从 native 获取 AndroidId,Frida 获取 native 堆栈
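// Set to false to suppress the Java stack trace printed on each android_id read.
let enablePrintStackTrace = true;

/**
 * Frida entry point: runs once the Java bridge is ready, installs the
 * Settings$Secure.getString hook and the native GetStaticMethodID hook.
 */
Java.perform(function installHooks() {
  console.log('重新加载脚本');
  hookAndroidId();
  exportSoMethod("libart.so");
});

/**
 * Hooks android.provider.Settings$Secure.getString(ContentResolver, String).
 * When the requested key is "android_id" the value is logged, optionally with
 * the Java call stack, so the caller that asked for the identifier can be
 * attributed. The original return value is passed through unchanged.
 */
function hookAndroidId() {
  const ANDROID_ID = "android_id";
  const Secure = Java.use("android.provider.Settings$Secure");
  Secure.getString.implementation = function (resolver, name) {
    const result = this.getString(resolver, name);
    // `name` is a Java String wrapper, not a JS primitive; String() routes
    // through its toString(), so a strict comparison is safe here.
    if (String(name) === ANDROID_ID) {
      console.log("getString 获取 androidID: " + result);
      log();
    }
    return result;
  };
}

/**
 * Attaches to every symbol of `module_name` whose name contains
 * "GetStaticMethodID" (on libart.so this matches the CheckJNI and both JNI<>
 * instantiations seen in the log below). Whenever a caller resolves the JNI
 * method ID of a method named "getString", the native backtrace is printed so
 * the native library performing the lookup can be located.
 *
 * @param {string} module_name - Name of a loaded module, e.g. "libart.so".
 *   If the module is not loaded a message is logged and nothing is hooked.
 */
function exportSoMethod(module_name) {
  const module = Process.findModuleByName(module_name);
  if (module === null) {
    // findModuleByName returns null (not throws) for an unknown module.
    console.log(`[exportSoMethod] module not loaded: ${module_name}`);
    return;
  }
  // Reference call shape being intercepted:
  //   env->GetStaticMethodID(secureClass, "getString",
  //     "(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;");
  const targets = module
    .enumerateSymbols()
    .filter((sym) => sym.name.includes("GetStaticMethodID"));
  for (const sym of targets) {
    const address = sym.address;
    console.log(`[name]: ${sym.name} \n\t[address]: ${address}\n`);
    // A NativePointer object is always truthy; test the pointer value itself.
    if (address.isNull()) continue;
    Interceptor.attach(address, {
      onEnter(args) {
        // jmethodID GetStaticMethodID(JNIEnv* env, jclass clazz,
        //                             const char* name, const char* sig)
        const targetClass = args[1];
        // Guard against a NULL name/sig pointer before dereferencing it.
        const methodName = args[2].isNull() ? null : args[2].readCString();
        const methodSig = args[3].isNull() ? null : args[3].readCString();
        if (methodName !== "getString") return;
        console.log(`[targetClass]: ${targetClass} [methodName]: ${methodName} [methodSig]: ${methodSig}\n`);
        // Backtracer.ACCURATE gives a more detailed stack but may be slower;
        // Backtracer.FUZZY is faster but may be less accurate.
        const nativeStack = Thread.backtrace(this.context, Backtracer.FUZZY)
          .map(DebugSymbol.fromAddress)
          .join('\n');
        console.log(`[nativeStack]: ${nativeStack}\n`);
      },
    });
  }
}

/**
 * Prints the current Java stack trace (Log.getStackTraceString of a fresh
 * Throwable) when enablePrintStackTrace is set; otherwise does nothing.
 */
function log() {
  if (!enablePrintStackTrace) return;
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");
  console.log(Log.getStackTraceString(Throwable.$new()));
}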
日志输出示例:
[V2183A::com.dz.gslsz.honor ]-> 重新加载脚本
[name]: _ZN3art12_GLOBAL__N_18CheckJNI17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS7_.llvm.15913410659909574214[address]: 0x6ef284b390[name]: _ZN3art3JNIILb0EE17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS7_[address]: 0x6ef28a0fb0[name]: _ZN3art3JNIILb1EE17GetStaticMethodIDEP7_JNIEnvP7_jclassPKcS7_[address]: 0x6ef2904a30[V2183A::com.dz.gslsz.honor ]-> [targetClass]: 0xc5 [methodName]: getString [methodSig]: (Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;[nativeStack]: 0x6e3cd4860c libnative-lib.so!0x112960c
0x6e3cd64594 libnative-lib.so!0x1145594
0x6e7c3fc740
0x6e7c3fc754
0x6e7c48f0bc
0x6e7c48f084
0x6e7c479260
0x6ef2b59f14 libart.so!NterpGetStaticField+0x84
0x6ef2b5a5d8 libart.so!NterpGetInstanceFieldOffset+0x68
0x6e3cd50ccc libnative-lib.so!0x1131ccc
0x6e3cd50cb4 libnative-lib.so!0x1131cb4
0x6ef260a258 libart.so!nterp_helper+0xf58
0x71929184 boot-framework.oat!0x406184
0x6ef2610970 libart.so!art_quick_invoke_stub+0x230
0x6ef267bbbc libart.so!_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+0xbc
0x6ef2a2cf48 libart.so!_ZN3art35InvokeVirtualOrInterfaceWithVarArgsIPNS_9ArtMethodEEENS_6JValueERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectT_St9__va_list+0x1d8getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwableat android.provider.Settings$Secure.getString(Native Method)getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwableat android.provider.Settings$Secure.getString(Native Method)at com.umeng.commonsdk.statistics.common.DeviceConfig.getAndroidId(SourceFile:7)at com.umeng.commonsdk.statistics.idtracking.b.f(SourceFile:1)at com.umeng.commonsdk.statistics.idtracking.a.g(SourceFile:4)at com.umeng.commonsdk.statistics.idtracking.a.a(SourceFile:1)at com.umeng.commonsdk.statistics.idtracking.f.b(SourceFile:5)at com.umeng.commonsdk.statistics.b.a(SourceFile:40)at com.umeng.commonsdk.framework.UMEnvelopeBuild.buildEnvelopeWithExtHeader(SourceFile:18)at com.umeng.commonsdk.framework.UMEnvelopeBuild.buildEnvelopeWithExtHeader(SourceFile:3)at com.umeng.analytics.pro.q.j(SourceFile:6)at com.umeng.analytics.pro.q.a(SourceFile:136)at com.umeng.analytics.pro.q.c(SourceFile:3)at com.umeng.analytics.pro.q.a(SourceFile:76)at com.umeng.analytics.CoreProtocol.workEvent(SourceFile:1)at com.umeng.commonsdk.framework.UMWorkDispatch.handleEvent(SourceFile:5)at com.umeng.commonsdk.framework.UMWorkDispatch.access$000(SourceFile:1)at com.umeng.commonsdk.framework.UMWorkDispatch$1.handleMessage(SourceFile:5)at android.os.Handler.dispatchMessage(Handler.java:106)at android.os.Looper.loopOnce(Looper.java:223)at android.os.Looper.loop(Looper.java:324)at android.os.HandlerThread.run(HandlerThread.java:67)getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwableat android.provider.Settings$Secure.getString(Native Method)at com.reyun.tracking.a.a.c(Unknown Source:13)at com.reyun.tracking.a.h.a(Unknown Source:151)at com.reyun.tracking.a.h.a(Unknown Source:38)at com.reyun.tracking.sdk.Tracking.setStartupInternal(Unknown Source:19)at com.reyun.tracking.sdk.d.handleMessage(Unknown Source:139)at android.os.Handler.dispatchMessage(Handler.java:106)at android.os.Looper.loopOnce(Looper.java:223)at android.os.Looper.loop(Looper.java:324)at android.app.ActivityThread.main(ActivityThread.java:8524)at android.app.ActivityThread.main(ActivityThread.java:8524)at java.lang.reflect.Method.invoke(Native Method)at java.lang.reflect.Method.invoke(Native Method)at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:582)at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:582)at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1059)[targetClass]: 0x73da [methodName]: getString [methodSig]: (Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
[targetClass]: 0x73da [methodName]: getString [methodSig]: (Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;[nativeStack]: 0x6e39cd4d44 libunity.so!0x9e4d44
0x71708098 boot-framework.oat!0x1e5098
0x6e66ba69a8 base.odex!0xe39a8
0x6e66f2d674 base.odex!0x46a674
0x6e66f2d674 base.odex!0x46a674
0x6e66db99f0 base.odex!0x2f69f0
0x71b3c788 boot-framework.oat!0x619788
0x71b3fe28 boot-framework.oat!0x61ce28
0x71b3f948 boot-framework.oat!0x61c948
0x71b3bf6c boot-framework.oat!0x618f6c
0x6e66dba488 base.odex!0x2f7488
0x6ef2a771a0 libart.so!_ZN3art6Thread25InstallImplicitProtectionEv+0x80
0x6ef2610970 libart.so!art_quick_invoke_stub+0x230
0x6ef267bbbc libart.so!_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+0xbc
0x6ef267bbbc libart.so!_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+0xbc
0x718ce51468 libc.so!scudo_malloc+0x28
0x718ce512a8 libc.so!_ZN5scudo9AllocatorINS_13AndroidConfigEXadL_Z21scudo_malloc_postinitEEE10deallocateEPvNS_5Chunk6OriginEmm+0xd8
0x6ef2a2caf0 libart.so!_ZN3art35InvokeVirtualOrInterfaceWithJValuesIPNS_9ArtMethodEEENS_6JValueERKNS_33ScopedObjectAccessAlreadyRunnableEP8_jobjectT_PK6jvalue+0x1d0getString 获取 androidID: e3ab5e5a1d6e2063
java.lang.Throwableat android.provider.Settings$Secure.getString(Native Method)at com.unity3d.player.UnityPlayer.nativeRender(Native Method)at com.unity3d.player.UnityPlayer.access$300(Unknown Source:0)at com.unity3d.player.UnityPlayer$e$1.handleMessage(Unknown Source:83)at android.os.Handler.dispatchMessage(Handler.java:102)at android.os.Looper.loopOnce(Looper.java:223)at android.os.Looper.loop(Looper.java:324)at com.unity3d.player.UnityPlayer$e.run(Unknown Source:20)[V2183A::com.dz.gslsz.honor ]->