查看cpu架构
# Query the device ABI first so the frida-server build pushed below (e.g. android-arm64) matches it.
adb shell getprop ro.product.cpu.abi
下载与手机 CPU 架构匹配的 frida-server：https://github.com/frida/frida/releases （server 版本要与电脑上 Python `frida` 包的版本保持一致，版本不匹配通常会连接失败）
# /data/local/tmp is writable by the adb shell user; keep the server version in step with the host frida package.
adb push ./frida-server-15.1.14-android-arm64 /data/local/tmp
启动服务
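adb shell
su   # grant root when the device prompts; frida-server needs root to attach to other processes
cd /data/local/tmp
# Only the execute bit is needed. 777 makes a binary that runs as root world-writable for no benefit.
chmod 755 ./frida-server-15.1.14-android-arm64
# By default frida-server listens on 127.0.0.1:27042 only. Do NOT add `-l 0.0.0.0` unless you
# really want every host on the network to get root code execution on this device.
./frida-server-15.1.14-android-arm64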
端口转发
# Map the server's control port (27042) and its first session port (27043) to the host. adb binds
# these on the host's loopback interface, so they are not reachable from other machines.
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
frida hook小例子
注意：frida 15 及以后版本 attach 时不再接受包名，而是进程名或 pid；传包名会报 `frida.ProcessNotFoundError: unable to find process with name ...`。
import frida,sys
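def on_message(message, data):
    """Print a message posted by the injected script.

    ``message`` is the dict frida delivers; ``data`` is the optional binary
    payload of ``send()`` and is not used here.
    """
    if message['type'] == 'send':
        print(f"[*] {message['payload']}")
    elif message['type'] == 'error':
        # Script-side exceptions land here; the stack is more useful than the raw dict.
        print(message.get('stack', message))
    else:
        print(message)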
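# JavaScript injected into the target. It reads/writes the activity's `m` and `n` fields after
# the original onClick has run; the commented-out part shows the same idea from an inner class.
test = '''
Java.perform(
function (){
console.log("11111")
var MainActivity=Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity')
MainActivity.onClick.implementation=function (v){
this.onClick(v)
this.n.value=2
this.m.value=1
console.log("m",this.m.value)
console.log("n",this.n.value)
}
/*var TT=Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity$1')
TT.run.implementation=function (){
console.log("123123")
//this.this$0.value.m.value=1
//this.this$0.value.n.vlaye=2
this.run()
}*/
}
)
'''


def hook_by_spawn(device, identifier, source):
    """Spawn ``identifier`` (a package name) suspended, inject ``source``, then resume it.

    Use this instead of attaching when the hooks must be in place before the
    app's own startup code runs (e.g. early anti-debug or integrity checks).
    Returns the session so the caller can ``detach()`` it when done.
    """
    pid = device.spawn([identifier])
    session = device.attach(pid)
    script = session.create_script(source)
    script.on('message', on_message)
    script.load()
    device.resume(pid)  # the app stays frozen until resumed, so load the script first
    return session


# A negative timeout blocks until a USB device is available.
fv = frida.get_usb_device(-1)
# Hook whatever is in the foreground so the target name need not be edited for every run.
front_app = fv.get_frontmost_application()
if front_app is None:
    # Locked screen / launcher: there is nothing to attach to and front_app.pid would raise.
    sys.exit("no application in the foreground; unlock the device and open the target app")
print("===正在运行的应用为:", front_app)
# frida >= 15 wants a pid or process name here, not the package name.
process = fv.attach(front_app.pid)
# The original passed `test_sig`, an undefined name, which raised NameError before any hook ran.
script = process.create_script(test)
script.on('message', on_message)
script.load()
try:
    sys.stdin.read()  # keep the hooks alive until stdin closes (Ctrl-D / Ctrl-C)
finally:
    process.detach()  # drop the session cleanly instead of leaving it dangling in frida-server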
内部类中访问外部类字段的写法：this.this$0.value.&lt;外部类字段名&gt;.value = 2（this$0 是编译器生成的、指向外部类实例的合成字段，后面跟的是字段名而不是外部类名）