1

I have an android application into which I load a library and at some point I read a file. This is the code that is being used in the app.

    FILE *fp = fopen(file_name, "r");
    if (fp == NULL) {
        return res;
    }

Now I am attempting using Frida to hook that fopen in order to force it to return null but I do not seem to be able to find out how.

The library that is included in the application is called libnative-lib.so and my attempt in hooking fopen includes the following code for frida

    Module.enumerateExports("libnative-lib.so", {
        onMatch: function(e) {
            if (e.type == 'function') {
                if (e.name == "fopen") {
                    console.log("Function recognized by name");
                    Interceptor.attach(e.address, {
                        onEnter: function(args) {
                            console.log("Interceptor attached onEnter...");
                        },
                        onLeave: function(retval) {
                            console.log("Interceptor attached onLeave...");
                        }
                    });
                }
            }
        },
        onComplete: function() {}
    });
4

2 Answers

2

Instead of enumerating the exports of a specific library, you can try calling Module.findExportByName(null, "fopen") to get the address of fopen (the null argument tells frida to look through the exports of all of the loaded libraries) and use the Interceptor API the same way you did.
This should look somewhat like this:

Interceptor.attach(Module.findExportByName(null, "fopen"), {
    onEnter: function(args) {
        console.log("Interceptor attached onEnter...");
    },
    // onLeave receives the return value (a NativeReturnValue), not the arguments
    onLeave: function(retval) {
        console.log("Interceptor attached onLeave...");
    }
});

You haven't stated exactly how your code fails, but to make sure that the library you are talking about is actually loaded in the app, you can list all of the loaded modules:

Process.enumerateModules()
    .forEach(function(m) {
        // You can print just the name by using m.name or the entire system path with m.path
        console.log(JSON.stringify(m));
    });

Another way would be using Process.enumerateModules() to find the correct module and then calling enumerateExports on the Module object you got.
This will make sure you are searching for fopen in the correct module if the name of the module is not exactly libnative-lib.so:

Process.enumerateModules()
    .filter(function(m){ return m["path"].toLowerCase().indexOf("libnative") != -1 ; })
    .forEach(function(mod) {
        console.log(JSON.stringify(mod));
        mod.enumerateExports().forEach(function (exp) {
            if (exp.name.indexOf("fopen") != -1) {
                console.log("fopen found!");
            }
        })
    });

HTH; if this still doesn't solve your problem, post some additional information in your question.

answered 2019-06-15T21:26:34.050
0

fopen will invoke open.

I would suggest using a condition to assert that it opens your specific file, rather than replacing/overriding it outright.

Interceptor.attach(Module.findExportByName(null, "open"), {
  onEnter: function(args) {
    // args[0] is already a NativePointer to the C string pathname
    this.file_name = Memory.readCString(args[0]);
  },
  onLeave: function(retval) {
    if ("your file name" === this.file_name) // passed from onEnter
      // open() reports failure with -1 (0 would be a valid descriptor, stdin),
      // so -1 is what makes the calling fopen() return NULL
      retval.replace(-1);
  }
});

BTW, if you enable the flag --enable-jit you could filter with ECMAScript 6:

    Module.enumerateExports(moduleName).filter(ex => ex.name.includes('fopen')).forEach(ex => { /* ... */ })

answered 2019-06-16T12:11:48.613
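Putting the two answers together, here is an added example (not code from the question or from either answer) of a Frida script that makes fopen() fail for one chosen path only. It resolves fopen from the loaded modules as the first answer suggests (the questioner's enumeration of libnative-lib.so finds nothing because that library imports fopen from libc rather than exporting it), and it replaces the return value only on a path match as the second answer advises, using NULL because this hooks fopen rather than open. The callbacks are built by a plain function so the matching logic can be exercised outside Frida; TARGET_PATH and the package name in it are placeholders, and the Frida globals (Interceptor, Module) are assumed to exist only inside an instrumented process.

```javascript
// Added example: Frida hook on libc's fopen() that returns NULL for one path.
// Not part of the original question or answers. TARGET_PATH is a placeholder.

var TARGET_PATH = "/data/data/com.example.app/files/blocked.txt"; // placeholder

// Build the Interceptor callbacks. `log` is injectable so the logic can be
// driven outside Frida; `stats` records whether the hook fired at all, which
// is the first thing to check when a hook appears to do nothing.
function buildFopenHook(targetPath, log) {
  var stats = { seen: 0, blocked: 0 };
  return {
    stats: stats,
    onEnter: function (args) {
      // fopen(const char *path, const char *mode): args[0] and args[1] are
      // NativePointers to C strings.
      this.path = args[0].readUtf8String();
      this.mode = args[1].readUtf8String();
      // Compare the full path, not a substring, so "blocked.txt.bak" passes.
      this.block = this.path === targetPath;
      stats.seen += 1;
      log("fopen(" + JSON.stringify(this.path) + ", " + JSON.stringify(this.mode) + ")");
    },
    onLeave: function (retval) {
      if (this.block) {
        // fopen() signals failure with a NULL FILE*; NativeReturnValue.replace()
        // accepts a plain number, and 0 is the null pointer.
        retval.replace(0);
        stats.blocked += 1;
        log("  -> forced NULL for " + this.path);
      }
    }
  };
}

// Install the hook when running under Frida. findExportByName(null, ...)
// searches every loaded module, so it finds libc's fopen regardless of how
// the app library is named.
function installFopenHook(targetPath) {
  if (typeof Interceptor === "undefined") {
    return null; // not inside Frida (e.g. exercising the logic under Node)
  }
  var fopenAddr = Module.findExportByName(null, "fopen");
  if (fopenAddr === null) {
    throw new Error("fopen not found in any loaded module");
  }
  var hook = buildFopenHook(targetPath, function (msg) { console.log(msg); });
  Interceptor.attach(fopenAddr, { onEnter: hook.onEnter, onLeave: hook.onLeave });
  return hook;
}

installFopenHook(TARGET_PATH);
```

Loaded with `frida -U -f <package> -l script.js` (assumed invocation), every fopen() call is logged and only the exact TARGET_PATH is forced to NULL, so the app's `if (fp == NULL)` branch runs for that file and no other. Keeping the decision in onEnter and the replacement in onLeave mirrors the second answer's pattern; the difference is that a NULL return is correct here, whereas a hook on open() would have to return -1.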