JAVA层HOOK:
# -*- coding: utf-8 -*-
"""
Spyder Editor
This is a temporary script file.
JAVA层HOOK
"""
import frida, sys
# Hook an ordinary (non-overloaded) Java method.
# Disabled variant: the opening quotes sit before `jscode =`, so the whole
# template is a bare string expression that is never assigned or loaded.
# The replacement for com.renren.mobile.utils.RSA.D forwards its three
# arguments to the host with send(), then logs the result of the original D.
# Whatever the app passes to this method is therefore visible to in-process
# instrumentation.
# NOTE(review): the replacement has no `return`, so the app's caller would not
# receive D's result; return the value if this variant is re-enabled.
# NOTE(review): "以上是返回值" ("the above is the return value") is sent after the
# arguments and before the result is logged, so the label does not match the
# values that precede it.
# NOTE(review): this class is in a different package from the
# 'com.sun.fridaapp' process this script attaches to; the attach target would
# have to match before this variant could work.
"""
jscode =
Java.perform(function () {
var utils = Java.use('com.renren.mobile.utils.RSA');
utils.D.implementation = function (a, b,c) {
console.log("Hook Start...");
send(arguments[0]);
send(arguments[1]);
send(arguments[2]);
// send("Success!");
//var num=arguments[0]+arguments[1];
send("以上是返回值");
console.log(this.D(arguments[0],arguments[1],arguments[2]));
}
});
"""
# Hook a constructor ($init).
# Active variant: this is the template bound to jscode and loaded by this script.
# It replaces the two-argument constructor of com.sun.fridaapp.Money. The
# original arguments are reported through send(), then the original
# constructor is called with the fixed values 10000 and "美元" ("US dollar")
# instead of the caller's arguments.
jscode = """
Java.perform(function () {
var money = Java.use('com.sun.fridaapp.Money');
money.$init.implementation = function (a, b) {
console.log("Hook Start...");
send(arguments[0]);
send(arguments[1]);
send("Success!");
return this.$init(10000, "美元");
}
});
"""
# Hook one overload of an overloaded method.
# Disabled variant: bare string, never assigned to jscode.
# .overload("int") selects the Utils.test overload that takes a single int.
# The replacement reports the argument through send() and returns the
# constant "sun" without calling the original method.
"""
jscode =
Java.perform(function () {
var utils = Java.use('com.sun.fridaapp.Utils');
utils.test.overload("int").implementation = function (a) {
console.log("Hook Start...");
send(arguments[0]);
send("Success!");
return "sun";
}
});
"""
# Hook a method and construct a Java object inside the replacement.
# Disabled variant: bare string, never assigned to jscode.
# Replaces the zero-argument Utils.test overload. money.$new(2000,'港币')
# instantiates com.sun.fridaapp.Money from the script ('港币' is "Hong Kong
# dollar"); with both send() lines commented out the object is created but
# never used. The replacement then returns this.test(800).
# NOTE(review): this.test(800) presumably dispatches to the int overload; confirm.
"""
jscode =
Java.perform(function () {
var utils = Java.use('com.sun.fridaapp.Utils');
var money = Java.use('com.sun.fridaapp.Money');
utils.test.overload().implementation = function () {
//send("Hook Start...");
var mon = money.$new(2000,'港币');
//send(mon.getInfo());
return this.test(800);
}
});
"""
# Hook a method and change a field of a Java object through reflection.
# Disabled variant: bare string, never assigned to jscode.
# Inside the zero-argument Utils.test replacement the script builds a Money
# object, looks up its declared field 'num' through java.lang.Class, calls
# setAccessible(true), writes 1000 with setInt(), and sends getInfo() before
# and after the write so the change is visible on the host.
# NOTE(review): setAccessible(true) is what lets reflection write a field that
# is presumably not public. Java access modifiers are not a protection
# boundary against code running inside the process.
"""
jscode =
Java.perform(function () {
var utils = Java.use('com.sun.fridaapp.Utils');
var money = Java.use('com.sun.fridaapp.Money');
var clazz = Java.use('java.lang.Class');
utils.test.overload().implementation = function () {
send("Hook Start...");
var mon = money.$new(200,'港币');
send(mon.getInfo());
var numid= Java.cast(mon.getClass(),clazz).getDeclaredField('num');
numid.setAccessible(true);
//send(numid.get(mon));
numid.setInt(mon, 1000);
send(mon.getInfo());
return this.test(800);
}
});
"""
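def message(message, data):
    """Print one message emitted by the injected script.

    Registered with script.on("message", ...). `message` is a dict; `data`
    (the optional binary payload) is accepted but not used.

    - type 'send': the value passed to send() in the script is printed to
      stdout as "[*] <payload>".
    - type 'error': an exception raised inside the script. Its description and
      stack (when present) go to stderr, so a hook that failed to install is
      not lost among the payload lines.
    - any other type is printed unchanged.
    """
    # .get() keeps a malformed message from raising inside the callback.
    kind = message.get("type")
    if kind == 'send':
        print("[*] {0}".format(message.get('payload')))
    elif kind == 'error':
        sys.stderr.write("[!] {0}\n".format(message.get('description', message)))
        stack = message.get('stack')
        if stack:
            sys.stderr.write("{0}\n".format(stack))
    else:
        print(message)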
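# Attach to the already-running 'com.sun.fridaapp' process through a
# frida-server reached over the network device, then inject the hook script.
# frida-server acts on behalf of any client that can reach its listener, so
# keep it on a test device and stop it once the session is over.
process = frida.get_remote_device().attach('com.sun.fridaapp')
try:
    script = process.create_script(jscode)
    script.on("message", message)
    script.load()
    # Block until stdin is closed so the hooks stay installed.
    sys.stdin.read()
except KeyboardInterrupt:
    # Ctrl-C is the normal way to end the session; exit without a traceback.
    pass
finally:
    # Always release the session so the target is not left instrumented.
    process.detach()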
So层native HOOK:
import frida, sys
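# Native-layer script for libdemo.so. It does three things:
#   1. walks the loaded modules and reports libdemo.so's name, base, size and
#      path (the in-script comment "遍历模块找基址" = "enumerate modules to find
#      the base address");
#   2. lists the library's exports ("hook导出函数" = "hook exported functions";
#      the code only prints each name and address);
#   3. resolves the base address by module name ("通过模块名直接查找基址") and
#      attaches an Interceptor at base + 0x00001270, logging args[2..4] on entry.
# The base address is resolved and checked before it is used: findBaseAddress()
# returns null when the library is not mapped, and the original called .add()
# on it unconditionally.
# NOTE(review): 0x00001270 is an offset into one specific build of libdemo.so;
# confirm it against the binary actually loaded.
# NOTE(review): the callback form of Process.enumerateModules and
# Module.enumerateExportsSync / Module.findBaseAddress are older Frida API
# spellings; check them against the Frida version in use.
jscode = """
setImmediate(function () {
    send("start");
    //遍历模块找基址
    Process.enumerateModules({
        onMatch: function (exp) {
            if (exp.name == 'libdemo.so') {
                send('enumerateModules find');
                send(exp.name + "|" + exp.base + "|" + exp.size + "|" + exp.path);
                send(exp);
                return 'stop';
            }
        },
        onComplete: function () {
            send('enumerateModules stop');
        }
    });
    //通过模块名直接查找基址
    var baseSOFile = Module.findBaseAddress("libdemo.so");
    if (baseSOFile === null) {
        // Library not mapped: report it and stop instead of failing on null.add().
        send("libdemo.so not loaded, hook not installed");
        return;
    }
    //hook导出函数
    var exports = Module.enumerateExportsSync("libdemo.so");
    for(var i=0;i<exports.length;i++){
        send("name:"+exports[i].name+" address:"+exports[i].address);
    }
    Interceptor.attach(baseSOFile.add(0x00001270),{
        onEnter: function(args) {
            //console.log(Memory.readCString(args[0]));
            //console.log(Memory.readUtf16String(args[3]));
            console.log(args[2]);
            console.log(args[3]);
            console.log(args[4]);
        },
        onLeave: function(retval){
        }
    });
});
"""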
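def on_message(message, data):
    """Print one message emitted by the injected script.

    Registered with script.on('message', ...). `message` is a dict; `data`
    (the optional binary payload) is accepted but not used.

    - type 'send': the value passed to send() in the script is printed to
      stdout as "[*] <payload>".
    - type 'error': an exception raised inside the script. Its description and
      stack (when present) go to stderr, so a hook that failed to install is
      not lost among the payload lines.
    - any other type is printed unchanged.
    """
    # .get() keeps a malformed message from raising inside the callback.
    kind = message.get('type')
    if kind == 'send':
        print("[*] {0}".format(message.get('payload')))
    elif kind == 'error':
        sys.stderr.write("[!] {0}\n".format(message.get('description', message)))
        stack = message.get('stack')
        if stack:
            sys.stderr.write("{0}\n".format(stack))
    else:
        print(message)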
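# Attach over USB to the already-running 'com.sun.demo' process and inject the
# native-layer script.
process = frida.get_usb_device().attach('com.sun.demo')
try:
    script = process.create_script(jscode)
    script.on('message', on_message)
    script.load()
    # Block until stdin is closed so the hooks stay installed.
    sys.stdin.read()
except KeyboardInterrupt:
    # Ctrl-C is the normal way to end the session; exit without a traceback.
    pass
finally:
    # Always release the session so the target is not left instrumented.
    process.detach()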