Frida Reverse Engineering and Automation: Objection Environment, Automated Analysis and Plugins


Android reverse engineering QQ group: 348355266

Table of contents

  • 1. Installing matching versions of objection and frida
    • 1. Installation in the usual case
    • 2. Installing a specific version
  • 2. Connecting objection to a non-standard port
    • 1. Starting Frida on a specified port
    • 2. Connecting objection to a specified port
    • 3. A quick tour
  • 3. objection memory exploration, hooking and tracing
    • 1. Memory exploration
      • 1. Getting basic information
      • 2. Extracting memory information
      • 3. Heap search and execution
      • 4. Launching an activity or service
    • 2. Frida hook anywhere
      • 1. objection (hooking)
      • 2. objection (memory exploration)
  • 4. The objection plugin system: Wallbreaker
  • 5. objection + DEXDump unpacking

1. Installing matching versions of objection and frida

1. Installation in the usual case

pip install objection

2. Installing a specific version

frida: https://github.com/frida/frida/releases

Suppose we want frida == 14.1.2 together with matching versions of frida-tools and objection. Install frida first (no spaces around ==, otherwise pip treats "==" as a separate argument):
pip install frida==14.1.2
For frida-tools and objection, pick the releases whose dates are closest to that of frida.
For example, frida 14.1.2 was released on Dec 2, 2020 (https://pypi.org/project/frida/).
Looking at the frida-tools history (https://pypi.org/project/frida-tools/#history), the closest release is from Dec 1, 2020, so we use
pip install frida-tools==9.0.1
The same goes for objection; its latest release is from Aug 13, 2020:
pip install objection==1.9.6

2. Connecting objection to a non-standard port

First, run objection on the command line and look at its help output.

Usage: objection [OPTIONS] COMMAND [ARGS]...

       _   _         _   _
   ___| |_|_|___ ___| |_|_|___ ___
  | . | . | | -_|  _|  _| | . |   |
  |___|___| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion)

       Runtime Mobile Exploration
          by: @leonjza from @sensepost

  By default, communications will happen over USB, unless the --network
  option is provided.
  // USB is the default transport, but a network connection can be chosen instead

Options:
   // use a network connection
  -N, --network            Connect using a network connection instead of USB.
                           [default: False]
  // specify the host
  -h, --host TEXT          [default: 127.0.0.1]
  // specify the port
  -p, --port INTEGER       [default: 27042]
  -ah, --api-host TEXT     [default: 127.0.0.1]
  -ap, --api-port INTEGER  [default: 8888]
  -g, --gadget TEXT        Name of the Frida Gadget/Process to connect to.
                           [default: Gadget]

  -S, --serial TEXT        A device serial to connect to.

  // enter debug mode
  -d, --debug              Enable debug mode with verbose output. (Includes
                           agent source map in stack traces)

  --help                   Show this message and exit.

Commands:
  api          Start the objection API server in headless mode.
  device-type  Get information about an attached device.
  explore      Start the objection exploration REPL.
  patchapk     Patch an APK with the frida-gadget.so.
  patchipa     Patch an IPA with the FridaGadget dylib.
  run          Run a single objection command.
  version      Prints the current version and exists.

1. Starting Frida on a specified port

Start frida-server listening on port 8888:
./frida-server -l 0.0.0.0:8888

frida-server has no authentication, so binding it to 0.0.0.0 makes every process on the device reachable from anywhere on that network; use an isolated lab network for this.

2. Connecting objection to a specified port

Connect to the frida-server at host 192.168.1.30, port 8888, and attach to the Settings app:
objection -N -h 192.168.1.30 -p 8888 -g com.android.settings explore

3. A quick tour

root@kali:~/Desktop/android-studio/bin# objection -N -h 192.168.1.30 -p 8888  -g com.android.settings explore
Using networked device @`192.168.1.30:8888`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.6

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.android.settings on (google: 8.1.0) [net] # frida
--------------------  -----------
Frida Version         12.11.17
Process Architecture  arm64
Process Platform      linux
Debugger Attached     False
Script Runtime        DUK
Script Filename       /script1.js
Frida Heap Size       13.5 MiB
--------------------  -----------
com.android.settings on (google: 8.1.0) [net] # env

Name                    Path
----------------------  -----------------------------------------------------------
cacheDirectory          /data/user_de/0/com.android.settings/cache
codeCacheDirectory      /data/user_de/0/com.android.settings/code_cache
externalCacheDirectory  /storage/emulated/0/Android/data/com.android.settings/cache
filesDirectory          /data/user_de/0/com.android.settings/files
obbDir                  /storage/emulated/0/Android/obb/com.android.settings
packageCodePath         /system/priv-app/SettingsGoogle/SettingsGoogle.apk

3. objection memory exploration, hooking and tracing

Reference: "Practical FRIDA, advanced: memory exploration, hook anywhere, packet capture": https://www.anquanke.com/post/id/197657

1. Memory exploration

Frida itself only provides APIs for us to call; concrete functionality is built on top of them. A certificate-pinning bypass script, for example, is nothing more than a combination of Frida API calls. Someone therefore bundled the common, frequently used functions into one tool that can be driven straight from the command line: that tool is objection.
objection is powerful and has many commands. Without writing a single line of code it performs everyday tasks such as memory search, class and module search, and hooking methods to print their arguments, return values and call stacks. It is an extremely convenient, essential tool for roaming a process's memory. Its interface and commands are shown in the screenshot below.
[Image: the objection interface and its commands]

1. Getting basic information

A few basic operations first:

Type a command and press Enter to execute it.

  • help: if you don't know what a command does, prefix it with help, e.g. help env; after Enter the command's description is shown.
  • Space: if you don't know what to type, press Space and suggestions appear; move up and down to choose one, press Space again, and the next level of suggestions appears.
  • jobs: the job system is very useful and worth mastering; it lets several (hook) jobs run at the same time.

We take the built-in Android "Settings" app as an example to demonstrate basic usage.

Start frida-server on the phone, tap the "Settings" icon so the phone shows the Settings screen, then look up the package name of the Settings app:

# frida-ps -U|grep -i setting
 7107  com.android.settings
 13370  com.google.android.settings.intelligence

Now inject objection into the Settings app:

# objection -g com.android.settings explore

After objection starts it prints its logo. If you don't know which command to type, press Space to get a list of commands with their descriptions; press Space again to select one, which brings up the next set of suggestions, then press Enter to execute. The screenshot below shows the env command (application environment information) and the frida command (frida-server version information) being run.
[Image: output of the env and frida commands]

2. Extracting memory information

To list the .so libraries loaded in memory, run memory list modules
[Image: output of memory list modules]
To list the exported functions of a library, run memory list exports libssl.so; the result looks like this:

[Image: output of memory list exports libssl.so]
Saving the result to a JSON file: when there are too many results for the terminal to display, export them to a JSON file and inspect it with other tools:

# memory list exports libart.so --json /root/libart.json  
Writing exports as json to /root/libart.json...
Wrote exports to: /root/libart.json

[Image: the exported JSON file viewed in another tool]
The commands to dump all or part of memory are memory dump all and memory dump from_base
The command to search the whole of memory for a pattern is memory search --string --offsets-only

3. Heap search and execution

Searching for instances on the heap: reading the AOSP source for the display part of Settings, we find a DisplaySettings class, so we can search the heap for live instances of it. First tap into the "Display" settings on the phone, then run the following command to get the instance's address:

# android heap search instances com.android.settings.DisplaySettings                                                                                                                            
Class instance enumeration complete for com.android.settings.DisplaySettings
  Hashcode  Class                                 toString()
----------  ------------------------------------  -----------------------------------------
  45960675  com.android.settings.DisplaySettings  DisplaySettings{2bd4de3 #0 id=0x7f0a01db}

Calling a method on the instance: the source shows that com.android.settings.DisplaySettings has a getPreferenceScreenResId() method, so we can invoke it directly on the found instance with the execute command.

# android heap execute 0x2526 getPreferenceScreenResId                  
Handle 45960675 is to class
        com.android.settings.DisplaySettings
Executing method: getPreferenceScreenResId()
2132082743

The result is printed directly. Running JS code on the instance:
You can also write a JS script directly against the found instance. After entering android heap evaluate 45960675 you get a mini editor; type the script console.log("evaluate result:"+clazz.getPreferenceScreenResId()), press ESC to leave the editor, then press Enter, and the script runs and prints its result.

# android heap evaluate 45960675
(The hashcode at `45960675` will be available as the `clazz` variable.)
 
console.log("evaluate result:"+clazz.getPreferenceScreenResId())
 
 
JavaScript capture complete. Evaluating...
Handle 45960675 is to class
        com.android.settings.DisplaySettings
evaluate result:2132082743

This is a really powerful feature: you write code, get the result and debug it on the spot, instead of going through the write → inject → operate → check result → adjust loop each time.

4. Launching an activity or service

Launching an activity directly: to open the display settings, run the following from any screen:

# android intent launch_activity com.android.settings.DisplaySettings
(agent) Starting activity com.android.settings.DisplaySettings...
(agent) Activity successfully asked to start.

Listing the available activities: use android hooking list activities to see which activities are available, then launch one with the command above.

#android hooking list activities
com.android.settings.ActivityPicker
com.android.settings.AirplaneModeVoiceActivity
com.android.settings.AllowBindAppWidgetActivity
com.android.settings.AppWidgetPickActivity
com.android.settings.BandMode
com.android.settings.ConfirmDeviceCredentialActivity
com.android.settings.CreateShortcut
com.android.settings.CredentialStorage
com.android.settings.CryptKeeper$FadeToBlack
com.android.settings.CryptKeeperConfirm$Blank
com.android.settings.DevelopmentSettings
com.android.settings.DeviceAdminAdd
com.android.settings.DeviceAdminSettings
com.android.settings.Display
com.android.settings.DisplaySettings
com.android.settings.EncryptionInterstitial
com.android.settings.FallbackHome
com.android.settings.HelpTrampoline
com.android.settings.LanguageSettings
com.android.settings.ManageApplications
com.android.settings.MonitoringCertInfoActivity
com.android.settings.RadioInfo
com.android.settings.RegulatoryInfoDisplayActivity
com.android.settings.RemoteBugreportActivity
com.android.settings.RunningServices
com.android.settings.SecuritySettings
com.android.settings.SetFullBackupPassword
com.android.settings.SetProfileOwner
com.android.settings.Settings
com.android.settings.Settings
com.android.settings.Settings$AccessibilityDaltonizerSettingsActivity
com.android.settings.Settings$AccessibilitySettingsActivity
com.android.settings.Settings$AccountSyncSettingsActivity
com.android.settings.Settings$AdvancedAppsActivity
com.android.settings.Settings$AllApplicationsActivity
com.android.settings.Settings$AmbientDisplayPickupSuggestionActivity
com.android.settings.Settings$AmbientDisplaySuggestionActivity
com.android.settings.Settings$AndroidBeamSettingsActivity
com.android.settings.Settings$ApnEditorActivity
com.android.settings.Settings$ApnSettingsActivity
com.android.settings.Settings$AppAndNotificationDashboardActivity
com.android.settings.Settings$AppDrawOverlaySettingsActivity
com.android.settings.Settings$AppMemoryUsageActivity
com.android.settings.Settings$AppNotificationSettingsActivity
com.android.settings.Settings$AppPictureInPictureSettingsActivity
com.android.settings.Settings$AppWriteSettingsActivity
com.android.settings.Settings$AssistGestureSettingsActivity
com.android.settings.Settings$AutomaticStorageManagerSettingsActivity
com.android.settings.Settings$AvailableVirtualKeyboardActivity
com.android.settings.Settings$BatterySaverSettingsActivity
com.android.settings.Settings$BluetoothSettingsActivity
com.android.settings.Settings$CaptioningSettingsActivity
com.android.settings.Settings$ChannelNotificationSettingsActivity
com.android.settings.Settings$ChooseAccountActivity
com.android.settings.Settings$ConfigureNotificationSettingsActivity
com.android.settings.Settings$ConfigureWifiSettingsActivity
com.android.settings.Settings$ConnectedDeviceDashboardActivity
com.android.settings.Settings$CryptKeeperSettingsActivity
com.android.settings.Settings$DataUsageSummaryActivity
com.android.settings.Settings$DateTimeSettingsActivity
com.android.settings.Settings$DevelopmentSettingsActivity
com.android.settings.Settings$DeviceAdminSettingsActivity
com.android.settings.Settings$DeviceInfoSettingsActivity
com.android.settings.Settings$DisplaySettingsActivity
com.android.settings.Settings$DoubleTapPowerSuggestionActivity
com.android.settings.Settings$DoubleTwistSuggestionActivity
com.android.settings.Settings$DreamSettingsActivity
com.android.settings.Settings$EnterprisePrivacySettingsActivity
com.android.settings.Settings$FactoryResetActivity
com.android.settings.Settings$FingerprintEnrollSuggestionActivity
com.android.settings.Settings$HighPowerApplicationsActivity
com.android.settings.Settings$IccLockSettingsActivity
com.android.settings.Settings$ImeiInformationActivity
com.android.settings.Settings$KeyboardLayoutPickerActivity
com.android.settings.Settings$LanguageAndInputSettingsActivity
com.android.settings.Settings$LegacySupportActivity
com.android.settings.Settings$LocalePickerActivity
com.android.settings.Settings$LocationSettingsActivity
com.android.settings.Settings$ManageAppExternalSourcesActivity
com.android.settings.Settings$ManageApplicationsActivity
com.android.settings.Settings$ManageAssistActivity
com.android.settings.Settings$ManageDomainUrlsActivity
com.android.settings.Settings$ManageExternalSourcesActivity
com.android.settings.Settings$ManagedProfileSettingsActivity
com.android.settings.Settings$MemorySettingsActivity
com.android.settings.Settings$MobileDataUsageListActivity
com.android.settings.Settings$NetworkDashboardActivity
com.android.settings.Settings$NightDisplaySettingsActivity
com.android.settings.Settings$NightDisplaySuggestionActivity
com.android.settings.Settings$NotificationAccessSettingsActivity
com.android.settings.Settings$NotificationAppListActivity
com.android.settings.Settings$NotificationStationActivity
com.android.settings.Settings$OverlaySettingsActivity
com.android.settings.Settings$PaymentSettingsActivity
com.android.settings.Settings$PhysicalKeyboardActivity
com.android.settings.Settings$PictureInPictureSettingsActivity
com.android.settings.Settings$PowerUsageSummaryActivity
com.android.settings.Settings$PrintJobSettingsActivity
com.android.settings.Settings$PrintSettingsActivity
com.android.settings.Settings$PrivacySettingsActivity
com.android.settings.Settings$PrivateVolumeForgetActivity
com.android.settings.Settings$PrivateVolumeSettingsActivity
com.android.settings.Settings$PublicVolumeSettingsActivity
com.android.settings.Settings$RunningServicesActivity
com.android.settings.Settings$SavedAccessPointsSettingsActivity
com.android.settings.Settings$ScreenLockSuggestionActivity
com.android.settings.Settings$SecuritySettingsActivity
com.android.settings.Settings$SimStatusActivity
com.android.settings.Settings$SoundSettingsActivity
com.android.settings.Settings$SpecialAccessSettingsActivity
com.android.settings.Settings$SpellCheckersSettingsActivity
com.android.settings.Settings$StatusActivity
com.android.settings.Settings$StorageDashboardActivity
com.android.settings.Settings$StorageUseActivity
com.android.settings.Settings$SwipeToNotificationSuggestionActivity
com.android.settings.Settings$SystemDashboardActivity
com.android.settings.Settings$TestingSettingsActivity
com.android.settings.Settings$TetherSettingsActivity
com.android.settings.Settings$TextToSpeechSettingsActivity
com.android.settings.Settings$TrustedCredentialsSettingsActivity
com.android.settings.Settings$UsageAccessSettingsActivity
com.android.settings.Settings$UserAndAccountDashboardActivity
com.android.settings.Settings$UserDictionarySettingsActivity
com.android.settings.Settings$UserSettingsActivity
com.android.settings.Settings$VpnSettingsActivity
com.android.settings.Settings$VrListenersSettingsActivity
com.android.settings.Settings$WallpaperSettingsActivity
com.android.settings.Settings$WebViewAppPickerActivity
com.android.settings.Settings$WifiAPITestActivity
com.android.settings.Settings$WifiCallingSettingsActivity
com.android.settings.Settings$WifiCallingSuggestionActivity
com.android.settings.Settings$WifiDisplaySettingsActivity
com.android.settings.Settings$WifiInfoActivity
com.android.settings.Settings$WifiP2pSettingsActivity
com.android.settings.Settings$WifiSettingsActivity
com.android.settings.Settings$WriteSettingsActivity
com.android.settings.Settings$ZenAccessSettingsActivity
com.android.settings.Settings$ZenModeEventRuleSettingsActivity
com.android.settings.Settings$ZenModeExternalRuleSettingsActivity
com.android.settings.Settings$ZenModePrioritySettingsActivity
com.android.settings.Settings$ZenModeScheduleRuleSettingsActivity
com.android.settings.Settings$ZenModeSettingsActivity
com.android.settings.Settings$ZenModeVisualInterruptionSettingsActivity
com.android.settings.SettingsLicenseActivity
com.android.settings.SetupEncryptionInterstitial
com.android.settings.ShowAdminSupportDetailsDialog
com.android.settings.SmsDefaultDialog
com.android.settings.SoundSettings
com.android.settings.SubSettings
com.android.settings.TetherProvisioningActivity
com.android.settings.TetherSettings
com.android.settings.UsageStatsActivity
com.android.settings.UsbSettings
com.android.settings.UserDictionarySettings
com.android.settings.WebViewImplementation
com.android.settings.accessibility.AccessibilitySettingsForSetupWizardActivity
com.android.settings.accounts.AddAccountSettings
com.android.settings.applications.InstalledAppDetails
com.android.settings.applications.InstalledAppDetailsTop
com.android.settings.applications.ManageApplications
com.android.settings.applications.StorageUse
com.android.settings.applications.autofill.AutofillPickerActivity
com.android.settings.applications.autofill.AutofillPickerTrampolineActivity
com.android.settings.backup.BackupSettingsActivity
com.android.settings.bluetooth.BluetoothPairingDialog
com.android.settings.bluetooth.BluetoothPermissionActivity
com.android.settings.bluetooth.BluetoothSettings
com.android.settings.bluetooth.DevicePickerActivity
com.android.settings.bluetooth.RequestPermissionActivity
com.android.settings.bluetooth.RequestPermissionHelperActivity
com.android.settings.datausage.AppDataUsageActivity
com.android.settings.development.AppPicker
com.android.settings.development.DevelopmentSettingsDisabledActivity
com.android.settings.deviceinfo.StorageWizardFormatConfirm
com.android.settings.deviceinfo.StorageWizardFormatProgress
com.android.settings.deviceinfo.StorageWizardInit
com.android.settings.deviceinfo.StorageWizardMigrate
com.android.settings.deviceinfo.StorageWizardMigrateConfirm
com.android.settings.deviceinfo.StorageWizardMigrateProgress
com.android.settings.deviceinfo.StorageWizardMoveConfirm
com.android.settings.deviceinfo.StorageWizardMoveProgress
com.android.settings.deviceinfo.StorageWizardReady
com.android.settings.deviceinfo.UsbModeChooserActivity
com.android.settings.fingerprint.FingerprintEnrollEnrolling
com.android.settings.fingerprint.FingerprintEnrollFindSensor
com.android.settings.fingerprint.FingerprintEnrollFinish
com.android.settings.fingerprint.FingerprintEnrollIntroduction
com.android.settings.fingerprint.FingerprintSettings
com.android.settings.fingerprint.FingerprintSuggestionActivity
com.android.settings.fingerprint.SetupFingerprintEnrollEnrolling
com.android.settings.fingerprint.SetupFingerprintEnrollFindSensor
com.android.settings.fingerprint.SetupFingerprintEnrollFinish
com.android.settings.fingerprint.SetupFingerprintEnrollIntroduction
com.android.settings.fuelgauge.BatterySaverModeVoiceActivity
com.android.settings.fuelgauge.PowerUsageSummary
com.android.settings.fuelgauge.RequestIgnoreBatteryOptimizations
com.android.settings.inputmethod.InputMethodAndSubtypeEnablerActivity
com.android.settings.inputmethod.UserDictionaryAddWordActivity
com.android.settings.nfc.HowItWorks
com.android.settings.nfc.PaymentDefaultDialog
com.android.settings.notification.NotificationAccessConfirmationActivity
com.android.settings.notification.RedactionInterstitial
com.android.settings.notification.RedactionSettingsStandalone
com.android.settings.notification.ZenModeVoiceActivity
com.android.settings.password.ChooseLockGeneric
com.android.settings.password.ChooseLockGeneric$InternalActivity
com.android.settings.password.ChooseLockPassword
com.android.settings.password.ChooseLockPattern
com.android.settings.password.ConfirmDeviceCredentialActivity
com.android.settings.password.ConfirmDeviceCredentialActivity$InternalActivity
com.android.settings.password.ConfirmLockPassword
com.android.settings.password.ConfirmLockPassword$InternalActivity
com.android.settings.password.ConfirmLockPattern
com.android.settings.password.ConfirmLockPattern$InternalActivity
com.android.settings.password.SetNewPasswordActivity
com.android.settings.password.SetupChooseLockGeneric
com.android.settings.password.SetupChooseLockPassword
com.android.settings.password.SetupChooseLockPattern
com.android.settings.qstile.DevelopmentTileConfigActivity
com.android.settings.search.SearchActivity
com.android.settings.sim.SimDialogActivity
com.android.settings.sim.SimPreferenceDialog
com.android.settings.support.NewDeviceIntroSuggestionActivity
com.android.settings.support.SupportDashboardActivity
com.android.settings.wallpaper.WallpaperSuggestionActivity
com.android.settings.wifi.RequestToggleWiFiActivity
com.android.settings.wifi.WifiConfigInfo
com.android.settings.wifi.WifiDialogActivity
com.android.settings.wifi.WifiNoInternetDialog
com.android.settings.wifi.WifiPickerActivity
com.android.settings.wifi.WifiScanModeActivity
com.android.settings.wifi.WifiSettings
com.android.settings.wifi.WifiStatusTest
com.google.android.libraries.hats20.SurveyPromptActivity
com.google.android.settings.backup.BackupSuggestionActivity
com.google.android.settings.external.ExternalSettingsTrampoline
com.google.android.settings.gestures.AssistGestureSuggestion
com.google.android.settings.gestures.assist.AssistGestureTrainingEnrollingActivity
com.google.android.settings.gestures.assist.AssistGestureTrainingFinishedActivity
com.google.android.settings.gestures.assist.AssistGestureTrainingIntroActivity
com.google.android.settings.gestures.assist.bubble.AssistGestureBubbleActivity

Found 241 classes

Launching a service directly works the same way: first run android hooking list services to see which services can be started, then start one with android intent launch_service com.android.settings.bluetooth.BluetoothPairingService.

2. Frida hook anywhere

1. objection (hooking)

The command to find classes whose names contain a keyword is android hooking search classes <keyword>

# android hooking search classes displaysettings
com.android.settings.DisplaySettings
com.android.settings.DisplaySettings$1
com.android.settings.Settings$DisplaySettingsActivity
com.android.settings.Settings$NightDisplaySettingsActivity
com.android.settings.Settings$WifiDisplaySettingsActivity
com.android.settings.display.NightDisplaySettings
com.android.settings.wfd.WifiDisplaySettings

Found 7 classes

The command to hook every method of a class, given its class name, is android hooking watch class com.android.settings.DisplaySettings

# android hooking watch class com.android.settings.DisplaySettings
(agent) Hooking com.android.settings.DisplaySettings.-wrap0(android.content.Context, com.android.settingslib.core.lifecycle.Lifecycle)
(agent) Hooking com.android.settings.DisplaySettings.buildPreferenceControllers(android.content.Context, com.android.settingslib.core.lifecycle.Lifecycle)                                                                                                                                    
(agent) Hooking com.android.settings.DisplaySettings.getHelpResource()
(agent) Hooking com.android.settings.DisplaySettings.getLogTag()
(agent) Hooking com.android.settings.DisplaySettings.getMetricsCategory()
(agent) Hooking com.android.settings.DisplaySettings.getPreferenceControllers(android.content.Context)
(agent) Hooking com.android.settings.DisplaySettings.getPreferenceScreenResId()
(agent) Hooking com.android.settings.DisplaySettings.onAttach(android.content.Context)
(agent) Registering job 8528686833285. Type: watch-class for: com.android.settings.DisplaySettings
com.android.settings on (google: 8.1.0) [usb] # (agent) [8528686833285] Called com.android.settings.DisplaySettings.getMetricsCategory()
(agent) [8528686833285] Called com.android.settings.DisplaySettings.getMetricsCategory()
(agent) [8528686833285] Called com.android.settings.DisplaySettings.getMetricsCategory()

The command to hook a single method by its full name and print its arguments is android hooking watch class_method com.android.settings.DisplaySettings.getPreferenceScreenResId --dump-args --dump-return
The following three flags are optional:
  • --dump-args: print the arguments
  • --dump-return: print the return value
  • --dump-backtrace: print the call stack

# android hooking watch class_method com.android.settings.DisplaySettings.getPreferenceScreenResId --dump-args --dump-return

(agent) [8179527189977] Called com.android.settings.DisplaySettings.getPreferenceScreenResId()
(agent) [8179527189977] Return Value: 2132082743

2. objection (memory exploration)

List all classes in memory:

# android hooking list classes

sun.util.logging.LoggingSupport
sun.util.logging.LoggingSupport$1
sun.util.logging.LoggingSupport$2
sun.util.logging.PlatformLogger
sun.util.logging.PlatformLogger$1
sun.util.logging.PlatformLogger$JavaLoggerProxy
sun.util.logging.PlatformLogger$Level
sun.util.logging.PlatformLogger$LoggerProxy
void

Found 11885 classes

Searching all classes in memory: search every loaded class for names containing a specific keyword.

# android hooking search classes display                                                                                                                                                        
[Landroid.hardware.display.WifiDisplay;
[Landroid.icu.impl.ICUCurrencyDisplayInfoProvider$ICUCurrencyDisplayInfo$CurrencySink$EntrypointTable;
[Landroid.icu.impl.LocaleDisplayNamesImpl$CapitalizationContextUsage;
[Landroid.icu.impl.LocaleDisplayNamesImpl$DataTableType;
[Landroid.icu.number.NumberFormatter$DecimalSeparatorDisplay;
[Landroid.icu.number.NumberFormatter$SignDisplay;
[Landroid.icu.text.DisplayContext$Type;
[Landroid.icu.text.DisplayContext;
[Landroid.icu.text.LocaleDisplayNames$DialectHandling;
[Landroid.view.Display$Mode;
[Landroid.view.Display;
android.app.Vr2dDisplayProperties
android.hardware.display.AmbientBrightnessDayStats
android.hardware.display.AmbientBrightnessDayStats$1
android.hardware.display.BrightnessChangeEvent
com.android.settings.wfd.WifiDisplaySettings$SummaryProvider
com.android.settings.wfd.WifiDisplaySettings$SummaryProvider$1
com.android.settingslib.display.BrightnessUtils
com.android.settingslib.display.DisplayDensityUtils
com.google.android.gles_jni.EGLDisplayImpl
javax.microedition.khronos.egl.EGLDisplay

Found 144 classes

Searching all methods in memory: search the methods of every loaded class for names containing a specific keyword. As seen above there are already 11885 loaded classes, and the number of methods is several times that, so this search is large and slow.

# android hooking search methods display

[Image: output of android hooking search methods display]

Listing all methods of a class: once you have found a class of interest, you can list its methods directly. For example, to see the methods of com.android.settings.DisplaySettings:

# android hooking list class_methods com.android.settings.DisplaySettings                                                                                                                        
private static java.util.List<com.android.settingslib.core.AbstractPreferenceController> com.android.settings.DisplaySettings.buildPreferenceControllers(android.content.Context,com.android.settingslib.core.lifecycle.Lifecycle)
protected int com.android.settings.DisplaySettings.getPreferenceScreenResId()
protected java.lang.String com.android.settings.DisplaySettings.getLogTag()
protected java.util.List<com.android.settingslib.core.AbstractPreferenceController> com.android.settings.DisplaySettings.createPreferenceControllers(android.content.Context)
public int com.android.settings.DisplaySettings.getHelpResource()
public int com.android.settings.DisplaySettings.getMetricsCategory()
static java.util.List com.android.settings.DisplaySettings.access$000(android.content.Context,com.android.settingslib.core.lifecycle.Lifecycle)

Found 7 method(s)

Generating hook code directly: listing the class's methods above also gave us their parameter types, so we already have everything needed to write a hook by hand; and since objection is an "automation" tool, it can of course generate the code for us.

# android hooking generate  simple  com.android.settings.DisplaySettings                                                                                                                        

Java.perform(function() {
    var clazz = Java.use('com.android.settings.DisplaySettings');
    clazz.getHelpResource.implementation = function() {

        //

        return clazz.getHelpResource.apply(this, arguments);
    }
});


Java.perform(function() {
    var clazz = Java.use('com.android.settings.DisplaySettings');
    clazz.getLogTag.implementation = function() {

        //

        return clazz.getLogTag.apply(this, arguments);
    }
});


Java.perform(function() {
    var clazz = Java.use('com.android.settings.DisplaySettings');
    clazz.getPreferenceScreenResId.implementation = function() {

        //

        return clazz.getPreferenceScreenResId.apply(this, arguments);
    }
});

Most of the generated code is there, but the parameters do not seem to be filled in, so some manual completion is still needed; it is not quite perfect.
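To close that gap, here is an added example (not code from the post and not objection's own) that parses the signature lines printed by android hooking list class_methods and emits Frida hooks with the parameters filled in: each hook selects its overload by parameter types and dumps arguments, return value and backtrace, the same three things the --dump-args, --dump-return and --dump-backtrace flags of watch class_method give you. The generator runs under Node; the script it returns is what you would load into the target with the frida CLI (-l hooks.js). The input listing is copied from the post's DisplaySettings output; the arg0/arg1 parameter names are the generator's own convention.

```javascript
// Added example (not from the post and not objection's own code): turn the signature
// lines printed by `android hooking list class_methods` into Frida hooks whose
// parameters are filled in, with overload selection and arg/return/backtrace dumping.
// Runs under Node; the returned string is the script you load with the frida CLI.

// Constructed input: the listing the post shows for com.android.settings.DisplaySettings.
const CLASS_METHODS_OUTPUT = `
# android hooking list class_methods com.android.settings.DisplaySettings
private static java.util.List<com.android.settingslib.core.AbstractPreferenceController> com.android.settings.DisplaySettings.buildPreferenceControllers(android.content.Context,com.android.settingslib.core.lifecycle.Lifecycle)
protected int com.android.settings.DisplaySettings.getPreferenceScreenResId()
protected java.lang.String com.android.settings.DisplaySettings.getLogTag()
protected java.util.List<com.android.settingslib.core.AbstractPreferenceController> com.android.settings.DisplaySettings.createPreferenceControllers(android.content.Context)
public int com.android.settings.DisplaySettings.getHelpResource()
public int com.android.settings.DisplaySettings.getMetricsCategory()
static java.util.List com.android.settings.DisplaySettings.access$000(android.content.Context,com.android.settingslib.core.lifecycle.Lifecycle)

Found 7 method(s)
`;

// Strip generic arguments such as List<...>: Frida's overload() wants erased types,
// and generics may contain commas that would break the parameter split.
// (Nested generics like Map<K, List<V>> are not handled by this simple regex.)
function eraseGenerics(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Parse one reflection-style line: "<modifiers> <return type> <class>.<method>(<param types>)".
// Lines that are not signatures (the prompt, "Found 7 method(s)", blanks) yield null.
function parseSignature(line) {
  const m = line.trim().match(/^(.*?)\s*([\w.$]+)\.([\w$]+)\((.*)\)$/);
  if (m === null) return null;
  const head = eraseGenerics(m[1]).trim().split(/\s+/);
  const params = eraseGenerics(m[4]);
  return {
    className: m[2],
    method: m[3],
    returnType: head[head.length - 1],          // last token before the class name
    params: params === '' ? [] : params.split(',').map((p) => p.trim()),
  };
}

// Emit one hook. Unlike the `generate simple` output above, the implementation names its
// parameters (arg0, arg1, ...), picks the overload by parameter types (Frida refuses to
// set .implementation on a method with several overloads unless one is chosen), and
// calls through with this.<method>(...) so private and static methods work too.
function generateHook(sig, opts) {
  const args = sig.params.map((_, i) => `arg${i}`);
  const overload = sig.params.map((p) => `'${p}'`).join(', ');
  const lines = [
    `Java.perform(function () {`,
    `    var clazz = Java.use('${sig.className}');`,
    `    clazz.${sig.method}.overload(${overload}).implementation = function (${args.join(', ')}) {`,
    `        console.log('Called ${sig.className}.${sig.method}(${sig.params.join(', ')})');`,
  ];
  if (opts.dumpArgs) {
    sig.params.forEach((p, i) => lines.push(`        console.log('  arg${i} (${p}): ' + ${args[i]});`));
  }
  if (opts.dumpBacktrace) {
    // Standard Frida idiom for a Java backtrace: stringify a freshly created exception.
    lines.push(`        console.log(Java.use('android.util.Log').getStackTraceString(` +
               `Java.use('java.lang.Exception').$new()));`);
  }
  lines.push(`        var ret = this.${sig.method}(${args.join(', ')});`);
  if (opts.dumpReturn) {
    lines.push(`        console.log('  return (${sig.returnType}): ' + ret);`);
  }
  lines.push(`        return ret;`, `    };`, `});`);
  return lines.join('\n');
}

// Parse every line of the listing and concatenate one hook per method.
function generateScript(listing, opts = { dumpArgs: true, dumpReturn: true, dumpBacktrace: false }) {
  return listing.split('\n').map(parseSignature).filter((s) => s !== null)
    .map((s) => generateHook(s, opts)).join('\n\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(generateScript(CLASS_METHODS_OUTPUT, { dumpArgs: true, dumpReturn: true, dumpBacktrace: true }));
}
```

Feed it the listing of any class and redirect the output to a .js file; the generated hooks for the seven DisplaySettings methods then print "Called ... / arg0 ... / return (int): 2132082743" in the same spirit as the watch class_method output shown earlier.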

4. The objection plugin system: Wallbreaker
5. objection + DEXDump unpacking