[Help] Question about hooking a dynamically loaded dex with Frida
Posted on: 2020-8-18 00:04
The class "androidpayload.stage.Meterpreter" is loaded dynamically through DexClassLoader.loadClass.
I want to hook the start('java.io.DataInputStream', 'java.io.OutputStream', '[Ljava.lang.Object;') method of that class. Following the article 进阶Frida--Android逆向之动态加载dex Hook(三)(下篇), I wrote the following code:
Java.perform(function () {
    var dexclassLoader = Java.use("dalvik.system.DexClassLoader");
    dexclassLoader.loadClass.overload('java.lang.String').implementation = function (name) {
        var hookname = "androidpayload.stage.Meterpreter";
        var result = this.loadClass(name, false);
        if (name == hookname) {
            // Inside a hook, `this` is backed by a JNI local reference that is released when
            // the callback returns; Java.retain() duplicates the wrapper with a global
            // reference so the class factory can keep using this loader afterwards.
            Java.classFactory.loader = Java.retain(this);
            var Meterpreter = Java.classFactory.use("androidpayload.stage.Meterpreter");
            console.log("get class success");
            Meterpreter.start.overload('java.io.DataInputStream', 'java.io.OutputStream', '[Ljava.lang.Object;').implementation = function () {
                console.log("Meterpreter.start");
            };
        }
        return result;
    };
});
But it throws an error:
get class success
Process crashed: Trace/BPT trap
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/marlin/marlin:9/PQ3A.190801.002/5670241:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 26140, tid: 26166, name: Thread-3 >>> com.metasploit.stage <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:542] JNI DETECTED ERROR IN APPLICATION: use of invalid jobject 0x779fd11244'
x0 0000000000000000 x1 0000000000006636 x2 0000000000000006 x3 0000000000000008
x4 fefeff773d926667 x5 fefeff773d926667 x6 fefeff773d926667 x7 7f7f7f7f7fff7f7f
x8 0000000000000083 x9 16ae7705053677cb x10 fffffff87ffffbdf x11 fffffffc7ffffbdf
x12 0000000000000018 x13 ffffffffffffffff x14 ffffffffff000000 x15 ffffffffffffffff
x16 000000783d4af2c8 x17 000000783d3ed358 x18 000000779fd0e880 x19 000000000000661c
x20 0000000000006636 x21 0000000000000083 x22 00000077b9fce000 x23 00000077afed1000
x24 0000000000000002 x25 00000000ffffffff x26 0000000000000012 x27 0000000000000005
x28 00000077b9ba62d7 x29 000000779fd0f5f0
sp 000000779fd0f5b0 lr 000000783d3e1c7c pc 000000783d3e1c9c
backtrace:
#00 pc 0000000000021c9c /system/lib64/libc.so (offset 0x21000) (abort+112)
#01 pc 0000000000000308 <anonymous:000000783b13c000>
***
Does anyone know how to hook classes and methods that are loaded dynamically like this? Much appreciated.
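An added example, not the poster's code and not taken from the article they followed, showing the same Frida pattern for hooking a class that a DexClassLoader brings in at runtime, with the loader wrapper retained (Java.retain) so it stays valid outside the loadClass callback, plus the Java.enumerateClassLoaders fallback for a class that was already loaded before the script attached. The class and method names come from the post; installDynamicClassHook, findLoaderFor, FakeJavaBridge and demo are assumed names, and FakeJavaBridge is a constructed stand-in for Frida's Java bridge so the script can be exercised under Node.js (on a device the real Java global is used instead).

```javascript
'use strict';

// Added example, not the poster's code. Class and method names come from the post;
// installDynamicClassHook, findLoaderFor, FakeJavaBridge and demo are assumed names.
var TARGET_CLASS = 'androidpayload.stage.Meterpreter';
var START_SIG = ['java.io.DataInputStream', 'java.io.OutputStream', '[Ljava.lang.Object;'];

// Hook DexClassLoader.loadClass; once the target class is loaded, hook its start().
// Inside the hook, `this` is a loader wrapper backed by a JNI local reference that
// dies when the callback returns. Java.retain() duplicates it with a global reference
// so the class factory can keep using the loader afterwards (a bare `loader = this`
// is what later surfaces as "use of invalid jobject").
function installDynamicClassHook(JavaApi, targetClass, onStart) {
  var state = { loaderRetained: false, hooked: false, startCalls: 0 };
  JavaApi.perform(function () {
    var DexClassLoader = JavaApi.use('dalvik.system.DexClassLoader');
    DexClassLoader.loadClass.overload('java.lang.String').implementation = function (name) {
      var result = this.loadClass(name);               // run the original loadClass
      if (name === targetClass && !state.hooked) {
        JavaApi.classFactory.loader = JavaApi.retain(this);
        state.loaderRetained = true;
        var Target = JavaApi.classFactory.use(targetClass);
        Target.start.overload(START_SIG[0], START_SIG[1], START_SIG[2]).implementation =
          function (input, output, params) {
            state.startCalls += 1;
            onStart(input, output, params);            // observe the call ...
            return this.start(input, output, params);  // ... then let the original run
          };
        state.hooked = true;
      }
      return result;
    };
  });
  return state;
}

// For a class loaded before the script attached: walk the live class loaders and
// return the first one that can resolve it (null if none can).
function findLoaderFor(JavaApi, className) {
  var found = null;
  JavaApi.enumerateClassLoaders({
    onMatch: function (loader) {
      if (found !== null) return;
      try {
        loader.findClass(className);                   // throws if this loader does not know it
        found = loader;
      } catch (e) { /* not this loader */ }
    },
    onComplete: function () {}
  });
  return found;
}

// Constructed stand-in for Frida's `Java` bridge so the script runs under Node.js.
function FakeJavaBridge() {
  var self = this;
  var loaded = {};                                     // class name -> fake class wrapper
  function method() { return { overload: function () { return this; }, implementation: null }; }
  var DexClassLoader = { loadClass: method() };
  var loaderWrapper = {                                // what `this` is inside the loadClass hook
    loadClass: function (name) { loaded[name] = loaded[name] || { start: method() }; return loaded[name]; },
    findClass: function (name) {
      if (!loaded[name]) throw new Error('ClassNotFoundException: ' + name);
      return loaded[name];
    }
  };
  this.retained = 0;
  this.perform = function (fn) { fn(); };
  this.use = function (name) { return name === 'dalvik.system.DexClassLoader' ? DexClassLoader : null; };
  this.retain = function (obj) { self.retained += 1; return obj; };
  this.classFactory = {
    loader: null,
    use: function (name) {
      if (self.classFactory.loader === null) throw new Error('no loader set');
      return self.classFactory.loader.findClass(name);
    }
  };
  this.enumerateClassLoaders = function (cb) { cb.onMatch(loaderWrapper); cb.onComplete(); };
  // App-side actions: load a class (through the hook if installed) and call start().
  this.appLoadClass = function (name) {
    var impl = DexClassLoader.loadClass.implementation;
    return impl ? impl.call(loaderWrapper, name) : loaderWrapper.loadClass(name);
  };
  this.appCallStart = function (cls) {
    var original = function () { return 'original-start'; };
    var impl = cls.start.implementation;
    return impl ? impl.call({ start: original }, null, null, null) : original();
  };
}

// Drive the fake bridge the way the target app would, and report what the hook saw.
function demo() {
  var bridge = new FakeJavaBridge();
  var state = installDynamicClassHook(bridge, TARGET_CLASS, function () {});
  bridge.appLoadClass('androidpayload.stage.Other');   // constructed name; ignored by the hook
  var target = bridge.appLoadClass(TARGET_CLASS);
  var ret = bridge.appCallStart(target);
  return {
    state: state, ret: ret, retained: bridge.retained,
    loaderFound: findLoaderFor(bridge, TARGET_CLASS) !== null,
    unknownFound: findLoaderFor(bridge, 'androidpayload.stage.Missing') !== null
  };
}

if (typeof Java !== 'undefined') {
  // Running under Frida: install the hook for real.
  installDynamicClassHook(Java, TARGET_CLASS, function () { console.log('Meterpreter.start called'); });
} else {
  console.log(JSON.stringify(demo()));
}
```

Under Frida, load the script with frida -U -l and the first half runs as a normal hook; the start hook calls the original through so the payload's behaviour can be observed rather than stopped. If the class was already loaded when you attach, call findLoaderFor(Java, TARGET_CLASS), assign the result to Java.classFactory.loader and hook start directly.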