Android hook方案调研 #4

summer506hai · 2023-01-26T03:53:56Z

frida hook

Windows 安装 frida
pip install frida
pip install frida-tools
安卓安装
adb 连接后输入以下命令查看CPU型号
getprop ro.product.cpu.abi
https://github.com/frida/frida/releases 中下载对应型号且与电脑安装Frida版本一致的Frida-server版本
下载完成后将其解压出来，然后重命名为frida-server
然后通过adb将其上传到手机 adb push .\frida-server /data/local/tmp
然后再给其授予777权限 chmod 777 frida-server
在手机端启动(设备需root) ./frida-server

然后在windows上执行 Frida-ps -U
如下图所示，则表示安装成功

自己写一个apk

MainActivity中，每隔5秒打印 50 + 30 的值
编写js hook掉 fun计算的结果
编写python脚本进行注入

import time
import frida

device = frida.get_usb_device()
pid = device.spawn(["com.example.myapplication"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s1.js") as f:
    script = session.create_script(f.read())
script.load()

# prevent the python script from terminating
input()

ClickActivity中，点击button，弹出 toast提示

编写js hook掉 toast弹窗的内容

Java.perform(
    function () {
      // 获得Toast组件
        var Toast = Java.use('android.widget.Toast')
        var makeText = Toast.makeText
        var String = Java.use('java.lang.String')
        makeText.overload('android.content.Context', 'java.lang.CharSequence', 'int').implementation=function (context,content,time) {
            var hookContent = String.$new('hook hook')
            return this.makeText(context,hookContent,time)
        }
    }
)

编写python脚本进行注入

import time
import frida

device = frida.get_usb_device()
pid = device.spawn(["com.example.myapplication"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s3.js") as f:
    script = session.create_script(f.read())
script.load()

# prevent the python script from terminating
input()

summer506hai · 2023-01-26T04:10:54Z

virtual xposed

下载并安装VirtualXposed，下载地址：https://github.com/android-hacker/VirtualXposed/releases
adb install 安装
编写一个简单的，待hook的 apk，一个button，点击后，弹出toast弹窗；

import android.util.Log;
import android.view.View;

import android.widget.Button;

import android.widget.Toast;

public class MainActivity extends AppCompatActivity {
    private Button button;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        button = (Button) findViewById(R.id.button);
        Log.i("hnzhu2","MainActivity");
        button.setOnClickListener(new View.OnClickListener() {
            public void onClick(View v) {
                Toast.makeText(MainActivity.this, toastMessage(), Toast.LENGTH_SHORT).show();
            }
        });
    }
    public String toastMessage() {
        return "我未被劫持";
    }
}

运行该apk安装到设备上

编写hook程序，新建一个项目 HookMyApplication ：

新建 HookTest类，并实现IXposedHookLoadPackage接口

在src/main下新建一个Assets Folder

在AndroidManifest.xml中指定模块的名称
利用VirtualXposed将待HOOK应用和编写的HOOK模块添加到VirtualXposed中

重启 VirtualXposed
打开 MyApplication，点击按钮，弹出，你已被劫持的弹窗

summer506hai · 2023-01-26T04:27:14Z

whale 框架

项目地址： https://github.com/asLody/whale

把whale项目里的java文件夹的代码复制到自己的项目中
复制 built/Android 下所需的abi到自己项目的src/main/jniLibs下

新建一个类Test，写一个测试的方法get，用于hook测试

新建一个hook的类，用于写hook的方法

将hook在程序启动的时候执行，在MainActivity的onCreate方法里执行，只能在app内进行hook，无法hook第三方应用

hook第三方应用

asLody/whale#36

summer506hai added the 技术调研 label Jan 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Android hook方案调研 #4

Android hook方案调研 #4

summer506hai commented Jan 26, 2023 •

edited

Loading

summer506hai commented Jan 26, 2023 •

edited

Loading

summer506hai commented Jan 26, 2023 •

edited

Loading

Android hook方案调研 #4

Android hook方案调研 #4

Comments

summer506hai commented Jan 26, 2023 • edited Loading

frida hook

summer506hai commented Jan 26, 2023 • edited Loading

virtual xposed

summer506hai commented Jan 26, 2023 • edited Loading

whale 框架

hook第三方应用

summer506hai commented Jan 26, 2023 •

edited

Loading

summer506hai commented Jan 26, 2023 •

edited

Loading

summer506hai commented Jan 26, 2023 •

edited

Loading