Compare commits
29 Commits
7a34565a64
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 13d89b020d | |||
| 34735c3e0e | |||
| 866701b499 | |||
| f47e9cb306 | |||
| 8c4cd61081 | |||
| cfefd337b9 | |||
| af1a9e1859 | |||
| 6c7278a064 | |||
| 58c81f32e5 | |||
| 67623951ce | |||
| 8960406388 | |||
| 51bf1e5a6f | |||
| 0e75201906 | |||
| 8aa5351ccc | |||
| 1e80a8067b | |||
| df7b021ea0 | |||
| 86f1a339d0 | |||
| b8e653e57d | |||
| 9ec56ced34 | |||
| e949fdc3e5 | |||
| 7167780f0f | |||
| dd6a0f4018 | |||
| 64e5f9c6d9 | |||
| f16dd8cae1 | |||
| e358abc840 | |||
| 054d36b04d | |||
| 424ff95d2b | |||
| 8405b06e9a | |||
| 115626622b |
22
main.py
22
main.py
@@ -5,9 +5,14 @@ import sys
|
||||
import time
|
||||
|
||||
|
||||
FIRST_WRITE = True # 全局变量,用于跟踪是否是首次写入
|
||||
|
||||
def on_message(message, data):
|
||||
print(message)
|
||||
|
||||
# modules.files_utils.write_log(message)
|
||||
# print(message)
|
||||
# if message['type'] == 'send':
|
||||
# print(message['payload'])
|
||||
|
||||
def attach_method(is_spawn):
|
||||
if type(is_spawn) == bool:
|
||||
@@ -20,11 +25,12 @@ def attach_method(is_spawn):
|
||||
|
||||
|
||||
def main(package_name,script_path,is_spawn):
|
||||
# 从Python发送数据到Frida的JavaScript脚本
|
||||
print(f"script_path: {script_path}")
|
||||
js_code = modules.files_utils.read_javascript(script_path)
|
||||
# print(js_code)
|
||||
modules.command.start_frida()
|
||||
modules.command.clearCache(package_name)
|
||||
# modules.command.clearCache(package_name)
|
||||
# 连接到USB设备
|
||||
device = frida.get_usb_device()
|
||||
print(device)
|
||||
@@ -33,8 +39,10 @@ def main(package_name,script_path,is_spawn):
|
||||
print(f"进程pid: {pid}")
|
||||
process = device.attach(pid)
|
||||
script = process.create_script(js_code)
|
||||
script.on("message", on_message)
|
||||
# script.on("message", on_message)
|
||||
script.load()
|
||||
# data_to_send = {'data': 'Hello from Python!'}
|
||||
# script.post({'type': 'input_data', 'payload': data_to_send})
|
||||
device.resume(pid) # 加载完脚本后, 恢复进程运行
|
||||
sys.stdin.read()
|
||||
else:
|
||||
@@ -59,10 +67,10 @@ if __name__ == '__main__':
|
||||
# 是否以spawn模式运行
|
||||
is_spawn = True
|
||||
# 目标进程名
|
||||
attach_process_name = "Navi"
|
||||
attach_process_name = "百度网盘"
|
||||
# 目标包名
|
||||
package_name = "com.msf.angelmobile"
|
||||
package_name = "com.baidu.netdisk"
|
||||
# 注入的脚本路径
|
||||
script_path = "./hook_conversions.js"
|
||||
# script_path = "./r0capture/script.js"
|
||||
# script_path = "scripts/hook_conversions.js"
|
||||
script_path = "scripts/baidunetdisk.js"
|
||||
main(package_name,script_path, is_spawn)
|
||||
|
||||
@@ -13,3 +13,11 @@ def read_javascript(script_path):
|
||||
with open(script_path, "r") as file:
|
||||
script_code = file.read()
|
||||
return script_code
|
||||
def write_log(messages):
|
||||
global FIRST_WRITE
|
||||
print(f"FIRST_WRITE: {FIRST_WRITE}")
|
||||
with open("frida_log.log", "a") as log_file:
|
||||
if FIRST_WRITE: # 如果是首次写入
|
||||
log_file.write("\n\n\n") # 空出三行
|
||||
FIRST_WRITE = False # 更新状态,表明已经写过了
|
||||
log_file.write(str(messages) + "\n")
|
||||
21
scripts/baidunetdisk.js
Normal file
21
scripts/baidunetdisk.js
Normal file
@@ -0,0 +1,21 @@
|
||||
console.log("Script loaded successfully");
|
||||
|
||||
Java.perform(function () {
|
||||
var Request = Java.use("okhttp3.Request");
|
||||
|
||||
// Hook Request的toString方法
|
||||
Request.toString.implementation = function () {
|
||||
// 调用原始的toString方法并保存结果
|
||||
var result = this.toString();
|
||||
|
||||
// 打印结果
|
||||
console.log("Request.toString result: " + result);
|
||||
|
||||
// 返回原始方法调用的结果
|
||||
return result;
|
||||
};
|
||||
});
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,25 +1,22 @@
|
||||
console.log("Script loaded successfully");
|
||||
log_info("Script loaded successfully");
|
||||
// hook_okhttp_client()
|
||||
if (Java.available) {
|
||||
hook_json()
|
||||
// hook_okhttp3_client()
|
||||
let class_name = "okhttp3.OkHttpClient"
|
||||
if (check_class(class_name)){
|
||||
hook_okhttp_client()
|
||||
}
|
||||
Java.perform(function () {
|
||||
try {
|
||||
var OkHttpClient = Java.use("okhttp3.OkHttpClient");
|
||||
console.log("OkHttp detected in the app");
|
||||
} catch (e) {
|
||||
console.log("OkHttp not detected in the app");
|
||||
}
|
||||
});
|
||||
Java.perform(function () {
|
||||
console.log("start hook java.net.URL");
|
||||
log_info("start hook java.net.URL");
|
||||
var URL = Java.use('java.net.URL');
|
||||
URL.$init.overload('java.lang.String').implementation = function (spec) {
|
||||
// console.log("URL request:" + spec)
|
||||
log_info("URL request: " + spec)
|
||||
if (spec.includes("appsflyer")) {
|
||||
console.log("URL request: " + spec);
|
||||
// console.log("URL request: " + spec);
|
||||
if (spec.includes("conversions")) {
|
||||
var stackTrace = Java.use('java.lang.Exception').$new().getStackTrace().toString();
|
||||
console.log(stackTrace);
|
||||
// console.log(stackTrace);
|
||||
}
|
||||
}
|
||||
return this.$init(spec);
|
||||
@@ -28,36 +25,38 @@ if (Java.available) {
|
||||
}
|
||||
|
||||
function printMethods(className) {
|
||||
log_info("start print methods.")
|
||||
var jclass = Java.use(className);
|
||||
var methods = jclass.class.getDeclaredMethods();
|
||||
console.log("Printing methods of " + className + ":\n");
|
||||
methods.forEach(function (method) {
|
||||
console.log(method);
|
||||
// console.log(method);
|
||||
log_info("The methods under the class" + className + " are: " + method);
|
||||
});
|
||||
}
|
||||
|
||||
function hook_okhttp_client() {
|
||||
if (Java.available) {
|
||||
Java.perform(function () {
|
||||
log_info("start hook_okhttp_client.")
|
||||
try {
|
||||
var OkHttpClient = Java.use("okhttp3.OkHttpClient");
|
||||
|
||||
OkHttpClient.newCall.overload('okhttp3.Request').implementation = function (request) {
|
||||
console.log("OkHttp Request URL: " + request.url().toString());
|
||||
var requestUrl = request.url();
|
||||
if (requestUrl) {
|
||||
console.log("OkHttp Request URL: " + requestUrl.toString());
|
||||
} else {
|
||||
console.log("OkHttp Request URL is not available");
|
||||
}
|
||||
console.log("OkHttp Request Headers: " + request.headers().toString());
|
||||
|
||||
if (request.method() == "POST") {
|
||||
console.log("OkHttp Request Body: " + request.body().contentType().toString());
|
||||
// Here you can further extract the request body if needed.
|
||||
}
|
||||
|
||||
var response = this.newCall(request).execute();
|
||||
var call = this.newCall(request);
|
||||
var response = call.execute();
|
||||
console.log("OkHttp Response: " + response.body().string());
|
||||
|
||||
// Note: Calling response.body().string() consumes the response body.
|
||||
// You might need to recreate the response if the app expects to read it again.
|
||||
|
||||
return this.newCall(request);
|
||||
return call;
|
||||
};
|
||||
|
||||
} catch (e) {
|
||||
@@ -118,20 +117,6 @@ function hook_HttpURLConnection_stream() {
|
||||
|
||||
}
|
||||
|
||||
function hook_okhttp3_client() {
|
||||
Java.perform(function () {
|
||||
var OkHttpClient = Java.use("okhttp3.OkHttpClient");
|
||||
OkHttpClient.newCall.overload("okhttp3.Request").implementation = function (request) {
|
||||
console.log("okhttp3 Request -> " + request.url().toString());
|
||||
|
||||
var response = this.newCall(request).execute();
|
||||
|
||||
console.log("okhttp3 Response -> " + response.body().string());
|
||||
|
||||
return response;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
function hook_retrofit() {
|
||||
Java.perform(function () {
|
||||
@@ -160,8 +145,53 @@ function hook_json() {
|
||||
var JSONObject = Java.use('org.json.JSONObject');
|
||||
JSONObject.toString.overload().implementation = function () {
|
||||
var result = this.toString.call(this);
|
||||
console.log("Serialized JSONObject: " + result);
|
||||
// get_conversions(result)
|
||||
// log_info("Serialized JSONObject: " + result)
|
||||
return result;
|
||||
};
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
function log_info(messages) {
|
||||
const now = new Date();
|
||||
const year = now.getFullYear();
|
||||
const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
|
||||
const day = String(now.getDate()).padStart(2, '0');
|
||||
const hours = String(now.getHours()).padStart(2, '0');
|
||||
const minutes = String(now.getMinutes()).padStart(2, '0');
|
||||
const seconds = String(now.getSeconds()).padStart(2, '0');
|
||||
const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
|
||||
|
||||
const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
|
||||
|
||||
console.log(`${timestamp} - ${messages}`);
|
||||
send(`${timestamp} - ${messages}`);
|
||||
}
|
||||
|
||||
function check_class(class_name) {
|
||||
var classFound = false; // 默认为未找到
|
||||
Java.enumerateLoadedClasses({
|
||||
onMatch: function(currentClassName) {
|
||||
if (currentClassName === class_name) {
|
||||
classFound = true; // 如果找到了类,则设置为true
|
||||
}
|
||||
},
|
||||
onComplete: function() {
|
||||
if (classFound) {
|
||||
log_info(class_name + " has been loaded!");
|
||||
} else {
|
||||
log_info(class_name + " has not been loaded yet.");
|
||||
}
|
||||
}
|
||||
});
|
||||
return classFound;
|
||||
}
|
||||
|
||||
recv('input_data', function(payload) {
|
||||
console.log(typeof(payload))
|
||||
|
||||
console.log(JSON.stringify(payload))
|
||||
console.log('Received data from Python: ' + payload.payload.data);
|
||||
});
|
||||
|
||||
40
scripts/hook_qqmusic.js
Normal file
40
scripts/hook_qqmusic.js
Normal file
@@ -0,0 +1,40 @@
|
||||
log_info("Script loaded successfully");
|
||||
if (Java.available) {
|
||||
hook_json()
|
||||
Java.perform(function () {
|
||||
log_info("start hook java.net.URL");
|
||||
var URL = Java.use('java.net.URL');
|
||||
URL.$init.overload('java.lang.String').implementation = function (spec) {
|
||||
log_info("URL request: " + spec)
|
||||
return this.$init(spec);
|
||||
};
|
||||
});
|
||||
}
|
||||
|
||||
function log_info(messages) {
|
||||
const now = new Date();
|
||||
const year = now.getFullYear();
|
||||
const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
|
||||
const day = String(now.getDate()).padStart(2, '0');
|
||||
const hours = String(now.getHours()).padStart(2, '0');
|
||||
const minutes = String(now.getMinutes()).padStart(2, '0');
|
||||
const seconds = String(now.getSeconds()).padStart(2, '0');
|
||||
const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
|
||||
|
||||
const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
|
||||
|
||||
console.log(`${timestamp} - ${messages}`);
|
||||
send(`${timestamp} - ${messages}`);
|
||||
}
|
||||
|
||||
function hook_json() {
|
||||
Java.perform(function () {
|
||||
var JSONObject = Java.use('org.json.JSONObject');
|
||||
JSONObject.toString.overload().implementation = function () {
|
||||
var result = this.toString.call(this);
|
||||
// get_conversions(result)
|
||||
log_info("Serialized JSONObject: " + result)
|
||||
return result;
|
||||
};
|
||||
});
|
||||
}
|
||||
@@ -1,3 +1,4 @@
|
||||
console.log("Script loaded successfully");
|
||||
Java.perform(function() {
|
||||
|
||||
/*
|
||||
@@ -67,11 +68,6 @@ hook list:
|
||||
} catch (e) {
|
||||
quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
// Prepare the TrustManagers array to pass to SSLContext.init()
|
||||
var TrustManagers = [TrustManager.$new()];
|
||||
|
||||
32
scripts/monitor_request.js
Normal file
32
scripts/monitor_request.js
Normal file
@@ -0,0 +1,32 @@
|
||||
log_info("Script loaded successfully");
|
||||
Java.perform(function () {
|
||||
var OkHttpClient = Java.use('okhttp3.OkHttpClient');
|
||||
var Request = Java.use('okhttp3.Request');
|
||||
|
||||
OkHttpClient.newCall.implementation = function (request) {
|
||||
var url = request.url().toString();
|
||||
var method = request.method();
|
||||
var body = request.body();
|
||||
var size = body != null ? body.contentLength() / 1024 : 0;
|
||||
console.log("Method: " + method + "\nURL: " + url + "\nSize: " + size + " kb");
|
||||
|
||||
return this.newCall(request);
|
||||
};
|
||||
});
|
||||
|
||||
|
||||
function log_info(messages) {
|
||||
const now = new Date();
|
||||
const year = now.getFullYear();
|
||||
const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
|
||||
const day = String(now.getDate()).padStart(2, '0');
|
||||
const hours = String(now.getHours()).padStart(2, '0');
|
||||
const minutes = String(now.getMinutes()).padStart(2, '0');
|
||||
const seconds = String(now.getSeconds()).padStart(2, '0');
|
||||
const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
|
||||
|
||||
const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
|
||||
|
||||
console.log(`${timestamp} - ${messages}`);
|
||||
send(`${timestamp} - ${messages}`);
|
||||
}
|
||||
20
scripts/test.js
Normal file
20
scripts/test.js
Normal file
@@ -0,0 +1,20 @@
|
||||
Java.perform(function() {
|
||||
var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream');
|
||||
var HttpsURLConnection = Java.use('javax.net.ssl.HttpsURLConnection');
|
||||
|
||||
HttpsURLConnection.getOutputStream.implementation = function() {
|
||||
var outputStream = this.getOutputStream();
|
||||
|
||||
// 创建一个新的 ByteArrayOutputStream 实例,以便于我们读取数据。
|
||||
var byteArrayOutputStream = ByteArrayOutputStream.$new();
|
||||
|
||||
outputStream.write.overload('[B').implementation = function(buffer) {
|
||||
byteArrayOutputStream.write(buffer);
|
||||
console.log("[*] Data written to URL:", this.getURL().toString());
|
||||
console.log("[*] Data:", byteArrayOutputStream.toString('UTF-8'));
|
||||
return outputStream.write(buffer);
|
||||
};
|
||||
|
||||
return outputStream;
|
||||
};
|
||||
});
|
||||
82
scripts/url_request.js
Normal file
82
scripts/url_request.js
Normal file
@@ -0,0 +1,82 @@
|
||||
Java.perform(function() {
|
||||
var URL = Java.use("java.net.URL");
|
||||
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
|
||||
var HttpURLConnection = Java.use("java.net.HttpURLConnection");
|
||||
var OutputStreamWriter = Java.use("java.io.OutputStreamWriter");
|
||||
var BufferedReader = Java.use("java.io.BufferedReader");
|
||||
var InputStreamReader = Java.use("java.io.InputStreamReader");
|
||||
var OutputStream = Java.use('java.io.OutputStream');
|
||||
var OkHttpClient = Java.use('okhttp3.OkHttpClient');
|
||||
|
||||
URL.$init.overload('java.lang.String').implementation = function(url) {
|
||||
console.log("[*] URL init:", url.toString());
|
||||
return this.$init(url);
|
||||
};
|
||||
|
||||
HttpsURLConnection.setDoOutput.implementation = function(value) {
|
||||
console.log("[*]HttpsURLConnection setDoOutput:", value);
|
||||
return this.setDoOutput(value);
|
||||
};
|
||||
|
||||
HttpsURLConnection.setRequestProperty.implementation = function(key, value) {
|
||||
console.log("[*] setRequestProperty:", key, value);
|
||||
return this.setRequestProperty(key, value);
|
||||
};
|
||||
|
||||
|
||||
HttpsURLConnection.getOutputStream.implementation = function() {
|
||||
console.log("[*] getOutputStream");
|
||||
return this.getOutputStream();
|
||||
};
|
||||
|
||||
|
||||
|
||||
HttpURLConnection.setRequestProperty.implementation = function(key, value) {
|
||||
console.log("[*] setRequestProperty:", key, value);
|
||||
return this.setRequestProperty(key, value);
|
||||
};
|
||||
|
||||
HttpURLConnection.setDoOutput.implementation = function(value) {
|
||||
console.log("[*]HttpURLConnection setDoOutput:", value);
|
||||
return this.setDoOutput(value);
|
||||
};
|
||||
|
||||
// HttpURLConnection.getOutputStream.implementation = function() {
|
||||
// console.log("[*] getOutputStream");
|
||||
// var outputStream = this.getOutputStream();
|
||||
//
|
||||
// outputStream.write.overload('[B').implementation = function(buffer) {
|
||||
// console.log("[*] Data written:", Java.array('byte', buffer).toString());
|
||||
// return this.write(buffer);
|
||||
// };
|
||||
// return outputStream;
|
||||
// };
|
||||
|
||||
// OutputStream.write.overload('[B').implementation = function(buffer) {
|
||||
// console.log("[*] Data written:", Java.array('byte', buffer).toString());
|
||||
// return this.write(buffer);
|
||||
// };
|
||||
|
||||
BufferedReader.readLine.overload().implementation = function() {
|
||||
var line = this.readLine();
|
||||
// console.log("[*] BufferedReader.readLine:", line);
|
||||
return line;
|
||||
};
|
||||
|
||||
InputStreamReader.$init.overload('java.io.InputStream').implementation = function(stream) {
|
||||
console.log("[*] InputStreamReader.init:", stream);
|
||||
return this.$init(stream);
|
||||
};
|
||||
|
||||
OkHttpClient.newCall.overload('okhttp3.Request').implementation = function(request) {
|
||||
console.log("[*] Request URL:", request.url().toString());
|
||||
console.log("[*] Request Headers:", request.headers().toString());
|
||||
|
||||
if (request.method() == "POST") {
|
||||
console.log("[*] Request Body:", request.body().toString());
|
||||
}
|
||||
|
||||
return this.newCall(request);
|
||||
};
|
||||
});
|
||||
|
||||
2
test.py
2
test.py
@@ -1,7 +1,7 @@
|
||||
import frida,sys
|
||||
import modules.files_utils
|
||||
|
||||
js_code = modules.files_utils.read_javascript("./hook_conversions.js")
|
||||
js_code = modules.files_utils.read_javascript("scripts/hook_conversions.js")
|
||||
device = frida.get_usb_device()
|
||||
pid = device.spawn(["com.naviapp"]) # 以挂起方式创建进程
|
||||
process = device.attach(pid)
|
||||
|
||||
Reference in New Issue
Block a user