2020-08-09 23:30:20
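// hello.js: loaded with `frida -U -l hello.js <process> ...`.
// setTimeout() with no delay defers the body until after script load (delay
// presumably defaults to 0 — confirm against the Frida release in use), and
// Java.perform() guarantees the Java VM is attached before any Java API call.
setTimeout(function () {
  Java.perform(function () {
    // The original "n[*]" had lost its backslash; restore the leading newline.
    console.log("\n[*] enumerating classes...");
    // Runtime facts: Frida version, Frida's private heap size, and the JS runtime (DUK or V8).
    console.log("Frida version:" + Frida.version);
    console.log("Frida heapsize:" + Frida.heapSize);
    console.log("Script runtime:" + Script.runtime);
    // The other two console levels, for comparison with console.log.
    console.warn("warn");
    console.error("error");
    // Scan the Java heap for live BluetoothDevice instances; onMatch runs per
    // instance, onComplete once the scan has finished.
    Java.choose("android.bluetooth.BluetoothDevice", {
      onMatch: function (instance) {
        console.log("[*] " + " android.bluetooth.BluetoothDevice instance found" + " :=> '" + instance + "'");
        // instance is already a usable BluetoothDevice wrapper; no Java.cast() needed.
        console.log(instance.getName());
      },
      onComplete: function () { console.log("[*] -----"); }
    });
  });
});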
通过下面的命令运行程序
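# Attach over USB (-U) to android.process.media, load hello.js, enable the
# script debugger (--debug) and run the script on the V8 runtime.
# The original line had an en-dash ("–debug"); the flag is "--debug".
frida -U -l hello.js android.process.media --debug --runtime=v8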
上面对 console.log、console.warn、console.error 进行了介绍,望文生义即可理解它们的用途。
Frida.version: property containing the current Frida version, as a string.
Frida.heapSize: dynamic property containing the current size of Frida’s private heap, shared by all scripts and Frida’s own runtime. This is useful for keeping an eye on how much memory your instrumentation is using out of the total consumed by the hosting process.
Script.runtime: string property containing the runtime being used. Either DUK or V8.
hexdump(target[, options]): generate a hexdump from the provided ArrayBuffer or NativePointer target, optionally with options for customizing the output.
添加如下的代码:
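// Dump the first 64 bytes of libc's image. Module.findBaseAddress() returns
// null when no module of that name is loaded, and hexdump(null) would throw,
// so report that case instead of crashing the script.
var libc = Module.findBaseAddress('libc.so');
if (libc === null) {
  console.log("libc.so not found in target process");
} else {
  console.log(hexdump(libc, {
    offset: 0,       // start at the module base
    length: 64,      // bytes to dump
    header: true,    // print the column header row
    ansi: true       // colourised output
  }));
}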
运行:
send(message[, data]): send the JavaScript object message to your Frida-based application (it must be serializable to JSON).
- # -*- coding: utf-8 -*-
- import frida
- import sys
def on_message(message, data):
    """Print a message posted by the injected script.

    'send' messages are unwrapped to their payload; anything else (e.g. the
    'error' type) is printed verbatim so nothing is lost.
    """
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))
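# Script source sent to the target; load() injects it and starts it running.
jscode = """
Java.perform(function () {
    var jni_env = Java.vm.getEnv();
    console.log(jni_env);
    send(jni_env);
});
"""

# attach() returns a Session rather than a process handle; name it accordingly.
session = frida.get_usb_device().attach('android.process.media')
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
try:
    # Block until stdin is closed so the injected script keeps running.
    sys.stdin.read()
finally:
    # Always tear the session down so the script is unloaded from the target.
    session.detach()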
通过下面的结果可以看出,send输出的是json格式。
API | 含义 |
---|---|
new Int64(v) | create a new Int64 from v |
new UInt64(v) | create a new UInt64 from v |
new NativePointer(s) | creates a new NativePointer from the string s |
wrap(address, size) | creates an ArrayBuffer backed by an existing memory region |
new NativeFunction(address, returnType, argTypes[, abi]) | create a new NativeFunction to call the function at address |
new NativeCallback(func, returnType, argTypes[, abi]) | create a new NativeCallback implemented by the JavaScript function func |
new SystemFunction(address, returnType, argTypes[, abi]) | just like NativeFunction, but also provides a snapshot of the thread’s last error status |
ptr(s) | short-hand for new NativePointer(s) |
NULL | short-hand for ptr("0") |
添加如下代码:
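// Integer and pointer wrappers. The labels now match the values actually
// constructed (the originals said 0xEC644071 while building 0x123456).
console.log("new Int64(1):" + new Int64(1));
console.log("new UInt64(1):" + new UInt64(1));
console.log("new NativePointer(0x123456):" + new NativePointer(0x123456));
// ptr() is a plain function (short-hand for new NativePointer), so `new` is not needed.
console.log("ptr(0x123456):" + ptr(0x123456));
console.log("null point:" + ptr('0'));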
运行结果如下。接下来是对 Int64 的一些简单运算:
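// Int64 arithmetic. Each operation returns a new Int64, so every line starts
// from a fresh "8888".
// 8888 + 1 = 8889
console.log("8888 + 1:" + new Int64("8888").add(1));
// 8888 - 1 = 8887
console.log("8888 - 1:" + new Int64("8888").sub(1));
// shr() is a RIGHT shift: 8888 >> 1 = 4444 (the original label said "<<").
console.log("8888 >> 1:" + new Int64("8888").shr(1));
// compare() returns -1, 0 or 1 like a comparator, not a boolean: 8888 > 22 gives 1.
console.log("8888 compare 22:" + new Int64("8888").compare(22));
// Decimal string form.
console.log("8888 toString:" + new Int64("8888").toString());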
注释写的很清楚了:
Empty object that you can either replace or insert into to expose an RPC-style API to your application. The key specifies the method name and the value is your exported function.
- # -*- coding: utf-8 -*-
- import frida
- import sys
def on_message(message, data):
    """Print a message posted by the injected script.

    'send' messages are unwrapped to their payload; anything else (e.g. the
    'error' type) is printed verbatim so nothing is lost.
    """
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))
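# Script source sent to the target. Functions placed on rpc.exports become
# callable from Python as script.exports.<name>; a returned Promise is awaited
# by the caller before the call returns.
jscode = """
Java.perform(function () {
    var jni_env = Java.vm.getEnv();
    console.log(jni_env);
    send(jni_env);
});

rpc.exports = {
    add: function (a, b) {
        return a + b;
    },
    sub: function (a, b) {
        return new Promise(function (resolve) {
            setTimeout(function () {
                resolve(a - b);
            }, 100);
        });
    }
};
"""

# attach() returns a Session rather than a process handle; name it accordingly.
session = frida.get_usb_device().attach('android.process.media')
script = session.create_script(jscode)
script.on('message', on_message)
script.load()
try:
    # sub() resolves after 100 ms; the call blocks until then and prints -1.
    print(script.exports.sub(2, 3))
finally:
    # Detach even if the RPC call raises, so the script is unloaded from the target.
    session.detach()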
script.on('message', on_message) is used to monitor for any messages from the injected process, JavaScript side.
通过如下的代码获取进程相关信息:
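// Basic facts about the instrumented process.
console.log("目标进程的PID:" + Process.id);
// Original line was missing its semicolon.
console.log("调试器是否附加到目标进程:" + Process.isDebuggerAttached());
// Modules loaded in the process, one name per line. forEach() avoids the
// two `var i` declarations the original for-loops shared.
var modules = Process.enumerateModules();
modules.forEach(function (module) {
  console.log("", module.name);
});
// Every thread in the process: id, state and a JSON snapshot of its CPU context.
var threads = Process.enumerateThreads();
threads.forEach(function (thread) {
  console.log("");
  console.log("id:", thread.id);
  console.log("state:", thread.state);
  console.log("context:", JSON.stringify(thread.context));
});
// OS-level id of the thread running this script.
console.log("this thread’s OS-specific id as a number:" + Process.getCurrentThreadId());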
运行上面的程序,可以获取到进程相关的信息。这里说一下线程: Process.enumerateThreads() 枚举当前所有的线程,返回一个对象数组,每个对象包含 id、state、context 等属性(见上面代码中的用法):
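// Combined walkthrough of everything above: console levels, Java.choose(),
// hexdump(), the Int64/NativePointer wrappers and the Process API, all run
// inside Java.perform() so the Java VM is attached first. setTimeout() with no
// delay defers the body until after script load (delay presumably 0 — confirm).
setTimeout(function () {
  Java.perform(function () {
    // The original "n[*]" had lost its backslash; restore the leading newline.
    console.log("\n[*] enumerating classes...");
    console.log("Frida version:" + Frida.version);
    console.log("Frida heapsize:" + Frida.heapSize);
    console.log("Script runtime:" + Script.runtime);
    console.warn("warn");
    console.error("error");

    // Scan the Java heap for live BluetoothDevice instances; onMatch runs per
    // instance, onComplete once the scan has finished.
    Java.choose("android.bluetooth.BluetoothDevice", {
      onMatch: function (instance) {
        console.log("[*] " + " android.bluetooth.BluetoothDevice instance found" + " :=> '" + instance + "'");
        // instance is already a usable BluetoothDevice wrapper; no Java.cast() needed.
        console.log(instance.getName());
      },
      onComplete: function () { console.log("[*] -----"); }
    });

    // First 64 bytes of libc's image. findBaseAddress() returns null when the
    // module is not loaded and hexdump(null) would throw, so guard it.
    var libc = Module.findBaseAddress('libc.so');
    if (libc === null) {
      console.log("libc.so not found in target process");
    } else {
      console.log(hexdump(libc, {
        offset: 0,
        length: 64,
        header: true,
        ansi: true
      }));
    }
    console.log("");

    // Integer and pointer wrappers; labels match the values actually built.
    console.log("new Int64(1):" + new Int64(1));
    console.log("new UInt64(1):" + new UInt64(1));
    console.log("new NativePointer(0x123456):" + new NativePointer(0x123456));
    // ptr() is a plain function (short-hand for new NativePointer); no `new` needed.
    console.log("ptr(0x123456):" + ptr(0x123456));
    console.log("null point:" + ptr('0'));
    console.log("");

    // Int64 arithmetic; each operation returns a new Int64.
    // 8888 + 1 = 8889
    console.log("8888 + 1:" + new Int64("8888").add(1));
    // 8888 - 1 = 8887
    console.log("8888 - 1:" + new Int64("8888").sub(1));
    // shr() is a RIGHT shift: 8888 >> 1 = 4444 (the original label said "<<").
    console.log("8888 >> 1:" + new Int64("8888").shr(1));
    // compare() returns -1, 0 or 1 like a comparator, not a boolean: 8888 > 22 gives 1.
    console.log("8888 compare 22:" + new Int64("8888").compare(22));
    // Decimal string form.
    console.log("8888 toString:" + new Int64("8888").toString());

    // Process facts. The original isDebuggerAttached() line lacked a semicolon.
    console.log("目标进程的PID:" + Process.id);
    console.log("调试器是否附加到目标进程:" + Process.isDebuggerAttached());
    // Loaded modules, one name per line (forEach avoids the shared `var i`).
    var modules = Process.enumerateModules();
    modules.forEach(function (module) {
      console.log("", module.name);
    });
    // Every thread: id, state and a JSON snapshot of its CPU context.
    var threads = Process.enumerateThreads();
    threads.forEach(function (thread) {
      console.log("");
      console.log("id:", thread.id);
      console.log("state:", thread.state);
      console.log("context:", JSON.stringify(thread.context));
    });
    // OS-level id of the thread running this script.
    console.log("this thread’s OS-specific id as a number:" + Process.getCurrentThreadId());
  });
});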