frida-trace命令大全
1、spawn - 冷启动frida-trace -U -f com.apple.ExampleCode -m "+"
2、attach - 热启动
frida-trace -UF -m "+"
3、Hook类方法
frida-trace -UF -m "+"
4、Hook实例方法
frida-trace -UF -m "-"
5、Hook类的所有方法
frida-trace -UF -m "*"
6、模糊Hook类的所有方法
frida-trace -UF -m "*[*service* *]"
7、模糊Hook所有类的特定方法
frida-trace -UF -m "*[* *sign*]"
8、模糊Hook所有类的特定方法并忽略大小写
假设我们要hook所有类中包含getSign或getsign关键词的方法
frida-trace -UF -m "*[* get?ign]"
9、模糊Hook所有类的特定方法并排除viewDidLoad方法
frida-trace -UF -m "*" -M "-"
10、Hook某个动态库
frida-trace -UF -I "libcommonCrypto*"
11、Hook get或post的接口地址
frida-trace -UF -m "+"
js代码如下:
{
onEnter(log, args, state) {
var args2 = new ObjC.Object(args);
log(`-`);
},
onLeave(log, retval, state) {
}
}
12、Hook post的body
js代码如下:
frida-trace -UF -m "-"
{
onEnter(log, args, state) {
var args2 = new ObjC.Object(args);
log(`-`);
},
onLeave(log, retval, state) {
}
}1、Hook即将显示页面
frida-trace -UF -m "-" -m "-"
pushViewController:animated:方法的js代码如下:
{
onEnter(log, args, state) {
var args2 = new ObjC.Object(args);
log(`-}]`);
},
onLeave(log, retval, state) {
}
}
presentViewController:animated:completion:方法对应的js代码如下:
{
onEnter(log, args, state) {
var args2 = new ObjC.Object(args);
log(`-} completion:${args}]`);
},
onLeave(log, retval, state) {
}
}2、Hook MD5函数
frida-trace -UF -i "CC_MD5"
js代码如下:
{
onEnter(log, args, state) {
this.args0 = args;// 入参
this.args2 = args;// 返回值指针
},
onLeave(log, retval, state) {
var ByteArray = Memory.readByteArray(this.args2, 16);
var uint8Array = new Uint8Array(ByteArray);
var str = "";
for(var i = 0; i < uint8Array.length; i++) {
var hextemp = (uint8Array.toString(16))
if(hextemp.length == 1){
hextemp = "0" + hextemp
}
str += hextemp;
}
log(`CC_MD5(${this.args0.readUtf8String()})`); // 入参
log(`CC_MD5()=${str}=`); // 返回值
}
}Hook Base64编码方法
frida-trace -UF -m "-"
js代码如下:
{
onEnter(log, args, state) {
this.self = args;
},
onLeave(log, retval, state) {
var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.self, 4);
var after = new ObjC.Object(retval);
log(`-before=${before}=`);
log(`-after=${after}=`);
}
}4、Hook Base64解码方法
frida-trace -UF -m "-" -m "-"
initWithBase64EncodedData:options:方法对应的js代码如下:
{
onEnter(log, args, state) {
this.arg2 = args;
},
onLeave(log, retval, state) {
var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.arg2, 4);
var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
log(`-before=${before}=`);
log(`-after=${after}=`);
}
}
initWithBase64EncodedString:options:方法对应的js代码如下:
{
onEnter(log, args, state) {
this.arg2 = args;
},
onLeave(log, retval, state) {
var before = new ObjC.Object(this.arg2);
var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
log(`-before=${before}=`);
log(`-after=${after}=`);
}
}5、Hook加密函数AES、DES、3DES
frida-trace -UF -i CCCrypt
js代码如下:
{
onEnter: function(log, args, state) {
this.op = args
this.alg = args
this.options = args
this.key = args
this.keyLength = args
this.iv = args
this.dataIn = args
this.dataInLength = args
this.dataOut = args
this.dataOutAvailable = args
this.dataOutMoved = args
log('CCCrypt(' +
'op: ' + this.op + '' + ', ' +
'alg: ' + this.alg + '' + ', ' +
'options: ' + this.options + '' + ', ' +
'key: ' + this.key + ', ' +
'keyLength: ' + this.keyLength + ', ' +
'iv: ' + this.iv + ', ' +
'dataIn: ' + this.dataIn + ', ' +
'inLength: ' + this.inLength + ', ' +
'dataOut: ' + this.dataOut + ', ' +
'dataOutAvailable: ' + this.dataOutAvailable + ', ' +
'dataOutMoved: ' + this.dataOutMoved + ')')
if (this.op == 0) {
log("dataIn:")
log(hexdump(ptr(this.dataIn), {
length: this.dataInLength.toInt32(),
header: true,
ansi: true
}))
log("key: ")
log(hexdump(ptr(this.key), {
length: this.keyLength.toInt32(),
header: true,
ansi: true
}))
log("iv: ")
log(hexdump(ptr(this.iv), {
length: this.keyLength.toInt32(),
header: true,
ansi: true
}))
}
},
onLeave: function(log, retval, state) {
if (this.op == 1) {
log("dataOut:")
log(hexdump(ptr(this.dataOut), {
length: Memory.readUInt(this.dataOutMoved),
header: true,
ansi: true
}))
log("key: ")
log(hexdump(ptr(this.key), {
length: this.keyLength.toInt32(),
header: true,
ansi: true
}))
log("iv: ")
log(hexdump(ptr(this.iv), {
length: this.keyLength.toInt32(),
header: true,
ansi: true
}))
} else {
log("dataOut:")
log(hexdump(ptr(this.dataOut), {
length: Memory.readUInt(this.dataOutMoved),
header: true,
ansi: true
}))
}
log("CCCrypt did finish")
}
}6、Hook加密函数RSA
rsa加密有公钥加密和私钥加密两种方式
frida-trace -UF -i "SecKeyEncrypt" -i "SecKeyRawSign"
SecKeyEncrypt公钥加密函数对应的js代码如下:
{
onEnter(log, args, state) {
// 由于同一条加密信息可能会多次调用该函数,故在这输出该函数的调用栈。可根据栈信息去分析上层函数
log(`SecKeyEncrypt()=${args.readCString()}=`);
log('SecKeyEncrypt called from:\n' +
Thread.backtrace(this.context, Backtracer.ACCURATE)
.map(DebugSymbol.fromAddress).join('\n') + '\n');
},
onLeave(log, retval, state) {
}
}
SecKeyRawSign私钥加密函数对应的js代码如下:
{
onEnter(log, args, state) {
log(`SecKeyRawSign()=${args.readCString()}=`);
log('SecKeyRawSign called from:\n' +
Thread.backtrace(this.context, Backtracer.ACCURATE)
.map(DebugSymbol.fromAddress).join('\n') + '\n');
},
onLeave(log, retval, state) {
}
}7、修改方法的入参
frida-trace -UF -m "-"
js代码如下:
{
onEnter(log, args, state) {
var self = new ObjC.Object(args);// 当前对象
var method = args.readUtf8String();// 当前方法名
log(`[${self.$className} ${method}]`);
// 字符串
// var str = ObjC.classes.NSString.stringWithString_("hi wit!")// 对应的oc语法:NSString *str = ;
// args = str// 修改入参为字符串
// 数组
// var array = ObjC.classes.NSMutableArray.array();// 对应的oc语法:NSMutableArray array = ;
// array.addObject_("item1");// 对应的oc语法:;
// array.addObject_("item2");// 对应的oc语法:;
// args = array; // 修改入参为数组
// 字典
// var dictionary = ObjC.classes.NSMutableDictionary.dictionary(); // 对应的oc语法:NSMutableDictionary *dictionary = ;
// dictionary.setObject_forKey_("value1", "key1"); // 对应的oc语法:
// dictionary.setObject_forKey_("value2", "key2"); // 对应的oc语法:
// args = dictionary; // 修改入参为字典
// 字节
var data = ObjC.classes.NSMutableData.data(); // 对应的oc语法:NSMutableData *data = ;
var str = ObjC.classes.NSString.stringWithString_("hi wit!")// 获取一个字符串。 对应的oc语法:NSString *str = ;
var subData = str.dataUsingEncoding_(4);// 将str转换为data,编码为utf-8。对应的oc语法:NSData *subData = ;
data.appendData_(subData);// 将subData添加到data。对应的oc语法:;
args = data; // 修改入参字段
// 更多数据类型:https://developer.apple.com/documentation/foundation
},
onLeave(log, retval, state) {
}
}8、修改方法的返回值
frida-trace -UF -m "-"
js代码如下:
{
onEnter(log, args, state) {
},
onLeave(log, retval, state) {
// 字符串
var str = ObjC.classes.NSString.stringWithString_("hi wit!")// 对应的oc语法:NSString *str = ;
retval.replace(str)// 修改返回值
var after = new ObjC.Object(retval); // 打印出来是个指针时,请用该方式转换后再打印
log(`before:=${retval}=`);
log(`after:=${after}=`);
}
}9、打印字符串、数组、字典
frida-trace -UF -m "-"
js代码如下:
{
onEnter(log, args, state) {
var self = new ObjC.Object(args);// 当前对象
var method = args.readUtf8String();// 当前方法名
log(`[${self.$className} ${method}]`);
var before = args;
// 注意,日志输出请直接使用log函数。不要使用console.log()
var after = new ObjC.Object(args); // 打印出来是个指针时,请用该方式转换后再打印
log(`before:=${before}=`);
log(`after:=${after}=`);
},
onLeave(log, retval, state) {
}
}10、打印NSData
frida-trace -UF -m "-"'代码解读运行运行js代码如下:
{
onEnter(log, args, state) {
var self = new ObjC.Object(args);// 当前对象
var method = args.readUtf8String();// 当前方法名
log(`[${self.$className} ${method}]`);
var before = args;
// 注意,日志输出请直接使用log函数。不要使用console.log()
var after = new ObjC.Object(args); // 打印NSData
var outValue = after.bytes().readUtf8String(after.length()) // 将data转换为string
log(`before:=${before}=`);
log(`after:=${outValue}=`);
},
onLeave(log, retval, state) {
}
}11、打印对象的所有属性和方法
frida-trace -UF -m "-"
js代码如下:
{
onEnter(log, args, state) {
var self = new ObjC.Object(args);// 当前对象
var method = args.readUtf8String();// 当前方法名
log(`[${self.$className} ${method}]`);
var customObj = new ObjC.Object(args); // 自定义对象
// 打印该对象所有属性
var ivarList = customObj.$ivars;
for (key in ivarList) {
log(`key${key}=${ivarList}=`);
}
// 打印该对象所有方法
var methodList = customObj.$methods;
for (var i=0; i<methodList.length; i++) {
log(`method=${methodList}=`);
}
},
onLeave(log, retval, state) {
}
}12、打印调用栈
frida-trace -UF -m "+"
js代码如下:
{
onEnter(log, args, state) {
var url = new ObjC.Object(args);
log(`+`);
log('NSURL URLWithString: called from:\n' +
Thread.backtrace(this.context, Backtracer.ACCURATE)
.map(DebugSymbol.fromAddress).join('\n') + '\n');
},
onLeave(log, retval, state) {
}
}13、日志输出到文件
frida-trace -UF -m "+" -o run.log'代码解读运行运行
14、更多数据类型
/**
* Converts to a signed 32-bit integer.
*/
toInt32(): number;
/**
* Converts to an unsigned 32-bit integer.
*/
toUInt32(): number;
/**
* Converts to a “0x”-prefixed hexadecimal string, unless a `radix`
* is specified.
*/
toString(radix?: number): string;
/**
* Converts to a JSON-serializable value. Same as `toString()`.
*/
toJSON(): string;
/**
* Returns a string containing a `Memory#scan()`-compatible match pattern for this pointer’s raw value.
*/
toMatchPattern(): string;
readPointer(): NativePointer;
readS8(): number;
readU8(): number;
readS16(): number;
readU16(): number;
readS32(): number;
readU32(): number;
readS64(): Int64;
readU64(): UInt64;
readShort(): number;
readUShort(): number;
readInt(): number;
readUInt(): number;
readLong(): number | Int64;
readULong(): number | UInt64;
readFloat(): number;
readDouble(): number;
readByteArray(length: number): ArrayBuffer | null;
readCString(size?: number): string | null;
readUtf8String(size?: number): string | null;
readUtf16String(length?: number): string | null;
页:
[1]