23
2023-6
今天距2024年191天
这是鸣谦安全第152次推文
本文1526字,阅读约需3分钟
objection可以查看到类,但是hook不到
这是因为没有切换 ClassLoader
模板如下:
1functionhook(){2Java.perform(function(){3console.log("start")4Java.enumerateClassLoaders({5onMatch:function(loader){6try{7if(loader.findClass("类名")) {8console.log("Successfully found loader")9console.log(loader);10Java.classFactory.loader = loader;11}12}13catch(error) {14console.log("find error:"+ error)15}16},17onComplete:function(){18console.log("end1")19}20})21Java.use("类名").count.implementation =function(参数){22returnthis.count(参数);2324}25})26}
遍历类的所有方法
遍历类的所有方法,用的就是反射的 getDeclaredMethod
1functiontraceClass(类名){2Java.perform(function(){3varhook = Java.use(类名);4varmethods = hook.class.getDeclaredMethods();5hook.$dispose;6methods.forEach(function(method){7console.log(method)8});9})10}
hook 类的重载方法
实现一次性 hook 所有重载方法
1functiontraceMethod(){23vartargetClass ="类名"4vartargetMethod ="重载方法名"5Java.perform(function(){6varhook = Java.use(targetClass);7// 获取重载的数量8varoverloadCount = hook[targetMethod].overloads.length;910console.log("Tracing "+ targetMethod +" ["+ overloadCount +" overload(s)]");1112for(vari =0; i < overloadCount; i++) {13// 进行 hook14hook[targetMethod].overloads[i].implementation =function(){15console.warn("n*** entered "+ targetMethod);16// 打印参数17for(varj =0; j <arguments.length; j++) {18console.log("arg["+ j +"]: "+arguments[j]);19}20// 打印调用栈21varbt = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());22console.log("nBacktrace:n"+ bt);2324// 打印返回值25varretval =this[targetMethod].apply(this,arguments);26console.log("nretval: "+ retval);27console.warn("n*** exiting "+ targetMethod);28returnretval;2930}31};32})33}
hook类的所有方法
将二三结合,就可以实现 hook 类的所有方法。
1functionuniqBy(array, key){2varseen = {};3returnarray.filter(function(item){4vark = key(item);5returnseen.hasOwnProperty(k) ?false: (seen[k] =true);6});7}89functiontraceMethod(targetClassMethod){10vardelim = targetClassMethod.lastIndexOf(".");11if(delim ===-1)return;12vartargetClass = targetClassMethod.slice(0, delim)13vartargetMethod = targetClassMethod.slice(delim +1, targetClassMethod.length)14Java.perform(function(){15varhook = Java.use(targetClass);16varoverloadCount = hook[targetMethod].overloads.length;1718console.log("Tracing "+ targetClassMethod +" ["+ overloadCount +" overload(s)]");1920for(vari =0; i < overloadCount; i++) {2122hook[targetMethod].overloads[i].implementation =function(){23console.warn("n*** entered "+ targetClassMethod);2425for(varj =0; j <arguments.length; j++) {26console.log("arg["+ j +"]: "+arguments[j]);27}2829varbt = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());30console.log("nBacktrace:n"+ bt);3132varretval =this[targetMethod].apply(this,arguments);33console.log("nretval: "+ retval);34console.warn("n*** exiting "+ targetClassMethod);35returnretval;36}37}38});3940}4142functiontraceClass(targetClass){43Java.perform(function(){44varhook = Java.use(targetClass);45varmethods = hook.class.getDeclaredMethods();46hook.$dispose;47varparsedMethods = [];48methods.forEach(function(method){49parsedMethods.push(method.toString().replace(targetClass +".","TOKEN").match(/sTOKEN(.*)(/)[1]);50});51vartargets = uniqBy(parsedMethods,JSON.stringify);52targets.forEach(function(targetMethod){53traceMethod(targetClass +"."+ targetMethod);54});55})56}
使用方法,进入 frida 后,输入 traceClass("类名")
参考链接:
https://github.com/r0ysue/AndroidFridaSeniorBook/blob/main/Chap05/hookXposed.js
原文始发于微信公众号(鸣谦安全):Frida遍历脚本整理
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论