获取安卓敏感调用检测脚本
//hook常规的获取设备信息接口
//通过打印堆栈信息来看是什么sdk调用
/**
 * Builds the Java stack trace of the current call so the caller of a hooked
 * API (for example a third-party SDK) can be identified.
 *
 * The trace is only computed here; printing is disabled by default.
 * Uncomment the console.log line below to print it.
 */
function showjavastack(){
    var Log = Java.use("android.util.Log");
    var Exception = Java.use("java.lang.Exception");
    // A freshly constructed Exception captures the stack at this point.
    var javastack = Log.getStackTraceString(Exception.$new());
    //console.log(javastack);
}
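/**
 * Installs Frida Java hooks on the Android APIs an app can use to read device
 * identifiers (IMEI, ICCID, IMSI, MSISDN, MAC, ANDROID_ID), location, the
 * installed-app list and system properties.
 *
 * Every hook logs the call, invokes the original method, logs the real return
 * value, calls showjavastack() and returns the value unchanged, so the app's
 * behaviour is not altered.
 *
 * Each hook is installed inside its own try/catch: a method or overload that
 * does not exist on the device's API level is reported and skipped instead of
 * aborting the hooks that follow it.
 *
 * NOTE: the log contains the device's real identifiers and location. Treat the
 * output as sensitive data and run the script on a test device.
 */
function hook(){
    Java.perform(function() {
        var SEPARATOR = "------------------------------------------------------";

        // Runs one hook installation; a failure is logged and does not stop the others.
        function tryHook(description, install) {
            try {
                install();
            } catch (err) {
                console.log("[!] hook not installed: " + description + " (" + err + ")");
            }
        }

        // Builds the common replacement: log, call the original, log the result, return it.
        function traceImpl(methodName, calledMsg, resultPrefix) {
            return function () {
                console.log(calledMsg);
                var result = this[methodName].apply(this, arguments);
                console.log(resultPrefix + result);
                showjavastack();
                console.log(SEPARATOR);
                return result;
            };
        }

        // Hooks exactly one overload, selected by its argument type list.
        function traceOverload(clazz, methodName, argTypes, calledMsg, resultPrefix) {
            tryHook(methodName + "(" + argTypes.join(", ") + ")", function () {
                var method = clazz[methodName];
                method.overload.apply(method, argTypes).implementation =
                    traceImpl(methodName, calledMsg, resultPrefix);
            });
        }

        // Hooks every overload of a method. Assigning `.implementation` directly
        // fails when the API level in use declares more than one overload.
        function traceAllOverloads(clazz, methodName, calledMsg, resultPrefix) {
            tryHook(methodName, function () {
                clazz[methodName].overloads.forEach(function (overload) {
                    overload.implementation = traceImpl(methodName, calledMsg, resultPrefix);
                });
            });
        }

        var TelephonyManager = Java.use("android.telephony.TelephonyManager");

        // IMEI hook
        traceOverload(TelephonyManager, "getDeviceId", [],
            "[*]Called - getDeviceId()", "real IMEI: ");

        // Multi-SIM IMEI: the slot index is part of both log lines.
        tryHook("getDeviceId(int)", function () {
            TelephonyManager.getDeviceId.overload('int').implementation = function (p) {
                console.log("[*]Called - getDeviceId(int) param is" + p);
                var temp = this.getDeviceId(p);
                console.log("real IMEI " + p + ": " + temp);
                showjavastack();
                console.log(SEPARATOR);
                return temp;
            };
        });

        // SIM serial number. getSimSerialNumber() returns the ICCID, not the
        // IMSI, so the label was corrected.
        traceOverload(TelephonyManager, "getSimSerialNumber", [],
            "[*]Called - getSimSerialNumber()", "real ICCID: ");

        // IMSI hook: the IMSI is returned by getSubscriberId().
        traceOverload(TelephonyManager, "getSubscriberId", [],
            "[*]Called - getSubscriberId()", "real IMSI: ");

        // getImei requires API 26 or later; on older devices it is skipped.
        traceOverload(TelephonyManager, "getImei", [],
            "[*]Called - getImei", "real IMEI:");
        traceOverload(TelephonyManager, "getImei", ['int'],
            "[*]Called - getImei(int)", "real IMEI(int):");

        // SIM operator name
        traceOverload(TelephonyManager, "getSimOperatorName", [],
            "[*]Called - getSimOperatorName", "real 运营商:");
        traceOverload(TelephonyManager, "getSimOperatorName", ['int'],
            "[*]Called - getSimOperatorName(int)", "real 运营商:");

        // Phone number (MSISDN)
        traceOverload(TelephonyManager, "getLine1Number", [],
            "[*]Called - getLine1Number", "real MSISDN:");
        traceOverload(TelephonyManager, "getLine1Number", ['int'],
            "[*]Called - getLine1Number", "real MSISDN:");

        //////////////////////////////////////
        // hook MAC
        var wifi = Java.use("android.net.wifi.WifiInfo");
        traceAllOverloads(wifi, "getMacAddress",
            "[*]Called - getMacAddress", "[*]real MAC: ");

        var NetworkInterface = Java.use("java.net.NetworkInterface");
        traceAllOverloads(NetworkInterface, "getHardwareAddress",
            "[*]Called - getHardwareAddress", "[*]real HardwareAddress: ");

        // ANDROID_ID hook: only reads whose key contains "android_id" are logged.
        var Secure = Java.use("android.provider.Settings$Secure");
        tryHook("Settings.Secure.getString", function () {
            Secure.getString.implementation = function (p1, p2) {
                // A null key is passed straight through instead of throwing in the hook.
                if (p2 == null || p2.indexOf("android_id") < 0) return this.getString(p1, p2);
                console.log("[*]Called - get android_ID, param is:" + p2);
                var temp = this.getString(p1, p2);
                console.log("real Android_ID: " + temp);
                showjavastack();
                console.log(SEPARATOR);
                return temp;
            };
        });

        // GPS / location
        var LocationManager = Java.use("android.location.LocationManager");
        traceAllOverloads(LocationManager, "getLastKnownLocation",
            "[*]Called - getLastKnownLocation", "调用getLastKnownLocation获取了GPS地址");

        // requestLocationUpdates overloads to trace; which ones exist depends on
        // the API level, so each is installed independently.
        var locationUpdateOverloads = [
            ['android.location.LocationRequest', 'android.app.PendingIntent'],
            ['android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper'],
            ['android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper', 'android.app.PendingIntent'],
            ['long', 'float', 'android.location.Criteria', 'android.app.PendingIntent'],
            ['java.lang.String', 'long', 'float', 'android.app.PendingIntent'],
            ['java.lang.String', 'long', 'float', 'android.location.LocationListener'],
            ['long', 'float', 'android.location.Criteria', 'android.location.LocationListener', 'android.os.Looper'],
            ['java.lang.String', 'long', 'float', 'android.location.LocationListener', 'android.os.Looper']
        ];
        locationUpdateOverloads.forEach(function (argTypes) {
            var signature = "requestLocationUpdates.overload('" + argTypes.join("', '") + "')";
            traceOverload(LocationManager, "requestLocationUpdates", argTypes,
                "[*]Called - " + signature, "调用requestLocationUpdates获取了GPS地址");
        });

        // Installed-app list via shell command.
        // Only exec(String) is hooked; the other Runtime.exec overloads are not
        // traced by this script.
        var Runtime = Java.use("java.lang.Runtime");
        tryHook("Runtime.exec(String)", function () {
            Runtime.exec.overload('java.lang.String').implementation = function (a) {
                console.log("[*]Called - exec(command)");
                var tmp = this.exec(a);
                console.log("执行exec的命令:" + a);
                if (a.indexOf("packages") !== -1) {
                    console.log("应用使用" + a + "收集应用列表");
                    showjavastack();
                }
                console.log(SEPARATOR);
                return tmp;
            };
        });

        // Installed-app list via PackageManager.
        // NOTE(review): android.content.pm.PackageManager is abstract; the object
        // an app receives is normally a concrete subclass
        // (android.app.ApplicationPackageManager on stock Android), so these
        // hooks may never fire. Confirm on the target device.
        var PackageManager = Java.use("android.content.pm.PackageManager");
        traceAllOverloads(PackageManager, "getInstalledPackages",
            "[*]Called - getInstalledPackages", "调用getInstalledPackages获取了应用列表");
        traceAllOverloads(PackageManager, "getInstalledApplications",
            "[*]Called - getInstalledApplications", "调用getInstalledApplications获取了应用列表");
        traceAllOverloads(PackageManager, "queryIntentActivities",
            "[*]Called - queryIntentActivities", "调用queryIntentActivities获取了应用列表");

        // getPackageManager() only returns the PackageManager object; a hit here
        // does not by itself show that the app list was read.
        var ContextWrapper = Java.use("android.content.ContextWrapper");
        traceAllOverloads(ContextWrapper, "getPackageManager",
            "[*]Called - getPackageManager", "调用getPackageManager获取了应用列表");

        // android.os.SystemProperties is a hidden API that apps reach through reflection.
        var SP = Java.use("android.os.SystemProperties");
        tryHook("SystemProperties.get(String)", function () {
            SP.get.overload('java.lang.String').implementation = function (p1) {
                var tmp = this.get(p1);
                console.log("[*]" + p1 + " : " + tmp);
                showjavastack();
                console.log(SEPARATOR);
                return tmp;
            };
        });
        tryHook("SystemProperties.get(String, String)", function () {
            SP.get.overload('java.lang.String', 'java.lang.String').implementation = function (p1, p2) {
                var tmp = this.get(p1, p2);
                console.log("[*]" + p1 + "," + p2 + " : " + tmp);
                showjavastack();
                console.log(SEPARATOR);
                return tmp;
            };
        });
    });
}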
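/**
 * Script entry point: installs all hooks.
 */
function main(){
    hook();
}
// Schedule main asynchronously once the script has been loaded.
// (A stray Markdown code fence after this statement was removed; it was a syntax error.)
setImmediate(main);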
//新建一个命令行
adb shell
cd 保存frida_server的路径
./frida_server
//新建另一个命令行
//转发frida_server默认端口
adb forward tcp:27042 tcp:27042
frida -Uf packagename -l hook_privacy.js的绝对路径
如果需要查看调用栈,将hook_privacy.js中showjavastack函数里被注释掉的console.log取消注释
再次执行frida -Uf packagename -l hook_privacy.js的绝对路径