记录 Frida hook native(JNI)函数的笔记。整体代码如下:先是注入到目标进程里运行的 JavaScript hook 脚本(hook_native_envircheck.js),然后是在 PC 端负责 spawn/attach 目标应用并加载该脚本的 Python 脚本。
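Java.perform(function () {
  console.log("Inside-java-perform-function");

  var LIB_NAME = "libnativetest.so";
  var JNI_SYMBOL = "Java_com_mc_nativetestlib_NativeLib_stringFromJNI";
  var hooked = false;

  // Wrap a jstring local reference (a raw NativePointer such as the hooked
  // function's return value) as a java.lang.String wrapper. console.log
  // renders the wrapper through Java's toString(), so the caller sees the
  // string contents. The nested Java.perform only makes sure the current
  // thread is attached to the VM before Java.use/Java.cast run.
  function jstring2Str(jstring) {
    var ret;
    Java.perform(function () {
      var JString = Java.use("java.lang.String");
      ret = Java.cast(jstring, JString);
    });
    return ret;
  }

  // Attach to the JNI export if the library is already mapped. Returns true
  // once the hook is in place. Module.findExportByName returns null while the
  // library is not loaded (or if the symbol name is wrong); passing that null
  // straight to Interceptor.attach throws a TypeError that hides the real
  // reason, so the null case is handled explicitly here.
  function installHook() {
    if (hooked) {
      return true;
    }
    var target = Module.findExportByName(LIB_NAME, JNI_SYMBOL);
    if (target === null) {
      return false;
    }
    console.log("hooking " + JNI_SYMBOL + " at " + target);
    Interceptor.attach(target, {
      onEnter: function (args) {
        // JNI calling convention: args[0] is JNIEnv*, args[1] the
        // jclass/jobject; neither is needed for this hook.
        console.log("stringFromJNI onEnter...");
      },
      onLeave: function (retval) {
        console.log("stringFromJNI onLeave...");
        // step1: read the original return value (a jstring local reference)
        console.log("stringFromJNI 函数返回old值:", jstring2Str(retval));
        // step2: replace it with a fresh jstring created through the same
        // JNIEnv; the Java caller receives this reference instead of the
        // original one. newStringUtf already returns a NativePointer, so no
        // ptr() conversion is needed.
        var env = Java.vm.getEnv();
        var jstringa = env.newStringUtf("new hello");
        retval.replace(jstringa);
      }
    });
    hooked = true;
    return true;
  }

  if (installHook()) {
    return;
  }

  // The library is not loaded yet. This is the normal case when the script is
  // loaded before the spawned app is resumed, and it is also why a JNI call
  // made during Activity initialisation could not be hooked: by the time the
  // export resolves, the call has already happened. On Android,
  // System.loadLibrary ends up in android_dlopen_ext, so hook that and install
  // the JNI hook as soon as the matching library has been opened — before the
  // Java side can call into it.
  var dlopenExt = Module.findExportByName(null, "android_dlopen_ext");
  if (dlopenExt === null) {
    console.log("[!] " + LIB_NAME + " not loaded and android_dlopen_ext not found; cannot install hook");
    return;
  }
  console.log(LIB_NAME + " not loaded yet, waiting for android_dlopen_ext");
  Interceptor.attach(dlopenExt, {
    onEnter: function (args) {
      // First argument is the path of the library being opened; keep it for
      // onLeave, when the library is actually mapped.
      this.path = args[0].isNull() ? "" : args[0].readCString();
    },
    onLeave: function (retval) {
      if (hooked || this.path.indexOf(LIB_NAME) === -1) {
        return;
      }
      if (!installHook()) {
        console.log("[!] " + LIB_NAME + " opened but " + JNI_SYMBOL + " not found; check the symbol name");
      }
    }
  });
});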
import subprocess
import sys
import time
import frida
from pip._vendor.distlib.compat import raw_input
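def cmd(cmd):
    """Run a shell command string and return the ``subprocess.CompletedProcess``.

    Intended only for fixed, hard-coded commands (here: starting frida-server
    through ``adb shell su``). ``shell=True`` hands the string to the shell,
    so never build the argument from untrusted input.

    The exit status is deliberately not turned into an exception (a failed
    background start should not abort the whole session), but it is no longer
    discarded either: callers can inspect ``.returncode`` on the return value.
    """
    return subprocess.run(cmd, shell=True)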
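def my_message_handler(message, payload):
    """Handle messages posted by the Frida script (``script.on("message", ...)``).

    Frida delivers a dict: ``{'type': 'send', 'payload': ...}`` for ``send()``
    calls from JavaScript, and ``{'type': 'error', 'description': ...,
    'stack': ...}`` when the script throws. Script errors are printed
    explicitly, because a hook script that failed to install (for example an
    export that could not be resolved) otherwise looks exactly like a hook
    that simply never fired. Anything else is printed as-is.
    """
    if isinstance(message, dict) and message.get("type") == "error":
        print("[!] script error:", message.get("description"))
        if message.get("stack"):
            print(message["stack"])
        return
    print(message)
    print(payload)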
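if __name__ == '__main__':
    # Start frida-server on the device first. Its version has to match the
    # frida Python package on the host (the note at the end of this page says
    # 16.1.0, while this path still names 15.2.2 — adjust before enabling).
    # cmd('adb shell "su -c /data/local/tmp/frida-server-15.2.2-android-arm64 &"')
    pkg = "com.mc.envircheck"
    device = frida.get_usb_device()

    # Spawn the app suspended, install the hook, and only then resume it.
    # Resuming before the script is loaded leaves a window in which code that
    # runs at process start (e.g. a JNI call made while the Activity is being
    # initialised) executes before the Interceptor is in place, so the hook
    # never fires. With this order the hook script must cope with
    # libnativetest.so not being mapped yet when it runs (resolve the export
    # lazily, e.g. from a dlopen hook), otherwise findExportByName returns
    # null at load time.
    pid = device.spawn(pkg)
    print("pid-->" + str(pid))
    session = device.attach(pid)
    print("attach")

    with open('./hook_native_envircheck.js', 'r', encoding='utf-8') as file:
        script_code = file.read()
    script = session.create_script(script_code)
    # Registered before load() so errors raised while the script initialises
    # are reported instead of silently lost.
    script.on("message", my_message_handler)
    script.load()

    device.resume(pid)
    print("resume")

    # Keep the host process alive so the injected script keeps running;
    # press Enter to exit. input() is the Python 3 builtin — there is no need
    # for pip's vendored raw_input.
    input()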
注意:最开始写 demo 的时候一直 hook 不到,因为我在 Activity 页面初始化的时候就调用了 so 里面的方法;后来发现加一个按钮、点击按钮后再调用 so 里的方法就能 hook 到了。原因是上面的 Python 脚本先 device.resume(pid) 再 attach 并加载 hook 脚本:进程一恢复,Activity 初始化里的 JNI 调用就已经执行完了,hook 装上时为时已晚;按钮只是把调用推迟到了 hook 之后,并没有消除这个竞争。正确的做法是先 attach、create_script、load,最后再 resume;同时 hook 脚本要能处理 libnativetest.so 尚未加载的情况(此时 Module.findExportByName 返回 null,直接传给 Interceptor.attach 会抛异常),例如在 android_dlopen_ext 打开该 so 之后再安装 hook。
当前使用的 frida 版本是 16.1.0。注意手机端的 frida-server 版本必须与 PC 端 frida Python 包一致(上面注释掉的启动命令里写的是 frida-server-15.2.2,版本不一致时一般无法正常连接,需要换成对应版本的 frida-server)。