credittone / hooker
🔥🔥 hooker is a reverse-engineering toolkit built on frida. It gives reverse engineers a unified way to manage script packages, universal ("kill-all") scripts, automatic generation of hook scripts, in-memory discovery of activities and services, a frida version of JustTrustMe, and SSL-pinning disabling.
License: Apache License 2.0
Error: this file cannot be found
Where can I download other versions of frida-server that someone recompiled to strip its identifying features?
Mac OS 10.15.6
Phone: Nexus 5, Android 6.0.1, rooted, Xposed installed.
Python 3.7.x
Following the steps on GitHub, I cloned the project, pushed the folder, and started the deploy script with sh.
After starting ./hooker, I entered one of the package names, e.g. WeChat's (wx). Then the phone rebooted.
I retried several times; the phone rebooted every time.
Please enter e, s, j, c or ex command.
a: Discovering activities.
b: Discovering services.
c: Discovering object. eg:'c {objectId}'
d: Object2Explain. eg:'d {objectId}'
v: Discovering view. eg:'v {viewId}'
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes by a class'regex. eg:'s com.tencent.mm.Message.*'
t: Discovering offspring classes by a class'name. eg:'t com.tencent.mm.BasicActivity'
j: Generating hooked js. eg:'j okhttp3.Request$Builder:build'
k: Generating hooked the string generation js with a keyword. eg:'k {YourKeyword}'
l: Generating hooked the param generation js with a param keyword. eg:'l {YourKeyword}'
m: Discovering so module.
ex: Exit to the upper layer. eg:'ex'
:
At this point the app has already died.
-------- The cause is below
--------- beginning of crash
05-07 09:55:29.427 28006-28425/? A/libc: Fatal signal 11 (SIGSEGV), code 0, fault addr 0x6d66 in tid 28425 (Thread-2014)
05-07 09:55:29.487 459-459/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
05-07 09:55:29.488 459-459/? A/DEBUG: Build fingerprint: 'google/shamu/shamu:6.0.1/MMB29K/2419427:user/release-keys'
05-07 09:55:29.488 459-459/? A/DEBUG: Revision: '0'
05-07 09:55:29.488 459-459/? A/DEBUG: ABI: 'arm'
05-07 09:55:29.488 459-459/? A/DEBUG: pid: 28006, tid: 28425, name: Thread-2014 >>> com.lilithgames.afk.aligames <<<
05-07 09:55:29.488 459-459/? A/DEBUG: signal 11 (SIGSEGV), code 0 (SI_USER), fault addr 0x9c
05-07 09:55:29.499 459-459/? W/debuggerd: type=1400 audit(0.0:304982): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.499 459-459/? W/debuggerd: type=1400 audit(0.0:304983): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.509 459-459/? W/debuggerd: type=1400 audit(0.0:304984): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304985): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304986): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304987): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.529 459-459/? W/debuggerd: type=1400 audit(0.0:304988): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.539 459-459/? W/debuggerd: type=1400 audit(0.0:304989): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.539 459-459/? W/debuggerd: type=1400 audit(0.0:304990): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304991): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304992): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304993): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304994): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.549 459-459/? W/debuggerd: type=1400 audit(0.0:304995): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.559 459-459/? W/debuggerd: type=1400 audit(0.0:304996): avc: denied { search } for name="com.lilithgames.afk.aligames" dev="dm-0" ino=587545 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
05-07 09:55:29.610 459-459/? A/DEBUG: Abort message: 'art/runtime/thread.cc:1237] Native thread exited without calling
------ How do I view the js log? ----
[('-p', 'com.android.settings'), ('-b', 'true')]
injecting radar.dex failure.
radar injection failed
It's a Mac. It reports that frida has been installed and frida-tools is installed too, but there is no frida on the command line. Other computers get the frida commands without any configuration.
a: Discovering activities.
b: Discovering services.
c: Discovering object. eg:'c {objectId}'
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
frida.ProcessNotRespondingError: process with pid 14550 either refused to load frida-agent, or terminated during injection
File "hooker.py", line 241, in printActivitys
info(online_script.exports.activitys())
AttributeError: 'NoneType' object has no attribute 'exports'
➜ hooker git:(2022074_first_use) ✗ ./hooker
./hooker: line 6: frida-ps: command not found
Enter the need to attach package.
:
It's that you have attached app.
Traceback (most recent call last):
File "/Users/xxx/Desktop/hooker/hooker.py", line 6, in <module>
import frida, sys
ModuleNotFoundError: No module named 'frida'
I have already installed frida and frida-tools, so why does running ./hooker
give the following error?
Hello author,
Steps:
While using the hook tool,
1. First I entered the package name com.mediatek.ppl
2. Then I entered a to scan activities, and it reported finding two identical processes.
Problem:
frida officially says to handle this by specifying the process id, but the current hooker framework doesn't seem to offer a way to specify the pid.
How should an app with two identically named processes be handled?
The error log is as follows:
ex: Exit to the upper layer. eg:'ex'
: a
Traceback (most recent call last):
File "/Users/tato/hook/git/hooker/hooker.py", line 60, in attach
online_session = rdev.attach(packageName)
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 156, in attach
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 180, in _pid_of
return self.get_process(target).pid
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 110, in get_process
raise _frida.ProcessNotFoundError("ambiguous name; it matches: %s" % ", ".join(["%s (pid: %d)" % (process.name, process.pid) for process in matching]))
frida.ProcessNotFoundError: ambiguous name; it matches: com.mediatek.ppl (pid: 13221), com.mediatek.ppl (pid: 14430)
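An added example (not hooker's own code, and not from the issue author) in Python against the frida Python bindings the traceback above comes from: the "ambiguous name" error comes from Device.attach(name) when several processes share a name, and the way around it is to enumerate processes, pick one pid, and attach by pid (an int). `Proc`, `AmbiguousTarget`, `choose_pid`, `attach_with_pid_fallback` and `SAMPLE_PROCS` are this example's own names; the sample process list is constructed from the pids in the traceback, and the frida calls need a real device so they are kept inside one function.

```python
"""Resolve an ambiguous package name to a single pid before attaching.

Added example, not part of hooker. frida's Device.attach(target) raises
ProcessNotFoundError("ambiguous name; it matches: ...") when two processes
share a name; attaching by int pid avoids the name lookup entirely.
choose_pid() is pure and runs offline; frida is only imported inside
attach_with_pid_fallback().
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Proc:
    """Minimal stand-in for frida's Process object (only .name and .pid are used)."""
    name: str
    pid: int


class AmbiguousTarget(Exception):
    """Raised when a name matches several pids and no single pid was chosen."""

    def __init__(self, name: str, candidates: Sequence[Proc]):
        self.candidates = list(candidates)
        desc = ", ".join(f"{p.name} (pid: {p.pid})" for p in self.candidates)
        super().__init__(f"ambiguous name; it matches: {desc}")


def choose_pid(procs: Sequence[Proc], target: str, pick_lowest: bool = False) -> int:
    """Map a user-supplied target (package name or numeric pid) to exactly one pid.

    - A purely numeric target is taken as a pid and must exist in the listing.
    - A name matching exactly one process returns that pid.
    - A name matching several processes raises AmbiguousTarget, unless
      pick_lowest=True, in which case the lowest pid is returned. The lowest pid
      is usually the first-forked (main) process, but that is only a heuristic:
      when a child is forked to ptrace its parent, the parent is the lowest pid
      and is exactly the one that cannot be attached to.
    """
    if target.isdigit():
        pid = int(target)
        if not any(p.pid == pid for p in procs):
            raise LookupError(f"no process with pid {pid}")
        return pid
    matches = [p for p in procs if p.name == target]
    if not matches:
        raise LookupError(f"unable to find process with name '{target}'")
    if len(matches) == 1:
        return matches[0].pid
    if pick_lowest:
        return min(p.pid for p in matches)
    raise AmbiguousTarget(target, matches)


def attach_with_pid_fallback(target: str, pick_lowest: bool = False):
    """Attach over USB by name or pid, resolving name collisions ourselves.

    Needs a device with frida-server running; not exercised offline.
    """
    import frida  # local import so the pure helpers above work without frida

    device = frida.get_usb_device()
    procs = [Proc(p.name, p.pid) for p in device.enumerate_processes()]
    pid = choose_pid(procs, target, pick_lowest=pick_lowest)
    return device.attach(pid)  # an int pid never hits the ambiguous-name path


# Constructed sample mirroring the pids reported in the traceback above.
SAMPLE_PROCS = [
    Proc("com.android.settings", 1202),
    Proc("com.mediatek.ppl", 13221),
    Proc("com.mediatek.ppl", 14430),
]

if __name__ == "__main__":
    try:
        choose_pid(SAMPLE_PROCS, "com.mediatek.ppl")
    except AmbiguousTarget as e:
        print(e)
        print("candidates:", [p.pid for p in e.candidates])
    print("explicit pid ->", choose_pid(SAMPLE_PROCS, "13221"))
```

Which of the two pids is the right one depends on why there are two: for a plain duplicate (e.g. a process restarted while the old one lingers) the lowest pid is usually the live main process, but for the anti-debug pattern reported further down this page the lowest pid is the traced parent, so it is safer to choose explicitly than to let a tool guess.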
When doing mutual TLS authentication with ./spawn keystore_dump.js, this error appears:
Error: java.lang.ClassNotFoundException: Didn't find class "[java.security.cert.X509Certificate" on path: DexPathList[[zip file "/data/app/com.yuanrenxue.match2022-VRPl2zHSsrdhlLZsuj2BSg==/base.apk"],nativeLibraryDirectories=[/data/app/com.yuanrenxue.match2022-VRPl2zHSsrdhlLZsuj2BSg==/lib/arm64, /data/app/com.yuanrenxue.match2022-VRPl2zHSsrdhlLZsuj2BSg==/base.apk!/lib/arm64-v8a, /system/lib64, /vendor/lib64]]
Suggestion: could you add a parameter for specifying the port?
Some apps detect the port.
Tantan cannot be launched on many emulators.
Hi,
Could you check the following error.
➜ hooker git:(master) ./hooker
PID Name Identifier
---- -------------------- --------------------------------
3370 Chrome com.android.chrome
1594 Google Play Store com.android.vending
4325 Messaging com.android.messaging
1307 Phone com.android.dialer
1234 Test test.dede.dede
- Amaze com.amaze.filemanager
- Calendar com.android.calendar
- Camera com.android.camera2
- Clock com.android.deskclock
- Contacts com.android.contacts
- Custom Locale com.android.customlocale2
- Development Settings com.android.development_settings
- Email com.android.email
- Files com.android.documentsui
- Gallery com.android.gallery3d
- Search com.android.quicksearchbox
- Settings com.android.settings
- Superuser com.genymotion.superuser
- WebView Shell org.chromium.webview_shell
- drozer Agent com.mwr.dz
Enter the need to attach package.
: test.dede.dede
It's test.dede.dede that you have attached app.
Traceback (most recent call last):
File "/Users/test/hooker/hooker.py", line 100, in attach
createHookingEnverment(packageName, online_script.exports.mainactivity())
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 468, in method
return script._rpc_request('call', js_name, args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/frida/core.py", line 400, in _rpc_request
raise result[2]
frida.InvalidOperationError: script has been destroyed
--------------------------------------------------
Using click.js, the real class hooked for the clicked View is android.support.v7.widget.AppCompatTextView, a system class, and the stack is all system classes too, which is no help at all for analysis. What should I do?
ViewClz: android.support.v7.widget.AppCompatTextView
ViewId: 2131296475
------------startFlag:6fq79b4f,objectHash:obj:873346533,thread(id:1,name:main),timestamp:1619427614290---------------
public boolean android.view.View.performClick()
at android.view.View.performClick(Native Method)
at android.view.View$PerformClick.run(View.java:19866)
at android.os.Handler.handleCallback(Handler.java:739)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:135)
at android.app.ActivityThread.main(ActivityThread.java:5254)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:905)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:700)
------------endFlag:6fq79b4f,usedtime:8---------------
The environment is configured normally, but as soon as I do anything on the phone the device reboots. What kind of situation is this, and what settings do I need?
Model: OnePlus 5
Android version: 6.0.1
PID Name Identifier
----- ---------------------------- ---------------------------------------------
7313 AirDroid com.sand.airdroid
8263 Calendar com.samsung.android.calendar
7572 Contacts com.samsung.android.contacts
7572 Contacts com.samsung.android.contacts
26770 Dergilik com.arneca.dergilik.main3x
5384 Google com.google.android.googlequicksearchbox
5384 Google com.google.android.googlequicksearchbox
6258 Google Play Store com.android.vending
26635 Instagram Lite com.instagram.lite
6180 Lite com.facebook.lite
6831 Magisk com.topjohnwu.magisk
26939 Official TWRP App me.twrp.twrpapp
25921 S Voice com.samsung.voiceserviceplatform
26081 Samsung Music com.sec.android.app.music
19360 TikTok com.zhiliaoapp.musically
27067 TikTok Lite com.zhiliaoapp.musically.go
3608 抖音 com.ss.android.ugc.aweme
Enter the need to attach package.
: com.ss.android.ugc.aweme
It's com.ss.android.ugc.aweme that you have attached app.
Traceback (most recent call last):
File "/Users/selcukakbulut/temp/andro/hooker/hooker.py", line 93, in attach
online_session = rdev.attach(target)
File "/opt/homebrew/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/opt/homebrew/lib/python3.9/site-packages/frida/core.py", line 165, in attach
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
File "/opt/homebrew/lib/python3.9/site-packages/frida/core.py", line 193, in _pid_of
return self.get_process(target).pid
File "/opt/homebrew/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/opt/homebrew/lib/python3.9/site-packages/frida/core.py", line 121, in get_process
raise _frida.ProcessNotFoundError("unable to find process with name '%s'" % process_name)
frida.ProcessNotFoundError: unable to find process with name 'com.ss.android.ugc.aweme'
--------------------------------------------------
After running Deploy.sh, the Huawei phone can no longer be connected over adb.
packageName is None, but the packageName exists when I use the command frida-ps -U
Reproduction steps:
1. Huawei phone
2. ./hooker
com.alibaba.taurus.xxxs
j cch
All prompts are normal and cch.js is generated correctly.
3. ./hooking cch.js
./hooking cch.js
Sat Jun  5 09:43:36 CST 2021
     ____
    / _  |   Frida 14.2.18 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Attaching...
TypeError: not a function
at Bt (frida/node_modules/frida-java-bridge/lib/android.js:1158)
at replace (frida/node_modules/frida-java-bridge/lib/android.js:1003)
at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:1010)
at <anonymous> (/cch.js:156)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)
at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)
at perform (frida/node_modules/frida-java-bridge/index.js:192)
at <eval> (/cch.js:270)
[HUAWEI MT7 CL00::com.alibaba.taurus.xxxs]->
5.1.1
ls: /data/local/tmp//re.frida.server: Permission denied
What error is this?
OK. I've only just started doing Android reverse engineering, and your software looks quite convenient to use. Doing it manually every time is a hassle, and writing my own set would take months. Let's cooperate when there's a chance.
--- Original Message ---
From: "来自牛逼的爬虫工程师"[email protected]
Sent: Saturday, September 19, 2020, 12:43 PM
To: "dorry"[email protected];
Subject: Re: Inquiry about crawler software
This isn't for sale for now.
Sent from my iPhone
------------------ Original Message ------------------
From: dorry [email protected]
Sent: September 19, 2020, 12:42
To: 来自牛逼的爬虫工程师 [email protected]
Subject: Re: Inquiry about crawler software
HOOKER PRO
--- Original Message ---
From: "来自牛逼的爬虫工程师"[email protected]
Sent: Saturday, September 19, 2020, 12:41 PM
To: "dorry"[email protected];
Subject: Re: Inquiry about crawler software
What do you need to buy?
Sent from my iPhone
------------------ Original Message ------------------
From: dorry [email protected]
Sent: September 19, 2020, 12:41
To: 1273568669 [email protected]
Subject: Re: Inquiry about crawler software
Hello, I'd like to ask how the software is sold.
Can it view header or data/cookie information?
```java
import android.app.Activity;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;

// Returns the foreground Activity by reflecting into ActivityThread.mActivities
// and picking the first ActivityClientRecord that is not paused. It relies on
// hidden framework fields, so it can break between Android versions.
public static Activity getGlobleActivity() throws ClassNotFoundException, IllegalArgumentException, SecurityException,
        IllegalAccessException, InvocationTargetException, NoSuchMethodException, NoSuchFieldException
{
    Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
    Object activityThread = activityThreadClass.getMethod("currentActivityThread").invoke(null);
    Field activitiesField = activityThreadClass.getDeclaredField("mActivities");
    activitiesField.setAccessible(true);
    Map<?, ?> activities = (Map<?, ?>) activitiesField.get(activityThread);
    for (Object activityRecord : activities.values())
    {
        Class<?> activityRecordClass = activityRecord.getClass();
        Field pausedField = activityRecordClass.getDeclaredField("paused");
        pausedField.setAccessible(true);
        if (!pausedField.getBoolean(activityRecord))
        {
            Field activityField = activityRecordClass.getDeclaredField("activity");
            activityField.setAccessible(true);
            return (Activity) activityField.get(activityRecord);
        }
    }
    return null;
}
```
Does the device need to be rooted?
Where can I download hluda-server? I couldn't find anywhere to download it; could you provide a link?
Script involved: keystore_dump.js
Device: Xiaomi Mi 8 (in-screen fingerprint edition)
Android version: 9
MIUI version: MIUI 10.2
When dumping the p12 file it keeps reporting Permission denied, and I don't know what needs to be granted permission. frida-server has already been chmod 777, and the app has been granted read/write permission for phone storage.
If you need other screenshots or attachments, contact me; I'm online all the time.
Fri Apr 15 15:37:52 CST 2022
     ____
    / _  |   Frida 14.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/
Attaching...
[Remote::com.tencent.mobileqq]-> Process terminated
Thank you for using Frida!
Fatal Python error: _enter_buffered_busy: could not acquire lock for <_io.BufferedReader name=''> at interpreter shutdown, possibly due to daemon threads
Python runtime state: finalizing (tstate=0x000055ad4daefe80)
Current thread 0x00007fb1da861740 (most recent call first):
After opening the app and navigating, it crashes and then the error is reported.
stephen@ubuntu:~/hooker/com.yaotong.crackme$ ./objection
A newer version of objection is available!
You have v1.10.1 and v1.10.2 is ready for download.
Upgrade with: pip3 install objection --upgrade
For more information, please see: https://github.com/sensepost/objection/wiki/Updating
Traceback (most recent call last):
File "/home/stephen/.pyenv/versions/3.9.0/bin/objection", line 33, in <module>
sys.exit(load_entry_point('objection==1.10.1', 'console_scripts', 'objection')())
File "/home/stephen/.pyenv/versions/3.9.0/bin/objection", line 25, in importlib_load_entry_point
return next(matches).load()
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/importlib/metadata.py", line 77, in load
module = import_module(match.group('module'))
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/importlib/__init__.py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 790, in exec_module
File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/site-packages/objection/console/cli.py", line 8, in <module>
from .repl import Repl
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/site-packages/objection/console/repl.py", line 15, in <module>
from .commands import COMMANDS
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/site-packages/objection/console/commands.py", line 10, in <module>
from ..commands import sqlite
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/site-packages/objection/commands/sqlite.py", line 7, in <module>
from litecli.main import LiteCli
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/site-packages/litecli/main.py", line 13, in <module>
from sqlite3 import OperationalError
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/sqlite3/__init__.py", line 23, in <module>
from sqlite3.dbapi2 import *
File "/home/stephen/.pyenv/versions/3.9.0/lib/python3.9/sqlite3/dbapi2.py", line 27, in <module>
from _sqlite3 import *
ModuleNotFoundError: No module named '_sqlite3'
stephen@ubuntu:~/hooker/com.yaotong.crackme$
On the main Feed's "For you" screen, after tapping an avatar, ./hooking android_ui.js
viewTree() returns MainActivity's view tree rather than the current HostActivity's.
My guess is that this happens because MainActivity has not been paused.
Also, I'd like to ask for radar.dex to be open-sourced. To add a click function that takes click coordinates I had to go a long way round, and the issue above is hard to handle too.
For example, the methods:
```java
class a {
    public double d() {}
    public void d() {}
}
```
The generated script only hooks one of them.
I ran into an app that spawned a child process, and the child process then traced the parent process, so frida could not attach.
Step 1: Entering the process name directly reveals two identical processes. (Failed)
Enter the need to attach package.
: com.gome.eshopnew
It's com.gome.eshopnew that you have attached app.
Traceback (most recent call last):
File "hooker.py", line 93, in attach
online_session = rdev.attach(target)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/frida/core.py", line 156, in attach
return Session(self._impl.attach(self._pid_of(target)))
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/frida/core.py", line 180, in _pid_of
return self.get_process(target).pid
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/frida/core.py", line 110, in get_process
raise _frida.ProcessNotFoundError("ambiguous name; it matches: %s" % ", ".join(["%s (pid: %d)" % (process.name, process.pid) for process in matching]))
frida.ProcessNotFoundError: ambiguous name; it matches: com.gome.eshopnew (pid: 7661), com.gome.eshopnew (pid: 7743)
Step 2: Try attaching via the pid. (Failed)
Enter the need to attach package.
: 7661
It's 7661 that you have attached app.
Traceback (most recent call last):
File "hooker.py", line 91, in attach
online_session = frida.core.Session(rdev._impl.attach(pid))
frida.PermissionDeniedError: unable to access process with pid 7661 due to system restrictions; try sudo sysctl kernel.yama.ptrace_scope=0, or run Frida as root
Thinking: on reflection, the main process is probably already being traced........
Step 3: Verify the guess
~/hooker/com.gome.eshopnew$ adb shell
1|oxygen: su
1|oxygen: cat /proc/7661/status
Name: m.gome.eshopnew
State: S (sleeping)
Tgid: 7661
Pid: 7661
PPid: 744
TracerPid: 7743
Uid: 10122 10122 10122 10122
Gid: 10122 10122 10122 10122
Ngid: 0
FDSize: 256
Groups: 3001 3002 3003 9997 50122
VmPeak: 2304804 kB
VmSize: 2253688 kB
TracerPid is indeed non-zero. In this situation you need to find a way to kill the spawned child process, or find the .so that does the ptrace, hard-patch it to NOPs, and repack and reinstall. I haven't thought of anything else for now.
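An added example in Python (not from hooker or the issue author) that automates the check in step 3: parse /proc/<pid>/status for TracerPid and, given the status of every same-named pid, work out which one is the traced victim (attach will fail with PermissionDeniedError) and which one is the tracer child. `parse_proc_status`, `tracer_of`, `read_proc_status`, `classify`, `PARENT_STATUS` and `CHILD_STATUS` are this example's own names; the parent's status text is copied from the listing above, while the child's status (pid 7743, PPid 7661, TracerPid 0) is a constructed assumption, and fetching over adb needs a rooted device so it is not exercised offline.

```python
"""Find which of two same-named processes is being ptrace'd, and by whom.

Added example, not part of hooker. The parsing is pure and runs offline;
read_proc_status() shells out to `adb shell su -c cat /proc/<pid>/status`
and therefore needs a rooted phone.
"""
import subprocess
from typing import Dict, Optional


def parse_proc_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def tracer_of(status_text: str) -> int:
    """Return TracerPid; 0 means nobody is tracing the process."""
    return int(parse_proc_status(status_text).get("TracerPid", "0"))


def read_proc_status(pid: int, serial: Optional[str] = None) -> str:
    """Fetch /proc/<pid>/status from a rooted device via adb (needs a device)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "su", "-c", f"cat /proc/{pid}/status"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def classify(statuses: Dict[int, str]) -> Dict[int, dict]:
    """Report, per pid, who traces it and whom it traces.

    statuses maps pid -> contents of that pid's /proc/<pid>/status. A pid whose
    TracerPid points at another pid in the set is the anti-debug victim; the pid
    named as someone's TracerPid is the watchdog child. A ptrace attachment ends
    when the tracer exits, so killing the watchdog clears TracerPid on the
    parent, after which attaching by pid can succeed.
    """
    tracers = {pid: tracer_of(text) for pid, text in statuses.items()}
    return {
        pid: {
            "traced_by": tracer,
            "attachable": tracer == 0,
            "traces": [p for p, t in tracers.items() if t == pid],
        }
        for pid, tracer in tracers.items()
    }


# Constructed samples: the parent's status as in the listing above, plus an
# assumed status for the child (pid 7743) that is doing the tracing.
PARENT_STATUS = (
    "Name:\tm.gome.eshopnew\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t7661\n"
    "Pid:\t7661\n"
    "PPid:\t744\n"
    "TracerPid:\t7743\n"
    "Uid:\t10122\t10122\t10122\t10122\n"
)
CHILD_STATUS = (
    "Name:\tm.gome.eshopnew\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t7743\n"
    "Pid:\t7743\n"
    "PPid:\t7661\n"
    "TracerPid:\t0\n"
    "Uid:\t10122\t10122\t10122\t10122\n"
)

if __name__ == "__main__":
    for pid, info in classify({7661: PARENT_STATUS, 7743: CHILD_STATUS}).items():
        print(pid, info)
```

Note that Name in /proc/<pid>/status is truncated to 15 characters by the kernel ("m.gome.eshopnew"), which is why it does not match the package name frida-ps shows; match on pid, not on that field.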
As titled.
Redmi Note 9: after running Deploy.sh and executing the hooker command, the process doesn't appear; it prompts that the frida-ps command was not found.
Nox emulator, latest version, Android 7.1.2
Nox emulator installed on a Windows PC, Ubuntu 18 installed in a VM virtual machine
tcpforward is enabled
Failed to spawn: ambiguous name; it matches: com.ss.android.ugc.aweme (pid: 29644), com.ss.android.ugc.aweme (pid: 30187)
Very interested; I'd like to learn.
@CreditTone hello, what problem is this?
I'm planning to extend AndroidUI further and write some automation scripts. Could radar.dex be open-sourced? Thanks.