我爱代码 - Professional Game Security and Reverse Engineering Forum

frida-trace command cheat sheet

Posted by Administrator, 3 days ago

1. spawn - cold start (frida-trace launches the app itself)
frida-trace -U -f com.apple.ExampleCode -m "+[NSURL URLWithString:]"

2. attach - hot start (attach to the frontmost app)
frida-trace -UF -m "+[NSURL URLWithString:]"

3. Hook a class method
frida-trace -UF -m "+[NSURL URLWithString:]"

4. Hook an instance method
frida-trace -UF -m "-[NSURL host]"

5. Hook all methods of a class
frida-trace -UF -m "*[NSURL *]"

6. Fuzzy-hook all methods of every class whose name matches a wildcard
frida-trace -UF -m "*[*service* *]"

7. Fuzzy-hook a specific method across all classes
frida-trace -UF -m "*[* *sign*]"

8. Fuzzy-hook a specific method across all classes, ignoring the case of one character
Suppose we want to hook every method, in any class, whose name contains getSign or getsign. Matching is case-sensitive, but `?` matches exactly one character, so a single pattern covers both spellings:
frida-trace -UF -m "*[* *get?ign*]"

9. Fuzzy-hook a class's methods but exclude the viewDidLoad method (-M removes matches from the -m selection)
frida-trace -UF -m "*[DetailViewController *]" -M "-[DetailViewController viewDidLoad]"
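Before tracing, it is worth checking which selectors a pattern will actually catch: `*` matches any run of characters, `?` exactly one, and matching is case-sensitive. The following is an added example, not code from the original post: a small re-implementation of that glob matching (an assumption about frida-trace's semantics, written to preview -m/-M patterns offline against a constructed list of method names; it is not frida-trace's own matcher).

```javascript
// Added example, not part of the original post. Re-implements fnmatch-style glob matching
// ('*' = any run of characters, '?' = exactly one character, case-sensitive) so that a set of
// frida-trace -m (include) and -M (exclude) patterns can be previewed offline. Assumption: this
// mirrors frida-trace's semantics; it is not frida-trace's own matcher.

function globToRegExp(pattern) {
  let re = '';
  for (const ch of pattern) {
    if (ch === '*') {
      re += '.*';
    } else if (ch === '?') {
      re += '.';
    } else {
      // Escape regex metacharacters such as '[' and ']', which are literal in ObjC selectors
      re += ch.replace(/[.+^${}()|[\]\\\-]/g, '\\$&');
    }
  }
  return new RegExp('^' + re + '$');
}

// Returns the candidate method names selected by the include patterns and not removed by the
// exclude patterns, in candidate order.
function selectMethods(includes, excludes, candidates) {
  const inc = includes.map(globToRegExp);
  const exc = excludes.map(globToRegExp);
  return candidates.filter(
    (name) => inc.some((r) => r.test(name)) && !exc.some((r) => r.test(name))
  );
}

// Constructed list standing in for the methods frida-trace would enumerate on a real device.
const SAMPLE_METHODS = [
  '+[NSURL URLWithString:]',
  '-[NSURL host]',
  '-[NSURL scheme]',
  '-[DetailViewController viewDidLoad]',
  '-[DetailViewController setObj:]',
  '-[SignHelper getSign]',
  '-[SignHelper getSign:]',
  '-[SignHelper getsignForPath:]',
  '-[SignHelper design]',
  '-[LoginService requestToken]',
];

// Preview a few of the patterns used in this post.
for (const [inc, exc] of [
  [['*[NSURL *]'], []],
  [['*[* *sign*]'], []],                 // case-sensitive: misses getSign, catches design
  [['*[* get?ign]'], []],                // exact selector only: misses getSign: (has an argument)
  [['*[* *get?ign*]'], []],              // contains-match: getSign, getSign: and getsignForPath:
  [['*[DetailViewController *]'], ['-[DetailViewController viewDidLoad]']],
]) {
  console.log(`-m ${inc.join(' -m ')}${exc.length ? ' -M ' + exc.join(' -M ') : ''}`);
  console.log('  ' + selectMethods(inc, exc, SAMPLE_METHODS).join('\n  '));
}
```

The `*sign*` run shows the case-sensitivity trap: `getSign` is skipped while the unrelated `design` is traced, which is why the `?` wildcard in item 8 is needed.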

10. Hook a dynamic library (traces every function exported by the matching modules)
frida-trace -UF -I "libcommonCrypto*"

11. Hook the URL of GET or POST requests
frida-trace -UF -m "+[NSURL URLWithString:]"
JS handler:

{
  onEnter(log, args, state) {
    // args[0] = the receiver (here the NSURL class), args[1] = selector, args[2] = the NSString argument
    var urlString = new ObjC.Object(args[2]);
    log(`+[NSURL URLWithString:${urlString}]`);
  },
  onLeave(log, retval, state) {
  }
}

12. Hook the body of a POST request
frida-trace -UF -m "-[NSMutableURLRequest setHTTPBody:]"
JS handler:

{
  onEnter(log, args, state) {
    if (args[2].isNull()) {  // setHTTPBody:nil clears the body
      log('-[NSMutableURLRequest setHTTPBody:nil]');
      return;
    }
    var body = new ObjC.Object(args[2]);  // NSData
    // Render the body as UTF-8; a binary body (e.g. protobuf) will not print cleanly this way
    log(`-[NSMutableURLRequest setHTTPBody:${body.bytes().readUtf8String(body.length())}]`);
  },
  onLeave(log, retval, state) {
  }
}
1. Hook the view controller that is about to be shown
frida-trace -UF -m "-[UINavigationController pushViewController:animated:]" -m "-[UIViewController presentViewController:animated:completion:]"

JS handler for the pushViewController:animated: method

{
  onEnter(log, args, state) {
    var controller = new ObjC.Object(args[2]);
    // args[3] is the BOOL animated flag
    log(`-[UINavigationController pushViewController:${controller.$className} animated:${args[3].toInt32()}]`);
  },
  onLeave(log, retval, state) {
  }
}

JS handler for the presentViewController:animated:completion: method

{
  onEnter(log, args, state) {
    var controller = new ObjC.Object(args[2]);
    // args[3] is the BOOL animated flag, args[4] the completion block pointer (NULL when none is passed)
    log(`-[UIViewController presentViewController:${controller.$className} animated:${args[3].toInt32()} completion:${args[4]}]`);
  },
  onLeave(log, retval, state) {
  }
}
2. Hook the MD5 function
frida-trace -UF -i "CC_MD5"

JS handler:

{
  onEnter(log, args, state) {
    // CC_MD5(const void *data, CC_LONG len, unsigned char *md)
    this.data = args[0];              // input buffer
    this.len = args[1].toInt32();     // input length in bytes (the input is not NUL-terminated)
    this.md = args[2];                // 16-byte output buffer, filled when the call returns
  },
  onLeave(log, retval, state) {
    var digest = new Uint8Array(this.md.readByteArray(16));
    var hex = "";
    for (var i = 0; i < digest.length; i++) {
      hex += ("0" + digest[i].toString(16)).slice(-2);  // zero-pad each byte to two hex digits
    }
    var input;
    try {
      input = this.data.readUtf8String(this.len);
    } catch (e) {
      // Binary input is not valid UTF-8; fall back to a hex dump
      input = hexdump(this.data, { length: this.len, header: false, ansi: false });
    }
    log(`CC_MD5(${input})`);      // input
    log(`CC_MD5()=${hex}=`);      // digest
  }
}
3. Hook the Base64 encoding method
frida-trace -UF -m "-[NSData base64EncodedStringWithOptions:]"
JS handler:

{
  onEnter(log, args, state) {
    this.self = args[0];  // the NSData being encoded
  },
  onLeave(log, retval, state) {
    // 4 = NSUTF8StringEncoding; the result is nil if the data is not valid UTF-8
    var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.self, 4);
    var after = new ObjC.Object(retval);
    log(`-[NSData base64EncodedStringWithOptions:]before=${before}=`);
    log(`-[NSData base64EncodedStringWithOptions:]after=${after}=`);
  }
}
4. Hook the Base64 decoding methods
frida-trace -UF -m "-[NSData initWithBase64EncodedData:options:]" -m "-[NSData initWithBase64EncodedString:options:]"

JS handler for the initWithBase64EncodedData:options: method

{
  onEnter(log, args, state) {
    this.arg2 = args[2];  // the Base64 text, as NSData
  },
  onLeave(log, retval, state) {
    // 4 = NSUTF8StringEncoding; either string is nil if the bytes are not valid UTF-8
    var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.arg2, 4);
    var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
    log(`-[NSData initWithBase64EncodedData:]before=${before}=`);
    log(`-[NSData initWithBase64EncodedData:]after=${after}=`);
  }
}

JS handler for the initWithBase64EncodedString:options: method

{
  onEnter(log, args, state) {
    this.arg2 = args[2];  // the Base64 text, as NSString
  },
  onLeave(log, retval, state) {
    var before = new ObjC.Object(this.arg2);
    var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);  // 4 = NSUTF8StringEncoding
    log(`-[NSData initWithBase64EncodedString:]before=${before}=`);
    log(`-[NSData initWithBase64EncodedString:]after=${after}=`);
  }
}
5. Hook the symmetric encryption function used for AES, DES and 3DES
frida-trace -UF -i CCCrypt

JS handler:

{
  onEnter: function(log, args, state) {
    // CCCryptorStatus CCCrypt(CCOperation op, CCAlgorithm alg, CCOptions options,
    //   const void *key, size_t keyLength, const void *iv,
    //   const void *dataIn, size_t dataInLength,
    //   void *dataOut, size_t dataOutAvailable, size_t *dataOutMoved)
    this.op = args[0].toInt32()
    this.alg = args[1].toInt32()
    this.options = args[2].toInt32()
    this.key = args[3]
    this.keyLength = args[4].toInt32()
    this.iv = args[5]
    this.dataIn = args[6]
    this.dataInLength = args[7].toInt32()
    this.dataOut = args[8]
    this.dataOutAvailable = args[9].toInt32()
    this.dataOutMoved = args[10]
    // The IV is one cipher block long: 16 bytes for AES, 8 for DES/3DES (not keyLength bytes)
    this.ivLength = (this.alg === 0) ? 16 : 8

    log('CCCrypt(' +
      'op: ' + this.op + ' [0:encrypt, 1:decrypt], ' +
      'alg: ' + this.alg + ' [0:AES128, 1:DES, 2:3DES], ' +
      'options: ' + this.options + ' [bit 0x1:PKCS7 padding, bit 0x2:ECB mode; neither bit set = CBC], ' +
      'key: ' + this.key + ', ' +
      'keyLength: ' + this.keyLength + ', ' +
      'iv: ' + this.iv + ', ' +
      'dataIn: ' + this.dataIn + ', ' +
      'dataInLength: ' + this.dataInLength + ', ' +
      'dataOut: ' + this.dataOut + ', ' +
      'dataOutAvailable: ' + this.dataOutAvailable + ', ' +
      'dataOutMoved: ' + this.dataOutMoved + ')')

    log("key:")
    log(hexdump(this.key, { length: this.keyLength, header: true, ansi: true }))
    if (!this.iv.isNull()) {  // iv is NULL in ECB mode (and CommonCrypto uses all zeroes for CBC without an iv)
      log("iv:")
      log(hexdump(this.iv, { length: this.ivLength, header: true, ansi: true }))
    }
    log("dataIn:")  // plaintext when encrypting, ciphertext when decrypting
    log(hexdump(this.dataIn, { length: this.dataInLength, header: true, ansi: true }))
  },
  onLeave: function(log, retval, state) {
    // retval is a CCCryptorStatus; 0 = kCCSuccess. Only then does dataOutMoved hold a valid length.
    if (retval.toInt32() === 0) {
      log("dataOut:")  // ciphertext when encrypting, plaintext when decrypting
      log(hexdump(this.dataOut, { length: this.dataOutMoved.readU32(), header: true, ansi: true }))
    } else {
      log("CCCrypt failed with status " + retval.toInt32())
    }
    log("CCCrypt did finish")
  }
}
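The CCCrypt parameters above arrive as raw integers. The following added example (not code from the original post) decodes them using CommonCrypto's public constant values and flags the combinations a reviewer wants to see at a glance: deprecated ciphers, ECB mode, key lengths the algorithm does not accept, and a NULL IV in CBC mode. It takes plain numbers, so it runs on the constructed values below and can also be called from the handler after converting args[0] to args[4] with toInt32(); the key-size table and the warning wording are this example's own.

```javascript
// Added example, not part of the original post. Decodes the integer parameters of a CCCrypt()
// call using CommonCrypto's public constants (kCCEncrypt = 0, kCCDecrypt = 1; kCCAlgorithmAES128 = 0,
// DES = 1, 3DES = 2, CAST = 3, RC4 = 4, RC2 = 5, Blowfish = 6; kCCOptionPKCS7Padding = 1,
// kCCOptionECBMode = 2) and flags parameter choices worth a second look. The key-size table and
// warning wording are this example's own. Inside a frida-trace handler, call it as
// describeCCCrypt(args[0].toInt32(), args[1].toInt32(), args[2].toInt32(), args[4].toInt32(), args[5].isNull()).

const CC_ALGORITHMS = {
  0: { name: 'AES',      blockSize: 16, keySizes: [16, 24, 32] },
  1: { name: 'DES',      blockSize: 8,  keySizes: [8] },
  2: { name: '3DES',     blockSize: 8,  keySizes: [24] },
  3: { name: 'CAST',     blockSize: 8,  keySizes: null },  // variable key size (5..16 bytes)
  4: { name: 'RC4',      blockSize: 0,  keySizes: null },  // stream cipher: no block, no IV
  5: { name: 'RC2',      blockSize: 8,  keySizes: null },  // variable key size (1..128 bytes)
  6: { name: 'Blowfish', blockSize: 8,  keySizes: null },  // variable key size (8..56 bytes)
};
const CC_OPTION_PKCS7_PADDING = 0x1;
const CC_OPTION_ECB_MODE = 0x2;
const DEPRECATED_ALGORITHMS = new Set(['DES', 'RC4', 'RC2']);

function describeCCCrypt(op, alg, options, keyLength, ivIsNull) {
  const info = CC_ALGORITHMS[alg];
  const algorithm = info ? info.name : `unknown(${alg})`;
  const padding = (options & CC_OPTION_PKCS7_PADDING) !== 0;
  const ecb = (options & CC_OPTION_ECB_MODE) !== 0;
  const mode = !info ? 'unknown' : info.blockSize === 0 ? 'stream' : ecb ? 'ECB' : 'CBC';
  const warnings = [];
  if (DEPRECATED_ALGORITHMS.has(algorithm)) warnings.push(`${algorithm} is deprecated`);
  if (mode === 'ECB') warnings.push('ECB mode leaks plaintext block patterns');
  if (info && info.keySizes && !info.keySizes.includes(keyLength)) {
    warnings.push(`key length ${keyLength} is invalid for ${algorithm}`);
  }
  // CommonCrypto substitutes an all-zero IV when CBC is used with a NULL iv pointer
  if (mode === 'CBC' && ivIsNull) warnings.push('NULL IV in CBC mode means an all-zero IV');
  return {
    operation: op === 0 ? 'encrypt' : op === 1 ? 'decrypt' : `unknown(${op})`,
    algorithm,
    mode,
    padding: padding ? 'PKCS7' : 'none',
    keyLength,
    ivLength: info ? info.blockSize : 0,  // the IV is one block long, not keyLength bytes
    warnings,
  };
}

// One-line rendering suitable for a handler's log() call.
function formatCCCrypt(desc) {
  const head = `CCCrypt ${desc.operation} ${desc.algorithm}/${desc.mode} padding=${desc.padding} keyLength=${desc.keyLength} ivLength=${desc.ivLength}`;
  return desc.warnings.length ? `${head} WARN: ${desc.warnings.join('; ')}` : head;
}

// Constructed parameter sets: AES-128-CBC with padding, AES-256-ECB, DES-CBC with a NULL IV.
for (const params of [[0, 0, 1, 16, false], [1, 0, 3, 32, true], [0, 1, 1, 8, true]]) {
  console.log(formatCCCrypt(describeCCCrypt(...params)));
}
```

Using the block size rather than the key length for the IV dump matters as soon as an app uses AES-256: the key is 32 bytes but the IV is still 16, and dumping 32 bytes at the iv pointer reads past the buffer.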
6. Hook the RSA encryption functions
RSA encryption has two forms: public-key encryption (SecKeyEncrypt) and private-key encryption, which is the raw signing operation (SecKeyRawSign).
frida-trace -UF -i "SecKeyEncrypt" -i "SecKeyRawSign"

JS handler for SecKeyEncrypt (public-key encryption):

{
  onEnter(log, args, state) {
    // SecKeyEncrypt(SecKeyRef key, SecPadding padding, const uint8_t *plainText,
    //   size_t plainTextLen, uint8_t *cipherText, size_t *cipherTextLen)
    // The same message may pass through this function several times, so the call stack is
    // printed as well; its frames show which higher-level function drove the call.
    log(`SecKeyEncrypt()=${args[2].readUtf8String(args[3].toInt32())}=`);
    log('SecKeyEncrypt called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
  },
  onLeave(log, retval, state) {
  }
}

JS handler for SecKeyRawSign (private-key encryption, i.e. signing):

{
  onEnter(log, args, state) {
    // SecKeyRawSign(SecKeyRef key, SecPadding padding, const uint8_t *dataToSign,
    //   size_t dataToSignLen, uint8_t *sig, size_t *sigLen)
    // The data signed is usually a binary digest, so dump it as hex rather than as a string
    log('SecKeyRawSign()=\n' + hexdump(args[2], { length: args[3].toInt32(), header: false, ansi: false }));
    log('SecKeyRawSign called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
  },
  onLeave(log, retval, state) {
  }
}
7. Modify a method's input argument
frida-trace -UF -m "-[DetailViewController setObj:]"

JS handler:
{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // the receiver
    var method = args[1].readUtf8String();  // the selector name
    log(`[${self.$className} ${method}]`);

    // String
    // var str = ObjC.classes.NSString.stringWithString_("hi with!");  // ObjC equivalent: NSString *str = [NSString stringWithString:@"hi with!"];
    // args[2] = str;  // replace the argument with the string

    // Array
    // var array = ObjC.classes.NSMutableArray.array();  // ObjC equivalent: NSMutableArray *array = [NSMutableArray array];
    // array.addObject_("item1");  // ObjC equivalent: [array addObject:@"item1"];
    // array.addObject_("item2");  // ObjC equivalent: [array addObject:@"item2"];
    // args[2] = array;  // replace the argument with the array

    // Dictionary
    // var dictionary = ObjC.classes.NSMutableDictionary.dictionary();  // ObjC equivalent: NSMutableDictionary *dictionary = [NSMutableDictionary dictionary];
    // dictionary.setObject_forKey_("value1", "key1");  // ObjC equivalent: [dictionary setObject:@"value1" forKey:@"key1"];
    // dictionary.setObject_forKey_("value2", "key2");  // ObjC equivalent: [dictionary setObject:@"value2" forKey:@"key2"];
    // args[2] = dictionary;  // replace the argument with the dictionary

    // Bytes
    var data = ObjC.classes.NSMutableData.data();  // ObjC equivalent: NSMutableData *data = [NSMutableData data];
    var str = ObjC.classes.NSString.stringWithString_("hi with!");  // ObjC equivalent: NSString *str = [NSString stringWithString:@"hi with!"];
    var subData = str.dataUsingEncoding_(4);  // convert str to NSData as UTF-8 (4 = NSUTF8StringEncoding). ObjC equivalent: NSData *subData = [str dataUsingEncoding:NSUTF8StringEncoding];
    data.appendData_(subData);  // ObjC equivalent: [data appendData:subData];
    args[2] = data;  // replace the argument with the NSData

    // More data types: https://developer.apple.com/documentation/foundation
  },

  onLeave(log, retval, state) {
  }
}
8. Modify a method's return value
frida-trace -UF -m "-[DetailViewController Obj]"

JS handler:
{
  onEnter(log, args, state) {
  },
  onLeave(log, retval, state) {
    // Capture the original object before replacing it; a nil return has no object to wrap
    var before = retval.isNull() ? "nil" : new ObjC.Object(retval);
    // String
    var str = ObjC.classes.NSString.stringWithString_("hi with!");  // ObjC equivalent: NSString *str = [NSString stringWithString:@"hi with!"];
    retval.replace(str);  // replace the return value
    var after = new ObjC.Object(retval);  // when a value prints as a raw pointer, wrap it like this before printing
    log(`before:=${before}=`);
    log(`after:=${after}=`);
  }
}
9. Print strings, arrays and dictionaries
frida-trace -UF -m "-[DetailViewController setObj:]"

JS handler:
{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // the receiver
    var method = args[1].readUtf8String();  // the selector name
    log(`[${self.$className} ${method}]`);

    var before = args[2];  // the raw pointer
    // Note: write log output with the log function passed to the handler, not console.log()
    var after = new ObjC.Object(args[2]);  // when a value prints as a raw pointer, wrap it like this before printing
    log(`before:=${before}=`);
    log(`after:=${after}=`);
  },
  onLeave(log, retval, state) {
  }
}
10. Print NSData
frida-trace -UF -m "-[DetailViewController setObj:]"

JS handler:
{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // the receiver
    var method = args[1].readUtf8String();  // the selector name
    log(`[${self.$className} ${method}]`);

    var before = args[2];  // the raw pointer

    // Note: write log output with the log function passed to the handler, not console.log()
    var after = new ObjC.Object(args[2]);  // the NSData
    var outValue = after.bytes().readUtf8String(after.length());  // convert the data to a string (only meaningful if it is UTF-8 text)
    log(`before:=${before}=`);
    log(`after:=${outValue}=`);
  },
  onLeave(log, retval, state) {
  }
}
11. Print all instance variables and methods of an object
frida-trace -UF -m "-[DetailViewController setObj:]"

JS handler:
{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // the receiver
    var method = args[1].readUtf8String();  // the selector name
    log(`[${self.$className} ${method}]`);

    var customObj = new ObjC.Object(args[2]);  // a custom object
    // Print every instance variable of the object (name -> value)
    var ivarList = customObj.$ivars;
    for (var key in ivarList) {
      log(`key${key}=${ivarList[key]}=`);
    }

    // Print every method of the object
    var methodList = customObj.$methods;
    for (var i = 0; i < methodList.length; i++) {
      log(`method=${methodList[i]}=`);
    }
  },
  onLeave(log, retval, state) {
  }
}
12. Print the call stack
frida-trace -UF -m "+[NSURL URLWithString:]"

JS handler:
{
  onEnter(log, args, state) {
    var url = new ObjC.Object(args[2]);
    log(`+[NSURL URLWithString:${url}]`);
    log('NSURL URLWithString: called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
  },
  onLeave(log, retval, state) {
  }
}
13. Write the log output to a file
frida-trace -UF -m "+[NSURL URLWithString:]" -o run.log
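Once the output goes to a file, the handlers' log lines can be post-processed offline. The following added example (not code from the original post) parses a trace log in the `<ms> ms  <message>` layout that frida-trace writes, extracts the URLs and the MD5 inputs and digests printed by the handlers in this post, and lists the cleartext http:// URLs among them; the log text is constructed for the example.

```javascript
// Added example, not part of the original post. Parses a frida-trace log saved with -o,
// keeping only the timestamped handler lines (`<ms> ms  <message>`), and pulls out what the
// NSURL and CC_MD5 handlers in this post print. SAMPLE_LOG is constructed for this example.

const TRACE_LINE = /^\s*(\d+) ms\s+(.*)$/;
const URL_LINE = /^\+\[NSURL URLWithString:(.*)\]$/;
const MD5_DIGEST_LINE = /^CC_MD5\(\)=([0-9a-f]{32})=$/;
const MD5_INPUT_LINE = /^CC_MD5\((.*)\)$/;

function parseTraceLog(text) {
  const summary = { urls: [], cleartextUrls: [], md5Inputs: [], md5Digests: [], other: 0 };
  for (const raw of text.split('\n')) {
    const line = TRACE_LINE.exec(raw);
    if (line === null) continue;  // banner, "Loaded handler" and TID marker lines
    const msg = line[2];
    let hit;
    if ((hit = URL_LINE.exec(msg)) !== null) {
      summary.urls.push(hit[1]);
      if (/^http:\/\//i.test(hit[1])) summary.cleartextUrls.push(hit[1]);  // unencrypted transport
    } else if ((hit = MD5_DIGEST_LINE.exec(msg)) !== null) {
      summary.md5Digests.push(hit[1]);
    } else if ((hit = MD5_INPUT_LINE.exec(msg)) !== null) {
      summary.md5Inputs.push(hit[1]);
    } else {
      summary.other += 1;  // messages from other handlers, e.g. setHTTPBody:
    }
  }
  return summary;
}

// Distinct hosts contacted, in first-seen order.
function uniqueHosts(urls) {
  const hosts = [];
  for (const u of urls) {
    const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]+)/i.exec(u);
    if (m !== null && !hosts.includes(m[1])) hosts.push(m[1]);
  }
  return hosts;
}

// Constructed log in frida-trace's output layout; the messages are those the handlers above print.
const SAMPLE_LOG = [
  'Instrumenting...',
  '+[NSURL URLWithString:]: Loaded handler at "/tmp/__handlers__/NSURL/URLWithString_.js"',
  'Started tracing 3 functions. Press Ctrl+C to stop.',
  '           /* TID 0x303 */',
  '  1203 ms  +[NSURL URLWithString:https://api.example.com/v1/login]',
  '  1204 ms  -[NSMutableURLRequest setHTTPBody:{"user":"alice"}]',
  '  1210 ms  CC_MD5(alice|1700000000|s3cr3t)',
  '  1210 ms  CC_MD5()=0123456789abcdef0123456789abcdef=',
  '  2450 ms  +[NSURL URLWithString:http://cdn.example.net/banner.png]',
  '  2451 ms  +[NSURL URLWithString:https://api.example.com/v1/profile?id=42]',
].join('\n');

const traceReport = parseTraceLog(SAMPLE_LOG);
console.log(JSON.stringify(traceReport, null, 2));
console.log('hosts:', uniqueHosts(traceReport.urls).join(', '));
```

Pairing the `CC_MD5(...)` input line with the digest line that follows it is what lets you recover how a request signature is assembled (which fields, in which order, with which separator) from a trace, so keep the two log statements in the MD5 handler adjacent.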
14. More data types (NativePointer conversion and read methods, from frida's TypeScript declarations)

/**
 * Converts to a signed 32-bit integer.
 */
toInt32(): number;

/**
 * Converts to an unsigned 32-bit integer.
 */
toUInt32(): number;

/**
 * Converts to a "0x"-prefixed hexadecimal string, unless a `radix`
 * is specified.
 */
toString(radix?: number): string;

/**
 * Converts to a JSON-serializable value. Same as `toString()`.
 */
toJSON(): string;

/**
 * Returns a string containing a `Memory#scan()`-compatible match pattern for this pointer's raw value.
 */
toMatchPattern(): string;

readPointer(): NativePointer;
readS8(): number;
readU8(): number;
readS16(): number;
readU16(): number;
readS32(): number;
readU32(): number;
readS64(): Int64;
readU64(): UInt64;
readShort(): number;
readUShort(): number;
readInt(): number;
readUInt(): number;
readLong(): number | Int64;
readULong(): number | UInt64;
readFloat(): number;
readDouble(): number;
readByteArray(length: number): ArrayBuffer | null;
readCString(size?: number): string | null;
readUtf8String(size?: number): string | null;
readUtf16String(length?: number): string | null;