Using Frida on macOS

An introduction to the basic use of the Frida framework.

Injecting into the target process with the Gadget

The usual spawn-and-inject route (frida -f <binary>) does not work here because of macOS's security protections: SIP stops Frida from injecting into Apple-signed binaries in protected locations such as /bin/cat. Instead, copy the binary somewhere unprotected and have dyld load the Frida Gadget into the copy through DYLD_INSERT_LIBRARIES:

seveniruby:~ seveniruby$ cp /bin/cat  /tmp/cat
seveniruby:~ seveniruby$ DYLD_INSERT_LIBRARIES=/Users/seveniruby/Downloads/frida-gadget-12.11.6-macos-universal.dylib /tmp/cat
[Frida INFO] Listening on 127.0.0.1 TCP port 27042

The Gadget now acts as a Frida server inside the process: in its default listen mode it binds 127.0.0.1:27042 and waits for a client. Leave this terminal open; cat is blocked on stdin, which the trace below relies on. Note that dyld ignores DYLD_INSERT_LIBRARIES for restricted binaries (setuid, or built with the hardened runtime and no entitlement allowing dyld environment variables), so this trick only works for unprotected targets.
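The same launch, driven from Python with the Gadget's config file instead of its defaults. This is an added example, not part of the original post. The point it adds is on_load: with "wait" the Gadget keeps the process suspended until a client attaches and resumes it, so hooks can be in place before main() runs; the plain DYLD_INSERT_LIBRARIES run above used the default "resume". The GADGET and TARGET paths are assumptions taken from the session above.

```python
"""Launch the copied-out binary with the Frida Gadget loaded, configured through
the Gadget's config file. Added example, not the original post's code.
Assumed paths: GADGET is the downloaded dylib, TARGET the copy made with
`cp /bin/cat /tmp/cat`. Python 3 on macOS."""
import json
import os
import subprocess
from pathlib import Path

GADGET = Path("/Users/seveniruby/Downloads/frida-gadget-12.11.6-macos-universal.dylib")
TARGET = Path("/tmp/cat")


def gadget_config(port=27042, wait_for_client=True):
    """Build a Gadget config in 'listen' mode (Frida's documented JSON format).

    on_load="wait" keeps the process suspended inside the Gadget's constructor
    until a client attaches and calls device.resume(pid), so hooks can be
    installed before main() runs. on_load="resume" (the default, and what the
    manual DYLD_INSERT_LIBRARIES=... /tmp/cat run used) lets it run at once.
    """
    return {
        "interaction": {
            "type": "listen",
            "address": "127.0.0.1",
            "port": port,
            "on_port_conflict": "fail",
            "on_load": "wait" if wait_for_client else "resume",
        }
    }


def config_path_for(dylib):
    """The Gadget reads its config from a file beside it with the same base name
    and a .config extension (frida-gadget-12.11.6-macos-universal.config here)."""
    return Path(dylib).with_suffix(".config")


def write_config(dylib, config):
    path = config_path_for(dylib)
    path.write_text(json.dumps(config, indent=2))
    return path


def gadget_env(dylib, base=None):
    """Child environment: DYLD_INSERT_LIBRARIES makes dyld map the Gadget into the
    target before its main() runs. dyld honours it only for unrestricted binaries,
    which is why the SIP-protected /bin/cat had to be copied to /tmp first."""
    env = dict(os.environ if base is None else base)
    env["DYLD_INSERT_LIBRARIES"] = str(dylib)
    return env


def launch(target, dylib):
    """Start the target with the Gadget injected; returns the Popen handle."""
    return subprocess.Popen([str(target)], env=gadget_env(dylib))


def attach_and_resume(pid):
    """Connect to the waiting Gadget (what -R does on the command line), and let
    the process continue. Install hooks on the returned session before resuming
    if they must see the first instructions of main()."""
    import frida  # Frida's Python bindings; imported here so the helpers above need no Frida
    device = frida.get_remote_device()  # 127.0.0.1:27042
    session = device.attach(pid)
    device.resume(pid)
    return session


if __name__ == "__main__":
    write_config(GADGET, gadget_config(wait_for_client=True))
    proc = launch(TARGET, GADGET)
    print("[*] {} started as pid {}, suspended until a client attaches on 127.0.0.1:27042".format(TARGET, proc.pid))
    session = attach_and_resume(proc.pid)
    proc.wait()
    session.detach()
```

The config file is written next to the dylib because that is where the Gadget looks for it; it is re-read on every launch, so flipping on_load back to "resume" restores the behaviour of the manual run.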

Listing processes on an existing Frida server

frida-ps -R lists the processes exposed by the remote Frida server (127.0.0.1:27042, where the Gadget is listening). A Gadget-injected process shows up under the name Gadget rather than its own name, with its real PID:

seveniruby:~ seveniruby$ frida-ps -R
  PID  Name
-----  ------
88717  Gadget

Taking control of the target process

Use frida-trace to trace calls to a function, for example read(). Type any two lines into the still-running /tmp/cat and the read() calls inside the target process are intercepted. -i read matches every export named read, here one in libsystem_asl.dylib and one in dyld, and frida-trace generates an editable handler file per match under __handlers__/ where the argument and return-value logging can be extended:

seveniruby:~ seveniruby$ frida-trace -R 88717 -i read
Instrumenting functions...
read: Loaded handler at "/Users/seveniruby/__handlers__/libsystem_asl.dylib/read.js"
read: Loaded handler at "/Users/seveniruby/__handlers__/dyld/read.js"
Started tracing 2 functions. Press Ctrl+C to stop.
           /* TID 0x307 */
  7854 ms  read(d=0x0, buf=0x1081ab000, nbyte=0x20000, offset=0x7fff5e0b9f46)
 23190 ms  read(d=0x0, buf=0x1081ab000, nbyte=0x20000, offset=0x7fff5e0b9f46)

Custom hooks

For anything beyond tracing you write your own script: a Python driver using the Frida bindings that carries a JavaScript agent, which Frida injects and runs inside the target in its own JS runtime (it is not Node.js code). The script below hooks an Objective-C method in Safari. Note that frida.attach() talks to the local device, so the SIP restriction that ruled out /bin/cat applies to Safari too: attaching to an Apple-signed binary fails while SIP is enabled. To reach the Gadget-injected process instead, use frida.get_remote_device().attach("Gadget").

import frida
import sys


def on_message(message, data):
    # Payloads the agent emits with send(), and uncaught agent exceptions,
    # arrive here as a dict; 'data' carries any binary payload sent alongside.
    print("[{}] => {}".format(message, data))


def main(target_process):
    # frida.attach() uses the local device; target may be a process name or PID.
    session = frida.attach(target_process)

    script = session.create_script("""
        // NSApplicationDelegate is a protocol, not a class, so it cannot be
        // looked up in ObjC.classes; resolve the class of the application's
        // actual delegate object at runtime instead.
        var delegate = ObjC.classes.NSApplication.sharedApplication().delegate();
        var appWillFinishLaunching = ObjC.classes[delegate.$className]['- applicationWillFinishLaunching:'];
        if (!appWillFinishLaunching) {
          throw new Error(delegate.$className + ' does not implement applicationWillFinishLaunching:');
        }

        // This method runs once, during launch, so the hook only fires if the
        // script is loaded before the application has finished launching.
        Interceptor.attach(appWillFinishLaunching.implementation, {
          onEnter: function (args) {
            // As this is an Objective-C method, the arguments are as follows:
            // 0. 'self'
            // 1. The selector (applicationWillFinishLaunching:)
            // 2. The first argument to this method (an NSNotification)
            var notification = new ObjC.Object(args[2]);

            // NSNotification has no absoluteString (that is an NSURL method);
            // log the notification's name as a JS string instead.
            var notificationName = notification.name().toString();
            console.log('Will finish launching with notification: ' + notificationName);
          }
        });
    """)
    script.on("message", on_message)
    script.load()
    print("[!] Ctrl+D or Ctrl+Z to detach from instrumented program.\n\n")
    sys.stdin.read()
    session.detach()


if __name__ == "__main__":
    main("Safari")
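The following script is an added example and not part of the original post. It ties the two previous sections together: where the frida-trace run only showed read()'s arguments and the script above attached to the local device, this one attaches through the remote device the Gadget exposes (the Python equivalent of -R), hooks read() in /tmp/cat, and uses send() to ship the bytes each read() returned back to Python, where they are hex-dumped. Assumptions: the Gadget is listening on 127.0.0.1:27042 as in the session above, and read() is resolved from libsystem_kernel.dylib, where macOS exports it.

```python
"""Hook read() in the Gadget-injected /tmp/cat and pull the data it read back
into Python. Added example, not the original post's code. Assumes the Gadget is
listening on 127.0.0.1:27042 and that read() lives in libsystem_kernel.dylib."""
import sys

# JavaScript agent that Frida injects into the target and runs in its own JS
# runtime (not Node.js).
AGENT = r"""
var readImpl = Module.getExportByName('libsystem_kernel.dylib', 'read');

Interceptor.attach(readImpl, {
  onEnter: function (args) {
    // read(int fd, void *buf, size_t nbyte): remember fd and buf for onLeave,
    // because the buffer is only filled once the call has returned.
    this.fd = args[0].toInt32();
    this.buf = args[1];
  },
  onLeave: function (retval) {
    var n = retval.toInt32();
    if (this.fd !== 0 || n <= 0) {
      return;  // only stdin, and only reads that actually returned data
    }
    // send()'s second argument is an ArrayBuffer; it reaches on_message as bytes.
    send({ type: 'read', fd: this.fd, n: n }, this.buf.readByteArray(n));
  }
});
"""


def hexdump(data, width=16):
    """Offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("{:02x}".format(b) for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("{:08x}  {:<{w}}  |{}|".format(off, hexpart, asc, w=width * 3 - 1))
    return "\n".join(lines)


def describe_read(payload, data):
    """Render one 'read' event from the agent as text."""
    return "read(fd={}) -> {} bytes\n{}".format(payload["fd"], payload["n"], hexdump(data))


def on_message(message, data):
    # Frida delivers send() payloads with type 'send' and agent exceptions with type 'error'.
    if message["type"] == "send" and message["payload"].get("type") == "read":
        print(describe_read(message["payload"], data))
    elif message["type"] == "error":
        print("[agent error] {}".format(message.get("stack", message)))
    else:
        print("[{}] => {}".format(message, data))


def run(process_name="Gadget"):
    import frida  # Frida's Python bindings; imported here so the helpers above need no Frida

    # frida.get_remote_device() is what -R selects on the command line: the server
    # on 127.0.0.1:27042, i.e. the Gadget inside /tmp/cat, listed as "Gadget".
    device = frida.get_remote_device()
    session = device.attach(process_name)
    script = session.create_script(AGENT)
    script.on("message", on_message)
    script.load()
    print("[*] read() hooked; type lines into /tmp/cat, press Ctrl+D here to detach")
    sys.stdin.read()
    session.detach()


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "Gadget")
```

Filtering on fd 0 inside the agent rather than in Python keeps the chatter out of the process: every other read() in the target returns without crossing the Frida transport.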

The corresponding JavaScript API