Installation

Lab environment:

Python 3.7
Xiaomi Mi 5 (rooted)
Windows 10

Installing frida

pip install frida
pip install frida-tools

Installing and running frida-server

Check the CPU architecture

adb shell getprop ro.product.cpu.abi


Download the frida-server build for the matching architecture here.
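As an added example (not code from the original post), the following script turns the `getprop ro.product.cpu.abi` step into something repeatable: it maps the ABI string the device reports to the architecture suffix used in the Frida project's release-asset names (frida-server-<version>-android-<arch>.xz). The `run` parameter is an assumption of this example so the mapping can be exercised without a phone attached; the version string in `__main__` is a placeholder. One caveat worth checking before downloading: the frida-server version must match the `frida` package installed with pip (`frida --version`), otherwise the client refuses to talk to the server.

```python
import subprocess

# Android ABI (as printed by `adb shell getprop ro.product.cpu.abi`) mapped to
# the architecture suffix Frida uses for its frida-server release assets.
ABI_TO_FRIDA_ARCH = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "armeabi": "arm",
    "x86_64": "x86_64",
    "x86": "x86",
}


def frida_server_asset(abi: str, version: str) -> str:
    """Return the release-asset filename of the frida-server matching `abi`.

    `version` must be the same version as the pip-installed frida bindings.
    """
    try:
        arch = ABI_TO_FRIDA_ARCH[abi.strip()]
    except KeyError:
        raise ValueError(f"unsupported ABI: {abi!r}") from None
    return f"frida-server-{version}-android-{arch}.xz"


def device_abi(run=None) -> str:
    """Query the primary ABI of the connected device over adb.

    `run` is injectable (hypothetical helper for this example) so the logic
    can be tested without a device; by default it shells out to adb.
    """
    if run is None:
        def run(args):
            return subprocess.run(args, capture_output=True, text=True,
                                  check=True).stdout
    return run(["adb", "shell", "getprop", "ro.product.cpu.abi"]).strip()


if __name__ == "__main__":
    abi = device_abi()
    # "X.Y.Z" is a placeholder: use the output of `frida --version` here.
    print(abi, "->", frida_server_asset(abi, "X.Y.Z"))
```

Run it with the phone connected and `adb` on PATH; it prints the ABI and the asset name to fetch from the Frida releases page.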


Start frida-server

# push the binary from the local machine to the phone
adb push frida-server /data/local/tmp

# forward the frida-server port to the PC
adb forward tcp:27042 tcp:27042

# run it
adb shell /data/local/tmp/frida-server

If you get the error:

Unable to save SELinux policy to the kernel: Permission denied

this is a permissions problem; switch to the root user and run it from there:

adb shell  # open an adb shell
id  # the current user is the shell user
su  # switch to the root user
id  # the current user is now root
chmod 755 /data/local/tmp/frida-server  # add execute permission
/data/local/tmp/frida-server  # -D runs it in daemon mode
ps -ef | grep frida  # check that it is running
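The last step, `ps -ef | grep frida`, is easy to misread: the grep line itself always matches, and the UID column is what tells you whether the server really runs as root. As an added example (not part of the original post), the script below parses `ps -ef` output in the toybox layout that Android prints and reports whether frida-server is running and under which user. The sample output is constructed for the example.

```python
import subprocess

# Constructed sample in the toybox `ps -ef` layout printed on Android.
SAMPLE_PS_OUTPUT = """\
UID            PID  PPID C STIME TTY          TIME CMD
root             1     0 0 09:58:01 ?     00:00:03 /init
root          4321     1 0 10:02:15 ?     00:00:00 /data/local/tmp/frida-server -D
shell         4400  4390 0 10:03:40 pts/0 00:00:00 grep frida
"""


def parse_ps_ef(output: str):
    """Parse `ps -ef` text into dicts with uid, pid, ppid and cmd."""
    rows = []
    lines = output.strip().splitlines()
    for line in lines[1:]:                 # skip the header row
        fields = line.split(None, 7)       # CMD may contain spaces: keep it whole
        if len(fields) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = fields
        rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return rows


def find_frida_server(output: str):
    """Return frida-server processes, ignoring the `grep frida` line that
    `ps -ef | grep frida` always matches against itself."""
    return [r for r in parse_ps_ef(output)
            if "frida-server" in r["cmd"] and not r["cmd"].startswith("grep")]


def check_frida_server(output: str) -> str:
    """Summarise the state: not running, running as root, or running unprivileged."""
    procs = find_frida_server(output)
    if not procs:
        return "not running"
    if any(p["uid"] != "root" for p in procs):
        return "running, but not as root"
    return "running as root"


if __name__ == "__main__":
    ps_text = subprocess.run(["adb", "shell", "ps", "-ef"],
                             capture_output=True, text=True, check=True).stdout
    for proc in find_frida_server(ps_text):
        print(proc)
    print(check_frida_server(ps_text))
```

If the report says "running, but not as root", the SELinux policy error above is the likely result; go back to `su` and restart the server.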

List Android processes

frida-ps -U


Get the app currently in the foreground

import frida

rdev = frida.get_remote_device()              # the device behind the forwarded port 27042
front_app = rdev.get_frontmost_application()  # app currently shown on screen
print(front_app)


Print all processes

import frida

rdev = frida.get_remote_device()
processes = rdev.enumerate_processes()  # same information as frida-ps -U
for process in processes:
    print(process)


Loading a JavaScript script from Python

console.log("Script loaded successfully");
Java.perform(function() {
    Java.choose("com.lilongsy.MainActivity", {
        "onMatch": function(instance) {
            console.log("[*] Instance found: " + instance.toString());
        },
        "onComplete": function() {
            console.log("[*] Finished heap search");
        }
    });
});

1.js

import time
import frida

device = frida.get_usb_device()
pid = device.spawn(["com.lilongsy"])  # start the app in a suspended state
device.resume(pid)                    # let it run
time.sleep(1)                         # give it a moment to initialise
session = device.attach(pid)
with open("1.js") as f:
    script = session.create_script(f.read())
script.load()
input()                               # keep the script alive until Enter is pressed

main.py
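As an added example (not the post's own code), the loader below generalises main.py in two ways a practitioner usually needs: the script is loaded before the spawned app is resumed, so the hooks are already in place when the app's own code starts running (main.py resumes first and sleeps, which leaves a window where early code runs uninstrumented), and the agent reports back with `send()` so Python receives structured messages and script errors instead of having to read console output. The `inject` and `make_message_handler` names are assumptions of this example; the class name "com.lilongsy.MainActivity" and package "com.lilongsy" are the ones used in the post. The `device` parameter only needs the spawn/attach/resume methods of a frida Device, which keeps the function testable without a phone.

```python
import sys

try:
    import frida  # only needed when talking to a real device
except ImportError:   # keeps the module importable where frida is not installed
    frida = None

# Frida agent (JavaScript) handed to the target process. Like the post's 1.js it
# searches the heap for live instances, but reports them with send() so the
# Python side receives structured messages. Class name taken from the post.
AGENT_JS = r"""
Java.perform(function () {
    Java.choose("com.lilongsy.MainActivity", {
        onMatch: function (instance) {
            send({ event: "instance", value: instance.toString() });
        },
        onComplete: function () {
            send({ event: "done" });
        }
    });
});
"""


def make_message_handler(events):
    """Build a frida `message` callback that appends payloads to `events`.

    Frida delivers send() calls as type "send" and uncaught agent exceptions
    as type "error"; both are recorded so a broken script is not silent.
    """
    def on_message(message, data):
        if message["type"] == "send":
            events.append(message["payload"])
        elif message["type"] == "error":
            events.append({"event": "error", "description": message["description"]})
    return on_message


def inject(device, package, js_source, on_message, spawn=True):
    """Spawn (or attach to) `package` and load `js_source` into it.

    With spawn=True the app is created suspended, the script is loaded, and
    only then is the process resumed, so hooks cover the app's startup code.
    """
    target = device.spawn([package]) if spawn else package  # pid or process name
    session = device.attach(target)
    script = session.create_script(js_source)
    script.on("message", on_message)
    script.load()
    if spawn:
        device.resume(target)
    return script


if __name__ == "__main__":
    if frida is None:
        sys.exit("pip install frida frida-tools")
    events = []
    usb = frida.get_usb_device()
    agent = inject(usb, "com.lilongsy", AGENT_JS, make_message_handler(events))
    input("hooks loaded, press Enter to detach\n")
    agent.unload()
    for event in events:
        print(event)
```

Running it with the phone attached prints each matched instance after you press Enter; if the agent throws, the error description shows up in the same list instead of being lost.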


References
