主要內(nèi)容:

frida-inject工具使用及說明

內(nèi)置frida-inject工具到手機(jī)系統(tǒng)

1.frida-inject工具介紹

frida-inject是frida中提供的可以直接放到手機(jī)端執(zhí)行注入js腳本到App程序進(jìn)行hook的工具。也就是說使用frida-inject命令可以脫離PC端執(zhí)行注入了。

平時(shí)我們用frida進(jìn)行App注入的時(shí)候，多半都是PC端安裝frida工具，然后把frida-server放到手機(jī)端。手機(jī)端啟動(dòng)frida-server開啟端口監(jiān)聽，PC端的frida工具通過端口連接到frida-server然后相應(yīng)的命令去讓frida-server執(zhí)行相應(yīng)的操作。

2.frida-inject工具使用介紹

2.1 查看frida-inject命令說明

將frida-inject工具下載以后通過adb push命令放到手機(jī),比如放到路徑"/data/local/tmp/frida-inject"，以下是adb push執(zhí)行參考:

C:UsersQiang>adbpushE:workspace素材frida-inject-14.2.14-android-arm64/data/local/tmp/frida-inject
E:workspace.lepushed,0skipped.37.7MB/s(41616776bytesin1.052s)

C:UsersQiang>adbshellchmod777/data/local/tmp/frida-inject

C:UsersQiang>

可以執(zhí)行如下命令查看當(dāng)前frida-inject命令的幫助說明:

C:UsersQiang>adbshell
OnePlus3:/#cd/data/local/tmp
OnePlus3:/data/local/tmp#ls
d4484278-8615-41b0-9223-d849429bf888frida-injecttest.js
OnePlus3:/data/local/tmp#./frida-inject-h
Usage:
frida[OPTION?]

HelpOptions:
-h,--helpShowhelpoptions

ApplicationOptions:
-D,--device=IDconnecttodevicewiththegivenID
-f,--file=FILEspawnFILE
-p,--pid=PIDattachtoPID
-n,--name=NAMEattachtoNAME
-r,--realm=REALMattachinREALM
-s,--script=JAVASCRIPT_FILENAME
-R,--runtime=qjs|v8Scriptruntimetouse
-P,--parameters=PARAMETERS_JSONParametersasJSON,sameasGadget
-e,--eternalizeEternalizescriptandexit
-i,--interactiveInteractwithscriptthroughstdin
--developmentEnabledevelopmentmode
--versionOutputversioninformationandexit

OnePlus3:/data/local/tmp#

以下是使用frida-inject命令執(zhí)行App注入的簡(jiǎn)單測(cè)試，參考命令如下:

C:UsersQiang>adbshell
OnePlus3:/#cd/data/local/tmp
OnePlus3:/data/local/tmp#ls
OnePlus3:/data/local/tmp#./frida-inject-fcom.android.jnidemo01-s/data/local/tmp/test.js-e<
OnePlus3:/data/local/tmp?#

以上執(zhí)行的test.js腳本內(nèi)容如下，一個(gè)比較簡(jiǎn)單的打印HelloWorld代碼。

functionLog(info){
Java.perform(function(){
varLogCls=Java.use("android.util.Log");
LogCls.d("HelloWorld",info);
})
}
functionmain(){
Log("hellofrida-inject!");
Log("goodbyefrida-inject!");
}
setImmediate(main);

3.frida-inject下載

根據(jù)自己手機(jī)系統(tǒng)平臺(tái)選擇下載相應(yīng)的版本,下載地址:

https://github.com/frida/frida/releases

比如本篇中下載版本"frida-inject-14.2.14-android-arm64"。

4.內(nèi)置frida-inject到系統(tǒng)操作

4.1 創(chuàng)建模塊目錄myfridainject

在源碼根目錄創(chuàng)建模塊存儲(chǔ)目錄"frameworks/base/cmds/mycmds/fridainject"。參考如下:

qiang@ubuntu:~/lineageOs$mkdir-pframeworks/base/cmds/mycmds/fridainject
qiang@ubuntu:~/lineageOs$

4.2 創(chuàng)建模塊myfridainjectarm64

(1).將下載好的frida-inject程序拷貝到"myfridainject"目錄,并重命名為"myfridainjectarm64"，如下所示:

qiang@ubuntu:~/lineageOs/frameworks/base/cmds/mycmds/fridainject$ls-lamyfridainjectarm64
-rwxrw-rw-1qiangqiang416167764月318:54myfridainjectarm64
qiang@ubuntu:~/lineageOs/frameworks/base/cmds/mycmds/fridainject$
qiang@ubuntu:~/lineageOs/frameworks/base/cmds/mycmds/fridainject$

(2).在myfridainject目錄下面同時(shí)創(chuàng)建模塊配置文件Android.mk,并添加如下模塊配置內(nèi)容:

#///ADDSTART
#///ADDEND
LOCAL_PATH:=$(callmy-dir)
include$(CLEAR_VARS)
LOCAL_MODULE:=myfridainjectarm64
LOCAL_MODULE_CLASS:=EXECUTABLES
LOCAL_SRC_FILES:=myfridainjectarm64
include$(BUILD_PREBUILT)

4.3 添加模塊myfridainjectarm64到源碼編譯鏈中

以上創(chuàng)建模塊myfridainjectarm64之后如果直接編譯手機(jī)刷機(jī)鏡像是不會(huì)被編譯到手機(jī)系統(tǒng)里面去的。需要將模塊"myfridainjectarm64"加入到源碼模塊編譯鏈中才行。
安卓系統(tǒng)中添加模塊到編譯鏈需要在文件"buildmake argetproductase_system.mk"中將模塊追加進(jìn)去。添加myfridainjectarm64模塊之后的參考:

#///ADDSTART
#addfridaservertosystem
#kernellogdxkernellogdgettopactivity
#///ADDEND

#Basemodulesandsettingsforthesystempartition.
PRODUCT_PACKAGES+=
myfridainjectarm64
kernellogdx
...

5.編譯系統(tǒng)

執(zhí)行如下命令編譯手機(jī)刷機(jī)鏡像:

qiang@ubuntu:~/lineageOs$sourcebuild/envsetup.sh
qiang@ubuntu:~/lineageOs$breakfastoneplus3
qiang@ubuntu:~/lineageOs$brunchoneplus3

6.驗(yàn)證測(cè)試

執(zhí)行如下命令測(cè)試是否內(nèi)置成功(ubuntu下執(zhí)行的命令):

qiang@ubuntu:~/lineageOs$adbshell
OnePlus3:/#myfridainjectarm64--version
14.2.14
OnePlus3:/#

審核編輯：湯梓紅