def attach(packageName):
online_session = None
online_script = None
rdev = None
remoteDriver = run_env.getRemoteDriver() #ip:port
try:
if remoteDriver:
rdev = frida.get_device_manager().add_remote_device(remoteDriver)
elif platform.system().find("Windows") != -1:
warn("推荐使用linux或mac操作系统获得更好的兼容性.")
rdev = frida.get_remote_device()
else:
rdev = frida.get_usb_device(1000)
online_session = rdev.attach(packageName)
if online_session == None:
warn("attaching fail to " + packageName)
online_script = online_session.create_script(run_env.rpc_jscode)
online_script.on('message', on_message)
online_script.load()
checkRadarDex(packageName, online_script)
createHookingEnverment(packageName,
online_script.exports.mainactivity())
except Exception:
warn(traceback.format_exc())
return online_session, online_script
def attach_application(self, pid, frida_script, device):
self.frida_script = frida_script
if pid.isnumeric():
self.pid = int(pid)
else:
self.pid = pid
if device == 'remote':
self.device = frida.get_remote_device()
elif device == 'usb':
self.device = frida.get_usb_device()
else:
self.device = frida.get_local_device()
self.session = self.device.attach(self.pid)
with codecs.open(self.frida_script, 'r', 'utf-8') as f:
source = f.read()
self.script = self.session.create_script(source)
self.script.load()
return
def attach(self):
if self.project.pid != None:
target_process = self.project.pid
elif self.project.process_name != None:
target_process = self.project.process_name
else:
log.warn("No process specified with 'process_name' or 'pid'!")
return False
if self.project.remote_frida:
self.frida_session = frida.get_remote_device().attach(
target_process)
else:
self.frida_session = frida.attach(target_process)
self.loadScript()
pid = self.frida_script.exports.getpid()
log.info("Attached to pid %d!" % pid)
self.project.pid = pid
# Query the loaded modules from the target
self.getModuleMap()
# ... and create the module filter list
self.createModuleFilterList()
return True
def get_zuiyou_sign():
# 调用frida脚本
process = frida.get_remote_device().attach("cn.xiaochuankeji.tieba")
script = process.create_script(jsCode)
# print('[*] Running zuiyou')
script.load()
return script.exports
def connect_device():
try:
device = frida.get_usb_device()
except:
device = frida.get_remote_device()
return device
def show_packages():
global device
global remote
try:
remote = request.args.get('remote')
if device == None:
if len(remote) != 0:
# check remote ip address
try:
socket.inet_aton(remote)
print("adding remote device to device manager : ", remote)
device=frida.get_device_manager().add_remote_device(remote)
print("remote device : ", device)
except socket.error:
return render_template('intro.html')
else:
device = frida.get_remote_device()
# get list of apps
packages=device.enumerate_processes()
print(packages)
except frida.ServerNotRunningError :
return render_template('error.html',error="cannot connect to remote :(")
return render_template('packages_list.html',
packages=packages)
def set_device(self):
"""
Set's the target device to work with.
:return:
"""
if self.config.device_id is not None:
self.device = frida.get_device(self.config.device_id)
elif (self.config.host is not None) or (self.config.device_type
== 'remote'):
if self.config.host is None:
self.device = frida.get_remote_device()
else:
host = self.config.host
port = self.config.port
self.device = frida.get_device_manager() \
.add_remote_device(f'{host}:{port}' if host is not None else f'127.0.0.1:{port}')
elif self.config.device_type is not None:
for dev in frida.enumerate_devices():
if dev.type == self.config.device_type:
self.device = dev
else:
self.device = frida.get_local_device()
# surely we have a device by now?
if self.device is None:
raise Exception('Unable to find a device')
self.device.on('output', self.handlers.device_output)
self.device.on('lost', self.handlers.device_lost)
debug_print(f'device determined as: {self.device}')
def main(target_process):
dev = frida.get_remote_device()
session = dev.attach(target_process)
j = """
Process.enumerateModules({
onMatch: function(module){
console.log('Module name: ' + module.name + " - " + "Base Address: " + module.base.toString());
Module.enumerateImports("%s", {
onMatch: function(module){
console.log('Module type: ' + module.type + ' - Name: ' + module.name + ' - Module: ' + moudle.module + ' - Address: ' + module.address.toString());
},
onComplete: function(){}
});
},
onComplete: function(){}
});
"""
script = session.create_script(j)
script.on('message', on_message)
script.load()
raw_input(
'[!] Press <Enter> at any time to detach from instrumented program.\n\n'
)
session.detach()
def hook_by_method(activity,method_name):
pkg, ac = activity.split('/')
activity = activity.replace('/','')
js_code = """
Java.perform(
setTimeout(function(){
var hookClass = Java.use('%s')
console.log('HookClass',hookClass)
hookClass.%s.implementation = function(args){
send('crack successful',%s)
console.log('入参',args)
return this.%s(args)
}
},1000)
);
"""%(activity,method_name,method_name,method_name)
print(js_code)
process = frida.get_remote_device().attach(pkg)
script = process.create_script(js_code)
def on_message(message, data):
if message['type'] == 'send':
print("[*] {0}".format(message['payload']))
else:
print(message)
script.on('message', on_message)
print('开始hook')
script.load()
sys.stdin.read()
def connect_device(timeout=15):
try:
device = frida.get_usb_device(timeout=timeout)
except:
device = frida.get_remote_device()
return device
def main():
argv = sys.argv
process = None
so_name = None
func_name = None
arg_count = len(argv)
if arg_count < 2:
print "this.py (pid|pName) [soName [funcName]]"
return 1
else:
try:
process = int(argv[1])
except:
process = argv[1]
if arg_count > 2:
so_name = argv[2]
if arg_count > 3:
func_name = argv[3]
remote_dev = frida.get_remote_device()
session = remote_dev.attach(process)
modules = session.enumerate_modules()
for module in modules:
if so_name is None or so_name in module.name:
print module
export_funcs = module.enumerate_exports()
for export_func in export_funcs:
if func_name is None or func_name in export_func.name:
print "\t%s\t%s" % (export_func.name,
hex(export_func.absolute_address))
def start_hook():
device = frida.get_remote_device()
print(device)
# 应用包名
app_package_name = "com.luojilab.player" # dedao
try:
# pid = device.spawn([app_package_name])
# device.resume(pid)
# time.sleep(1) # 2
session = device.attach(app_package_name)
# session = device.attach(target=16803)
print("[*] start hook")
print(session)
# 加载脚本
with open("test.js", "r", encoding="utf-8") as file:
# with open("hook_dedao.js", "r", encoding="utf-8") as file:
js_code = file.read()
script = session.create_script(js_code)
script.on('message', on_message)
script.load()
# sys.stdin.read() # 等待程序触发,调试时打开
# print('script', script)
return script
except frida.NotSupportedError:
print("请检查包名的有效性.")
def attach(target):
packageName = target
if is_number(target): #pid
packageName = getPidMap()[target]
online_session = None
online_script = None
rdev = None
remoteDriver = run_env.getRemoteDriver() #ip:port
try:
if remoteDriver:
rdev = frida.get_device_manager().add_remote_device(remoteDriver)
elif platform.system().find("Windows") != -1:
warn("推荐使用linux或mac操作系统获得更好的兼容性.")
rdev = frida.get_remote_device()
else:
rdev = frida.get_usb_device(1000)
#print(f"attach {target}")
if is_number(target):
pid = int(target)
online_session = frida.core.Session(rdev._impl.attach(pid))
else:
online_session = rdev.attach(target)
if online_session == None:
warn("attaching fail to " + target)
online_script = online_session.create_script(run_env.rpc_jscode)
online_script.on('message', on_message)
online_script.load()
checkRadarDex(packageName, online_script)
createHookingEnverment(packageName,
online_script.exports.mainactivity())
except Exception:
warn(traceback.format_exc())
return online_session, online_script, packageName
def startHook(packageName, jsCode):
rdev = frida.get_remote_device()
session = rdev.attach(packageName)
script = session.create_script(jsCode)
script.on('message', on_message)
print(' Start attach')
script.load()
sys.stdin.read()
def test_frida():
rdev = frida.get_remote_device()
print rdev
front_app = rdev.get_frontmost_application()
print front_app
processes = rdev.enumerate_processes()
for process in processes:
print process
def spawn_remote_default(appname):
print("[*] Spawn process on remote machine (with frida-server)")
device = frida.get_remote_device()
pid = device.spawn([appname])
session = device.attach(pid)
device.resume(pid)
waitinterrupt()
def hooking(self):
print('【开始Hook】.....\n\n')
try:
process = frida.get_remote_device().attach(self.arg)
script = process.create_script(self.js_code)
script.on("message", self.message)
script.load()
sys.stdin.read()
except frida.ServerNotRunningError:
print('没有开启对应app, 或没有开启映射端口')
def get_session(self):
"""
Attempt to get a Frida session.
"""
if state_connection.get_comms_type() == state_connection.TYPE_USB:
return frida.get_usb_device().attach(state_connection.gadget_name)
if state_connection.get_comms_type() == state_connection.TYPE_REMOTE:
return frida.get_remote_device().attach(state_connection.gadget_name)
def main():
remote_dev = frida.get_remote_device()
session = remote_dev.attach("com.example.wechat01")
modules = session.enumerate_modules()
for module in modules:
print module
export_funcs = module.enumerate_exports()
for export_func in export_funcs:
if "strlen" == export_func.name:
print "\t%s\t%s" % (export_func.name,
hex(export_func.absolute_address))
def attach_spawn_target(args, user_script=None):
if not args.target and not args.device:
print('missing session type. use -t local|android|ios|remote to define the session type'
' or specify a device id with --device')
exit(0)
if args.any is None or args.any == '':
print('missing file or package name to attach')
exit(0)
device = None
try:
if args.device:
device = frida.get_device(id=args.device)
else:
session_type = args.target.lower()
if session_type == 'local':
device = frida.get_local_device()
elif session_type == 'android' or session_type == 'ios':
device = frida.get_usb_device(5)
elif session_type == 'remote':
device = frida.get_remote_device()
except Exception as e:
print('failed to get frida device')
print(e)
if device is not None:
try:
# parse target as pid
args.pid = int(args.any)
except ValueError:
args.pid = 0
if args.pid > 0:
print('* Trying to attach to {0}'.format(args.pid))
try:
attach(args, device)
print('* Dwarf attached to {0}'.format(args.pid))
except Exception as e: # pylint: disable=broad-except
print('-failed-')
print('Reason: ' + str(e))
print('Help: you can use -sp to force spawn')
exit(0)
else:
print('* Trying to spawn {0}'.format(args.any))
try:
_pid = spawn(args, device, user_script)
print('* Dwarf attached to {0}'.format(_pid))
except Exception as e: # pylint: disable=broad-except
print('-failed-')
print('Reason: ' + str(e))
exit(0)
sys.stdin.read()
def dump_pkg(pkg):
try:
print('Availlable devices:')
devices = frida.enumerate_devices()
i = 0
for dv in devices:
print('{}) {}'.format(i, dv))
i += 1
j = input('Enter the index of device to use:')
device = devices[int(j)]
except:
device = frida.get_remote_device()
bring_to_front = input(
'Bring the application you want to dump to the front and press enter.....\n'
)
target = device.get_frontmost_application()
pkg_name = pkg #target.identifier
print('---------' + pkg)
processes = get_all_process(device, pkg_name)
if len(processes) == 1:
target = processes[0]
else:
s_processes = ""
for index in range(len(processes)):
s_processes += "\t[{}] {}\n".format(index, str(processes[index]))
input_id = int(
input(
"[{}] has multiprocess: \n{}\nplease choose target process: ".
format(pkg_name, s_processes)))
target = processes[input_id]
try:
for index in range(len(processes)):
if index == input_id:
os.system("adb shell \"su -c 'kill -18 {}'\"".format(
processes[index].pid))
else:
os.system("adb shell \"su -c 'kill -19 {}'\"".format(
processes[index].pid))
except:
pass
logging.info("[DEXDump]: found target [{}] {}".format(
target.pid, pkg_name))
session = device.attach(target.pid)
path = '.' #os.path.dirname(save_path)
#path = path if path else "."
script = session.create_script(open(path + "/dexdump.js").read())
script.load()
dump(pkg_name, script.exports)
def connect():
global script
try:
process = frida.get_remote_device().attach(
'CT-Young+'
) #得到设备并劫持进程com.example.testfrida(该开始用get_usb_device函数用来获取设备,但是一直报错找不到设备,改用get_remote_device函数即可解决这个问题)
except frida.ServerNotRunningError:
adbforward()
try:
process = frida.get_remote_device().attach(
'CT-Young+'
) #得到设备并劫持进程com.example.testfrida(该开始用get_usb_device函数用来获取设备,但是一直报错找不到设备,改用get_remote_device函数即可解决这个问题)
except frida.TransportError:
device = frida.get_remote_device()
pid = device.spawn(["com.cndatacom.campus.cdccportalhainan"])
device.resume(pid)
process = device.attach(pid)
except frida.ProcessNotFoundError:
device = frida.get_remote_device()
pid = device.spawn(["com.cndatacom.campus.cdccportalhainan"])
device.resume(pid)
process = device.attach(pid)
except frida.ProcessNotRespondingError:
device = frida.get_remote_device()
pid = device.spawn(["com.cndatacom.campus.cdccportalhainan"])
device.resume(pid)
process = device.attach(pid)
except frida.TransportError:
adbforward()
device = frida.get_remote_device()
pid = device.spawn(["com.cndatacom.campus.cdccportalhainan"])
device.resume(pid)
process = device.attach(pid)
except frida.ProcessNotFoundError:
device = frida.get_remote_device()
pid = device.spawn(["com.cndatacom.campus.cdccportalhainan"])
device.resume(pid)
process = device.attach(pid)
except frida.ProcessNotRespondingError:
device = frida.get_remote_device()
pid = device.spawn(["com.cndatacom.campus.cdccportalhainan"])
device.resume(pid)
process = device.attach(pid)
jscode = open("C:\\Users\\qcnhy\\Documents\\py\\test.js",
encoding='utf-8').read()
#jscode = "var by = " + str(data) + ";\n" + jscode
script = process.create_script(jscode) #创建js脚本
#script.on('message',on_message) #加载回调函数,也就是js中执行send函数规定要执行的python函数
script.load() #加载脚本
time.sleep(2)
def startHook(packageName, jsCode):
rdev = frida.get_remote_device()
#脚本控制app启动
# pid = rdev.spawn(packageName)
# session = rdev.attach(pid)
# rdev.resume(pid)
session = rdev.attach(packageName)
script = session.create_script(jsCode)
script.on('message', on_message)
print(' Start attach')
script.load()
sys.stdin.read()
def gorgon_hook_prepare():
# host = '127.0.0.1:27042'
# process_name = "com.ss.android.ugc.aweme"
# manager = frida.get_device_manager()
# remote_device = manager.add_remote_device(host)
# process = remote_device.attach(process_name)
process = frida.get_remote_device().attach('com.ss.android.ugc.aweme')
script = process.create_script(hook_code)
script.on('message', on_message)
script.load()
return script.exports
def start_frida_script(network, adbpath):
# Would be better to use frida.get_usb_device().spawn to spawn the app
# But it seems that it is broken on some version so we use adb to spawn the game
os.system(
adbpath +
" shell monkey -p com.supercell.clashroyale -c android.intent.category.LAUNCHER 1"
)
time.sleep(0.5)
try:
if network:
device = frida.get_remote_device()
else:
device = frida.get_usb_device()
except Exception as exception:
print('[*] Can\'t connect to your device ({}) !'.format(
exception.__class__.__name__))
exit()
retry_count = 0
process = None
while not process:
try:
process = device.attach('com.supercell.clashroyale')
except Exception as exception:
if retry_count == MAX_FRIDA_RETRY:
print(
'[*] Can\'t attach frida to the game ({}) ! Start the frida server on your device'
.format(exception.__class__.__name__))
exit()
retry_count += 1
time.sleep(0.5)
print('[*] Frida attached !')
if os.path.isfile("urandom_hook.js"):
script = process.create_script(open("urandom_hook.js").read())
else:
print(
'[*] urandom_hook.js script is missing, cannot inject the script !'
)
exit()
script.load()
print('[*] Script injected !')
def injectJs2App_1(processname, jsFilename):
rdev = frida.get_remote_device()
print(rdev)
session = rdev.attach(processname)
print(session)
jsFile = open(jsFilename, "r")
src = jsFile.read()
script = session.create_script(src)
script.on("message", on_message)
script.load()
sys.stdin.read()
def Session(self):
print(self.App_Name)
try:
if self.USB:
self.session = frida.get_usb_device().attach(self.App_Name)
elif self.Remote:
self.session = frida.get_remote_device().attach(self.App_Name)
else:
self.session = frida.attach(self.App_Name)
except Exception as e:
print(
"Cant connect to application. Have you connected the device?")
logging.debug(str(e))
sys.exit()
def injectJs2App(pkgname, version):
rdev = frida.get_remote_device()
print(rdev)
session = rdev.attach(pkgname)
#pid = rdev.spawn(pkgname)
#print(pid)
print(session)
jsFilename = "module/"+pkgname+"/"+ version + ".js"
print(jsFilename)
jsFile = open(jsFilename, mode='r', encoding='UTF-8')
src = jsFile.read()
script = session.create_script(src)
script.on("message", on_message)
script.load()
sys.stdin.read()
def button_call_back():
global script
global script_sdk
if script != 0:
script.unload()
file_object = open('hook.js', encoding="utf-8")
text = file_object.read()
file_object.close()
device = frida.get_remote_device()
process = device.attach("com.tencent.mm")
if process:
script = process.create_script(text)
script.on('message', on_message)
script.load()
def get_data():
device = frida.get_remote_device()
session = device.attach("com.猿人学.onlinejudge2020")
jscode = """
Java.perform(function(){
var OnlineJudgeApp = Java.use("com.猿人学.onlinejudge2020.OnlineJudgeApp");
OnlineJudgeApp.getSign.implementation = function(i){
for(var j =0;j<=9999;j++){
var sign = this.getSign(j);
send(j + ":" + sign);
}
return this.getSign(i);
}
})
"""
script = session.create_script(jscode)
script.on("message", on_message)
script.load()
sys.stdin.read()
print data
print
except Exception, arg:
print "SSL_read Exception", arg
script_obj.post({'type': 'input', 'payload': None, 'num': None, "do": "ignore", "id": payload['id']})
if __name__ == "__main__":
print 'SSL hook tool'
check()
print 'check pass'
session = frida.get_remote_device().attach(package_name)
fp = open("main.js", "r")
script_context = fp.read()
fp.close()
script = session.create_script(script_context)
script_obj = script
script.on("message", on_message)
script.load()
print "Press Ctrl+C to stop logging."
try:
signal.pause()
except Exception as e:
print(message)
print(e)
if __name__ == '__main__':
try:
path = "hooks"
parser = OptionParser(usage="usage: %prog [options] <process_to_hook>",version="%prog 1.0")
parser.add_option("-A", "--attach", action="store_true", default=False,help="Attach to a running process")
parser.add_option("-S", "--spawn", action="store_true", default=False,help="Spawn a new process and attach")
(options, args) = parser.parse_args()
if (options.spawn):
print ("[*] Spawning "+ str(args[0]))
pid = frida.get_remote_device().spawn([args[0]])
session = frida.get_remote_device().attach(pid)
elif (options.attach):
print ("[*] Attaching to "+str(args[0]))
session = frida.get_remote_device().attach(str(args[0]))
else:
print ("Error")
print ("[X] Option not selected. View --help option.")
sys.exit(0)
for filename in os.listdir(path):
name, ext = os.path.splitext(filename)
if (ext == ".enabled"):
print "[*] Parsing hook: "+filename
hook = open(path+os.sep+filename, "r")
script = session.create_script(hook.read())
import frida
session = frida.get_remote_device().attach("com.android.settings")
modulesList = session.enumerate_modules()
for i in range(0, len(modulesList)):
if "libc.so" in modulesList[i].name:
print i
print modulesList[i]
print " "
# print([x.name for x in session.enumerate_modules()])
def init_session():
try:
session = None
if platform == 'ios' or platform == 'android':
try:
device = frida.get_usb_device(3) # added timeout to wait for 3 seconds
except Exception as e:
print colored(str(e), "red")
traceback.print_exc()
if platform == 'android':
print colored("Troubleshooting Help", "blue")
print colored("HINT: Is USB Debugging enabled?", "blue")
print colored("HINT: Is `frida-server` running on mobile device (with +x permissions)?", "blue")
print colored("HINT: Is `adb` daemon running?", "blue")
sys.exit(1)
elif platform == "ios":
print colored("Troubleshooting Help", "blue")
print colored("HINT: Have you installed `frida` module from Cydia?", "blue")
print colored("HINT: Have used `ipa_installer` to inject the `FridaGadget` shared lbrary?", "blue")
sys.exit(1)
elif platform == 'iossim':
try:
device = frida.get_remote_device()
except Exception as e:
# print traceback.print_exc()
print colored("Troubleshooting Help", "blue")
print colored("HINT: Have you successfully integrated the FridaGadget dylib with the XCode Project?", "blue")
print colored("HINT: Do you see a message similar to \"[Frida INFO] Listening on 127.0.0.1 TCP port 27042\" on XCode console logs?", "blue")
sys.exit(1)
elif platform == 'macos':
device = frida.get_local_device()
else:
print colored('[ERROR] Unsupported Platform', 'red')
sys.exit(1)
pid = None
if app_name:
try:
if platform == 'android' and spawn == 1:
print colored("Now Spawning %s" % app_name, "green")
pid = device.spawn([app_name])
#time.sleep(5)
session = device.attach(pid)
#time.sleep(5)
elif (platform == 'ios' or platform == 'macos') and spawn == 1:
bundleID = getBundleID(device, app_name, platform)
if bundleID:
print colored("Now Spawning %s" % bundleID, "green")
pid = device.spawn([bundleID])
#time.sleep(5)
session = device.attach(pid)
else:
print colored("[ERROR] Can't spawn %s" % app_name, "red")
traceback.print_exc()
sys.exit(1)
else:
arg_to_attach = app_name
if app_name.isdigit():
arg_to_attach = int(app_name)
session = device.attach(arg_to_attach)
except Exception as e:
print colored('[ERROR] ' + str(e), 'red')
traceback.print_exc()
if session:
print colored('[INFO] Attached to %s' % (app_name), 'yellow')
session.on('detached', on_detached)
except Exception as e:
print colored('[ERROR] ' + str(e), 'red')
traceback.print_exc()
sys.exit(1)
return device, session, pid
