frida hook_RegisterNatives--使用frida打印so中动态注册的函数
原文地址:https://github.com/lasting-yang/frida_hook_libart
frida -U --no-pause -f package_name -l hook_RegisterNatives.js
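'use strict';

// hook_RegisterNatives.js — Frida script that logs every JNI RegisterNatives()
// call made in the target process, producing an inventory of dynamically
// registered native methods: declaring Java class, method name, JNI signature,
// implementing function pointer, and the module/offset that pointer lives in.
// Useful when auditing an app's native (JNI) attack surface or when triaging a
// sample whose JNI bindings are not visible from the static symbol table.
//
// Usage: frida -U --no-pause -f package_name -l hook_RegisterNatives.js

// Set once hook_libart() has run, so loading the script twice does not attach twice.
let ishook_libart = false;

// ART's JNI implementation entry points, looked up by mangled symbol name in
// libart.so. `exact` entries must match the whole symbol name; the rest are
// accepted on a substring match (as in the original script) to tolerate small
// mangling differences between ART builds.
// NOTE(review): newer ART builds may mangle these differently (e.g. a templated
// JNI class); if nothing is hooked, dump Module.enumerateSymbolsSync('libart.so')
// and adjust the patterns.
const ART_JNI_SYMBOLS = [
  { key: 'GetStringUTFChars', pattern: '_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh', exact: true },
  { key: 'NewStringUTF', pattern: '_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc', exact: true },
  { key: 'FindClass', pattern: '_ZN3art3JNI9FindClassEP7_JNIEnvPKc', exact: true },
  { key: 'GetMethodID', pattern: '_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_', exact: true },
  { key: 'GetStaticMethodID', pattern: '_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_', exact: true },
  { key: 'GetFieldID', pattern: '_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_', exact: true },
  { key: 'GetStaticFieldID', pattern: '_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_', exact: true },
  { key: 'RegisterNatives', pattern: '_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi', exact: true },
  { key: 'AllocObject', pattern: '_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass', exact: false },
  { key: 'CallObjectMethod', pattern: '_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz', exact: false },
  { key: 'GetObjectClass', pattern: '_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject', exact: false },
  { key: 'ReleaseStringUTFChars', pattern: '_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc', exact: false },
];

/**
 * Walk libart.so's symbol table once and resolve every entry of ART_JNI_SYMBOLS.
 * Each hit is logged as "<key> is at <address> <symbol>".
 *
 * @returns {Object<string, NativePointer|null>} address per key, null when not found
 */
function resolveArtJniSymbols() {
  const addr = {};
  for (const { key } of ART_JNI_SYMBOLS) {
    addr[key] = null;
  }
  for (const symbol of Module.enumerateSymbolsSync('libart.so')) {
    // First matching table entry wins, mirroring the original if/else-if chain.
    const hit = ART_JNI_SYMBOLS.find(({ pattern, exact }) =>
      exact ? symbol.name === pattern : symbol.name.includes(pattern),
    );
    if (hit !== undefined) {
      addr[hit.key] = symbol.address;
      console.log(`${hit.key} is at `, symbol.address, symbol.name);
    }
  }
  return addr;
}

/**
 * Read a NUL-terminated C string, tolerating a NULL pointer (which would
 * otherwise fault inside the hook and abort the whole log line).
 *
 * @param {NativePointer} p
 * @returns {string|null}
 */
function readCStringOrNull(p) {
  return p.isNull() ? null : p.readCString();
}

/**
 * Build a function that turns a jclass into its Java class name by calling
 * java.lang.Class.getName() on the class reference itself.
 *
 * The original script did this by AllocObject()-ing an instance of the class
 * and calling getClass() on it. That instantiates an arbitrary app class as a
 * side effect and fails (pending InstantiationException) for abstract classes
 * and interfaces; a jclass is already a java.lang.Class object, so getName()
 * can be invoked on it directly.
 *
 * The NativeFunction wrappers and the UTF-8 name/signature buffers are built
 * once here instead of on every RegisterNatives call.
 *
 * @param {Object<string, NativePointer|null>} addr result of resolveArtJniSymbols()
 * @returns {((env: NativePointer, javaClass: NativePointer) => string)|null}
 *   null when one of the required JNI entry points was not resolved
 */
function makeClassNameResolver(addr) {
  const needed = ['GetObjectClass', 'GetMethodID', 'CallObjectMethod', 'GetStringUTFChars', 'ReleaseStringUTFChars'];
  if (needed.some((key) => addr[key] === null)) {
    console.log('[RegisterNatives] missing JNI helpers, class names will not be resolved:',
      needed.filter((key) => addr[key] === null).join(', '));
    return null;
  }

  const GetObjectClass = new NativeFunction(addr.GetObjectClass, 'pointer', ['pointer', 'pointer']);
  const GetMethodID = new NativeFunction(addr.GetMethodID, 'pointer', ['pointer', 'pointer', 'pointer', 'pointer']);
  const CallObjectMethod = new NativeFunction(addr.CallObjectMethod, 'pointer', ['pointer', 'pointer', 'pointer']);
  const GetStringUTFChars = new NativeFunction(addr.GetStringUTFChars, 'pointer', ['pointer', 'pointer', 'pointer']);
  const ReleaseStringUTFChars = new NativeFunction(addr.ReleaseStringUTFChars, 'void', ['pointer', 'pointer', 'pointer']);
  const getNameStr = Memory.allocUtf8String('getName');
  const getNameSig = Memory.allocUtf8String('()Ljava/lang/String;');

  return (env, javaClass) => {
    // GetObjectClass(jclass) yields java.lang.Class, where getName() always exists.
    const classClass = GetObjectClass(env, javaClass);
    const midGetName = GetMethodID(env, classClass, getNameStr, getNameSig);
    if (midGetName.isNull()) {
      return '<unknown>';
    }
    const nameJString = CallObjectMethod(env, javaClass, midGetName);
    if (nameJString.isNull()) {
      return '<unknown>';
    }
    const chars = GetStringUTFChars(env, nameJString, ptr(0));
    try {
      return readCStringOrNull(chars) ?? '<unknown>';
    } finally {
      // Always hand the buffer back, even if reading it throws.
      ReleaseStringUTFChars(env, nameJString, chars);
    }
  };
}

/**
 * Resolve ART's JNI entry points and attach to art::JNI::RegisterNatives,
 * logging every method it registers. Idempotent: guarded by ishook_libart,
 * which is set after the first run whether or not the hook could be installed
 * (as in the original script).
 */
function hook_libart() {
  if (ishook_libart === true) {
    return;
  }

  const addr = resolveArtJniSymbols();
  const resolveClassName = makeClassNameResolver(addr);
  // sizeof(JNINativeMethod): { const char* name; const char* signature; void* fnPtr; }
  const methodStride = Process.pointerSize * 3;

  if (addr.RegisterNatives === null) {
    console.log('[RegisterNatives] art::JNI::RegisterNatives not found in libart.so; nothing hooked');
  } else {
    Interceptor.attach(addr.RegisterNatives, {
      // jint RegisterNatives(JNIEnv* env, jclass clazz, const JNINativeMethod* methods, jint nMethods)
      onEnter(args) {
        const env = args[0];
        const javaClass = args[1];
        const methods = args[2];
        const methodCount = args[3].toInt32();
        console.log('[RegisterNatives] method_count:', methodCount);

        const className = resolveClassName !== null ? resolveClassName(env, javaClass) : '<unknown>';

        for (let i = 0; i < methodCount; i++) {
          const entry = methods.add(i * methodStride);
          const name = readCStringOrNull(entry.readPointer());
          const sig = readCStringOrNull(entry.add(Process.pointerSize).readPointer());
          const fnPtr = entry.add(Process.pointerSize * 2).readPointer();
          // fnPtr may live in anonymous memory (e.g. code mapped at runtime) with no
          // backing module; findModuleByAddress() then returns null, which the
          // original script dereferenced unconditionally.
          const mod = Process.findModuleByAddress(fnPtr);
          if (mod === null) {
            console.log('[RegisterNatives] java_class:', className, 'name:', name, 'sig:', sig,
              'fnPtr:', fnPtr, 'module_name:', '<no module>');
          } else {
            console.log('[RegisterNatives] java_class:', className, 'name:', name, 'sig:', sig,
              'fnPtr:', fnPtr, 'module_name:', mod.name, 'module_base:', mod.base,
              'offset:', fnPtr.sub(mod.base));
          }
        }
      },
    });
  }

  ishook_libart = true;
}

hook_libart();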