转载至于https://koz.io/using-frida-on-android-without-root/

Frida is a great toolkit by @oleavr, used to build tools for dynamic instrumentation of apps in userspace. It is often used, like Substrate, Xposed and similar frameworks, during security reviews of mobile applications.

Typically rooted Android devices are used during such reviews. There are several reasons for this, but the most important is that the frida-server binary, which executes on the device, requires root privileges to attach to (ptrace) the target application, in order to inject the Frida gadget library into the memory space of the process.

However, testing on a rooted device is not the only way! I am not sure why this technique is not more widely publicized, but Frida can also be used on non-rooted Android devices and non-jailbroken iPhones, without running frida-server at all. In this post I will focus on Android, however things are pretty similar on iOS - frida can also be used on jailed Apple devices.

A few advantages of using Frida on a non-rooted device:

  • Enables testing on devices you cannot or do not want to root (obviously).
  • Avoids some sideeffects due to application checks for ptracing/debugging or checks for tampered environment.

However:

  • This technique will trigger checks against repackaging (unless those are separately bypassed).

Adding frida-gadget to an Android application

The technique is simple, it can be described in short as “adding a shared library & repackaging the Android application”. Here it is, step by step:

  1. Get the the APK binary of te application you want to test, e.g. myapp.apk.

  2. Use apktool to decode the APK into it’s contents. Preferably its latest version.

    $ apktool d myapp.apk -o extractedFolder

  3. Add the frida native libraries (frida-gadget) into the APK’s /lib folder. The gadget libraries for each architecture can be found in Frida’s release page. Make sure to add the libraries for the correct architecture in a suitable folder under /lib, e.g. /lib/armeabi for 32bit ARM devices.

    $ apktool --version
    
2.2.2

$ apktool d -o out_dir original.apk
    
I: Using Apktool 2.2.2 on original.apk
    
I: Loading resource table...
    
I: Decoding AndroidManifest.xml with resources...
    
I: Loading resource table from file: ~/.local/share/apktool/framework/1.apk
    
I: Regular manifest package...
    
I: Decoding file-resources...
    
I: Decoding values XMLs...
    
I: Baksmaling classes.dex...
    
I: Copying assets and libs...
    
I: Copying unknown files...
    
I: Copying original files...

# download frida gadget - for 32bit ARM in this case
    
$ wget https://github.com/frida/frida/releases/download/9.1.26/frida-gadget-9.1.26-android-arm.so.xz
    
2017-04-11 10:48:45 (3.29 MB/s) - ‘frida-gadget-9.1.26-android-arm.so.xz’ saved [3680748/3680748]

# extract the compressed archive
    
$ unxz frida-gadget-9.1.26-android-arm.so.xz

$ ls
    
frida-gadget-9.1.26-android-arm.so

# copy frida gadget library in armeabi directory under lib
    
$ cp frida_libs/armeabi/frida-gadget-9.1.26-android-arm.so out_dir/lib/armeabi/libfrida-gadget.so

  4. Inject a System.loadLibrary("frida-gadget") call into the bytecode of the app, ideally before any other bytecode executes or any native code is loaded. A suitable place is typically the static initializer of the entry point classes of the app, e.g. the main application Activity, found via the manifest.

    An easy way to do this is to add the following smali code in a suitable function:

    const-string v0, "frida-gadget"
    
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

    Alternatively someone could create a script that injects the library into the process via ptrace; but this script would need to be packaged with the application (just like gdbserver).

  5. Add the Internet permission to the manifest if it’s not there already, so that Frida gadget can open a socket.

    <uses-permission android:name="android.permission.INTERNET" />

  6. Repackage the application:

    $ apktool b -o repackaged.apk out_dir/
    
I: Using Apktool 2.2.2
    
I: Checking whether sources has changed...
    
I: Smaling smali folder into classes.dex...
    
I: Checking whether resources has changed...
    
I: Building resources...
    
I: Copying libs... (/lib)
    
I: Building apk file...
    
I: Copying unknown files/dir...

  7. Sign the updated APK using your own keys and zipalign.

    # if you dont have a keystore already, here's how to create one
    
$ keytool -genkey -v -keystore custom.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000

# sign the APK
    
$ jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore mycustom.keystore -storepass mystorepass repackaged.apk mykeyaliasname

# verify the signature you just created
    
$ jarsigner -verify repackaged.apk

# zipalign the APK
    
$ zipalign 4 repackaged.apk repackaged-final.apk

  8. Install the updated APK to a device.

If this process seems complicated, the good news is that it can be automated. As part of the appmon hooking framework (based on Frida) @dpnishant released apk_builder, a script automating most of the above steps!

Using frida gadget

When you next start the application you are going to see an empty screen: The injected libfrida-gadget.solibrary has opened a tcp socket and waits for a connection from frida.

You should see a message similar to the following in logcat:

Frida: Listening on TCP port 27042

Running nestat on the device confirms the listening socket:

shell@flo:/ $ netstat -ln

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

tcp        0      0 127.0.0.1:27042         0.0.0.0:*

As you might expect, the next step is connecting to the listening socket: Most frida tools work as expected although there are a few issues that can be handled better, e.g. connecting to the library after initialization, not just during loading.

There is just one thing to keep in mind: The process name you are going to use in Frida tooling should be “Gadget” instead of the normal package name.

$ frida-ps -U

Waiting for USB device to appear...

  PID  Name

-----  ------

16071  Gadget

Examples!

$ frida -U Gadget

     ____

    / _  |   Frida 9.1.26 - A world-class dynamic instrumentation framework

   | (_| |

    > _  |   Commands:

   /_/ |_|       help      -> Displays the help system

   . . . .       object?   -> Display information about 'object'

   . . . .       exit/quit -> Exit

   . . . .

   . . . .   More info at http://www.frida.re/docs/home/

Waiting for USB device to appear...

[USB::Samsung SM-G925F::Gadget]-> Java.available

true

[USB::Samsung SM-G925F::Gadget]->

$ frida-trace -U -i open Gadget

Instrumenting functions...

open: Auto-generated handler at "/tmp/test/__handlers__/libc.so/open.js"

Started tracing 1 function. Press Ctrl+C to stop.

           /* TID 0x2df7 */

  4870 ms  open(pathname=0xa280b100, flags=0x241)

  4873 ms  open(pathname=0xb6d69df3, flags=0x2)

           /* TID 0x33d2 */

115198 ms  open(pathname=0xb6d69df3, flags=0x2)

115227 ms  open(pathname=0xb6d69df3, flags=0x2)

Enjoy!

hook框架frida添加至于安卓应用中的更多相关文章

  1. hook框架frida的安装以及简单实用案例

    1.下载地址 https://github.co/frida/frida/releases 2.另外两种安装方法 1.Install from prebuilt binaries This is th ...

  2. hook框架-frida使用-环境配置

    一.python安装模块 pip3 install frida pip3 install frida-tools 二.下载frida-server #下载链接 https://github.com/f ...

  3. hook框架-frida使用-APP在模拟器无法打开,用钩子去除限制

    app拿soul为例子 一.环境配置 #模拟器的frida服务为86 #frida-server-12.9.8-android-x86 adb push frida-server-12.9.8-and ...

  4. hook框架-frida简单使用模板以及frida相关接口

    一目录结构 ├── test.py #py脚本 └── test.js #js脚本 一.py脚本 test.py import frida import sys #连接设备app dev=frida. ...

  5. Android Hook框架adbi的分析(1)---注入工具hijack

    本文博客地址:http://blog.csdn.net/qq1084283172/article/details/74055505 一.Android Hook框架adbi的基本介绍 adbi是And ...

  6. Android 安全研究 hook 神器frida学习(一)

    在进行安卓安全研究时,hook技术是不可或缺的,常用的有Xposed:Java层的HOOK框架,由于要修改Zgote进程,需要Root,体验过Xposed,整个过程还是很繁琐的,并且无法hook,na ...

  7. 【转】Android Hook框架Xposed详解

    1 Introduction 1.1  概述 Xposed 是 GitHUB 上 rovo89 大大设计的一个针对 Android 平台的动态劫持项目,通过替换 /system/bin/app_pro ...

  8. Android中免root的hook框架Legend原理解析

    一.前言 Android中hook框架已经非常多了,最优秀的当属Xposed和Substrate了,这两个框架我在之前的文章都详细介绍过了,不了解的同学,可以转战这里:http://www.wjdia ...

  9. Android Hook框架Xposed详解

    1 Introduction 1.1  概述 Xposed 是 GitHUB 上 rovo89 大大设计的一个针对 Android 平台的动态劫持项目,通过替换 /system/bin/app_pro ...

随机推荐

  1. 01初步启动Hadoop服务

    1.rz命令将hadoop压缩包上传至Linux服务器中 2.tar -zxvf hadoop-2.7.7.tar.gz(解压即可用) 3.将解压出来的hadoop移到想要放的位置 mv hadoop ...

  2. 将一行很长的js代码格式化输出方便查看

    之前的一行js代码,有2万多字符,打开这个网址,粘贴到左边空白框,点下面格式化: 参考下面文章: 数千行的js代码变成了一行,如何复原,该换行的换行,该对齐的对齐_开发工具_小邯韩的博客-CSDN博客 ...

  3. Python之json库

    JSON简介 JSON (JavaScript Object Notation) 是一种用于表示结构化数据的流行数据格式. 常用于服务器和Web应用程序之间传输和接收数据. 在Python中,JSON ...

  4. Redis实战(20)Redis 如何从海量数据中查询出某一个 Key?

    序言 资料 https://www.cnblogs.com/vipstone/p/12373734.html

  5. 第3节 Scala中的模式匹配:1 - 5

    7.    模式匹配和样例类 Scala有一个十分强大的模式匹配机制,可以应用到很多场合:如switch语句.类型检查等.并且Scala还提供了样例类,对模式匹配进行了优化,可以快速进行匹配. 7.1 ...

  6. JavaWeb项目http请求报错:Error parsing HTTP request header

    详细报错信息如下图: 原因:一一排查后,发现是http的请求中,包含了  “ | ” 竖线特殊符号:而并不是网上说的请求url太长了的原因. 解决方法:把 | 替换为  @

  7. Linux centos7 linux任务计划cron、chkconfig工具、systemd管理服务、unit介绍、 target介绍

    一.linux任务计划cron crontab -u  -e -l -r 格式;分 时 日 月 周 user command 文件/var/spool/corn/username 分范围0-59,时范 ...

  8. PHP+Mysql实现网站顶和踩投票功能实例

    PHP+Mysql实现网站顶和踩投票功能实例,通过记录用户IP,判断用户的投票行为是否有效,该实例也可以扩展到投票系统中. 首先我们在页面上放置“顶”和“踩”的按钮,即#dig_up和#dig_dow ...

  9. django 模版内置的过滤器

    一.add 将传进来的参数添加到原来的值上面.这个过滤器会尝试将“值”和“参数”转换成整形然后进行相加.如果转换成整形过程中失败了,那么将会将“值”和“参数”进行拼接.如果是字符串,那么会拼接成字符串 ...

  10. mysql 获取刚插入行id汇总

    mysql 获取刚插入行id汇总 我们在写数据库程序的时候,经常会需要获取某个表中的最大序号数, 一般情况下获取刚插入的数据的id,使用select max(id) from table 是可以的.但 ...