Setting up an Android test environment: dynamic debugging, drozer, frida, activity hijacking and so injection
I. Enable developer mode on the test phone
The test phone is a Pixel 2 running Android 10, already rooted. Tap the build number repeatedly to unlock Developer options, then enable USB debugging so that adb can talk to the device (confirm with adb devices: the phone must show as "device", not "unauthorized").
II. Deploy gdb for dynamic debugging
1. Copy gdbserver to /data/local/tmp/ on the phone
Use the gdbserver build whose ABI matches the target process: android-arm for 32-bit processes (Chrome here runs under app_process32) and android-arm64 for 64-bit ones.

    shellydeMacBook-Pro:~ shellyzhang$ adb push /Users/shellyzhang/1_codeing/android-sdk-macosx/ndk-bundle/prebuilt/android-arm/gdbserver/gdbserver /data/local/tmp
    /Users/shellyzhang/1_codeing/android-sdk-macosx/ndk-bundle/p.../gdbserver: 1 file pushed. 8.0 MB/s (596448 bytes in 0.071s)
    shellydeMacBook-Pro:~ shellyzhang$

2. Start gdbserver on the phone and attach it to the process to be debugged
Attach to the app's main process, the one whose command name is exactly com.android.chrome (pid 8921 here), not to the :privileged_process0 or :sandboxed_processN children. gdbserver has to run as root to attach to a process of another uid.

    walleye:/data/local/tmp # ps -ef |grep com.android.chrome
    u0_a138   8921   786  1 08:39:51 ?     00:00:13 com.android.chrome
    u0_a138   8997   786  0 08:39:52 ?     00:00:00 com.android.chrome:privileged_process0
    u0_i9003  9277   786  0 08:42:01 ?     00:00:00 com.android.chrome:sandboxed_process2:org.chromium.content.app.SandboxedProcessService2
    root     11876 11699  2 09:01:06 pts/1 00:00:00 grep com.android.chrome
    walleye:/data/local/tmp #
    walleye:/data/local/tmp # ./gdbserver :1234 --attach 8921
    Attached; pid = 8921
    Listening on port 1234

3. Forward the phone's port to the computer with adb, then debug with gdb on the computer
The host gdb shipped with the NDK (GDB 7.11 in ndk-bundle) is used. It fetches the remote binaries over the connection, hence "Reading /system/bin/app_process32 from remote target...". The register dump shows where the attach landed: pc is inside __epoll_pwait (the main thread's looper wait), r7 = 0x15a (346) is the ARM syscall number of epoll_pwait, and r0 = 0xfffffffc (-4, EINTR) is the return value of the syscall that the attach interrupted; the app is idle at this point.

    shellydeMacBook-Pro:~ shellyzhang$ adb forward tcp:1234 tcp:1234
    shellydeMacBook-Pro:~ shellyzhang$ /Users/shellyzhang/1_codeing/android-sdk-macosx/ndk-bundle/prebuilt/darwin-x86_64/bin/gdb
    GNU gdb (GDB) 7.11
    Copyright (C) 2016 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-apple-darwin14.5.0".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    (gdb) target remote :1234
    Remote debugging using :1234
    Reading /system/bin/app_process32 from remote target...
    (gdb) info proc
    process 8921
    cmdline = 'com.android.chrome'
    cwd = '/'
    exe = '/system/bin/app_process32'
    (gdb) info reg
    r0             0xfffffffc          4294967292
    r1             0xff8b6aa8          4287326888
    r2             0x10                16
    r3             0xffffffff          4294967295
    r4             0x0                 0
    r5             0x8                 8
    r6             0xeeb0a260          4004553312
    r7             0x15a               346
    r8             0xdf43674c          3745736524
    r9             0xdf436700          3745736448
    r10            0x0                 0
    r11            0xffffffff          4294967295
    r12            0xff8b6a58          4287326808
    sp             0xff8b6a48          0xff8b6a48
    lr             0xeeabcbb5          -290731083
    pc             0xeeae9fa4          0xeeae9fa4 <__epoll_pwait+20>
    cpsr           0x20010010          536936464
    (gdb) p *(int*)0xff8b6aa8
    $1 = 0
    (gdb)
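The three gdb steps above, scripted end to end as an added example (this is not code from the original post). It assumes the author's ndk-bundle layout under $NDK, a rooted phone with a working su, and the macOS host gdb path from the post; main_pid_from_ps is a helper written here that picks the app's main process out of ps -ef output by requiring the command field to be exactly the package name, which also skips the grep line itself.

```shell
#!/bin/sh
# Added example, not part of the original post: script the gdbserver attach
# flow. Assumptions: the NDK lives at $NDK (the author's ndk-bundle layout is
# the default), the device is rooted with a working `su`, and the host gdb
# path is the macOS one shown in the post.
set -eu

NDK="${NDK:-${HOME:-/tmp}/1_codeing/android-sdk-macosx/ndk-bundle}"
PORT="${PORT:-1234}"

# Constructed sample of `ps -ef` output, shaped like the one in the post.
SAMPLE_PS='UID        PID   PPID C STIME    TTY   TIME     CMD
u0_a138   8921   786  1 08:39:51 ?     00:00:13 com.android.chrome
u0_a138   8997   786  0 08:39:52 ?     00:00:00 com.android.chrome:privileged_process0
u0_i9003  9277   786  0 08:42:01 ?     00:00:00 com.android.chrome:sandboxed_process2:org.chromium.content.app.SandboxedProcessService2
root     11876 11699  2 09:01:06 pts/1 00:00:00 grep com.android.chrome'

# Print the pid whose command is exactly $1 from `ps -ef` text on stdin.
# CMD starts in field 8; requiring NF == 8 drops the ":privileged_process0"
# style children (different $8) and a "grep <pkg>" line (9 fields).
main_pid_from_ps() {
    awk -v pkg="$1" 'NF == 8 && $8 == pkg { print $2; exit }'
}

# Choose the gdbserver build that matches the target's ABI.
gdbserver_for_pid() {            # usage: gdbserver_for_pid <pid>
    exe=$(adb shell "su -c 'readlink /proc/$1/exe'" | tr -d '\r')
    case "$exe" in
        *app_process64*) echo "$NDK/prebuilt/android-arm64/gdbserver/gdbserver" ;;
        *)               echo "$NDK/prebuilt/android-arm/gdbserver/gdbserver" ;;
    esac
}

attach_gdb() {                   # usage: attach_gdb <package>
    pkg="$1"
    pid=$(adb shell ps -ef | tr -d '\r' | main_pid_from_ps "$pkg")
    [ -n "$pid" ] || { echo "$pkg has no main process; open the app first" >&2; return 1; }
    adb push "$(gdbserver_for_pid "$pid")" /data/local/tmp/gdbserver
    adb shell "su -c 'chmod 755 /data/local/tmp/gdbserver'"
    # gdbserver blocks until gdb detaches, so leave it in the background.
    adb shell "su -c '/data/local/tmp/gdbserver :$PORT --attach $pid'" &
    sleep 2
    adb forward "tcp:$PORT" "tcp:$PORT"
    "$NDK/prebuilt/darwin-x86_64/bin/gdb" -ex "target remote :$PORT" -ex "info proc"
}

# Only touch a device when asked: RUN_ON_DEVICE=1 ./attach.sh com.android.chrome
if [ "${RUN_ON_DEVICE:-0}" = 1 ]; then
    attach_gdb "${1:-com.android.chrome}"
fi
```

Run it with RUN_ON_DEVICE=1 and the package name; without that variable it only defines the helpers, so the parsing can be exercised against SAMPLE_PS on the host.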
III. Deploy drozer
1. Download the latest agent apk from the official site (https://labs.f-secure.com/tools/drozer/) and install it on the phone
Once installed, start the embedded server from the agent app, forward its port (adb forward tcp:31415 tcp:31415) and connect from the computer with drozer console connect.
At the time of writing drozer may not work on Android 10.
IV. Deploy frida and objection
1. Download the matching frida-server build (https://github.com/frida/frida/releases) to /data/local/tmp/ on the phone
Two things have to match: the CPU architecture reported by uname -m on the device (aarch64 here, so the android-arm64 build) and the frida version installed on the computer (frida --version), since the host tools refuse to talk to a frida-server of a different major version.

    walleye:/data/local/tmp # uname -a
    Linux localhost 4.4.210-gae6d0ab37d61 #1 SMP PREEMPT Fri Apr 10 23:00:09 UTC 2020 aarch64
    walleye:/data/local/tmp # chmod 777 frida-server-12.11.6-android-arm64
    walleye:/data/local/tmp #
    walleye:/data/local/tmp # ./frida-server-12.11.6-android-arm64

frida-server has to run as root and does not return, so start it in the background (./frida-server-12.11.6-android-arm64 &) or from a second adb shell. chmod 755 is sufficient; 777 is not needed.

2. Install objection on the computer (https://github.com/sensepost/objection)
pip3 install objection pulls in frida-tools; pin the frida package to the same version as the frida-server on the device.

3. Forward the ports used by frida over adb
This is only needed when the host tools connect over TCP with -R/-H (as frida-ps -R does below); objection and frida -U reach the device over USB and work without the forward.

    shellydeMacBook-Pro:1_app shellyzhang$ adb forward tcp:27042 tcp:27042
    shellydeMacBook-Pro:1_app shellyzhang$ adb forward tcp:27043 tcp:27043

4. List the processes on the phone and connect with objection
As with gdb, the main process is the one whose name is exactly com.android.chrome (pid 16408 here). objection takes the package name via --gadget and attaches over USB.

    shellydeMacBook-Pro:Downloads shellyzhang$ frida-ps -R |grep chr
      999  chre
    16408  com.android.chrome
    16503  com.android.chrome:privileged_process0
    16455  com.android.chrome:sandboxed_process0:org.chromium.content.app.SandboxedProcessService0
    shellydeMacBook-Pro:Downloads shellyzhang$ objection --gadget 'com.android.chrome' explore
    Using USB device `Pixel 2`
    Agent injected and responds ok!
    (object)inject(ion) v1.9.5
    Runtime Mobile Exploration
    by: @leonjza from @sensepost
    [tab] for command suggestions
    com.android.chrome on (google: 10) [usb] #

5. Look at some basic information
ls lists the app's current directory inside its sandbox and env prints the app's storage paths. Chrome is a system app on this device: packageCodePath sits under /system/product/app/, not /data/app/.

    com.android.chrome on (google: 10) [usb] # ls
    Type       Last Modified            Read  Write  Hidden  Size     Name
    ---------  -----------------------  ----  -----  ------  -------  -----
    Directory  2020-08-03 09:42:32 GMT  True  True   False   4.0 KiB  images

    Readable: True  Writable: True
    com.android.chrome on (google: 10) [usb] # env
    Name                    Path
    ----------------------  ---------------------------------------------------------
    cacheDirectory          /data/user/0/com.android.chrome/cache
    codeCacheDirectory      /data/user/0/com.android.chrome/code_cache
    externalCacheDirectory  /storage/emulated/0/Android/data/com.android.chrome/cache
    filesDirectory          /data/user/0/com.android.chrome/files
    obbDir                  /storage/emulated/0/Android/obb/com.android.chrome
    packageCodePath         /system/product/app/Chrome/Chrome.apk

6. Disable SSL pinning
The agent installs its own TrustManager through SSLContext.init() and overrides verifyChain() and checkTrustedRecursive() in conscrypt's TrustManagerImpl, which is what the three (agent) lines report. The hook is registered as a job (see jobs list) and stays active while the session is open. It only covers checks that go through the Java trust-manager path; an app that pins in native code needs its own hooks.

    com.android.chrome on (google: 10) [usb] # android sslpinning disable
    (agent) Custom TrustManager ready, overriding SSLContext.init()
    (agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.verifyChain()
    (agent) Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.checkTrustedRecursive()
    (agent) Registering job w9kke27rti9. Type: android-sslpinning-disable
    com.android.chrome on (google: 10) [usb] #
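Steps 1 to 6 above combined into one script, as an added example that is not part of the original post. It assumes the frida-server binary was downloaded into the current directory, that FRIDA_VER equals the host's frida --version, and a rooted phone with a working su; frida_arch (maps uname -m to the release asset suffix) and frida_main_pid (picks the main process out of frida-ps output) are helpers written here, and objection's --startup-command option is used to run the pinning bypass without typing into the console.

```shell
#!/bin/sh
# Added example, not part of the original post: pick the right frida-server
# build for the device, start it, and run objection's pinning bypass without
# the interactive console. Assumptions: the frida-server binary is in the
# current directory, FRIDA_VER equals the host's `frida --version`, and the
# device is rooted with a working `su`.
set -eu

FRIDA_VER="${FRIDA_VER:-12.11.6}"

# Map the device's `uname -m` to the suffix used by frida's release assets.
frida_arch() {                   # usage: frida_arch <machine>
    case "$1" in
        aarch64)       echo android-arm64 ;;
        armv7l|armv8l) echo android-arm ;;
        x86_64)        echo android-x86_64 ;;
        i686)          echo android-x86 ;;
        *) echo "unsupported machine type: $1" >&2; return 1 ;;
    esac
}

# Constructed sample of `frida-ps` output, shaped like the one in the post.
SAMPLE_FRIDA_PS='  PID  Name
-----  -------------------------------------------------------------------
  999  chre
16408  com.android.chrome
16503  com.android.chrome:privileged_process0
16455  com.android.chrome:sandboxed_process0:org.chromium.content.app.SandboxedProcessService0'

# Pid of the process named exactly $1 in `frida-ps` text ("PID  Name") on
# stdin; child processes carry a ":suffix" and therefore do not match.
frida_main_pid() {
    awk -v pkg="$1" 'NF == 2 && $2 == pkg { print $1; exit }'
}

start_frida_server() {
    arch=$(frida_arch "$(adb shell uname -m | tr -d '\r')")
    bin="frida-server-$FRIDA_VER-$arch"          # as named on the releases page
    adb push "$bin" /data/local/tmp/frida-server
    adb shell "su -c 'chmod 755 /data/local/tmp/frida-server'"
    # frida-server must run as root and never returns; keep it in the background.
    adb shell "su -c '/data/local/tmp/frida-server'" >/dev/null 2>&1 &
    sleep 2
    # Only needed for -R/-H style TCP connections; -U and objection use USB.
    adb forward tcp:27042 tcp:27042
}

disable_pinning() {              # usage: disable_pinning <package>
    pid=$(frida-ps -U | tr -d '\r' | frida_main_pid "$1")
    [ -n "$pid" ] || { echo "$1 is not running; open the app first" >&2; return 1; }
    echo "attaching to $1 (pid $pid)"
    # --startup-command runs the objection command as soon as the agent is injected.
    objection --gadget "$1" explore --startup-command 'android sslpinning disable'
}

if [ "${RUN_ON_DEVICE:-0}" = 1 ]; then
    start_frida_server
    disable_pinning "${1:-com.android.chrome}"
fi
```

With RUN_ON_DEVICE=1 the script leaves you in the objection prompt with the pinning job already registered; without it only the helpers are defined.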
V. Install the activity hijacking tool
1. Install the app

    shellydeMacBook-Pro:1_app shellyzhang$ adb install BankActivityHijack.apk
    Success

2. Enter the full name of the activity to hijack (package/activity, as reported by dumpsys), then open that app; the tool's fake screen is meant to appear on top when the target activity reaches the foreground.
Caveat: Android 10 restricts starting activities from the background, so a tool that launches its screen from a service may have the launch suppressed on this device; it needs one of the allowed paths (for example an overlay with the SYSTEM_ALERT_WINDOW permission granted) to demonstrate the hijack.
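An added example (not part of the original post) for finding the exact activity name step 2 asks for: it reads the foreground window from dumpsys window windows and launches the activity by name to confirm the string before entering it into the tool. The dumpsys line is a constructed sample; foreground_activity is a helper written here.

```shell
#!/bin/sh
# Added example, not part of the original post: read the exact activity name a
# hijack tool expects from the window manager, then confirm it by launching it
# directly. The dumpsys lines below are a constructed sample.
set -eu

SAMPLE_DUMPSYS='  mCurrentFocus=Window{4a2f1c u0 com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity}
  mFocusedApp=AppWindowToken{7b1e22 token=Token{...}}'

# Extract "package/Activity" from the mCurrentFocus line of `dumpsys window`
# text on stdin; prints nothing when there is no focused window (=null).
foreground_activity() {
    sed -n 's/.*mCurrentFocus=Window{[^ ]* u[0-9]* \([^ }]*\)}.*/\1/p'
}

# Foreground activity on the attached device (bring the target screen up first).
current_activity() {
    adb shell dumpsys window windows | tr -d '\r' | foreground_activity
}

# Launch an activity by full name to confirm the name before entering it into
# the hijack tool; non-exported activities are refused from the shell uid.
launch_activity() {              # usage: launch_activity <package/Activity>
    adb shell am start -n "$1"
}

if [ "${RUN_ON_DEVICE:-0}" = 1 ]; then
    act=$(current_activity)
    echo "foreground: $act"
    launch_activity "$act"
fi
```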
VI. Install the so injection tool
1. Copy hijack and the library to inject to /data/local/tmp/ on the phone

    shellydeMacBook-Pro:so shellyzhang$ adb push libstrmon.so /data/local/tmp
    libstrmon.so: 1 file pushed. 2.2 MB/s (25720 bytes in 0.011s)
    shellydeMacBook-Pro:so shellyzhang$ adb push hijack /data/local/tmp
    hijack: 1 file pushed. 2.4 MB/s (22164 bytes in 0.009s)

2. Inject the so into the process and check whether the log file has recorded anything
Create the log file first and make it world-writable: libstrmon.so runs inside Chrome's process as the app's uid (u0_a138), not as root, and must be able to append to it. hijack takes the target pid with -p and the library with -l; it uses ptrace to call mprotect and dlopen inside the target, and a non-NULL dlopen return (0xf1c13009 here) means the library was loaded. The register dump it prints (pc, lr, sp, r0..r3) shows the main thread parked in __epoll_pwait, the same idle point gdb attached at earlier, and the injection stub is placed on that thread's stack (0xff8b69f8, inside the 0xff0ba000-0xff8b9000 range) and run from there. If strmon.log stays empty, confirm with /proc/<pid>/maps that libstrmon.so is actually mapped before debugging the library itself; if the attach fails, check getenforce, since ptrace into app processes can be denied under enforcing SELinux depending on the domain su runs in.

    walleye:/data/local/tmp # ps -ef |grep com.android.chrome
    u0_a138  13269   786  1 09:32:24 ?     00:00:07 com.android.chrome
    u0_a138  13345   786  0 09:32:24 ?     00:00:00 com.android.chrome:privileged_process0
    u0_i9010 14106   786  8 09:45:56 ?     00:00:01 com.android.chrome:sandboxed_process5:org.chromium.content.app.SandboxedProcessService5
    root     14146 13874  3 09:46:09 pts/4 00:00:00 grep com.android.chrome
    walleye:/data/local/tmp # >/data/local/tmp/strmon.log
    walleye:/data/local/tmp # chmod 777 strmon.log
    walleye:/data/local/tmp # ./hijack -d -p 13269 -l libstrmon.so
    mprotect: 0xeeaead4c
    dlopen: 0xf1c13009
    pc=eeae9fa4 lr=eeabcbb5 sp=ff8b6a48 fp=ffffffff
    r0=fffffffc r1=ff8b6aa8 r2=10 r3=ffffffff
    stack: 0xff0ba000-0xff8b9000 leng = 8384512
    executing injection code at 0xff8b69f8
    calling mprotect
    library injection completed!
    walleye:/data/local/tmp # cat strmon.log
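The verification step described above, as an added example that is not part of the original post: after running hijack it reads /proc/<pid>/maps, reports the base address at which libstrmon.so is mapped (or fails if it is absent), and only then prints the log. The maps lines are a constructed sample; lib_base_in_maps is a helper written here, and the device steps assume a rooted phone with a working su and the files in /data/local/tmp as in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the injected library
# is really mapped in the target before trusting an empty log. The maps lines
# below are a constructed sample; device steps assume a rooted phone with `su`.
set -eu

SAMPLE_MAPS='eeaa0000-eeb20000 r-xp 00000000 fd:00 1234       /apex/com.android.runtime/lib/bionic/libc.so
f1c00000-f1c10000 r-xp 00000000 fd:00 5678       /data/local/tmp/libstrmon.so
f1c10000-f1c11000 rw-p 00010000 fd:00 5678       /data/local/tmp/libstrmon.so
ff0ba000-ff8b9000 rw-p 00000000 00:00 0          [stack]'

# Lowest mapped address of the library whose basename is $1, read from
# /proc/<pid>/maps text on stdin; prints nothing when it is not loaded.
# Anonymous mappings have only 5 fields and are skipped.
lib_base_in_maps() {
    awk -v lib="$1" '
        NF >= 6 { n = split($6, p, "/"); if (p[n] == lib) { split($1, a, "-"); print a[1]; exit } }'
}

verify_injection() {             # usage: verify_injection <pid> <library basename>
    base=$(adb shell "su -c 'cat /proc/$1/maps'" | tr -d '\r' | lib_base_in_maps "$2")
    if [ -z "$base" ]; then
        echo "$2 is not mapped in pid $1: injection failed (check getenforce and the dlopen return value)" >&2
        return 1
    fi
    echo "$2 mapped at 0x$base in pid $1"
}

# Injection by pid exactly as in the post, then verification and the log.
inject_and_check() {             # usage: inject_and_check <pid>
    adb shell "su -c 'cd /data/local/tmp && ./hijack -d -p $1 -l libstrmon.so'"
    verify_injection "$1" libstrmon.so
    adb shell "su -c 'cat /data/local/tmp/strmon.log'"
}

if [ "${RUN_ON_DEVICE:-0}" = 1 ]; then
    inject_and_check "${1:?target pid}"
fi
```

A library that dlopen reported as loaded but that does not show up in maps would mean the injector read a stale return value; seeing both mappings (r-xp text and rw-p data) is the expected result.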