Frida脚本汇总

  • 注入调用
import frida
import sys
import time
import sys

# Set to True by the "-r" command-line flag: re-attach after the target detaches.
repeat: bool = False

def on_message(message, data):
    """Print a message posted by the loaded Frida script.

    A ``send()`` message is printed as its bare payload; an ``error`` message
    and any other message type are printed as the whole message dict.
    ``data`` (the optional binary attachment) is not used.
    """
    kind = message.get("type")
    if kind == "send":
        print(message["payload"])
    else:
        # "error" and everything else: dump the full message
        print(message)

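def hook(target,jsf,*args):
    """Attach to ``target``, load the script ``jsf`` and block until the
    session detaches; when the module-level ``repeat`` flag is set, re-attach
    in a loop instead of returning.

    :param target: process name or PID handed to ``frida.attach``
    :param jsf: path of the JavaScript file; its ``%s`` placeholders are
                filled from ``args`` with Python ``%`` formatting
    :param args: values substituted into the script text
    """
    while True:
        # Poll until the target process can be attached; every attach failure
        # is treated as "not there yet", as in the original.
        while True:
            try:
                session = frida.attach(target)
                break
            except Exception:
                time.sleep(0.2)
        print("[*] Hook进程成功")
        # Re-read on every attach so script edits take effect; the with-block
        # closes the handle (the original left it open).
        with open(jsf, 'r', encoding='utf-8') as fh:
            script_data = fh.read()
        # NOTE: args are spliced into JavaScript source text, not passed as
        # data, so this is only suitable for trusted local arguments.
        script = session.create_script(script_data % args)
        script.on("message", on_message)
        script.load()
        while not session.is_detached:
            time.sleep(2)
        # Loop (rather than recurse, as the original did) when re-attaching.
        if not repeat:
            break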

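if __name__ == "__main__":
    # Usage: [-r] target jsfile.js [...args]; "-r" re-attaches after the
    # target detaches. Guard the empty-argv case, which raised IndexError before.
    argv = sys.argv[1:]
    if argv and argv[0] == "-r":
        args = argv[1:]
        repeat = True
    else:
        args = argv
    if len(args) < 2:
        print("[*] 参数格式: [-r] target jsfile.js [...args]")
    else:
        hook(args[0], args[1], *args[2:])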
  • 枚举类的方法(Objective-C)
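const className = "%s";
const info = {};
// Look the class up once: an unknown name appears to come back undefined here,
// and the original then failed with a TypeError on `.$ownMethods` instead of
// saying which class was missing.
const targetCls = ObjC.classes[className];
if (targetCls === undefined) {
    console.log(`class not found: ${className}`);
} else {
    // Only the methods declared on this class are reported; the two extra
    // fields below stay disabled as in the original.
    info["ownMethods"] = targetCls.$ownMethods;
    // info["methods"] = targetCls.$methods;
    // info["allClasses"] = ObjC.classes;
    console.log(JSON.stringify(info));
}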
  • 枚举所有模块
// Reference: resolving a single export by name instead of listing modules.
// const st = Module.findExportByName('zzzalloc.so','__Z8zzzallocP12license_info');
// console.log(st);
// Print the name and base address of every module loaded in the target process.
const modules = Process.enumerateModules();
for (const mod of modules) {
    console.log(`== Name: ${mod.name}  <${mod.base}>`);
}
  • hook指定方法输出调用信息(Objective-C)
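const targetClass = ObjC.classes.%s;
const methodName = "%s";
// Resolve the method up front so a wrong class or selector name fails with a
// readable error instead of a TypeError on `.implementation`.
if (targetClass === undefined) {
    throw new Error("target class not found");
}
const targetMethod = targetClass[methodName];
if (targetMethod === undefined) {
    throw new Error("method not found: " + methodName);
}
Interceptor.attach(targetMethod.implementation, {
    onEnter(args) {
        console.log("\n================================");
        // args[0] is self, args[1] the selector; method arguments start at args[2].
        const receiver = ObjC.Object(args[0]);
        console.log("Target class: " + receiver);
        console.log("Target class address: " + ptr(args[0]));
        const ivars = receiver.$ivars;
        for (const name in ivars) {
            console.log(`ivars:[${name}] -> [${ivars[name]}]`);
        }
        console.log("Target superClass: " + receiver.$superClass);
        const sel = ObjC.selectorAsString(args[1]);
        console.log("Hooked the target method: " + sel);
        // One argument per ':' in the selector.
        const argCount = methodName.split(":").length - 1;
        for (let i = 1; i <= argCount; i += 1) {
            const argPtr = args[i + 1];
            // nil is a valid argument but cannot be wrapped as an ObjC.Object;
            // the original did not guard it. Primitive (non-object) arguments
            // are still passed through ObjC.Object as before.
            const text = argPtr.isNull() ? "nil" : ObjC.Object(argPtr).toString();
            console.log("Argument" + String(i) + ": " + text);
        }
    },
    onLeave(retval) {
        console.log("Retval: " + retval);
        // Same nil guard for the return value.
        if (retval.isNull()) {
            console.log("ObjC Retval: nil");
        } else {
            const obj = ObjC.Object(retval);
            console.log("ObjC Retval: " + obj.toString());
            console.log("Type: " + obj.$className);
            console.log("SuperClass: " + obj.$superClass);
        }
        console.log("");
    }
});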
  • 根据模块和偏移hook方法
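/**
 * Resolve the absolute address of a function from its module name and the
 * function's offset inside that module.
 *
 * @param {string} module - module name as listed by Process.enumerateModules()
 * @param {number|string} offset - offset of the function from the module base
 * @returns {NativePointer} address to hand to Interceptor.attach
 * @throws {Error} if the module is not loaded (findBaseAddress returned null)
 */
function get_func_addr(module, offset) {
    const baseAddr = Module.findBaseAddress(module);
    // The original dereferenced a null base with a bare TypeError; name the module instead.
    if (baseAddr === null) {
        throw new Error("module not loaded: " + module);
    }
    console.log("base_addr: " + baseAddr);
    console.log(hexdump(ptr(baseAddr), {
        length: 16,
        header: true,
        ansi: true
    }));
    const funcAddr = baseAddr.add(offset);
    // On 32-bit ARM the +1 sets the low bit that marks Thumb code; this assumes
    // the target function is Thumb (as the original did for every 'arm' process).
    const returnAddr = Process.arch === 'arm' ? funcAddr.add(1) : funcAddr;
    console.log('func_addr: ' + returnAddr);
    console.log(hexdump(ptr(returnAddr), {
        length: 16,
        header: true,
        ansi: true
    }));
    return returnAddr;
}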
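const moduleName = "%s";
const offset = %s;
// Number of arguments printed on entry. `args` of a native hook carries no
// length, so set this from the hooked function's signature (the original's
// commented-out code printed args 0..2).
const ARG_COUNT = 3;
// Resolve the absolute address of the target function.
const func_addr = get_func_addr(moduleName, offset);
Interceptor.attach(ptr(func_addr), {
    onEnter(args) {
        console.log("====onEnter=====");
        // The original looped `for (arg of args)` without ever incrementing
        // index, so every line read "arg0"; use a bounded index instead.
        for (let i = 0; i < ARG_COUNT; i += 1) {
            console.log("arg" + String(i) + ": " + args[i]);
        }
        // Example of dumping memory behind a pointer argument:
        // console.log(hexdump(ptr(args[0]), { length: 64, header: false, ansi: false }));
    },
    onLeave(retval) {
        console.log("====onLeave=====");
        console.log("retval: " + retval);
        // console.log(hexdump(ptr(retval), { length: 64, header: true, ansi: true }));
    }
});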
  • 转换json字符串为Objective-C对象
// Foundation class handles used by json_to_objc below.
const { NSString, NSJSONSerialization } = ObjC.classes;
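/**
 * Parse a JSON string into a Foundation object.
 *
 * @param {string} data - JSON text
 * @returns {ObjC.Object|null} the parsed object, or null when parsing failed
 */
function json_to_objc(data) {
    // 0x4 is presumably NSUTF8StringEncoding, 0x1 presumably NSJSONReadingMutableContainers.
    const strData = NSString.stringWithString_(data).dataUsingEncoding_(0x4);
    // The original passed a null NSError** and so returned nil silently on bad
    // input; hand in a real out-parameter and report the error.
    const errorOut = Memory.alloc(Process.pointerSize);
    errorOut.writePointer(ptr(0));
    const result = NSJSONSerialization.JSONObjectWithData_options_error_(strData, 0x1, errorOut);
    const error = errorOut.readPointer();
    if (!error.isNull()) {
        console.log("json_to_objc failed: " + ObjC.Object(error));
    }
    return result;
}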
// The JSON text is substituted into this source by the loader's string
// formatting, so it must not contain an unescaped single quote.
const parsed = json_to_objc('%s');
console.log(parsed);