Frida Hook Android Activity生命周期全方法监控方案
本方案提供了一套完整的Frida脚本,用于动态监控和分析Android应用中Activity的所有生命周期方法。通过JavaScript注入技术,实时追踪onCreate、onStart、onResume、onPause、onStop、onDestroy、onRestart、onSaveInstanceState、onRestoreInstanceState等关键方法的调用时机和顺序。
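脚本采用多版本适配设计,智能处理方法重载(Overload)情况,确保兼容不同Android版本和设备定制ROM。提供时间戳记录、调用堆栈追踪、包名过滤等实用功能,支持安全研究人员、逆向工程师和开发人员进行动态行为分析、性能调试和安全漏洞检测。需要注意:下文三个脚本实现了时间戳记录和包名过滤,并未包含调用堆栈追踪的代码;另外,Hook安装在android.app.Activity基类上,只有在基类实现被执行时(通常是应用的Activity子类在重写方法中调用super时)才会输出日志。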
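Java.perform(function () {
  console.log("🚀 Starting Activity Lifecycle Hooking...");

  // The hooks replace methods of the android.app.Activity base class. A log
  // line is therefore written when the base implementation runs (typically the
  // super.onX() call inside the app's own Activity subclass), and it is written
  // for every Activity in the process because this version has no filter.
  const Activity = Java.use("android.app.Activity");

  const BUNDLE = 'android.os.Bundle';
  const PERSISTABLE_BUNDLE = 'android.os.PersistableBundle';

  // Number of hooks that could not be installed; reported at the end.
  let failedHooks = 0;

  /** @returns {string} Current time as an ISO-8601 string. */
  function getTimestamp() {
    return new Date().toISOString();
  }

  /**
   * Replace one explicitly selected overload of an Activity method with a
   * logging wrapper that forwards to the original implementation.
   *
   * A failure (for example an overload that does not exist on the running
   * platform) is logged and counted instead of aborting the whole script, so
   * the remaining hooks are still installed.
   *
   * @param {string} methodName - Java method name on android.app.Activity.
   * @param {string[]} signature - Fully qualified argument types of the overload.
   * @param {string} label - Text printed in the log line for this overload.
   * @param {string} emoji - Prefix printed in front of the log line.
   */
  function hookOverload(methodName, signature, label, emoji) {
    try {
      Activity[methodName].overload(...signature).implementation = function () {
        // getClass() yields the runtime class, i.e. the app's subclass name.
        const className = this.getClass().getName();
        console.log(`${emoji} [${getTimestamp()}] ${label} called: ${className}`);
        // Forward to the original implementation so the app behaves as before.
        return this[methodName].apply(this, arguments);
      };
    } catch (err) {
      failedHooks += 1;
      console.log(`⚠️ Could not hook ${label} (${signature.join(', ')}): ${err.message}`);
    }
  }

  // Overloads are listed explicitly, in installation order. The
  // PersistableBundle variants do not exist below API level 21; on such a
  // platform .overload() throws, which hookOverload reports and skips.
  const hooks = [
    { method: 'onCreate', signature: [BUNDLE], label: 'onCreate', emoji: '📌' },
    { method: 'onCreate', signature: [BUNDLE, PERSISTABLE_BUNDLE], label: 'onCreate (persistent)', emoji: '📌' },
    { method: 'onStart', signature: [], label: 'onStart', emoji: '▶️' },
    { method: 'onResume', signature: [], label: 'onResume', emoji: '🌟' },
    { method: 'onPause', signature: [], label: 'onPause', emoji: '⏸️' },
    { method: 'onStop', signature: [], label: 'onStop', emoji: '⏹️' },
    { method: 'onDestroy', signature: [], label: 'onDestroy', emoji: '💥' },
    { method: 'onRestart', signature: [], label: 'onRestart', emoji: '🔁' },
    { method: 'onSaveInstanceState', signature: [BUNDLE], label: 'onSaveInstanceState', emoji: '💾' },
    { method: 'onSaveInstanceState', signature: [BUNDLE, PERSISTABLE_BUNDLE], label: 'onSaveInstanceState (persistent)', emoji: '💾' },
    { method: 'onRestoreInstanceState', signature: [BUNDLE], label: 'onRestoreInstanceState', emoji: '📂' },
    { method: 'onRestoreInstanceState', signature: [BUNDLE, PERSISTABLE_BUNDLE], label: 'onRestoreInstanceState (persistent)', emoji: '📂' }
  ];

  hooks.forEach(function (hook) {
    hookOverload(hook.method, hook.signature, hook.label, hook.emoji);
  });

  // Only claim success when every hook was actually installed.
  if (failedHooks === 0) {
    console.log("✅ Activity lifecycle hooks installed successfully!");
  } else {
    console.log(`⚠️ Activity lifecycle hooks installed with ${failedHooks} failure(s)`);
  }
});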
更智能的版本(自动处理重载方法)
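Java.perform(function () {
  console.log("🚀 Starting Smart Activity Lifecycle Hooking...");

  /** @returns {string} Current time as an ISO-8601 string. */
  function getTimestamp() {
    return new Date().toISOString();
  }

  /**
   * Install a logging wrapper on every overload of one method, so no overload
   * signature has to be written out by hand.
   *
   * The wrapper is installed on the class named by `className` itself; for
   * android.app.Activity that means a log line is written when the base
   * implementation runs (typically via super.onX() from the app's subclass).
   *
   * @param {string} className - Fully qualified Java class to hook.
   * @param {string} methodName - Method whose overloads are hooked.
   * @param {string} emoji - Prefix printed in front of the log line.
   */
  function smartHookMethod(className, methodName, emoji) {
    const targetClass = Java.use(className);
    const method = targetClass[methodName];

    if (!method) {
      console.log(`⚠️ Method ${methodName} not found in ${className}`);
      return;
    }

    method.overloads.forEach(function (overload, index) {
      // The signature never changes after installation, so build the text once
      // here rather than on every lifecycle call.
      const signature = overload.argumentTypes.map(t => t.className).join(', ');

      overload.implementation = function () {
        // getClass() yields the runtime class, i.e. the app's subclass name.
        const instanceClass = this.getClass().getName();
        console.log(`${emoji} [${getTimestamp()}] ${methodName} called: ${instanceClass}`);
        console.log(` 📋 Overload ${index + 1}: ${signature}`);
        // Forward to the original implementation so the app behaves as before.
        return this[methodName].apply(this, arguments);
      };
    });
  }

  // Activity lifecycle methods to hook, with the prefix used in their log lines.
  const methodsToHook = [
    { name: 'onCreate', emoji: '📌' },
    { name: 'onStart', emoji: '▶️' },
    { name: 'onResume', emoji: '🌟' },
    { name: 'onPause', emoji: '⏸️' },
    { name: 'onStop', emoji: '⏹️' },
    { name: 'onDestroy', emoji: '💥' },
    { name: 'onRestart', emoji: '🔁' },
    { name: 'onSaveInstanceState', emoji: '💾' },
    { name: 'onRestoreInstanceState', emoji: '📂' }
  ];

  methodsToHook.forEach(function (method) {
    smartHookMethod("android.app.Activity", method.name, method.emoji);
  });

  console.log("✅ Smart hooks installed successfully!");
});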
使用过滤功能的版本
Java.perform(function () {
  console.log("🚀 Starting Filtered Activity Lifecycle Hooking...");

  const Activity = Java.use("android.app.Activity");

  const config = {
    // Only Activities whose runtime class name starts with this string are
    // logged. This is a plain prefix match: Activities whose classes live under
    // another package (for example a bundled SDK) are not logged, and a package
    // whose name merely begins with the same characters is.
    targetPackage: "smartconnection.com.smartconnect",
    // When true, the arguments of each hooked call (for onCreate, the
    // saved-state Bundle) are passed through JSON.stringify into the log.
    // Treat a log produced with this enabled as potentially sensitive.
    logArguments: false
  };

  // Log prefix per lifecycle method; anything else falls back to the blue dot.
  const EMOJI_BY_METHOD = {
    'onCreate': '📌', 'onStart': '▶️', 'onResume': '🌟',
    'onPause': '⏸️', 'onStop': '⏹️', 'onDestroy': '💥',
    'onRestart': '🔁'
  };
  const FALLBACK_EMOJI = '🔵';

  const timestamp = () => new Date().toISOString();
  const emojiFor = (name) => EMOJI_BY_METHOD[name] || FALLBACK_EMOJI;
  const isTargetClass = (name) => name.startsWith(config.targetPackage);

  // Main lifecycle methods; every overload of each one receives the wrapper.
  for (const methodName of ['onCreate', 'onStart', 'onResume', 'onPause', 'onStop', 'onDestroy', 'onRestart']) {
    const method = Activity[methodName];
    if (!method) {
      continue;
    }

    for (const overload of method.overloads) {
      overload.implementation = function () {
        // getClass() yields the runtime class, i.e. the app's subclass name.
        const className = this.getClass().getName();

        if (isTargetClass(className)) {
          console.log(`${emojiFor(methodName)} [${timestamp()}] ${methodName}: ${className}`);

          if (config.logArguments) {
            const args = Array.from(arguments);
            console.log(` 🧩 Arguments: ${JSON.stringify(args)}`);
          }
        }

        // Always forward to the original, whether or not the call was logged.
        return this[methodName].apply(this, arguments);
      };
    }
  }

  console.log(`✅ Filtered hooks installed! Monitoring package: ${config.targetPackage}`);
});
💡 总结
本方案解决了Frida Hook Android生命周期方法时的常见问题,特别是方法重载导致的运行时错误,提供了一个稳定、可靠且功能丰富的监控框架。通过这套方案,研究人员可以:
- 快速上手:无需深入了解Frida细节即可开始监控
- 避免常见陷阱:自动处理重载方法,减少调试时间
- 获得深度洞察:通过时间序列和上下文信息深入理解应用行为
- 灵活适配:根据不同分析需求调整监控粒度和范围
该方案是Android应用动态分析的强大工具,为安全研究、性能优化和逆向工程提供了重要的技术支撑,显著提高了分析效率和数据准确性。