Frida-在Android-Q上挂钩本机方法失败

时间:2020-03-22 00:25:21

标签: android-10.0 frida

我有一个示例应用,该应用在本机库中有一个 int add(int a,int b) 方法。

我使用以下代码钩住int add(int a,int b)方法:

add

我使用以下命令从中获取函数名称:

#!/usr/bin/env python3

import frida
import sys

# Identifier of the target app process; passed to attach() below.
package_name: str = "com.sample.hello"
# Name of the native export to hook; substituted into the JavaScript template.
apiname: str = "add"

def get_messages_from_js(message, data):
    """Print a message received from the injected script.

    Args:
        message: Message dict delivered by the script's 'message' event.
            Its 'type' key selects what is printed.
        data: Second callback argument; not used here.

    A message of type 'send' prints only its 'payload'; any other message
    (for example an error report) is printed whole so nothing is hidden.
    """
    is_send = message['type'] == 'send'
    print(message['payload'] if is_send else message)

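def instrument_debugger_checks():
    """Build the JavaScript source that hooks the native export named by ``apiname``.

    Returns:
        str: Script source for ``create_script``, with the module-level
        ``apiname`` substituted into the template.

    The generated script checks the result of ``Module.findExportByName``
    before attaching. That call returns null when no currently loaded module
    exports the symbol, and handing null to ``Interceptor.attach`` fails with
    an error that does not say which symbol was missing.
    """
    # The template goes through old-style string formatting, so it must hold
    # exactly one placeholder and no other percent signs.
    hook_code = """
const exportName = "%s";
// A null module name searches every module that is loaded right now.
const target = Module.findExportByName(null, exportName);
if (target === null) {
    // Nothing loaded exports this symbol, e.g. the library is not loaded yet.
    console.log("export not found in any loaded module: " + exportName);
} else {
    Interceptor.attach(target, {
        onEnter: function(args) {
            console.log("onEnter...");
            //send (Memory.readUtf8String (args [1]));
        },
        // onLeave receives the return value, not the argument array.
        onLeave: function(retval) {
            console.log("onLeave...");
        }
    });
}
"""%(apiname)
    return hook_code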

# Attach to the target app on the USB-connected device. attach() targets a
# process that is already running, so the script below is injected after startup.
process = frida.get_usb_device().attach(package_name)
# Create a script in that session from the generated JavaScript hook source.
script = process.create_script(instrument_debugger_checks())
# Register the message callback before load() so no early message is missed.
script.on('message',get_messages_from_js)
# Load the script; the hook code runs in the target at this point, so the
# export lookup only sees libraries that are loaded by now.
script.load()
# Block on stdin to keep this process (and the injected script) alive.
sys.stdin.read()

我尝试了所有这些名称,结果是相同的。

但是当我运行它时,出现以下错误:

$ nm -D libnative2.so |grep add

0000000000082504 T _ZNSt6__ndk114__shared_count12__add_sharedEv
0000000000082574 T _ZNSt6__ndk119__shared_weak_count10__add_weakEv
000000000008255c T _ZNSt6__ndk119__shared_weak_count12__add_sharedEv
0000000000042d8c T add

我的代码怎么了?

1 个答案:

答案 0 :(得分:1)

看起来是挂钩时机的问题:脚本执行时,目标库可能尚未加载。请尝试以下 Frida 脚本:

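// Defer the native hook until the target library has been loaded: replace
// System.loadLibrary(String), perform the real load, then attach to the export
// once the module is present in the process.
Java.perform(function() {
    const System = Java.use("java.lang.System");
    const Runtime = Java.use("java.lang.Runtime");
    const SystemLoad_2 = System.loadLibrary.overload("java.lang.String");
    const VMStack = Java.use("dalvik.system.VMStack");

    // Export to hook. The literal is the same format placeholder the Python
    // wrapper in the question substitutes; presumably this script is meant to
    // be pasted into that template. Keep it the only placeholder in the script.
    const exportName = "%s";

    SystemLoad_2.implementation = function(library) {
        console.log("Loading dynamic library => " + library);

        // Perform the real load. A failure is logged and re-thrown so the app
        // sees the same error it would see without instrumentation.
        // NOTE(review): the private loadLibrary0 overloads vary across Android
        // releases; confirm this (ClassLoader, String) form exists on the target.
        let loaded;
        try {
            loaded = Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library);
        } catch (ex) {
            console.log(ex);
            throw ex;
        }

        if (library.includes("native2")) {
            // Hook installation is best-effort: a failure here is logged and
            // must not affect the library load that already succeeded.
            try {
                const target = Module.findExportByName("libnative2.so", exportName);
                if (target === null) {
                    // Wrong name or module not mapped; attach would throw on null.
                    console.log("export not found in libnative2.so: " + exportName);
                } else {
                    Interceptor.attach(target, {
                        onEnter: function(args) {
                            console.log("onEnter...");
                            //send (Memory.readUtf8String (args [1]));
                        },
                        // onLeave receives the return value, not the argument array.
                        onLeave: function(retval) {
                            console.log("onLeave...");
                        }
                    });
                }
            } catch (ex) {
                console.log(ex);
            }
        }

        return loaded;
    };
});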