我正在构建一个 frida js 脚本,该脚本读取一个包含指令的 json 对象,该对象指向在 android APK 的本机库中附加 frida 函数的位置。如果我对 libname 和函数名称进行硬编码,我可以在函数在应用程序内运行时成功附加到该函数,但由于某种原因,我不知道为什么当我从 json 对象读取名称时,附件不会发生。假设我想附加到名为Java_sg_vantagepoint_uncrackable3_CodeCheck_barinside的函数libfoo.so。
成功运行的代码:
Interceptor.attach(Module.findExportByName("libfoo.so", "Java_sg_vantagepoint_uncrackable3_CodeCheck_bar"), {
onEnter: function(args){
console.log('libfoo.so::Java_sg_vantagepoint_uncrackable3_CodeCheck_bar')
// this is logged when the function runs in the APP
if(args){
for(var arg in args){
console.log('args[' + arg + ']:')
console.log('Java_sg_vantagepoint_uncrackable3_CodeCheck_bar::args[arg] ' + args[arg])}
}
},
onLeave: function(args){
console.log('Leaving Java_sg_vantagepoint_uncrackable3_CodeCheck_bar...')
}
}
)
不起作用的代码:
var params = {
"libs": ["libfoo.so"]
}
for(var lib in params.libs)
{
const currentLib = params.libs[lib]
Module.ensureInitialized(currentLib)
console.log('current lib: ' + currentLib)
var libExports = Module.load(currentLib).enumerateExports()
for(var i in libExports)
{
var currentLibExport = libExports[i]
if(currentLibExport.name.toLowerCase().includes('java'))
{
console.log('attaching to export: ' + currentLib + '::' + currentLibExport.name + ' at address: ' + currentLibExport.address)
Interceptor.attach(currentLibExport.address, {
onEnter: function(args){
console.log('onEnter ' + currentLib + '::' + currentLibExport.name)
if(args){
for(var arg in args){
console.log(currentLib + '::' + currentLibExport.name + '::args[arg] ' + args[arg])
}
} else
{
console.log('no args for ' + currentLib + '::' + currentLibExport.name)
}
},
onLeave: function(args){
console.log('onLeave ' + currentLib + '::' + currentLibExport.name )
}
}
)
}
}
}
这不仅不附加到命名的函数Java_sg_vantagepoint_uncrackable3_CodeCheck_bar,而且在运行时甚至更陌生,它记录了以下内容:
onEnter libfoo.so::main
onLeave libfoo.so::main
这对我来说毫无意义,因为我没有附加到该main功能