Hook code

import frida
import sys

# Hook code, written in JavaScript
jscode = """
// JavaScript code: this is the important part
Java.perform(function () {
    var apkParseCompat = Java.use('com.hookandroid.apk.library.ApkParseCompat');

    // Log helper: prints the current Java stack trace
    console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));

    apkParseCompat.isExitPackage.implementation = function (packageName) {
        send("hook start isExitPackage...");
        send("参数1:" + packageName);  // "参数1" means "argument 1"
        return true;
    };
});
"""

# Custom message callback
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

# The four key lines
process = frida.get_remote_device().attach('com.hookandroid.apk.sample')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
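
The on_message callback above prints anything that is not a 'send' message as a raw dict, which hides script errors such as a failed Java.use(). The following is an added example, not part of the original page: a drop-in handler that formats both message types. It assumes Frida's usual message shape ('type', 'payload' for send; 'description', 'fileName', 'lineNumber' for error); the names format_message, MessageLog and replay_samples are hypothetical, and the sample messages are constructed.

```python
def format_message(message, data=None):
    """Render one Frida script message as a single log line."""
    mtype = message.get("type")
    if mtype == "send":
        line = "[*] {0}".format(message.get("payload"))
        if data is not None:  # optional binary blob passed as send()'s 2nd argument
            line += " (+{0} bytes)".format(len(data))
        return line
    if mtype == "error":
        # Raised when the injected JavaScript throws, e.g. Java.use() fails
        where = "{0}:{1}".format(message.get("fileName", "?"),
                                 message.get("lineNumber", "?"))
        return "[!] script error at {0}: {1}".format(
            where, message.get("description", "unknown"))
    return "[?] unhandled message: {0!r}".format(message)


class MessageLog:
    """Callback object: keeps every line and counts script errors."""

    def __init__(self):
        self.lines = []
        self.errors = 0

    def on_message(self, message, data):
        if message.get("type") == "error":
            self.errors += 1
        self.lines.append(format_message(message, data))
        print(self.lines[-1])


# Constructed sample messages (not captured from a real session)
SAMPLE_MESSAGES = [
    ({"type": "send", "payload": "hook start isExitPackage..."}, None),
    ({"type": "send", "payload": "arg1: com.example.demo"}, b"\x00\x01"),
    ({"type": "error", "description": "Error: constructed failure",
      "fileName": "/script1.js", "lineNumber": 3, "columnNumber": 1}, None),
]


def replay_samples():
    log = MessageLog()
    for message, data in SAMPLE_MESSAGES:
        log.on_message(message, data)
    return log


if __name__ == "__main__":
    replay_samples()
```

With a live session, pass `MessageLog().on_message` to `script.on('message', ...)` in place of the original callback.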

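Attach to the target app's memory
objection -g com.android.settings explore

List the shared libraries (.so) loaded in memory
memory list modules

List the exported functions of a loaded .so
memory list exports libssl.so

List the activities in memory
android hooking list activities

List all classes in memory
android hooking list classes

Watch calls to a class in memory
android hooking watch class android.bluetooth.BluetoothDevice

Spawn the app process
frida -U -f com.android.settings

Run the script
python hook.py

Resume the app
%resume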