October lesson 2
objection hooks are generally implemented with Java.choose
- Memory walking (searching live instances on the heap)
Batch-executing commands from a file at startup:
objection -g <package name> explore -c "file"
The file looks like:
android hooking watch class <class name 1>
android hooking watch class <class name 2>
October lesson 3
trace: hooking in batches
- Hooking a class and printing the call stack
https://github.com/hluwa/ZenTracer
Run ZenTracer.py -> action -> match regex -> E:java.io.File hooks every class whose name starts with that prefix, plus its subclasses
Hooking too many classes makes the app crash
October lesson 4
- RPC
https://github.com/frida/frida-python
October lesson 5
Calling methods actively and exposing them over the network
- Configuration
Start frida: ./frida-x64 -l 0.0.0.0:9999

```javascript
function hook01() {
    var res = null;
    Java.perform(function () {
        // call createSign directly with fixed arguments; the RPC caller's argument is not used here
        res = Java.use("com.wzyk.zgyjb.utils.FhfxUtil").createSign('sss', 'aaaaaa', 's3');
        // console.log(res)
    });
    return res;
}

function hook02() {
    var res = null;
    Java.perform(function () {
        // replace createSign so every call made by the app is logged
        Java.use("com.wzyk.zgyjb.utils.FhfxUtil").createSign.implementation = function (s1, s2, s3) {
            res = this.createSign(s1, s2, s3);
            console.log('hook02:' + res);
            return res;
        };
    });
    return res;
}

console.log('hook01:' + hook01());
hook02();

// expose the functions over RPC
rpc.exports = {
    hook01: hook01,
    hook02: hook02,
};
```
Start the script: frida -H "192.168.31.77:9999" -F -l D:\pythonProject\app\jinjie\test.js
Starting from a Python script:

```python
import os
import sys
import frida


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = open('./test.js', 'r', encoding='utf-8').read()
# jscode = open('./test.js', encoding='utf-8').read()
# process = frida.get_remote_device().attach('com.example.seccon2015.rock_paper_scissors')
os.system("adb forward tcp:27042 tcp:27042")
os.system("adb forward tcp:27043 tcp:27043")
# get the device by IP; with several devices, add each of them
device = frida.get_device_manager().add_remote_device('192.168.31.77:9999')
# device = frida.get_remote_device()
# get the pid
pid = device.get_frontmost_application().pid
# attach to the process by pid
session = device.attach(pid)
# load the script
script = session.create_script(jscode)
print('开始')
# print log messages
script.on('message', on_message)
# run the script
script.load()
# keep the process alive after the script has been loaded
sys.stdin.read()
```
Starting with objection: objection -N -h 192.168.31.77 -p 9999 -g com.wzyk.zgyjb explore

2. Exposing it over the network with Flask

```python
import os
import sys
import json
import frida
from flask import Flask, jsonify, request


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = open('./test.js', 'r', encoding='utf-8').read()
# jscode = open('./test.js', encoding='utf-8').read()
# process = frida.get_remote_device().attach('com.example.seccon2015.rock_paper_scissors')
os.system("adb forward tcp:27042 tcp:27042")
os.system("adb forward tcp:27043 tcp:27043")
# get the device by IP
device = frida.get_device_manager().add_remote_device('192.168.31.77:9999')
# device = frida.get_remote_device()
# get the pid
pid = device.get_frontmost_application().pid
# attach to the process by pid
session = device.attach(pid)
# load the script
script = session.create_script(jscode)
print('开始')
# print log messages
script.on('message', on_message)
# run the script
script.load()
# print(script.exports.hook01('aaaaaaa'))
# keep the process alive after the script has been loaded
# sys.stdin.read()

app = Flask(__name__)


# request path
@app.route('/decrypt', methods=['POST'])  # decrypt "data"
def decrypt_class():
    data = request.get_data()
    json_data = json.loads(data.decode("utf-8"))
    postdata = json_data.get("data")
    res = script.exports.hook01(postdata)
    return res


if __name__ == '__main__':
    app.run()
```

Calling it from Postman: http://127.0.0.1:5000/decrypt, body: {"data":"fff"}
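The handler above passes whatever arrives in the body straight to the Frida export. As an added example (not part of the course notes), the same /decrypt endpoint with the request handling split out of Flask so it can be tested without a device: `call_export` is a hypothetical stand-in for `script.exports.hook01`, and the address and script path are the placeholders used in the notes.

```python
import json

MAX_BODY = 64 * 1024  # reject oversized request bodies before parsing them


def handle_decrypt(body, call_export):
    """Validate a JSON body {"data": "<string>"} and forward "data" to the export.
    Returns (http_status, response_dict); call_export is any callable taking one str."""
    if len(body) > MAX_BODY:
        return 413, {"error": "body too large"}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict) or not isinstance(payload.get("data"), str):
        return 400, {"error": 'expected {"data": "<string>"}'}
    try:
        result = call_export(payload["data"])
    except Exception as exc:  # e.g. frida's InvalidOperationError once the app has exited
        return 502, {"error": "hook failed: %s" % type(exc).__name__}
    return 200, {"result": result}


def make_app(call_export):
    """Wrap handle_decrypt in a Flask app (flask imported lazily so tests need no server)."""
    from flask import Flask, jsonify, request
    app = Flask(__name__)

    @app.route("/decrypt", methods=["POST"])
    def decrypt():
        status, resp = handle_decrypt(request.get_data(), call_export)
        return jsonify(resp), status

    return app


if __name__ == "__main__":
    import frida
    # placeholder address of the device running frida-server, as in the notes
    device = frida.get_device_manager().add_remote_device("192.168.31.77:9999")
    session = device.attach(device.get_frontmost_application().pid)
    script = session.create_script(open("./test.js", encoding="utf-8").read())
    script.load()
    # host=127.0.0.1 keeps the endpoint reachable from this machine only;
    # use host="0.0.0.0" only when other machines really need to call it
    make_app(script.exports.hook01).run(host="127.0.0.1", port=5000)
```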
October lesson 6
- Active invocation test
The argument a .so function receives is an address; convert it to a string with: Java.vm.getEnv().getStringUtfChars(args[0],null).readCString()
args[0]: the first argument
```javascript
var aes_addr = Module.findExportByName('libwtf.so', 'Java_com_sichuanol_cbgc_util_SignManager_getSign');
console.log("aes_addr:", aes_addr);
// pointer: corresponds to the string type
// create a new function: arg 1 is the function address, arg 2 the return type, arg 3 the argument types
var get_sign = new NativeFunction(aes_addr, 'pointer', ['pointer', 'pointer', 'pointer']);
var text = Memory.allocUtf8String("aaaabbbb"); // create the string
console.log("The result is: ", Memory.readCString(get_sign(text, text, text))); // call the function
```
Calling the .so on its own, detached from the app; if the .so calls back into Java via reflection this will not work

```javascript
// load the .so; it must be placed in a directory on the phone
var so = Module.load("/data/local/so/libwtf.so");
console.log(so);
// get the function address
var fun1 = so.findExportByName("getSign");
// create a new function: arg 1 is the function address, arg 2 the return type, arg 3 the argument types
var get_sign = new NativeFunction(fun1, 'pointer', ['pointer', 'pointer', 'pointer']);
var text = Memory.allocUtf8String("aaaabbbb"); // create the string
console.log("The result is: ", Memory.readCString(get_sign(text, text, text))); // call the function
```
November lesson 1
Environment
Xposed is essentially just an app
Xposed tutorial online: https://www.freebuf.com/articles/terminal/189021.html
Filtering child processes: loadPackageParam.processName
- Printing the call stack from an Xposed hook
https://blog.csdn.net/QQ1084283172/article/details/79378374
The module's output can be viewed in the Xposed log
Sending the Xposed log to Android Studio: it is printed automatically under logcat
- Modifying arguments and return values with hooks
beforeHookedMethod: runs before the method executes, generally used to modify the arguments
MethodHookParam.args: the arguments, indexed from 0
afterHookedMethod: runs after the method executes, used to modify the return value
```java
// to match a method that takes parameters, list the parameter types after the method name
XposedHelpers.findAndHookMethod(clazz, "toastMessage", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // print the argument, indexed from 0
        XposedBridge.log("param:" + param.args[0]);
        // modify the argument
        param.args[0] = "你已被劫持";
        super.beforeHookedMethod(param);
    }

    // runs after the hooked method has executed
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        // get the return value
        Log.d("返回值:", (String) param.getResult());
        // modify the return value
        param.setResult("你已被劫持");
    }
});
```
- GravityBox
https://github.com/GravityBox/GravityBox
If importing the project reports: ERROR: This version of the Android Support plugin for IntelliJ IDEA (or Android Studio) cannot open this project, please retry with version 4.1 or newer., update the Android Studio version
November lesson 2
Xposed API: https://api.xposed.info/reference/de/robv/android/xposed/XposedHelpers.html
- Java reflection
getClasses(): returns an array of Class objects holding the class information
getClassLoader(): gets the class loader
November lesson 3
Enumerating all loaded classes matching a name in Frida
```javascript
Java.enumerateLoadedClasses({
    onMatch: function (className) {
        if (className.indexOf("java.lang") != -1) {
            console.log("找到:" + className.toString());
        }
    },
    onComplete: function () {
        console.log("ok...");
    }
});
```
December lesson 3
- Environment
(1) AOSP
AOSP source download: https://pan.baidu.com/s/1zAYliYbkagdUUsykww_L4g extraction code: vv5u
In the aosp directory, download all four files of aosp810r1
(2) OpenJDK
OpenJDK 8 download: https://pan.baidu.com/s/1viksn3y3zfGqiYpS3TWHCw extraction code: urhd
(3) Download the driver for your phone
https://developers.google.cn/android/drivers#sailfishopm1.171019.011
For Pixel 1: Pixel binaries for Android 8.1.0 (OPM1.171019.012), the first link
