Reposted from: https://www.dbhc-doman.club/archives/336/frida-hook-c-cpp-method/
Goal: hook a native method with Frida and retrieve the arguments passed to that method.
C++ code:
```cpp
#include <jni.h>
#include <string>

// jsb_set_key is defined elsewhere in the library; it is the function the Frida
// script below hooks, exported under its C++ mangled name _Z11jsb_set_keyPKc
// (the mangling confirms the const char* parameter; the void return type is assumed).
void jsb_set_key(const char *key);

extern "C" JNIEXPORT jstring JNICALL
Java_os_sdk_fridademo_MainActivity_stringFromJNI(JNIEnv *env, jobject /* this */) {
    std::string hello = "Hello from C++";
    const char *key = "king";   // the value we want to observe from the hook
    jsb_set_key(key);
    return env->NewStringUTF(hello.c_str());
}
```
After compiling, run it on a device; I am using the BlueStacks emulator here:
Open the corresponding .so library in IDA and find the exported method name.
Write the Frida JS script: frida_native.js
Put the exported name you found (here `_Z11jsb_set_keyPKc`) into the `Module.findExportByName` call below (highlighted in red in the original post):
```javascript
setImmediate(function () {
    // Resolve the exported (C++ mangled) symbol inside libnative-lib.so and hook it.
    Interceptor.attach(Module.findExportByName("libnative-lib.so", "_Z11jsb_set_keyPKc"), {
        onEnter: function (args) {
            // args[0] is the const char* key; dump 256 bytes starting at that pointer
            // (this reads past the NUL terminator, so the tail is unrelated memory)
            // and ship them to the Python side as the binary part of the message.
            send("open called! args[0]", Memory.readByteArray(args[0], 256));
        },
        onLeave: function (retval) {
            // nothing to do on return
        }
    });
});
```
Write the corresponding Python script: load_native.py
```python
import frida, sys, time

# Called for every message the script emits with send(); `data` carries the
# binary payload (the 256 bytes read from args[0]).
def on_msg(msg, data):
    print(msg)
    print(data)

device = frida.get_device("emulator-5554")
# Spawn mode (hook before the app starts) instead of attaching to a running process:
# pid = device.spawn(["packageName"])
# device.resume(pid)
time.sleep(1)
session = device.attach("packageName")
with open("frida_native.js") as f:
    script = session.create_script(f.read())
script.on("message", on_msg)
script.load()
sys.stdin.read()  # keep the script alive until stdin is closed
```
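As an added example (not from the original post), a fuller version of the loader: it recovers the C string from the 256-byte dump sent by `Memory.readByteArray`, reports script-side errors instead of printing raw dicts, and uses the spawn, attach, load, resume order so calls made during app startup are not missed. `PACKAGE` and `DEVICE_ID` are placeholders taken from the post.

```python
import sys
from typing import Optional

PACKAGE = "packageName"       # placeholder package name, as in the original post
DEVICE_ID = "emulator-5554"   # device id used in the original post


def decode_c_string(data: bytes, limit: int = 256) -> str:
    """Recover a NUL-terminated C string from a raw byte dump.

    readByteArray(args[0], 256) copies 256 bytes regardless of where the string
    ends, so everything after the first NUL is unrelated memory and is dropped.
    Invalid UTF-8 is escaped rather than raising: argument memory is untrusted.
    """
    end = data.find(b"\x00")
    if end == -1:
        end = min(len(data), limit)
    return data[:end].decode("utf-8", errors="backslashreplace")


def handle_message(msg: dict, data: Optional[bytes]) -> dict:
    """Normalise one Frida message into a plain dict (returned, so it is testable)."""
    kind = msg.get("type")
    if kind == "send":
        event = {"kind": "send", "payload": msg.get("payload")}
        if data is not None:
            event["arg0"] = decode_c_string(data)
        return event
    if kind == "error":  # exceptions thrown inside frida_native.js land here
        return {"kind": "error", "description": msg.get("description"),
                "stack": msg.get("stack")}
    return {"kind": "other", "raw": msg}


def on_message(msg, data):
    print(handle_message(msg, data))


def main() -> None:
    import frida  # imported here so the helpers above run without frida installed
    device = frida.get_device(DEVICE_ID)
    pid = device.spawn([PACKAGE])        # app starts suspended
    session = device.attach(pid)
    with open("frida_native.js") as f:
        script = session.create_script(f.read())
    script.on("message", on_message)
    script.load()                        # hook is in place before any app code runs
    device.resume(pid)
    sys.stdin.read()


if __name__ == "__main__":
    main()
```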
運行后
輕松搞定。
安利一波入門教程:
Android Application Security Study:https://github.com/r0ysue/AndroidSecurityStudy
官方文檔:https://frida.re/docs/javascript-api/