Calling exported functions at will with Frida

Besides hooking, Frida provides an RPC interface: you can export a chosen function and then call it whenever you like.

In 1.js, specify the class and method to export (if the method is not static, create an instance with $new() first); the Python file then loads 1.js and calls the export with the corresponding parameters. If the parameters are passed in over HTTP, this turns into a service framework, for example Hrida by salt (https://github.com/5alt/hrida).

#coding:utf-8

import frida


js_code = '''
rpc.exports = {
    myfunc: function (aa, bb, cc) {
        var result = null;
        Java.perform(function () {
            try {
                var classf = Java.use('com.alipay.android.phone.wallet.sharetoken.service.f');
                result = classf.a(aa, bb, cc);  // a is a static method
                // var f = classf.$new();  a non-static method needs an instance created with $new()
                console.log("myfunc result: " + result);
            } catch (e) {
                console.log(e);
            }
        });
        return result;
    }
};
'''


def my_message_handler(message, payload):
    # Receives console.log output and send() messages from the script
    print(message)
    print(payload)


rdev = frida.get_usb_device()
session = rdev.attach("com.eg.android.AlipayGphone")


script = session.create_script(js_code)
script.on("message", my_message_handler)
script.load()

command = ""
while True:
    # Python 3; on Python 2 use raw_input() instead
    command = input("Enter command:\n9999: Exit\nothers: Call secret function\nchoice:")
    if command == "9999":
        break
    else:
        a = "b54578ff9d5fcbf6d26ecefced9a2cf27ea6b88d07328f338a31e4437c5caf9fe0fc44cf068c9196bd81412c70ad7b0dfc4e2c91c4d729509ef61e3a669897181ade46ef836b2e3404193fbeb074065384a17620c05afa7d7426c27b804cd108"
        b = None
        c = "快来吱付寳,赐我富强福,一起集五福迎新春!丹昂达菏P辰霆3勾闲岔FUdldo"
        script.exports.myfunc(a, b, c)
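As an added example (not the page's script and not Hrida's code), here is the HTTP wrapping described above: a generic rpc export takes the class name, static method name and argument list from a JSON POST, and a small bridge forwards each request to script.exports. EchoExports is a constructed stand-in for script.exports so the bridge can be tried with no device attached; com.example.Crypto is a hypothetical class name used only for illustration.

```python
import json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

JS_CODE = r'''
rpc.exports = {
  invoke: function (cls, method, args) {  // class, static method and args come from the request
    var result = null;
    Java.perform(function () {
      var klass = Java.use(cls);        // e.g. 'com.example.Crypto' (hypothetical class name)
      result = klass[method](...args);  // static method; use klass.$new() for instance methods
    });
    return result;
  }
};
'''
def attach(package):  # needs frida installed and a USB device; returns script.exports
    import frida  # imported lazily so the HTTP bridge below still runs without frida
    script = frida.get_usb_device().attach(package).create_script(JS_CODE)
    script.load()
    return script.exports
class EchoExports:  # constructed stand-in for script.exports, so the bridge can be exercised offline
    def invoke(self, cls, method, args):
        return "%s.%s(%s)" % (cls, method, ", ".join(map(str, args)))
def make_handler(exports):
    class RpcHandler(BaseHTTPRequestHandler):
        def do_POST(self):  # request body: {"cls": "...", "method": "...", "args": [...]}
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
            try:
                status, reply = 200, {"result": exports.invoke(body["cls"], body["method"], body["args"])}
            except Exception as e:  # malformed request, or a Java exception surfaced by Frida
                status, reply = 400, {"error": str(e)}
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(json.dumps(reply).encode("utf-8"))
    return RpcHandler
def serve(exports, host="127.0.0.1", port=0):  # port 0 = let the OS pick a free port
    server = HTTPServer((host, port), make_handler(exports))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
def call_remote(url, cls, method, args):  # client side: returns {"result": ...} or {"error": ...}
    req = Request(url, data=json.dumps({"cls": cls, "method": method, "args": args}).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req) as resp:
            return json.loads(resp.read())
    except HTTPError as e:
        return json.loads(e.read())
```

With a real device, replace EchoExports() with attach("<package name>") and the same bridge drives the export inside the app; bind it to loopback only, since anyone who can reach the port can call the exported method.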