jjzjj

Frida-trace常用命令

加载时间中..... 2023-03-28 原文

转载:https://blog.csdn.net/tslx1020/article/details/128250777

1、spawn - 冷启动

frida-trace -U -f com.apple.ExampleCode -m “+[NSURL URLWithString:]"

2、attach - 热启动

frida-trace -UF -m “+[NSURL URLWithString:]"

3、Hook类方法

 frida-trace -UF -m “+[NSURL URLWithString:]"

4、Hook实例方法

frida-trace -UF -m “-[NSURL host]"

5、Hook类的所有方法

frida-trace -UF -m “*[NSURL *]"

6、模糊Hook类的所有方法

frida-trace -UF -m “*[service *]"

7、模糊Hook所有类的特定方法

frida-trace -UF -m “[ sign]"

8、模糊Hook所有类的特定方法并忽略大小写

假设我们要hook所有类中包含getSign或getsign关键词的方法

frida-trace -UF -m “[ get?ign]"

9、模糊Hook所有类的特定方法并排除viewDidLoad方法

 frida-trace -UF -m “*[DetailViewController *]" -M “-[DetailViewController viewDidLoad]"

10、Hook某个动态库

frida-trace -UF -I “libcommonCrypto*"

11、Hook get或post的接口地址

frida-trace -UF -m "+[NSURL URLWithString:]"

js例子

{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[NSURL URLWithString:${args2}]`);
  },
  onLeave(log, retval, state) {
  }
}

12、Hook post的body

frida-trace -UF -m “-[NSMutableURLRequest setHTTPBody:]”

js例子

{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[NSMutableURLRequest setHTTPBody:${args2.bytes().readUtf8String(args2.length())}]`);
  },
  onLeave(log, retval, state) {
  }
}

13、Hook即将显示页面

frida-trace -UF -m “-[UINavigationController pushViewController:animated:]” -m “-[UIViewController presentViewController:animated:completion:]”


pushViewController:animated:方法的js代码如下:
{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[UINavigationController pushViewController:${args2.$className} animated:${args[3]}]`);
  },
  onLeave(log, retval, state) {
  }
}

presentViewController:animated:completion:
{
  onEnter(log, args, state) {
    var args2 = new ObjC.Object(args[2]);
    log(`-[UIViewController presentViewController:${args2.$className} animated:${args[3]} completion:${args[4]}]`);
  },
  onLeave(log, retval, state) {
  }
}

14、Hook 通用加密算法

Md5
 frida-trace -UF -i “CC_MD5”
 
 
 #js
 {
  onEnter(log, args, state) {
    this.args0 = args[0];	// 入参
    this.args2 = args[2];	// 返回值指针
  },
  onLeave(log, retval, state) {
    var ByteArray = Memory.readByteArray(this.args2, 16);
    var uint8Array = new Uint8Array(ByteArray);

    var str = "";
    for(var i = 0; i < uint8Array.length; i++) {
        var hextemp = (uint8Array[i].toString(16))
        if(hextemp.length == 1){
            hextemp = "0" + hextemp
        }
        str += hextemp;
    }
    log(`CC_MD5(${this.args0.readUtf8String()})`);   	// 入参
    log(`CC_MD5()=${str}=`);	// 返回值
  }
}
Base64编码方法
frida-trace -UF -m “-[NSData base64EncodedStringWithOptions:]”

#js
{
  onEnter(log, args, state) {
    this.self = args[0];
  },
  onLeave(log, retval, state) {
    var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.self, 4);
    var after = new ObjC.Object(retval);
    log(`-[NSData base64EncodedStringWithOptions:]before=${before}=`);
    log(`-[NSData base64EncodedStringWithOptions:]after=${after}=`);
  }
}
Base64解码
frida-trace -UF -m “-[NSData initWithBase64EncodedData:options:]” -m “-[NSData initWithBase64EncodedString:options:]”

initWithBase64EncodedData:options:方法对应的js代码如下:
{
  onEnter(log, args, state) {
    this.arg2 = args[2];
  },
  onLeave(log, retval, state) {
    var before = ObjC.classes.NSString.alloc().initWithData_encoding_(this.arg2, 4);
    var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
    log(`-[NSData initWithBase64EncodedData:]before=${before}=`);
    log(`-[NSData initWithBase64EncodedData:]after=${after}=`);
  }
}


initWithBase64EncodedString:options:方法对应的js代码如下:
{
  onEnter(log, args, state) {
    this.arg2 = args[2];
  },
  onLeave(log, retval, state) {
    var before = new ObjC.Object(this.arg2);
    var after = ObjC.classes.NSString.alloc().initWithData_encoding_(retval, 4);
    log(`-[NSData initWithBase64EncodedString:]before=${before}=`);
    log(`-[NSData initWithBase64EncodedString:]after=${after}=`);
  }
}
加密函数AES、DES、3DES
frida-trace -UF -i CCCrypt

#js
{
	onEnter: function(log, args, state) {
		this.op = args[0]
		this.alg = args[1]
		this.options = args[2]
		this.key = args[3]
		this.keyLength = args[4]
		this.iv = args[5]
		this.dataIn = args[6]
		this.dataInLength = args[7]
		this.dataOut = args[8]
		this.dataOutAvailable = args[9]
		this.dataOutMoved = args[10]

		log('CCCrypt(' +
			'op: ' + this.op + '[0:加密,1:解密]' + ', ' +
			'alg: ' + this.alg + '[0:AES128,1:DES,2:3DES]' + ', ' +
			'options: ' + this.options + '[1:ECB,2:CBC,3:CFB]' + ', ' +
			'key: ' + this.key + ', ' +
			'keyLength: ' + this.keyLength + ', ' +
			'iv: ' + this.iv + ', ' +
			'dataIn: ' + this.dataIn + ', ' +
			'inLength: ' + this.inLength + ', ' +
			'dataOut: ' + this.dataOut + ', ' +
			'dataOutAvailable: ' + this.dataOutAvailable + ', ' +
			'dataOutMoved: ' + this.dataOutMoved + ')')

		if (this.op == 0) {
			log("dataIn:")
			log(hexdump(ptr(this.dataIn), {
				length: this.dataInLength.toInt32(),
				header: true,
				ansi: true
			}))
			log("key: ")
			log(hexdump(ptr(this.key), {
				length: this.keyLength.toInt32(),
				header: true,
				ansi: true
			}))
			log("iv: ")
			log(hexdump(ptr(this.iv), {
				length: this.keyLength.toInt32(),
				header: true,
				ansi: true
			}))
		}
	},
	onLeave: function(log, retval, state) {
		if (this.op == 1) {
			log("dataOut:")
			log(hexdump(ptr(this.dataOut), {
				length: Memory.readUInt(this.dataOutMoved),
				header: true,
				ansi: true
			}))
			log("key: ")
			log(hexdump(ptr(this.key), {
				length: this.keyLength.toInt32(),
				header: true,
				ansi: true
			}))
			log("iv: ")
			log(hexdump(ptr(this.iv), {
				length: this.keyLength.toInt32(),
				header: true,
				ansi: true
			}))
		} else {
			log("dataOut:")
			log(hexdump(ptr(this.dataOut), {
				length: Memory.readUInt(this.dataOutMoved),
				header: true,
				ansi: true
			}))
		}
		log("CCCrypt did finish")
	}
}
RSA
frida-trace -UF -i “SecKeyEncrypt” -i “SecKeyRawSign”

SecKeyEncrypt公钥加密函数对应的js代码如下:
{
  onEnter(log, args, state) {
    // 由于同一条加密信息可能会多次调用该函数,故在这输出该函数的调用栈。可根据栈信息去分析上层函数
    log(`SecKeyEncrypt()=${args[2].readCString()}=`);
    log('SecKeyEncrypt called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
  },
  onLeave(log, retval, state) {
  }
}

SecKeyRawSign私钥加密函数对应的js代码如下:
{
  onEnter(log, args, state) {
    log(`SecKeyRawSign()=${args[2].readCString()}=`);
    log('SecKeyRawSign called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
  },
  onLeave(log, retval, state) {
  }
}

15.修改方法的入参

frida-trace -UF -m “-[DetailViewController setObj:]”


#js
/*
 * Auto-generated by Frida. Please modify to match the signature of -[DetailViewController setObj:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[DetailViewController setObj:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // 当前对象
    var method = args[1].readUtf8String();  // 当前方法名
    log(`[${self.$className} ${method}]`);

    // 字符串
    // var str = ObjC.classes.NSString.stringWithString_("hi wit!")  // 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
    // args[2] = str  // 修改入参为字符串

    // 数组
    // var array = ObjC.classes.NSMutableArray.array();  // 对应的oc语法:NSMutableArray array = [NSMutablearray array];
    // array.addObject_("item1");  // 对应的oc语法:[array addObject:@"item1"];
    // array.addObject_("item2");  // 对应的oc语法:[array addObject:@"item2"];
    // args[2] = array; // 修改入参为数组

    // 字典
    // var dictionary = ObjC.classes.NSMutableDictionary.dictionary(); // 对应的oc语法:NSMutableDictionary *dictionary = [NSMutableDictionary dictionary];
    // dictionary.setObject_forKey_("value1", "key1"); // 对应的oc语法:[dictionary setObject:@"value1" forKey:@"key1"]
    // dictionary.setObject_forKey_("value2", "key2"); // 对应的oc语法:[dictionary setObject:@"value2" forKey:@"key2"]
    // args[2] = dictionary; // 修改入参为字典

    // 字节
    var data = ObjC.classes.NSMutableData.data(); // 对应的oc语法:NSMutableData *data = [NSMutableData data];
    var str = ObjC.classes.NSString.stringWithString_("hi wit!")  // 获取一个字符串。 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
    var subData = str.dataUsingEncoding_(4);  // 将str转换为data,编码为utf-8。对应的oc语法:NSData *subData = [str dataUsingEncoding:NSUTF8StringEncoding];
    data.appendData_(subData);  // 将subData添加到data。对应的oc语法:[data appendData:subData];
    args[2] = data; // 修改入参字段

    // 更多数据类型:https://developer.apple.com/documentation/foundation
  },

  onLeave(log, retval, state) {

  }
}

16、修改方法的返回值

frida-trace -UF -m “-[DetailViewController Obj]”

#js
{
  onEnter(log, args, state) {

  },
  onLeave(log, retval, state) {
    // 字符串
    var str = ObjC.classes.NSString.stringWithString_("hi wit!")  // 对应的oc语法:NSString *str = [NSString stringWithString:@"hi with!"];
    retval.replace(str)  // 修改返回值
    var after = new ObjC.Object(retval); // 打印出来是个指针时,请用该方式转换后再打印
    log(`before:=${retval}=`);
    log(`after:=${after}=`);
  }
}

17、打印字符串、数组、字典

frida-trace -UF -m “-[DetailViewController setObj:]”

{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // 当前对象
    var method = args[1].readUtf8String();  // 当前方法名
    log(`[${self.$className} ${method}]`);

    var before = args[2];
    // 注意,日志输出请直接使用log函数。不要使用console.log()
    var after = new ObjC.Object(args[2]); // 打印出来是个指针时,请用该方式转换后再打印
    log(`before:=${before}=`);
    log(`after:=${after}=`);
  },
  onLeave(log, retval, state) {

  }
}

18、打印NSData

frida-trace -UF -m “-[DetailViewController setObj:]”

#js
{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // 当前对象
    var method = args[1].readUtf8String();  // 当前方法名
    log(`[${self.$className} ${method}]`);

    var before = args[2];

    // 注意,日志输出请直接使用log函数。不要使用console.log()
   
    var after = new ObjC.Object(args[2]); // 打印NSData
    var outValue = after.bytes().readUtf8String(after.length()) // 将data转换为string
    log(`before:=${before}=`);
    log(`after:=${outValue}=`);
  },
  onLeave(log, retval, state) {

  }
}

19、打印对象的所有属性和方法

frida-trace -UF -m “-[DetailViewController setObj:]”

#js
{
  onEnter(log, args, state) {
    var self = new ObjC.Object(args[0]);  // 当前对象
    var method = args[1].readUtf8String();  // 当前方法名
    log(`[${self.$className} ${method}]`);

    var customObj = new ObjC.Object(args[2]); // 自定义对象
    // 打印该对象所有属性
    var ivarList = customObj.$ivars;
    for (key in ivarList) {
       log(`key${key}=${ivarList[key]}=`);
    }

    // 打印该对象所有方法
    var methodList = customObj.$methods;
    for (var i=0; i<methodList.length; i++) {
       log(`method=${methodList[i]}=`);
    }
  },
  onLeave(log, retval, state) {

  }
}

20、打印调用栈

frida-trace -UF -m “+[NSURL URLWithString:]”

#js
{
  onEnter(log, args, state) {
    var url = new ObjC.Object(args[2]);
    log(`+[NSURL URLWithString:${url}]`);
    log('NSURL URLWithString: called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
  },
  onLeave(log, retval, state) {
  }
}

21、日志输出到文件

frida-trace -UF -m “+[NSURL URLWithString:]” -o run.log

22、更多数据类型

/**
 * Converts to a signed 32-bit integer.
 */
  toInt32(): number;

  /**
  * Converts to an unsigned 32-bit integer.
  */
  toUInt32(): number;

  /**
  * Converts to a “0x”-prefixed hexadecimal string, unless a `radix`
  * is specified.
  */
  toString(radix?: number): string;

  /**
  * Converts to a JSON-serializable value. Same as `toString()`.
  */
  toJSON(): string;

  /**
  * Returns a string containing a `Memory#scan()`-compatible match pattern for this pointer’s raw value.
  */
  toMatchPattern(): string;

  readPointer(): NativePointer;
  readS8(): number;
  readU8(): number;
  readS16(): number;
  readU16(): number;
  readS32(): number;
  readU32(): number;
  readS64(): Int64;
  readU64(): UInt64;
  readShort(): number;
  readUShort(): number;
  readInt(): number;
  readUInt(): number;
  readLong(): number | Int64;
  readULong(): number | UInt64;
  readFloat(): number;
  readDouble(): number;
  readByteArray(length: number): ArrayBuffer | null;
  readCString(size?: number): string | null;
  readUtf8String(size?: number): string | null;
  readUtf16String(length?: number): string | null;
用命Frida-traceargslogcodePython

有关Frida-trace常用命令的更多相关文章

  1. 华为常用命令 - 2

    system-view进入系统视图quit退到系统视图sysname交换机命名vlan20创建vlan(进入vlan20)displayvlan显示vlanundovlan20删除vlan20displayvlan20显示vlan里的端口20Interfacee1/0/24进入端口24portlink-typeaccessvlan20把当前端口放入vlan20undoporte1/0/10删除当前VLAN端口10displaycurrent-configuration显示当前配置02配置交换机支持TELNETinterfacevlan1进入VLAN1ipaddress192.168.3.100

  2. ruby 2.0 未定义方法 ObjectSpace.trace_object_allocations - 2

    在ruby​​2.0.0/247或head上试过这个:require'objspace'ObjectSpace.trace_object_allocations->undefinedmethod`trace_object_allocations'forObjectSpace:Module文档说它应该可以工作http://www.ruby-doc.org/stdlib-2.0/libdoc/objspace/rdoc/ObjectSpace.html知道我错过了什么吗? 最佳答案 对于更高的ruby​​版本,您仍然可能会遇到如下错误:

  3. Ruby - fork 进程上的 set_trace_func - 2

    我想实现以下目标:构建一个Ruby命令行实用程序来注册一些set_trace_func事件,然后调用您传递给它的任何ruby​​可执行参数(比如rspec)。注册的事件然后转移到调用的命令。myutility的伪代码:set_trace_func()#Setsomeeventshereexec(ARGV.join(''))#Executeargumentpassed然后调用myutilityrspec。我的目标是实际在任意命令上注册跟踪点(只要它们使用ruby​​垫片)。我尝试过的事情:exec不起作用,原因很明显(它完全取代了进程)。popen、系统、反引号。这些启动了一个独立的过程

  4. ruby - 如何在 capistrano 中使用 --trace 运行 rake? - 2

    我希望capistrano使用--trace调用rake,这样我就可以弄清楚它失败的原因。我该怎么做呢?set:rake'rake--trace'不起作用。 最佳答案 我找到的最好的方法是:set:rake,"#{rake}--trace"这样您就不会覆盖rake变量。例如,如果您使用bundler,这之前设置为:“bundleexecrake”之后:“bundleexecrake--trace” 关于ruby-如何在capistrano中使用--trace运行rake?,我们在Stac

  5. camille mumu 模拟器 frida 踩坑记录 - 2

    1.了解监管机构已经卷到需要监控进程了,为了跟上通报步伐查了下资料,打算浅试一下camille,依据原作的文档初步了解到需要python3、adb、frida、模拟器(木木-已成功、夜神)、root手机,开始逐个尝试,记录一下所遇到的情况。 原作祭上:camille/use.mdatmaster·zhengjim/camille·GitHubhttps://www.cnblogs.com/zhengjim/p/15508738.html2.PythonPython38、pip更新电脑中如果有多个python环境的,记得改好名哦,不然会报错,我是配置了环境变量然后让38的置顶pip如果久没用了也

  6. git常用命令 - 2

    gitclonehttp:www.git.com.cn........ 克隆git项目gitbranch 查看分支gitbranch-r查看远程分支gitpushorigin--delete分支名 删除远程分支tmpgitcheckout切换分支gitcheckout-b切换并创建分支gitcheckout-b分支名origin/分支名(如果远程分支已存在最好用此命令,在创建分支时会把远程分支最新代码一并拉下来,不会把原分支代码带过来)gitbranch-D删除分支gitpushorigin--delete分支名gitpush--set-upstreamorigin分支名 推送本地分支到远端g

  7. 3. Android逆向-基于Frida的工具Objection - 2

    文章目录Objection安装使用安装使用Ubuntu连接测试Windows问题Objection安装使用在开始熟悉Frida时,接触的示例是需要frida-server在一个root过的os环境中运行,便于读取/访问所有需要的数据或其他app。一般真机开发过程,都是一个比较纯粹的App开发,不会在一个Root过的Android设备上进行开发。这篇主要就是学习在非Root环境下hookapp。这里介绍并使用一个基于Frida开发的工具objection:📱objection-runtimemobileexploration(github.com)。本篇文章主要描述下objection安装及在使

  8. ruby-on-rails - rails : Logging the entire stack trace of an exception - 2

    我一直在尝试找出记录堆栈跟踪的正确方法。我遇到了this链接指出logger.error$!,$!.backtrace是要走的路,但这对我不起作用log_error。根据文档,我看不出将第二个参数传递给错误方法是如何工作的,因为rails使用的ruby​​记录器只接受一个参数。奇怪的是(或者可能不是)第二个论点被接受了,没有任何口译员的提示。但是,我传递给它的任何内容都将被忽略。谁能解释一下我错过了什么?对错误的第二个论点是什么以及是什么吞噬了它有什么见解吗? 最佳答案 如果您查看ActiveSupport中BufferedLogg

  9. Coresight - HW Assisted Tracing on ARM - 2

    文章目录一、Introduction二、AcronymsandClassification2.1Acronyms2.2Classification三、DeviceTreeBindings四、Frameworkandimplementation五、DeviceNamingscheme六、TopologyRepresentation七、Howtousethetracermodules7.1UsingthesysFSinterface7.2Usingperfframework参考资料一、IntroductionCoresight是一个允许调试基于ARM的SoC技术。它包括JTAG和硬件辅助跟踪的解决

  10. javascript交互式调试(相当于python的pdb.set_trace()) - 2

    我正在使用一些javascript代码,我希望能够在函数调用的上下文中运行一个交互式控制台-也就是说,基本上正是python的importpdb;pdb.set_trace()完成。有什么办法吗?如果不是,那么最好的近似值是多少?我目前正在使用Chrome的控制台来处理一些事情,我基本上喜欢被放到函数调用的中间并使用Chrome的控制台来查看局部变量等。 最佳答案 设置断点,Chrome的检查器将允许您检查应用的状态。点击行号。将出现一个蓝色标记。当您点击该行时,执行将暂停。在您的代码中编写一个debugger语句。当您点击语句时,

随机推荐