Update README.md

iddoeldor 2018-06-08 16:30:52 +03:00 committed by GitHub
parent 74439328c0
commit 811ace70a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,17 +1,24 @@
### learn-frida-the-hard-way # Contents
- [Enumerate loaded classes](#enumerate-loaded-classes)
- [Extract modules from APK](#extract-modules-from-apk)
- [Get methods from .so file](#get-methods-from-so-file)
- [SQLite hook example](#sqlite-hook-example)
- [Hook Java refelaction](#hook-refelaction)
- [Hook constructor](#hook-constructor)
* Enumerate loaded classes
#### Enumerate loaded classes
``` ```
$ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes $ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes
``` ```
* Extract modules from APK #### Extract modules from APK
``` ```
$ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})" $ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})"
.... ....
-libsqlite.so -libsqlite.so
``` ```
* get methods from .so file #### Get methods from so file
``` ```
$ adb pull /system/lib/libsqlite.so $ adb pull /system/lib/libsqlite.so
/system/lib/libsqlite.so: 1 file pulled. 19.7 MB/s (975019 bytes in 0.047s) /system/lib/libsqlite.so: 1 file pulled. 19.7 MB/s (975019 bytes in 0.047s)
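Review bot: The new Contents entry `[Hook Java refelaction](#hook-refelaction)` misspells "reflection" in both the label and the anchor. Correct it to `[Hook Java reflection](#hook-reflection)` and rename the matching heading in the same change so the link still resolves. The entry `[Get methods from .so file]` also differs from its heading `#### Get methods from so file`, which drops the dot; use one spelling in both places.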
@ -30,7 +37,7 @@ $ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"on
24878 ms sqlite3_prepare16_v2() <<< this is the one that holds the SQL queries 24878 ms sqlite3_prepare16_v2() <<< this is the one that holds the SQL queries
24878 ms | sqlite3_free() 24878 ms | sqlite3_free()
``` ```
* SQLite hook example (+Native) #### SQLite hook
``` ```
Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), { Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), {
onEnter: function(args) { onEnter: function(args) {
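Review bot: The heading `#### SQLite hook` does not match the Contents link `[SQLite hook example](#sqlite-hook-example)` added at the top of this change. On GitHub-style renderers a heading with this text gets the slug `sqlite-hook`, so the link will not resolve. Either rename the heading to `#### SQLite hook example` or point the link at `#sqlite-hook`. The old title also carried "(+Native)", which is dropped here; keep it if the distinction from the Java hooks matters to readers.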
@ -39,7 +46,8 @@ Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2
}); });
``` ```
* Hook example: `java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)` #### Hook refelaction:
`java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)`
``` ```
Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) { Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) {
console.log('hooked!', a, b, c); console.log('hooked!', a, b, c);
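Review bot: The heading `#### Hook refelaction:` repeats the misspelling from the Contents entry and ends with a colon that none of the other new headings have. Use `#### Hook reflection` and update the Contents anchor to match. The signature `java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)` now stands as a bare paragraph under the heading; a short label in front of it would tell the reader it is the method being hooked.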
@ -47,7 +55,7 @@ Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2
}; };
``` ```
* Hook constructor #### Hook constructor
``` ```
Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) { Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) {
console.log("c'tor"); console.log("c'tor");
@ -82,7 +90,7 @@ Interceptor.attach(Module.findExportByName(null, "dlopen"), {
} }
}); });
``` ```
* print all runtime strings & stacktrace * Print all runtime strings & stacktrace
``` ```
Java.perform(function() { Java.perform(function() {
['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function(clazz, i) { ['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function(clazz, i) {
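Review bot: `* Print all runtime strings & stacktrace` is only capitalised and stays a bullet, while the sections above were converted to `####` headings, and it has no entry in the new Contents list. Convert it to `#### Print all runtime strings & stacktrace` and add the matching Contents link so the README uses one section style throughout.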