Before we start, make sure your Android device is rooted. Most of the experiments here were done on Android 4.4. Frida itself supports versions 4.2 through 6.0, but its support for ART is still limited at this point, so we recommend using a device or emulator whose system runs on the Dalvik VM.
Device information

```
Phone: Nexus 5, Android 4.4.4, rooted, Dalvik runtime
(Settings - Developer options - Select runtime - Use Dalvik)
```
Installation

```shell
pip install frida-tools
```
Check the phone's CPU ABI (this decides which frida-server build to download)

```shell
adb shell getprop ro.product.cpu.abi
```
Download the frida-server build that matches the ABI from the frida releases, for example:

frida-server-12.6.6-android-arm.xz
frida-server must run with root privileges. Unpack the .xz archive, rename the binary to frida-server, then:

```shell
adb root
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
# the path must be absolute; the original post was missing the leading slash
adb shell "/data/local/tmp/frida-server &"
```
Check that the device is connected and frida-server is reachable

```shell
frida-trace -U -i open com.android.chrome   # trace open() calls in the app over USB
```

```shell
frida -U -l example.js com.example.dlive     # inject a JS script into the app
```
Injecting a JS script into a Java app
MainActivity.java (package name taken from the Frida script below; the imports are the standard ones for this code, with AppCompatActivity from the support library or androidx depending on the project)

```java
package com.demo.android_frida;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
// use android.support.v7.app.AppCompatActivity on support-library projects
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        findViewById(R.id.mBtnTest).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                helloAndroid();
                test1();
                test2(123);
                test3("str");
                test4("str", true);
                // test5() normally returns "error"; the hook changes what ends up on the button
                ((Button) findViewById(R.id.mBtnTest)).setText(test5());
            }
        });
    }

    private void helloAndroid() {
        System.out.println("helloAndroid");
    }

    private void test1() {
        System.out.println("test1()");
    }

    private void test2(int i) {
        System.out.println("test2(int)" + i);
    }

    private void test3(String s) {
        System.out.println("test3(String)" + s);
    }

    private void test4(String s, boolean b) {
        System.out.println("test4(String,boolean)" + s + "," + b);
    }

    private String test5() {
        return "error";
    }
}
```
activity_main.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context=".MainActivity">

    <Button
        android:id="@+id/mBtnTest"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content" />

</LinearLayout>
```
frida.js

```javascript
console.log("[*] Starting script");

Java.perform(function () {
    var MainActivity = Java.use("com.demo.android_frida.MainActivity");

    // method with a single overload: no overload() call needed
    MainActivity.helloAndroid.implementation = function () {
        console.log("helloAndroid()");
        // this.private_func();
    };

    // overload() with no arguments selects the zero-argument version
    MainActivity.test1.overload().implementation = function () {
        console.log("test1()");
        // this.private_func();
    };

    // primitive types are named by their Java keyword
    MainActivity.test2.overload("int").implementation = function (i) {
        console.log("test2(int): " + i);
        // this.private_func(i);
    };

    // object types are named by their fully qualified class name
    MainActivity.test3.overload("java.lang.String").implementation = function () {
        console.log("test3(String): " + arguments[0]);
        // this.private_func(arguments[0]);
    };

    // log the arguments
    MainActivity.test4.overload("java.lang.String", "boolean").implementation = function (s, b) {
        console.log("test4(String,boolean): " + s + ", " + b);
        // this.private_func(s, b);
    };

    // modify the return value
    MainActivity.test5.overload().implementation = function () {
        console.log("test5");
        // return this.test5() + "llll";
        return "ffff";
    };
});
```
Inject

```
frida -U -l frida.js com.demo.android_frida
     ____
    / _  |   Frida 12.4.8 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
Attaching...
```
Click the button

```
[*] Starting script
[LGE Nexus 5::com.demo.android_frida]-> helloAndroid()
test1()
test2(int): 123
test3(String): str
test4(String,boolean): str, true
test5
```
The button text changes to ffff: the hooked test5() returned "ffff" instead of "error".
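The frida.js above hooks each method individually and hard-codes the replacement value. The following script, added here as an example and not part of the original post, generalises that: it hooks every overload of a list of MainActivity methods in one loop, logs each call with its arguments, still invokes the original method, and substitutes a return value only for the methods listed in an overrides map (test5 -> "ffff", matching the post). The helper names formatArg, formatCall, applyOverride and installHooks are my own; Java.perform, Java.use, the .overloads array and .implementation are the Frida Java bridge APIs the post already uses. The pure helpers have no Frida dependency, so the script loads in plain Node as a no-op and does its work only when run with frida -U -l.

```javascript
// Added example (not the post's frida.js): hook all overloads of several
// MainActivity methods, log calls, run the original, override chosen results.
// Helper names (formatArg, formatCall, applyOverride, installHooks) are assumed.

// Render one argument for a log line: strings quoted, everything else via
// String() (Java objects print their toString()).
function formatArg(a) {
  return typeof a === "string" ? JSON.stringify(a) : String(a);
}

// Build a single log line such as
//   com.demo.android_frida.MainActivity.test4("str", true)
function formatCall(className, methodName, args) {
  return className + "." + methodName + "(" + args.map(formatArg).join(", ") + ")";
}

// Return the configured override for `methodName` if there is one, otherwise
// the value the original method produced (undefined for void methods).
function applyOverride(methodName, originalResult, overrides) {
  if (Object.prototype.hasOwnProperty.call(overrides, methodName)) {
    return overrides[methodName];
  }
  return originalResult;
}

// Hook every overload of each listed method on `className` (Frida APIs).
// `overrides` maps a method name to the value its callers should receive
// instead of the real result.
function installHooks(className, methodNames, overrides) {
  Java.perform(function () {
    var cls = Java.use(className);
    methodNames.forEach(function (name) {
      cls[name].overloads.forEach(function (overload) {
        overload.implementation = function () {
          var args = Array.prototype.slice.call(arguments);
          console.log("[*] " + formatCall(className, name, args));
          // Call the original overload so the app's own behaviour still runs
          // (here: the System.out.println lines still appear in logcat).
          var result = overload.apply(this, args);
          var finalResult = applyOverride(name, result, overrides);
          if (finalResult !== result) {
            console.log("    return " + formatArg(result) + " -> " + formatArg(finalResult));
          }
          return finalResult;
        };
      });
    });
  });
}

// Inside Frida the global `Java` exists and the hooks are installed;
// in plain Node this branch is skipped and only the helpers are defined.
if (typeof Java !== "undefined") {
  installHooks(
    "com.demo.android_frida.MainActivity",
    ["helloAndroid", "test1", "test2", "test3", "test4", "test5"],
    { test5: "ffff" }
  );
}
```

Run it with `frida -U -l hook_all.js com.demo.android_frida` (file name is your choice) and press the button: each call is logged in the `Class.method(args)` form, and test5 prints `return "error" -> "ffff"` before the button text changes. Because the original overload is invoked before the override is applied, the hook is observable only through its return value, which is the usual shape for a logging hook during app analysis.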
LINKS

Simplifying Android app security testing with Frida (使用Frida简化Android端应用安全测试)
Android reverse-engineering journey: a detailed guide to Frida from the hook-tool family (Android逆向之旅—Hook神器家族的Frida工具使用详解)
How to handle packed Android apps with FRIDA (如何使用FRIDA搞定Android加壳应用)
[Original] Frida from beginner to beginner: a Frida manual for Android reversing newcomers ([原创]Frida从入门到入门—安卓逆向菜鸟的frida食用说明)
Author:
tea9
Permalink:
http://tea9.github.io/post/739255443.html
License:
Copyright (c) 2017-2025 CC-BY-NC-4.0 LICENSE