在 B 站刷到一位老师分享的 hook PC 端微信「消息撤回」功能的视频，跟着动手操作了一遍之后，又尝试了一下 hook Android 端的微信，下面分享一下学习过程。需要注意的是，文中的函数地址、类名和方法名都来自当时所用的特定微信版本，换一个版本就要重新定位，直接照搬很可能导致 hook 失效甚至让微信崩溃。
一
PC端
import frida,sys
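# Frida agent (JavaScript) injected into WeChat.exe. It hooks the message-revoke
# routine inside WeChatWin.dll and logs each call. The routine's address is an
# IDA address and is rebased at runtime onto the DLL's real load address (ASLR).
jsCode="""
'use strict';

// Load address of WeChatWin.dll in the target; null if the module is not mapped
// (wrong process, or the DLL has not been loaded yet).
const baseAddr = Module.findBaseAddress('WeChatWin.dll');
if (baseAddr === null) {
  throw new Error('WeChatWin.dll is not loaded in the target process');
}
console.log("baseAddr:" + baseAddr);

// IDA's default image base for the DLL; every IDA address is relative to it.
const IDA_BASE = ptr('0x180000000');

// Translate an IDA address into a live address: (addr - IDA base) + real base.
function getRealAddr(addr) {
  const offset = ptr(addr).sub(IDA_BASE);
  return baseAddr.add(offset);
}

// The only thing that changes between WeChat builds. It is valid solely for the
// exact build it was taken from; on any other build it points at unrelated code
// and the hook will misbehave or crash WeChat.
const revokeMsgFunAddr = getRealAddr('0x1823CD710');
console.log("function addr:", revokeMsgFunAddr);

Interceptor.attach(revokeMsgFunAddr, {
  // Runs on entry to the hooked routine; observation only, nothing is modified.
  onEnter(args) {
    console.log("-----revokeMsg------");
  }
});
"""


def on_message(message, data):
    """Print messages sent by the agent. console.log output is forwarded to
    stdout by frida itself; this mainly surfaces 'error' messages (uncaught
    exceptions inside onEnter), which would otherwise be dropped silently."""
    if message.get("type") == "error":
        print(message.get("stack") or message.get("description"), file=sys.stderr)
    else:
        print(message)


# Target: a PID from argv[1] (Task Manager -> Details), otherwise attach by
# process name. Attaching needs at least the privilege level of WeChat.exe and
# raises frida.ProcessNotFoundError if nothing matches.
target = int(sys.argv[1]) if len(sys.argv) > 1 else "WeChat.exe"
session = frida.attach(target)
try:
    script = session.create_script(jsCode)
    script.on("message", on_message)
    script.load()
    print("Successfully attached!!!!")
    # Block until stdin is closed (Ctrl-Z / Ctrl-D). Exiting tears down the
    # session and with it the hook.
    sys.stdin.read()
finally:
    # Always detach so WeChat is left running its own, unhooked code.
    session.detach()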
// Variant of the hook above that also tampers with the call: rdi is logged and
// then zeroed before the revoke routine executes.
// NOTE(review): under the Win64 calling convention the first integer argument
// arrives in rcx and rdi is callee-saved, so whatever this routine reads from
// rdi is build-specific (taken from the disassembly) — confirm before reusing
// the snippet. If the routine dereferences that value, zeroing it will crash
// WeChat rather than merely cancelling the revoke.
const revokeMsgHook = {
  // Runs on entry, before the routine's first instruction; `this.context`
  // gives read/write access to the registers at that point.
  onEnter(args) {
    console.log("-----revokeMsg------");
    const rdiBefore = this.context.rdi;
    console.log(rdiBefore);
    this.context.rdi = 0;
  },
};
Interceptor.attach(revokeMsgFunAddr, revokeMsgHook);
二
Android端
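// Log every construction of RevokeMsgEvent (the event WeChat posts when a
// message is revoked). The original constructor is still invoked, so this hook
// only observes.
Java.perform(function () {
  console.log("==========begain==========");
  const RevokeMsgEvent = Java.use("com.tencent.mm.autogen.events.RevokeMsgEvent");

  // Constructor arguments are forwarded unchanged; the original hook dropped
  // them, which silently breaks any overload that takes parameters.
  // If the class has several constructors, select one with .overload(...) —
  // assigning .implementation on an ambiguous $init throws.
  RevokeMsgEvent["$init"].implementation = function (...ctorArgs) {
    console.log(`RevokeMsgEvent.$init is called`);
    return this["$init"](...ctorArgs);
  };
});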
在 hook 里直接删掉 `this["$init"]();` 这一句（即不再调用原构造方法），并没有起到什么效果。
构造方法里还有一句 `this.f153351e = false;`，于是我尝试把这个变量改为 true。注意反编译结果里的 `f153351e` 是 jadx 自动起的名字，实际的字段名是 `e`，用 Frida 访问时要写 `obj.e`。下面用 Java.choose 遍历内存中已有的 RevokeMsgEvent 实例并改写该字段（只会影响扫描时已经存在的对象，之后新建的实例不受影响）：
Java.choose("com.tencent.mm.autogen.events.RevokeMsgEvent",{//遍历内存中的所有对象
onMatch:function(obj){
// Called once per live RevokeMsgEvent instance found on the heap at scan time;
// instances created after the scan are not touched.
// "e" is the real (obfuscated) field name; jadx renders it as f153351e.
obj.e.value=true;
console.log("value : ",obj.e.value);
},onComplete:function(){
// Heap scan finished.
console.log("内存对象搜索完毕")
}
})
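// Trace tj0.s.h(...). "tj0.s" is an obfuscated name and therefore only valid for
// the WeChat build it was pulled from. The return value is now handed back to
// the caller; the original hook discarded it, which breaks any non-void h().
const s = Java.use("tj0.s");
s["h"].implementation = function (str, j15, n0Var, str2, str3, str4) {
  console.log(`s.h is called: str=${str}, j15=${j15}, n0Var=${n0Var}, str2=${str2}, str3=${str3}, str4=${str4}`);
  return this["h"](str, j15, n0Var, str2, str3, str4);
};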
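// Hook tj0.s.h(...) through every class loader in the process, for the case
// where the class lives in a loader other than the default one Java.use()
// consults. Loaders that cannot see the class raise and are logged, which is
// expected noise rather than an error.
// NOTE(review): nothing in this excerpt calls main(); it has to be invoked
// (e.g. `main();`) after the definition for the hook to be installed.
function main() {
  Java.perform(function () {
    Java.enumerateClassLoaders({
      onMatch: function (loader) {
        try {
          const factory = Java.ClassFactory.get(loader);
          const s = factory.use("tj0.s");
          // Forward the return value; the original hook discarded it.
          s["h"].implementation = function (str, j15, n0Var, str2, str3, str4) {
            console.log(`s.h is called: str=${str}, j15=${j15}, n0Var=${n0Var}, str2=${str2}, str3=${str3}, str4=${str4}`);
            return this["h"](str, j15, n0Var, str2, str3, str4);
          };
        } catch (e) {
          console.log("Error accessing class or method: " + e);
        }
      },
      onComplete: function () {}
    });
  });
}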
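// Log each RevokeMsgEvent construction together with the Java stack that
// created it, to find the WeChat code path that posts the revoke event.
Java.perform(function () {
  console.log("==========begain==========");
  const RevokeMsgEvent = Java.use("com.tencent.mm.autogen.events.RevokeMsgEvent");

  // Capture the current Java stack: a fresh Throwable formatted by android.util.Log.
  function showStacks() {
    const Log = Java.use("android.util.Log");
    const Throwable = Java.use("java.lang.Throwable");
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  // Hook the constructor. Arguments are forwarded unchanged — the original
  // hook dropped them, which silently breaks any overload taking parameters.
  // If the class has several constructors, select one with .overload(...);
  // assigning .implementation on an ambiguous $init throws.
  RevokeMsgEvent["$init"].implementation = function (...ctorArgs) {
    console.log(`RevokeMsgEvent.$init is called`);
    showStacks();
    return this["$init"](...ctorArgs);
  };
});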
// Replace ij0.s.i() outright: the original body never runs, so the revoke is
// never applied on this device. Nothing is returned, which is only correct if
// i() is void — a non-void i() needs a matching value here (check the
// decompiled signature). "ij0.s" is an obfuscated, build-specific name.
const sClass = Java.use("ij0.s");
sClass.i.implementation = function () {
  console.log("======================");
};
三
Xposed实现hook的持久化
// Same replacement of ij0.s.i(), wrapped in Java.perform so it can be loaded
// as a standalone script. The original body never runs; nothing is returned,
// which is only correct if i() is void (confirm against the decompiled
// signature). "ij0.s" is an obfuscated, build-specific name.
Java.perform(function () {
  const sClass = Java.use("ij0.s");
  const blockRevoke = function () {
    console.log("======================");
  };
  sClass.i.implementation = blockRevoke;
});
package com.example.xposeddemo;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Map;
import java.util.Objects;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;
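/**
 * Persistent replacement for the Frida hook: once WeChat (com.tencent.mm) is
 * loaded, ij0.s.i() is replaced with a no-op so the revoke routine never runs.
 *
 * "ij0.s" and "i" are obfuscated names and are tied to the WeChat build they
 * were taken from. On another build the lookups fail; those failures are
 * logged and the module backs off instead of letting the error propagate out
 * of handleLoadPackage.
 */
public class Hook implements IXposedHookLoadPackage {
    private static final String TAG = "mxy";
    private static final String WECHAT_PACKAGE = "com.tencent.mm";
    private static final String TARGET_CLASS = "ij0.s";
    private static final String TARGET_METHOD = "i";

    /**
     * Xposed entry point, invoked once for every package being loaded.
     *
     * @param loadPackageParam package name and class loader of the starting process
     */
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        // Only touch WeChat; every other process is left alone.
        if (!WECHAT_PACKAGE.equals(loadPackageParam.packageName)) return;

        final Class<?> clazz;
        try {
            // Resolve through WeChat's own class loader; the app's classes are
            // not reachable from the module's loader.
            clazz = XposedHelpers.findClass(TARGET_CLASS, loadPackageParam.classLoader);
        } catch (XposedHelpers.ClassNotFoundError e) {
            XposedBridge.log("[" + TAG + "] " + TARGET_CLASS + " not found, WeChat build mismatch? " + e);
            return;
        }
        Log.d(TAG, clazz.toString());

        try {
            // No parameter types are given, so this only matches a zero-argument i().
            XposedHelpers.findAndHookMethod(clazz, TARGET_METHOD, new XC_MethodReplacement() {
                @Override
                protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
                    Log.d(TAG, "hook successfully");
                    // The original i() body is skipped entirely. null is only a
                    // valid result for a void or reference-returning i(); a
                    // primitive return type would fail on unboxing — check the
                    // decompiled signature.
                    return null;
                }
            });
        } catch (NoSuchMethodError e) {
            XposedBridge.log("[" + TAG + "] " + TARGET_CLASS + "." + TARGET_METHOD + "() not found: " + e);
        }
    }
}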
大哥们如果知道什么问题的话麻烦在评论区指点指点。
看雪ID:马先越
https://bbs.kanxue.com/user-home-984774.htm
原文始发于微信公众号(看雪学苑):hook 微信信息撤回功能