The installation of hook framework frida and a simple practical case

1. Download address https://github.co/frida/frida/releases ...
1. Download address
2. Two other installation methods
3. Simple and practical

2. Two other installation methods

1.Install from prebuilt binaries

This is the recommended way to get started. All you need to do is:

pip install frida-tools # CLI tools pip install frida # Python bindings npm install frida # Node.js bindings

You may also download pre-built binaries for various operating systems from Frida's releases page on GitHub.

2.Build your own binaries

Dependencies

For running the Frida CLI tools, i.e. frida, frida-ls-devices, frida-ps, frida-kill, frida-trace, and frida-discover, you need Python plus a few packages:

pip3 install colorama prompt-toolkit pygments

Linux

make

macOS and iOS

First make a trusted code-signing certificate. You can use the guide at https://sourceware.org/gdb/wiki/PermissionsDarwin in the sections "Create a certificate in the System Keychain" and "Trust the certificate for code signing". You can use the name frida-cert instead of gdb-cert if you'd like.

Next export the name of the created certificate to the environment variables MAC_CERTID and IOS_CERTID, and run make:

export MAC_CERTID=frida-cert export IOS_CERTID=frida-cert make

To ensure that macOS accepts the newly created certificate, restart the taskgated daemon:

sudo killall taskgated

Windows

frida.sln

(Requires Visual Studio 2017.)

3. Simple and practical

Get the current process of the front-end Activity of android phone

get_front_app.py

The content of get "front" app.py is as follows:

import frida rdev = frida.get_remote_device() front_app = rdev.get_frontmost_application() print front_app 12341234

Enumerate all processes of android phone

enum_process.py

The content of enum? Process.py is as follows:

import frida rdev = frida.get_remote_device() processes = rdev.enumerate_processes() for process in processes: print process 1234512345

Enumerates all modules loaded by a process and the exported functions in the modules

import frida rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") #If there are two identical process names, rdev.attach(pid) can be used modules = session.enumerate_modules() for module in modules: print module export_funcs = module.enumerate_exports() print "\tfunc_name\tRVA" for export_func in export_funcs: print "\t%s\t%s"%(export_func.name,hex(export_func.relative_address)) 1234567891012345678910

The native function of hook android

import frida import sys rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") scr = """ Interceptor.attach(Module.findExportByName("libc.so" , "open"), { onEnter: function(args) { send("open("+Memory.readCString(args[0])+","+args[1]+")"); }, onLeave:function(retval){ } }); """ script = session.create_script(scr) def on_message(message ,data): print message script.on("message" , on_message) script.load() sys.stdin.read() 12345678910111213141516171819201234567891011121314151617181920

java layer functions of hook android

The following code is hook wechat (test version is 6.3.13, different versions have different class names due to random generation of confusing names or code changes)
The random number generating function of com.tencent.mm.sdk.platformtools.ay class makes wechat guessing random (type=2), while the color shaker is always 6 points (type=5)

import frida import sys rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") scr = """ Java.perform(function () { var ay = Java.use("com.tencent.mm.sdk.platformtools.ay"); ay.pu.implementation = function(){ var type = arguments[0]; send("type="+type); if (type == 2) { return this.pu(type); } else { return 5; } }; }); """ script = session.create_script(scr) def on_message(message ,data): print message script.on("message" , on_message) script.load() sys.stdin.read() 123456789101112131415161718192021222324252627282930123456789101112131415161718192021222324252627282930

Inject dex into android process through frida

import frida, sys, optparse, re def on_message(message, data): if message['type'] == 'send': print("[*] ".format(message['payload'])) else: print(message) jscode = """ Java.perform(function () { var currentApplication = Java.use("android.app.ActivityThread").currentApplication(); var context = currentApplication.getApplicationContext(); var pkgName = context.getPackageName(); var dexPath = "%s"; var entryClass = "%s"; Java.openClassFile(dexPath).load(); console.log("inject " + dexPath +" to " + pkgName + " successfully!") Java.use(entryClass).%s("%s"); console.log("call entry successfully!") }); """ def checkRequiredArguments(opts, parser): missing_options = [] for option in parser.option_list: if re.match(r'^\[REQUIRED\]', option.help) and eval('opts.' + option.dest) == None: missing_options.extend(option._long_opts) if len(missing_options) > 0: parser.error('Missing REQUIRED parameters: ' + str(missing_options)) if __name__ == "__main__": usage = "usage: python %prog [options] arg\n\n" \ "example: python %prog -p com.android.launcher " \ "-f /data/local/tmp/test.apk " \ "-e com.parker.test.DexMain/main " \ "\"hello fridex!\"" parser = optparse.OptionParser(usage) parser.add_option("-p", "--package", dest="pkg", type="string", help="[REQUIRED]package name of the app to be injected.") parser.add_option("-f", "--file", dest="dexPath", type="string", help="[REQUIRED]path of the dex") parser.add_option("-e", "--entry", dest="entry", type="string", help="[REQUIRED]the entry function Name.") (options, args) = parser.parse_args() checkRequiredArguments(options, parser) if len(args) == 0: arg = "" else: arg = args[0] pkgName = options.pkg dexPath = options.dexPath entry = options.entry.split("/") if len(entry) > 1: entryClass = entry[0] entryFunction = entry[1] else: entryClass = entry[0] entryFunction = "main" process = frida.get_usb_device(1).attach(pkgName) jscode = jscode%(dexPath, entryClass, entryFunction, arg) script = process.create_script(jscode) script.on('message', on_message) print('[*] Running fridex') script.load() sys.stdin.read() 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666712345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667

Implementation of trace program call stack by injecting and throwing exception code

In the eighth chapter of the book, it is introduced to write exception code through repackaging for stack trace, but it is more troublesome and more convenient to use frida injection.

3 February 2020, 10:16 | Views: 2934

Add new comment

For adding a comment, please log in
or create account

0 comments