frida绕过frida检测



/**
 * Frida instrumentation script: intercepts libc's strstr() and, for calls
 * whose needle (second argument) contains one of a fixed set of markers,
 * rewrites the return value to 0 so the caller sees "substring not found".
 *
 * Markers checked in the needle: ":5DBA", ":69A2", "LIBFRIDA", "frida".
 * ":69A2" is 27042 in hex, frida-server's default listening port; that the
 * target scans /proc/net/tcp or /proc/self/maps for these strings is
 * inferred from the markers, not shown in this script.
 *
 * Review note for app defenders: a check that funnels through a single
 * exported libc string routine is one hookable choke point. Treat such a
 * check as one signal among several rather than the sole integrity gate.
 */
function main() {
    Java.perform(function () {
        console.log("[*] I am  a hook function");
        var strStr = Module.findExportByName("libc.so", "strstr");
        console.log("[*] strstr addr: " + strStr);

        // [needle marker, flag name stored on the per-call context, value stored]
        // NOTE(review): the ":69A2" entry stores false, so its onLeave branch is
        // never taken; reproduced exactly as the original script has it.
        var enterRules = [
            [":5DBA", "dba", true],
            [":69A2", "a2", false],
            ["LIBFRIDA", "LIBFRIDA", true],
            ["frida", "frida", true]
        ];

        // [flag name, log prefix], in the order the original evaluates them.
        // The "d8a" label text differs from the ":5DBA" marker; kept verbatim.
        var leaveRules = [
            ["a2", "[*] a2 hooked"],
            ["dba", "[*] d8a hooked"],
            ["LIBFRIDA", "[*] the LIBFRIDA result: "],
            ["frida", "[*] the frida result: "]
        ];

        Interceptor.attach(strStr, {
            // Runs before strstr(haystack, needle): record which markers matched.
            onEnter: function (args) {
                console.log("[*] strstr hooked");
                var haystack = ptr(args[0]).readCString();
                var needle = ptr(args[1]).readCString();
                for (var i = 0; i < enterRules.length; i++) {
                    var rule = enterRules[i];
                    if (needle.indexOf(rule[0]) < 0) {
                        continue;
                    }
                    console.log("[*] strstr hooked" + haystack + "," + needle + ")");
                    this[rule[1]] = rule[2];
                }
            },
            // Runs after strstr returns: for every flag set in onEnter, log the
            // result and replace it with 0.
            onLeave: function (retval) {
                for (var j = 0; j < leaveRules.length; j++) {
                    var entry = leaveRules[j];
                    if (this[entry[0]]) {
                        console.log(entry[1] + retval);
                        retval.replace(0x0);
                    }
                }
            }
        });
    });
}