Using Objection

2022-10-25 16:48:46

Overview

Frida lets you hook just about anything from a JavaScript script. Objection packages the common hooks into a command-line REPL, so the same hooking can be done by typing commands instead of writing JavaScript. This post walks through that workflow.

Using Objection

First install Objection:

pip3 install -U objection

Running objection --help prints the following:

  -N, --network            Connect using a network connection instead of USB.
  -h, --host TEXT          [default: 127.0.0.1]
  -p, --port INTEGER       [default: 27042]
  -ah, --api-host TEXT     [default: 127.0.0.1]
  -ap, --api-port INTEGER  [default: 8888]
  -g, --gadget TEXT        Name of the Frida Gadget/Process to connect to.
                           [default: Gadget]
  -S, --serial TEXT        A device serial to connect to.
  -d, --debug              Enable debug mode with verbose output. (Includes
                           agent source map in stack traces)
  --help                   Show this message and exit.

Commands:
  api          Start the objection API server in headless mode.
  device-type  Get information about an attached device.
  explore      Start the objection exploration REPL.
  patchapk     Patch an APK with the frida-gadget.so.
  patchipa     Patch an IPA with the FridaGadget dylib.
  run          Run a single objection command.
  signapk      Zipalign and sign an APK with the objection key.
  version      Prints the current version and exists.

Note the patchapk command: objection can repackage an APK with frida-gadget.so, so an app can be hooked on a device that is not rooted. The patched APK is re-signed with objection's key (see signapk), so the app's signature changes; apps that verify their own signature will notice. Here we instead use a rooted device running frida-server over USB and attach to the Dialer app:

objection -g com.android.dialer explore

which prints:

Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.11.0

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions

Many commands are available; press TAB for completion suggestions.


For example, to list the Dialer's Android services:

com.android.dialer on (google: 11) [usb] # android hooking list services
com.android.dialer.app.calllog.CallLogNotificationsService
com.android.dialer.app.calllog.VoicemailNotificationJobService
com.android.dialer.calllog.CallLogConfig$PollingJob
com.android.dialer.calllog.config.CallLogConfigImpl$PollingJob
com.android.dialer.callrecord.impl.CallRecorderService
com.android.dialer.configprovider.SharedPrefConfigProvider$Service
com.android.dialer.interactions.ContactUpdateService
com.android.dialer.shortcuts.PeriodicJobService
com.android.dialer.simulator.impl.SimulatorConnectionService
com.android.dialer.simulator.service.SimulatorService
com.android.incallui.InCallServiceImpl
com.android.incallui.spam.SpamNotificationService
com.android.voicemail.impl.DeviceProvisionedJobService
com.android.voicemail.impl.OmtpService
com.android.voicemail.impl.StatusCheckJobService
com.android.voicemail.impl.scheduling.TaskSchedulerJobService
com.android.voicemail.impl.transcribe.TranscriptionBackfillService
com.android.voicemail.impl.transcribe.TranscriptionRatingService
com.android.voicemail.impl.transcribe.TranscriptionService

Passive hooking (watching a method)

To hook a specific method, for example the Activity's onCreate, watch it and dump its arguments, return value and backtrace:

android hooking watch class_method com.android.dialer.main.impl.MainActivity.onCreate --dump-return --dump-args --dump-backtrace

Output:

(agent) Attempting to watch class com.android.dialer.main.impl.MainActivity and method onCreate.
(agent) Hooking com.android.dialer.main.impl.MainActivity.onCreate(android.os.Bundle)
(agent) Registering job 342744. Type: watch-method for: com.android.dialer.main.impl.MainActivity.onCreate

The hook is registered as a job, which jobs list shows (jobs kill <id> removes it again):

com.android.dialer on (google: 11) [usb] # jobs list
Job ID  Hooks  Type
------  -----  --------------------------------------------------------------------
342744      1  watch-method for: com.android.dialer.main.impl.MainActivity.onCreate

Trigger the method (for example by recreating the activity) and the hook fires:

com.android.dialer on (google: 11) [usb] # (agent) [342744] Called com.android.dialer.main.impl.MainActivity.onCreate(android.os.Bundle)
(agent) [342744] Backtrace:
    com.android.dialer.main.impl.MainActivity.onCreate(Native Method)
    android.app.Activity.performCreate(Activity.java:7994)
    android.app.Activity.performCreate(Activity.java:7978)
    android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1309)
    android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3404)
    android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3595)
    android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
    android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
    android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
    android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
    android.os.Handler.dispatchMessage(Handler.java:106)
    android.os.Looper.loop(Looper.java:223)
    android.app.ActivityThread.main(ActivityThread.java:7664)
    java.lang.reflect.Method.invoke(Native Method)
    com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
    com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)

(agent) [342744] Arguments com.android.dialer.main.impl.MainActivity.onCreate((none))
(agent) [342744] Return Value: (none)

Active invocation (calling a method on a live instance)

The hook above is passive: it waits for the app to call the method. Objection can also invoke a method on an existing object directly, which is convenient when you want to observe a method's behaviour on demand. First find the live instances of the class on the Java heap:

android heap search instances com.android.dialer.main.impl.MainActivity

Output:

 Hashcode  Class                                      toString()
---------  -----------------------------------------  -------------------------------------------------
207450579  com.android.dialer.main.impl.MainActivity  com.android.dialer.main.impl.MainActivity@c5d71d3
123622446  com.android.dialer.main.impl.MainActivity  com.android.dialer.main.impl.MainActivity@75e542e

The Hashcode column is the handle objection uses for each instance. It is the object's Java hashCode(); for classes that do not override it, that is the identity hash shown after the @ in toString() (0xc5d71d3 is 207450579). To call a method on a particular instance:

android heap execute 207450579 toString

The result matches the toString() column above:

Handle 207450579 is to class
        com.android.dialer.main.impl.MainActivity
Executing method: toString()
com.android.dialer.main.impl.MainActivity@c5d71d3
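To see what the two command groups above do under the hood, here is an added example (not objection's agent code, and not from the original post) of a plain Frida script that reproduces them: the passive watch with argument, backtrace and return-value dumps, and the heap search plus method call on each live instance. The package, class and method names are the ones used in this post; everything else (helper names, log format) is this example's own choice. Load it with frida -U -n com.android.dialer -l watch.js on the same rooted device.

```javascript
// Added example: manual Frida equivalent of
//   android hooking watch class_method <cls>.<method> --dump-args --dump-return --dump-backtrace
//   android heap search instances <cls>   /   android heap execute <hashcode> <method>
// This is not objection's own agent; helper names and output format are assumptions.

const TARGET = 'com.android.dialer.main.impl.MainActivity.onCreate';

// objection's class_method syntax is 'a.b.C.method': split on the last dot.
function parseTarget(target) {
  const dot = target.lastIndexOf('.');
  if (dot <= 0 || dot === target.length - 1) {
    throw new Error('expected <fully.qualified.Class>.<method>, got ' + target);
  }
  return { className: target.slice(0, dot), methodName: target.slice(dot + 1) };
}

// Render hook arguments: "(none)" for an empty list, null spelled out,
// everything else through toString().
function describeArgs(args) {
  if (args.length === 0) return '(none)';
  return args.map(a => (a === null || a === undefined) ? 'null' : String(a)).join(', ');
}

// Object.hashCode() in hex is the suffix Java prints after '@' in toString(),
// so objection's Hashcode column and toString() column name the same object.
function hashcodeToHex(hashcode) {
  return (hashcode >>> 0).toString(16);
}

// Passive hook: wrap every overload of the method; log args, backtrace, return.
function watchMethod(className, methodName) {
  const clazz = Java.use(className);
  const overloads = clazz[methodName].overloads;
  overloads.forEach(function (overload) {
    const sig = overload.argumentTypes.map(t => t.className).join(', ');
    console.log('Hooking ' + className + '.' + methodName + '(' + sig + ')');
    overload.implementation = function () {
      const args = Array.prototype.slice.call(arguments);
      console.log('Called ' + className + '.' + methodName + '(' + sig + ')');
      // Backtrace via a throwaway Java exception, the usual Frida idiom.
      const Log = Java.use('android.util.Log');
      const Exception = Java.use('java.lang.Exception');
      console.log('Backtrace:\n' + Log.getStackTraceString(Exception.$new()));
      console.log('Arguments: ' + describeArgs(args));
      const ret = overload.apply(this, arguments);   // run the original method
      console.log('Return Value: ' + (ret === undefined ? '(none)' : ret));
      return ret;
    };
  });
  return overloads.length;
}

// Active call: Java.choose scans the heap for live instances; call a
// zero-argument method on each, keyed by hashCode() like objection's table.
function executeOnInstances(className, methodName) {
  Java.choose(className, {
    onMatch: function (instance) {
      const handle = instance.hashCode();
      console.log('[' + handle + ' / 0x' + hashcodeToHex(handle) + '] ' +
                  className + '.' + methodName + '() -> ' + instance[methodName]());
    },
    onComplete: function () { console.log('heap scan done'); }
  });
}

// Only touch the Java bridge when actually running under Frida on a device;
// the helpers above are plain JavaScript.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const t = parseTarget(TARGET);
    watchMethod(t.className, t.methodName);
    executeOnInstances(t.className, 'toString');
  });
}
```

Java.choose only sees objects that are currently reachable on the Java heap, so make sure the activity is running before the heap scan; the instance handles are also only valid inside the Frida session that produced them.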

With both passive watching and active invocation available, combining Objection with JEB for static decompilation makes reversing a target APK considerably smoother.
