
frida android quickstart

I had previously done a round of hooking with some commonly used Frida scripts, but back then I was using an environment a colleague had already set up.

That environment is gone now. I had some time today, so I revisited it and built a simple environment from scratch. What follows is a record of my steps.

https://frida.re/docs/quickstart/

# Install
source ~/py3env/bin/activate
pip install frida-tools==13.7.1

# Prepare the Android environment
docker run -d --rm -p 6080:6080 -e EMULATOR_DEVICE="Samsung Galaxy S7" -e WEB_VNC=true --device /dev/kvm --name android-container_1 budtmo/docker-android:emulator_9.0
adb connect 172.17.0.2:5555

# Prepare frida-server for Android
# https://github.com/frida/frida/releases
# Pick frida-server-16.7.19-android-x86_64.xz and download it
unxz frida-server-16.7.19-android-x86_64.xz
adb push frida-server-16.7.19-android-x86_64 /data/local/tmp/frida-server

# Start the server on the device
adb shell
$ su
$ cd /data/local/tmp/
$ chmod 755 /data/local/tmp/frida-server
$ /data/local/tmp/frida-server &

# Check the process list, then run the test script
frida-ps -U
python ctf.py

Test package: https://github.com/ctfs/write-ups-2015/tree/master/seccon-quals-ctf-2015/binary/reverse-engineering-android-apk-1
Test script: ctf.py

import sys
import frida


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = """
setTimeout(function() {
    Java.perform(() => {
        // Function to hook is defined here
        const MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
        // Whenever button is clicked
        const onClick = MainActivity.onClick;
        onClick.implementation = function (v) {
            // Show a message to know that the function got called
            send('onClick');
            // Call the original onClick handler
            onClick.call(this, v);
            // Set our values after running the original onClick handler
            this.m.value = 0;
            this.n.value = 1;
            this.cnt.value = 999;
            // Log to the console that it's done, and we should have the flag!
            console.log('Done:' + JSON.stringify(this.cnt));
        };
    });
}, 200);
console.log("running..");
"""

# Attach by the process name that frida-ps -U lists, not by the package id
process = frida.get_usb_device().attach('rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()

Below is the record of my attempts (can be skipped).

Install

source ~/py3env/bin/activate
pip install frida-tools

Prepare the Android environment

docker run -d --rm -p 6080:6080 -e EMULATOR_DEVICE="Samsung Galaxy S7" -e WEB_VNC=true --device /dev/kvm --name android-container_1 budtmo/docker-android:emulator_9.0
adb connect 172.17.0.2:5555

# https://github.com/frida/frida/releases
# Pick frida-server-17.4.0-android-x86_64.xz and download it
unxz frida-server-17.4.0-android-x86_64.xz
adb push frida-server-17.4.0-android-x86_64 /data/local/tmp/frida-server
adb shell
su
cd /data/local/tmp/
chmod 755 /data/local/tmp/frida-server
/data/local/tmp/frida-server &
frida-ps -U
# 6271  rock_paper_scissors
python ctf.py

I tried the test APK that Frida's docs use: https://github.com/ctfs/write-ups-2015/tree/master/seccon-quals-ctf-2015/binary/reverse-engineering-android-apk-1
Test script: https://frida.re/docs/examples/android/

ctf.py

import sys
import frida


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = """
Java.perform(() => {
    // Function to hook is defined here
    const MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
    // Whenever button is clicked
    const onClick = MainActivity.onClick;
    onClick.implementation = function (v) {
        // Show a message to know that the function got called
        send('onClick');
        // Call the original onClick handler
        onClick.call(this, v);
        // Set our values after running the original onClick handler
        this.m.value = 0;
        this.n.value = 1;
        this.cnt.value = 999;
        // Log to the console that it's done, and we should have the flag!
        console.log('Done:' + JSON.stringify(this.cnt));
    };
});
"""

process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()

Running it produced errors:

Error 1

>>> process = frida.get_usb_device().attach('com.example.seccon2015.rock_paper_scissors')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/yeshen/py3env/lib/python3.12/site-packages/frida/core.py", line 86, in wrapper
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/home/yeshen/py3env/lib/python3.12/site-packages/frida/core.py", line 1071, in attach
    return Session(self._impl.attach(self._pid_of(target), **kwargs))  # type: ignore
                                     ^^^^^^^^^^^^^^^^^^^^
  File "/home/yeshen/py3env/lib/python3.12/site-packages/frida/core.py", line 1193, in _pid_of
    return self.get_process(target).pid
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/yeshen/py3env/lib/python3.12/site-packages/frida/core.py", line 86, in wrapper
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/home/yeshen/py3env/lib/python3.12/site-packages/frida/core.py", line 969, in get_process
    raise _frida.ProcessNotFoundError(f"unable to find process with name '{process_name}'")
frida.ProcessNotFoundError: unable to find process with name 'com.example.seccon2015.rock_paper_scissors'

It turned out the name was wrong: it should be rock_paper_scissors, as listed by frida-ps -U.
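The mismatch behind error 1 (frida-ps lists the app by its label, not its package identifier) can also be handled in the driver script. The following is an added example, not code from the post or from the Frida project: it resolves the package identifier against the device's process list and attaches by pid. `Proc`, `resolve_target` and `attach_to` are my own names, and the process list `SAMPLE` is constructed to mirror the `frida-ps -U` output shown above.

```python
import sys
from typing import Iterable, NamedTuple, Optional

# Package identifier of the test app; frida-ps -U shows it as 'rock_paper_scissors'.
PACKAGE = "com.example.seccon2015.rock_paper_scissors"


class Proc(NamedTuple):
    pid: int
    name: str


def resolve_target(processes: Iterable[Proc], package: str) -> Optional[Proc]:
    """Find the running process for `package`, or None if it is not running.

    Match order: the full package id (some apps are listed that way), then the
    last dotted component (the label frida-ps shows for this app), then any
    process whose name is a dotted suffix of the package id.
    """
    procs = list(processes)
    for p in procs:
        if p.name == package:
            return p
    label = package.rsplit(".", 1)[-1]
    for p in procs:
        if p.name == label:
            return p
    for p in procs:
        if package.endswith("." + p.name):
            return p
    return None


def attach_to(package: str, jscode: str, on_message):
    """Attach to `package` over USB by pid and load `jscode`; returns the script."""
    import frida  # imported here so resolve_target can be tested without a device

    device = frida.get_usb_device()
    procs = [Proc(p.pid, p.name) for p in device.enumerate_processes()]
    target = resolve_target(procs, package)
    if target is None:
        names = ", ".join(sorted(p.name for p in procs))
        sys.exit(f"no running process for {package}; device lists: {names}")
    session = device.attach(target.pid)  # pid avoids the name-vs-label problem
    script = session.create_script(jscode)
    script.on("message", on_message)
    script.load()
    return script


# Constructed sample of a device process list, including the pid frida-ps showed.
SAMPLE = [Proc(1, "system_server"), Proc(6271, "rock_paper_scissors"), Proc(7, "com.android.phone")]
```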

Error 2

{'type': 'error', 'description': "ReferenceError: 'Java' is not defined", 'stack': "ReferenceError: 'Java' is not defined\n    at <eval> (/script1.js:2)", 'fileName': '/script1.js', 'lineNumber': 2, 'columnNumber': 1}

https://github.com/frida/frida/issues/3473

From the discussion, this is a new behaviour in Frida 17 that stops the old demo from running, so I deliberately downgraded to version 16.

# https://github.com/frida/frida/releases
# Pick frida-server-16.7.19-android-x86_64.xz and download it
unxz frida-server-16.7.19-android-x86_64.xz
adb push frida-server-16.7.19-android-x86_64 /data/local/tmp/frida-server
pip uninstall frida-tools
pip install frida-tools==13.7.1

import sys
import frida


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = """
setTimeout(function() {
    Java.perform(() => {
        // Function to hook is defined here
        const MainActivity = Java.use('com.example.seccon2015.rock_paper_scissors.MainActivity');
        // Whenever button is clicked
        const onClick = MainActivity.onClick;
        onClick.implementation = function (v) {
            // Show a message to know that the function got called
            send('onClick');
            // Call the original onClick handler
            onClick.call(this, v);
            // Set our values after running the original onClick handler
            this.m.value = 0;
            this.n.value = 1;
            this.cnt.value = 999;
            // Log to the console that it's done, and we should have the flag!
            console.log('Done:' + JSON.stringify(this.cnt));
        };
    });
}, 200);
console.log("running..");
"""

process = frida.get_usb_device().attach('rock_paper_scissors')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()

python ctf.py

Reference links

  1. https://blog.csdn.net/yeshennet/article/details/139563429
  2. https://frida.re/docs/android/