1. Tool for hooking native .so libraries: frida_hook_libart
https://github.com/lasting-yang/frida_hook_libart
(1) Hook native .so method registration (hooks RegisterNatives in libart.so and prints, for each dynamically registered JNI method, the Java class, method name and signature, and the native function address as module + offset, so you can find the implementation in the .so directly)
frida -U --no-pause -f package_name -l hook_RegisterNatives.js
(2) Hook ART (hook_art.js)
frida -U --no-pause -f package_name -l hook_art.js
The output looks similar to that of jnitrace.
Notes: replace package_name with the real package name of the target app; -f spawns the app so that registrations made during startup are caught, and --no-pause resumes the main thread as soon as the script is loaded (on recent Frida releases spawned processes resume automatically and the flag is no longer required).
2. Tool for tracing JNI API calls: jnitrace; you can specify which .so library's JNI calls to trace
https://github.com/chame1eon/jnitrace
Usage:
jnitrace -l libnative-lib.so com.example.myapplication
Or start the app explicitly in spawn or attach mode:
jnitrace -l libnative-lib.so -m spawn com.example.myapplication
jnitrace -l libnative-lib.so -m attach com.example.myapplication
In the resulting output, each JNI call is coloured according to the thread that made it, which makes it easy to separate calls from the main thread and from worker threads. Pass -l more than once to trace several libraries at the same time.
3. The FRIDA-DEXDump plugin can be used for unpacking (dumping the dex files of a packed app from memory)
https://github.com/hluwa/FRIDA-DEXDump
The following commands are entered inside an objection session attached to the target app. The first one loads the plugin from its checkout directory (adjust the path to where you cloned it), the second scans the process memory for dex files, and the third writes them to disk:
plugin load /root/Desktop/FRIDA-DEXDump
plugin dexdump search
plugin dexdump dump
Then go to the directory where the dex files were dumped and search for the Activity you are interested in, to find out which of the dumped files contains the app's real code:
grep -ril "MainActivity" *
Note that packers commonly wipe or alter the dex header in memory and that a dump can contain several dex files of similar size, so check the header of the file the grep points you to before spending time decompiling it.
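One way to triage the dump directory after `plugin dexdump dump`, going one step beyond the single `grep -ril` above: the script below (an added example, not code from the FRIDA-DEXDump project or from the original page) checks, for every file, whether the 8-byte dex magic is intact, whether the `file_size` field in the header matches the size on disk, and whether the class descriptor you are looking for occurs in the file. The dump directory, the file names and the descriptor `Lcom/example/MainActivity;` are illustrative assumptions, and `make_sample_dumps` builds constructed 64-byte fixtures rather than real dumps so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not part of FRIDA-DEXDump: triage a directory of dumped dex
# files. Per file it reports whether the dex magic is intact, whether the
# header's file_size matches the file on disk, and whether a given class
# descriptor occurs in it. Paths and the descriptor are assumptions.

# Emit N NUL bytes (used only by the constructed fixtures below).
zeros() {
    n=0
    while [ "$n" -lt "$1" ]; do printf '\000'; n=$((n + 1)); done
}

# dex_magic_ok FILE: succeed if FILE starts with "dex\n03X\0" (any dex version).
dex_magic_ok() {
    head8=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$head8" in
        6465780a3033??00) return 0 ;;
        *) return 1 ;;
    esac
}

# dex_declared_size FILE: print the little-endian uint32 file_size stored at
# header offset 0x20; prints 0 when the file is too short to hold a header.
dex_declared_size() {
    le=$(od -An -tx1 -j 32 -N4 "$1" 2>/dev/null | tr -d ' \n')
    if [ "${#le}" -ne 8 ]; then echo 0; return; fi
    be=$(printf '%s' "$le" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    printf '%d\n' "0x$be"
}

# triage_dex_dir DIR DESCRIPTOR: one tab-separated line per file in DIR:
#   magic-ok|magic-bad  size-ok|size-mismatch  class-found|class-absent  path
# A wiped magic is the usual trace of a packer, a size mismatch means the dump
# was truncated or cut at the wrong boundary, and class-found tells you which
# dump to decompile.
triage_dex_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if dex_magic_ok "$f"; then m=magic-ok; else m=magic-bad; fi
        actual=$(wc -c < "$f" | tr -d ' ')
        if [ "$(dex_declared_size "$f")" = "$actual" ]; then s=size-ok; else s=size-mismatch; fi
        # Class descriptors are stored as MUTF-8 strings in the dex string
        # table, so a fixed-string byte search finds them; -a and LC_ALL=C stop
        # grep from treating the binary file specially.
        if LC_ALL=C grep -aqF -- "$2" "$f"; then c=class-found; else c=class-absent; fi
        printf '%s\t%s\t%s\t%s\n' "$m" "$s" "$c" "$f"
    done
}

# write_dex FILE intact|wiped PAYLOAD: constructed 64-byte fixture, not a real dump.
# Layout: 8 magic | 24 zero (checksum + SHA-1) | 4 file_size LE | 28 payload.
write_dex() {
    {
        if [ "$2" = intact ]; then printf 'dex\n035\000'; else zeros 8; fi
        zeros 24
        printf '\100\000\000\000'          # file_size = 0x40 = 64
        printf '%s' "$3"
        zeros $((28 - ${#3}))
    } > "$1"
}

# make_sample_dumps DIR: four constructed fixtures covering each triage outcome.
make_sample_dumps() {
    write_dex "$1/good.dex" intact 'Lcom/example/MainActivity;'   # intact, has the class
    write_dex "$1/stripped.dex" wiped 'Lcom/example/MainActivity;' # magic wiped by a "packer"
    write_dex "$1/other.dex" intact 'Lcom/example/Other;'          # intact, different class
    # truncated.dex: intact header declaring 64 bytes, but only 40 are present
    dd if="$1/good.dex" of="$1/truncated.dex" bs=1 count=40 2>/dev/null
}

# Usage: sh triage_dex.sh DUMP_DIR 'Lcom/example/MainActivity;'
# With no arguments it runs against the constructed fixtures in a temp dir.
if [ "$#" -ge 2 ]; then
    triage_dex_dir "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_dumps "$demo"
    triage_dex_dir "$demo" 'Lcom/example/MainActivity;'
    rm -rf "$demo"
fi
```

The `magic-bad` files are the interesting ones when unpacking: the class is there but the header was wiped in memory, so a decompiler will refuse the file until the first eight bytes are restored. A `size-mismatch` on the file that contains your Activity usually means the dump was cut at the wrong boundary and should be redone rather than patched.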