Frida works in a partly similar way on iOS and Android.
On iOS you install a plugin; on Android it is a native ARM binary (frida-server) that you push to the device and run. The device ports do need to be forwarded first, as follows:

#!/bin/bash
echo hello world!!
source ~/.bash_profile
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
echo work

Written as a script, nothing more to say about it.
I spent some time writing a hook script template to keep for later use:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import frida
import sys
import time

# Set by the attach helpers so the KeyboardInterrupt handler can detach cleanly.
session = None

# Enumerate every module loaded by a process, with each export and its RVA.
def proc_module_show(name):
    global session
    rdev = frida.get_remote_device()
    # If two processes share the same name, use rdev.attach(pid) instead.
    session = rdev.attach(name)
    for module in session.enumerate_modules():
        print(module)
        print("\tfunc_name\tRVA")
        for export_func in module.enumerate_exports():
            print("\t%s\t%s" % (export_func.name, hex(export_func.relative_address)))

# Hook a native function (here libc open()) and report every call.
def native_hook(name):
    global session
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    scr = """
    Interceptor.attach(Module.findExportByName("libc.so", "open"), {
        onEnter: function (args) {
            send("open(" + Memory.readCString(args[0]) + "," + args[1] + ")");
        },
        onLeave: function (retval) {
        }
    });
    """
    script = session.create_script(scr)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()

'''The code below hooks the random-number generator of WeChat's
com.tencent.mm.sdk.platformtools.ay class (tested on version 6.3.13; the name
differs between versions because the obfuscated names are generated randomly
and the code changes), controlling the rock-paper-scissors outcome (type=2)
and making the dice (type=5) always show 6.'''
def hook(name):
    global session
    print(name)
    rdev = frida.get_remote_device()
    session = rdev.attach(name)
    # As posted, the JS body hooks com.sina.deviceidjnisdk.DeviceId; swap in the
    # target class and method as needed.
    scr = """
    Java.perform(function () {
        var DeviceId = Java.use("com.sina.deviceidjnisdk.DeviceId");
        DeviceId.getDeviceId.implementation = function () {
            var type = arguments[0];
            send("type=" + type);
            // pass the original argument through to the real implementation
            var result = this.getDeviceId(type);
            send("result=" + result);
            return result;
        };
    });
    """
    script = session.create_script(scr)
    script.on("message", on_message)
    script.load()
    sys.stdin.read()

def on_message(message, data):
    print(message)

'''Enumerate the processes on the phone'''
def enume_proc():
    rdev = frida.get_remote_device()
    for process in rdev.enumerate_processes():
        print(process)

def find_proc(name):
    rdev = frida.get_remote_device()
    for process in rdev.enumerate_processes():
        if process.name == name:
            return True
    return False

def main():
    if len(sys.argv) < 2:
        print("usage: %s ps|modules|hooknative|hookjava [process name]" % sys.argv[0])
        return
    name = sys.argv[2] if len(sys.argv) > 2 else "com.sina.weibo"
    if sys.argv[1] == 'ps':
        enume_proc()
    elif sys.argv[1] == 'modules':
        proc_module_show(name)
    elif sys.argv[1] == 'hooknative':
        native_hook(name)
    elif sys.argv[1] == 'hookjava':
        # Wait for the app to start, then attach directly.
        print("waiting for the app to launch...")
        while not find_proc(name):
            time.sleep(0.5)
        print("found process")
        hook(name)

if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        if session:
            session.detach()
        sys.exit()

Supposedly a dex can also be injected this way; I have not tried it, but I am recording it here:

'''Inject a dex into an Android process via Frida'''
import frida
import optparse
import re
import sys

def on_message2(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

# The dex path, entry class, entry method and argument are substituted in below.
jscode = """
Java.perform(function () {
    var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
    var context = currentApplication.getApplicationContext();
    var pkgName = context.getPackageName();
    var dexPath = "%s";
    var entryClass = "%s";
    Java.openClassFile(dexPath).load();
    console.log("inject " + dexPath + " to " + pkgName + " successfully!");
    Java.use(entryClass).%s("%s");
    console.log("call entry successfully!");
});
"""

# Every option whose help text starts with [REQUIRED] must have been given.
def checkRequiredArguments(opts, parser):
    missing_options = []
    for option in parser.option_list:
        if option.help and re.match(r'^\[REQUIRED\]', option.help) \
                and getattr(opts, option.dest) is None:
            missing_options.extend(option._long_opts)
    if len(missing_options) > 0:
        parser.error('Missing REQUIRED parameters: ' + str(missing_options))

if __name__ == "__main__":
    usage = "usage: python %prog [options] arg\n\n" \
            "example: python %prog -p com.android.launcher " \
            "-f /data/local/tmp/test.apk " \
            "-e com.parker.test.DexMain/main " \
            "\"hello fridex!\""
    parser = optparse.OptionParser(usage)
    parser.add_option("-p", "--package", dest="pkg", type="string",
                      help="[REQUIRED]package name of the app to be injected.")
    parser.add_option("-f", "--file", dest="dexPath", type="string",
                      help="[REQUIRED]path of the dex")
    parser.add_option("-e", "--entry", dest="entry", type="string",
                      help="[REQUIRED]the entry function Name.")
    (options, args) = parser.parse_args()
    checkRequiredArguments(options, parser)
    if len(args) == 0:
        arg = ""
    else:
        arg = args[0]
    pkgName = options.pkg
    dexPath = options.dexPath
    # Entry is given as "Class/method"; the method defaults to main.
    entry = options.entry.split("/")
    if len(entry) > 1:
        entryClass = entry[0]
        entryFunction = entry[1]
    else:
        entryClass = entry[0]
        entryFunction = "main"
    process = frida.get_usb_device(1).attach(pkgName)
    jscode = jscode % (dexPath, entryClass, entryFunction, arg)
    script = process.create_script(jscode)
    script.on('message', on_message2)
    print('[*] Running fridex')
    script.load()
    sys.stdin.read()
