一步一步配置用以安全测试的android手机

配置android测试环境，实现：动态调试、drozer、frida、界面劫持等

一、测试手机开启开发者模式

　　手机型号为pixel2 ，android 10系统，已root。连续点击版本号即可进入开发者选项。然后打开usb调试，使adb可以使用。

　　

二、部署gdb动态调试

　　1、复制gdbserver到手机/data/data/local/tmp/下

shellydeMacBook-Pro:~ shellyzhang$ adb push /Users/shellyzhang/1_codeing/android-sdk-macosx/ndk-bundle/prebuilt/android-arm/gdbserver/gdbserver /data/local/tmp
/Users/shellyzhang/1_codeing/android-sdk-macosx/ndk-bundle/p.../gdbserver: 1 file pushed. 8.0 MB/s (596448 bytes in 0.071s
shellydeMacBook-Pro:~ shellyzhang$ 

　　2、手机开启gdbserver，并连接需要调试的进程

walleye:/data/local/tmp # ps -ef |grep com.android.chrome                                                                                   
u0_a138       8921   786 1 08:39:51 ?     00:00:13 com.android.chrome
u0_a138       8997   786 0 08:39:52 ?     00:00:00 com.android.chrome:privileged_process0
u0_i9003      9277   786 0 08:42:01 ?     00:00:00 com.android.chrome:sandboxed_process2:org.chromium.content.app.SandboxedProcessService2
root         11876 11699 2 09:01:06 pts/1 00:00:00 grep com.android.chrome
walleye:/data/local/tmp # 
walleye:/data/local/tmp # ./gdbserver :1234 --attach 8921                                                                                   
Attached; pid = 8921
Listening on port 1234

　　3、adb转发手机端口到电脑上，电脑使用gdb进行调试

shellydeMacBook-Pro:~ shellyzhang$ adb forward tcp:1234 tcp:1234
shellydeMacBook-Pro:~ shellyzhang$ /Users/shellyzhang/1_codeing/android-sdk-macosx/ndk-bundle/prebuilt/darwin-x86_64/bin/gdb
GNU gdb (GDB) 7.11
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin14.5.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb)  target remote:1234
Remote debugging using :1234
Reading /system/bin/app_process32 from remote target...
(gdb)  info proc
process 8921
cmdline = 'com.android.chrome'
cwd = '/'
exe = '/system/bin/app_process32'
(gdb) info reg
r0             0xfffffffc    4294967292
r1             0xff8b6aa8    4287326888
r2             0x10    16
r3             0xffffffff    4294967295
r4             0x0    0
r5             0x8    8
r6             0xeeb0a260    4004553312
r7             0x15a    346
r8             0xdf43674c    3745736524
r9             0xdf436700    3745736448
r10            0x0    0
r11            0xffffffff    4294967295
r12            0xff8b6a58    4287326808
sp             0xff8b6a48    0xff8b6a48
lr             0xeeabcbb5    -290731083
pc             0xeeae9fa4    0xeeae9fa4 <__epoll_pwait+20>
cpsr           0x20010010    536936464
(gdb)  p*(int*)0xff8b6aa8
$1 = 0
(gdb) 

二、部署drozer

　　1、官网下载最新的apk包（https://labs.f-secure.com/tools/drozer/），并安装到手机

　　目前drozer可能在androd10上无法使用

三、部署frida与objection

　　1、下载合适版本的frida（https://github.com/frida/frida/releases）到手机/data/data/local/tmp/下

walleye:/data/local/tmp # uname -a
Linux localhost 4.4.210-gae6d0ab37d61 #1 SMP PREEMPT Fri Apr 10 23:00:09 UTC 2020 aarch64

walleye:/data/local/tmp # chmod 777 frida-server-12.11.6-android-arm64                                                                  
walleye:/data/local/tmp # 
walleye:/data/local/tmp # ./frida-server-12.11.6-android-arm64                                                                              

　　2、电脑上安装objection（https://github.com/sensepost/objection）

　　3、adb端口转发使用的端口

shellydeMacBook-Pro:1_app shellyzhang$ adb forward tcp:27042 tcp:27042
shellydeMacBook-Pro:1_app shellyzhang$ adb forward tcp:27043 tcp:27043

　　4、查看手机上进程，并使用objection连接

shellydeMacBook-Pro:Downloads shellyzhang$ frida-ps -R |grep chr
  999  chre
16408  com.android.chrome
16503  com.android.chrome:privileged_process0
16455  com.android.chrome:sandboxed_process0:org.chromium.content.app.SandboxedProcessService0
shellydeMacBook-Pro:Downloads shellyzhang$ objection --gadget 'com.android.chrome' explore
Using USB device `Pixel 2`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.5

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.android.chrome on (google: 10) [usb] #  

　　5、查看一些基本信息

com.android.chrome on (google: 10) [usb] # ls                                                                                    
Type       Last Modified            Read    Write    Hidden    Size     Name
---------  -----------------------  ------  -------  --------  -------  ------
Directory  2020-08-03 09:42:32 GMT  True    True     False     4.0 KiB  images

Readable: True  Writable: True
com.android.chrome on (google: 10) [usb] # env                                                                                   

Name                    Path
----------------------  ---------------------------------------------------------
cacheDirectory          /data/user/0/com.android.chrome/cache
codeCacheDirectory      /data/user/0/com.android.chrome/code_cache
externalCacheDirectory  /storage/emulated/0/Android/data/com.android.chrome/cache
filesDirectory          /data/user/0/com.android.chrome/files
obbDir                  /storage/emulated/0/Android/obb/com.android.chrome
packageCodePath         /system/product/app/Chrome/Chrome.apk

　　6、关闭sslpinning

com.android.chrome on (google: 10) [usb] # android sslpinning disable                                                            
(agent) Custom TrustManager ready, overriding SSLContext.init()
(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.verifyChain()
(agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.checkTrustedRecursive()
(agent) Registering job w9kke27rti9. Type: android-sslpinning-disable
com.android.chrome on (google: 10) [usb] #  

四、安装界面劫持工具

　　1、安装app

shellydeMacBook-Pro:1_app shellyzhang$ adb install BankActivityHijack.apk 
Success

　　2、输入要劫持的app界面activity名称，然后打开该app即可

　　

五、安装so注入工具

　　1、复制hijack到手机/data/data/local/tmp/下

shellydeMacBook-Pro:so shellyzhang$ adb push libstrmon.so /data/local/tmp
libstrmon.so: 1 file pushed. 2.2 MB/s (25720 bytes in 0.011s)
shellydeMacBook-Pro:so shellyzhang$ adb push hijack /data/local/tmp
hijack: 1 file pushed. 2.4 MB/s (22164 bytes in 0.009s)

　　2、注入so文件到进程中，并查看日志文件中是否有记录数据

walleye:/data/local/tmp # ps -ef |grep com.android.chrome                                                                                   
u0_a138      13269   786 1 09:32:24 ?     00:00:07 com.android.chrome
u0_a138      13345   786 0 09:32:24 ?     00:00:00 com.android.chrome:privileged_process0
u0_i9010     14106   786 8 09:45:56 ?     00:00:01 com.android.chrome:sandboxed_process5:org.chromium.content.app.SandboxedProcessService5
root         14146 13874 3 09:46:09 pts/4 00:00:00 grep com.android.chrome
walleye:/data/local/tmp # >/data/local/tmp/strmon.log
walleye:/data/local/tmp # chmod 777 strmon.log 
walleye:/data/local/tmp # ./hijack -d -p 13269 -l libstrmon.so                                                                              
mprotect: 0xeeaead4c
dlopen: 0xf1c13009
pc=eeae9fa4 lr=eeabcbb5 sp=ff8b6a48 fp=ffffffff
r0=fffffffc r1=ff8b6aa8
r2=10 r3=ffffffff
stack: 0xff0ba000-0xff8b9000 leng = 8384512
executing injection code at 0xff8b69f8
calling mprotect
library injection completed!
walleye:/data/local/tmp # cat strmon.log