整理了下frida关于so的一些基本应用常用的方法。因为大多数人应该和我一样,都是逆向界的小白,还有就是做爬虫的,平时逆向的也不多,时间久了,很多知识就忘记了,所以归纳总结了下,用到的时候,简单看下。
通过枚举的方式来获取模块列表,再通过筛选的方式,来大概定位我们需要的模块信息。这里通过包名的过滤,从几百个module里面找到了2条,其中一条就是我们需要的。
在so文件开发的过程中,不可避免的会使用到系统函数。
举例:得到libart.so中的RegisterNatives的内存地址,代码如下:
想要对so函数进行hook必须先到到函数的内存地址。
获取导出函数的内存地址,除了枚举的方式,还有findExportByName和 getExportByName。获取到函数的地址之后(NativePointer)就可以使用Interceptor attach 进行hook
在so文件中,获取到函数的内存地址,即可hook。而内存地址除了通过frida提供的API获取,还可以自己计算。
计算公式 : so文件基址 + 函数相对偏移地址[+1]
对于数值参数的修改,不能将参数直接等于100,比如args[1]=100,在C里面参数传递的都是指针形式的,那么100就不能直接传递了。可以通过 ptr(100)传递或者直接将100写入寄存器中。返回值retval也是一样的,修改的话用 replace
注意:不能将字符串直接传入ptr中,ptr虽然可以接收string参数,但是必须是能转换成数值的。
writeByteArray用于从指定的地址写入内存数据。
在内存中申请空间,写入字符串后,将空间地址赋给参数。Memory的alloc方法可以用来申请指定的字节数的内存,会以NativePointer的形式返回这段内存的首地址。再通过NativePointer的writeByteArray写入字节数据。allocUtf8String这个函数内部封装了 直接用就行。
function hook_module1() {
Java.perform(function () {
var module_list = Process.enumerateModules();
for (var index = 0; index < module_list.length; index++) {
var module_one = module_list[index];
if (module_one.path.indexOf("com.gdufs.xman") != -1) {
console.log("module_one ", JSON.stringify(module_one))
}
}
})
}
module_one {"name":"base.odex","base":"0xde48c000","size":2760704,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/oat/arm/base.odex"}
module_one {"name":"libmyjni.so","base":"0xde359000","size":24576,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/lib/arm/libmyjni.so"}
function hook_module1() {
Java.perform(function () {
var module_list = Process.enumerateModules();
for (var index = 0; index < module_list.length; index++) {
var module_one = module_list[index];
if (module_one.path.indexOf("com.gdufs.xman") != -1) {
console.log("module_one ", JSON.stringify(module_one))
}
}
})
}
module_one {"name":"base.odex","base":"0xde48c000","size":2760704,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/oat/arm/base.odex"}
module_one {"name":"libmyjni.so","base":"0xde359000","size":24576,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/lib/arm/libmyjni.so"}
function hook_module2() {
Java.perform(function () {
var module_data = Process.getModuleByName("libmyjni.so");
console.log(JSON.stringify(module_data));
var module_base = module_data.base;
console.log("module_base : ", module_base);
})
}
{"name":"libmyjni.so","base":"0xde359000","size":24576,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/lib/arm/libmyjni.so"}
function hook_module2() {
Java.perform(function () {
var module_data = Process.getModuleByName("libmyjni.so");
console.log(JSON.stringify(module_data));
var module_base = module_data.base;
console.log("module_base : ", module_base);
})
}
{"name":"libmyjni.so","base":"0xde359000","size":24576,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/lib/arm/libmyjni.so"}
function hook_module3() {
Java.perform(function () {
var module_data_addr = Process.getModuleByAddress(0xde359000);
console.log("module_data_addr : ", JSON.stringify(module_data_addr));
})
}
{"name":"libmyjni.so","base":"0xde359000","size":24576,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/lib/arm/libmyjni.so"}
function hook_module3() {
Java.perform(function () {
var module_data_addr = Process.getModuleByAddress(0xde359000);
console.log("module_data_addr : ", JSON.stringify(module_data_addr));
})
}
{"name":"libmyjni.so","base":"0xde359000","size":24576,"path":"/data/app/com.gdufs.xman-ezNKFeRbVjUuHuaB1LWSdQ==/lib/arm/libmyjni.so"}
function hook_so_1() {
Java.perform(function () {
var imports_data = Process.getModuleByName("libmyjni.so").enumerateImports();
for (var index = 0; index < imports_data.length; index++) {
const import_data = imports_data[index];
console.log(JSON.stringify(import_data))
}
})
}
{"type":"function","name":"__cxa_atexit","module":"/system/lib/libc.so","address":"0xf486c721"}
{"type":"function","name":"fopen","module":"/system/lib/libc.so","address":"0xf48647f1"}
{"type":"function","name":"__android_log_print","module":"/system/lib/liblog.so","address":"0xf4929b59"}
{"type":"function","name":"strlen","module":"/system/lib/libc.so","address":"0xf4821d85"}
{"type":"function","name":"fputs","module":"/system/lib/libc.so","address":"0xf486598d"}
function hook_so_1() {
Java.perform(function () {
var imports_data = Process.getModuleByName("libmyjni.so").enumerateImports();
for (var index = 0; index < imports_data.length; index++) {
const import_data = imports_data[index];
console.log(JSON.stringify(import_data))
}
})
}
{"type":"function","name":"__cxa_atexit","module":"/system/lib/libc.so","address":"0xf486c721"}
{"type":"function","name":"fopen","module":"/system/lib/libc.so","address":"0xf48647f1"}
{"type":"function","name":"__android_log_print","module":"/system/lib/liblog.so","address":"0xf4929b59"}
{"type":"function","name":"strlen","module":"/system/lib/libc.so","address":"0xf4821d85"}
{"type":"function","name":"fputs","module":"/system/lib/libc.so","address":"0xf486598d"}
function hook_so_2() {
Java.perform(function () {
var exports_data = Process.getModuleByName("libmyjni.so").enumerateExports();
for (var index = 0; index < exports_data.length; index++) {
const export_data = exports_data[index];
console.log(JSON.stringify(export_data))
}
})
}
{"type":"function","name":"getValue","address":"0xde35a321"}
{"type":"function","name":"setValue","address":"0xde35a365"}
{"type":"function","name":"callWork","address":"0xde35a445"}
{"type":"function","name":"JNI_OnLoad","address":"0xde35a509"}
function hook_so_2() {
Java.perform(function () {
var exports_data = Process.getModuleByName("libmyjni.so").enumerateExports();
for (var index = 0; index < exports_data.length; index++) {
const export_data = exports_data[index];
console.log(JSON.stringify(export_data))
}
})
}
{"type":"function","name":"getValue","address":"0xde35a321"}
{"type":"function","name":"setValue","address":"0xde35a365"}
{"type":"function","name":"callWork","address":"0xde35a445"}
{"type":"function","name":"JNI_OnLoad","address":"0xde35a509"}
function hook_so_3() {
Java.perform(function () {
var symbols_data = Process.getModuleByName("libart.so").enumerateSymbols();
var RegisterNatives_addr = NULL;
for (var index = 0; index < symbols_data.length; index++) {
const symbol_data = symbols_data[index];
if(symbol_data.name.indexOf("CheckJNI") ==-1 && symbol_data.name.indexOf("RegisterNatives") != -1){
console.log(JSON.stringify(symbol_data))
RegisterNatives_addr = symbol_data.address;
}
}
console.log("RegisterNatives_addr : ",RegisterNatives_addr)
})
}
{"isGlobal":false,"type":"function","name":"_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi","address":"0xf24ac1fd","size":4632}
RegisterNatives_addr : 0xf24ac1fd
function hook_so_3() {
Java.perform(function () {
var symbols_data = Process.getModuleByName("libart.so").enumerateSymbols();
var RegisterNatives_addr = NULL;
for (var index = 0; index < symbols_data.length; index++) {
const symbol_data = symbols_data[index];
if(symbol_data.name.indexOf("CheckJNI") ==-1 && symbol_data.name.indexOf("RegisterNatives") != -1){
console.log(JSON.stringify(symbol_data))
RegisterNatives_addr = symbol_data.address;
}
}
console.log("RegisterNatives_addr : ",RegisterNatives_addr)
})
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
还是要看懂伪c代码才行
