Last edited by m0nst3r on 2018-12-5 12:03.

The content is basic; experienced readers can skip it.

Hooks

The two approaches use different development languages for the hook: Java on Android (Xposed) and Python + JS (Frida).

APP

I came across this app while learning Frida. It is very simple, comes with source and an APK, and is ideal for this kind of write-up. The URL comes first, then the source; if you don't want to follow along, just read the text.

URL: https://11x256.github.io/Frida-hooking-android-part-1/

```java
package com.example.a11x256.frida_test;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Log;
// The imports below are unused in this snippet (left over from the tutorial's later parts)
import android.util.Base64;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Random;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class my_activity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_my_activity);
        // Deliberately loops forever on the main thread, calling fun(50, 30) once a second
        while (true) {
            try {
                Thread.sleep(1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
            fun(50, 30);
        }
    }

    // The hook target: logs x + y under the "Sum" tag
    void fun(int x, int y) {
        Log.d("Sum", String.valueOf(x + y));
    }
}
```
After installing and running it, the log shows:

```text
$ adb logcat -c && adb logcat | grep -E "Sum"
12-05 10:54:01.222 21607 21607 D Sum : 80
12-05 10:54:02.223 21607 21607 D Sum : 80
12-05 10:54:03.223 21607 21607 D Sum : 80
12-05 10:54:04.224 21607 21607 D Sum : 80
12-05 10:54:05.225 21607 21607 D Sum : 80
12-05 10:54:06.226 21607 21607 D Sum : 80
```
These are only simple hooks; with each of the two approaches we just need to make Sum come out as 100.

Xposed

I won't introduce Xposed or its environment setup here; there are plenty of tutorials online. Steps:

- Create a new project
- Edit build.gradle
- Edit AndroidManifest.xml
- Create the hook class, here named test
- Create the assets directory and an xposed_init file containing the fully qualified name of the test class
- Write the hook code
- Build the APK
- Install the APK
- Enable the newly installed module on the phone
- Soft reboot the phone
- Run the test app
- Check the log
```java
package com.example.michael.xposed_1;

import de.robv.android.xposed.IXposedHookLoadPackage;
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import android.util.Log;

public class test implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Only act inside the target app's process
        if (lpparam.packageName.equals("com.example.a11x256.frida_test")) {
            findAndHookMethod("com.example.a11x256.frida_test.my_activity", lpparam.classLoader,
                    "fun", int.class, int.class,   // method name plus parameter types select the exact method
                    new XC_MethodHook() {
                        @Override
                        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                            Log.e("Xposed", "Xposed Hooked");
                            Integer x = (Integer) param.args[0]; // param.args[i] is the i-th argument of the hooked method
                            Integer y = (Integer) param.args[1];
                            Log.e("Xposed", "Param[0]" + x);     // logged before the rewrite, so these show the original values
                            Log.e("Xposed", "Param[1]" + y);
                            param.args[0] = 50;                  // rewrite the arguments the original method will receive
                            param.args[1] = 50;
                            super.beforeHookedMethod(param);
                        }

                        @Override
                        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                            super.afterHookedMethod(param);
                        }
                    });
        }
    }
}
```
Log output:

```text
$ adb logcat -c && adb logcat | grep -E "Sum|Xposed"
12-05 10:59:36.972 25726 25726 E Xposed : Xposed Hooked
12-05 10:59:36.973 25726 25726 E Xposed : Param[0]50
12-05 10:59:36.973 25726 25726 E Xposed : Param[1]30
12-05 10:59:36.974 25726 25726 D Sum : 100
12-05 10:59:37.974 25726 25726 E Xposed : Xposed Hooked
12-05 10:59:37.975 25726 25726 E Xposed : Param[0]50
12-05 10:59:37.975 25726 25726 E Xposed : Param[1]30
12-05 10:59:37.976 25726 25726 D Sum : 100
12-05 10:59:38.977 25726 25726 E Xposed : Xposed Hooked
12-05 10:59:38.977 25726 25726 E Xposed : Param[0]50
12-05 10:59:38.978 25726 25726 E Xposed : Param[1]30
12-05 10:59:38.978 25726 25726 D Sum : 100
12-05 10:59:39.979 25726 25726 E Xposed : Xposed Hooked
12-05 10:59:39.979 25726 25726 E Xposed : Param[0]50
12-05 10:59:39.980 25726 25726 E Xposed : Param[1]30
12-05 10:59:39.980 25726 25726 D Sum : 100
```
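With both approaches the proof that the hook works is the logcat output. The following checker is an added example, not code from the original post: it parses logcat lines in the default threadtime format (MM-DD HH:MM:SS.mmm PID TID LEVEL TAG : MESSAGE, an assumption about how logcat was invoked) and confirms two things about the hook on fun(int, int): every Sum line must read 100, and the Param[1] line still reads 30, because the Xposed hook logs param.args before overwriting it. The sample lines are constructed to mirror the output shown above; the function names and the expected values are my own choices.

```python
import re
from collections import namedtuple

# adb logcat default (threadtime) format: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG : MESSAGE
LOGCAT_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+'
    r'(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+'
    r'(?P<tag>\S+)\s*:\s(?P<msg>.*)$'
)

LogEntry = namedtuple('LogEntry', 'pid level tag msg')


def parse_logcat(text):
    """Parse threadtime-format logcat output; lines that do not match (e.g. buffer headers) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line.strip())
        if m:
            entries.append(LogEntry(int(m.group('pid')), m.group('level'),
                                    m.group('tag'), m.group('msg')))
    return entries


def check_hook(entries, expected_sum=100, original_args=(50, 30)):
    """
    Summarise whether the hook on fun(int, int) took effect.

    - 'all_hooked': every 'Sum' line equals expected_sum (False if there are none)
    - 'unhooked_values': any Sum values that do not match, i.e. runs where the hook was not active
    - 'logged_args_are_original': each 'Param[i]' line shows the *original* argument,
      because the Xposed hook logs param.args[i] before it overwrites them
      (vacuously True when no Param lines are present, e.g. for the Frida run)
    """
    sums = [int(e.msg) for e in entries if e.tag == 'Sum']
    params = {}
    for e in entries:
        m = re.match(r'Param\[(\d)\](\d+)$', e.msg)
        if e.tag == 'Xposed' and m:
            params.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return {
        'sum_lines': len(sums),
        'all_hooked': bool(sums) and all(s == expected_sum for s in sums),
        'unhooked_values': sorted(set(s for s in sums if s != expected_sum)),
        'logged_args_are_original': all(
            params.get(i, {v}) == {v} for i, v in enumerate(original_args)),
    }


# Constructed samples mirroring the output shown above: the unhooked app (Sum 80),
# then the module enabled (Sum 100). The trailing buffer header is there to show it is ignored.
SAMPLE_BEFORE = """\
12-05 10:54:01.222 21607 21607 D Sum     : 80
12-05 10:54:02.223 21607 21607 D Sum     : 80
"""

SAMPLE_AFTER = """\
12-05 10:59:36.972 25726 25726 E Xposed  : Xposed Hooked
12-05 10:59:36.973 25726 25726 E Xposed  : Param[0]50
12-05 10:59:36.973 25726 25726 E Xposed  : Param[1]30
12-05 10:59:36.974 25726 25726 D Sum     : 100
12-05 10:59:37.974 25726 25726 E Xposed  : Xposed Hooked
12-05 10:59:37.975 25726 25726 E Xposed  : Param[0]50
12-05 10:59:37.975 25726 25726 E Xposed  : Param[1]30
12-05 10:59:37.976 25726 25726 D Sum     : 100
--------- beginning of main
"""

if __name__ == '__main__':
    for label, sample in (('before', SAMPLE_BEFORE), ('after', SAMPLE_AFTER)):
        print(label, check_hook(parse_logcat(sample)))
```

To use it on a live device, pipe `adb logcat -v threadtime` into a file and pass its contents to parse_logcat; a non-empty unhooked_values list means some calls to fun ran before the hook was installed (for example the iterations between attach and script load), which is the usual reason to spawn the app suspended rather than attach to a running one.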
Frida

This one is handy and convenient. I'll skip the installation details. Steps:

- Write the JS that does the hooking
- Write a Python file to load the JS and interact with it
- Run the script
- Check the result
The JS script that implements the hook:

```javascript
'use strict';
console.log("Script loaded successfully");
Java.perform(function x() {
    console.log("Inside java perform function");
    var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); // locate the class
    console.log("Class found");
    // fun(int, int) is not overloaded, so its implementation can be replaced directly;
    // an overloaded method would need my_class.fun.overload('int', 'int').implementation
    my_class.fun.implementation = function (x, y) {
        console.log("original call: func(" + x + ", " + y + ")");
        var ret_value = this.fun(50, 50); // call the original with the replaced arguments
        return ret_value;
    };
});
```
The Python script:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import print_function
import sys
import frida
import IPython

JS_FILE = "mys1.js"                          # the JS hook script above
PACKAGE = "com.example.a11x256.frida_test"   # package name to hook

frida_session = None
script = None


def on_message(message, data):
    # Messages from the JS side: send() payloads, or JS errors with a stack trace
    if message['type'] == 'send':
        print("[*] {}".format(message['payload']))
    elif message['type'] == 'error':
        print("[!] {}".format(message.get('stack', message)))
    else:
        print(message)


def load_script():
    # (Re)load the JS; calling load_script() again from the IPython prompt picks up edits
    global script
    if script is not None:
        script.unload()
    with open(JS_FILE, 'r') as rjs:
        hook_script = rjs.read()
    script = frida_session.create_script(hook_script)
    script.on('message', on_message)
    script.load()


if __name__ == "__main__":
    device = frida.get_usb_device()
    pid = None
    try:
        # Attach to an already-running instance first...
        frida_session = device.attach(PACKAGE)
        print("[Info] Attach success!")
    except frida.ProcessNotFoundError:
        # ...otherwise spawn it suspended, attach, and resume only after the hook is in place
        pid = device.spawn(PACKAGE)
        frida_session = device.attach(pid)
        print("[Info] Spawn and attach success!")
    load_script()
    if pid is not None:
        device.resume(pid)
    IPython.embed()
    script.unload()
    sys.exit(0)
```
Run the script:

```text
$ python my-loader.py
[Info] Attach success!
Script loaded successfully
Inside java perform function
Class found
Python 2.7.15 (default, Oct 2 2018, 11:47:18)
Type "copyright", "credits" or "license" for more information.

IPython 5.8.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: original call: func(50, 30)
original call: func(50, 30)
original call: func(50, 30)
original call: func(50, 30)
original call: func(50, 30)
original call: func(50, 30)
original call: func(50, 30)
```