1. What hooking can be used for

  • to find out whether the app passes through a function we suspect when it performs some action
  • to change the runtime logic of the hooked function
  • to capture, while the app runs, the concrete arguments passed to the hooked function and its return value
  • to actively call chosen functions inside the app
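The four uses above in one working host script, as an added example that is not part of the original page or of the course it describes. It assumes a hypothetical app com.example.app with a static method String sign(String) on the class com.example.app.Crypto; replace both with your real target. The embedded agent hooks sign() to report that it was reached, logs its argument, return value and Java call stack, forges the result for one chosen input, and exposes an RPC export so the PC can call sign() on demand.

```python
"""Host script (PC side) that loads a Frida agent into an Android app.
Added example, not from the page or the course it describes. The package
com.example.app and the method com.example.app.Crypto.sign(String) are
hypothetical placeholders; replace them with the real target."""
import sys

# Runs inside the app process in Frida's JavaScript runtime.
AGENT = r"""
'use strict';
var CLASS = 'com.example.app.Crypto';   // hypothetical target class

Java.perform(function () {
    var Crypto = Java.use(CLASS);
    var Log = Java.use('android.util.Log');
    var Throwable = Java.use('java.lang.Throwable');

    // Uses 1-3: see whether sign() is reached, capture its argument and
    // return value (plus the Java call stack), and change what it returns.
    Crypto.sign.overload('java.lang.String').implementation = function (input) {
        var ret = this.sign(input);                 // run the original first
        send({
            event: 'call',
            method: 'Crypto.sign',
            args: [String(input)],
            ret: String(ret),
            stack: Log.getStackTraceString(Throwable.$new())
        });
        return input === 'tamper-me' ? 'forged-signature' : ret;
    };
});

// Use 4: let the PC actively call the app's own sign() through RPC.
rpc.exports = {
    sign: function (input) {
        var result = null;
        Java.perform(function () { result = Java.use(CLASS).sign(input); });
        return result === null ? null : String(result);
    }
};
"""

APP_PREFIX = 'com.example.app'          # hypothetical package name
HOOKED = APP_PREFIX + '.Crypto.sign'


def caller_frame(stack, app_prefix=APP_PREFIX, hooked=HOOKED):
    """First frame of the Java stack that is in the app but is not the hooked
    method itself, i.e. who called it. Returns None if there is none."""
    for frame in stack.splitlines():
        frame = frame.strip()
        if frame.startswith('at ' + app_prefix) and not frame.startswith('at ' + hooked):
            return frame[3:]
    return None


def format_event(payload):
    """One log line per event the agent send()s; pure, so it is testable."""
    if payload.get('event') != 'call':
        return 'agent event: %r' % (payload,)
    args = ', '.join(repr(a) for a in payload.get('args', []))
    line = '%s(%s) -> %r' % (payload['method'], args, payload.get('ret'))
    caller = caller_frame(payload.get('stack', ''))
    return line + ('  [called from %s]' % caller if caller else '')


def handle_message(message, data):
    """script.on('message') callback; returns the line it printed."""
    if message['type'] == 'send':
        line = format_event(message['payload'])
    else:                                  # 'error': exception inside the agent
        line = 'agent error: %s' % message.get('description', message)
    print(line)
    return line


def main(package=APP_PREFIX):
    import frida                           # lazy, so the helpers above work without a device
    device = frida.get_usb_device(timeout=5)
    session = device.attach(package)       # app already running; use spawn()/resume() for startup hooks
    script = session.create_script(AGENT)
    script.on('message', handle_message)
    script.load()
    print('sign("hello") =', script.exports.sign('hello'))   # use 4: active call from the PC
    print('hooks installed, Ctrl-C to detach')
    sys.stdin.read()


if __name__ == '__main__':
    main(sys.argv[1] if len(sys.argv) > 1 else APP_PREFIX)
```

Run it with the app already in the foreground and frida-server running on the device (section 11). The RPC call goes through the same hook as the app's own calls, so it is logged too. If you spawn the app instead of attaching, call the export only after the app has loaded the class, otherwise Java.use throws a ClassNotFoundException that arrives as an 'error' message.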

2. Downloading and installing Python 3.8 64-bit

https://www.python.org/downlo...
Any 64-bit 3.8.x release will do; the patch version does not matter.

3. Setting up a Python virtual environment

Install virtualenvwrapper

pip install virtualenvwrapper-win

Create the virtual environment

mkvirtualenv --python=D:\soft\python386\python.exe xiaojianbang

Configure the virtual environment variable

WORKON_HOME: this environment variable sets the default directory in which virtual environments are stored

Enter the virtual environment

workon xiaojianbang

4. frida version, Android version and Python version

frida version    Android version    Python version
frida 12.3.6     Android 5-6        Python 3.7
frida 12.8.0     Android 7-8        Python 3.8
frida 14+        Android 9+         Python 3.8

5. Installing frida

pip install frida
pip install frida-tools   (installing frida-tools pulls in frida automatically)

When frida is installed inside a virtualenvwrapper environment, a whl package appears under the path below; keep it for a later offline install of that same frida version. With a venv virtual environment this whl package was not produced.

c:\users\administrator\appdata\local\pip\cache\wheels......

Note: failure case
Installing frida-tools fails with:

Running setup.py install for frida ... error
    ERROR: Command errored out with exit status 1:
     command: 'd:\env\py38\scripts\python.exe' -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"'; __file__='"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\ADMINI~1\AppData\Local\Temp\pip-record-4v9sovkz\install-record.txt' --single-version-externally-managed --compile --install-headers 'd:\env\py38\include\site\python3.7\frida'
         cwd: C:\Users\ADMINI~1\AppData\Local\Temp\pip-install-ifc0v5x3\frida_3a5e10ced95444dea5aa4d085d415783\
    Complete output (15 lines):
    running install
    running build
    running build_py
    creating build
    creating build\lib.win-amd64-3.7
    creating build\lib.win-amd64-3.7\frida
    copying frida\core.py -> build\lib.win-amd64-3.7\frida
    copying frida\__init__.py -> build\lib.win-amd64-3.7\frida
    running build_ext
    error: The read operation timed out
    looking for prebuilt extension in home directory, i.e. C:\Users\Administrator/frida-15.1.14-py3.7-win-amd64.egg
    prebuilt extension not found in home directory, will try downloading it
    querying pypi for available prebuilds
    downloading prebuilt extension from https://files.pythonhosted.org/packages/ed/7c/7140d954a93ff2a34c061dfaa32808e8fe39ab677f713e00f09a5f388a6a/frida-15.1.14-py3.8-win-amd64.egg
    unable to download it within 120 seconds; please download it manually to C:\Users\Administrator/frida-15.1.14-py3.7-win-amd64.egg
    ----------------------------------------
ERROR: Command errored out with exit status 1: 'd:\env\py38\scripts\python.exe' -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"'; __file__='"'"'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\pip-install-ifc0v5x3\\frida_3a5e10ced95444dea5aa4d085d415783\\setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\ADMINI~1\AppData\Local\Temp\pip-record-4v9sovkz\install-record.txt' --single-version-externally-managed --compile --install-headers 'd:\env\py38\include\site\python3.7\frida' Check the logs for full command output.

Fix:
The build step tries to download a prebuilt egg and gives up after 120 seconds, so download it yourself from the official site, e.g. frida-12.11.17-py3.8-win-amd64.egg (pick the file matching your own frida and Python versions). The log names the exact file it wants after "please download it manually to"; in the log above that is frida-15.1.14-py3.7-win-amd64.egg, because the interpreter in d:\env\py38 is really Python 3.7 (see build\lib.win-amd64-3.7 in the output), so the egg has to match the interpreter's minor version, not the environment's name.
Official site:

https://pypi.org/project/frida/#files

Save the downloaded file, under exactly the name the log asks for, in C:\Users\Administrator

Re-run the pip install

6. How to check that frida installed correctly

Run frida --version in cmd; if it prints a version number, frida-tools is fine
Run python in cmd and then import frida in the console; if the import succeeds, the frida library is fine

7. Uninstalling frida

pip uninstall frida
pip uninstall frida-tools

8. Offline installation from whl packages

pip install frida-14.2.18-cp38-cp38-win_amd64.whl
pip install frida_tools-9.2.5-py3-none-any.whl

9. Installing a specific frida version

Because one frida-tools version corresponds to several frida versions, the frida version that gets pulled in automatically is not under your control. So install frida first.

  • first install the required frida version
  • then install the matching frida-tools version

Looking up which frida-tools version matches

https://github.com/frida/frida/releases
https://github.com/frida/frida/releases/tag/12.3.6

10. Setting up frida code completion

npm i @types/frida-gum

11. Setting up frida-server

    1. Look up the matching frida version

       https://github.com/frida/frida/releases/tag/15.1.14
    2. Find the frida-server for that version and for the CPU architecture of your device (android-arm, android-arm64, android-x86 or android-x86_64)
    3. Download the matching xz archive and extract it, then push the extracted file to the Android device (the device path uses forward slashes):

       adb push D:\android_enviro_apk\frida-server-15.1.14-android-x86\frida-server-15.1.14-android-x86 /data/local/tmp
    4. Run adb shell and rename the server (a short name is easier to type and hides the telltale frida-server process name from naive checks)

       adb shell
       cd  /data/local/tmp
       mv  frida-server-15.1.14-android-x86  fs15_1_14
    5. Make it executable and run it (755 is enough; 777 also works but grants more than needed)

       chmod 755 fs15_1_14
       ./fs15_1_14

       Note: if you get the following, the frida-server version or platform does not match; install the frida-server for the right platform and version

       /system/bin/sh: ./fs15_1_14: not found
    6. On the PC, list the device's processes with frida-ps
       -U means talk to the server over USB; this is the normal way now, and the older port-forwarding approach is basically no longer needed

       frida-ps -U
    7. Remark:
       Newer frida versions do not need port forwarding; older versions do

Forwarding command

adb forward tcp:27042 tcp:27042

Note:

  • pick the right platform for frida-server
  • the frida-server version must match the frida version on the PC

Failure case:

  • Running frida-server in adb shell fails with invalid address

    sailfish:/data/local/tmp # ./fs15_1_14

    Error:

    {"type":"error","description":"Error: invalid address","stack":"Error: invalid address\n    at Object.value [as patchCode] (frida/runtime/core.js:200:1)\n    at qt (frida/node_modules/frida-java-bridge/lib/android.js:994:1)\n    at Bt.activate (frida/node_modules/frida-java-bridge/lib/android.js:1047:1)\n    at Ht.replace (frida/node_modules/frida-java-bridge/lib/android.js:1094:1)\n    at Function.set [as implementation] (frida/node_modules/frida-java-bridge/lib/class-factory.js:1010:1)\n    at Function.set [as implementation] (frida/node_modules/frida-java-bridge/lib/class-factory.js:925:1)\n    at installLaunchTimeoutRemovalInstrumentation (/internal-agent.js:424:24)\n    at init (/internal-agent.js:51:3)\n    at c.perform (frida/node_modules/frida-java-bridge/lib/vm.js:11:1)\n    at y._performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238:1)","fileName":"frida/runtime/core.js","lineNumber":200,"columnNumber":1}
  • Fix

    Switch SELinux from Enforcing to Permissive mode (this is the device's SELinux mode, not a mode of adb shell itself; it needs root and is reset on reboot)

    Check the current mode

    getenforce
    # Enforcing

    Switch from Enforcing to Permissive

    setenforce 0
    getenforce
    # now prints:
    # Permissive

    Run frida-server again; it now starts normally

    sailfish:/data/local/tmp # ./fs15_1_14
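The whole frida-server procedure of section 11, including the two notes (right platform, matching version) and the SELinux fix above, as one added script. This is example code, not from the page. It assumes adb is on PATH, the device is rooted and allows adb root (otherwise wrap the shell commands in su -c), and that the GitHub release assets follow the frida-server-<version>-android-<arch>.xz naming. The architecture is taken from the device's ro.product.cpu.abi property instead of being guessed, the server is downloaded for exactly the frida version installed on the PC, and the two versions are compared before the server is started.

```python
"""Push a frida-server that matches both the device ABI and the PC's frida
version, start it, and verify it with the frida-ps equivalent. Added example,
not from the page. Assumptions: adb is on PATH, the device is rooted and
`adb root` works (otherwise wrap the shell commands in `su -c`), and GitHub
release assets are named frida-server-<version>-android-<arch>.xz."""
import lzma
import os
import subprocess
import sys
import time
import urllib.request

REMOTE_DIR = '/data/local/tmp'

# ro.product.cpu.abi -> arch suffix used in frida-server asset names
ABI_TO_ARCH = {
    'arm64-v8a': 'arm64',
    'armeabi-v7a': 'arm',
    'armeabi': 'arm',
    'x86_64': 'x86_64',
    'x86': 'x86',
}


def abi_to_arch(abi):
    """A wrong build dies with '/system/bin/sh: ./frida-server: not found',
    so refuse unknown ABIs instead of guessing."""
    try:
        return ABI_TO_ARCH[abi.strip()]
    except KeyError:
        raise ValueError('no frida-server build for ABI %r' % abi)


def server_name(version, abi):
    return 'frida-server-%s-android-%s' % (version, abi_to_arch(abi))


def server_url(version, abi):
    return 'https://github.com/frida/frida/releases/download/%s/%s.xz' % (
        version, server_name(version, abi))


def versions_match(client_version, server_version):
    """frida on the PC and frida-server on the device must be the same release."""
    return client_version.strip() == server_version.strip()


def adb(*args, check=True):
    r = subprocess.run(['adb', *args], capture_output=True, text=True, check=check)
    return r.stdout.strip()


def main():
    import frida
    version = frida.__version__                      # what `pip install frida` gave us
    abi = adb('shell', 'getprop', 'ro.product.cpu.abi')
    name = server_name(version, abi)
    remote = REMOTE_DIR + '/' + name

    if not os.path.exists(name):                     # fetch and un-xz the release asset
        with urllib.request.urlopen(server_url(version, abi)) as resp:
            with open(name, 'wb') as f:
                f.write(lzma.decompress(resp.read()))

    adb('root', check=False)                         # fails harmlessly on production builds
    adb('wait-for-device')
    adb('push', name, remote)
    adb('shell', 'chmod', '755', remote)             # 755 is enough; 777 is not needed

    # The page's 'Error: invalid address' went away with SELinux in Permissive mode.
    if adb('shell', 'getenforce') == 'Enforcing':
        adb('shell', 'setenforce', '0')              # not persistent across reboots

    on_device = adb('shell', remote, '--version')
    if not versions_match(version, on_device):
        sys.exit('frida %s on the PC but frida-server %r on the device' % (version, on_device))

    server = subprocess.Popen(['adb', 'shell', remote])   # keep it running in the background
    time.sleep(2)
    procs = frida.get_usb_device(timeout=5).enumerate_processes()  # what frida-ps -U shows
    print('%d processes visible through frida-server %s' % (len(procs), version))
    print('adb shell pid %d keeps the server alive (Ctrl-C to stop)' % server.pid)
    server.wait()


if __name__ == '__main__':
    main()
```

The version check uses frida-server's own --version output rather than trusting the file name, so a stale binary left in /data/local/tmp from an earlier install is caught before the confusing connection errors appear on the PC side.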
03-05 20:30