第一课时 Hook In Java
vscode中自动提示
npm i @types/frida-gum
-
hook java层代码
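/**
 * Template for hooking a Java-layer method with Frida.
 *
 * Replaces method `a` on the class named in Java.use() with a wrapper that
 * calls the original implementation and passes its result back to the caller.
 * "java class" and `a` are placeholders for the real class and method names.
 */
function hook_java() {
  Java.perform(function () {
    // Java.use returns a JavaScript wrapper for the named Java class.
    const clazz = Java.use("java class");
    clazz.a.implementation = function (str, str2) {
      // Inside a replacement, this.a(...) invokes the original method.
      const result = this.a(str, str2);
      // Hand the original result back; without this return the hooked method
      // yields undefined to its Java caller and changes the app's behaviour.
      return result;
    };
  });
}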
开启frida
frida -U packageName -l hook.js
-
调用函数:静态函数可以通过 Java.use 得到的类包装器直接调用;非静态函数需要先用 Java.choose 在堆上找到已存在的实例,再通过实例调用。
/**
 * Actively invokes methods on FridaActivity2: the static one through the
 * class wrapper, the instance one on each object that Java.choose reports.
 */
function call_FridaActivity2() {
  const className = "com.example.androiddemo.Activity.FridaActivity2";

  Java.perform(() => {
    // Static method: callable directly on the wrapper returned by Java.use.
    const activityClass = Java.use(className);
    activityClass.setStatic_bool_var();

    // Instance method: an object is required, so Java.choose supplies them.
    const callbacks = {
      onMatch(instance) {
        instance.setBool_var();
      },
      onComplete() {},
    };
    Java.choose(className, callbacks);
  });
}
-
直接设置类中的变量:静态变量直接通过类包装器的 .value 修改即可;非静态变量需要先获取它的对象再修改。如果函数的名字和变量名相同,就要在变量名前面加一个下划线。
/**
 * Writes fields of FridaActivity3 directly: the static field through the
 * class wrapper, the instance fields on each object that Java.choose reports.
 * Field values are read and written through the `.value` property.
 */
function call_FridaActivity3() {
  const className = "com.example.androiddemo.Activity.FridaActivity3";

  Java.perform(() => {
    // Static field: set it on the class wrapper, then print it back.
    const activityClass = Java.use(className);
    activityClass.static_bool_var.value = true;
    console.log(activityClass.static_bool_var.value);

    const callbacks = {
      onMatch(instance) {
        // Plain instance field.
        instance.bool_var.value = true;
        // A field that shares its name with a method is reached through
        // the underscore-prefixed name.
        instance._same_name_bool_var.value = true;
        console.log(instance.bool_var.value, instance._same_name_bool_var.value);
      },
      onComplete() {},
    };
    Java.choose(className, callbacks);
  });
}
-
内部类的函数
/**
 * Hooks the inner class FridaActivity4$InnerClasses and replaces check1
 * through check6 so that each one returns true.
 *
 * An inner class is addressed as Outer$Inner in the name given to Java.use.
 * That these replacements take effect is also why in-app checks of this
 * kind cannot serve as a security boundary on a device the user controls.
 */
function hook_InnerClasses() {
  Java.perform(() => {
    const innerClass = Java.use("com.example.androiddemo.Activity.FridaActivity4$InnerClasses");
    console.log(innerClass);

    const checkNames = ["check1", "check2", "check3", "check4", "check5", "check6"];
    checkNames.forEach((checkName) => {
      // Each method gets its own replacement function, as in a hand-written list.
      innerClass[checkName].implementation = function () {
        return true;
      };
    });
  });
}
-
hook 多个函数的
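/**
 * Hooks every method declared on FridaActivity4$InnerClasses so that it logs
 * the receiver and returns true.
 *
 * Method names come from reflection (Method.getName()) rather than from
 * slicing Method.toString(), which breaks when the class name also appears
 * earlier in the signature (for example as the return type). Each overload is
 * replaced individually, because assigning `.implementation` on a method that
 * has several overloads is rejected by Frida.
 *
 * NOTE(review): every replacement returns true, which only suits methods that
 * return boolean; confirm that holds for the target class before reusing this.
 */
function hook_mul_function() {
  Java.perform(function () {
    const class_name = "com.example.androiddemo.Activity.FridaActivity4$InnerClasses";
    const InnerClasses = Java.use(class_name);
    const all_methods = InnerClasses.class.getDeclaredMethods();

    // getDeclaredMethods() lists one entry per overload; collect unique names.
    const method_names = new Set();
    for (let i = 0; i < all_methods.length; i++) {
      method_names.add(String(all_methods[i].getName()));
    }

    for (const methodname of method_names) {
      console.log(methodname);
      for (const overload of InnerClasses[methodname].overloads) {
        // A regular function (not an arrow) so that `this` is the receiver.
        overload.implementation = function () {
          console.log("hook_mul_function:", this);
          return true;
        };
      }
    }
  });
}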
-
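hook 动态加载的 dex:动态加载的类不在默认的 ClassLoader 中,需要先用 Java.enumerateClassLoaders 找到能加载该类的 loader,再切换 Java.classFactory.loader。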
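/**
 * Hooks a class that lives in a dynamically loaded dex.
 *
 * Steps, all inside Java.perform:
 *   1. Print the class name of the object that each FridaActivity5 instance
 *      returns from getDynamicDexCheck().
 *   2. Walk the class loaders and make the one that can find DynamicCheck the
 *      loader used by Java.classFactory.
 *   3. Replace DynamicCheck.check so it logs and returns true.
 */
function hook_dyn_dex() {
  Java.perform(function () {
    const activityName = "com.example.androiddemo.Activity.FridaActivity5";
    const dynamicName = "com.example.androiddemo.Dynamic.DynamicCheck";

    Java.choose(activityName, {
      onMatch: function (instance) {
        console.log(instance.getDynamicDexCheck().$className);
      },
      onComplete: function () {},
    });

    // Hook the dynamically loaded dex: find the loader that owns the class.
    Java.enumerateClassLoaders({
      onMatch: function (loader) {
        try {
          if (loader.findClass(dynamicName)) {
            console.log(loader);
            // Switch the class loader that later Java.use calls resolve against.
            Java.classFactory.loader = loader;
          }
        } catch (error) {
          // Deliberate best-effort: a loader that cannot find the class
          // signals it by throwing, so it is skipped and the walk continues.
        }
      },
      onComplete: function () {},
    });

    // If no loader matched above, this Java.use call is expected to throw.
    const DynamicCheck = Java.use(dynamicName);
    console.log(DynamicCheck);
    DynamicCheck.check.implementation = function () {
      console.log("DynamicCheck.check");
      return true;
    };
  });
}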