wsy182/hook-frida
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: wsy182:8405b06e9ac891eed279e488e30cc1bc94d42059
Branches Tags
wsy182:master
...
compare: wsy182:master
Branches Tags
wsy182:master

27 Commits
8405b06e9a ... master

Author SHA1 Message Date
wangsiyuan
13d89b020d 更新 hookssl.js 2024-03-07 00:24:13 +08:00
wangsiyuan
34735c3e0e 创建 baidunetdisk.js 2024-03-07 00:24:09 +08:00
wangsiyuan
866701b499 更新 main.py 2024-03-07 00:24:06 +08:00
wangsiyuan
f47e9cb306 更新 main.py 2023-11-09 17:08:12 +08:00
wangsiyuan
8c4cd61081 更新 main.py 2023-11-07 14:18:03 +08:00
wangsiyuan
cfefd337b9 删除 url_request.js 2023-11-06 17:02:31 +08:00
wangsiyuan
af1a9e1859 更新 test.py 2023-11-06 17:02:29 +08:00
wangsiyuan
6c7278a064 删除 test.js 2023-11-06 17:02:27 +08:00
wangsiyuan
58c81f32e5 创建 url_request.js 2023-11-06 17:02:24 +08:00
wangsiyuan
67623951ce 创建 test.js 2023-11-06 17:02:22 +08:00
wangsiyuan
8960406388 创建 monitor_request.js 2023-11-06 17:02:18 +08:00
wangsiyuan
51bf1e5a6f 创建 hookssl.js 2023-11-06 17:02:16 +08:00
wangsiyuan
0e75201906 创建 hook_qqmusic.js 2023-11-06 17:02:14 +08:00
wangsiyuan
8aa5351ccc 创建 hook_conversions.js 2023-11-06 17:02:12 +08:00
wangsiyuan
1e80a8067b 删除 hookssl.js 2023-11-06 17:02:09 +08:00
wangsiyuan
df7b021ea0 删除 hook_qqmusic.js 2023-11-06 17:02:07 +08:00
wangsiyuan
86f1a339d0 删除 hook_conversions.js 2023-11-06 17:02:04 +08:00
wangsiyuan
b8e653e57d 更新 main.py 2023-11-06 17:01:58 +08:00
wangsiyuan
9ec56ced34 更新 main.py 2023-10-24 19:54:40 +08:00
wangsiyuan
e949fdc3e5 创建 hook_qqmusic.js 2023-10-24 19:54:38 +08:00
wangsiyuan
7167780f0f 创建 url_request.js 2023-10-19 11:26:26 +08:00
wangsiyuan
dd6a0f4018 创建 test.js 2023-10-19 11:26:24 +08:00
wangsiyuan
64e5f9c6d9 更新 main.py 2023-10-19 11:26:22 +08:00
wangsiyuan
f16dd8cae1 更新 hook_conversions.js 2023-10-19 11:26:18 +08:00
wangsiyuan
e358abc840 更新 files_utils.py 2023-10-18 15:13:04 +08:00
wangsiyuan
054d36b04d 更新 main.py 2023-10-18 15:13:01 +08:00
wangsiyuan
424ff95d2b 更新 hook_conversions.js 2023-10-18 15:12:58 +08:00
10 changed files with 258 additions and 37 deletions
Expand all files Collapse all files

19
main.py
View File

@@ -5,8 +5,12 @@ import sys
import time import time
FIRST_WRITE = True # 全局变量,用于跟踪是否是首次写入
def on_message(message, data): def on_message(message, data):
print(message) print(message)
# modules.files_utils.write_log(message)
# print(message)
# if message['type'] == 'send': # if message['type'] == 'send':
# print(message['payload']) # print(message['payload'])
@@ -21,11 +25,12 @@ def attach_method(is_spawn):
def main(package_name,script_path,is_spawn): def main(package_name,script_path,is_spawn):
# 从Python发送数据到Frida的JavaScript脚本
print(f"script_path: {script_path}") print(f"script_path: {script_path}")
js_code = modules.files_utils.read_javascript(script_path) js_code = modules.files_utils.read_javascript(script_path)
# print(js_code) # print(js_code)
modules.command.start_frida() modules.command.start_frida()
modules.command.clearCache(package_name) # modules.command.clearCache(package_name)
# 连接到USB设备 # 连接到USB设备
device = frida.get_usb_device() device = frida.get_usb_device()
print(device) print(device)
@@ -34,8 +39,10 @@ def main(package_name,script_path,is_spawn):
print(f"进程pid: {pid}") print(f"进程pid: {pid}")
process = device.attach(pid) process = device.attach(pid)
script = process.create_script(js_code) script = process.create_script(js_code)
script.on("message", on_message) # script.on("message", on_message)
script.load() script.load()
# data_to_send = {'data': 'Hello from Python!'}
# script.post({'type': 'input_data', 'payload': data_to_send})
device.resume(pid) # 加载完脚本后, 恢复进程运行 device.resume(pid) # 加载完脚本后, 恢复进程运行
sys.stdin.read() sys.stdin.read()
else: else:
@@ -60,10 +67,10 @@ if __name__ == '__main__':
# 是否以spawn模式运行 # 是否以spawn模式运行
is_spawn = True is_spawn = True
# 目标进程名 # 目标进程名
attach_process_name = "Navi" attach_process_name = "百度网盘"
# 目标包名 # 目标包名
package_name = "com.msf.angelmobile" package_name = "com.baidu.netdisk"
# 注入的脚本路径 # 注入的脚本路径
script_path = "./hook_conversions.js" # script_path = "scripts/hook_conversions.js"
# script_path = "./r0capture/script.js" script_path = "scripts/baidunetdisk.js"
main(package_name,script_path, is_spawn) main(package_name,script_path, is_spawn)

8
modules/files_utils.py
View File

@@ -13,3 +13,11 @@ def read_javascript(script_path):
with open(script_path, "r") as file: with open(script_path, "r") as file:
script_code = file.read() script_code = file.read()
return script_code return script_code
def write_log(messages):
global FIRST_WRITE
print(f"FIRST_WRITE: {FIRST_WRITE}")
with open("frida_log.log", "a") as log_file:
if FIRST_WRITE: # 如果是首次写入
log_file.write("\n\n\n") # 空出三行
FIRST_WRITE = False # 更新状态,表明已经写过了
log_file.write(str(messages) + "\n")

21
scripts/baidunetdisk.js Normal file
View File

@@ -0,0 +1,21 @@
console.log("Script loaded successfully");
Java.perform(function () {
var Request = Java.use("okhttp3.Request");
// Hook Request的toString方法
Request.toString.implementation = function () {
// 调用原始的toString方法并保存结果
var result = this.toString();
// 打印结果
console.log("Request.toString result: " + result);
// 返回原始方法调用的结果
return result;
};
});

65
hook_conversions.js → scripts/hook_conversions.js
View File

@@ -1,19 +1,11 @@
console.log("Script loaded successfully"); log_info("Script loaded successfully");
// hook_okhttp_client() // hook_okhttp_client()
if (Java.available) { if (Java.available) {
hook_json() hook_json()
Java.perform(function () { let class_name = "okhttp3.OkHttpClient"
try { if (check_class(class_name)){
var OkHttpClient = Java.use("okhttp3.OkHttpClient"); hook_okhttp_client()
console.log(OkHttpClient.toString()) }
if (OkHttpClient != null){
hook_okhttp_client();
log_info("OkHttp detected in the app");
}
} catch (e) {
log_info("OkHttp not detected in the app");
}
});
Java.perform(function () { Java.perform(function () {
log_info("start hook java.net.URL"); log_info("start hook java.net.URL");
var URL = Java.use('java.net.URL'); var URL = Java.use('java.net.URL');
@@ -49,10 +41,6 @@ function hook_okhttp_client() {
log_info("start hook_okhttp_client.") log_info("start hook_okhttp_client.")
try { try {
var OkHttpClient = Java.use("okhttp3.OkHttpClient"); var OkHttpClient = Java.use("okhttp3.OkHttpClient");
// log_info("OkHttpClient: " + OkHttpClient.toString());
var class_name = OkHttpClient.$className;
console.log(class_name+ "-------")
printMethods(OkHttpClient.toString());
OkHttpClient.newCall.overload('okhttp3.Request').implementation = function (request) { OkHttpClient.newCall.overload('okhttp3.Request').implementation = function (request) {
var requestUrl = request.url(); var requestUrl = request.url();
if (requestUrl) { if (requestUrl) {
@@ -60,12 +48,11 @@ function hook_okhttp_client() {
} else { } else {
console.log("OkHttp Request URL is not available"); console.log("OkHttp Request URL is not available");
} }
// console.log("OkHttp Request Headers: " + request.headers().toString()); console.log("OkHttp Request Headers: " + request.headers().toString());
// if (request.method() == "POST") {
// console.log("OkHttp Request Body: " + request.body().contentType().toString());
// }
if (request.method() == "POST") {
console.log("OkHttp Request Body: " + request.body().contentType().toString());
}
var call = this.newCall(request); var call = this.newCall(request);
var response = call.execute(); var response = call.execute();
console.log("OkHttp Response: " + response.body().string()); console.log("OkHttp Response: " + response.body().string());
@@ -158,8 +145,8 @@ function hook_json() {
var JSONObject = Java.use('org.json.JSONObject'); var JSONObject = Java.use('org.json.JSONObject');
JSONObject.toString.overload().implementation = function () { JSONObject.toString.overload().implementation = function () {
var result = this.toString.call(this); var result = this.toString.call(this);
// console.log("Serialized JSONObject: " + result); // get_conversions(result)
log_info("Serialized JSONObject: " + result) // log_info("Serialized JSONObject: " + result)
return result; return result;
}; };
}); });
@@ -179,4 +166,32 @@ function log_info(messages) {
const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`; const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
console.log(`${timestamp} - ${messages}`); console.log(`${timestamp} - ${messages}`);
} send(`${timestamp} - ${messages}`);
}
function check_class(class_name) {
var classFound = false; // 默认为未找到
Java.enumerateLoadedClasses({
onMatch: function(currentClassName) {
if (currentClassName === class_name) {
classFound = true; // 如果找到了类则设置为true
}
},
onComplete: function() {
if (classFound) {
log_info(class_name + " has been loaded!");
} else {
log_info(class_name + " has not been loaded yet.");
}
}
});
return classFound;
}
recv('input_data', function(payload) {
console.log(typeof(payload))
console.log(JSON.stringify(payload))
console.log('Received data from Python: ' + payload.payload.data);
});

40
scripts/hook_qqmusic.js Normal file
View File

@@ -0,0 +1,40 @@
log_info("Script loaded successfully");
if (Java.available) {
hook_json()
Java.perform(function () {
log_info("start hook java.net.URL");
var URL = Java.use('java.net.URL');
URL.$init.overload('java.lang.String').implementation = function (spec) {
log_info("URL request: " + spec)
return this.$init(spec);
};
});
}
function log_info(messages) {
const now = new Date();
const year = now.getFullYear();
const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
const day = String(now.getDate()).padStart(2, '0');
const hours = String(now.getHours()).padStart(2, '0');
const minutes = String(now.getMinutes()).padStart(2, '0');
const seconds = String(now.getSeconds()).padStart(2, '0');
const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
console.log(`${timestamp} - ${messages}`);
send(`${timestamp} - ${messages}`);
}
function hook_json() {
Java.perform(function () {
var JSONObject = Java.use('org.json.JSONObject');
JSONObject.toString.overload().implementation = function () {
var result = this.toString.call(this);
// get_conversions(result)
log_info("Serialized JSONObject: " + result)
return result;
};
});
}

6
hookssl.js → scripts/hookssl.js
View File

@@ -1,3 +1,4 @@
console.log("Script loaded successfully");
Java.perform(function() { Java.perform(function() {
/* /*
@@ -67,11 +68,6 @@ hook list:
} catch (e) { } catch (e) {
quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message); quiet_send("registerClass from X509TrustManager >>>>>>>> " + e.message);
} }
// Prepare the TrustManagers array to pass to SSLContext.init() // Prepare the TrustManagers array to pass to SSLContext.init()
var TrustManagers = [TrustManager.$new()]; var TrustManagers = [TrustManager.$new()];

32
scripts/monitor_request.js Normal file
View File

@@ -0,0 +1,32 @@
log_info("Script loaded successfully");
Java.perform(function () {
var OkHttpClient = Java.use('okhttp3.OkHttpClient');
var Request = Java.use('okhttp3.Request');
OkHttpClient.newCall.implementation = function (request) {
var url = request.url().toString();
var method = request.method();
var body = request.body();
var size = body != null ? body.contentLength() / 1024 : 0;
console.log("Method: " + method + "\nURL: " + url + "\nSize: " + size + " kb");
return this.newCall(request);
};
});
function log_info(messages) {
const now = new Date();
const year = now.getFullYear();
const month = String(now.getMonth() + 1).padStart(2, '0'); // Months are 0-based
const day = String(now.getDate()).padStart(2, '0');
const hours = String(now.getHours()).padStart(2, '0');
const minutes = String(now.getMinutes()).padStart(2, '0');
const seconds = String(now.getSeconds()).padStart(2, '0');
const milliseconds = String(now.getMilliseconds()).padStart(3, '0');
const timestamp = `${year}-${month}-${day} ${hours}:${minutes}:${seconds}:${milliseconds}`;
console.log(`${timestamp} - ${messages}`);
send(`${timestamp} - ${messages}`);
}

20
scripts/test.js Normal file
View File

@@ -0,0 +1,20 @@
Java.perform(function() {
var ByteArrayOutputStream = Java.use('java.io.ByteArrayOutputStream');
var HttpsURLConnection = Java.use('javax.net.ssl.HttpsURLConnection');
HttpsURLConnection.getOutputStream.implementation = function() {
var outputStream = this.getOutputStream();
// 创建一个新的 ByteArrayOutputStream 实例,以便于我们读取数据。
var byteArrayOutputStream = ByteArrayOutputStream.$new();
outputStream.write.overload('[B').implementation = function(buffer) {
byteArrayOutputStream.write(buffer);
console.log("[*] Data written to URL:", this.getURL().toString());
console.log("[*] Data:", byteArrayOutputStream.toString('UTF-8'));
return outputStream.write(buffer);
};
return outputStream;
};
});

82
scripts/url_request.js Normal file
View File

@@ -0,0 +1,82 @@
Java.perform(function() {
var URL = Java.use("java.net.URL");
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
var HttpURLConnection = Java.use("java.net.HttpURLConnection");
var OutputStreamWriter = Java.use("java.io.OutputStreamWriter");
var BufferedReader = Java.use("java.io.BufferedReader");
var InputStreamReader = Java.use("java.io.InputStreamReader");
var OutputStream = Java.use('java.io.OutputStream');
var OkHttpClient = Java.use('okhttp3.OkHttpClient');
URL.$init.overload('java.lang.String').implementation = function(url) {
console.log("[*] URL init:", url.toString());
return this.$init(url);
};
HttpsURLConnection.setDoOutput.implementation = function(value) {
console.log("[*]HttpsURLConnection setDoOutput:", value);
return this.setDoOutput(value);
};
HttpsURLConnection.setRequestProperty.implementation = function(key, value) {
console.log("[*] setRequestProperty:", key, value);
return this.setRequestProperty(key, value);
};
HttpsURLConnection.getOutputStream.implementation = function() {
console.log("[*] getOutputStream");
return this.getOutputStream();
};
HttpURLConnection.setRequestProperty.implementation = function(key, value) {
console.log("[*] setRequestProperty:", key, value);
return this.setRequestProperty(key, value);
};
HttpURLConnection.setDoOutput.implementation = function(value) {
console.log("[*]HttpURLConnection setDoOutput:", value);
return this.setDoOutput(value);
};
// HttpURLConnection.getOutputStream.implementation = function() {
// console.log("[*] getOutputStream");
// var outputStream = this.getOutputStream();
//
// outputStream.write.overload('[B').implementation = function(buffer) {
// console.log("[*] Data written:", Java.array('byte', buffer).toString());
// return this.write(buffer);
// };
// return outputStream;
// };
// OutputStream.write.overload('[B').implementation = function(buffer) {
// console.log("[*] Data written:", Java.array('byte', buffer).toString());
// return this.write(buffer);
// };
BufferedReader.readLine.overload().implementation = function() {
var line = this.readLine();
// console.log("[*] BufferedReader.readLine:", line);
return line;
};
InputStreamReader.$init.overload('java.io.InputStream').implementation = function(stream) {
console.log("[*] InputStreamReader.init:", stream);
return this.$init(stream);
};
OkHttpClient.newCall.overload('okhttp3.Request').implementation = function(request) {
console.log("[*] Request URL:", request.url().toString());
console.log("[*] Request Headers:", request.headers().toString());
if (request.method() == "POST") {
console.log("[*] Request Body:", request.body().toString());
}
return this.newCall(request);
};
});

2
test.py
View File

@@ -1,7 +1,7 @@
import frida,sys import frida,sys
import modules.files_utils import modules.files_utils
js_code = modules.files_utils.read_javascript("./hook_conversions.js") js_code = modules.files_utils.read_javascript("scripts/hook_conversions.js")
device = frida.get_usb_device() device = frida.get_usb_device()
pid = device.spawn(["com.naviapp"]) # 以挂起方式创建进程 pid = device.spawn(["com.naviapp"]) # 以挂起方式创建进程
process = device.attach(pid) process = device.attach(pid)