发帖
翼度科技»论坛 编程开发 python 查看内容

Frida-trace常用命令

快乐肥淞鼠

5

主题

5

帖子

15

积分

新手上路

Rank: 1

积分
15
显示全部楼层
转载:https://blog.csdn.net/tslx1020/article/details/128250777
1、spawn - 冷启动
  1. frida-trace -U -f com.apple.ExampleCode -m “+[NSURL URLWithString:]"
复制代码
2、attach - 热启动
  1. frida-trace -UF -m “+[NSURL URLWithString:]"
复制代码
3、Hook类方法
  1. frida-trace -UF -m “+[NSURL URLWithString:]"
复制代码
4、Hook实例方法
  1. frida-trace -UF -m “-[NSURL host]"
复制代码
5、Hook类的所有方法
  1. frida-trace -UF -m “*[NSURL *]"
复制代码
6、模糊Hook类的所有方法
  1. frida-trace -UF -m “*[service *]"
复制代码
7、模糊Hook所有类的特定方法
  1. frida-trace -UF -m “[ sign]"
复制代码
8、模糊Hook所有类的特定方法并忽略大小写

假设我们要hook所有类中包含getSign或getsign关键词的方法
  1. frida-trace -UF -m “[ get?ign]"
复制代码
9、模糊Hook所有类的特定方法并排除viewDidLoad方法
  1. frida-trace -UF -m “*[DetailViewController *]" -M “-[DetailViewController viewDidLoad]"
复制代码
10、Hook某个动态库
  1. frida-trace -UF -I “libcommonCrypto*"
复制代码
11、Hook get或post的接口地址
  1. frida-trace -UF -m "+[NSURL URLWithString:]"
复制代码
js例子
  1. {
  2.   onEnter(log, args, state) {
  3.     var args2 = new ObjC.Object(args[2]);
  4.     log(`-[NSURL URLWithString:${args2}]`);
  5.   },
  6.   onLeave(log, retval, state) {
  7.   }
  8. }
复制代码
12、Hook post的body
  1. frida-trace -UF -m “-[NSMutableURLRequest setHTTPBody:]”
复制代码
js例子
  1. {
  2.   onEnter(log, args, state) {
  3.     var args2 = new ObjC.Object(args[2]);
  4.     log(`-[NSMutableURLRequest setHTTPBody:${args2.bytes().readUtf8String(args2.length())}]`);
  5.   },
  6.   onLeave(log, retval, state) {
  7.   }
  8. }
复制代码
13、Hook即将显示页面
  1. frida-trace -UF -m “-[UINavigationController pushViewController:animated:]” -m “-[UIViewController presentViewController:animated:completion:]”
  4. pushViewController:animated:方法的js代码如下:
  5. {
  6.   onEnter(log, args, state) {
  7.     var args2 = new ObjC.Object(args[2]);
  8.     log(`-[UINavigationController pushViewController:${args2.$className} animated:${args[3]}]`);
  9.   },
  10.   onLeave(log, retval, state) {
  11.   }
  12. }
  14. presentViewController:animated:completion:
  15. {
  16.   onEnter(log, args, state) {
  17.     var args2 = new ObjC.Object(args[2]);
  18.     log(`-[UIViewController presentViewController:${args2.$className} animated:${args[3]} completion:${args[4]}]`);
  19.   },
  20.   onLeave(log, retval, state) {
  21.   }
  22. }
复制代码
14、Hook 通用加密算法

Md5
  1. frida-trace -UF -i “CC_MD5”
  4. #js
  5. {
  6.   onEnter(log, args, state) {
  7.     this.args0 = args[0];        // 入参
  8.     this.args2 = args[2];        // 返回值指针
  9.   },
  10.   onLeave(log, retval, state) {
  11.     var ByteArray = Memory.readByteArray(this.args2, 16);
  12.     var uint8Array = new Uint8Array(ByteArray);
  14.     var str = "";
  15.     for(var i = 0; i < uint8Array.length; i++) {
  16.         var hextemp = (uint8Array[i].toString(16))
  17.         if(hextemp.length == 1){
  18.             hextemp = "0" + hextemp
  19.         }
  20.         str += hextemp;
  21.     }
  22.     log(`CC_MD5(${this.args0.readUtf8String()})`);           // 入参
  23.     log(`CC_MD5()=${str}=`);        // 返回值
  24.   }
  25. }
复制代码
Base64编码方法
  1. frida-trace -UF -m “-[NSData base64EncodedStringWithOptions:]”
  3. #js
  4. {
  5.   onEnter(log, args, state) {
  6.     this.self = args[0];
  7.   },
  8.   onLeave(log, retval, state) {
  9.     var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.self, 4);
  10.     var after = new ObjC.Object(retval);
  11.     log(`-[NSData base64EncodedStringWithOptions:]before=${before}=`);
  12.     log(`-[NSData base64EncodedStringWithOptions:]after=${after}=`);
  13.   }
  14. }
复制代码
Base64解码
  1. frida-trace -UF -m “-[NSData initWithBase64EncodedData:options:]” -m “-[NSData initWithBase64EncodedString:options:]”
  3. initWithBase64EncodedData:options:方法对应的js代码如下:
  4. {
  5.   onEnter(log, args, state) {
  6.     this.arg2 = args[2];
  7.   },
  8.   onLeave(log, retval, state) {
  9.     var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.arg2, 4);
  10.     var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
  11.     log(`-[NSData initWithBase64EncodedData:]before=${before}=`);
  12.     log(`-[NSData initWithBase64EncodedData:]after=${after}=`);
  13.   }
  14. }
  17. initWithBase64EncodedString:options:方法对应的js代码如下:
  18. {
  19.   onEnter(log, args, state) {
  20.     this.arg2 = args[2];
  21.   },
  22.   onLeave(log, retval, state) {
  23.     var before = new ObjC.Object(this.arg2);
  24.     var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
  25.     log(`-[NSData initWithBase64EncodedString:]before=${before}=`);
  26.     log(`-[NSData initWithBase64EncodedString:]after=${after}=`);
  27.   }
  28. }
复制代码
加密函数AES、DES、3DES
  1. frida-trace -UF -i CCCrypt
  3. #js
  4. {
  5.         onEnter: function(log, args, state) {
  6.                 this.op = args[0]
  7.                 this.alg = args[1]
  8.                 this.options = args[2]
  9.                 this.key = args[3]
  10.                 this.keyLength = args[4]
  11.                 this.iv = args[5]
  12.                 this.dataIn = args[6]
  13.                 this.dataInLength = args[7]
  14.                 this.dataOut = args[8]
  15.                 this.dataOutAvailable = args[9]
  16.                 this.dataOutMoved = args[10]
  18.                 log('CCCrypt(' +
  19.                         'op: ' + this.op + '[0:加密,1:解密]' + ', ' +
  20.                         'alg: ' + this.alg + '[0:AES128,1:DES,2:3DES]' + ', ' +
  21.                         'options: ' + this.options + '[1:ECB,2:CBC,3:CFB]' + ', ' +
  22.                         'key: ' + this.key + ', ' +
  23.                         'keyLength: ' + this.keyLength + ', ' +
  24.                         'iv: ' + this.iv + ', ' +
  25.                         'dataIn: ' + this.dataIn + ', ' +
  26.                         'inLength: ' + this.inLength + ', ' +
  27.                         'dataOut: ' + this.dataOut + ', ' +
  28.                         'dataOutAvailable: ' + this.dataOutAvailable + ', ' +
  29.                         'dataOutMoved: ' + this.dataOutMoved + ')')
  31.                 if (this.op == 0) {
  32.                         log("dataIn:")
  33.                         log(hexdump(ptr(this.dataIn), {
  34.                                 length: this.dataInLength.toInt32(),
  35.                                 header: true,
  36.                                 ansi: true
  37.                         }))
  38.                         log("key: ")
  39.                         log(hexdump(ptr(this.key), {
  40.                                 length: this.keyLength.toInt32(),
  41.                                 header: true,
  42.                                 ansi: true
  43.                         }))
  44.                         log("iv: ")
  45.                         log(hexdump(ptr(this.iv), {
  46.                                 length: this.keyLength.toInt32(),
  47.                                 header: true,
  48.                                 ansi: true
  49.                         }))
  50.                 }
  51.         },
  52.         onLeave: function(log, retval, state) {
  53.                 if (this.op == 1) {
  54.                         log("dataOut:")
  55.                         log(hexdump(ptr(this.dataOut), {
  56.                                 length: Memory.readUInt(this.dataOutMoved),
  57.                                 header: true,
  58.                                 ansi: true
  59.                         }))
  60.                         log("key: ")
  61.                         log(hexdump(ptr(this.key), {
  62.                                 length: this.keyLength.toInt32(),
  63.                                 header: true,
  64.                                 ansi: true
  65.                         }))
  66.                         log("iv: ")
  67.                         log(hexdump(ptr(this.iv), {
  68.                                 length: this.keyLength.toInt32(),
  69.                                 header: true,
  70.                                 ansi: true
  71.                         }))
  72.                 } else {
  73.                         log("dataOut:")
  74.                         log(hexdump(ptr(this.dataOut), {
  75.                                 length: Memory.readUInt(this.dataOutMoved),
  76.                                 header: true,
  77.                                 ansi: true
  78.                         }))
  79.                 }
  80.                 log("CCCrypt did finish")
  81.         }
  82. }
复制代码
RSA
  1. frida-trace -UF -i “SecKeyEncrypt” -i “SecKeyRawSign”
  3. SecKeyEncrypt公钥加密函数对应的js代码如下:
  4. {
  5.   onEnter(log, args, state) {
  6.     // 由于同一条加密信息可能会多次调用该函数,故在这输出该函数的调用栈。可根据栈信息去分析上层函数
  7.     log(`SecKeyEncrypt()=${args[2].readCString()}=`);
  8.     log('SecKeyEncrypt called from:\n' +
  9.         Thread.backtrace(this.context, Backtracer.ACCURATE)
  10.         .map(DebugSymbol.fromAddress).join('\n') + '\n');
  11.   },
  12.   onLeave(log, retval, state) {
  13.   }
  14. }
  16. SecKeyRawSign私钥加密函数对应的js代码如下:
  17. {
  18.   onEnter(log, args, state) {
  19.     log(`SecKeyRawSign()=${args[2].readCString()}=`);
  20.     log('SecKeyRawSign called from:\n' +
  21.         Thread.backtrace(this.context, Backtracer.ACCURATE)
  22.         .map(DebugSymbol.fromAddress).join('\n') + '\n');
  23.   },
  24.   onLeave(log, retval, state) {
  25.   }
  26. }
复制代码
15.修改方法的入参
  1. frida-trace -UF -m “-[DetailViewController setObj:]”
  4. #js
  5. /*
  6. * Auto-generated by Frida. Please modify to match the signature of -[DetailViewController setObj:].
  7. * This stub is currently auto-generated from manpages when available.
  8. *
  9. * For full API reference, see: https://frida.re/docs/javascript-api/
  10. */
  12. {
  13.   /**
  14.    * Called synchronously when about to call -[DetailViewController setObj:].
  15.    *
  16.    * @this {object} - Object allowing you to store state for use in onLeave.
  17.    * @param {function} log - Call this function with a string to be presented to the user.
  18.    * @param {array} args - Function arguments represented as an array of NativePointer objects.
  19.    * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
  20.    * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
  21.    * @param {object} state - Object allowing you to keep state across function calls.
  22.    * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
  23.    * However, do not use this to store function arguments across onEnter/onLeave, but instead
  24.    * use "this" which is an object for keeping state local to an invocation.
  25.    */
  26.   onEnter(log, args, state) {
  27.     var self = new ObjC.Object(args[0]);  // 当前对象
  28.     var method = args[1].readUtf8String();  // 当前方法名
  29.     log(`[${self.$className} ${method}]`);
  31.     // 字符串
  32.     // var str = ObjC.classes.NSString.stringWithString_("hi wit!")  // 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
  33.     // args[2] = str  // 修改入参为字符串
  35.     // 数组
  36.     // var array = ObjC.classes.NSMutableArray.array();  // 对应的oc语法:NSMutableArray array = [NSMutablearray array];
  37.     // array.addObject_("item1");  // 对应的oc语法:[array addObject:@"item1"];
  38.     // array.addObject_("item2");  // 对应的oc语法:[array addObject:@"item2"];
  39.     // args[2] = array; // 修改入参为数组
  41.     // 字典
  42.     // var dictionary = ObjC.classes.NSMutableDictionary.dictionary(); // 对应的oc语法:NSMutableDictionary *dictionary = [NSMutableDictionary dictionary];
  43.     // dictionary.setObject_forKey_("value1", "key1"); // 对应的oc语法:[dictionary setObject:@"value1" forKey:@"key1"]
  44.     // dictionary.setObject_forKey_("value2", "key2"); // 对应的oc语法:[dictionary setObject:@"value2" forKey:@"key2"]
  45.     // args[2] = dictionary; // 修改入参为字典
  47.     // 字节
  48.     var data = ObjC.classes.NSMutableData.data(); // 对应的oc语法:NSMutableData *data = [NSMutableData data];
  49.     var str = ObjC.classes.NSString.stringWithString_("hi wit!")  // 获取一个字符串。 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
  50.     var subData = str.dataUsingEncoding_(4);  // 将str转换为data,编码为utf-8。对应的oc语法:NSData *subData = [str dataUsingEncoding:NSUTF8StringEncoding];
  51.     data.appendData_(subData);  // 将subData添加到data。对应的oc语法:[data appendData:subData];
  52.     args[2] = data; // 修改入参字段
  54.     // 更多数据类型:https://developer.apple.com/documentation/foundation
  55.   },
  57.   onLeave(log, retval, state) {
  59.   }
  60. }
复制代码
16、修改方法的返回值
  1. frida-trace -UF -m “-[DetailViewController Obj]”
  3. #js
  4. {
  5.   onEnter(log, args, state) {
  7.   },
  8.   onLeave(log, retval, state) {
  9.     // 字符串
  10.     var str = ObjC.classes.NSString.stringWithString_("hi wit!")  // 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
  11.     retval.replace(str)  // 修改返回值
  12.     var after = new ObjC.Object(retval); // 打印出来是个指针时,请用该方式转换后再打印
  13.     log(`before:=${retval}=`);
  14.     log(`after:=${after}=`);
  15.   }
  16. }
复制代码
17、打印字符串、数组、字典
  1. frida-trace -UF -m “-[DetailViewController setObj:]”
  3. {
  4.   onEnter(log, args, state) {
  5.     var self = new ObjC.Object(args[0]);  // 当前对象
  6.     var method = args[1].readUtf8String();  // 当前方法名
  7.     log(`[${self.$className} ${method}]`);
  9.     var before = args[2];
  10.     // 注意,日志输出请直接使用log函数。不要使用console.log()
  11.     var after = new ObjC.Object(args[2]); // 打印出来是个指针时,请用该方式转换后再打印
  12.     log(`before:=${before}=`);
  13.     log(`after:=${after}=`);
  14.   },
  15.   onLeave(log, retval, state) {
  17.   }
  18. }
复制代码
18、打印NSData
  1. frida-trace -UF -m “-[DetailViewController setObj:]”
  3. #js
  4. {
  5.   onEnter(log, args, state) {
  6.     var self = new ObjC.Object(args[0]);  // 当前对象
  7.     var method = args[1].readUtf8String();  // 当前方法名
  8.     log(`[${self.$className} ${method}]`);
  10.     var before = args[2];
  12.     // 注意,日志输出请直接使用log函数。不要使用console.log()
  13.    
  14.     var after = new ObjC.Object(args[2]); // 打印NSData
  15.     var outValue = after.bytes().readUtf8String(after.length()) // 将data转换为string
  16.     log(`before:=${before}=`);
  17.     log(`after:=${outValue}=`);
  18.   },
  19.   onLeave(log, retval, state) {
  21.   }
  22. }
复制代码
19、打印对象的所有属性和方法

[code]frida-trace -UF -m “-[DetailViewController setObj:]”#js{  onEnter(log, args, state) {    var self = new ObjC.Object(args[0]);  // 当前对象    var method = args[1].readUtf8String();  // 当前方法名    log(`[${self.$className} ${method}]`);    var customObj = new ObjC.Object(args[2]); // 自定义对象    // 打印该对象所有属性    var ivarList = customObj.$ivars;    for (key in ivarList) {       log(`key${key}=${ivarList[key]}=`);    }    // 打印该对象所有方法    var methodList = customObj.$methods;    for (var i=0; i

上一篇: pycharm下载安装与基本配置

下一篇: Python实现抽奖程序

发表于 2023-1-17 12:57:59

举报 回复 使用道具

返回列表 发新帖

Archiver|手机版|小黑屋|翼度科技

Copyright © 2001-2020, Tencent Cloud. Powered by Discuz! X3.4