Android hook方案调研

summer506hai commented 1 year ago

frida hook

Windows 安装 frida pip install frida pip install frida-tools
安卓安装 adb 连接后输入以下命令查看CPU型号 getprop ro.product.cpu.abi
https://github.com/frida/frida/releases 中下载对应型号且与电脑安装Frida版本一致的Frida-server版本
下载完成后将其解压出来，然后重命名为frida-server 然后通过adb将其上传到手机 adb push .\frida-server /data/local/tmp 然后再给其授予777权限 chmod 777 frida-server
在手机端启动(设备需root) ./frida-server
然后在windows上执行 Frida-ps -U 如下图所示，则表示安装成功
自己写一个apk
- MainActivity中，每隔5秒打印 50 + 30 的值

编写js hook掉 fun计算的结果
编写python脚本进行注入

import time
import frida

device = frida.get_usb_device()
pid = device.spawn(["com.example.myapplication"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s1.js") as f:
    script = session.create_script(f.read())
script.load()

# prevent the python script from terminating
input()

ClickActivity中，点击button，弹出 toast提示

编写js hook掉 toast弹窗的内容

Java.perform(
    function () {
      // 获得Toast组件
        var Toast = Java.use('android.widget.Toast')
        var makeText = Toast.makeText
        var String = Java.use('java.lang.String')
        makeText.overload('android.content.Context', 'java.lang.CharSequence', 'int').implementation=function (context,content,time) {
            var hookContent = String.$new('hook hook')
            return this.makeText(context,hookContent,time)
        }
    }
)

编写python脚本进行注入

import time
import frida

device = frida.get_usb_device()
pid = device.spawn(["com.example.myapplication"])
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s3.js") as f:
    script = session.create_script(f.read())
script.load()

# prevent the python script from terminating
input()

summer506hai commented 1 year ago

virtual xposed

下载并安装VirtualXposed，下载地址：https://github.com/android-hacker/VirtualXposed/releases
adb install 安装
编写一个简单的，待hook的 apk，一个button，点击后，弹出toast弹窗；

import android.util.Log;
import android.view.View;

import android.widget.Button;

import android.widget.Toast;

public class MainActivity extends AppCompatActivity {
    private Button button;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        button = (Button) findViewById(R.id.button);
        Log.i("hnzhu2","MainActivity");
        button.setOnClickListener(new View.OnClickListener() {
            public void onClick(View v) {
                Toast.makeText(MainActivity.this, toastMessage(), Toast.LENGTH_SHORT).show();
            }
        });
    }
    public String toastMessage() {
        return "我未被劫持";
    }
}

运行该apk安装到设备上