如何加载脚本
frida -U -f [包名] -l [脚本路径]
frida -U -f com.primer.gamecerter -l hookStartActivity.js
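// Traces runtime-permission requests issued through Activity and Fragment so
// that the requesting code (app or bundled SDK) can be read off the stack trace.
// The hooks only log; every call is forwarded unchanged to the original method.
Java.perform(function () {
  console.log('重新加载脚本');

  var Log = Java.use("android.util.Log");
  var Throwable = Java.use("java.lang.Throwable");

  // Prints the Java call stack of the thread that reached the hook.
  function printCallerStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // android.app.Activity#requestPermissions(String[], int)
  var Activity = Java.use("android.app.Activity");
  Activity.requestPermissions.overload("[Ljava.lang.String;", "int")
    .implementation = function (permissions, requestCode) {
      console.log("requestPermissions 2 requestCode = " + requestCode + " permissions = " + permissions);
      printCallerStack();
      this.requestPermissions(permissions, requestCode);
    };

  // Platform (non-AndroidX) fragments.
  var Fragment = Java.use("android.app.Fragment");
  Fragment.requestPermissions.implementation = function (permissions, code) {
    console.log('权限申请 android permissions = ' + permissions + " code = " + code);
    printCallerStack();
    this.requestPermissions(permissions, code);
  };

  // AndroidX is shipped inside the app, not the platform: Java.use throws when
  // the target does not bundle it, so this hook is installed on a best-effort
  // basis and a miss is reported instead of raising out of Java.perform.
  try {
    var FragmentX = Java.use("androidx.fragment.app.Fragment");
    FragmentX.requestPermissions.implementation = function (permissions, code) {
      console.log('权限申请 androidx permissions = ' + permissions + " code = " + code);
      printCallerStack();
      this.requestPermissions(permissions, code);
    };
  } catch (e) {
    console.log("androidx.fragment.app.Fragment not hooked: " + e);
  }
});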
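// Traces activity launches that pass through android.app.Instrumentation and
// prints the launching call stack.
//
// NOTE: unlike the other hooks on this page, the execStartActivity hooks are
// not purely observational: an Intent whose explicit package is
// com.xiaomi.market is rewritten to com.heytap.market before it is forwarded.
Java.perform(function () {
  var Instrumentation = Java.use('android.app.Instrumentation');
  var Log = Java.use('android.util.Log');
  var Throwable = Java.use('java.lang.Throwable');

  var FROM_PACKAGE = 'com.xiaomi.market';
  var TO_PACKAGE = 'com.heytap.market';

  // Prints the Java call stack of the thread that reached the hook.
  function printCallerStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Installs the shared handler on one execStartActivity overload.
  //   label     - number shown in the log line, identifies the overload
  //   signature - parameter type names passed to .overload()
  // .overload() throws when the running Android version does not declare the
  // signature; that is reported and skipped so the remaining hooks still load.
  function hookExecStartActivity(label, signature) {
    var method = Instrumentation.execStartActivity;
    var target;
    try {
      target = method.overload(...signature);
    } catch (e) {
      console.log('execStartActivity overload ' + label + ' not hooked: ' + e);
      return;
    }

    target.implementation = function (...args) {
      // The Intent is the fifth parameter in every signature hooked below.
      var intent = args[4];
      console.log(
        '【当前应用 ' + label + ' Instrumentation】 启动 execStartActivity intent = ' +
        intent);

      // getPackage() yields null when the Intent has no explicit package.
      var pkg = intent.getPackage();
      console.log('pkg = ' + pkg);
      if (pkg === FROM_PACKAGE) {
        intent.setPackage(TO_PACKAGE);
      }

      printCallerStack();
      return this.execStartActivity(...args);
    };
  }

  // 1: target is the calling Activity
  hookExecStartActivity('1', [
    'android.content.Context',
    'android.os.IBinder',
    'android.os.IBinder',
    'android.app.Activity',
    'android.content.Intent',
    'int',
    'android.os.Bundle',
  ]);

  // 2: target is passed as a String
  hookExecStartActivity('2', [
    'android.content.Context',
    'android.os.IBinder',
    'android.os.IBinder',
    'java.lang.String',
    'android.content.Intent',
    'int',
    'android.os.Bundle',
  ]);

  // 3: as 2, with an explicit UserHandle
  hookExecStartActivity('3', [
    'android.content.Context',
    'android.os.IBinder',
    'android.os.IBinder',
    'java.lang.String',
    'android.content.Intent',
    'int',
    'android.os.Bundle',
    'android.os.UserHandle',
  ]);

  // Logs the result check of a launch together with the caller's stack.
  Instrumentation.checkStartActivityResult.implementation = function (res, intent) {
    console.log('【checkStartActivityResult 启动 intent = ' + intent);
    printCallerStack();
    return this.checkStartActivityResult(res, intent);
  };
});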
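// Traces reads of device identifiers (Android ID, IMEI, MAC address, OAID) and
// prints the Java stack of each reader, which is what a privacy audit needs to
// attribute the access to app code or to a bundled SDK.
//
// The hooks forward to the original method and return its value unchanged.
// The console output contains the device's real identifier values, so captured
// logs should be handled like any other record holding personal data.
Java.perform(function () {
  console.log('重新加载脚本');

  var Log = Java.use("android.util.Log");
  var Throwable = Java.use("java.lang.Throwable");

  // Prints the Java call stack of the thread that reached the hook.
  function printCallerStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Settings key under which the Android ID is stored.
  var ANDROID_ID = "android_id";

  // --- Android ID via Settings.Secure ---
  var Secure = Java.use("android.provider.Settings$Secure");
  Secure.getString.implementation = function (resolver, name) {
    var result = this.getString(resolver, name);
    console.log("getString name = " + name + " val =" + result);
    if (name === ANDROID_ID) {
      console.log("getString 获取 androidID");
      printCallerStack();
    }
    return result;
  };

  Secure.getStringForUser.implementation = function (resolver, name, userHandle) {
    var result = this.getStringForUser(resolver, name, userHandle);
    console.log("getStringForUser name = " + name + " val =" + result);
    if (name === ANDROID_ID) {
      console.log("Secure getStringForUser 获取 androidID");
      printCallerStack();
    }
    return result;
  };

  // --- Same key read through Settings.System ---
  var SettingsSystem = Java.use("android.provider.Settings$System");
  SettingsSystem.getStringForUser.implementation = function (resolver, name, userHandle) {
    var result = this.getStringForUser(resolver, name, userHandle);
    console.log("System getStringForUser name = " + name + " val =" + result);
    if (name === ANDROID_ID) {
      console.log("System getStringForUser 获取 androidID");
      printCallerStack();
    }
    return result;
  };

  // --- IMEI, per SIM slot ---
  var TelephonyManager = Java.use("android.telephony.TelephonyManager");
  TelephonyManager.getDeviceId.overload("int").implementation = function (slotIndex) {
    var imei = this.getDeviceId(slotIndex);
    console.log("TelephonyManager 获取 IMEI slotIndex = " + slotIndex + " iemi = " + imei);
    printCallerStack();
    return imei;
  };

  // --- IMEI, default slot ---
  TelephonyManager.getDeviceId.overload().implementation = function () {
    var imei = this.getDeviceId();
    console.log("TelephonyManager 获取 IMEI = " + imei);
    printCallerStack();
    return imei;
  };

  // --- MAC address ---
  var NetworkInterface = Java.use("java.net.NetworkInterface");
  NetworkInterface.getHardwareAddress.implementation = function () {
    var mac = this.getHardwareAddress();
    console.log("NetworkInterface 获取 MAC = " + mac);
    printCallerStack();
    return mac;
  };

  // --- OAID ---
  // Candidate supplier classes; which of them exist depends on the SDK version
  // bundled in the target, so each one is hooked on a best-effort basis.
  var OAID_LIST = [
    "com.bun.supplier.IdSupplier",
    "com.bun.miitmdid.provider.DefaultProvider",
    "com.bun.miitmdid.supplier.IdSupplier",
    "com.bun.miitmdid.interfaces.IdSupplier",
  ];
  for (const className of OAID_LIST) {
    try {
      const supplier = Java.use(className);
      supplier.getOAID.implementation = function () {
        var result = this.getOAID();
        console.log('获取 oaid = ' + result);
        printCallerStack();
        return result;
      };
    } catch (e) {
      // Report the miss rather than dropping it, so a trace with no OAID
      // lines can be told apart from "no supplier class was hooked".
      console.log("OAID class not hooked: " + className + " (" + e + ")");
    }
  }
});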
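// Traces dialog dismissal and native-library loading with the caller's stack.
// Java.use needs the current thread attached to the VM, so the hooks are
// installed inside Java.perform like the other snippets on this page.
Java.perform(function () {
  var Log = Java.use("android.util.Log");
  var Throwable = Java.use("java.lang.Throwable");

  // Prints the Java call stack of the thread that reached the hook.
  function printCallerStack() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  var Dialog = Java.use("android.app.Dialog");
  Dialog.dismiss.implementation = function () {
    console.log("Dialog dismiss");
    printCallerStack();
    this.dismiss();
  };

  var System = Java.use("java.lang.System");

  // System.load takes the path of the library file.
  System.load.implementation = function (libname) {
    console.log('【System load = ' + libname);
    printCallerStack();
    this.load(libname);
  };

  // System.loadLibrary takes a library name.
  // NOTE(review): the platform resolves the library through the caller's class
  // loader; forwarding from inside a hook may change which caller is seen and
  // surface as UnsatisfiedLinkError on some Android versions. If that happens,
  // hooking java.lang.Runtime.loadLibrary0 is the usual alternative; confirm
  // its signature on the target release.
  System.loadLibrary.implementation = function (libname) {
    console.log('【System loadLibrary = ' + libname);
    printCallerStack();
    this.loadLibrary(libname);
  };
});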
待补充~~~