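## **1. 免写参数**

这是js中的方法调用,和call类似
call() 方法分别接受参数。
apply() 方法接受数组形式的参数

```js
// Java prototype:
// encodeRequest(int i, String str, String str2, String str3, String str4, String str5, byte[] bArr, int i2, int i3, String str6, byte b, byte b2, byte[] bArr2, boolean z)
var CodecWarpper = Java.use("xx.CodecWarpper");
// Assigning `.implementation` directly only works when the method has a single
// overload; for overloaded methods see hookAllOverloads in section 4.
CodecWarpper.encodeRequest.implementation = function () {
    // Forward the received arguments unchanged, so the 14-parameter list
    // never has to be spelled out in the hook.
    var ret = this.encodeRequest.apply(this, arguments);
    // Arguments and the return value can be logged here.
    return ret;
};
```

## **2.获取方法名**

```js
/**
 * Return the name of the Java method found at index 2 of the current
 * thread's stack trace.
 *
 * @returns {string|undefined} The method name, or undefined if the
 *     Java.perform callback has not run by the time this function returns.
 */
function getMethodName() {
    var ret;
    Java.perform(function () {
        var Thread = Java.use("java.lang.Thread");
        // NOTE(review): index 2 is the author's choice; which frame sits at
        // that index depends on the runtime - confirm on the target device.
        ret = Thread.currentThread().getStackTrace()[2].getMethodName();
    });
    return ret;
}
```

## **3.输出类所有方法名**

```js
/**
 * Log every method declared by a Java class and return the method list.
 *
 * @param {string} targetClass - Fully qualified Java class name.
 * @returns {*} The result of getDeclaredMethods(), or undefined if the
 *     Java.perform callback has not run by the time this function returns.
 */
function enumMethods(targetClass) {
    var ret;
    Java.perform(function () {
        var hook = Java.use(targetClass);
        // Assign to the outer `ret`. Redeclaring it with `var` in this callback
        // shadows the outer variable, and the function then always returns undefined.
        ret = hook.class.getDeclaredMethods();
        ret.forEach(function (s) {
            console.log(s);
        });
    });
    return ret;
}
```

## **4.hook 所有重载函数**

```js
/**
 * Replace the implementation of every overload of one Java method with a
 * pass-through wrapper.
 *
 * @param {string} targetClass - Fully qualified Java class name.
 * @param {string} targetMethod - Method name whose overloads are hooked.
 */
function hookAllOverloads(targetClass, targetMethod) {
    Java.perform(function () {
        // Kept for use in log lines inside the wrapper below.
        var targetClassMethod = targetClass + '.' + targetMethod;
        var hook = Java.use(targetClass);
        // Report a wrong method name instead of failing on `.overloads` of undefined.
        if (!hook[targetMethod]) {
            console.log(targetClassMethod + " not found");
            return;
        }
        var overloads = hook[targetMethod].overloads;
        for (var i = 0; i < overloads.length; i++) {
            overloads[i].implementation = function () {
                // Calling through this[targetMethod] lets the call be matched
                // to an overload by the arguments that were received.
                var retval = this[targetMethod].apply(this, arguments);
                // The result and the arguments can be logged here.
                return retval;
            };
        }
    });
}
```

## **5.dump 地址**

```js
/**
 * Print a hexdump of memory starting at `address`.
 *
 * @param {*} address - Start address passed straight to hexdump().
 * @param {number} [length=1024] - Number of bytes to dump; 0 or a missing
 *     value falls back to 1024.
 */
function dumpAddr(address, length) {
    var byteCount = length || 1024;
    console.log(hexdump(address, {
        offset: 0,
        length: byteCount,
        header: true,
        ansi: false
    }));
}
```

## **6.获取类型**

```js
/**
 * Return a type name for a value: "null" / "undefined" for those two values,
 * otherwise the tag from Object.prototype.toString (e.g. "Array", "Number").
 *
 * @param {*} obj - Value to inspect.
 * @returns {string} The type name; "object" if the tag comes out empty.
 */
function getParamType(obj) {
    if (obj == null) {
        return String(obj);
    }
    var tag = Object.prototype.toString.call(obj);
    return tag.replace(/\[object\s+(\w+)\]/i, "$1") || "object";
}
```

## **7.hook native 函数**

```js
/**
 * Attach an Interceptor callback to an exported native function, polling
 * once per second until the export can be resolved.
 *
 * @param {{onEnter: Function, onLeave: Function}} callback - Both handlers
 *     are required; otherwise "callback error" is logged and nothing is hooked.
 * @param {string} funName - Export name to hook.
 * @param {string} [moduleName] - Module that holds the export; omitted or
 *     empty means null is passed as the module name.
 */
function hookNativeFun(callback, funName, moduleName) {
    var time = 1000;
    moduleName = moduleName || null;
    if (!(callback && callback.onEnter && callback.onLeave)) {
        console.log("callback error");
        return;
    }
    // NOTE(review): newer Frida releases appear to have dropped the static
    // Module.findExportByName helper - confirm against the Frida version in use.
    var address = Module.findExportByName(moduleName, funName);
    if (address == null) {
        // Not resolvable yet: retry later. There is no retry limit, so a
        // misspelled export name keeps polling for the life of the script.
        setTimeout(hookNativeFun, time, callback, funName, moduleName);
    } else {
        // findExportByName already returns a NativePointer, so no re-wrapping is needed.
        Interceptor.attach(address, callback);
        // Report success only after attach() has returned without throwing.
        console.log(funName + " hook ok");
    }
}
```

## 等待目标so加载_插入hook

```js
send("Start Run....");

/**
 * Poll every 500 ms until the target library is loaded, then report its base
 * address; hooks are meant to be installed after that point.
 */
function StartHook() {
    send("in start hook function..");
    // NOTE(review): newer Frida releases appear to have dropped the static
    // Module.findBaseAddress helper - confirm against the Frida version in use.
    var hook_base = Module.findBaseAddress("xxxxx.so");
    // findBaseAddress returns null while the module is not loaded. The original
    // `hook_base < 0` test on a pointer object added nothing and was removed.
    if (hook_base === null) {
        setTimeout(StartHook, 500);
        return;
    }
    send("base : " + hook_base);
    // ... install hooks here ...
}
// The original listing had a stray `});` after the function body, which is a syntax error.
setTimeout(StartHook, 0);
```

最后修改:2024 年 01 月 23 日
© 允许规范转载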