heibai2006/frida-snippets
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
frida示例代码仓库
20 Commits 2 Branches 0 Tags 6.8 MiB
JavaScript 73%
Python 25.2%
Shell 1.8%
bddd05d878
Go to file
Iddo bddd05d878
Rename how2_access_inner_class_static_field.MD to how_to_access_inner_class_static_field.md
2018-05-31 11:43:47 +03:00
check_for_native_calls.py get stack trace for native invokes 2018-04-23 19:06:53 +03:00
dump_dynamically_created_files.py dump dynamically created files to local 2018-04-23 19:00:54 +03:00
how_to_access_inner_class_static_field.md Rename how2_access_inner_class_static_field.MD to how_to_access_inner_class_static_field.md 2018-05-31 11:43:47 +03:00
install_frida_server.sh install frida server 2018-05-23 10:57:31 +03:00
log_string_builders_and_string_compare.js log strings 2018-04-23 19:22:44 +03:00
README.md nm long flags 2018-05-30 18:47:02 +03:00

README.md

learn-frida-the-hard-way

TODOs:

  • Add GIFs & docs

  • Enumerate loaded classes

    $ frida -U com.pkg -qe 'Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(c){console.log(c);}});});' -o pkg.classes

  • Extract modules from APK

      $ frida -Uq com.android. -e "Process.enumerateModules({onMatch: function(m){console.log('-' + m.name)},onComplete:function(){}})"
  ....
  -libsqlite.so

  • get methods from .so file

      $ adb pull /system/lib/libsqlite.so
   /system/lib/libsqlite.so: 1 file pulled. 19.7 MB/s (975019 bytes in 0.047s)
  $ nm -D libsqlite.so | cut -d' ' -f3 | grep sqlite3
  sqlite3_aggregate_context
  sqlite3_aggregate_count
  ....

  $ frida-trace -U -i "sqlite*" com.android.
  ...
   24878 ms  sqlite3_changes()
   24878 ms  sqlite3_reset()
   24878 ms     | sqlite3_free()
   24878 ms     | sqlite3_free()
   24878 ms  sqlite3_clear_bindings()
   24878 ms  sqlite3_prepare16_v2()  <<< this is the one that holds the SQL queries
   24878 ms     | sqlite3_free()

  • SQLite hook example (+Native)

      Interceptor.attach(Module.findExportByName('libsqlite.so', 'sqlite3_prepare16_v2'), {
      onEnter: function(args) {
          console.log('DB: ' + Memory.readUtf16String(args[0]) + '\tSQL: ' + Memory.readUtf16String(args[1]));
      }
  });

  • Hook example: java.lang.reflect.Method#invoke(Object obj, Object... args, boolean bool)

      Java.use('java.lang.reflect.Method').invoke.overload('java.lang.Object', '[Ljava.lang.Object;', 'boolean').implementation = function(a,b,c) {
      console.log('hooked!', a, b, c);
      return this.invoke(a,b,c);
  };

  • Hook constructor

      Java.use('java.lang.StringBuilder').$init.overload('java.lang.String').implementation = function(stringArgument) {
      console.log("c'tor");
      return this(stringArgument);
  };

  • Hook Native (JNI)

Interceptor.attach(Module.findExportByName(null, "dlopen"), {
    onEnter: function(args) {
        var lib = Memory.readUtf8String(args[0]);
        console.log("dlopen called with: " + lib);
        this.lib = lib; // pass argument to onLeave
    },
    onLeave: function(retval) {
        console.log("dlopen called exit with: " + this.lib);
        if (this.lib.endsWith("libfoo.so")) {
            console.log("ret: " + retval);
            var funcAddr = 0x0021e5b4; // find function address with $ nm --demangle --dynamic libfoo.so | grep "SomeClass::someFunction"
            var offset = Module.findBaseAddress("libfoo.so"); // Process.findModuleByName("libfoo.so").base) will also work     
            Interceptor.attach(offset.add(funcAddr), {
                onEnter: function(args) {
                    console.log('hooked !');
                }
            });
        }
    }
});

References overview:

https://techblog.mediaservice.net/2017/09/tracing-arbitrary-methods-and-function-calls-on-android-and-ios/