Introduction
Frida can perform all kinds of hooks from a JS script; Objection bundles many of those hook routines and exposes them as a command line, so hook operations can be run from a prompt. This post walks through that.
Using Objection
First install Objection:
pip3 install -U objection
Running objection --help prints the following:
-N, --network Connect using a network connection instead of USB.
-h, --host TEXT [default: 127.0.0.1]
-p, --port INTEGER [default: 27042]
-ah, --api-host TEXT [default: 127.0.0.1]
-ap, --api-port INTEGER [default: 8888]
-g, --gadget TEXT Name of the Frida Gadget/Process to connect to.
[default: Gadget]
-S, --serial TEXT A device serial to connect to.
-d, --debug Enable debug mode with verbose output. (Includes
agent source map in stack traces)
--help Show this message and exit.
Commands:
api Start the objection API server in headless mode.
device-type Get information about an attached device.
explore Start the objection exploration REPL.
patchapk Patch an APK with the frida-gadget.so.
patchipa Patch an IPA with the FridaGadget dylib.
run Run a single objection command.
signapk Zipalign and sign an APK with the objection key.
version Prints the current version and exists.
As you can see, objection can also patch an APK with frida-gadget.so via the patchapk command, so hooking works even without a rooted phone. Now hook the dialer:
objection -g com.android.dialer explore
The output is as follows:
Agent injected and responds ok!
_ _ _ _
___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_| _| _| | . | |
|___|___| |___|___|_| |_|___|_|_|
|___|(object)inject(ion) v1.11.0
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
A large number of commands are supported here; press TAB to get suggestions for the available commands.
For example, list the dialer's services:
com.android.dialer on (google: 11) [usb] # android hooking list services
com.android.dialer.app.calllog.CallLogNotificationsService
com.android.dialer.app.calllog.VoicemailNotificationJobService
com.android.dialer.calllog.CallLogConfig$PollingJob
com.android.dialer.calllog.config.CallLogConfigImpl$PollingJob
com.android.dialer.callrecord.impl.CallRecorderService
com.android.dialer.configprovider.SharedPrefConfigProvider$Service
com.android.dialer.interactions.ContactUpdateService
com.android.dialer.shortcuts.PeriodicJobService
com.android.dialer.simulator.impl.SimulatorConnectionService
com.android.dialer.simulator.service.SimulatorService
com.android.incallui.InCallServiceImpl
com.android.incallui.spam.SpamNotificationService
com.android.voicemail.impl.DeviceProvisionedJobService
com.android.voicemail.impl.OmtpService
com.android.voicemail.impl.StatusCheckJobService
com.android.voicemail.impl.scheduling.TaskSchedulerJobService
com.android.voicemail.impl.transcribe.TranscriptionBackfillService
com.android.voicemail.impl.transcribe.TranscriptionRatingService
com.android.voicemail.impl.transcribe.TranscriptionService
Passive method hooking
To hook a specific method, for example an Activity's onCreate, you can start like this:
android hooking watch class_method com.android.dialer.main.impl.MainActivity.onCreate --dump-return --dump-args --dump-backtrace
The output is as follows:
(agent) Attempting to watch class com.android.dialer.main.impl.MainActivity and method onCreate.
(agent) Hooking com.android.dialer.main.impl.MainActivity.onCreate(android.os.Bundle)
(agent) Registering job 342744. Type: watch-method for: com.android.dialer.main.impl.MainActivity.onCreate
You can also check it with the jobs list command:
com.android.dialer on (google: 11) [usb] # jobs list
Job ID Hooks Type
------ ----- --------------------------------------------------------------------
342744 1 watch-method for: com.android.dialer.main.impl.MainActivity.onCreate
Trigger the method call, and the output looks like this:
com.android.dialer on (google: 11) [usb] # (agent) [342744] Called com.android.dialer.main.impl.MainActivity.onCreate(android.os.Bundle)
(agent) [342744] Backtrace:
com.android.dialer.main.impl.MainActivity.onCreate(Native Method)
android.app.Activity.performCreate(Activity.java:7994)
android.app.Activity.performCreate(Activity.java:7978)
android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1309)
android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3404)
android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3595)
android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
android.app.ActivityThread$H.handleMessage(ActivityThread.java:2066)
android.os.Handler.dispatchMessage(Handler.java:106)
android.os.Looper.loop(Looper.java:223)
android.app.ActivityThread.main(ActivityThread.java:7664)
java.lang.reflect.Method.invoke(Native Method)
com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
(agent) [342744] Arguments com.android.dialer.main.impl.MainActivity.onCreate((none))
(agent) [342744] Return Value: (none)
Active method calls
The hook above is triggered passively; now look at calling a method actively, which is handy when observing a method's behaviour. First find the object instances:
android heap search instances com.android.dialer.main.impl.MainActivity
Output:
 Hashcode Class toString()
--------- ----------------------------------------- -------------------------------------------------
207450579 com.android.dialer.main.impl.MainActivity com.android.dialer.main.impl.MainActivity@c5d71d3
123622446 com.android.dialer.main.impl.MainActivity com.android.dialer.main.impl.MainActivity@75e542e
The hashcode in the first column identifies the object instance; to call a method on a particular instance:
android heap execute 207450579 toString
The result is as follows, and you can see the output matches:
Handle 207450579 is to class
com.android.dialer.main.impl.MainActivity
Executing method: toString()
com.android.dialer.main.impl.MainActivity@c5d71d3
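As an added example (not objection's own agent code), here is a Frida JavaScript script that reproduces what the commands on this page do underneath: the passive watch with argument, return value and backtrace dumping, and the active heap search plus method execution. Class, method and job id are the ones from this page; the log format is an approximation of objection's, not its real one.

```javascript
// Added example (not objection's own agent code): a Frida script doing what the
// objection commands on this page do: watch class_method with --dump-args/--dump-return/
// --dump-backtrace, and heap search instances / heap execute. Job id 342744 is from the page.
const TARGET_CLASS = 'com.android.dialer.main.impl.MainActivity';
const TARGET_METHOD = 'onCreate';
// Pure helper (runs anywhere): format arguments the way a watch job prints them.
function formatArgs(args) {
  if (args.length === 0) return '(none)';
  return args.map(a => (a === null || a === undefined) ? 'null' : String(a)).join(', ');
}
// Pure helper: the "(agent) [job] Called ..." line seen in the watch output above.
function callLine(jobId, cls, method, args) {
  return `(agent) [${jobId}] Called ${cls}.${method}(${formatArgs(args)})`;
}
// Passive hook: replace every overload of cls.method so that onCreate(Bundle) and
// onCreate(Bundle, PersistableBundle) are both caught. Must run inside Java.perform.
function watchMethod(cls, method, jobId) {
  const klass = Java.use(cls);
  const Log = Java.use('android.util.Log');
  const Exception = Java.use('java.lang.Exception');
  klass[method].overloads.forEach(function (overload) {
    overload.implementation = function () {
      const args = Array.prototype.slice.call(arguments);
      console.log(callLine(jobId, cls, method, args));
      // --dump-backtrace: the stack of a freshly created Exception is the caller chain
      console.log(`(agent) [${jobId}] Backtrace:\n` + Log.getStackTraceString(Exception.$new()));
      const ret = overload.apply(this, arguments); // run the original method
      console.log(`(agent) [${jobId}] Return Value: ${ret === undefined ? '(none)' : ret}`);
      return ret;
    };
  });
}
// Active call: walk the live instances on the heap (heap search instances) and
// invoke a method on each one (heap execute <handle> <method>).
function executeOnInstances(cls, method) {
  Java.choose(cls, {
    onMatch: function (instance) {
      console.log(`${instance.hashCode()} ${cls} ${instance[method]()}`);
    },
    onComplete: function () {}
  });
}
// The Java global only exists inside a Frida agent; the helpers above stay testable.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    watchMethod(TARGET_CLASS, TARGET_METHOD, 342744);
    executeOnInstances(TARGET_CLASS, 'toString');
  });
}
```

Load it with the plain frida CLI, e.g. frida -U -f com.android.dialer -l watch.js, to see the same kind of output objection produced above.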
With both active and passive calls available, you can combine them with JEB and happily reverse the target APK.