frida用法小汇总

根据cpu版本去下载相应frida-server 运行./frida-sever &

frida官网:https://frida.re/docs/javascript-api/

1.hook静态函数

当函数内部有相同的函数名，即重载时，hook时就必须指定函数类型

function hook_java() {

    Java.perform(function () {

        var LoginActivity = Java.use("com.example.androiddemo.Activity.LoginActivity");

        console.log(LoginActivity);

        LoginActivity.a.overload('java.lang.String', 'java.lang.String').implementation = function (str, str2) {

            var result = this.a(str, str2);   

            //result = '';

            console.log("LoginActivity.a:", str, str2, result);

            return result;

        };

        //当函数有重载时，错误写法，当函数没重载时，可以这样写

          LoginActivity.a.implementation = function (str1, str2) {

            var result = this.a(str1, str2);     //调用原来的函数

            console.log("LoginActivity.a:", str1, str2, result);

            return result;

        };

}

修改函数返回值和成员变量

(1)修改返回值

function hook_java() {

    Java.perform(function () {

        var FridaActivity1 = Java.use("com.example.androiddemo.Activity.FridaActivity1");

        // FridaActivity1.a.implementation = function (barr) {

        //     console.log("FridaActivity1.a");

        //     // return "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";

        //     var result = this.a(barr);

        //     console.log("FridaActivity1.a result:", result);

        //     return result;

            

        // };

        // 第二种写法

        FridaActivity1.a.overload('[B').implementation = function (barr) {

            console.log("FridaActivity1.a");

            var result = this.a(barr);

            console.log("FridaActivity1.a 修改前返回值:", result);

            result = "R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL=";

            console.log("FridaActivity1.a 修改后返回值:", result);

            return result;

            

        };

        console.log("hook_java");

    });

}

(2)修改成员变量

function call_FridaActivity3() {

    Java.perform(function () {

        var FridaActivity3 = Java.use("com.example.androiddemo.Activity.FridaActivity3");

        FridaActivity3.$new

        FridaActivity3.static_bool_var.value = true;        //设置静态成员变量



        console.log(FridaActivity3.static_bool_var.value);

        

        Java.choose("com.example.androiddemo.Activity.FridaActivity3", {

            onMatch: function (instance) {

                //设置非静态成员变量的值

                instance.bool_var.value = true;

                //设置有相同函数名的成员变量的值

                instance._same_name_bool_var.value = true;

                console.log(instance.bool_var.value, instance._same_name_bool_var.value);

            },

            onComplete: function () {



            }

        });

    });

}

2.hook内部类

第一种写法

function hook_InnerClasses() {

    Java.perform(function () {

        //hook内部类

        var InnerClasses = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");

        console.log(InnerClasses);

        InnerClasses.check1.implementation = function () {

            return true;

        };

        InnerClasses.check2.implementation = function () {

            return true;

        };

        InnerClasses.check3.implementation = function () {

            return true;

        };

        InnerClasses.check4.implementation = function () {

            return true;

        };

        InnerClasses.check5.implementation = function () {

            return true;

        };

        InnerClasses.check6.implementation = function () {

            return true;

        };

    });

}



第二种写法

function hook_mul_function() {

    Java.perform(function () {

        //hook 类的多个函数

        var class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";

        var InnerClasses = Java.use(class_name);

        var all_methods = InnerClasses.class.getDeclaredMethods();

        for (var i = 0; i < all_methods.length; i++) {

            var method = (all_methods[i]);

            var methodStr = method.toString();

            var substring = methodStr.substr(methodStr.indexOf(class_name) + class_name.length + 1);

            var methodname = substring.substr(0, substring.indexOf("("));

            console.log(methodname);

            InnerClasses[methodname].implementation = function () {

                console.log("hook_mul_function:", this);

                return true;

            }



        }



    });

}

3.hook动态dex

function hook_dyn_dex() {

    Java.perform(function () {

        //hook 动态加载的dex  （注意点:牛轧糖版本之上）

        Java.enumerateClassLoaders({

            onMatch: function (loader) {

                try {

                    if (loader.findClass("com.example.androiddemo.Dynamic.DynamicCheck")) {

                        console.log(loader);

                        // Java.classFactory.loader = loader;      //切换classloader

                    }

                } catch (error) {



                }



            }, onComplete: function () {



            }

        });



        // var DynamicCheck = Java.use("com.example.androiddemo.Dynamic.DynamicCheck");

        // console.log(DynamicCheck);

        // DynamicCheck.check.implementation = function () {

        //     console.log("DynamicCheck.check");

        //     return true;

        // }

    });

}

4.frida加载动态dex

function hook_java() {

    //var ddex = Java.openClassFile("/data/local/tmp/ddex.dex");

    //frida动态加载了dex

    /*

    jar -cvf ddex.jar com/example/androiddemo/DecodeUtils.class

    /Users/yang/Library/Android/sdk/build-tools/28.0.3/dx --dex --output=ddex.dex ddex.jar

    */

    var ddex2 = Java.openClassFile("/data/local/tmp/ddex2.dex");



    Java.perform(function () {

        //frida动态加载了dex

        ddex2.load();

        var DecodeUtils = Java.use("com.example.androiddemo.DecodeUtils");

        console.log("DecodeUtils.decode_p:", DecodeUtils.decode_p());

    });

}