使用Frida框架HOOK RegisterNatives函数，获取动态注册的函数地址、名称、签名、class名称、所属的so文件名称、so文件加载基址、函数在so文件中的地址（即相对加载基址的偏移）。
废话不多说，上代码：
运行命令：frida -U -f in.****** -l RegisterNatives.js
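/**
 * Hook the RegisterNatives implementation inside libart.so and log every
 * dynamically registered JNI method: Java class name, method name, JNI
 * signature, native function address, the module that contains the
 * function, that module's load base, and the function's offset from it.
 *
 * Review notes on this version:
 *  - The listing had lost its operators and string quotes (`=`, `+`, `<`,
 *    `&&`, `"`), so it did not parse; they are restored here.
 *  - The owning module is resolved from the first entry's fnPtr. The
 *    listing's offset (pointerSize * 3 + pointerSize) lands on the second
 *    entry's signature pointer and reads past the array when only one
 *    method is registered.
 *  - libart.so, the symbol and the JNIEnv are checked before use, so the
 *    script reports the problem instead of throwing.
 *
 * `var` and string concatenation are kept, matching the rest of the script.
 */
function hook_native() {
    var module_libart = Process.findModuleByName("libart.so");
    console.log("module_libart info:" + module_libart);
    if (!module_libart) {
        // findModuleByName returns null when the library is not mapped.
        console.log("cannot find libart.so");
        return;
    }

    var symbols = module_libart.enumerateSymbols();
    var addr_RegisterNatives = null;
    for (var i = 0; i < symbols.length; i++) {
        var name = symbols[i].name;
        // Keep the JNI RegisterNatives symbol and skip the CheckJNI variant.
        // As in the listing, the last matching symbol wins.
        if (name.indexOf("CheckJNI") === -1 &&
            name.indexOf("JNI") >= 0 &&
            name.indexOf("RegisterNatives") >= 0) {
            console.log("RegisterNatives" + name + "\nRegisterNatives_Address" + symbols[i].address);
            addr_RegisterNatives = symbols[i].address;
        }
    }
    if (!addr_RegisterNatives) {
        console.log("cannot find RegisterNatives symbol");
        return;
    }

    Interceptor.attach(addr_RegisterNatives, {
        onEnter: function (args) {
            // args: (JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods)
            var env = Java.vm.tryGetEnv();
            var java_class = env ? env.getClassName(args[1]) : "<unknown>";
            var methods = args[2];
            // nMethods is a 32-bit jint; toInt32() ignores whatever sits in the
            // upper half of the argument slot on 64-bit targets.
            var method_count = args[3].toInt32();
            var ptr_size = Process.pointerSize;
            // JNINativeMethod = { const char *name; const char *signature; void *fnPtr; }
            var entry_size = ptr_size * 3;

            // Resolve the owning module from the first entry's fnPtr; with an
            // empty array there is nothing to read.
            var module = null;
            if (method_count > 0) {
                module = Process.findModuleByAddress(methods.add(ptr_size * 2).readPointer());
            }
            var module_addr = null;
            if (module) {
                console.log("module so name:" + module.name); // owning module name
                // Use the base of the module that was actually resolved rather
                // than looking it up again by name.
                module_addr = module.base;
                console.log(module.name + " address is:" + module_addr);
            } else {
                console.log("cannot find so name"); // fnPtr is not inside a mapped module
            }
            console.log("addr_RegisterNatives Java Class Name:" + java_class);
            console.log("addr_RegisterNatives Java Class method count:" + method_count);

            for (var i = 0; i < method_count; i++) {
                var entry = methods.add(i * entry_size);
                var method_name = entry.readPointer().readCString();
                var method_sign = entry.add(ptr_size).readPointer().readCString();
                var method_addr = entry.add(ptr_size * 2).readPointer();
                console.log("method name:" + method_name); // method name
                console.log("method sign:" + method_sign); // JNI signature
                console.log("method addr:" + method_addr); // runtime address of the native function
                if (module_addr !== null) {
                    // Offset from the load base, i.e. the address to look up in
                    // the .so on disk. NOTE(review): on 32-bit ARM the low bit
                    // may be the Thumb flag - confirm before using the value.
                    var file_method_addr = method_addr.sub(module_addr);
                    console.log("method file addr is:" + file_method_addr);
                }
            }
        }
    });
}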
/**
 * Script entry point: installs the RegisterNatives hook.
 */
function main() {
    hook_native();
}
// Schedule main() to run as soon as the script has finished loading.
setImmediate(main);