Contents:
- Using the frida-inject tool, with notes
- Building the frida-inject tool into the phone's system image
1. Introduction to frida-inject
frida-inject is a tool shipped with Frida that can be placed directly on the phone and run there to inject a JavaScript script into an App process for hooking. In other words, with the frida-inject command, injection no longer needs a PC.
Normally, when we instrument an App with Frida, the Frida tools are installed on the PC and frida-server is pushed to the phone. frida-server is started on the phone and listens on a port; the Frida tools on the PC connect to frida-server over that port and send it commands, which frida-server then carries out.
2. Using frida-inject
2.1 Viewing the frida-inject command help
After downloading frida-inject, push it to the phone with adb push, for example to "/data/local/tmp/frida-inject". A reference adb push session:
    C:\Users\Qiang>adb push E:\workspace\素材\frida-inject-14.2.14-android-arm64 /data/local/tmp/frida-inject
    E:\workspace\素材\frida-inject-14.2.14-android-arm64: 1 file pushed, 0 skipped. 37.7 MB/s (41616776 bytes in 1.052s)
    C:\Users\Qiang>adb shell chmod 777 /data/local/tmp/frida-inject
    C:\Users\Qiang>
Run the following commands to display the help for the frida-inject command:
    C:\Users\Qiang>adb shell
    OnePlus3:/ # cd /data/local/tmp
    OnePlus3:/data/local/tmp # ls
    d4484278-8615-41b0-9223-d849429bf888 frida-inject test.js
    OnePlus3:/data/local/tmp # ./frida-inject -h
    Usage:
      frida [OPTION…]

    Help Options:
      -h, --help                        Show help options

    Application Options:
      -D, --device=ID                   connect to device with the given ID
      -f, --file=FILE                   spawn FILE
      -p, --pid=PID                     attach to PID
      -n, --name=NAME                   attach to NAME
      -r, --realm=REALM                 attach in REALM
      -s, --script=JAVASCRIPT_FILENAME
      -R, --runtime=qjs|v8              Script runtime to use
      -P, --parameters=PARAMETERS_JSON  Parameters as JSON, same as Gadget
      -e, --eternalize                  Eternalize script and exit
      -i, --interactive                 Interact with script through stdin
      --development                     Enable development mode
      --version                         Output version information and exit
    OnePlus3:/data/local/tmp #
Below is a simple test of injecting into an App with the frida-inject command; the reference commands are:
    C:\Users\Qiang>adb shell
    OnePlus3:/ # cd /data/local/tmp
    OnePlus3:/data/local/tmp # ls
    OnePlus3:/data/local/tmp # ./frida-inject -f com.android.jnidemo01 -s /data/local/tmp/test.js -e
    OnePlus3:/data/local/tmp #
The test.js script run above is shown below; it is a minimal script that just writes HelloWorld to the log.
    // test.js: write a line to logcat through android.util.Log from inside the App
    function Log(info) {
        Java.perform(function () {
            var LogCls = Java.use("android.util.Log");
            LogCls.d("HelloWorld", info); // tag "HelloWorld", message info
        });
    }

    function main() {
        Log("hello frida-inject!");
        Log("goodbye frida-inject!");
    }

    // run main once the script has been loaded into the process
    setImmediate(main);
3. Downloading frida-inject
Choose the build that matches your phone's platform; download from:
https://github.com/frida/frida/releases
This post, for example, uses "frida-inject-14.2.14-android-arm64".
4. Building frida-inject into the system
4.1 Create the module directory myfridainject
Create the module directory "frameworks/base/cmds/mycmds/fridainject" under the source root, for example:
qiang@ubuntu:~/lineageOs$ mkdir -p frameworks/base/cmds/mycmds/fridainject
qiang@ubuntu:~/lineageOs$
4.2 Create the module myfridainjectarm64
(1) Copy the downloaded frida-inject binary into the "myfridainject" directory and rename it "myfridainjectarm64", as shown below:
qiang@ubuntu:~/lineageOs/frameworks/base/cmds/mycmds/fridainject$ ls -la myfridainjectarm64
-rwxrw-rw- 1 qiang qiang 41616776 4月 3 18:54 myfridainjectarm64
qiang@ubuntu:~/lineageOs/frameworks/base/cmds/mycmds/fridainject$
(2) In the same myfridainject directory, create the module build file Android.mk with the following module configuration:
#///ADD START
#///ADD END
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := myfridainjectarm64
LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_SRC_FILES := myfridainjectarm64
include $(BUILD_PREBUILT)
4.3 Add the module myfridainjectarm64 to the source build chain
After creating the module myfridainjectarm64 as above, building the flashable image straight away will not put it into the phone's system image. The module "myfridainjectarm64" must first be added to the source tree's list of modules to build.
In Android, a module is added to the build by appending it in the file "build/make/target/product/base_system.mk". Reference contents after adding the myfridainjectarm64 module:
#///ADD START
# add frida server to system
# kernellogdx kernellogd gettopactivity
#///ADD END
# Base modules and settings for the system partition.
PRODUCT_PACKAGES += \
    myfridainjectarm64 \
    kernellogdx \
    ...
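The steps in 4.1 to 4.3 are easy to get slightly wrong by hand (a missing "\" continuation in PRODUCT_PACKAGES, or the module appended twice on a second attempt). The following POSIX shell script is an added example, not code from the original post, that carries out those three steps for any prebuilt binary and makes the base_system.mk edit idempotent. It assumes the post's layout (frameworks/base/cmds/mycmds/fridainject and build/make/target/product/base_system.mk); the function names are this example's own, and the second function checks the standard AOSP output location out/target/product/<device>/system/bin, which the post does not show.

```shell
#!/bin/sh
# Added example (not the original post's code): automate steps 4.1-4.3 for a
# prebuilt binary. Directory layout follows the post; function names are this
# example's own.

# add_prebuilt_module SRC_ROOT MODULE_NAME BINARY_PATH
# Creates the module directory, copies the binary in under the module name,
# writes an Android.mk for BUILD_PREBUILT, and appends the module to
# PRODUCT_PACKAGES in base_system.mk unless it is already listed there.
add_prebuilt_module() {
    root="$1"; module="$2"; binary="$3"
    moddir="$root/frameworks/base/cmds/mycmds/fridainject"
    mkfile="$root/build/make/target/product/base_system.mk"

    [ -f "$binary" ] || { echo "binary not found: $binary" >&2; return 1; }
    [ -f "$mkfile" ] || { echo "base_system.mk not found: $mkfile" >&2; return 1; }

    # Step 4.1 and 4.2 (1): module directory and the renamed, executable binary.
    mkdir -p "$moddir"
    cp "$binary" "$moddir/$module"
    chmod 755 "$moddir/$module"

    # Step 4.2 (2): the prebuilt module definition, same content as in the post.
    cat > "$moddir/Android.mk" <<EOF
LOCAL_PATH := \$(call my-dir)
include \$(CLEAR_VARS)
LOCAL_MODULE := $module
LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_SRC_FILES := $module
include \$(BUILD_PREBUILT)
EOF

    # Step 4.3: list the module in PRODUCT_PACKAGES. Check first so a second
    # run does not add it twice; the pattern also accepts a trailing "\", so an
    # entry in the middle of an existing continued list is recognised too.
    if grep -qE "^[[:space:]]*${module}[[:space:]]*(\\\\)?[[:space:]]*$" "$mkfile"; then
        echo "$module already listed in $mkfile"
        return 0
    fi
    # A separate "PRODUCT_PACKAGES +=" statement is appended instead of editing
    # the existing list in place; make merges both into one list.
    printf '\n#///ADD START\nPRODUCT_PACKAGES += \\\n    %s\n#///ADD END\n' "$module" >> "$mkfile"
}

# built_binary_path SRC_ROOT DEVICE MODULE_NAME
# After "brunch DEVICE", the prebuilt should sit at the standard AOSP output
# location. Prints that path, or returns 1 if it is missing or not executable,
# i.e. the module never made it into the build.
built_binary_path() {
    path="$1/out/target/product/$2/system/bin/$3"
    [ -x "$path" ] || return 1
    printf '%s\n' "$path"
}

# Usage with the post's values (uncomment to run):
# add_prebuilt_module "$HOME/lineageOs" myfridainjectarm64 "$HOME/frida-inject-14.2.14-android-arm64"
# built_binary_path "$HOME/lineageOs" oneplus3 myfridainjectarm64
```

Run it once before section 5; if the build later finishes without the binary appearing under out/target/product/oneplus3/system/bin, the module was not picked up and the PRODUCT_PACKAGES edit is the first place to look.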
5. Building the system
Run the following commands to build the flashable image for the phone:
qiang@ubuntu:~/lineageOs$ source build/envsetup.sh
qiang@ubuntu:~/lineageOs$ breakfast oneplus3
qiang@ubuntu:~/lineageOs$ brunch oneplus3
6. Verification
Run the following commands to check that the tool was built in (run from Ubuntu):
qiang@ubuntu:~/lineageOs$ adb shell
OnePlus3:/ # myfridainjectarm64 --version
14.2.14
OnePlus3:/ #
Originally published on the WeChat official account 哆啦安全: Building the frida-inject tool into the phone's system image