heibai2006/frida-snippets
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

print all runtime strings

Browse Source
This commit is contained in:
Iddo 2018-06-05 00:29:50 +03:00 committed by GitHub
parent b9d147ec5b
commit 8bc9bfd8eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 66 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
README.md
View File

@ -1,17 +1,18 @@
### learn-frida-the-hard-way ### learn-frida-the-hard-way
- Enumerate loaded classes * Enumerate loaded classes
```
$ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes $ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes
```
- Extract modules from APK * Extract modules from APK
```
$ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})" $ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})"
.... ....
-libsqlite.so -libsqlite.so
```
- get methods from .so file * get methods from .so file
```
$ adb pull /system/lib/libsqlite.so $ adb pull /system/lib/libsqlite.so
/system/lib/libsqlite.so: 1 file pulled. 19.7 MB/s (975019 bytes in 0.047s) /system/lib/libsqlite.so: 1 file pulled. 19.7 MB/s (975019 bytes in 0.047s)
$ nm -D libsqlite.so | cut -d' ' -f3 | grep sqlite3 $ nm -D libsqlite.so | cut -d' ' -f3 | grep sqlite3
@ -28,33 +29,31 @@
24878 ms sqlite3_clear_bindings() 24878 ms sqlite3_clear_bindings()
24878 ms sqlite3_prepare16_v2() <<< this is the one that holds the SQL queries 24878 ms sqlite3_prepare16_v2() <<< this is the one that holds the SQL queries
24878 ms | sqlite3_free() 24878 ms | sqlite3_free()
```
- SQLite hook example (+Native) * SQLite hook example (+Native)
```
Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), { Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), {
onEnter: function(args) { onEnter: function(args) {
console.log('DB: ' + Memory.readUtf16String(args[0]) + '\tSQL: ' + Memory.readUtf16String(args[1])); console.log('DB: ' + Memory.readUtf16String(args[0]) + '\tSQL: ' + Memory.readUtf16String(args[1]));
} }
}); });
```
* Hook example: `java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)` * Hook example: `java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)`
```
Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) { Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) {
console.log('hooked!', a, b, c); console.log('hooked!', a, b, c);
return this.invoke(a,b,c); return this.invoke(a,b,c);
}; };
```
* Hook constructor * Hook constructor
```
Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) { Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) {
console.log("c'tor"); console.log("c'tor");
return this(stringArgument); return this(stringArgument);
}; };
```
* Hook Native (JNI) * Hook Native (JNI)
``` ```
var moduleName = "libfoo.so"; var moduleName = "libfoo.so";
@ -83,7 +82,24 @@ Interceptor.attach(Module.findExportByName(null, "dlopen"), {
} }
}); });
``` ```
* print all runtime strings & stacktrace
```
Java.perform(function() {
['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function(clazz, i) {
console.log('[?] ' + i + ' = ' + clazz);
var func = 'toString';
Java.use(clazz)[func].implementation = function() {
var ret = this[func]();
send('[' + i + '] ' + ret);
// raising an exception to get stacktrace
Java.perform(function() {
send('[*] ' + Java.use('java.lang.Exception').$new().getStackTrace().toString().split(',')[1]);
});
}
return ret;
};
});
```
TODOs: TODOs:
- Add GIFs & docs - Add GIFs & docs