hook in native
渣空格
hook in native
-
找so的模块
// Base address of libmyjni.so; Frida returns null here when the module is not loaded,
// so check the result before doing pointer arithmetic on it.
var base_myjni = Module.findBaseAddress("libmyjni.so");
返回的是该模块的基地址
获取模块的导出函数
// Address of the exported function n2 in libmyjni.so; null if the module or the
// export is not found, so guard before passing it to Interceptor.attach.
var n2 = Module.findExportByName("libmyjni.so", "n2");
-
Thumb 模式的函数地址需要 +1
-
附加函数
Interceptor.attach
-
枚举并打印 so 的符号
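// Enumerate the symbols of libart.so and print each name.
// Process.findModuleByName returns null when the module is not loaded, so the
// lookup is guarded before enumerateSymbols is called on the result.
const module_libart = Process.findModuleByName("libart.so");
if (module_libart === null) {
  console.log("libart.so not found");
} else {
  const symbols = module_libart.enumerateSymbols(); // enumerate the module's symbols
  for (const symbol of symbols) {
    const name = symbol.name;
    // The original loop computed the name and discarded it; print it as the heading promises.
    console.log(name);
  }
}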
-
将 const char* 打印成 string：
ptr(value).readCString()
-
hook libc的内容
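/**
 * Hook libc's strcmp and log both operands when the second one equals the
 * expected string.
 *
 * onEnter runs on every strcmp call in the process, so only the cheap
 * comparison is done unconditionally and the verbose log is gated on a match.
 * No onLeave callback is registered because the original did nothing there;
 * omitting it avoids an extra JS transition per call.
 */
function hook_libc() {
  const strcmp = Module.findExportByName("libc.so", "strcmp");
  console.log("strcmp:", strcmp);
  if (strcmp === null) {
    // findExportByName returns null for a missing export; Interceptor.attach(null) would throw.
    console.log("strcmp export not found, not hooking");
    return;
  }
  Interceptor.attach(strcmp, {
    onEnter(args) {
      // args[0] and args[1] are already NativePointers; a NULL operand cannot be read as a C string.
      if (args[0].isNull() || args[1].isNull()) {
        return;
      }
      const str_2 = args[1].readCString();
      if (str_2 === "EoPAoY62@ElRD") {
        console.log("strcmp:", args[0].readCString(), str_2);
      }
    },
  });
}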
-
用 Frida 的 File API 来写文件；如果要多次写入，每次写完要先 flush 一下
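/**
 * Write the registration string to /sdcard/reg.dat with Frida's File API.
 *
 * flush() pushes buffered data out so a subsequent write sees it on disk;
 * close() runs in a finally block so the handle is released even if write throws.
 */
function write_reg_dat() {
  const file = new File("/sdcard/reg.dat", "w");
  try {
    file.write("EoPAoY62@ElRD");
    file.flush();
  } finally {
    file.close();
  }
}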
-
把c函数定义为NativeFunction来写文件
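/**
 * Write the registration string to /sdcard/reg.dat by calling libc's
 * fopen/fputs/fclose directly through NativeFunction.
 *
 * Module.findExportByName returns null for a missing export, and fopen returns
 * NULL on failure (for example when /sdcard is not writable); both cases are
 * checked so a NULL FILE* is never handed to fputs or fclose, which would crash
 * the target process. fclose runs in a finally block so the stream is always closed.
 */
function write_reg_dat2() {
  const addr_fopen = Module.findExportByName("libc.so", "fopen");
  const addr_fputs = Module.findExportByName("libc.so", "fputs");
  const addr_fclose = Module.findExportByName("libc.so", "fclose");
  console.log("addr_fopen:", addr_fopen, "addr_fputs:", addr_fputs, "addr_fclose:", addr_fclose);
  if (addr_fopen === null || addr_fputs === null || addr_fclose === null) {
    console.log("libc export missing, not writing");
    return;
  }

  const fopen = new NativeFunction(addr_fopen, "pointer", ["pointer", "pointer"]);
  const fputs = new NativeFunction(addr_fputs, "int", ["pointer", "pointer"]);
  const fclose = new NativeFunction(addr_fclose, "int", ["pointer"]);

  // Keep these JS references alive for the duration of the native calls;
  // Frida frees allocUtf8String memory once the JS object is collected.
  const filename = Memory.allocUtf8String("/sdcard/reg.dat");
  const open_mode = Memory.allocUtf8String("w+");
  const file = fopen(filename, open_mode);
  console.log("fopen file:", file);
  if (file.isNull()) {
    console.log("fopen failed");
    return;
  }
  try {
    const buffer = Memory.allocUtf8String("EoPAoY62@ElRD");
    const ret = fputs(buffer, file);
    console.log("fputs ret:", ret);
  } finally {
    fclose(file);
  }
}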