獲取類中的成員變量/方法
Java.perform(function(){ var hook = Java.use("com.xxx.xxx"); console.log("aa: ", hook) //獲取成員變量 //getFields():獲得某個類的所有的公共(public)的字段,包括父類中的字段。 //getDeclaredFields():獲得某個類的所有聲明的字段,即包括public、private和proteced,但是不包括父類的申明字段。 //同樣類似的還有getConstructors()和getDeclaredConstructors()、getMethods()和getDeclaredMethods(),這兩者分別表示獲取某個類的方法、構造函數 var members = hook.class.getDeclaredFields(); members.forEach(function(member) { // console.log("member: ", member); }); })
java層打印調用堆棧
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
java.use(com.xxx.xxx)
Java.perform(function(){ targetClass = "com.xxx.xxx" try { // 先用 java.use 如果找不到 在枚舉classload Java.use(targetClass); } catch (error) { Java.enumerateClassLoaders({ onMatch: function (loader) { try { if (loader.findClass(targetClass)) { console.log("loader find: " + loader); Java.classFactory.loader = loader; } } catch (error) { //console.log("classloader failed" + error); } }, onComplete: function () { } }); } var hook = Java.use(targetClass); })
frida 通過wifiadb實現群控
import frida import os import time app = "com.xxx.xxx"; deviceIds = []; devices = frida.enumerate_devices(); for device in devices : # print(device) ## 枚舉所有通過wifiadb 連的機器 if device.id.find(":") > 0: #print(device.id) deviceIds.append(device.id.replace("5555", "9999")) for id in deviceIds : print(id) device = frida.get_device_manager().add_remote_device(id) print(device) pid = device.spawn([app]) print(pid) device.resume(pid) time.sleep(1) session = device.attach(pid) with open("load_hook.js") as f: script = session.create_script(f.read()) script.load() input()