This article is about: Frida, a powerful tool for cracking Android apps
When I attended the RadareCon conference last year, I learned about a dynamic binary instrumentation framework called Frida. At first it seemed only mildly interesting; it was only after putting it to use that I discovered how much fun it really is. Remember god mode in games? That is what it feels like to manipulate native applications with Frida. This is a blog post specifically about playing with Android applications using Frida. And since we are explaining that anyway, the second part of this article will also include a little hands-on Android app cracking.
- Access the memory of a process
- Overwrite functions while the application is running
- Call functions from imported classes
- Find object instances on the heap and use them
- Hook, trace and intercept functions, and more
```shell
pip install frida
npm install frida
```
```
michael@sixtyseven:~$ adb devices
List of devices attached
emulator-5556   device
```
```shell
adb shell
su
cd /data/local/tmp
chmod 755 frida-server
./frida-server
```
```shell
frida-ps -U
```
```
michael@sixtyseven:~$ frida-ps -U
 PID  Name
----  --------------------------------------------------
 696  adbd
5828  android.ext.services
6188  android.process.acore
5210  audioserver
5211  cameraserver
8334  com.android.calendar
6685  com.android.chrome
6245  com.android.deskclock
5528  com.android.inputmethod.latin
6120  com.android.phone
6485  com.android.printspooler
8355  com.android.providers.calendar
5844  com.android.systemui
7944  com.google.android.apps.nexuslauncher
6416  com.google.android.gms
[...]
```
```shell
frida-trace -i "open" -U com.android.chrome
```
```
michael@sixtyseven:~$ frida-trace -i open -U -f com.android.chrome
Instrumenting functions...
open: Loaded handler at "/home/michael/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.
           /* TID 0x2740 */
   282 ms  open(pathname=0xa843ffc9, flags=0x80002)
           /* TID 0x2755 */
   299 ms  open(pathname=0xa80d0c44, flags=0x2)
           /* TID 0x2756 */
   309 ms  open(pathname=0xa80d0c44, flags=0x2)
           /* TID 0x2740 */
   341 ms  open(pathname=0xa80d06f7, flags=0x2)
   592 ms  open(pathname=0xa77dd3bc, flags=0x0)
   596 ms  open(pathname=0xa80d06f7, flags=0x2)
   699 ms  open(pathname=0xa80d105e, flags=0x80000)
   717 ms  open(pathname=0x9aff0d70, flags=0x42)
   742 ms  open(pathname=0x9ceffda0, flags=0x0)
   758 ms  open(pathname=0xa63b04c0, flags=0x0)
```
```javascript
[...]
  onEnter: function (log, args, state) {
    log("open(" + "pathname=" + args[0] + ", flags=" + args[1] + ")");
  },
[...]
```
```javascript
  onEnter: function (log, args, state) {
    // args[0] is a pointer to the C string; read the string instead of printing the address
    log("open(" + "pathname=" + Memory.readUtf8String(args[0]) + ", flags=" + args[1] + ")");
  },
```
```
michael@sixtyseven:~$ frida-trace -i open -U -f com.android.chrome
Instrumenting functions...
open: Loaded handler at "/home/michael/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.
           /* TID 0x29bf */
   240 ms  open(pathname=/dev/binder, flags=0x80002)
           /* TID 0x29d3 */
   259 ms  open(pathname=/dev/ashmem, flags=0x2)
           /* TID 0x29d4 */
   269 ms  open(pathname=/dev/ashmem, flags=0x2)
           /* TID 0x29bf */
   291 ms  open(pathname=/sys/qemu_trace/process_name, flags=0x2)
   453 ms  open(pathname=/dev/alarm, flags=0x0)
   456 ms  open(pathname=/sys/qemu_trace/process_name, flags=0x2)
   562 ms  open(pathname=/proc/self/cmdline, flags=0x80000)
   576 ms  open(pathname=/data/dalvik-cache/arm/system@app@Chrome@Chrome.apk@classes.dex.flock, flags=0x42)
```
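The trace still prints the flags argument as a raw number. As an added example that is not part of the original post, the following Python script parses frida-trace output of this shape, keeps track of the thread marker lines, and decodes each flags value into symbolic open(2) names so that opens with write access or O_CREAT (the ones that can change files on the device) can be picked out. The sample trace text is constructed from the values shown above; the flag table deliberately contains only the bits whose values are the same on ARM and x86 Android (O_LARGEFILE, O_DIRECTORY and O_NOFOLLOW differ between the two and are reported as unknown bits).

```python
#!/usr/bin/env python3
"""Added example (not from the original post): parse frida-trace output for
libc open() and decode the raw flags values into symbolic open(2) names."""
import re

# Constructed sample, using the lines and values shown in the post's trace.
SAMPLE_TRACE = """\
Instrumenting functions...
open: Loaded handler at "/home/michael/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.
           /* TID 0x29bf */
   240 ms  open(pathname=/dev/binder, flags=0x80002)
           /* TID 0x29d3 */
   259 ms  open(pathname=/dev/ashmem, flags=0x2)
           /* TID 0x29bf */
   562 ms  open(pathname=/proc/self/cmdline, flags=0x80000)
   576 ms  open(pathname=/data/dalvik-cache/arm/system@app@Chrome@Chrome.apk@classes.dex.flock, flags=0x42)
"""

# Architecture-independent Linux open(2) bits (octal values from the generic
# fcntl.h). Bits that differ between ARM and x86 are left out on purpose and
# surface as "unknown(...)" so nobody is misled by a wrong table.
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
    (0o10000, "O_DSYNC"), (0o2000000, "O_CLOEXEC"),
]

TID_RE = re.compile(r"^\s*/\* TID (0x[0-9a-fA-F]+) \*/")
CALL_RE = re.compile(r"^\s*(\d+) ms\s+open\(pathname=(.*), flags=(0x[0-9a-fA-F]+)\)\s*$")


def decode_open_flags(flags):
    """Turn an integer flags value into a list of symbolic names."""
    names = [ACCESS_MODES.get(flags & 0o3, "O_ACCMODE?")]
    rest = flags & ~0o3
    for bit, name in FLAG_BITS:
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:  # architecture-specific or unlisted bits
        names.append("unknown(0x%x)" % rest)
    return names


def parse_open_trace(text):
    """Return one record per open() call; the TID comes from the marker line
    that frida-trace prints whenever the calling thread changes."""
    calls, tid = [], None
    for line in text.splitlines():
        m = TID_RE.match(line)
        if m:
            tid = int(m.group(1), 16)
            continue
        m = CALL_RE.match(line)
        if not m:
            continue  # banner lines and anything that is not an open() call
        flags = int(m.group(3), 16)
        calls.append({"tid": tid, "t_ms": int(m.group(1)), "path": m.group(2),
                      "flags": flags, "names": decode_open_flags(flags)})
    return calls


def writes(calls):
    """Opens that can modify the filesystem: write access mode or O_CREAT."""
    return [c for c in calls if (c["flags"] & 0o3) != 0 or (c["flags"] & 0o100)]


if __name__ == "__main__":
    for c in parse_open_trace(SAMPLE_TRACE):
        print("tid=%#x %5d ms  %-70s %s" % (c["tid"], c["t_ms"], c["path"], "|".join(c["names"])))
```

Feeding it a saved frida-trace session instead of SAMPLE_TRACE is a one-line change; the interesting output is usually `writes()`, which for the sample reduces the trace to the three opens that can touch files (the two O_RDWR device opens and the O_RDWR|O_CREAT lock file in the dalvik cache).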
```shell
frida -U -f com.android.chrome
```
```
[USB::Android Emulator 5556::['com.android.chrome']]-> Java.androidVersion
"7.1.1"
```
```
[USB::Android Emulator 5556::['com.android.chrome']]-> Java.perform(function(){Java.enumerateLoadedClasses({"onMatch":function(className){ console.log(className) },"onComplete":function(){}})})
org.apache.http.HttpEntityEnclosingRequest
org.apache.http.ProtocolVersion
org.apache.http.HttpResponse
org.apache.http.impl.cookie.DateParseException
org.apache.http.HeaderIterator
```
```javascript
Java.enumerateLoadedClasses({
  "onMatch": function (className) {
    console.log(className);
  },
  "onComplete": function () {}
});
```
```javascript
{
  "onMatch": function (arg1, ...) { ... },
  "onComplete": function () { ... },
}
```
```javascript
Java.perform(function () {
  var Activity = Java.use("android.app.Activity");
  Activity.onResume.implementation = function () {
    console.log("[*] onResume() got called!");
    this.onResume();
  };
});
```
```shell
frida -U -l chrome.js com.android.chrome
```
```
[*] onResume() got called!
```
```javascript
setImmediate(function () {
  console.log("[*] Starting script");
  Java.perform(function () {
    Java.choose("android.view.View", {
      "onMatch": function (instance) {
        console.log("[*] Instance found");
      },
      "onComplete": function () {
        console.log("[*] Finished heap search");
      }
    });
  });
});
```
```
[*] Starting script
[*] Instance found
[*] Instance found
[*] Instance found
[*] Instance found
[*] Finished heap search
```
```javascript
setImmediate(function () {
  console.log("[*] Starting script");
  Java.perform(function () {
    Java.choose("android.view.View", {
      "onMatch": function (instance) {
        console.log("[*] Instance found: " + instance.toString());
      },
      "onComplete": function () {
        console.log("[*] Finished heap search");
      }
    });
  });
});
```
```
[*] Starting script
[*] Instance found: android.view.View{7ccea78 G.ED..... ......ID 0,0-0,0 #7f0c01fc app:id/action_bar_black_background}
[*] Instance found: android.view.View{2809551 V.ED..... ........ 0,1731-0,1731 #7f0c01ff app:id/menu_anchor_stub}
[*] Instance found: android.view.View{be471b6 G.ED..... ......I. 0,0-0,0 #7f0c01f5 app:id/location_bar_verbose_status_separator}
[*] Instance found: android.view.View{3ae0eb7 V.ED..... ........ 0,0-1080,63 #102002f android:id/statusBarBackground}
[*] Finished heap search
```
```python
#!/usr/bin/python
import frida
import sys

# put your javascript-code here
jscode = """
console.log("[*] Starting script");
Java.perform(function () {
    var Activity = Java.use("android.app.Activity");
    Activity.onResume.implementation = function () {
        console.log("[*] onResume() got called!");
        this.onResume();
    };
});
"""

# start up frida and attach to the com.android.chrome process on a USB device
session = frida.get_usb_device().attach("com.android.chrome")
# create a frida script from jscode
script = session.create_script(jscode)
# and load the script
script.load()
# keep the Python process alive, otherwise the session is torn down as soon as
# the script ends and the hook is removed before onResume() is ever called
sys.stdin.read()
```
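The script above logs only on the JavaScript side, so the Python process never sees the events. As an added example that is not part of the original post, here is a Python 3 variant in which the agent reports each hooked call (arguments and the Java stack of the caller) back to the host with send(), and the host collects the payloads in an on-message handler and surfaces agent errors instead of silently losing them. The class and method names, the stdin wait and the printed format are assumptions for illustration; frida is imported only inside main(), so the helpers can be exercised without a device.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): hook a Java method with the
frida Python bindings and collect the agent's send() messages on the host."""
import re
import sys

# Only plain Java identifiers are spliced into the agent source, so a bad
# name cannot turn into arbitrary JavaScript running inside the target.
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
JAVA_IDENT_RE = re.compile(r"^[A-Za-z_$][\w$]*$")

# The agent: replace the method, report the call and the caller's stack to the
# host with send(), then run the original method. For an overloaded method the
# assignment would throw and Target.method.overload(...) must be used instead.
HOOK_TEMPLATE = """
Java.perform(function () {
  var Target = Java.use("%(cls)s");
  var Log = Java.use("android.util.Log");
  var Exception = Java.use("java.lang.Exception");
  Target.%(method)s.implementation = function () {
    send({
      event: "call",
      cls: "%(cls)s",
      method: "%(method)s",
      args: Array.prototype.slice.call(arguments).map(String),
      stack: Log.getStackTraceString(Exception.$new())
    });
    return this.%(method)s.apply(this, arguments);
  };
});
"""


def build_hook_script(cls, method):
    """Return the agent source for one class/method pair after validating both names."""
    if not JAVA_CLASS_RE.match(cls):
        raise ValueError("not a Java class name: %r" % cls)
    if not JAVA_IDENT_RE.match(method):
        raise ValueError("not a Java method name: %r" % method)
    return HOOK_TEMPLATE % {"cls": cls, "method": method}


def handle_message(message, data, sink):
    """on('message') callback. Frida delivers {'type': 'send', 'payload': ...}
    for send() and {'type': 'error', 'description': ..., 'stack': ...} for an
    uncaught exception in the agent. Appends a record to sink, returns its kind."""
    kind = message.get("type")
    if kind == "send":
        sink.append({"kind": "send", "payload": message["payload"]})
        return "send"
    if kind == "error":
        sink.append({"kind": "error", "description": message.get("description"),
                     "stack": message.get("stack")})
        return "error"
    return "other"


def main(target="com.android.chrome", cls="android.app.Activity", method="onResume"):
    import frida  # imported here so the helpers above run without a device
    events = []
    session = frida.get_usb_device().attach(target)
    script = session.create_script(build_hook_script(cls, method))
    script.on("message", lambda message, data: handle_message(message, data, events))
    script.load()
    print("[*] hook installed on %s.%s, press Ctrl-D to stop" % (cls, method))
    sys.stdin.read()  # keep the session alive until the analyst is done
    session.detach()
    for e in events:
        if e["kind"] == "send":
            p = e["payload"]
            print("[*] %s.%s(%s)\n%s" % (p["cls"], p["method"], ", ".join(p["args"]), p["stack"]))
        else:
            print("[!] agent error: %s\n%s" % (e["description"], e["stack"]))
    return events


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Collecting the stack with Log.getStackTraceString(new Exception()) is a common Frida idiom; it answers the question the plain onResume() hook leaves open, namely which code path triggered the call. Printing after detach keeps the stdout of the hook separate from the agent's own console.log output.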
```shell
r2pm install r2frida
```
```
michael@sixtyseven:~$ frida-trace -i open -U -f com.android.chrome
Instrumenting functions...
open: Loaded handler at "/home/michael/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.
           /* TID 0x2740 */
   282 ms  open(pathname=0xa843ffc9, flags=0x80002)
           /* TID 0x2755 */
[...]
```
```
root@sixtyseven:~# r2 frida://emulator-5556/com.android.chrome
 -- Enhance your graphs by increasing the size of the block and graph.depth eval variable.
[0x00000000]> s 0xa843ffc9
[0xa843ffc9]> px
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0xa843ffc9  2f64 6576 2f62 696e 6465 7200 4269 6e64  /dev/binder.Bind
0xa843ffd9  6572 2069 6f63 746c 2074 6f20 6f62 7461  er ioctl to obta
0xa843ffe9  696e 2076 6572 7369 6f6e 2066 6169 6c65  in version faile
0xa843fff9  643a 2025 7300 4269 6e64 6572 2064 7269  d: %s.Binder dri
[...]
```
```shell
r2 frida://DEVICE-ID/PROCESS
```
```
[0x00000000]> =!?
r2frida commands available via =!
 ?                          Show this help
 ?V                         Show target Frida version
 /[x][j] <string|hexpairs>  Search hex/string pattern in memory ranges (see search.in=?)
 /w[j] string               Search wide string
[...]
```
Original publication date: April 14, 2017
Author: 丝绸之路
This article comes from 嘶吼, a partner of 云栖社区; for related information, follow the 嘶吼 website.