frida获取so层动态注册函数

谢谢大佬的无私奉献https://github.com/lasting-yang/frida_hook_libart

一.js模板一



function hook_RegisterNatives() {

    var symbols = Module.enumerateSymbolsSync("libart.so");

    var addrRegisterNatives = null;

    for (var i = 0; i < symbols.length; i++) {

        var symbol = symbols[i];

        //_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi

        if (symbol.name.indexOf("art") >= 0 &&

                symbol.name.indexOf("JNI") >= 0 &&

                symbol.name.indexOf("RegisterNatives") >= 0 &&

                symbol.name.indexOf("CheckJNI") < 0) {

            addrRegisterNatives = symbol.address;

            console.log("RegisterNatives is at ", symbol.address, symbol.name);

        }

    }

    if (addrRegisterNatives != null) {

        Interceptor.attach(addrRegisterNatives, {

            onEnter: function (args) {

                console.log("[RegisterNatives] method_count:", args[3]);

                var env = args[0];

                var java_class = args[1];

                var class_name = Java.vm.tryGetEnv().getClassName(java_class);

                //console.log(class_name);

                var methods_ptr = ptr(args[2]);

                var method_count = parseInt(args[3]);

                for (var i = 0; i < method_count; i++) {

                    var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));

                    var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));

                    var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));

                    var name = Memory.readCString(name_ptr);

                    var sig = Memory.readCString(sig_ptr);

                    var find_module = Process.findModuleByAddress(fnPtr_ptr);

                    console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base));

                }

            }

        });

    }

}

setImmediate(hook_RegisterNatives);

二.js模板二

var ishook_libart = false;

function hook_libart() {

    if (ishook_libart === true) {

        return;

    }

    var symbols = Module.enumerateSymbolsSync("libart.so");

    var addrGetStringUTFChars = null;

    var addrNewStringUTF = null;

    var addrFindClass = null;

    var addrGetMethodID = null;

    var addrGetStaticMethodID = null;

    var addrGetFieldID = null;

    var addrGetStaticFieldID = null;

    var addrRegisterNatives = null;

    var addrAllocObject = null;

    var addrCallObjectMethod = null;

    var addrGetObjectClass = null;

    var addrReleaseStringUTFChars = null;

    for (var i = 0; i < symbols.length; i++) {

        var symbol = symbols[i];

        if (symbol.name == "_ZN3art3JNI17GetStringUTFCharsEP7_JNIEnvP8_jstringPh") {

            addrGetStringUTFChars = symbol.address;

            console.log("GetStringUTFChars is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI12NewStringUTFEP7_JNIEnvPKc") {

            addrNewStringUTF = symbol.address;

            console.log("NewStringUTF is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI9FindClassEP7_JNIEnvPKc") {

            addrFindClass = symbol.address;

            console.log("FindClass is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI11GetMethodIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetMethodID = symbol.address;

            console.log("GetMethodID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetStaticMethodID = symbol.address;

            console.log("GetStaticMethodID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI10GetFieldIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetFieldID = symbol.address;

            console.log("GetFieldID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI16GetStaticFieldIDEP7_JNIEnvP7_jclassPKcS6_") {

            addrGetStaticFieldID = symbol.address;

            console.log("GetStaticFieldID is at ", symbol.address, symbol.name);

        } else if (symbol.name == "_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi") {

            addrRegisterNatives = symbol.address;

            console.log("RegisterNatives is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI11AllocObjectEP7_JNIEnvP7_jclass") >= 0) {

            addrAllocObject = symbol.address;

            console.log("AllocObject is at ", symbol.address, symbol.name);

        }  else if (symbol.name.indexOf("_ZN3art3JNI16CallObjectMethodEP7_JNIEnvP8_jobjectP10_jmethodIDz") >= 0) {

            addrCallObjectMethod = symbol.address;

            console.log("CallObjectMethod is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI14GetObjectClassEP7_JNIEnvP8_jobject") >= 0) {

            addrGetObjectClass = symbol.address;

            console.log("GetObjectClass is at ", symbol.address, symbol.name);

        } else if (symbol.name.indexOf("_ZN3art3JNI21ReleaseStringUTFCharsEP7_JNIEnvP8_jstringPKc") >= 0) {

            addrReleaseStringUTFChars = symbol.address;

            console.log("ReleaseStringUTFChars is at ", symbol.address, symbol.name);

        }

    }

    if (addrRegisterNatives != null) {

        Interceptor.attach(addrRegisterNatives, {

            onEnter: function (args) {

                console.log("[RegisterNatives] method_count:", args[3]);

                var env = args[0];

                var java_class = args[1];

                var funcAllocObject = new NativeFunction(addrAllocObject, "pointer", ["pointer", "pointer"]);

                var funcGetMethodID = new NativeFunction(addrGetMethodID, "pointer", ["pointer", "pointer", "pointer", "pointer"]);

                var funcCallObjectMethod = new NativeFunction(addrCallObjectMethod, "pointer", ["pointer", "pointer", "pointer"]);

                var funcGetObjectClass = new NativeFunction(addrGetObjectClass, "pointer", ["pointer", "pointer"]);

                var funcGetStringUTFChars = new NativeFunction(addrGetStringUTFChars, "pointer", ["pointer", "pointer", "pointer"]);

                var funcReleaseStringUTFChars = new NativeFunction(addrReleaseStringUTFChars, "void", ["pointer", "pointer", "pointer"]);

                var clz_obj = funcAllocObject(env, java_class);

                var mid_getClass = funcGetMethodID(env, java_class, Memory.allocUtf8String("getClass"), Memory.allocUtf8String("()Ljava/lang/Class;"));

                var clz_obj2 = funcCallObjectMethod(env, clz_obj, mid_getClass);

                var cls = funcGetObjectClass(env, clz_obj2);

                var mid_getName = funcGetMethodID(env, cls, Memory.allocUtf8String("getName"), Memory.allocUtf8String("()Ljava/lang/String;"));

                var name_jstring = funcCallObjectMethod(env, clz_obj2, mid_getName);

                var name_pchar = funcGetStringUTFChars(env, name_jstring, ptr(0));

                var class_name = ptr(name_pchar).readCString();

                funcReleaseStringUTFChars(env, name_jstring, name_pchar);

                //console.log(class_name);

                var methods_ptr = ptr(args[2]);

                var method_count = parseInt(args[3]);

                for (var i = 0; i < method_count; i++) {

                    var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));

                    var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));

                    var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));

                    var name = Memory.readCString(name_ptr);

                    var sig = Memory.readCString(sig_ptr);

                    var find_module = Process.findModuleByAddress(fnPtr_ptr);

                    console.log("[RegisterNatives] java_class:", class_name, "name:", name, "sig:", sig, "fnPtr:", fnPtr_ptr, "module_name:", find_module.name, "module_base:", find_module.base, "offset:", ptr(fnPtr_ptr).sub(find_module.base));

                }

            },

            onLeave: function (retval) { }

        });

    }

    ishook_libart = true;

}

hook_libart();

三.运行代码

我们要在APP启动前运行代码

frida -U -f 包名 --no-pause -l hook.js

frida- registernatives获取so层动态注册函数的更多相关文章

  1. 彩贝网app破解登入参数(涉及app脱壳,反编译java层,so层动态注册,反编译so层)

    一.涉及知识点 app脱壳 java层 so层动态注册 二.抓包信息 POST /user/login.html HTTP/1.1 x-app-session: 1603177116420 x-app ...

  2. ndk学习20: jni之OnLoad动态注册函数

    一.原理 当在系统中调用System.loadLibrary函数时,该函数会找到对应的动态库, 然后首先试图找到"JNI_OnLoad"函数,如果该函数存在,则调用它 JNI_On ...

  3. Android 动态注册JNI函数

    1.JNI函数注册方式 在Android开发中,由于种种原因我们需要调用C/C++代码,在这个时候我们就需要使用jni了, jni在使用时要对定义的函数进行注册,这样java才能通过native关键字 ...

  4. SpringBoot27 JDK动态代理详解、获取指定的类类型、动态注册Bean、接口调用框架

    1 JDK动态代理详解 静态代理.JDK动态代理.Cglib动态代理的简单实现方式和区别请参见我的另外一篇博文. 1.1 JDK代理的基本步骤 >通过实现InvocationHandler接口来 ...

  5. 使用Spring容器动态注册和获取Bean

    有时候需要在运行时动态注册Bean到Spring容器,并根据名称获取注册的Bean.比如我们自己的SAAS架构的系统需要调用ThingsBoard API和Thingsboard交互,就可以通过Thi ...

  6. JNI动态注册native方法及JNI数据使用

    前言 或许你知道了jni的简单调用,其实不算什么百度谷歌一大把,虽然这些jni绝大多数情况下都不会让我们安卓工程师来弄,毕竟还是有点难,但是我们还是得打破砂锅知道为什么这样干吧,至少也让我们知道调用流 ...

  7. Android开发4: Notification编程基础、Broadcast的使用及其静态注册、动态注册方式

    前言 啦啦啦~(博主每次开篇都要卖个萌,大家是不是都厌倦了呢~) 本篇博文希望帮助大家掌握 Broadcast 编程基础,实现动态注册 Broadcast 和静态注册 Broadcast 的方式以及学 ...

  8. Android Studio NDK JNI动态注册本地方法

    概述 可能大家觉得javah生成的函数名又臭又长,不太好看.这里可以提供另外一种方法来动态注册c++函数,让其根Java中的native方法关联起来. 实现 这里通过JNIEnv的Resisterna ...

  9. JNI原理与静态、动态注册

    前言 JNI不仅仅在NDK开发中应用,它更是Android系统中Java与Native交互的桥梁,不理解JNI的话,你就只能停留在Java Framework层.这一个系列我们来一起深入学习JNI. ...

随机推荐

  1. Unit2:活动

    1.基本用法 1.创建活动 Generate LayoutFile 创建布局文件 Launcher Activity 自动注册为主活动 编写顺序 活动Activity 注册.xml 界面res.xx ...

  2. Springboot定时任务@Scheduled注解形式,参数详解

    参数详解 1.占位符 1 秒 是 0-59 , - * / 2 分 是 0-59 , - * / 3 时 是 0-23 , - * / 4 日 是 1-31 , - * ? / L W 5 月 是 1 ...

  3. 关于弹性布局flex

    什么时候使用flex布局? 当页面排版涉及左右浮动.垂直居中等时,应使用flex布局来避免传统的盒式布局带来的一些Bug. 如何使用flex布局? 在目标元素的父元素设置csss属性.display: ...

  4. spring 之BeanPostProcessor&BeanFactoryPostProcessor

    http://www.cnblogs.com/sishang/p/6576665.html https://www.cnblogs.com/sishang/p/6588542.html

  5. Orchard Core创建CMS/Blog站点

    安装.NET Core SDK 下载并安装当前最新版本.NET Core SDK 3.1: https://dotnet.microsoft.com/download 安装visual studio ...

  6. 刷题[WUSTCTF2020]朴实无华

    解题思路 打开是一个这样的页面,查看源码发现什么人间极乐bot,试试是不是robots.txt,查看发现类似flag文件,查看发现是假的flag,但是burp抓包后发现,返回的头部有信息 源码出来了, ...

  7. 朴素贝叶斯分类器Naive Bayes

    优点Naive Bayes classifiers tend to perform especially well in one of the following situations: When t ...

  8. 为啥你用@JsonFormat注解时,LocalDateTime会反序列化失败?

    写在前面 最近,有个小伙伴问我:我在SpringBoot项目中,使用@JsonFormat注解标注LocalDateTime类型的字段时,LocalDateTime反序列化失败,这个我该怎么处理呢?别 ...

  9. ESD(静电释放)上半部分

    ESD(静电释放)上半部分 ESD:Electro-Static discharge静电释放 1.ESD静电释放的模式 1.1 人体放电模式(human body mode) 人体会释放静电,那么人体 ...

  10. list_for_eacy_entry图解

    .