android逆向神器之firda
16lz
2021-01-23
这东西ios和android有部分相似
ios装插件,android是个原生的arm包,放进去运行一下。不过要端口转发如下:
echo hello world!!source ~/.bash_profileadb forward tcp:27042 tcp:27042adb forward tcp:27043 tcp:27043echo work
写成了脚本,没啥好说的。
花了些时间写了个挂钩脚本模版,留着以后用:
#!/usr/bin/env python# -*- coding: utf-8 -*-import fridaimport sysimport optparseimport reglobal sessiondef enume_proc(): global session rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") modules = session.enumerate_modules() for module in modules: print module export_funcs = module.enumerate_exports() print "\tfunc_name\tRVA" for export_func in export_funcs: print "\t%s\t%s"%(export_func.name,hex(export_func.relative_address))#枚举某个进程加载的所有模块def proc_module_show(): global session rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") #如果存在两个一样的进程名可以采用rdev.attach(pid)的方式 modules = session.enumerate_modules() for module in modules: print module export_funcs = module.enumerate_exports() print "\tfunc_name\tRVA" for export_func in export_funcs: print "\t%s\t%s"%(export_func.name,hex(export_func.relative_address))#hook native函数def native_hook(name): global session rdev = frida.get_remote_device() session = rdev.attach(name) scr = """ Interceptor.attach(Module.findExportByName("libc.so" , "open"), { onEnter: function(args) { send("open("+Memory.readCString(args[0])+","+args[1]+")"); }, onLeave:function(retval){ } }); """ script = session.create_script(scr) script.on("message" , on_message) script.load() sys.stdin.read()'''如下代码为hook微信(测试版本为6.3.13,不同版本由于混淆名字的随机生成的原因或者代码改动导致名称不一样)com.tencent.mm.sdk.platformtools.ay类的随机数生成函数,让微信猜拳随机(tye=2),二摇色子总是为6点(type=5)'''def hook(name): global session print name rdev = frida.get_remote_device() session = rdev.attach(name) scr = """ Java.perform(function () { var ay = Java.use("com.sina.deviceidjnisdk.DeviceId"); DeviceId.getDeviceId.implementation = function(){ var type = arguments[0]; send("type="+type); var result=this.getDeviceId(); send("reuslt="+result) return result; }; }); """ script = session.create_script(scr) script.on("message" , on_message) script.load() sys.stdin.read()def on_message(message ,data): print message'''枚举手机进程'''def enume_proc(): rdev = frida.get_remote_device() processes = rdev.enumerate_processes() for process in processes: print processdef find_proc(name): rdev = frida.get_remote_device() processes = rdev.enumerate_processes() for process in processes: if process.name==name: return True return Falsedef main(): if len(sys.argv)>2: name=sys.argv[2] else: name="com.sina.weibo" if sys.argv[1]=='ps': enume_proc() elif sys.argv[1]=='hookjava': #等待程序启动,直接附加 print "please app waiting launched..." while True: if find_proc(name)==False: continue else: break print "find process" hook(name)if __name__ == "__main__": try: main() except KeyboardInterrupt: if session: session.detach() sys.exit() else: pass finally: pass
据说还可以注入dex没试,记录下:
'''通过friada向android进程注入dex'''def on_message2(message, data): if message['type'] == 'send': print("[*] {0}".format(message['payload'])) else: print(message)jscode = """Java.perform(function () { var currentApplication = Java.use("android.app.ActivityThread").currentApplication(); var context = currentApplication.getApplicationContext(); var pkgName = context.getPackageName(); var dexPath = "%s"; var entryClass = "%s"; Java.openClassFile(dexPath).load(); console.log("inject " + dexPath +" to " + pkgName + " successfully!") Java.use(entryClass).%s("%s"); console.log("call entry successfully!")});"""def checkRequiredArguments(opts, parser): missing_options = [] for option in parser.option_list: if re.match(r'^\[REQUIRED\]', option.help) and eval('opts.' + option.dest) == None: missing_options.extend(option._long_opts) if len(missing_options) > 0: parser.error('Missing REQUIRED parameters: ' + str(missing_options))if __name__ == "__main__": usage = "usage: python %prog [options] arg\n\n" \ "example: python %prog -p com.android.launcher " \ "-f /data/local/tmp/test.apk " \ "-e com.parker.test.DexMain/main " \ "\"hello fridex!\"" parser = optparse.OptionParser(usage) parser.add_option("-p", "--package", dest="pkg", type="string", help="[REQUIRED]package name of the app to be injected.") parser.add_option("-f", "--file", dest="dexPath", type="string", help="[REQUIRED]path of the dex") parser.add_option("-e", "--entry", dest="entry", type="string", help="[REQUIRED]the entry function Name.") (options, args) = parser.parse_args() checkRequiredArguments(options, parser) if len(args) == 0: arg = "" else: arg = args[0] pkgName = options.pkg dexPath = options.dexPath entry = options.entry.split("/") if len(entry) > 1: entryClass = entry[0] entryFunction = entry[1] else: entryClass = entry[0] entryFunction = "main" process = frida.get_usb_device(1).attach(pkgName) jscode = jscode%(dexPath, entryClass, entryFunction, arg) script = process.create_script(jscode) script.on('message', on_message2) print('[*] Running fridex') script.load() sys.stdin.read()
更多相关文章
- Android 多进程学习
- Android 依赖注入函数库Roboguice(一)
- Android init.rc脚本解析
- Android中关于外部存储的一些重要函数
- Android进程启动
- Android中嵌入lua脚本,初步进阶
- android中的进程与线程
- Android IPC(跨进程通信)之AIDL
- Android的进程回收