Frida installation

Versions used here: frida 12.7.24, frida-tools 5.3.0

pip install frida -i https://pypi.douban.com/simple --trusted-host pypi.douban.com
pip install frida-tools -i https://pypi.douban.com/simple --trusted-host pypi.douban.com

frida-server

https://github.com/frida/frida/releases

Emulator (virtual machine):
  • frida-server-12.7.24-android-x86
  • frida-server-12.7.24-android-x86_64

Physical device:
  • frida-server-12.7.24-android-arm
  • frida-server-12.7.24-android-arm64

AndroidKiller

Used to view Android logs, processes, files and so on.


Starting Frida

Start frida-server

adb push frida-server-12.7.24-android-x86 /data/local/tmp/
adb shell
cd /data/local/tmp
chmod 777 frida-server-12.7.24-android-x86
./frida-server-12.7.24-android-x86

Set up port forwarding

adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
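The two steps above (push and start the right frida-server build, then forward the two Frida ports) can be scripted. The following is an added example, not code from the original post: it reads the device ABI with `adb shell getprop ro.product.cpu.abi` so the matching release binary is chosen automatically (x86/x86_64 for an emulator, arm/arm64 for a phone), starts the server detached, and builds the forward commands. It assumes `adb` is on PATH and that the frida-server binaries sit in the current directory under their release file names; the `ABI_TO_ARCH` table and helper names are this example's own. It uses `chmod 755` rather than the `777` shown above, which is enough for the owner to execute the file.

```python
"""Install and start the frida-server build matching the device ABI, then
forward the Frida ports over adb. Added example driving the adb CLI with
subprocess; assumes adb on PATH and frida-server binaries in local_dir."""
import subprocess
from typing import List, Optional

FRIDA_VERSION = "12.7.24"       # version used on this page
FRIDA_PORTS = (27042, 27043)    # ports forwarded on this page

# Value of ro.product.cpu.abi -> architecture suffix of the frida-server release.
ABI_TO_ARCH = {
    "x86": "x86",
    "x86_64": "x86_64",
    "armeabi": "arm",
    "armeabi-v7a": "arm",
    "arm64-v8a": "arm64",
}


def frida_server_name(abi: str, version: str = FRIDA_VERSION) -> str:
    """Return the release file name for a device ABI, e.g.
    'x86' -> 'frida-server-12.7.24-android-x86'.
    Raises on an unknown ABI rather than guessing: the wrong build simply
    fails to execute on the device."""
    arch = ABI_TO_ARCH.get(abi.strip())
    if arch is None:
        raise ValueError(f"unsupported ABI {abi!r}; known: {sorted(ABI_TO_ARCH)}")
    return f"frida-server-{version}-android-{arch}"


def adb_base(serial: Optional[str] = None) -> List[str]:
    """'adb' plus '-s <serial>' when a specific device is selected."""
    return ["adb"] + (["-s", serial] if serial else [])


def forward_commands(serial: Optional[str] = None, ports=FRIDA_PORTS) -> List[List[str]]:
    """Build the 'adb forward tcp:N tcp:N' command lines for the Frida ports."""
    return [adb_base(serial) + ["forward", f"tcp:{p}", f"tcp:{p}"] for p in ports]


def adb(args: List[str], serial: Optional[str] = None) -> str:
    """Run one adb command and return its stdout; raises on a non-zero exit."""
    proc = subprocess.run(adb_base(serial) + args, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def install_and_start(serial: Optional[str] = None, local_dir: str = ".") -> str:
    """Push the matching frida-server, start it in the background and forward
    the ports. Returns the binary name that was used."""
    abi = adb(["shell", "getprop", "ro.product.cpu.abi"], serial).strip()
    name = frida_server_name(abi)
    remote = f"/data/local/tmp/{name}"
    adb(["push", f"{local_dir}/{name}", remote], serial)
    adb(["shell", "chmod", "755", remote], serial)
    # Detach the server from this adb shell so the script does not block.
    subprocess.Popen(adb_base(serial) + ["shell", f"nohup {remote} >/dev/null 2>&1 &"],
                     stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    for cmd in forward_commands(serial):
        subprocess.run(cmd, check=True)
    return name


if __name__ == "__main__":
    print("started", install_and_start())
```

Verify afterwards with `frida-ps -R` (remote over the forwarded port) or `frida-ps -U` (USB); an empty or failing listing means the server is not running or the forward is missing.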

AndroidKiller adb connection

> adb.exe devices
List of devices attached
127.0.0.1:62026 device

> adb.exe connect 127.0.0.1:62026
adb server version (32) doesn't match this client (36); killing...
* daemon started successfully *
connected to 127.0.0.1:62026


Frida script

import time
import sys
import frida

# JavaScript hook, injected into the target process by Frida
js_code ='''
console.log("Script loaded successfully ");
Java.perform(function x() { //Silently fails without the sleep from the python code
console.log("Inside java perform function");
//get a wrapper for our class
var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
//replace the original implementation of the function `fun` with our custom function
my_class.fun.implementation = function (x, y) {
//print the original arguments
console.log("original call: fun(" + x + ", " + y + ")");
//call the original implementation of `fun` with args (2,5)
var ret_value = this.fun(2, 5);
return ret_value;
}
});
'''

device = frida.get_remote_device()   # device reached through the adb port forward
pid = device.spawn(["com.example.a11x256.frida_test"])  # start the app by package name
device.resume(pid)
time.sleep(1) # Without it Java.perform silently fails
session = device.attach(pid)
script = session.create_script(js_code)
#with open("s1.js") as f:
# script = session.create_script(f.read())
script.load()

# prevent the python script from terminating
sys.stdin.read()
  • device.spawn(["com.example.a11x256.frida_test"]) takes the package name of the process to hook, such as com.yusakul.myapplication. get_remote_device() obtains the remote device; if a physical device is connected over USB, change this to get_usb_device().

  • script = session.create_script(js_code) and script.load()

    create and load the JS script. The script can also be loaded from an external js file:

    with open("s1.js") as f:
    script = session.create_script(f.read())

  • js_code is the hook script, written in JavaScript.
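A host script that does the same job without the `time.sleep(1)` race, as an added example that is not the original post's code: Frida's `spawn()` starts the process suspended, so attaching and loading the script before `resume()` guarantees the hook is in place before the app's own code runs. The hook JavaScript is generated from a template so the class, method, overload signature and replacement arguments can be changed from Python, and it reports the original arguments back over `send()` / `script.on("message", ...)` rather than only `console.log`. The class and method names are the page's sample app; `frida` is imported inside `get_device()` so the helpers can be exercised without the module installed.

```python
"""Host-side Frida runner: template-generated Java hook, attach-before-resume,
and a message handler for the send() channel. Added example; assumes the
frida Python package is installed when run_hook() is actually called."""
import json
import sys
from typing import Any, Dict, List, Optional

HOOK_TEMPLATE = """
Java.perform(function () {
    var cls = Java.use(%(class_name)s);
    // Pin the exact overload by argument types: with overloaded methods,
    // assigning .implementation on the bare name throws.
    var target = cls.%(method)s.overload(%(arg_types)s);
    var override = %(override)s;   // null keeps the original arguments
    target.implementation = function () {
        var args = Array.prototype.slice.call(arguments);
        // Report the original arguments to the Python side.
        send({ event: "call", method: %(method_js)s, args: args });
        var callArgs = override === null ? args : override;
        // Call the original implementation with the chosen arguments.
        return target.apply(this, callArgs);
    };
});
"""


def build_hook(class_name: str, method: str, arg_types: List[str],
               override: Optional[List[Any]] = None) -> str:
    """Render the hook script; override replaces the arguments passed on."""
    return HOOK_TEMPLATE % {
        "class_name": json.dumps(class_name),
        "method": method,
        "arg_types": ", ".join(json.dumps(t) for t in arg_types),
        "method_js": json.dumps(method),
        "override": json.dumps(override),
    }


def handle_message(message: Dict[str, Any], data=None) -> Optional[Dict[str, Any]]:
    """Frida delivers {'type': 'send', 'payload': ...} for send() and
    {'type': 'error', 'description': ...} for uncaught script exceptions.
    Returns the payload for 'send' messages, None otherwise."""
    if message.get("type") == "send":
        payload = message.get("payload")
        if isinstance(payload, dict) and payload.get("event") == "call":
            print("original call: %s(%s)" % (
                payload["method"], ", ".join(str(a) for a in payload["args"])))
        return payload
    if message.get("type") == "error":
        print("[script error] " + str(message.get("description")), file=sys.stderr)
    return None


def get_device(mode: str = "remote"):
    """'remote' goes through the adb port forward; 'usb' for a plugged-in phone."""
    import frida  # imported lazily so the helpers above work without it
    return frida.get_usb_device() if mode == "usb" else frida.get_remote_device()


def run_hook(package: str, js: str, mode: str = "remote") -> None:
    device = get_device(mode)
    pid = device.spawn([package])       # process is created suspended
    session = device.attach(pid)
    script = session.create_script(js)
    script.on("message", handle_message)
    script.load()                       # hook installed before any app code runs
    device.resume(pid)
    sys.stdin.read()                    # keep the session alive until EOF


if __name__ == "__main__":
    hook = build_hook("com.example.a11x256.frida_test.my_activity", "fun",
                      ["int", "int"], override=[2, 5])
    run_hook("com.example.a11x256.frida_test", hook)
```

Passing `override=None` turns the hook into a pure observer that logs every call and forwards the original arguments unchanged, which is the safer default when first mapping what a method receives.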

Source of the hooked APK

package com.example.a11x256.frida_test;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Log;

public class my_activity extends AppCompatActivity {
    /* Access modifiers changed, original: protected */
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_my_activity);
        while (true) {
            try {
                Thread.sleep(1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
            fun(50, 30);
        }
    }

    /* Access modifiers changed, original: 0000 */
    public void fun(int x, int y) {
        Log.d("Sum", String.valueOf(x + y));
    }
}

This app performs a simple calculation: it computes 50+30 and writes the result to the log. The hook script prints the original arguments with console.log("original call: fun(" + x + ", " + y + ")");

then calls the original function with the arguments 2 and 5 and returns its result:

var ret_value = this.fun(2, 5);
return ret_value;

Running the Frida hook script

When the app runs normally it logs the result of 50+30.


Run the hook script

The log now shows the sum of the arguments supplied by the hook script, while the script itself prints the original argument values.