使用APK进行Frida注入,免电脑联机麻烦,批量解决更新脚本或frida麻烦
作者:互联网
代码来源于下面的开源仓库,本文记录其实现过程:
https://github.com/iGio90/FridaAndroidInjector
我们平时测试最多的是使用android端的server + 电脑端的frida-tools结合使用注入脚本到进程,这是开发最方便的。
使用frida-inject可以直接脱离frida-tools或者python绑定,注入脚本到进程。
如下图(原文截图)所示,可以查看 frida-inject 的 help 参数。
而 server 方式则是通过监听 socket 端口来与电脑端的 frida-tools 通讯的。
参数如下:
摘取 APK 端关键的注入代码如下。注意:下面的 cp、chmod/chown 和 remount 操作都是通过 RootManager 以 root 权限执行的 shell 命令。
// Path of the injector's own APK; it gets copied next to the target's base APK so
// the agent script can later load it with a DexClassLoader (see the JS below).
ApplicationInfo ownAi = fridaAgent.getPackageManager().getApplicationInfo(
fridaAgent.getPackageName(), 0);
String ownApk = ownAi.publicSourceDir;
// Directory holding the target's base APK (everything before the last '/').
ApplicationInfo targetAi = fridaAgent.getPackageManager().getApplicationInfo(packageName, 0);
String targetApk = targetAi.publicSourceDir;
String targetPath = new File(targetApk).getPath().substring(0, targetApk.lastIndexOf("/"));
String dest = targetPath + "/xd.apk";
boolean onSystem = targetPath.startsWith("/system/");
// /system is normally read-only: flip it to rw just for the copy and restore it below.
if (onSystem) {
    RootManager.getInstance().remount("/system", "rw");
}
// NOTE(review): these are root shell commands assembled by string concatenation with
// no quoting. Paths returned by PackageManager contain no shell metacharacters in
// practice, but nothing here enforces that — keep it in mind if packageName ever
// comes from untrusted input.
RootManager.getInstance().runCommand("cp " + ownApk + " " + dest);
RootManager.getInstance().runCommand("chmod 644 " + dest);
Log.w("Frida", "cp " + ownApk + " " + dest);
if (onSystem) {
    RootManager.getInstance().runCommand("chown root:root " + dest);
    RootManager.getInstance().remount("/system", "ro");
} else {
    RootManager.getInstance().runCommand("chown system:system " + dest);
    Log.w("Frida", "chown system:system " + dest);
}
/**
 * Runs the bundled frida-inject binary as root against a running process.
 *
 * @param packageName process to attach to (frida-inject -n)
 * @param agentPath   script file to load into it (-s); runs on the V8 runtime.
 *                    The -e flag is passed as in the original (see frida-inject --help
 *                    for its exact meaning on the bundled version — TODO confirm).
 */
private void inject(String packageName, String agentPath) {
    // NOTE(review): the command line is built by concatenation with no quoting, so
    // packageName and agentPath must not contain spaces or shell metacharacters.
    StringBuilder cmd = new StringBuilder(mInjector.getPath());
    cmd.append(" -n ").append(packageName);
    cmd.append(" -s ").append(agentPath);
    cmd.append(" --runtime=v8 -e");
    RootManager.getInstance().runCommand(cmd.toString());
}
注入脚本如下
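// Redirect every console.log() call into Android logcat (tag "FridaAndroidInject"):
// with no frida-tools session attached there is nowhere else for output to go, so it
// is read back from the device (adb logcat / the PC-side tooling).
// Each argument becomes its own log line.
console.log = function () {
  var args = arguments;
  Java.performNow(function () {
    var Log = Java.use("android.util.Log");
    for (var i = 0; i < args.length; i++) {
      // String() rather than .toString() so null/undefined log as "null"/"undefined"
      // instead of throwing inside the Java.performNow callback.
      Log.e("FridaAndroidInject", String(args[i]));
    }
  });
};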
// Report a JSON-serialisable object back to the controller app through an Android
// broadcast, since there is no frida-tools session to send() through.
// NOTE(review): this is an implicit broadcast with no target package set, so any app
// that registers a receiver for "com.frida.injector.SEND" can read the payload;
// intent.setPackage(<controller package>) would scope it. Delivery of implicit
// broadcasts to manifest receivers is also restricted on newer Android releases —
// verify on the target OS version.
Java["send"] = function (data) {
  Java.performNow(function () {
    var Intent = Java.use("android.content.Intent");
    var Context = Java.use("android.content.Context");
    var currentApp = Java.use("android.app.ActivityThread").currentApplication();
    var appContext = Java.cast(currentApp.getApplicationContext(), Context);
    var msg = Intent.$new("com.frida.injector.SEND");
    msg.putExtra("data", JSON.stringify(data));
    appContext.sendBroadcast(msg);
  });
};
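// Test code >>> (replace the test code with the real business logic)
// Write a single line to logcat under tag "FridaAndroidInject". String() rather than
// .toString() so null/undefined do not throw inside the Java.performNow callback.
function log(what) {
  Java.performNow(function () {
    Java.use("android.util.Log").e("FridaAndroidInject", String(what));
  });
}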
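// Demo hook: make every TextView.setText(CharSequence) call display "It works!" so a
// glance at the target's UI confirms the agent is running.
Java.performNow(function () {
  var TextView = Java.use("android.widget.TextView");
  var JString = Java.use("java.lang.String");
  // Pick the overload by signature instead of overloads[0]: the index order is
  // whatever Frida enumerates, and only the CharSequence overload accepts the
  // java.lang.String substituted below (setText(int) etc. would fail).
  TextView.setText.overload("java.lang.CharSequence").implementation = function (text) {
    return this.setText(JString.$new("It works!"));
  };
});
// Test code <<<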
// Two seconds after injection, hook Activity.onResume so the Java-side helper from
// the loaded APK runs every time an activity comes to the foreground. (Why the
// delay is needed is not stated — presumably to let the rest of the script finish
// loading first.)
setTimeout(function () {
  Java.perform(function () {
    var Activity = Java.use("android.app.Activity");
    Activity.onResume.overloads[0].implementation = function () {
      // Let the real onResume run first, then hand the Activity to our code.
      // NOTE(review): an error thrown by activityInterface propagates out of the
      // hooked onResume into the target app.
      this.onResume.apply(this, arguments);
      var activity = Java.cast(this, Activity);
      // activityInterface is the function this script installs on Java below.
      Java.activityInterface(activity, "otherArg1", "otherArg2");
    };
  });
}, 2000);
// Five seconds in, tell the controller which pid the agent landed in, using the
// broadcast channel that Java.send sets up above.
setTimeout(function () {
  var report = { pid: Process.id };
  Java.send(report);
}, 5000);
// Build a DexClassLoader over xd.apk — the copy of the injector's own APK that the
// Java side dropped next to the target's base APK — parented to the target app's
// class loader, and stash it on Java.classFactory for activityInterface() below.
// NOTE(review): whatever can write xd.apk into that directory gets code execution
// inside the target. The copy is chmod 644 and owned by system/root, so only root
// should be able to replace it — verify on devices where /data/app permissions differ.
Java.performNow(function () {
  var application = Java.use("android.app.ActivityThread").currentApplication();
  var appContext = application.getApplicationContext();
  var ownInfo = appContext.getPackageManager().getApplicationInfo(appContext.getPackageName(), 0);
  var baseApk = ownInfo.publicSourceDir.value;
  // Same directory as the base APK, file name fixed to xd.apk by the Java side.
  var loaderApk = baseApk.substring(0, baseApk.lastIndexOf("/")) + "/xd.apk";
  var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
  var loader = DexClassLoader.$new(
    loaderApk,
    appContext.getCacheDir().getAbsolutePath(), // optimizedDirectory (ignored on newer Android — TODO confirm)
    null,                                       // librarySearchPath
    appContext.getClass().getClassLoader()      // parent: the target app's own loader
  );
  // "xd_loader" is an arbitrary key; classFactory is a plain JS object, so an extra
  // property is harmless.
  Java.classFactory["xd_loader"] = loader;
});
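// Invoke Interfaces$ActivityInterface.call(Object[]) from the loaded xd.apk, passing
// through whatever arguments the caller supplied (the onResume hook above passes the
// Activity plus two strings). The class lives in xd.apk rather than in the target, so
// Frida's default class loader is temporarily swapped to xd_loader for the lookup.
Java["activityInterface"] = function () {
  var defaultClassLoader = Java.classFactory.loader;
  var callArgs = Array.prototype.slice.call(arguments);
  Java.classFactory.loader = Java.classFactory["xd_loader"];
  try {
    var iface = Java.use(
      "com.igio90.fridainjectorexample.Interfaces$ActivityInterface"
    ).$new();
    iface.call(Java.array("java.lang.Object", callArgs));
  } finally {
    // Always restore the target's loader — the original only did so on the happy
    // path, and while it stays pointed at xd_loader later Java.use() calls can no
    // longer resolve the target package's classes.
    Java.classFactory.loader = defaultClassLoader;
  }
};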
来源: https://blog.csdn.net/chifu5720/article/details/114971476