移动应用安全与风控
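# Reboot into the bootloader; fastboot commands only work from there.
adb reboot bootloader
# Unlock the bootloader. One of the two forms applies depending on the device;
# the original listing wrote them on one line joined by "or", which is not a
# runnable command. Unlocking wipes user data.
fastboot flashing unlock
# fastboot oem unlock
# Fetch the boot image that Magisk patched on the device.
adb pull /sdcard/Download/magisk_patched-23000_T5HA4.img .
adb reboot bootloader
# "fastboot boot" runs the patched image for this boot only; nothing is flashed.
fastboot boot magisk_patched-23000_T5HA4.img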
<!-- Xposed module meta-data (placed inside <application>): marks the APK as a
     module, gives the description shown in the installer, and declares the
     minimum framework version. -->
<meta-data android:name="xposedmodule" android:value="true" />
<meta-data
    android:name="xposeddescription"
    android:value="Edxposed demo!" />
<meta-data android:name="xposedminversion" android:value="54" />
<?xml version="1.0" encoding="utf-8"?>
<!-- Minimal manifest for an Xposed/EdXposed module. The three meta-data
     entries are what the framework reads to recognise the APK as a module,
     describe it in the installer, and check the minimum framework version. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.hook.xposed">
    <application
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name">
        <!-- Marks this APK as an Xposed module -->
        <meta-data
            android:name="xposedmodule"
            android:value="true" />
        <!-- Description shown in the module list -->
        <meta-data
            android:name="xposeddescription"
            android:value="Edxposed Xposed Test" />
        <!-- Minimum Xposed framework (API) version the module requires -->
        <meta-data
            android:name="xposedminversion"
            android:value="54" />
    </application>
</manifest>
dependencies {
    // compileOnly: the Xposed API is supplied by the installed framework at
    // runtime and must not be packaged into the module APK.
    compileOnly 'de.robv.android.xposed:api:82'
    // Sources artifact for IDE navigation only; nothing from it ships.
    compileOnly 'de.robv.android.xposed:api:82:sources'
}
repositories {
    // NOTE(review): JCenter has been sunset and is no longer a maintained
    // source of artifacts; resolving new builds from it is a supply-chain
    // risk. Prefer mavenCentral() once the artifact is confirmed to be there.
    jcenter()
}
dependencies {
    // Alternative to the remote artifact: a local copy of the API jar,
    // still compileOnly so it is not bundled into the APK.
    compileOnly files('libs/XposedBridgeApi-82.jar')
}
com.hook.xposed.InitHook
// Hook Application.attach(Context) to obtain the app's own ClassLoader: classes
// defined by the app must be looked up through that loader, not the module's.
findAndHookMethod("android.app.Application",
    loadPackageParam.classLoader,
    "attach",
    Context.class,
    new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) {
            // attach(Context) has exactly one argument: the application Context.
            Context context = (Context) param.args[0];
            ClassLoader classLoader = context.getClassLoader();
            // ... further hooks are installed here using classLoader (elided on the page)
            .....
        }
    }
);
......
// Demo hook target: both arguments are ignored and the same greeting is
// returned every time, so a hook that replaces the result is easy to observe.
public String getTextViewShowData(String input, int count) {
    final String greeting = "Hello, welcome to here!!!";
    return greeting;
}
......
// Hook MainActivity.getTextViewShowData(String, int). Setting a result inside
// beforeHookedMethod makes Xposed skip the original implementation, so the
// caller only ever sees the replacement string.
XposedHelpers.findAndHookMethod("com.demo.app.MainActivity", lpparam.classLoader, "getTextViewShowData", String.class, int.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        param.setResult("this function is be hooked!!!");
    }
});
// Resolve an app-defined parameter type through the app's ClassLoader so it can
// appear in the hook signature below. The quoted strings are placeholders for
// the fully qualified class name, the target class and the target method.
Class<?> customClass = XposedHelpers.findClass("自定义变量的的完整路径", classLoader);
findAndHookMethod(
    "目标类名",
    classLoader,
    "目标方法名",
    String.class,   // first parameter type of the target method
    customClass,    // second parameter type: the app-defined class resolved above
    new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) {
            // Runs after the original method has returned; empty in the demo.
        }
    }
);
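$ pip3 install frida-tools
adb push frida-server /data/local/tmp    # frida-server must match the frida version pulled in by frida-tools
adb shell                                # enter the Android command line
$ su                                     # switch to root
# chmod a+x /data/local/tmp/frida-server   # make the server executable (the original read "chemod")
# /data/local/tmp/frida-server             # absolute path; "./data/local/tmp/..." only resolves when run from "/"
adb forward tcp:27042 tcp:27042          # frida-server ports; the host side of an adb forward listens on loopback by default
adb forward tcp:27043 tcp:27043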
$ frida-ps -U
PID Name
----- -------------------------------------------------------
5805 com.google.android.gms
5366 com.google.android.gms.persistent
11067 com.google.android.gms.ui
7371 com.google.android.gms.unstable
5649 com.google.android.googlequicksearchbox
5592 com.google.android.googlequicksearchbox:interactor
5628 android.process.media
$ frida-ls-devices
Id Type Name
local local Local System
CVH7N15A20001095 usb Nexus 6P
socket remote Local Socket
$ frida-trace -i "recv*" -i "send*" <进程名>     # -i: trace native exports matching the glob
$ frida-trace -m "ObjC" <进程名>                  # -m: Objective-C method pattern (as written the pattern is just "ObjC" — confirm intent)
$ frida-trace -U -f <进程名> -I "call"           # -U: USB device; -f: spawn the process; -I: include module (confirm "call" is meant as a module name)
$ frida-trace -U -i "Java_*" <进程名>            # trace JNI entry points
$ frida-ps -U                                    # processes on the USB device
$ frida-ps -Ua                                   # running applications only
$ frida-ps -Uai                                  # all installed applications
$ frida -U Chrome -l test.js --debug             # attach to Chrome, load test.js, enable the script debugger
# Discover internal functions in the application
$ frida-discover -n <进程名>
$ frida-discover -p <进程id>
$ frida-kill -D <DEVICE-ID> <PID>                # kill a process on the given device
$ frida-ls-devices
Id Type Name
---------------- ------ ------------
local local Local System
CVH7N15A20001095 usb Nexus 6P
socket remote Local Socket
$ frida-ps -D CVH7N15A20001095 -a
PID Name
----- -------------------------------------------------------
5805 com.google.android.gms
5366 com.google.android.gms.persistent
11067 com.google.android.gms.ui
7371 com.google.android.gms.unstable
5649 com.google.android.googlequicksearchbox
5592 com.google.android.googlequicksearchbox:interactor
5628 android.process.media
$ frida-kill -D CVH7N15A20001095 5805
# Attach to an already-running process and inject a script.
process = frida.attach(target_process)
script = process.create_script(script_code)
script.load()
# Spawn mode: start the app suspended, install the script, then let it run.
pid = device.spawn([packename])
process = device.attach(pid)
script = process.create_script(jscode)
script.on('message', on_message)  # receives send() payloads and script errors
script.load()
device.resume(pid)
# Ways to obtain a device handle.
device = frida.get_device_manager().get_device("device id")
manager = frida.get_device_manager()
# Remote frida-server reached over TCP. NOTE(review): treat this transport as
# untrusted on shared networks unless the endpoint is known to enforce
# authentication/TLS — confirm for the frida version in use.
device = manager.add_remote_device("30.128.25.128:8080")
device = frida.get_usb_device()
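import sys
import frida

# JavaScript injected into the target; Java.perform runs once the Java VM is ready.
jscode = """
Java.perform(function(){
var main=Java.use("com.frida.test.MainActivity");
main.test.implementation = function()
{
console.log("You have been Hooked");
}
});
"""


def on_message(message, data):
    """Print what the injected script reports.

    send() arrives as {"type": "send", "payload": ...}; script errors arrive as
    {"type": "error", ...} with no "payload" key, so the original unconditional
    message["payload"] raised KeyError precisely when something went wrong.
    """
    if message.get("type") == "send":
        print(message["payload"])
    else:
        print(message)


device = frida.get_usb_device()
# Spawn the app suspended so the hook is installed before any app code runs.
pid = device.spawn(["com.frida.test"])
session = device.attach(pid)
script = session.create_script(jscode)
script.on("message", on_message)
script.load()
# Resume only after the script is loaded; the original resumed right after
# spawning, so the app could run past the hook point before it was in place.
device.resume(pid)
# Block so the session stays alive until stdin is closed.
sys.stdin.read()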
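import frida
import sys

# Native hook on libc open(): reports every path the process opens.
jscode = """
var openPtr = Module.findExportByName("libc.so", "open");
if (openPtr === null) {
    throw new Error("libc.so!open not found");
}
Interceptor.attach(openPtr, {
onEnter : function(args){
var pathPtr = args[0];
send("open called ! path=" + pathPtr.readUtf8String());
},
onLeave : function(retval){
send("open leave.....");
}
});
"""


def on_message(message, data):
    """Print what the injected script sends back.

    send() arrives as {"type": "send", "payload": ...}; script errors arrive as
    {"type": "error", ...} with no "payload" key, so the original unconditional
    message["payload"] raised KeyError precisely when something went wrong.
    """
    if message.get("type") == "send":
        print(message["payload"])
    else:
        print(message)


device = frida.get_usb_device()
# Spawn the app suspended so the hook is in place before its first open() call.
pid = device.spawn(["com.frida.test"])
session = device.attach(pid)
script = session.create_script(jscode)
script.on("message", on_message)
script.load()
# Resume only after the script is loaded (the original resumed before loading it).
device.resume(pid)
# Block so the session stays alive until stdin is closed.
sys.stdin.read()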
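pip3 install objection
# Attach to the running app (Android package name or iOS bundle id) and open the REPL
objection -g [packageName/bundleID] explore
# Run a REPL command as soon as the session is up
objection -g packageName explore --startup-command 'android hooking watch class_method xxxx'
# Enumerate the app's components
android hooking list activities
android hooking list services
android hooking list receivers
android intent launch_activity [class_activity]
android intent launch_service [class_service]
# Class/method discovery and hooking; the prefix is android or ios depending on the target
android/ios hooking list classes
android/ios hooking list class_methods <class_name>
android/ios hooking search classes <class_name>
android/ios hooking search methods <method_name>
android/ios hooking watch class [class_name]
android/ios hooking watch class_method [class_name] --dump-args --dump-backtrace --dump-return
android/ios hooking set return_value [class_name] false
android/ios hooking generate simple [class_name]
# Search live instances of the given class and obtain their instance ids
# (the original line repeated "search instances" and lacked the "android heap" prefix)
android heap search instances [class_name]
# Call a method directly on an instance by id
android heap execute [instance_id] [method_name]
android/ios sslpinning disable
# Enumerate modules of the current process
memory list modules
# List exported functions of the given module
memory list exports [lib_name]
# Save the export list to a file
memory list exports [lib_name] --json result.json
# Search memory; the search term was missing from the original line
memory search [pattern] --string --offsets-only
android root disable
android root simulate
android/ios ui screenshot [image.png]
ios jailbreak disable
ios keychain dump
ios ui biometrics_bypass
android shell_exec [command]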
# Clone Theos with its submodules into /opt/theos
git clone --recursive https://github.com/theos/theos.git /opt/theos
# Point the toolchain at the install and put its binaries on PATH
# (add these to the shell profile to persist them across sessions)
export THEOS=/opt/theos
export PATH="$THEOS/bin:$PATH"
# ldid signs the built binaries; installed via Homebrew on macOS
brew install ldid
{ Filter = { Bundles = ( "com.test.demo","com.test.demo1" ); }; }
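%hook ClassName
// Class method: call through and hand back whatever the original returned.
+ (id)sharedInstance {
    return %orig;
}
// Instance method with one argument: %orig forwards the same argument.
- (void)messageName:(int)argument {
    %orig;
}
// Declared to return id, so the original's result must be returned. The
// original hook discarded it and fell off the end of a non-void method,
// leaving the caller with an undefined return value.
- (id)noArguments {
    return %orig;
}
%end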
%hook ClassName
// Pass-through hook on a class method: logic can be added before or after %orig.
+ (id)sharedInstance {
    return %orig;
}
%end
// Hooks declared inside a %group stay inactive until %init(<group>) is called.
%group testGroup
%hook ClassName
// Hooking a class method
+ (id)sharedInstance {
    return %orig;
}
%end
%end
// %ctor runs when the dylib is loaded; initialising the group here installs its hooks.
%ctor {
    %init(testGroup);
}
%hook ClassName
// %new adds a method the class did not previously have, so there is no %orig to call.
%new
- (void)addNewMethod {
}
%end
%hook ClassName
// Forward to the original, substituting 1 for a zero first argument.
- (int)add:(int)a to:(int)b {
    // Bare %orig passes the original arguments through unchanged;
    // %orig(1, b) calls the original with `a` replaced by 1.
    return (a != 0) ? %orig : %orig(1, b);
}
%end
%hook ClassName
// %log writes the receiver, selector and arguments to the system log on each call.
// Note that %orig is not called here, so the original implementation never runs.
- (void)targetMethod:(id)arg1 {
    %log
}
%end
#import <SpringBoard/SpringBoard.h>
%hook SpringBoard
// Let SpringBoard finish launching, then surface a test alert.
// NOTE: UIAlertView is deprecated in UIKit; kept here because the page's tweak uses it.
- (void)applicationDidFinishLaunching:(id)application {
    %orig;
    UIAlertView *testAlert = [[UIAlertView alloc] initWithTitle:@"Test"
                                                        message:@"Tweak test!!!"
                                                       delegate:nil
                                              cancelButtonTitle:@"确定"
                                              otherButtonTitles:nil];
    [testAlert show];
}
%end
# Address of the device Theos installs to ([目标手机IP] is a placeholder)
export THEOS_DEVICE_IP=[目标手机IP]
# Theos shorthand: build, package and install the tweak on THEOS_DEVICE_IP
make do
# Drozer depends on Python 2.x; the pip used here must be the Python 2.x one.
# NOTE: Python 2 is end-of-life; keep this toolchain in an isolated environment.
pip install drozer-2.4.4-py2-none-any.whl --ignore-installed pyOpenSSL
pip install protobuf==3.17.3 pyOpenSSL Twisted service_identity
# Install the macOS command line tools
xcode-select --install
# Forward the drozer agent's port from the device to the host
adb forward tcp:31415 tcp:31415
drozer console connect
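dz> run app.package.info -a package_name
dz> run app.package.attacksurface package_name
# Other component queries follow the same pattern; only the component type in the command changes
dz> run app.activity.info -a package_name
# Start with an empty action
dz> run app.activity.start --component package_name activity_name
# Start with a specified action (one command; the original listing wrapped it onto two lines)
dz> run app.activity.start --component package_name activity_name --action android.intent.action.XXX
# Enumerate content URIs the target app exposes
dz> run scanner.provider.finduris -a package_name
# Query data through an exposed URI
dz> run app.provider.query content://uri/passwords/ --vertical
dz> run scanner.provider.injection -a package_name
# World-writable file check (placeholder corrected from "pacakge_name")
dz> run scanner.misc.writablefiles --privileged /data/data/package_name
# World-readable file check
dz> run scanner.misc.readablefiles --privileged /data/data/package_name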
看雪ID:FIGHTING安
https://bbs.kanxue.com/user-home-967913.htm