifiedFunction(specifiedClass, specifiedMethod, className, methodName) {
Java.perform(function () {
// Hook指定函数
let specifiedClazz = Java.use(specifiedClass);
specifiedClazz[specifiedMethod].implementation = function () {
console.log("指定的Hook函数生效");
// Hook 要Hook的函数
let clazz = Java.use(className);
clazz[methodName].implementation = function () {
console.log("要Hook的函数生效");
return this[methodName](arguments);
}
// 关闭要Hook的函数
clazz[methodName].implementation = null;
return this[specifiedMethod](arguments);
}
});
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
帮助我们改善此页 (opens new window)
上次更新: 2024/10/17, 09:54:53
鄂ICP备19003281号-9
鄂公网安备42280202422959
Theme Vdoing
CloudBase