lasting-yang / frida_hook_libart Goto Github PK
View Code? Open in Web Editor NEWFrida hook some jni functions
License: MIT License
frida_hook_libart's Introduction
frida_hook_libart's People
Contributors
Stargazers
Watchers
Forkers
yuknight koflfy chago pancts shiqwang beordle shuixi2013 fengjixuchui barryhippo brucehe1026 svengong huvuqu jimmyjones97 q251995379 crackercat zekn breathleas xmhwws sweetink woozoo86 mayl8822 bl382137136 super-keys 35099644 jtduan ghostrong1983 hu0097 hisygg lancechung8888 jacobi2017 kingking888 bingwin mockybang whhqhy alienwarehe killvxk wdnmd-rushb pxx199181 0xffc2 damnya flewsea w-wenzhong doself fathui widy28 stjack stantoxt frank13810055034 cydianyu yincs 309746069 beyondmark dev-bobbie skye1989 wyu0hop windseason666 liujianying cqkyn yukar1z0e netstu akshayjaing shad0wxp yangbo637829 brinedfish zbx911 jackjosnlv guuzeing onegithuber vgyg zuiliu ilovehairtail whitegl0ves zjwhy waylandgod xianghu tututu-patch qiang lu-dashuai xwangkai tigerwood lzh110686 xiaoran-xr supperspiderman lemniscate317 gallonyin tangxuesong6 darksand marming19 pkm1118 flyingheart binge1993 kuniao dxcyber409 gitwk86 fwb7014 arryboom zhyfff seraphn piowind lr-zhaofrida_hook_libart's Issues
Process crashed: Bad access due to invalid address
frida -U -f com.app--pause --exit-on-error --kill-on-exit -l .\hook_artmethod.js
____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to SM-G960N (id=127.0.0.1:5565)
Spawning `com.app`...
android_dlopen_ext: 0xc7f2d8f0 dlopen: 0xc7f2d9f0
_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc
...
...
...
ArtMethod Invoke:sun.nio.ch.FileChannelImpl.write called from:
0xc32a85b7 libart.so!_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0x127
0xc32a0458 libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x268
0xc36082af libart.so!MterpInvokeVirtual+0x2cf
0xc30869a2 libart.so!ExecuteMterpImpl+0x37a2
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
0xc32a043c libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x24c
0xc3609f7f libart.so!MterpInvokeStatic+0x19f
0xc3086b22 libart.so!ExecuteMterpImpl+0x3922
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
0xc32a043c libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x24c
0xc3609f7f libart.so!MterpInvokeStatic+0x19f
0xc3086b22 libart.so!ExecuteMterpImpl+0x3922
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/android_x86/x86:7.1.2/N2G48B/327:user/release-keys'
Revision: '0'
ABI: 'x86'
pid: 3574, tid: 3599, name: .15(596040118)) >>> **com.app<<<**
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4
eax 00000000 ebx 00000df6 ecx 00000e0f edx 0000000b
esi 95980c4c edi 959809f0
xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
eip c7f28c10 ebp 95980a70 esp 95980988 flags 00000296
backtrace:
#00 pc 00000c10 [vdso:c7f28000] (__kernel_vsyscall+16)
#01 pc 0007ac08 /system/bin/linker (offset 0x5000)
***
对于动态加载的so,无法找到模块
360加固自己实现了类似linker的so加载,这样加载出来的so无法被被识别为module,find_module为null
cannot read property 'base' of null
[RegisterNatives] method_count: 0x1
TypeError: cannot read property 'base' of null
at onEnter (/hook_RegisterNatives.js:42)
[RegisterNatives] method_count: 0xc
[RegisterNatives] method_count: 0x9
TypeError: cannot read property 'base' of null
at onEnter (/hook_RegisterNatives.js:42)
TypeError: cannot read property 'base' of null
at onEnter (/hook_RegisterNatives.js:42)
这个错误是因为模拟器导致的吗?
你好, 我使用这个工具hook xhs时出现Error: abort was called at /repl1.js:77 Process crashed: Trace/BPT trap
建议加个so过滤
native 调用jni function 太多,可以考虑加个过滤机制,减小日志大小
请问registerNative第一个参数class怎么用frida打印出名字呢。
想输出注册的是哪个类。
Process crashed: Trace/BPT trap
frida -U --no-pause -f com.cubic.xxx -l hook_RegisterNatives.js
报一下问题,是什么原因呢?
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: b sig: (Landroid/content/Context;Landroid/app/Application;)V fnPtr: 0xcec98a15 fnOffset: 0xcec98a15 libDexHelper.so!0x17a15 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: c sig: ()V fnPtr: 0xcec9aa65 fnOffset: 0xcec9aa65 libDexHelper.so!0x19a65 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: d sig: (Ljava/lang/String;)Ljava/lang/String; fnPtr: 0xceca0639 fnOffset: 0xceca0639 libDexHelper.so!0x1f639 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: e sig: (Ljava/lang/Object;Ljava/util/List;Ljava/lang/String;)[Ljava/lang/Object; fnPtr: 0xceca1175 fnOffset: 0xceca1175 libDexHelper.so!0x20175 callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: bb sig: (Landroid/content/Context;Landroid/app/Application;Landroid/app/Application;)V fnPtr: 0xcec98dfd fnOffset: 0xcec98dfd libDexHelper.so!0x17dfd callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: o sig: (Landroid/content/Context;)I fnPtr: 0xceca960d fnOffset: 0xceca960d libDexHelper.so!0x2860d callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: p sig: ()V fnPtr: 0xcec9383d fnOffset: 0xcec9383d libDexHelper.so!0x1283d callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: q sig: ()I fnPtr: 0xcec96e5d fnOffset: 0xcec96e5d libDexHelper.so!0x15e5d callee: 0xcec986f3 libDexHelper.so!0x176f3
[RegisterNatives] java_class: com.secneo.apkwrapper.H name: mu sig: ()I fnPtr: 0xcec96f5d fnOffset: 0xcec96f5d libDexHelper.so!0x15f5d callee: 0xcec986f3 libDexHelper.so!0x176f3
Process crashed: Trace/BPT trap
hook_RegisterNatives Android11无法正常输出打印
机型:pixle3
系统:安卓11
其他:安装面具已经获得root 安装LSposed
执行 frida -U --no-pause -f com.ss.android.ugc.aweme -l hook_RegisterNatives.js
只能打印两行注册地址:
RegisterNatives is at ···
RegisterNatives is at ···
切换到安卓8的手机之后恢复正常
大佬们,那个hook出来的 fnOffset: 0xbc6b4 就是函数的偏移地址吗
cant work hook_art
wxxdeMacBook-Pro:frida_hook_libart-master wxx$ frida -U -f com.xingin.xhs -l hook_art.js
____
/ _ | Frida 15.1.23 - A world-class dynamic instrumentation toolkit
| (| |
> _ | Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to ONEPLUS A3010 (id=f3f66c2c)
Failed to spawn: command failed: 99
hook_art.js
使用 hook_art.js 会爆Failed to load script: script(line 2): SyntaxError: parse error 这个错误呀
模拟器无法hook无效
hello,大佬,模拟器是不是不支持,注入js文件之后没打印任何东西。
您好,麻烦问个问题。我在使用 frida -U --no-pause -f com.xingin.xhs -l ./hook_art.js 命令后 app会启动,但是模拟器会重启,用的是逍遥模拟器。
我截个图,麻烦帮忙看下,多谢。
resuming main thread
as i hook the registernatives,it suddenly
stop and prompt that resuming main thread with only the "RegisterNatives is at 0x777e602380 _ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi" outputs.
it seemly havent attach in
hook_Registernatives.js fnoffset计算的问题
commit c42bb2e0beb00f51b13a9482641fbeda0e2c4dba里
把上一条修改fnOffset的地方回退了
" fnOffset:", ptr(fnPtr_ptr).sub(find_module.base)
现在:
" fnOffset:", symbol,
建议加个指定so名字的参数
建议加个指定so名字的参数,栈回溯一下,如果返回地址在某个so代码段范围则监控。
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.