Frida脚本汇总
import frida
import sys
import time
import sys
# Set to True by the "-r" command-line flag (see __main__); hook() then
# re-attaches and reloads the script every time the session detaches.
repeat = False
def on_message(message, data):
    """Frida script message callback.

    Messages of type ``send`` have their ``payload`` printed; every other
    message (including ``error``) is printed as-is.

    :param message: message dict delivered by Frida (has a ``type`` key)
    :param data: optional binary blob accompanying the message (unused)
    """
    kind = message.get("type")
    output = message["payload"] if kind == "send" else message
    print(output)
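def hook(target, jsf, *args):
    """Attach to ``target``, load the Frida script ``jsf`` and block until
    the session detaches.

    The script text is read from ``jsf`` and ``args`` are substituted for
    its ``%s`` placeholders with ``%`` formatting.  While the module-level
    ``repeat`` flag is set, the function re-attaches and reloads the script
    after every detach (a loop here instead of the original recursion, which
    grew the call stack on every re-attach).

    :param target: process name or pid accepted by ``frida.attach``
    :param jsf: path to the JavaScript file to load (read as UTF-8)
    :param args: values substituted into the script's ``%s`` placeholders
    """
    while True:
        # Poll until the target process exists; attach() raises until then.
        while True:
            try:
                session = frida.attach(target)
                break
            except Exception:
                time.sleep(0.2)
        print("[*] Hook进程成功")
        with open(jsf, "r", encoding="utf-8") as fh:
            script_data = fh.read()
        # NOTE: args are pasted verbatim into the JavaScript source; a quote
        # or a stray '%' inside an argument breaks (or changes) the script.
        script = session.create_script(script_data % args)
        script.on("message", on_message)
        script.load()
        while not session.is_detached:
            time.sleep(2)
        if not repeat:
            return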
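if __name__ == "__main__":
    # Usage: [-r] target jsfile.js [...args]
    # Guard the argv access so running without arguments prints the usage
    # line instead of raising IndexError.
    argv = sys.argv[1:]
    if argv and argv[0] == "-r":
        args = argv[1:]
        repeat = True  # make hook() re-attach after each detach
    else:
        args = argv
    if len(args) < 2:
        print("[*] 参数格式: [-r] target jsfile.js [...args]")
    else:
        hook(args[0], args[1], *args[2:])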
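// Dump the methods an Objective-C class declares itself.
// "%s" is filled in by the Python launcher (class name).
const className = "%s";
const targetClass = ObjC.classes[className];
// The original also evaluated `$methods` and `ObjC.classes` into locals that
// were never used; only `ownMethods` is reported.
const info = {
  ownMethods: targetClass.$ownMethods,
  // methods: targetClass.$methods,
  // allClasses: ObjC.classes,
};
console.log(JSON.stringify(info));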
// const st = Module.findExportByName('zzzalloc.so','__Z8zzzallocP12license_info');
// console.log(st);
// Print every loaded module with its base address.
const modules = Process.enumerateModules();
for (const mod of modules) {
  console.log(`== Name: ${mod.name} <${mod.base}>`);
}
- hook指定方法输出调用信息(Objective-C)
// Hook one Objective-C method and log the receiver, its ivars, the selector,
// every argument and the return value.  Both "%s" placeholders are filled in
// by the Python launcher (class name, then the method name as listed by Frida).
const targetClass = ObjC.classes.%s;
const methodName = "%s";
// Each ":" in the method name corresponds to one argument after self and _cmd.
const argCount = methodName.split(":").length - 1;
Interceptor.attach(targetClass[methodName].implementation, {
  onEnter(args) {
    console.log("\n================================");
    const receiver = ObjC.Object(args[0]);
    console.log("Target class: " + receiver);
    console.log("Target class address: " + ptr(args[0]));
    const ivars = receiver.$ivars;
    for (const name in ivars) {
      console.log(`ivars:[${name}] -> [${ivars[name]}]`);
    }
    console.log("Target superClass: " + receiver.$superClass);
    const selector = ObjC.selectorAsString(args[1]);
    console.log("Hooked the target method: " + selector);
    // NOTE(review): every argument is wrapped as an ObjC object; a primitive
    // argument (int, BOOL, ...) will not print meaningfully here.
    for (let i = 1; i <= argCount; i += 1) {
      const obj = ObjC.Object(args[i + 1]);
      console.log(`Argument${i}: ${obj.toString()}`);
    }
  },
  onLeave(retval) {
    // NOTE(review): assumes the method returns an object; void/primitive
    // returns are not handled.
    const result = ObjC.Object(retval);
    console.log("Retval: " + retval);
    console.log("ObjC Retval: " + result.toString());
    console.log("Type: " + result.$className);
    console.log("SuperClass: " + result.$superClass);
    console.log("");
  },
});
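/**
 * Resolve the absolute address of a function from its module name and its
 * offset within that module, logging (and hex-dumping 16 bytes of) both the
 * module base and the resulting address.
 *
 * @param {string} module - name of a loaded module
 * @param {number|string|NativePointer} offset - offset of the function from the module base
 * @returns {NativePointer} absolute address (+1 on 32-bit ARM, as in the original)
 * @throws {Error} when the module is not loaded (findBaseAddress returns null)
 */
function get_func_addr(module, offset) {
  const baseAddr = Module.findBaseAddress(module);
  if (baseAddr === null) {
    // The original dereferenced null here and failed with an opaque TypeError.
    throw new Error(`module not loaded: ${module}`);
  }
  console.log("base_addr: " + baseAddr);
  console.log(hexdump(baseAddr, { length: 16, header: true, ansi: true }));
  const funcAddr = baseAddr.add(offset);
  // On 32-bit ARM the original adds 1 to the address (presumably to flag
  // Thumb code) — kept as-is.
  const returnAddr = Process.arch === 'arm' ? funcAddr.add(1) : funcAddr;
  console.log('func_addr: ' + returnAddr);
  console.log(hexdump(returnAddr, { length: 16, header: true, ansi: true }));
  return returnAddr;
}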
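// Both "%s" placeholders are filled in by the Python launcher: module name,
// then the function's offset inside that module.
const moduleName = "%s";
const offset = %s;
// Resolve the target function's absolute address.
const funcAddr = get_func_addr(moduleName, offset);
Interceptor.attach(ptr(funcAddr), {
  onEnter(args) {
    console.log("====onEnter=====");
    // The original never advanced `index`, so every line printed as "arg0".
    // NOTE(review): iterating `args` assumes Frida's InvocationArguments is
    // iterable on the target Frida version — confirm; otherwise index
    // explicitly (args[0], args[1], ...).
    let index = 0;
    for (const arg of args) {
      console.log(`arg${index}: ${arg}`);
      index += 1;
    }
    // hexdump(arg, { length: 64 }) can be added above to inspect pointed-to memory.
  },
  onLeave(retval) {
    console.log("====onLeave=====");
    console.log(`retval: ${retval}`);
  },
});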
// Foundation classes used by json_to_objc below.
const NSString = ObjC.classes.NSString;
const NSJSONSerialization = ObjC.classes.NSJSONSerialization;
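/**
 * Parse a JSON string into the equivalent Foundation object graph.
 *
 * @param {string} data - JSON text
 * @returns {ObjC.Object|null} the parsed NSDictionary/NSArray/..., or nil when
 *   the text is not valid JSON (no error out-parameter is supplied, so the
 *   failure is reported only through the nil result)
 */
function json_to_objc(data) {
  // 0x4 = NSUTF8StringEncoding
  const strData = NSString.stringWithString_(data).dataUsingEncoding_(0x4);
  // 0x1 = NSJSONReadingMutableContainers; NULL error pointer (was ptr(0x0)).
  return NSJSONSerialization.JSONObjectWithData_options_error_(strData, 0x1, NULL);
}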
// NOTE: the launcher pastes the JSON text verbatim into this single-quoted
// literal; a ' or \ inside the JSON breaks the script.
console.log(json_to_objc('%s'));