Introduction to basic usage of the frida framework
Injecting into the target process via the gadget
The original approach of injecting by spawning the target directly does not work because of macOS's security protections, so inject with the following method instead:
seveniruby:~ seveniruby$ cp /bin/cat /tmp/cat
seveniruby:~ seveniruby$ DYLD_INSERT_LIBRARIES=/Users/seveniruby/Downloads/frida-gadget-12.11.6-macos-universal.dylib /tmp/cat
[Frida INFO] Listening on 127.0.0.1 TCP port 27042
At this point a frida server is started inside the process; it listens on the port and waits for instructions.
Enumerating existing frida servers
Use frida-ps -R to list the frida servers that are already running:
seveniruby:~ seveniruby$ frida-ps -R
  PID  Name
-----  ------
88717  Gadget
Start controlling the target process
Use the frida-trace command to start tracing the execution of an API, for example the read() function.
In the original terminal that is running /tmp/cat, type any two lines of text; each read() call made by the target process will then be intercepted and printed.
seveniruby:~ seveniruby$ frida-trace -R 88717 -i read
Instrumenting functions...
read: Loaded handler at "/Users/seveniruby/__handlers__/libsystem_asl.dylib/read.js"
read: Loaded handler at "/Users/seveniruby/__handlers__/dyld/read.js"
Started tracing 2 functions. Press Ctrl+C to stop.
/* TID 0x307 */
7854 ms read(d=0x0, buf=0x1081ab000, nbyte=0x20000, offset=0x7fff5e0b9f46)
23190 ms read(d=0x0, buf=0x1081ab000, nbyte=0x20000, offset=0x7fff5e0b9f46)
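The output of frida-ps -R and frida-trace above is plain text, and when tracing runs for a while you want it in structured form rather than eyeballing it. The following is an added example (not code from the original post or from the frida project) that parses both formats as they appear on this page: the PID/Name table and the "<time> ms  func(arg=value, ...)" call lines with their "/* TID ... */" thread markers. The sample strings are constructed copies of the output shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: output of `frida-ps -R` as shown on this page.
FRIDA_PS_OUTPUT = """\
  PID  Name
-----  ------
88717  Gadget
"""

# Constructed sample: frida-trace output for read() as shown on this page.
FRIDA_TRACE_OUTPUT = """\
Instrumenting functions...
read: Loaded handler at "/Users/seveniruby/__handlers__/libsystem_asl.dylib/read.js"
Started tracing 2 functions. Press Ctrl+C to stop.
           /* TID 0x307 */
  7854 ms  read(d=0x0, buf=0x1081ab000, nbyte=0x20000, offset=0x7fff5e0b9f46)
 23190 ms  read(d=0x0, buf=0x1081ab000, nbyte=0x20000, offset=0x7fff5e0b9f46)
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")
TID_LINE = re.compile(r"/\*\s*TID\s+(0x[0-9a-fA-F]+)\s*\*/")
CALL_LINE = re.compile(r"^\s*(\d+)\s+ms\s+(\w+)\((.*)\)\s*$")
ARG = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|-?\d+)")


def _to_int(value: str) -> int:
    # frida-trace prints pointers and sizes as hex, small integers as decimal
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_frida_ps(text: str) -> Dict[int, str]:
    """Map PID -> process name from `frida-ps -R` output, skipping the header and rule line."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("PID") or set(stripped) <= {"-", " "}:
            continue
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


@dataclass
class TraceCall:
    tid: Optional[int]       # thread id from the preceding /* TID ... */ marker, if any
    time_ms: int             # milliseconds since tracing started
    func: str                # traced function name
    args: Dict[str, int]     # argument name -> integer value


def parse_frida_trace(text: str) -> List[TraceCall]:
    """Turn frida-trace call lines into records; a TID marker applies to the lines after it."""
    calls: List[TraceCall] = []
    tid: Optional[int] = None
    for line in text.splitlines():
        t = TID_LINE.search(line)
        if t:
            tid = int(t.group(1), 16)
            continue
        m = CALL_LINE.match(line)
        if not m:
            continue  # banner and "Loaded handler" lines carry no call data
        args = {name: _to_int(value) for name, value in ARG.findall(m.group(3))}
        calls.append(TraceCall(tid, int(m.group(1)), m.group(2), args))
    return calls


def calls_by_descriptor(calls: List[TraceCall], func: str = "read") -> Dict[int, int]:
    """Count calls of `func` per file descriptor (the `d` argument), e.g. which fds a process reads."""
    counts: Dict[int, int] = {}
    for call in calls:
        if call.func == func and "d" in call.args:
            counts[call.args["d"]] = counts.get(call.args["d"], 0) + 1
    return counts


if __name__ == "__main__":
    print(parse_frida_ps(FRIDA_PS_OUTPUT))
    for call in parse_frida_trace(FRIDA_TRACE_OUTPUT):
        print(call)
    print(calls_by_descriptor(parse_frida_trace(FRIDA_TRACE_OUTPUT)))
```

On the page's own output this yields one process (88717 -> Gadget) and two read() calls on descriptor 0 (stdin), both requesting 0x20000 bytes, which matches cat reading the two lines typed into it.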
Custom hooks
For this you need to write your own control script: Python on the host side, plus a JavaScript hook script that frida injects into the target process.
import frida
import sys


def on_message(message, data):
    # Called for every message the injected script sends back (send() payloads and script errors)
    print("[{}] => {}".format(message, data))


def main(target_process):
    session = frida.attach(target_process)
    script = session.create_script("""
        // NSApplicationDelegate is a protocol; in practice the hook must target the
        // application's concrete delegate class that implements this selector
        var appWillFinishLaunching = ObjC.classes.NSApplicationDelegate['- applicationWillFinishLaunching:'];
        Interceptor.attach(appWillFinishLaunching.implementation, {
            onEnter: function (args) {
                // As this is an Objective-C method, the arguments are as follows:
                // 0. 'self'
                // 1. The selector (applicationWillFinishLaunching:)
                // 2. The first argument to this method
                var notification = new ObjC.Object(args[2]);
                // Convert it to a JS string (ObjC.Object.toString() calls -description) and log it
                var notificationStr = notification.toString();
                console.log('Will finish launching with notification: ' + notificationStr);
            }
        });
    """)
    script.on("message", on_message)
    script.load()
    print("[!] Ctrl+D or Ctrl+Z to detach from instrumented program.\n\n")
    sys.stdin.read()
    session.detach()


if __name__ == "__main__":
    main("Safari")
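The script above prints every message as a raw dict. As an added example (not the original post's code and not frida's own example), the following host-side script hooks the same read() function that frida-trace traced earlier, uses send() so that the hook reports structured data instead of console.log text, and handles the two message types frida delivers to the Python callback: "send" (the script's payload, optionally with a binary data blob) and "error" (an exception in the injected script, with its JavaScript stack). The JavaScript string is constructed for this example; Module.getExportByName, Interceptor.attach and send are part of frida's JavaScript API. run() assumes the gadget from the page is listening on the default remote port, so it attaches through frida.get_remote_device() rather than frida.attach().

```python
import json
import sys
from typing import Optional

# Constructed frida script: hook read() in the target and report each call via send().
READ_HOOK_JS = r"""
var readPtr = Module.getExportByName(null, 'read');
Interceptor.attach(readPtr, {
  onEnter: function (args) {
    // Keep the descriptor and requested size so onLeave can pair them with the result.
    this.fd = args[0].toInt32();
    this.nbyte = args[2].toUInt32();
  },
  onLeave: function (retval) {
    send({ fd: this.fd, nbyte: this.nbyte, ret: retval.toInt32() });
  }
});
"""


def format_message(message: dict, data: Optional[bytes] = None) -> str:
    """Render one message from the injected script.

    frida delivers {"type": "send", "payload": ...} for send() calls and
    {"type": "error", "description": ..., "stack": ...} when the script throws.
    """
    kind = message.get("type")
    if kind == "send":
        line = "[send] " + json.dumps(message.get("payload"), sort_keys=True)
        if data:
            line += " data=%d bytes" % len(data)
        return line
    if kind == "error":
        return "[error] %s\n%s" % (message.get("description", ""), message.get("stack", ""))
    return "[%s] %s" % (kind, message)


def run(target):
    """Attach to the target (PID or process name) on the remote gadget, load the hook, stream messages."""
    import frida  # imported here so format_message stays usable on hosts without frida installed
    device = frida.get_remote_device()  # the gadget listening on 127.0.0.1:27042
    session = device.attach(target)
    script = session.create_script(READ_HOOK_JS)
    script.on("message", lambda msg, data: print(format_message(msg, data)))
    script.load()
    print("[!] Ctrl+D to detach from the instrumented program.")
    sys.stdin.read()
    session.detach()


if __name__ == "__main__":
    # e.g. `python hook_read.py 88717` or `python hook_read.py Gadget`
    arg = sys.argv[1] if len(sys.argv) > 1 else "Gadget"
    run(int(arg) if arg.isdigit() else arg)
```

Handling the "error" type explicitly matters in practice: a typo in the injected JavaScript, or a symbol that does not exist in the target, surfaces as an error message rather than as a Python exception, and without this branch it is easy to sit waiting for hook output that never comes.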
The corresponding JavaScript API