Frida Installation and Usage

1. Installation

Installation on macOS [requires access to overseas servers]
Install Python 3.11. Keep it separate from the Python bundled with Xcode, otherwise Xcode will stop working properly.

brew install python@3.11

Add it to PATH, then install frida-tools:

export PATH=/usr/local/opt/python@3.11/libexec/bin:${PATH}
alias python3="/usr/local/bin/python3.11"
zeno@zMac ~ % pip3 install frida-tools

Installation on the phone

Add the source https://build.frida.re to the Cydia repositories.

Then search for frida and install it.

By default the installed frida-server only listens on the local loopback address. To change that, edit /Library/LaunchDaemons/re.frida.server.plist:

        <key>ProgramArguments</key>
        <array>
                <string>/usr/sbin/frida-server</string>
                <string>-l</string>
                <string>0.0.0.0:27042</string>
        </array>

This makes frida-server listen on all interfaces, which is convenient for debugging; it also means the server is reachable from any host on the same network. Reload the daemon afterwards:

iphone-xrdev:~ root# launchctl unload /Library/LaunchDaemons/re.frida.server.plist
iphone-xrdev:~ root# launchctl load /Library/LaunchDaemons/re.frida.server.plist

2. Connecting from the PC

There are two common ways to connect: 1. connect the phone to the computer over USB, open Xcode, then connect directly; 2. connect directly by IP address.
We use the latter because it is more convenient.

3. Injecting a dylib without a jailbreak

4. Common methods

  • Attach to a process
zeno@zMac ~ % frida -H 172.16.1.240 Safari
     ____
    / _  |   Frida 15.1.28 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=00008020-000XXXXX3E69002E)

Use TAB to inspect the local environment or for command-line completion

[Local::ProcN[iPhone::Walkr ]-> <TAB>
Backtracer           Process
ObjC
[Local::ProcName::Calculator]-> ObjC.<TAB>
Object            implement         selector
available         mainQueue         selectorAsString
classes           schedule

Run JavaScript in the REPL

[iPhone::Walkr ]-> Object.keys(ObjC.classes).slice(0, 10)
[
    "NSLeafProxy",
    "JSExport",
    "PFEmbeddedMulticasterImplementation",
    "PFMulticasterDistributionMethods",
    "_TtCs12_SwiftObject",
    "_TtGCs13ManagedBufferVCs20__BridgingHashBuffer6HeaderPs9AnyObject__$",
    "Swift.__BridgingHashBuffer",
    "SwiftKeychainWrapper.KeychainWrapper",
    "Lottie.TrimPathNode",
    "Lottie.TrimPathProperties"
]

Running the common command-line tools

zeno@zMac ~ % frida-ps -H 172.16.1.240 -a
 PID  Name   Identifier              
----  -----  ------------------------
1901  Cydia  com.saurik.Cydia        
2349  Walkr  com.fourdesire.spacewalk 

zeno@zMac ~ % frida-ps -H 172.16.1.240 -ai
 PID  Name          Identifier                          
----  ------------  ------------------------------------
1901  Cydia         com.saurik.Cydia                    
2349  Walkr         com.fourdesire.spacewalk

zeno@zMac ~ % frida-trace -i "recv*" -i "read*" twitter
recv: Auto-generated handler: …/recv.js
# (snip)
recvfrom: Auto-generated handler: …/recvfrom.js
Started tracing 21 functions. Press Ctrl+C to stop.
    39 ms	recv()
   112 ms	recvfrom()
   128 ms	recvfrom()
   129 ms	recvfrom()

Tracing functions

zeno@zMac ~ % frida-trace -U -i "CCCryptorCreate*" Twitter
Uploading data...
CCCryptorCreate: Auto-generated handler …/CCCryptorCreate.js
CCCryptorCreateFromData: Auto-generated handler …/CCCryptorCreateFromData.js
CCCryptorCreateWithMode: Auto-generated handler …/CCCryptorCreateWithMode.js
CCCryptorCreateFromDataWithMode: Auto-generated handler …/CCCryptorCreateFromDataWithMode.js
Started tracing 4 functions. Press Ctrl+C to stop.

Listing devices

zeno@zMac ~ % frida-ls-devices
Id                         Type    Name                                 
-------------------------  ------  -------------------------------------
local                      local   Local System                         
00008020-001600002600002E  usb     iPhone                               
00008030-001200003A00002E  usb     iPhone                               
socket                     remote  Local Socket                         
00008030-001200003A00002E  remote  iOS Device [fe80::xxx:7ef4:xxxx:7a63]
00008020-001600002600002E  remote  iOS Device [fe80::xxx:d159:xxxx:f8cb]

Loading a script

zeno@zMac ~ % frida Calculator -l calc.js
    _____
   (_____)
    |   |    Frida 4.0.0 - A world-class dynamic
    |   |                  instrumentation framework
    |`-'|
    |   |    Commands:
    |   |        help      -> Displays the help system
    |   |        object?   -> Display information about 'object'
    |   |        exit/quit -> Exit
    |   |
    |   |    More info at https://frida.re/docs/home/
    `._.'

# The code in calc.js has now been loaded and executed
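As an added example that is not part of the original post: a script in the style of the calc.js loaded above, which hooks CCCryptorCreate (the function traced with frida-trace in the tracing section) and reports each cipher configuration the app sets up, flagging legacy algorithms and ECB mode. The file name cryptor_audit.js, the host 172.16.1.240 and the process name are assumptions; the numeric constants are the CommonCryptor.h values, and no key material is logged.

```javascript
// Frida script (assumed file name: cryptor_audit.js). Load it with
//   frida -H 172.16.1.240 -l cryptor_audit.js Walkr
// and it reports the cipher configuration of every CCCryptorCreate call.

// kCCAlgorithm* values from CommonCryptor.h
const ALGORITHMS = { 0: 'AES', 1: 'DES', 2: '3DES', 3: 'CAST', 4: 'RC4', 5: 'RC2', 6: 'Blowfish' };
const LEGACY = new Set(['DES', '3DES', 'CAST', 'RC4', 'RC2', 'Blowfish']);
const kCCOptionPKCS7Padding = 1;  // CCOptions bits
const kCCOptionECBMode = 2;

// Pure classification of one CCCryptorCreate call. It is used by the hook
// below and can also run outside Frida, e.g. in Node for testing.
function describeCryptor(op, alg, options, keyLength) {
  const name = ALGORITHMS[alg] || ('unknown(' + alg + ')');
  const ecb = (options & kCCOptionECBMode) !== 0;
  const findings = [];
  if (LEGACY.has(name)) findings.push('legacy algorithm ' + name);
  if (ecb) findings.push('ECB mode');
  if (name === 'AES' && ![16, 24, 32].includes(keyLength)) {
    findings.push('unexpected AES key length ' + keyLength);
  }
  return {
    operation: op === 0 ? 'encrypt' : 'decrypt',   // kCCEncrypt = 0, kCCDecrypt = 1
    algorithm: name,
    mode: ecb ? 'ECB' : (name === 'RC4' ? 'stream' : 'CBC'),
    padding: (options & kCCOptionPKCS7Padding) !== 0,
    keyLength: keyLength,
    findings: findings,
  };
}

// Install the hook only when running inside Frida (Interceptor does not exist in Node).
if (typeof Interceptor !== 'undefined') {
  const target = Module.findExportByName(null, 'CCCryptorCreate');
  Interceptor.attach(target, {
    onEnter(args) {
      // CCCryptorCreate(op, alg, options, key, keyLength, iv, cryptorRef)
      const info = describeCryptor(args[0].toInt32(), args[1].toInt32(),
                                   args[2].toInt32(), args[4].toUInt32());
      console.log('[CCCryptorCreate] ' + JSON.stringify(info));
    },
  });
}
```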

About Zeno Chen

I work across many fields, broadly rather than deeply. Programming languages: Perl, Java, PHP, Python; database systems: MySQL, Oracle; occasionally I do circuit-board development, mainly with STM32 microcontrollers.
This entry was posted in the C/C++ category.