Frida在J2SE上的基本使用

Frida server

服务器配置

  • 操作系统:Ubuntu Linux
  • IP:192.168.76.142
  • OpenJDK 11, OpenJFX

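运行Frida server

下面的命令以root身份监听0.0.0.0,而frida-server默认不做认证,任何能连到该端口的主机都可以向本机进程注入代码;在隔离的实验网络之外,应绑定到具体网卡地址,或使用 --token / --certificate 开启认证与TLS。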

user@VMware-Virtual-Platform:~/apps$ sudo ./frida-server-16.4.4-linux-x86_64 -l 0.0.0.0:23947

运行Java用户程序(命令末尾的 `& echo "$!"` 会打印后台进程的PID,后面的Python脚本用这个PID来attach)

user@VMware-Virtual-Platform:~/challs$ java --module-path $PATH_TO_FX --add-modules javafx.controls,javafx.fxml -jar ./WhackAMoleGame_flag1.jar & echo "$!"
[1] 53915
53915

Frida client

Python部分:

import frida
import sys


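# Load the Frida agent source (the JavaScript part) from the path given as the
# first command-line argument. The encoding is pinned to UTF-8 because agent
# scripts may carry non-ASCII text and the platform default encoding can differ.
with open(sys.argv[1], "r", encoding="utf-8") as f:
    jscode = f.read()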


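def printMessage(message, data):
    """Print one message received from the loaded Frida script.

    Args:
        message: dict describing the message. Its "type" key is inspected;
            for "send" messages the "payload" key is printed.
        data: second argument handed to the message callback; unused here.
    """
    if message["type"] == "send":
        print("[*] {0}".format(message["payload"]))
    else:
        # Every other message type is dumped as-is so nothing the agent
        # reports gets hidden.
        print(message)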


# Register the remote frida-server; the address is the server's IP plus the
# port passed to its -l option.
# NOTE(review): no token or certificate is supplied, which matches a
# frida-server started without --token/--certificate. Confirm this link is
# confined to the lab network.
manager = frida.get_device_manager()
remote = manager.add_remote_device("192.168.76.142:23947")
print(remote)

# 53915 is the PID echoed when the Java program was launched. It changes on
# every run, so update it before attaching.
session = remote.attach(53915)

# Build the agent from the JavaScript source, route its messages to
# printMessage, then inject it into the target.
agent = session.create_script(jscode)
agent.on("message", printMessage)
agent.load()

# Block on stdin so this client, and with it the loaded script, stays alive.
sys.stdin.read()

JavaScript部分:

// let libjvm = Module.enumerateSymbolsSync('libjvm.so');
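Java.perform(function () {
  // "yyyyy" is a placeholder for the fully qualified name of the class to find.
  const ClassName = Java.use("yyyyy");
  console.log("Find ClassName Successfully!" + ClassName); // class located

  // Print every loaded class whose name contains the placeholder "xxxxx",
  // followed by the property names found on its wrapper's prototype.
  Java.enumerateLoadedClasses({
    onMatch(c) {
      if (!c.includes("xxxxx")) return;
      try {
        console.log(c);
        const props =
          "\t" + Object.getOwnPropertyNames(Java.use(c).__proto__).join(", ");
        console.log(props);
      } catch (error) {
        // Report the failure instead of swallowing it, so a class that could
        // not be wrapped is visible in the output rather than silently missing.
        console.log("\t<inspection failed: " + error + ">");
      }
    },

    onComplete() {},
  });

  // "packegeName.className", "foo1" and "foo2" are placeholders for the real
  // class and method names.
  const clazz1 = Java.use("packegeName.className");

  // The property must be spelled `implementation`. The earlier spelling
  // `implementatin` only created an unused property, so no replacement was
  // ever installed.
  // NOTE(review): these replacements never call the original method and
  // return undefined, which presumably only suits void methods. Confirm the
  // return types. Forwarding to the original needs a `function` expression,
  // since an arrow function has no `this` of its own.
  clazz1["foo1"].overload().implementation = () => {
    console.log("foo1");
  };

  clazz1["foo2"].overload("java.lang.String").implementation = (s) => {
    console.log("foo2" + s);
  };
});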