Directory
1. pyenv installation and use
1.1 Introduction to pyenv
1.2 pyenv common commands
1.3 pyenv installation and use
2. Frida installation
2.1 Introduction to Frida
2.1 Frida installation
2.2 objection installation
2.3 objection commonly used commands
View the log
View the log lines that mention Frida
View objection's help
2.3.0 Enter the objection REPL
2.3.1 Start an activity directly
2.3.2 Search memory for DisplaySettings instances
2.3.3 Call a method on the DisplaySettings instance
2.3.4 Run a JS script against the DisplaySettings instance
2.3.5 List all methods of a class
View the currently registered activities
View the .so libraries loaded by the current app
View the exported functions of a .so library
Dump all or part of memory
Search the whole memory for a string and print the offsets
List all classes loaded in memory
Search for all classes whose name contains a keyword
Search memory for all methods whose name contains a string
Generate a hook script automatically
Watch a class
2.4 Installing the Wallbreaker and frida-dexdump objection plugins
2.4.1 Using Wallbreaker
2.4.2 Installing the frida-dexdump unpacking plugin
3 Install jadx
4 Install vscode
1. pyenv installation and use
1.1 Introduction to pyenv
pyenv is a Python version management tool. It can:
1. Install multiple Python versions side by side
2. Switch the global Python version
3. Pin a specific Python version for each project directory
1.2 pyenv common commands
pyenv exists to manage several Python versions on one machine. It works like this:
1. Every interpreter is installed under its own directory (~/.pyenv/versions by default).
2. A directory of "shims" is put at the front of PATH; each shim looks up the selected version and runs that interpreter, so switching versions only changes which interpreter the shims resolve to. The main commands are:
– pyenv install: install a Python version; several versions such as 2.x and 3.x can coexist
– pyenv versions: list the installed versions and mark the active one
– pyenv global: set the default version for the whole user account
– pyenv local: set the version for the current directory (written to a .python-version file there)
– pyenv rehash: rebuild the shims after installing a version or a package that provides a command
– pyenv uninstall: remove an installed version of Python
1.3 pyenv installation and use
pyenv on GitHub:
Build environment: Home · pyenv/pyenv Wiki · GitHub
Installer: GitHub – pyenv/pyenv-installer: This tool is used to install `pyenv` and friends.
Shell setup: https://github.com/pyenv/pyenv#set-up-your-shell-environment-for-pyenv
pyenv download and install commands:
Install the build dependencies pyenv needs to compile Python
sudo apt update; sudo apt install build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev curl libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev
Download and install pyenv (proxychains4 only routes the clone through a proxy; drop it if you do not need one)
proxychains4 git clone https://github.com/pyenv/pyenv.git ~/.pyenv
Add pyenv to the shell startup file (Kali's default shell is zsh; use ~/.bashrc instead if you run bash)
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc
echo 'eval "$(pyenv init -)"' >> ~/.zshrc
Restart the shell so the new PATH takes effect
exec "$SHELL"
Then list the Python 3 versions that can be installed
pyenv install --list
Here I install Python 3.10.11
proxychains4 pyenv install 3.10.11
After installation, list all installed Python versions
pyenv versions
Switch the current directory to Python 3.10.11 (pyenv local writes a .python-version file here; use pyenv global 3.10.11 to make it the default everywhere)
pyenv local 3.10.11
At this point the pyenv installation is complete
2. Frida installation
2.1 Introduction to Frida
Frida is a dynamic instrumentation framework.
It can be used in many ways; the most common are:
1. Android/iOS application analysis
We can use Frida to inject JS code into a running application on a real device or emulator to analyze, trace and debug it.
2. API monitoring and simulation
We can use Frida to hook an API call and observe or modify its parameters and return values, which shows how the application depends on and uses that API.
3. Method tracing
We can use Frida to trace the methods the application executes, log their calls and parameters, and follow the application's execution flow.
4. Memory modification
We can use Frida to find the address of a value in the application's memory and change it at runtime, altering the application's behaviour and logic.
5. Viewing environment variables
We can use Frida to list the environment variables the application can see and their values, which helps us understand the environment it runs in.
Frida works like this:
1. The user writes a JS script against Frida's JS API to do the analysis and interaction.
2. A Frida agent is injected into the application process on the real device or emulator (through frida-server on a rooted device, or a frida-gadget embedded in the app).
3. The agent loads the user's JS script; through the JS API the script can read and rewrite the live process, which is what makes dynamic analysis possible.
4. The user drives the agent from the command line (frida, frida-ps, objection and so on), sending scripts and commands and receiving the results back. Frida supports Android, iOS, macOS, Windows, Linux and other platforms and is an extremely powerful dynamic analysis framework.
2.1 Frida installation
Frida version history: Releases · frida/frida · GitHub
Command to install the latest version:
proxychains4 pip install -U frida frida-tools
However, objection pins the Frida version it was built against. At the time of writing the latest objection release is 1.11.0 (2021-04-06), so install a Frida release from the same period instead of the newest one; the matching set is
objection==1.11.0
frida==14.2.14
frida-tools==9.2.2
Command to install the matching Frida version
proxychains4 pip install "frida==14.2.14" "frida-tools==9.2.2"
Check the CPU architecture of the emulator; here it is x86_64
adb shell getprop ro.product.cpu.abi
Then download frida-server-14.2.14-android-x86_64.xz from the Frida releases page on GitHub. The frida-server version must be exactly the same as the frida Python package (14.2.14 here) and the architecture must match the device. Decompress it, rename the binary to fd, and push it to the emulator:
Connect to the emulator (turn off antivirus software first if it blocks the port)
adb connect 192.168.2.6:5555
Push the binary to the emulator
adb push '/root/desktop/fd' /data/local/tmp/
Then start frida-server to check that it runs
adb shell
su
cd /data/local/tmp/
chmod 755 fd
./fd -l 0.0.0.0:8888
-l 0.0.0.0:8888 makes frida-server listen on port 8888 on every network interface. If the command returns no error, the server is running. Note that a listening frida-server is a root-level code-execution service for anyone who can reach that port, so only do this on an isolated lab network.
Alternatively, keep frida-server on its default local port (start it with ./fd and no -l option) and forward that port over adb instead of exposing it on the network
adb forward tcp:27042 tcp:27042
Then run the following command on the Windows host to check that it can reach the emulator and list its processes. frida and frida-tools (same versions) must be installed on the Windows host too. 192.168.2.6 is the emulator IP; a wrong IP or port gives a connection error.
frida-ps -H 192.168.2.6:8888
If the process list appears, the Windows host is connected: one frida-server serves clients on several machines at once.
Now you can inject a script. -f spawns the package, -l loads the script into it, and --no-pause resumes the app immediately after the script is loaded (use -n <process name> or -p <pid> instead of -f to attach to an app that is already running)
frida -H 192.168.2.6:8888 -f <your application package name> -l <the .js to inject> --no-pause
2.2 objection installation
objection release history: Releases · sensepost/objection · GitHub
objection on PyPI
Command to install objection:
proxychains4 pip install objection==1.11.0
Run the following command to explore the emulator's Settings application, com.android.settings:
objection -N -h 192.168.2.6 -p 8888 -g com.android.settings explore
The options mean:
-N: connect over the network instead of over USB.
-h 192.168.2.6: the IP address of the frida-server to connect to.
-p 8888: the port frida-server is listening on (8888 here, because it was started with -l 0.0.0.0:8888).
-g com.android.settings: the package name of the target application.
explore: start objection's interactive REPL inside the target.
So the command connects to the frida-server at 192.168.2.6:8888, injects objection's agent into com.android.settings, and opens the REPL. If the objection prompt appears, the installation worked.
2.3 Commonly used objection commands
View the log
Run the following in a shell
cat ~/.objection/objection.log
View the log lines that mention Frida
cat ~/.objection/objection.log | grep -i frida
View objection's help
objection --help
2.3.0 Enter the objection REPL
objection -g com.android.settings explore
Or, if frida-server was started with -l 0.0.0.0:8888, connect over the network
objection -N -h 192.168.2.6 -p 8888 -g com.android.settings explore
2.3.1 Start an activity directly
Note that some vendor ROMs do not have the DisplaySettings class
android intent launch_activity com.android.settings.DisplaySettings
2.3.2 Search memory for DisplaySettings instances
Search the heap for live DisplaySettings instances; in this run it returned the handle 36485274
android heap search instances com.android.settings.DisplaySettings --fresh
2.3.3 Call a method on the DisplaySettings instance
android heap execute 36485274 getPreferenceScreenResId
2.3.4 Run a JS script against the DisplaySettings instance
Open an evaluator on the instance; objection binds it to the variable clazz
android heap evaluate 36485274
Type the JS, then press Esc followed by Enter to run it
console.log("evaluate result:" + clazz)
2.3.5 List all methods of a class
android hooking list class_methods com.android.settings.DisplaySettings
The parts of this command mean:
android: the target is an Android application.
hooking: the hooking command group.
list: list things.
class_methods: what is listed is the methods of a class.
com.android.settings.DisplaySettings: the class of interest.
So the command lists every method of com.android.settings.DisplaySettings in the Settings application.
View the currently registered activities
android hooking list activities
View the .so libraries loaded by the current app
memory list modules
View the exported functions of a .so library
To save the output as JSON add --json <file>, for example --json /root/libart.json
memory list exports libssl.so
Save the JSON file to /root/libart.json on the Kali Linux host
memory list exports libssl.so --json /root/libart.json
Dump all or part of memory
memory dump all <output file>
This reads every readable region of the current process and writes it to the given local file. To dump just one range use memory dump from_base <address> <size> <output file>.
Search the whole memory for a string and print the offsets
The two options used with memory search:
--string: the string to search for. objection scans the process's readable memory for it and reports each memory region that contains it.
--offsets-only: when only the locations matter, this prints just the address of each hit instead of the full region information.
They are usually combined. For example, to find where the string "display" occurs:
memory search --string "display" --offsets-only
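For readers who want to see what that search does under the hood, here is an added example in Frida's own JavaScript (written for this page; it is not objection's agent code and not from the original post). It scans every readable range of the target for the ASCII bytes of the string and reports each hit as module name plus offset, which is the form that survives ASLR between runs. The host, port and package name are the page's values and are assumptions here; the search string "display" is the page's own example.

```javascript
// Added example, not from the original page or from objection's own agent:
// the Frida calls behind `memory search --string "display" --offsets-only`.
// Inject with:  frida -H 192.168.2.6:8888 -n com.android.settings -l memsearch.js
// (-n attaches to the running Settings process; host, port and package are assumed).
'use strict';

// Memory.scan works on a hex byte pattern, so turn the search string into one:
// "display" -> "64 69 73 70 6c 61 79". Like objection's --string this is byte-exact
// ASCII, so it does not match strings stored as UTF-16.
function stringToPattern(s) {
  var out = [];
  for (var i = 0; i < s.length; i++) {
    var code = s.charCodeAt(i);
    if (code > 0x7f) throw new Error('only ASCII search strings are supported');
    out.push(('0' + code.toString(16)).slice(-2));
  }
  return out.join(' ');
}

// Group raw hits by module and dedupe offsets. Absolute addresses change on every
// run because of ASLR, so "module + offset" is the only result worth writing down.
// hits: [{module: 'libfoo.so' | null, offset: '0x...'}]
function summarize(hits) {
  var perModule = {};
  hits.forEach(function (h) {
    var key = h.module === null ? '<unmapped>' : h.module;
    if (!perModule[key]) perModule[key] = { count: 0, offsets: [] };
    perModule[key].count++;
    if (perModule[key].offsets.indexOf(h.offset) === -1) perModule[key].offsets.push(h.offset);
  });
  return perModule;
}

// Frida-only part: scan every readable range of the target process.
function searchString(str, offsetsOnly) {
  var pattern = stringToPattern(str);
  var hits = [];
  Process.enumerateRangesSync('r--').forEach(function (range) {
    var matches;
    try {
      matches = Memory.scanSync(range.base, range.size, pattern);
    } catch (e) {
      return; // some ranges (guard pages, device mappings) cannot be read; skip them
    }
    matches.forEach(function (m) {
      var mod = Process.findModuleByAddress(m.address);
      var rec = mod === null
        ? { module: null, offset: m.address.toString() }
        : { module: mod.name, offset: m.address.sub(mod.base).toString() };
      hits.push(rec);
      if (!offsetsOnly) {
        console.log(m.address + ' in ' + (mod === null ? 'anonymous range' : mod.name) +
                    ' (' + range.protection + ', base ' + range.base + ')');
      }
    });
  });
  return hits;
}

// Entry point when running inside Frida (the globals are absent under plain node).
if (typeof Process !== 'undefined' && typeof Memory !== 'undefined') {
  var result = summarize(searchString('display', true));
  console.log(JSON.stringify(result, null, 2));
}
```

The per-module summary matters in practice: a common word like "display" in the Settings process produces thousands of hits, most of them in resource tables and framework libraries, and only the ones in the library you are actually interested in are worth turning into a hook or a patch.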
List all classes loaded in memory
android hooking list classes
Search for all classes whose name contains a keyword
This command searches the Android application for every loaded class whose name contains the given keyword.
The parts mean:
android: the target is an Android application.
hooking: the hooking command group.
search: perform a search.
classes: search among classes.
keyword: the string to look for; replace it with the string you actually want.
So the command lists every class in the current application whose name contains the string
android hooking search classes <keyword>
For example, all classes under com.android.settings
android hooking search classes com.android.settings
Search memory for all methods whose name contains a string
The parts mean:
android: the target is an Android application.
hooking: the hooking command group.
search: perform a search.
methods: search among methods.
display: the string to look for, here display.
android hooking search methods display
Generate a hook script automatically
android hooking generate simple <class> generates a hook script for the given class
android hooking generate simple com.android.settings.DisplaySettings
1. The command takes the class name com.android.settings.DisplaySettings.
2. objection enumerates all the methods of the DisplaySettings class and emits a matching Frida hook script; save it to a file such as hook.js.
3. The script hooks every method of the class, so their parameters and return values can be logged or modified.
4. Inject it with the frida -l command from section 2.1 (frida -H 192.168.2.6:8888 -f com.android.settings -l hook.js --no-pause).
5. Once the script is loaded, every call to a DisplaySettings method passes through the Frida hook, where it can be monitored or modified.
So the main use of this command is to produce a hook script for a class automatically, which the user then edits and runs to hook that class's methods.
Watch a class
android hooking watch class <class> hooks every method of the class and logs each call
Specify the class to watch, here android.bluetooth.BluetoothDevice
android hooking watch class android.bluetooth.BluetoothDevice
The resulting log shows every BluetoothDevice method call with its parameter values and other details, which is very useful for analysing and security-testing the Bluetooth handling.
So this command uses Frida to monitor the method calls of the BluetoothDevice class and print the log lines that protocol analysis and penetration testing need.
The watch runs as a background job; list the jobs to get its ID (579414 in this run)
jobs list
Then open Settings -> Sound -> Media player, or toggle Bluetooth, and the calls to the Bluetooth methods are logged below
Every system is different, so the exact calls may vary slightly
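What `android hooking watch class` sets up, and what the script from `android hooking generate simple` leaves you to fill in, is an ordinary Frida agent. The following is an added example written for this page (not objection's generated code and not from the original post) of the kind of .js that the frida -l command in section 2.1 injects: it hooks every overload of every method of a class, logs each call in the style of objection's watch output, and shows where a return value is rewritten. The host, port, package and the BluetoothDevice class are the page's values; the getBondState override (BOND_BONDED is the constant 12 in android.bluetooth.BluetoothDevice) is a constructed illustration.

```javascript
// Added example, not from the original page, from objection or from Frida: a hand
// written "watch class" agent with an optional return-value override.
// Inject with the command from section 2.1, e.g.
//   frida -H 192.168.2.6:8888 -f com.android.settings -l watch_class.js --no-pause
// (host, port, package and target class are the page's values, assumed here).
'use strict';

var TARGET_CLASS = 'android.bluetooth.BluetoothDevice';
// Methods that fire constantly and drown the log.
var SKIP = ['$init', 'toString', 'hashCode', 'equals'];
// Optional return-value rewrites: method name -> function(original, args) -> replacement.
// Constructed illustration: report every device as bonded (BluetoothDevice.BOND_BONDED == 12).
var OVERRIDES = {
  getBondState: function (original, args) { return 12; }
};

// Pure helper: dedupe the declared method names (overloads share a name) and drop
// the skipped ones.
function selectMethods(declaredNames, skip) {
  var seen = {};
  return declaredNames.filter(function (name) {
    if (skip.indexOf(name) !== -1 || seen[name]) return false;
    seen[name] = true;
    return true;
  });
}

// Pure helper: apply a registered override, otherwise pass the original value through.
function applyOverride(overrides, name, original, args) {
  return Object.prototype.hasOwnProperty.call(overrides, name)
    ? overrides[name](original, args)
    : original;
}

// Pure helper: one log line per call, in the style of objection's watch output.
function formatCall(className, method, args, result) {
  return '[' + className + '.' + method + '](' + args.map(String).join(', ') +
         ') -> ' + String(result);
}

// Frida-only part: hook every overload of every selected method of the class.
function installHooks(className, overrides) {
  var clazz = Java.use(className);
  var declared = [];
  var methods = clazz.class.getDeclaredMethods();   // java.lang.reflect.Method[]
  for (var i = 0; i < methods.length; i++) declared.push(methods[i].getName());
  var count = 0;
  selectMethods(declared, SKIP).forEach(function (name) {
    clazz[name].overloads.forEach(function (overload) {
      overload.implementation = function () {
        var args = Array.prototype.slice.call(arguments);
        var original = overload.apply(this, arguments);   // run the real method
        var result = applyOverride(overrides, name, original, args);
        console.log(formatCall(className, name, args, result));
        return result;
      };
      count++;
    });
  });
  return count;
}

// Entry point when running inside Frida (the Java global is absent under plain node).
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    console.log('hooked ' + installHooks(TARGET_CLASS, OVERRIDES) +
                ' overloads of ' + TARGET_CLASS);
  });
}
```

Two details matter when you adapt this. Hooking per overload (rather than assigning `clazz[name].implementation`) is what avoids Frida's "has more than one overload" error on classes like BluetoothDevice, and calling the original before applying the override keeps the app's side effects intact, so a rewritten return value changes only what the caller sees.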
2.4 Installing the Wallbreaker and frida-dexdump objection plugins
GitHub: hluwa on GitHub
Create a plugins directory
mkdir -p plugins/
Clone Wallbreaker into it. Run this from the directory that contains plugins/ (do not cd into plugins first, or the plugin lands in plugins/plugins/Wallbreaker)
proxychains4 git clone https://github.com/hluwa/Wallbreaker plugins/Wallbreaker
2.4.1 Using Wallbreaker
Enter objection
objection -g com.android.settings explore
or
objection -N -h 192.168.2.3 -p 8888 -g com.android.settings explore
Load the plugin once inside objection (the path is relative to the directory objection was started from)
plugin load plugins/Wallbreaker
Dump a class with fully qualified type names
plugin wallbreaker classdump --fullname android.bluetooth.BluetoothDevice
This prints the structure of the Bluetooth class with every type written out as its full package path
2.4.2 Installing the frida-dexdump unpacking plugin
proxychains4 pip install frida-dexdump
With frida-server running, dump the dex files of a packed app with
frida-dexdump -U -f <package name>
-U talks to the device over USB/adb and -f spawns the package; the recovered dex files can then be opened in jadx.
3 Install jadx
Create a directory
mkdir -p jadx/
Enter the jadx directory and download the release
cd jadx
proxychains4 wget https://github.com/skylot/jadx/releases/download/v1.4.7/jadx-1.4.7.zip
Unzip it
7z x jadx-1.4.7.zip
Then start the GUI from bin
cd bin
./jadx-gui
or, from the jadx directory
./bin/jadx-gui
or, from the directory above it
./jadx/bin/jadx-gui
4 Install vscode
Official website: Running Visual Studio Code on Linux
Add the Microsoft signing key and repository
proxychains4 sudo apt-get install wget gpg
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg
sudo install -D -o root -g root -m 644 packages.microsoft.gpg /etc/apt/keyrings/packages.microsoft.gpg
sudo sh -c 'echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list'
rm -f packages.microsoft.gpg
Download and install
proxychains4 sudo apt install apt-transport-https
proxychains4 sudo apt update
proxychains4 sudo apt install code # or code-insiders
The installation is complete
References
Practical Frida advanced: memory roaming, hook anywhere, packet capture
Frida advanced: unpacking, automation, objection memory roaming, hook anywhere, Wallbreaker plugin, packet capture, fridaUiTools (CSDN blog)