当前位置：首页 > news >正文

frida(objection)中x.ts到x.py封装路径

news 2024/12/14 0:43:38

frida : enumerateClassLoadersSync

结论: frida调用了android art源码中的函数 art::ClassLinker::VisitClassLoaders, 传入的回调函数visitor是frida自己构造的

简版路径:

-frida-java-bridge.git/index.js: enumerateClassLoadersSync
–frida-java-bridge/index.js: enumerateClassLoaders
—frida-java-bridge/index.js: _enumerateClassLoadersArt
----art/runtime/class_linker.cc/art::ClassLinker::VisitClassLoaders
-----VisitClassLoaders

void ClassLinker::VisitClassLoaders(ClassLoaderVisitor* visitor) const {...}

_enumerateClassLoadersArt (callbacks) {
//...const visitClassLoaders = api['art::ClassLinker::VisitClassLoaders'];//...withRunnableArtThread(vm, env, thread => {
const collectLoaderHandles = makeArtClassLoaderVisitor(
// 此箭头函数 即为 frida自己构造的 ClassLoaderVisitor* visitor
loader => { loaderHandles.push(addGlobalReference(vmHandle, thread, loader));return true;});withAllArtThreadsSuspended(() => {
// 调用android art函数 art::ClassLinker::VisitClassLoadersvisitClassLoaders(api.artClassLinker.address, collectLoaderHandles); });});
//...}

frida : enumerateLoadedClassesSync

结论: frida调用了android art源码中的函数 art::ClassLinker::VisitClassLoaders, 传入的回调函数visitor是frida自己构造的

简版路径:

-frida-java-bridge.git/index.js: enumerateLoadedClassesSync
–frida-java-bridge/index.js: enumerateLoadedClasses
—frida-java-bridge/index.js: _enumerateLoadedClassesArt
----art/runtime/class_linker.cc/art::ClassLinker::VisitClasses
-----VisitClasses

void ClassLinker::VisitClasses(ClassVisitor* visitor)  {...}

_enumerateLoadedClassesArt (callbacks) {//...withRunnableArtThread(vm, env, thread => {
const collectClassHandles = makeArtClassVisitor(
// 此箭头函数 即为 frida自己构造的 ClassVisitor* visitor
klass => {  classHandles.push(addGlobalReference(vmHandle, thread, klass));return true;});// 调用android art函数 art::ClassLinker::VisitClassesapi['art::ClassLinker::VisitClasses'](api.artClassLinker.address, collectClassHandles); });//...}

frida(objection)中x.ts到x.py封装路径

objection run "android hooking list classes"

基于sensepost/objection.git/1.11.0 == sensepost/objection.git/e7eb1

简版路径: android hooking list classes --> show_android_classes --> android_hooking_get_classes == androidHookingGetClasses --> getClasses --> Java.enumerateLoadedClassesSync

注意当前(2024-12-08)的sensepost/objection.git/master==sensepost/objection.git/5f22e版本号还是1.11.0但是内容变化较大(子命令都变了, 比如explore改为start了)

1. `android hooking list classes`

objection/objection/console/commands.py : android hooking list classes


COMMANDS = {
//...'android': {'meta': 'Commands specific to Android','commands': {'hooking': {'commands': {'list': {'commands': {'classes': {'meta': 'List the currently loaded classes','exec': android_hooking.show_android_classes},
//...

2. android_hooking_get_classes: hooking.py

objection/objection/commands/android/hooking.py:

def show_android_classes(args: list = None) -> None:api = state_connection.get_api()classes = api.android_hooking_get_classes()

3. 驼峰到下划线名字转换谁干的?

猜测 android_hooking_get_classes==androidHookingGetClasses 是由frida自己干的？

4. androidHookingGetClasses: android.ts

objection/agent/src/rpc/android.ts

export const android = {
//...androidHookingGetClasses: (): Promise<string[]> => hooking.getClasses(),
//...
}

5. getClasses : hooking.ts

objection/agent/src/android/hooking.ts


export namespace hooking {
//...export const getClasses = (): Promise<string[]> => {return wrapJavaPerform(() => {return Java.enumerateLoadedClassesSync();});};

6. androidHookingGetClasses、getClasses: agent.js

*.ts的编译产物objection/objection/agent.js

export const android = {
//...androidHookingGetClasses: () => hooking.getClasses(),
//...
}//...
export const getClasses = () => {return wrapJavaPerform(() => {return Java.enumerateLoadedClassesSync();});
};