一些常用的frida脚本

这里整理一些常用的frida脚本，和ghidra 一起食用风味更佳～

Trace RegisterNatives

let nativeMethods = {"methods":[]}
let addrRegisterNatives = null
var yeshen_module_base = undefinedconst OURLIB = "libEngineNative.so"                     // Replace with yoursProcess.enumerateModules().forEach(function (m) { Module.enumerateSymbolsSync(m.name).forEach(function (s) { if (s.name.includes("RegisterNatives") && (!s.name.includes("CheckJNI"))) { addrRegisterNatives = s.address} }) 
})Interceptor.attach(addrRegisterNatives, {// jint RegisterNatives(JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods);onEnter: function (args) {var calledFromLibnOffset = String(DebugSymbol.fromAddress(this.returnAddress))if(!calledFromLibnOffset.includes(OURLIB)){     // Filter out a few calls return}// console.log("\nenv->RegisterNatives()")var nMethods = parseInt(args[3]);// console.log("\tnMethods="+nMethods);var class_name = Java.vm.tryGetEnv().getClassName(args[1]);// console.log("\tclazz.name="+class_name)// console.log("\tmethods[]:");var methods_ptr = ptr(args[2]);for (var i = 0; i < nMethods; i++) {var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize*3));var methodName = Memory.readCString(name_ptr);var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize*3 + Process.pointerSize));var sig = Memory.readCString(sig_ptr);// console.log("\t\t"+methodName+"(), sig:", sig)var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize*3 + Process.pointerSize*2));var find_module = Process.findModuleByAddress(fnPtr_ptr);yeshen_module_base = find_module.base;var fnPtr_ptr_ghidra = ptr(fnPtr_ptr).sub(find_module.base).add(0x00100000)// console.log("\t\t\tfnPtr:", fnPtr_ptr,  " ghidraOffset:", fnPtr_ptr_ghidra);nativeMethods["methods"].push({ghidraOffset : fnPtr_ptr_ghidra,methodName : class_name+"."+methodName})}}
})// let the script run for a bit,
// then dump the "nativeMethods" object on the Frida interpreter 
// or uncomment the console.log statements to dump all invocations like below://  env->RegisterNatives()
// 	    nMethods=1
// 	    clazz.name=com.app.jni.PhoneControllerHelper
//  	methods[]:
// 	    	handleSendIM2Message(), sig: (Lcom/app/jni/MessageWrite;)Z
// 		    	fnPtr: 0x733a924280  ghidraOffset: 0x1d7280

Trace sprintf

注意到sprintf可能会把关键的信息拼接出来，所以挂一个，把目标so的这个函数调用打出来

var libyeshenbaseModule = "libyeshen.so"
const sprintfAddress = Module.findExportByName(libyeshenbaseModule, "sprintf");
Interceptor.attach(sprintfAddress, {onEnter: function (args) {this.args1 = args[0];var fnPtr_ptr_ghidra = ptr(this.returnAddress).sub(yeshen_module_base).add(0x00100000)var caller = DebugSymbol.fromAddress(this.returnAddress);this.args2 = "sprintf is called from: " + caller + ",ghidraOffset:" + fnPtr_ptr_ghidra;},onLeave: function (retval) {ALOGE("sprintf result: " + Memory.readUtf8String(this.args1) + "," + this.args2);}
});

Trace opendir

禁止目标so对opendir的访问和记录。

var libyeshenbaseModule = "libyeshen.so"
Interceptor.attach(Module.findExportByName(libyeshenbaseModule, 'opendir'), {onEnter: function (args) {var filename = Memory.readUtf8String(args[0]);if(filename.startsWith("/proc/self/net") || filename.startsWith("/sbin") || filename == "/"|| filename == "/sys/devices/system/cpu"){args[0] = ptr(0);ALOGE("opendir:" + filename + " forbidden.");}else{ALOGE("opendir:" + filename);}},onLeave: function (retval) {}
});

Trace readdir

Interceptor.attach(Module.findExportByName(libyeshenbaseModule, 'readdir'), {onEnter: function (args) {var filename = Memory.readUtf8String(args[0]);ALOGE("readdir:" + filename);},onLeave: function (retval) {}
});

Trace fread

Interceptor.attach(Module.findExportByName(libyeshenbaseModule, 'fread'), {onEnter: function (args) {var buffer = args[0];var size = args[1];var nmemb = args[2];var file = args[3];// var data = Memory.readUtf8String(buffer, size);ALOGE("fread:" + buffer + ", size: " + size + ", nmemb: " + nmemb + ", file: " + file );//+ ',data:' + data);// ALOGE("--fread end")},onLeave: function (retval) {}
});

Trace open & read

Interceptor.attach(Module.findExportByName(libyeshenbaseModule, 'open'), {onEnter: function (args) {var path = Memory.readUtf8String(args[0]);// if(path.startsWith("/proc")  && path.endsWith("/maps")){if (path == "/data" || path == "/data/app" || path == "/mnt" || path == "/system/framework" || path == "/sbin" || path == "/proc/cpuinfo" || path == "/proc/self/net" || path == "/proc/self/net/unix"){ALOGE("Access to " + path + " is denied"); args[0] = ptr("-1");// 修改返回值为 -1，表示打开文件失败}else if (path.startsWith("/proc") && (path.endsWith("/maps") || path.endsWith("/status") || path.endsWith("/cmdline") || path.endsWith("/meminfo") || path.endsWith("/stat"))) {ALOGE("Access to " + path + " is denied"); args[0] = ptr("-1");// 修改返回值为 -1，表示打开文件失败}else {ALOGE('open path:' + path);}}
});Interceptor.attach(Module.findExportByName(libyeshenbaseModule, 'read'), {onEnter: function (args) {var fd = args[0].toInt32();var buffer = args[1];var count = args[2].toInt32();var data = Memory.readUtf8String(buffer, count);ALOGE('---read fd:' + fd + ', count: ' + count + ',data:' + data);ALOGE("---read end")}
});

Trace custom address read in ghidra

var target_ptr_ghidra_1 = 0x001063e8;
var target_ptr_apply_1 = ptr(target_ptr_ghidra_1).sub(0x00100000).add(yeshen_module_base);
Interceptor.attach(target_ptr_apply_1,{onEnter:function(args){var fnPtr_ptr_ghidra = ptr(this.returnAddress).sub(yeshen_module_base).add(0x00100000)this.input = ",input:" + Memory.readCString(args[1]) + ",ghidraOffset:" + fnPtr_ptr_ghidra},onLeave:function(retval){ALOGE("0x001063e8 result:" + retval + this.input);// 0x001063e8 result:0x0,inputx86,ghidraOffset:0x11ab68retval.replace(0);}
});

Replace custom address‘s function to void

var target_ptr_ghidra_root = 0x11e7b0;
var target_ptr_apply_root = ptr(target_ptr_ghidra_root).sub(0x00100000).add(yeshen_module_base)
Interceptor.replace(target_ptr_apply_root, new NativeCallback(() => {// ALOGE("void 0x1e7b0 called")
}, 'void', []));