首页
社区
课程
招聘
[求助]如何在Frida中调用so库中的JNI函数
发表于: 2023-4-10 03:01 7139

[求助]如何在Frida中调用so库中的JNI函数

2023-4-10 03:01
7139

我有一个简单的Android JNI函数源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#include <jni.h>
#include <string>
 
extern "C" JNIEXPORT jstring JNICALL
Java_com_example_myapplication_MainActivity_stringFromJNI(
        JNIEnv* env,
        jobject /* this */,
        jstring inputStr) {
 
    // 获取字符串值
    const char *nativeInputStr = env->GetStringUTFChars(inputStr, nullptr);
 
    // 将字符串赋值给hello
    std::string hello = nativeInputStr;
 
    // 释放资源
    env->ReleaseStringUTFChars(inputStr, nativeInputStr);
 
    return env->NewStringUTF(hello.c_str());
}

现在我想在Frida脚本中主动调用这个函数并传参,我编写了如下的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
function checkLibraryLoaded() {
    const baseAddr = Module.findBaseAddress('libmyapplication.so');
    if (baseAddr) {
        console.log('loaded at address:', baseAddr);
        const libnative_name = "libmyapplication.so"; // 替换为你的.so库的名称
        const func_name = "Java_com_example_myapplication_MainActivity_stringFromJNI";
        // 检查是否附加到应用程序
        if (Java.available) {
            Java.perform(() => {
                // 获取模块基址
                const libnative_base = Process.findModuleByName(libnative_name).base;
 
                // 获取native方法地址
                const func_addr = Module.findExportByName(libnative_name, func_name);
 
                // 创建用于native方法调用的NativeFunction
                const nativeFunc = new NativeFunction(func_addr, 'pointer', ['pointer', 'pointer', 'pointer']);
 
                // 获取MainActivity类
                const MainActivity = Java.use('com.example.myapplication.MainActivity');
 
                // 在主线程上执行操作
                Java.scheduleOnMainThread(() => {
                    // 获取JNIEnv指针
                    const env = Java.vm.getEnv();
 
                    // 创建MainActivity实例
                    const mainActivityInstance = MainActivity.$new();
 
                    if (mainActivityInstance !== null) {
                        console.log("MainActivity instance created successfully.");
 
                        // 创建输入字符串
                        const inputStr = "Hello from Frida!";
 
                        // 将Java字符串转换为JNI jstring
                        const jniString = env.newStringUtf(inputStr);
 
                        // 转换为jobject
                        const jobjectInstance = Java.cast(mainActivityInstance, Java.use("java.lang.Object"));
 
                        // 调用native方法
                        const result = nativeFunc(env.handle, jobjectInstance.handle, jniString.handle);
 
                        // 将JNI jstring转换回Java字符串
                        const resultStr = env.stringFromJni(result);
 
                        console.log("Result: " + resultStr);
                    } else {
                        console.error("Failed to create MainActivity instance.");
                    }
                });
            });
        } else {
            console.error("Java not available");
        }
    }
}
 
//clearInterval(checkLibraryLoadedInterval);
const checkLibraryLoadedInterval = setInterval(checkLibraryLoaded, 2000);

但是会一直报错:Error: expected a pointer

 

env的构造方法应该是没有问题的,第一个参数JNIEnv应该是使用Java.vm.getEnv()能获取
没法想到如何正确构造jobject/jclass这参数,jobject/jclass的是分别指代了其所指代的类和对象


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (2)
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
没找到指针就是有一个地方指针是空值咯
2023-7-15 21:21
0
雪    币: 5782
活跃值: (3854)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
逐行加Log,看打印到哪行停止
2023-7-15 23:33
0
游客
登录 | 注册 方可回帖
返回
//