Frida Supplement: Memory


I was in almost no state to write for the whole of September, so essentially no articles were updated; thank you all for continuing to follow along. The update frequency will slowly recover from here on. Thanks again for your support.

Correcting an error

In Frida API Usage (1), the code shown when introducing data types had one imperfect spot. The corrected version is:

console.log("new Int64(1):" + new Int64(1));
console.log("new UInt64(1):" + new UInt64(1));
console.log("new NativePointer(0x123456):" + new NativePointer(0x123456));
console.log("ptr(0x123456):" + ptr(0x123456));
console.log("null pointer:" + ptr('0'));

The original new ptr(0x123456) should be changed to ptr(0x123456): ptr is short-hand for new NativePointer, so it is called without new.

Frida basics: supplements

Converting an object to an array

Java code:

public static void test(Object object) {
    Log.d("无情剑客", "" + object);
}

Hook script:

Java.perform(function () {
    console.log("buring");
    var mainActivity = Java.use("com.example.myapplication.MainActivity");
    mainActivity.test.overload("java.lang.Object").implementation = function (p1) {
        console.log(p1);
        // p1 arrives as a java.lang.Object wrapper; read it element by element
        var arr = object2Arr(p1);
        console.log("after:" + arr);
        this.test(p1);
    }
})

// Convert a Java array (received as java.lang.Object) into a JS array.
// java.lang.reflect.Array works for arrays of any element type.
function object2Arr(object) {
    var new_arr = new Array();
    var arr_class = Java.use("java.lang.reflect.Array");
    var len = arr_class.getLength(object);   // one JNI call instead of one per iteration
    console.log("object2Arr:" + len);
    for (var i = 0; i < len; i++) {
        var ele = arr_class.get(object, i);
        new_arr.push(ele);
    }
    return new_arr;
}
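Building on the hook above, the following added example (my code, not from the original post) first decodes the class name the object reports, so that a byte[] or String[] passed as java.lang.Object is logged by a readable type name, and then lists the elements through java.lang.reflect.Array as object2Arr does. Class.getName() returns JVM descriptor form for arrays ("[B", "[Ljava.lang.String;"), which decodeClassName() turns back into "byte[]" and "java.lang.String[]". The hook target is the same assumed class and method as above; the decoding helpers are plain JavaScript, and the Frida part only runs when the script is loaded inside Frida.

```javascript
// Added example (not from the original post): describe any object passed as
// java.lang.Object by decoding its JVM array descriptor and listing elements.

var PRIMITIVE_NAMES = {
  B: 'byte', C: 'char', D: 'double', F: 'float',
  I: 'int', J: 'long', S: 'short', Z: 'boolean'
};

// "[[I" -> "int[][]", "[Ljava.lang.String;" -> "java.lang.String[]";
// names that are not array descriptors are returned unchanged.
function decodeClassName(name) {
  var dims = 0;
  while (dims < name.length && name.charAt(dims) === '[') dims++;
  if (dims === 0) return name;
  var base = name.substring(dims);
  var elem;
  if (base.charAt(0) === 'L' && base.charAt(base.length - 1) === ';') {
    elem = base.substring(1, base.length - 1);
  } else if (PRIMITIVE_NAMES.hasOwnProperty(base)) {
    elem = PRIMITIVE_NAMES[base];
  } else {
    throw new Error('not a JVM array descriptor: ' + name);
  }
  for (var i = 0; i < dims; i++) elem += '[]';
  return elem;
}

function isArrayClassName(name) {
  return name.length > 0 && name.charAt(0) === '[';
}

// Frida side: returns { type, elements } for the object a hook received.
function describeJavaObject(obj) {
  if (obj === null) return { type: 'null', elements: [] };
  var name = obj.getClass().getName();
  var result = { type: decodeClassName(name), elements: [] };
  if (!isArrayClassName(name)) return result;
  var ReflectArray = Java.use('java.lang.reflect.Array');
  var len = ReflectArray.getLength(obj);   // cached: one JNI call, not one per loop
  for (var i = 0; i < len; i++) {
    var ele = ReflectArray.get(obj, i);
    result.elements.push(ele === null ? 'null' : String(ele));
  }
  return result;
}

function main() {
  // Assumed hook target: the same class and method as the post's example.
  var MainActivity = Java.use('com.example.myapplication.MainActivity');
  MainActivity.test.overload('java.lang.Object').implementation = function (p1) {
    var d = describeJavaObject(p1);
    console.log('test(' + d.type + '): [' + d.elements.join(', ') + ']');
    return this.test(p1);
  };
}

// Java is a Frida global; outside Frida only the pure helpers are defined.
if (typeof Java !== 'undefined') Java.perform(main);
```

Run it with frida -U -f com.example.myapplication -l describe.js; each call to test() then prints the decoded type and the elements, for example test(java.lang.String[]): [a, b].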

Stopping a scan

return 'stop'; can also be used when enumerating classes.

// m is a module object, e.g. from Process.getModuleByName() or Process.enumerateModules()
Memory.scan(m.base, m.size, pattern, {
  onMatch(address, size) {
    console.log('Memory.scan() found match at', address,
        'with size', size);

    // Optionally stop scanning early:
    return 'stop';
  },
  onComplete() {
    console.log('Memory.scan() complete');
  }
});
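As an added example (my code, not the post's), the script below builds a Memory.scan pattern from bytes (null stands for the "??" wildcard in Frida's pattern syntax), re-implements the same byte-with-wildcard matching in plain JavaScript so the behaviour can be checked offline, and then uses return 'stop' both in Memory.scan and in Java.enumerateLoadedClasses to quit after the first hit instead of walking the whole module or class list. The module name libc.so and the class name fragment MainActivity are assumptions for the demo.

```javascript
// Added example (not from the original post): scan patterns and early stop.

// [0x48, 0x8b, null, 0x05] -> "48 8b ?? 05"  (null = wildcard byte)
function toScanPattern(bytes) {
  return bytes.map(function (b) {
    if (b === null) return '??';
    if (typeof b !== 'number' || b < 0 || b > 0xff) throw new Error('bad byte: ' + b);
    return (b < 0x10 ? '0' : '') + b.toString(16);
  }).join(' ');
}

// "48 8b ?? 05" -> [0x48, 0x8b, null, 0x05]
function parseScanPattern(pattern) {
  return pattern.trim().split(/\s+/).map(function (tok) {
    return tok === '??' ? null : parseInt(tok, 16);
  });
}

// Offset of the first match of pattern in haystack, or -1: the offset the
// first onMatch of Memory.scan would report relative to the scanned base.
function findFirst(haystack, pattern) {
  var pat = parseScanPattern(pattern);
  for (var i = 0; i + pat.length <= haystack.length; i++) {
    var ok = true;
    for (var j = 0; j < pat.length; j++) {
      if (pat[j] !== null && haystack[i + j] !== pat[j]) { ok = false; break; }
    }
    if (ok) return i;
  }
  return -1;
}

// Frida side: scan one module and stop at the first hit.
function findFirstInModule(moduleName, pattern, onFound) {
  var m = Process.getModuleByName(moduleName);
  Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      onFound(address, size);
      return 'stop';                       // skip the rest of the module
    },
    onError: function (reason) { console.log('scan error: ' + reason); },
    onComplete: function () { console.log('scan of ' + moduleName + ' done'); }
  });
}

// Same idea for class enumeration: stop once the class of interest appears.
function findLoadedClass(needle, onFound) {
  Java.enumerateLoadedClasses({
    onMatch: function (name) {
      if (name.indexOf(needle) !== -1) { onFound(name); return 'stop'; }
    },
    onComplete: function () {}
  });
}

function main() {
  // The ELF magic sits at the start of the mapping, so this stops immediately.
  findFirstInModule('libc.so', toScanPattern([0x7f, 0x45, 0x4c, 0x46]), function (addr, size) {
    console.log('ELF magic at ' + addr + ' (' + size + ' bytes)');
  });
  if (typeof Java !== 'undefined' && Java.available) {
    Java.perform(function () {
      findLoadedClass('MainActivity', function (name) { console.log('class: ' + name); });
    });
  }
}

// Process is a Frida global; outside Frida only the pure helpers are defined.
if (typeof Process !== 'undefined') main();
```

Memory.scanSync() returns every match at once, which is convenient for small regions; for a large module where only the first occurrence matters, returning 'stop' from onMatch avoids reading the rest of the mapping, and the onError callback keeps an unreadable page from aborting the script.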

ptrace_scope

On Linux, the value of ptrace_scope must be set, because Frida relies on the ptrace function.

sysctl -w kernel.yama.ptrace_scope=0 # temporarily changes the current value of the variable, i.e. the value under the virtual file system /proc; lost on reboot

kernel.yama.ptrace_scope = 0

Checking the phone's architecture

On Android, checking the phone's architecture is quite useful.

adb shell getprop ro.product.cpu.abi

Checking my phone's architecture: it is V8.

[image: frida补充篇_Memory_02]

Modifying a return value

In Static Analysis of an APK with Radare2 (2), the return value was modified by rewriting stringFromJNI at the Java layer. Here it is modified instead in the onLeave callback of Interceptor.attach.

onLeave(retval): callback function given one argument retval that is a NativePointer-derived object containing the raw return value. You may call retval.replace(1337) to replace the return value with the integer 1337, or retval.replace(ptr("0x1234")) to replace with a pointer. Note that this object is recycled across onLeave calls, so do not store and use it outside your callback. Make a deep copy if you need to store the contained value, e.g.: ptr(retval.toString()).

Modify the return value:

onLeave: function (retval) {
    console.log("retval " + retval);             // the raw jstring the JNI function returned
    var env = Java.vm.getEnv();
    var jstring = env.newStringUtf('无情剑客');   // create a new Java string through JNI
    retval.replace(jstring);                     // hand it back as the return value
}
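The complete hook around that onLeave, as an added example (my code, not from the original post): it resolves the JNI export by name, reads the original Java string before replacing it, and shows the deep-copy caveat from the quoted docs in practice by storing only retval.toString() rather than the recycled retval object. The export name is a placeholder for the app's real Java_<package>_MainActivity_stringFromJNI symbol, and env.stringFromJni() is the frida-java-bridge helper for reading a jstring. rememberReturnValue() is plain JavaScript; the rest runs only inside Frida.

```javascript
// Added example (not from the original post): replace a JNI jstring return value.

// Placeholder: substitute the real mangled name of the app's stringFromJNI.
var TARGET_EXPORT = 'Java_com_example_myapplication_MainActivity_stringFromJNI';

// retval is recycled across onLeave calls, so keep only a copy of its string
// form; rebuild a pointer later with ptr(str) if one is needed.
function rememberReturnValue(store, retval) {
  store.push(retval.toString());
  return store.length;
}

function hookJniString(exportName, replacement, store) {
  var target = Module.findExportByName(null, exportName);
  if (target === null) {
    console.log('export not found: ' + exportName);
    return false;
  }
  Interceptor.attach(target, {
    onLeave: function (retval) {
      var env = Java.vm.getEnv();
      var original = env.stringFromJni(retval);          // read the returned Java string
      rememberReturnValue(store, retval);                // copy, never the retval object itself
      console.log(exportName + ' returned "' + original + '" (' + retval + ')');
      retval.replace(env.newStringUtf(replacement));     // hand back a fresh jstring
    }
  });
  return true;
}

function main() {
  var seen = [];
  hookJniString(TARGET_EXPORT, 'replaced by hook', seen);
}

// Interceptor is a Frida global; outside Frida only rememberReturnValue() is usable.
if (typeof Interceptor !== 'undefined') Java.perform(main);
```

Because the original string is read before retval.replace(), the log shows both what the native code produced and the address that was swapped out, which is the first thing to check when a replacement does not show up in the UI.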

Printing the Java call stack

console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()));
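The one-liner above prints every frame, framework ones included. As an added example (my code, not the post's), the script below parses the text that Log.getStackTraceString() returns and keeps only frames under the app's own package, so a hook shows where in the app a call came from. parseJavaStack() and filterFrames() are plain JavaScript; the hook target and the package prefix com.example.myapplication are assumed for the demo.

```javascript
// Added example (not from the original post): filtered Java call stack from a hook.

// Turn getStackTraceString() output into frame strings without the "at " prefix.
function parseJavaStack(text) {
  return text.split('\n')
    .map(function (l) { return l.trim(); })
    .filter(function (l) { return l.indexOf('at ') === 0; })
    .map(function (l) { return l.substring(3); });
}

// Keep only frames whose class name starts with packagePrefix.
function filterFrames(frames, packagePrefix) {
  return frames.filter(function (f) { return f.indexOf(packagePrefix) === 0; });
}

// Frida side: capture the current Java stack and print the filtered frames.
function printJavaStack(packagePrefix) {
  var Log = Java.use('android.util.Log');
  var Throwable = Java.use('java.lang.Throwable');
  var text = Log.getStackTraceString(Throwable.$new());
  var frames = parseJavaStack(text);
  if (packagePrefix) frames = filterFrames(frames, packagePrefix);
  frames.forEach(function (f) { console.log('  at ' + f); });
  return frames;
}

function main() {
  var MainActivity = Java.use('com.example.myapplication.MainActivity');
  MainActivity.test.overload('java.lang.Object').implementation = function (p1) {
    console.log('test() called from:');
    printJavaStack('com.example.myapplication');
    return this.test(p1);
  };
}

// Java is a Frida global; outside Frida only the parsing helpers are defined.
if (typeof Java !== 'undefined') Java.perform(main);
```

Pass an empty prefix to printJavaStack() to see the full stack again when the interesting caller turns out to be in a library outside the app package.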