frida hook java层常用模板
文章轉載于 安卓逆向菜鳥修煉記(微信公眾號),個人感覺很實用,記錄下來方便回顧,想看原文的請移步公眾號。
1.JAVA層HOOK普通方法
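import frida, sys

# Frida script (JavaScript) injected into the target process.
jscode = """
Java.perform(function () {
    // Java.use('<fully qualified class name>') returns a wrapper for that class.
    var utils = Java.use('com.renren.mobile.utils.RSA');

    // utils.D.implementation: D is the name of the method being replaced.
    utils.D.implementation = function (a, b, c) {
        console.log("Hook Start...");
        send(arguments[0]); // report the first argument; send(a) works as well
        send(arguments[1]); // report the second argument; send(b) works as well
        send(arguments[2]); // report the third argument; send(c) works as well
        // var num = arguments[0] + arguments[1];
        // send(num);
        // NOTE(review): the original D is never invoked and nothing is returned,
        // so the caller does not receive the value it would normally get.
    };
});
"""


def message(message, data):
    """Print each message the injected script delivers to the host.

    Payloads passed to send() in the script are printed with a "[*]" prefix;
    any other message type (for example a script error) is printed as received.
    The reported values are the arguments of a class named RSA, so treat the
    console output as potentially sensitive.
    """
    if message["type"] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


# Attach by package name. The original used a JavaScript-style // comment on this
# line, which is a syntax error in Python.
process = frida.get_remote_device().attach('com.renren.mobile.android')  # APK package name
script = process.create_script(jscode)
script.on("message", message)
script.load()
# Block on stdin so the process stays alive and keeps printing messages.
sys.stdin.read()
# 2. JAVA層HOOK構造方法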
jscode = """
// Constructor hook: Frida exposes Java constructors under the name $init.
Java.perform(function () {
    var Money = Java.use('com.qiang.fridaapp.Money');

    Money.$init.implementation = function (a, b) {
        console.log("Hook Start...");
        // Report both constructor arguments exactly as the caller supplied them.
        [a, b].forEach(function (arg) {
            send(arg);
        });
        send("Success!");
        // Run the real constructor with substituted values instead of (a, b).
        return this.$init(10000, "美元");
    };
});
"""
# 3.JAVA層HOOK重載方法
jscode = """
// Overload hook: overload(...) selects one signature by its parameter type names.
Java.perform(function () {
    var Utils = Java.use('com.qiang.fridaapp.Utils');
    var intOverload = Utils.test.overload("int");

    intOverload.implementation = function (a) {
        console.log("Hook Start...");
        send(a);
        // The original test(int) is not invoked; every caller receives this constant.
        return "helloworld";
    };
});
"""
# 重載需要注意的點:
| String | java.lang.String |
| int | int |
| map(hashmap) | java.util.Map |
| long | long |
| list | java.util.List |
| 字符串數組 | [Ljava.lang.String; |
| Object | java.lang.Object |
4.JAVA層HOOK構造對象參數
jscode = """
// Object construction inside a hook: $new allocates an instance and runs its constructor.
Java.perform(function () {
    var Utils = Java.use('com.qiang.fridaapp.Utils');
    var Money = Java.use('com.qiang.fridaapp.Money');

    Utils.test.overload().implementation = function () {
        // send("Hook Start...");
        var created = Money.$new(2000, '港幣');
        // send(created.getInfo());
        // NOTE(review): created is not used afterwards; the no-argument call is
        // answered by invoking test with 800 instead.
        return this.test(800);
    };
});
"""
# 5. JAVA層HOOK修改對象屬性
jscode = """
// Field modification through reflection from inside a hook.
Java.perform(function () {
    var Utils = Java.use('com.qiang.fridaapp.Utils');
    var Money = Java.use('com.qiang.fridaapp.Money');
    var JavaClass = Java.use('java.lang.Class');

    Utils.test.overload().implementation = function () {
        send("Hook Start...");
        var target = Money.$new(200, "RMB");
        send(target.getInfo()); // state before the change

        // Wrap the result of getClass() as java.lang.Class so getDeclaredField can be called on it.
        var klass = Java.cast(target.getClass(), JavaClass);
        var numField = klass.getDeclaredField('num');
        // setAccessible(true) lifts the Java access check for this Field object.
        numField.setAccessible(true);
        numField.setInt(target, 2000);

        send(target.getInfo()); // state after the change
        return this.test();
    };
});
"""
# 6.JAVA層HOOK匿名內部類
jscode = """
// Anonymous inner class hook: the class is addressed by its compiled name, Outer$N.
Java.perform(function () {
    var clickListener = Java.use('com.qiang.helloworld.LoginActivity$1');

    clickListener.onClick.implementation = function (a) {
        // The original onClick body is not invoked; only these two messages are sent.
        ["Hook Start...", "helloworld"].forEach(function (line) {
            send(line);
        });
    };
});
"""
# 7.JAVA層HOOK打印堆棧信息
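jscode = """
Java.perform(function () {
    // Sends the current thread's Java call stack to the host, one frame per message.
    function printStack() {
        // currentThread() is static, so it is called on the class wrapper; the
        // original allocated a throwaway Thread object just to reach it.
        var frames = Java.use('java.lang.Thread').currentThread().getStackTrace();
        for (var i = 0; i < frames.length; i++) {
            send("stack:" + frames[i].toString());
        }
    }

    var login = Java.use('com.qiang.helloworld.LoginActivity$1');
    login.onClick.implementation = function (a) {
        send("Hook Start...");
        // The stack shows which code path reached onClick.
        printStack();
    };
});
"""
# 8.JAVA層HOOK字符串轉字節數組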
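jscode = """
Java.perform(function () {
    // Encodes a JavaScript string as an array of UTF-8 byte values (0..255).
    // The original emitted the big-endian bytes of each UTF-16 code unit with
    // leading zero bytes dropped, which cannot be decoded again for non-ASCII text.
    function stringToBytes(str) {
        var out = [];
        for (var i = 0; i < str.length; i++) {
            var cp = str.charCodeAt(i);
            // Join a surrogate pair into a single code point.
            if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < str.length) {
                var low = str.charCodeAt(i + 1);
                if (low >= 0xDC00 && low <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
                    i++;
                }
            }
            if (cp < 0x80) {
                out.push(cp);
            } else if (cp < 0x800) {
                out.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                out.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            } else {
                out.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                         0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return out;
    }

    var login = Java.use('com.qianyu.helloworld.LoginActivity$1');
    login.onClick.implementation = function (a) {
        send("Hook Start...");
        // Explicit semicolon: the original relied on a line break after this call.
        var bytes = stringToBytes("hello world!");
        send(bytes);
    };
});
"""
# 9.JAVA層字節數組轉字符串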
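jscode = """
Java.perform(function () {
    // Encodes a JavaScript string as an array of UTF-8 byte values (0..255), so
    // that byteToString below can reverse it. The original emitted raw UTF-16
    // code-unit bytes, which byteToString does not decode.
    function stringToBytes(str) {
        var out = [];
        for (var i = 0; i < str.length; i++) {
            var cp = str.charCodeAt(i);
            // Join a surrogate pair into a single code point.
            if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < str.length) {
                var low = str.charCodeAt(i + 1);
                if (low >= 0xDC00 && low <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
                    i++;
                }
            }
            if (cp < 0x80) {
                out.push(cp);
            } else if (cp < 0x800) {
                out.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                out.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            } else {
                out.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                         0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return out;
    }

    // Decodes an array of UTF-8 bytes into a JavaScript string; a string argument
    // is returned unchanged. Malformed or truncated sequences become U+FFFD.
    // Fixes over the original: only 3-byte sequences were sliced correctly,
    // negative (signed Java) byte values broke the binary-string parsing, and a
    // truncated sequence threw.
    function byteToString(arr) {
        if (typeof arr === 'string') {
            return arr;
        }
        var REPLACEMENT = String.fromCharCode(0xFFFD);
        var str = '';
        var i = 0;
        while (i < arr.length) {
            var lead = arr[i] & 0xFF; // Java bytes are signed; normalise to 0..255
            var extra = 0;            // number of continuation bytes expected
            var cp = lead;
            if (lead >= 0xC0 && lead < 0xE0) {
                extra = 1;
                cp = lead & 0x1F;
            } else if (lead >= 0xE0 && lead < 0xF0) {
                extra = 2;
                cp = lead & 0x0F;
            } else if (lead >= 0xF0 && lead < 0xF8) {
                extra = 3;
                cp = lead & 0x07;
            } else if (lead >= 0x80) {
                // Stray continuation byte or invalid lead byte.
                str += REPLACEMENT;
                i++;
                continue;
            }
            var ok = i + extra < arr.length;
            for (var k = 1; ok && k <= extra; k++) {
                var cont = arr[i + k] & 0xFF;
                if ((cont & 0xC0) !== 0x80) {
                    ok = false;
                } else {
                    cp = (cp << 6) | (cont & 0x3F);
                }
            }
            if (!ok || cp > 0x10FFFF) {
                str += REPLACEMENT;
                i++;
                continue;
            }
            if (cp >= 0x10000) {
                // Outside the BMP: emit a UTF-16 surrogate pair.
                cp -= 0x10000;
                str += String.fromCharCode(0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF));
            } else {
                str += String.fromCharCode(cp);
            }
            i += extra + 1;
        }
        return str;
    }

    var login = Java.use('com.qiang.helloworld.LoginActivity$1');
    login.onClick.implementation = function (a) {
        send("Hook Start...");
        // Explicit semicolons: the original relied on line breaks after these calls.
        var bytes = stringToBytes("hello world!");
        send(bytes);
        var str = byteToString(bytes);
        send(str);
    };
});
"""
# 10.Java層hook復雜參數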
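jscode = """
Java.perform(function () {
    // Sends the current thread's Java call stack to the host, one frame per message.
    function printStack() {
        // currentThread() is static, so it is called on the class wrapper; the
        // original allocated a throwaway Thread object just to reach it.
        var frames = Java.use('java.lang.Thread').currentThread().getStackTrace();
        for (var i = 0; i < frames.length; i++) {
            send("stack:" + frames[i].toString());
        }
    }

    var md5 = Java.use('com.renren.mobile.utils.Md5');
    md5.toMD5.implementation = function (a) {
        console.log("================================");
        // printStack();
        send(a);
        // Call through to the original so the caller still gets the real result.
        var res = this.toMD5(a);
        send(res);
        return res;
    };

    var info = Java.use('com.renren.mobile.android.service.ServiceProvider');
    // overload() lists the type name of every parameter, in declaration order.
    info.a.overload(
        'java.lang.String',
        'java.lang.String',
        'int',
        'java.lang.String',
        'java.lang.String',
        'android.content.Context',
        'com.renren.mobile.android.loginfree.LoginStatusListener'
    ).implementation = function (str1, str2, i, str3, str4, context, loginStatus) {
        console.log("================================");
        // printStack();
        // NOTE(review): the signature takes a LoginStatusListener, so these values
        // are presumably login-related; treat the host-side output as sensitive.
        send("=>" + str1);
        send("=>" + str2);
        send("=>" + i);
        send("=>" + str3);
        send("=>" + str4);
        send("=>" + context);
        send("=>" + loginStatus);
        // NOTE(review): the original a(...) is not invoked from this hook.
    };
});
"""
# 總結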