1. What Hook can be used for
- To determine whether the app passes through the function we suspect when it performs a certain operation
- To modify the running logic of the hooked function
- To obtain, at run time, the concrete arguments passed to the hooked function and its return value
- To actively call certain functions inside the app
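As an added illustration of the four uses listed above (example code written for these notes, not Frida's own code): a hook implemented in plain JavaScript on a constructed target object, so it runs in Node without a device. In Frida the same pattern is written as Java.use(cls).method.implementation = function (...) { ... } for Java methods (with this.method(...) calling the original) or Interceptor.attach(addr, { onEnter, onLeave }) for native functions.

```javascript
// Constructed stand-in for an app method we suspect is involved in an operation.
const target = {
  checkPassword(pwd) {
    return pwd === "secret";
  },
};

// Install a hook on obj[name]. Every call is recorded (args + return value),
// onEnter sees the arguments, onLeave may replace the return value, and the
// original function stays reachable so it can be called directly.
function hook(obj, name, { onEnter, onLeave } = {}) {
  const original = obj[name];
  const calls = [];
  const wrapper = function (...args) {
    if (onEnter) onEnter(args);                // uses 1 & 3: reached, and with which args
    let ret = original.apply(this, args);      // run the original logic
    if (onLeave) ret = onLeave(args, ret);     // use 2: alter the result / logic
    calls.push({ args: [...args], ret });
    return ret;
  };
  wrapper.original = original;                 // use 4: call the real function on demand
  obj[name] = wrapper;
  return { calls, uninstall: () => { obj[name] = original; } };
}

// Exercise the hook and return what was observed so it can be checked.
function demo() {
  const seen = [];
  const h = hook(target, "checkPassword", {
    onEnter: (args) => seen.push(args[0]),
    // Force success for one specific input while leaving other calls untouched.
    onLeave: (args, ret) => (args[0] === "wrong" ? true : ret),
  });
  const forced = target.checkPassword("wrong");          // true: logic modified
  const normal = target.checkPassword("secret");         // true: unchanged
  const direct = target.checkPassword.original("wrong"); // false: original called actively
  h.uninstall();
  const restored = target.checkPassword("wrong");        // false: hook removed
  return { forced, normal, direct, restored, seen, calls: h.calls };
}
```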
2. Downloading and installing Python 3.8 64-bit
https://www.python.org/downlo...
Any 3.8 64-bit release will do; the final patch version number does not matter
3. Installing a Python virtual environment
Install virtualenvwrapper
pip install virtualenvwrapper-win
Create the virtual environment
mkvirtualenv --python=D:\soft\python386\python.exe xiaojianbang
Configure the virtual environment variable
The WORKON_HOME environment variable specifies the default directory in which virtual environments are saved
Enter the virtual environment
workon xiaojianbang
4. frida version, Android version and Python version
frida version | Android version | Python version
frida 12.3.6  | Android 5-6     | Python 3.7
frida 12.8.0  | Android 7-8     | Python 3.8
frida 14+     | Android 9+      | Python 3.8
5. Installing frida
pip install frida
pip install frida-tools (installing frida-tools automatically installs frida)
When frida is installed inside a virtualenvwrapper virtual environment, a whl package is produced under the following path and can be used later to install that frida version offline. With a venv virtual environment no such whl package was produced.
c:\users\administrator\appdata\local\pip\cache\wheels......
Note: error case
Error when installing frida-tools:
Running setup.py install for frida ... error
ERROR: Command errored out with exit status 1:
command: 'd:\env\py38\scripts\python.exe' -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"'; __file__='"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\ADMINI~1\AppData\Local\Temp\pip-record-4v9sovkz\install-record.txt' --single-version-externally-managed --compile --install-headers 'd:\env\py38\include\site\python3.7\frida'
cwd: C:\Users\ADMINI~1\AppData\Local\Temp\pip-install-ifc0v5x3\frida_3a5e10ced95444dea5aa4d085d415783\
Complete output (15 lines):
running install
running build
running build_py
creating build
creating build\lib.win-amd64-3.7
creating build\lib.win-amd64-3.7\frida
copying frida\core.py -> build\lib.win-amd64-3.7\frida
copying frida\__init__.py -> build\lib.win-amd64-3.7\frida
running build_ext
error: The read operation timed out
looking for prebuilt extension in home directory, i.e. C:\Users\Administrator/frida-15.1.14-py3.7-win-amd64.egg
prebuilt extension not found in home directory, will try downloading it
querying pypi for available prebuilds
downloading prebuilt extension from https://files.pythonhosted.org/packages/ed/7c/7140d954a93ff2a34c061dfaa32808e8fe39ab677f713e00f09a5f388a6a/frida-15.1.14-py3.8-win-amd64.egg
unable to download it within 120 seconds; please download it manually to C:\Users\Administrator/frida-15.1.14-py3.7-win-amd64.egg
----------------------------------------
ERROR: Command errored out with exit status 1: 'd:\env\py38\scripts\python.exe' -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"'; __file__='"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\ADMINI~1\AppData\Local\Temp\pip-record-4v9sovkz\install-record.txt' --single-version-externally-managed --compile --install-headers 'd:\env\py38\include\site\python3.7\frida' Check the logs for full command output.
Solution:
Download the file frida-12.11.17-py3.8-win-amd64.egg from the official site (check the version that matches your own setup; use the exact file name the error's "please download it manually to ..." line asks for)
Official site:
https://pypi.org/project/frida/#files
Save the downloaded file to C:\Users\Administrator
Run the pip install again
6. How to check whether frida was installed successfully
Run frida --version in cmd; if it prints the version number, frida-tools is fine
Run python in cmd, then import frida in the console; if the import succeeds, the frida library is fine
7. Uninstalling frida
pip uninstall frida
pip uninstall frida-tools
8. Offline installation of whl packages
pip install frida-14.2.18-cp38-cp38-win_amd64.whl
pip install frida_tools-9.2.5-py3-none-any.whl
9. Installing a specific frida version
Because one frida-tools version corresponds to several frida versions, the frida version that gets installed automatically is not controllable. Therefore install frida first.
- First install the specified frida version
- Then install the specified frida-tools version
Checking frida-tools versions
https://github.com/frida/frida/releases
https://github.com/frida/frida/releases/tag/12.3.6
10. Configuring frida code completion
npm i @types/frida-gum
11. Configuring frida-server
Check the matching frida version
https://github.com/frida/frida/releases/tag/15.1.14
- Find the matching frida-server
Download the matching xz archive and extract it, then push the extracted file to the Android device.
adb push D:\android_enviro_apk\frida-server-15.1.14-android-x86\frida-server-15.1.14-android-x86 /data/local/tmp
Run adb shell and rename the server (otherwise it cannot be run)
adb shell
cd /data/local/tmp
mv frida-server-15.1.14-android-x86 fs15_1_14
Add execute permission and run it
chmod 777 fs15_1_14
./fs15_1_14
Note: if the following appears, the frida-server version or platform does not match; install the frida-server for the matching platform or version
/system/bin/sh: .fs15_1_14: not found
On the PC, use the frida-ps command to list processes
-U means query the server over the USB interface (the old way is basically no longer used)
frida-ps -U
The result looks like this:
Note:
New frida versions do not need port forwarding; old versions do
Forwarding command
adb forward tcp:27042 tcp:27042
Note:
- The frida-server platform must be chosen correctly
- The frida-server version must match the frida version
Exception:
Running frida-server inside adb shell reports invalid address
sailfish:/data/local/tmp # ./fs15_1_14
Error:
{"type":"error","description":"Error: invalid address","stack":"Error: invalid address\n at Object.value [as patchCode] (frida/runtime/core.js:200:1)\n at qt (frida/node_modules/frida-java-bridge/lib/android.js:994:1)\n at Bt.activate (frida/node_modules/frida-java-bridge/lib/android.js:1047:1)\n at Ht.replace (frida/node_modules/frida-java-bridge/lib/android.js:1094:1)\n at Function.set [as implementation] (frida/node_modules/frida-java-bridge/lib/class-factory.js:1010:1)\n at Function.set [as implementation] (frida/node_modules/frida-java-bridge/lib/class-factory.js:925:1)\n at installLaunchTimeoutRemovalInstrumentation (/internal-agent.js:424:24)\n at init (/internal-agent.js:51:3)\n at c.perform (frida/node_modules/frida-java-bridge/lib/vm.js:11:1)\n at y._performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238:1)","fileName":"frida/runtime/core.js","lineNumber":200,"columnNumber":1}
Solution
Switch the adb shell's SELinux mode from Enforcing to Permissive
Check the current mode
getenforce # Enforcing
Switch from Enforcing to Permissive mode (setenforce 0 turns off SELinux enforcement for the whole device until reboot; setenforce 1 turns it back on)
setenforce 0
getenforce # now shows: Permissive
Run frida-server again; this time it works
sailfish:/data/local/tmp # ./fs15_1_14