Frida reverse engineering: hooking a function and passing it an argument

Posted dounine


The C++ function under test is as follows.
main.cpp

#include <iostream>
#include <Windows.h>

// Target function: takes one int argument (cdecl, so it arrives on the stack)
void showAge(int age) {
    std::cout << age << std::endl;
}

int main() {
    SetConsoleTitle("Demo");
    showAge(18);
    std::cin.get();   // keep the process alive so Frida can attach
    return 0;
}
Run it, then use x32dbg to find the offset of showAge within the module: 0x128F.
Tip: push dword ptr [ebp+8] encodes as the hex bytes 0xff 0x75 (N), where N is the 8-bit displacement (here 8).

main.ts

import log from "./logger.js";
let address = Process.findModuleByName("demo.exe");
let codeSize = Process.pageSize;
// Allocate one page for the trampoline and write executable code into it
let imp: NativePointer = Memory.alloc(codeSize);
Memory.patchCode(imp, codeSize, code => {
   // pc must be the stub's real address so the relative call is computed correctly
   let writer = new X86Writer(code, { pc: imp });
   writer.putPushReg("ebp");                                              // push ebp
   writer.putMovRegReg("ebp", "esp");                                     // mov ebp, esp
   writer.putBytes(new Uint8Array([0xff, 0x75, 8]).buffer as ArrayBuffer); // push dword ptr ss:[ebp + 8] (the int argument)
   writer.putCallAddress(address?.base.add(0x128F)!);                     // call <module base> + 0x128F (showAge)
   writer.putAddRegImm("esp", 4);                                         // add esp, 4 (cdecl: caller cleans up)
   writer.putMovRegReg("esp", "ebp");                                     // mov esp, ebp
   writer.putPopReg("ebp");                                               // pop ebp
   writer.putRet();                                                       // ret
   writer.flush();
});
// Expose the stub as a callable cdecl function taking one int
let callMemFun = new NativeFunction(imp, 'void', ['int']);
let result = callMemFun(4);
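To see exactly which bytes the X86Writer calls above produce (and why `pc: imp` matters for the relative call), the following added example hand-assembles the same eight-instruction stub offline; it is not part of the original post, needs no Frida runtime, and the stub and module addresses it uses are constructed values.

```typescript
// Added example (not from the original post): assemble the 32-bit trampoline from
// main.ts by hand so its bytes can be inspected without a running Frida session.
type Reg32 = "eax" | "ecx" | "edx" | "ebx" | "esp" | "ebp" | "esi" | "edi";
const REG: Record<Reg32, number> = { eax: 0, ecx: 1, edx: 2, ebx: 3, esp: 4, ebp: 5, esi: 6, edi: 7 };

function le32(v: number): number[] {
  return [v & 0xff, (v >>> 8) & 0xff, (v >>> 16) & 0xff, (v >>> 24) & 0xff];
}

class Stub {
  bytes: number[] = [];
  constructor(readonly pc: number) {}                 // pc = address the stub will live at
  pushReg(r: Reg32) { this.bytes.push(0x50 + REG[r]); }          // push r32  (50+rd)
  popReg(r: Reg32) { this.bytes.push(0x58 + REG[r]); }           // pop r32   (58+rd)
  movRegReg(dst: Reg32, src: Reg32) {                            // mov r/m32, r32 (89 /r)
    this.bytes.push(0x89, 0xc0 | (REG[src] << 3) | REG[dst]);
  }
  pushMemEbpDisp8(disp: number) {                                // push dword ptr [ebp+disp8] (ff /6)
    this.bytes.push(0xff, 0x75, disp & 0xff);                    // the "0xff75(N)" tip from the post
  }
  addEspImm8(imm: number) { this.bytes.push(0x83, 0xc4, imm & 0xff); } // add esp, imm8 (83 /0 ib)
  callAddress(target: number) {                                  // call rel32 (E8), disp relative to next insn
    const next = this.pc + this.bytes.length + 5;
    this.bytes.push(0xe8, ...le32((target - next) | 0));
  }
  ret() { this.bytes.push(0xc3); }
  hex(): string { return this.bytes.map(b => b.toString(16).padStart(2, "0")).join(" "); }
}

// Same sequence as main.ts. The int passed to the NativeFunction is pushed by the
// cdecl caller, so after "push ebp" it sits at [ebp+8] and is forwarded to showAge.
function buildShowAgeStub(stubAddress: number, moduleBase: number, showAgeOffset = 0x128f): Stub {
  const s = new Stub(stubAddress);
  s.pushReg("ebp");
  s.movRegReg("ebp", "esp");
  s.pushMemEbpDisp8(8);
  s.callAddress(moduleBase + showAgeOffset);
  s.addEspImm8(4);
  s.movRegReg("esp", "ebp");
  s.popReg("ebp");
  s.ret();
  return s;
}

// Constructed addresses: stub page at 0x00500000, demo.exe loaded at 0x00400000
console.log(buildShowAgeStub(0x00500000, 0x00400000).hex());
```

If the call displacement looks wrong when you compare against a disassembly, the usual cause is a `pc` that does not match where the stub actually executes.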

Run:

frida -l .\_agent.js Demo.exe
