參考資訊:
https://github.com/frida/frida
https://frida.re/docs/functions/
https://frida.re/docs/installation/
https://github.com/frida/frida/issues/113
https://rastating.github.io/overcoming-some-gotchas-in-frida/
main.c
#include <stdio.h>
#include <unistd.h>
/* Counter defined in test.c (built as test.so, see the build commands
 * below); main only declares it so the linker resolves it from the .so. */
extern int cnt;
/*
 * Demo target: print the shared counter and bump it once per second, forever.
 * argc/argv are accepted for the standard signature but never read.
 * The trailing return is only there to satisfy the signature; the loop
 * never terminates on its own.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    for (;;) {
        /* Print the current value, then advance it (same order as cnt++). */
        printf("%d\n", cnt);
        cnt++;
        sleep(1);
    }

    return 0; /* not reached */
}
test.c
#include <stdio.h>

/* The only symbol this library exports: the counter that main.c increments
 * and that hook.py reads out of the running process. Starts at zero. */
int cnt = 0;
hook.py
import os
import sys
import frida
def on_message(message, data):
    """Message callback for the Frida script: echo each message to stdout.

    message: the dict frida delivers (the sample run prints
        ``{'type': 'send', 'payload': <int>}`` entries).
    data: optional binary payload; this script never uses it.
    """
    del data  # not used; only the message dict is shown
    sys.stdout.write(f"{message}\n")
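# Attach by process name. frida resolves "main" to a running PID and injects
# its agent; it raises frida.ProcessNotFoundError when no such process is
# running. Attaching by name is ambiguous if several processes share it --
# frida.attach() also accepts a PID, which is the safer choice then.
session = frida.attach("main")

# Agent source, executed inside the target. It records the address of every
# exported *variable* named `cnt` in every loaded module, then once per second
# (for up to `remaining` ticks) sends the int stored at each of those
# addresses back to Python. Because every match is reported, a `cnt` exported
# by more than one module yields one message per module; the sample output
# below alternates a live value with 0, which suggests exactly that -- worth
# confirming by also sending m[i].name if it matters.
script = session.create_script("""
var q = [];
var m = Process.enumerateModules();
for (var i = 0; i < m.length; i++) {
var e = m[i].enumerateExports();
for (var j = 0; j < e.length; j++) {
if ((e[j]['type'] == 'variable') && (e[j]['name'] == 'cnt')) {
q.push(ptr(e[j]['address']));
}
}
}
var remaining = 1000;
function crackNext() {
for (var i = 0; i < q.length; i++) {
if (q[i]) {
send(q[i].readInt());
}
}
if (--remaining > 0) {
setTimeout(crackNext, 1000);
}
}
setTimeout(crackNext, 0);
""")
script.on('message', on_message)

try:
    script.load()
    # Block until stdin reaches EOF (Ctrl-D). Messages from the agent are
    # delivered to on_message in the background while we wait here.
    sys.stdin.read()
finally:
    # Detach explicitly (also on Ctrl-C) so the agent is unloaded from the
    # target rather than lingering until this interpreter exits.
    # NOTE(review): detaching after the target has already exited may raise;
    # confirm against the frida version in use.
    session.detach()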
編譯、執行
$ gcc test.c -o test.so -shared -fPIC
$ gcc main.c -o main test.so
$ LD_LIBRARY_PATH=. ./main&
2827
2828
$ python3 ./hook.py
{'type': 'send', 'payload': 2827}
{'type': 'send', 'payload': 0}
{'type': 'send', 'payload': 2828}
{'type': 'send', 'payload': 0}