frida hook的一些东西记录

https://bbs.kanxue.com/thread-265160-1.htm

https://bbs.kanxue.com/thread-281761-1.htm

以上两篇帖子里的代码和结论我还没有实际验证,先记录下来;后续需要在真机上跑过之后再当作可靠方法使用。

目前遇到的一些 app 的检测方法,基本都是由某个 so 通过 pthread_create 衍生一个线程来检测 frida,这个 so 基本都叫 libmsaoaidsec.so。注意:下面脚本里写死的线程函数偏移(0x1aee4 等)只对应某一个版本的 libmsaoaidsec.so,换了版本必须先用脚本重新打印偏移,不能直接照搬。
一种很明了的情况是 app 还没启动起来就直接死掉。这种先 hook dlopen 看 so 的加载顺序:so 的 .init_array 构造函数是在 dlopen 内部执行的,所以最后一个打印了 [dlopen:] 却没有打印对应 onLeave 的 so 最可疑。之后再调用 hook_pthread_create,查看这个 so 衍生出了哪些线程,按偏移一个一个替换成空函数做测试,找到既能绕过检测又不影响 app 正常运行的那个。

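// Which .so was loaded right before the app crashed?
//
// Logs every dlopen() / android_dlopen_ext() call. A library's .init_array
// constructors run inside dlopen itself (JNI_OnLoad runs later, from
// System.loadLibrary), i.e. between our onEnter and onLeave. So when the
// process dies during startup, the last "[dlopen:] <path>" line that has NO
// matching "onLeave--[dlopen:]" line names the library whose constructor
// killed the process - that is the first anti-frida suspect.
function hook_dlopen() {
    // Either symbol may be missing (old bionic has no android_dlopen_ext);
    // Interceptor.attach(null, ...) throws, so each one is hooked only when
    // it was actually found.
    var targets = [
        { symbol: "dlopen", tag: "dlopen" },
        { symbol: "android_dlopen_ext", tag: "dlopen_ext" }
    ];
    targets.forEach(function (target) {
        var addr = Module.findExportByName(null, target.symbol);
        if (addr === null) {
            console.log("[hook_dlopen] " + target.symbol + " not found, skipping");
            return;
        }
        Interceptor.attach(addr, {
            onEnter: function (args) {
                var path_ptr = args[0];
                // dlopen(NULL, ...) is legal (it returns the main program
                // handle), so do not dereference a null path.
                this.path = path_ptr.isNull() ? "(null)" : path_ptr.readCString();
                console.log("[" + target.tag + ":]", this.path);
                // To dig into one library, hook dlsym here once this.path
                // matches the suspect (e.g. a custom hook_dlsym()).
            },
            onLeave: function (retval) {
                // Reached only after the library's constructors returned, so
                // a missing onLeave line marks the crashing library. The path
                // is repeated so the pair can be matched in a noisy log.
                console.log("onLeave--[" + target.tag + ":]", retval, this.path);
            }
        });
    });
}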

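// Find - and optionally neutralise - detection threads spawned from a library.
//
// Workflow: run with the defaults first and watch the
// "function Offset ==> 0x...." lines; then pass the offsets of the threads to
// kill in blockOffsets. A blocked start routine is replaced with a no-op, so
// the thread is still created but returns immediately, which keeps the rest
// of the app running.
//
// Offsets belong to ONE build of the library: another version of
// libmsaoaidsec.so (or any other target) lays its code out differently, so
// re-derive them instead of reusing the defaults blindly.
//
// @param {string}   targetSo     module name (substring match) whose threads
//                                are reported; default "libmsaoaidsec.so"
// @param {number[]} blockOffsets start-routine offsets (from module base) to
//                                replace with a no-op; default [0x1aee4]
function hook_pthread_create(targetSo, blockOffsets) {
    if (targetSo === undefined) targetSo = "libmsaoaidsec.so";
    if (blockOffsets === undefined) blockOffsets = [0x1aee4];
    var pthread_create_addr = Module.findExportByName(null, "pthread_create");
    if (pthread_create_addr === null) {
        console.log("[hook_pthread_create] pthread_create not found");
        return;
    }
    // Interceptor.replace throws when the same address is replaced twice,
    // and a start routine may be handed to pthread_create more than once.
    var replaced = {};
    Interceptor.attach(pthread_create_addr, {
        onEnter: function (args) {
            // pthread_create(pthread_t*, const pthread_attr_t*, start_routine, arg)
            var funcAddr = args[2];
            var module = Process.findModuleByAddress(funcAddr);
            // Start routines living in anonymous/JIT memory have no module;
            // skip them instead of failing on module.name.
            if (module === null || module.name.indexOf(targetSo) < 0) {
                return;
            }
            var soAddr = module.base;
            var offset = funcAddr.sub(soAddr);
            console.log(module.name + " ==> " + soAddr);
            console.log("function Address ==> ", funcAddr);
            console.log("function Offset ==> ", offset);
            var key = funcAddr.toString();
            if (replaced[key]) {
                return;
            }
            var shouldBlock = blockOffsets.some(function (off) {
                // NativePointer values are compared with equals(); == only
                // worked by accident through hex-string coercion.
                return offset.equals(ptr(off));
            });
            if (shouldBlock) {
                replaced[key] = true;
                // A pthread start routine is void *(*)(void *): return NULL so
                // the thread's exit value is well defined.
                Interceptor.replace(funcAddr, new NativeCallback(function (arg) {
                    console.log(funcAddr + " replace");
                    return ptr(0);
                }, 'pointer', ['pointer']));
            }
        }
    });
}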

frida 打印hashmap或者转为json:

// Two ways to dump a java.util.Map (`map`) from a hook. Both need a Java VM
// thread: run them inside Java.perform() or from within a Java method hook.
//
// 1) toString(): quick, but loses value types (a String "5" and an int 5
//    print the same).
var HashMap = Java.use('java.util.HashMap');
var asHashMap = Java.cast(map, HashMap);
console.log("map:" + asHashMap.toString());

// prints e.g.  map:{onlyCanExchange=0, pageSize=5, pageNum=1}

// 2) Gson: real JSON with value types preserved. Works only when the app
//    itself bundles com.google.gson - Java.use throws otherwise.
var Gson = Java.use('com.google.gson.Gson').$new();
var jsonTree = Gson.toJsonTree(map);
console.log("map -> " + jsonTree.getAsJsonObject());

// prints e.g.  map -> {"onlyCanExchange":0,"pageSize":"5","pageNum":"1"}