{"id":256,"date":"2024-08-01T01:49:36","date_gmt":"2024-07-31T17:49:36","guid":{"rendered":"http:\/\/www.94i.top\/?p=256"},"modified":"2024-10-08T17:38:55","modified_gmt":"2024-10-08T09:38:55","slug":"frida%e5%ad%a6%e4%b9%a0","status":"publish","type":"post","link":"https:\/\/www.94i.top\/index.php\/2024\/08\/01\/frida%e5%ad%a6%e4%b9%a0\/","title":{"rendered":"Frida\u5b66\u4e60"},"content":{"rendered":"<h1>\u77e5\u8bc6<\/h1>\n<ul>\n<li>\u7f51\u4e0a\u5bf9frida\u7684\u68c0\u6d4b\u901a\u5e38\u4f1a\u4f7f\u7528openat\u3001open\u3001strstr\u3001pthread_create\u3001snprintf\u3001sprintf\u3001readlinkat\u7b49\u4e00\u7cfb\u5217\u51fd\u6570\u3002<\/li>\n<\/ul>\n<h1>\u547d\u4ee4\u8bb0\u5f55<\/h1>\n<pre><code class=\"language-shell\"># frida\u542f\u52a8\nadb shell\nsu\n\/data\/local\/tmp\/frida-server-16.4.7-android-arm64\n\n# \u7aef\u53e3\u8f6c\u53d1\nadb forward tcp:27042 tcp:27042\nadb forward tcp:27043 tcp:27043\n\n# \u67e5\u770b\u5e94\u7528pid\nfrida-ps -U\n\n# \u547d\u4ee4\u6ce8\u5165\nfrida -U -f &#039;\u5c0f\u9ed1\u76d2&#039; -l xhh.js<\/code><\/pre>\n<h1>frida hook\u6a21\u677f<\/h1>\n<h2>Python\u6a21\u677f<\/h2>\n<pre><code class=\"language-python\">import frida\nimport sys\n\ndef on_message(message, data):\n    if message[&#039;type&#039;] == &#039;send&#039;:\n        print(&quot;[*] {0}&quot;.format(message[&#039;payload&#039;]))\n    else:\n        print(message)       \n\nwith open(&#039;.\/webview.js&#039;,&#039;r&#039;, encoding=&#039;UTF-8&#039;) as f:\n    jscode1 = f.read()\n\n#process = frida.get_remote_device().enumerate_processes()\n#print(process)\n# get_usb_device\u6539\u6210get_remote_device\u65b9\u6cd5\uff0cget_usb_device\u6709\u7684\u7535\u8111\u4f1a\u62a5\u9519\nprocess = frida.get_remote_device().attach(&#039;\u871c\u96ea\u51b0\u57ce&#039;)  # &#039;App\u540d\u79f0&#039;, \u6216 App\u5e94\u7528\u7684 Process Pid 15325\nscript = process.create_script(jscode1)  # 
\u628ajs\u7684hook\u811a\u672c\u6ce8\u5165\u5230\u8fdb\u7a0b\u91cc\u9762\nscript.on(&#039;message&#039;, on_message)\nprint(&#039;[*] Running CTF&#039;)\nscript.load()\nsys.stdin.read()\n<\/code><\/pre>\n<h2>frida Hook\u8c03\u7528\u7684so\u7684\u51fd\u6570<\/h2>\n<pre><code class=\"language-javascript\">function hook_dlsym() {\n    var count = 0\n    console.log(&quot;=== HOOKING dlsym ===&quot;)\n    var interceptor = Interceptor.attach(Module.findExportByName(null, &quot;dlsym&quot;),\n        {\n            onEnter: function (args) {\n                const name = ptr(args[1]).readCString()\n                \/\/ const module = Process.findModuleByAddress(ptr(this.returnAddress))\n                console.log(&quot;[dlsym]&quot;, name)\n                if (name == &quot;pthread_create&quot;) {\n                    count++\n                }\n            }\n        }\n    )\n    return Interceptor\n}\n\nfunction hook_dlopen() {\n    var interceptor = Interceptor.attach(Module.findExportByName(null, &quot;android_dlopen_ext&quot;),\n        {\n            onEnter: function (args) {\n                var pathptr = args[0];\n                if (pathptr !== undefined &amp;&amp; pathptr != null) {\n                    var path = ptr(pathptr).readCString();\n                    console.log(&quot;[LOAD]&quot;, path)\n                    if (path.indexOf(&quot;libmsaoaidsec.so&quot;) &gt; -1) {\n                        hook_dlsym()\n                    }\n                }\n            },\n        }\n    )\n    return interceptor\n}\n\nvar dlopen_interceptor = hook_dlopen()\n<\/code><\/pre>\n<h2>hook so\u5c42\u51fd\u6570\u6a21\u677f<\/h2>\n<pre><code class=\"language-javascript\">function hook_sub_A6854(){\n    Java.perform(function () {\n\n        var a45d = Module.findExportByName(&quot;libhbsecurity.so&quot;)\n        a45d = a45d.add(0xA6854)\n        Interceptor.attach(a45d,{\n            onEnter:function(arg){\n                console.log(arg[1].readCString())\n         
   },\n            onLeave:function(ret){\n                console.log(ret.readCString())\n            }\n        })\n\n    });\n}<\/code><\/pre>\n<h2>registerNative<\/h2>\n<h3>\u7b2c\u4e00\u79cd<\/h3>\n<p>\u8fd9\u4e2a\u51fd\u6570\u7684\u4f5c\u7528\u5c31\u4e0d\u8d58\u8ff0\u4e86\uff1b\u56e0\u4e3a\u4ece\u7b2c\u4e09\u4e2a\u53c2\u6570\u80fd\u770b\u5230jni\u51fd\u6570\u7684\u6620\u5c04\u5173\u7cfb\uff0c\u800c\u5f88\u591a\u52a0\u89e3\u5bc6\u51fd\u6570\u90fd\u662fJava\u5c42\u58f0\u660e\u3001\u5728so\u5c42\u5b9e\u73b0\u7684\uff0c\u6240\u4ee5\u8fd9\u4e2a\u51fd\u6570\u683c\u5916\u91cd\u8981\uff1b\u4e0b\u9762\u8fd9\u6bb5\u4ee3\u7801\u53ef\u4ee5\u52a8\u6001\u83b7\u53d6registerNative\u51fd\u6570\u5730\u5740\uff0c\u5e76\u4e14\u6253\u5370\u7b2c\u4e09\u4e2a\u53c2\u6570\u7684\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-javascript\">function hook_libart() {\n    var module_libart = Process.findModuleByName(&quot;libart.so&quot;);\n    var symbols = module_libart.enumerateSymbols();     \/\/\u679a\u4e3e\u6a21\u5757\u7684\u7b26\u53f7\n\n    var addr_GetStringUTFChars = null;\n    var addr_FindClass = null;\n    var addr_GetStaticFieldID = null;\n    var addr_SetStaticIntField = null;\n    var addr_RegisterNatives = null;        \n\n    for (var i = 0; i &lt; symbols.length; i++) {\n        var name = symbols[i].name;\n        if (name.indexOf(&quot;art&quot;) &gt;= 0) {\/\/\u52a8\u6001\u83b7\u53d6\u5404\u4e2a\u51fd\u6570\u7684\u5730\u5740\n            if ((name.indexOf(&quot;CheckJNI&quot;) == -1) &amp;&amp; (name.indexOf(&quot;JNI&quot;) &gt;= 0)) {\n                if (name.indexOf(&quot;GetStringUTFChars&quot;) &gt;= 0) {\n                    console.log(name);\n                    addr_GetStringUTFChars = symbols[i].address;\n                } else if (name.indexOf(&quot;FindClass&quot;) &gt;= 0) {\n                    console.log(name);\n                    addr_FindClass = symbols[i].address;\n                } else if (name.indexOf(&quot;GetStaticFieldID&quot;) &gt;= 0) 
{\n                    console.log(name);\n                    addr_GetStaticFieldID = symbols[i].address;\n                } else if (name.indexOf(&quot;SetStaticIntField&quot;) &gt;= 0) {\n                    console.log(name);\n                    addr_SetStaticIntField = symbols[i].address;\n                } else if (name.indexOf(&quot;RegisterNatives&quot;) &gt;= 0) {\n                    console.log(name);\n                    addr_RegisterNatives = symbols[i].address;\n                }\n            }\n        }\n    }\n\n    if (addr_RegisterNatives) {\n        Interceptor.attach(addr_RegisterNatives, {\n            onEnter: function (args) {\n                console.log(&quot;addr_RegisterNatives:&quot;, hexdump(args[2]));    \/\/\u6253\u5370\u7b2c\u4e09\u4e2a\u53c2\u6570\uff0c\u4e5f\u5c31\u662fjava\u548cnative\u6620\u5c04\u7684\u6570\u7ec4\u9996\u5730\u5740\n                console.log(&quot;addr_RegisterNatives name:&quot;, ptr(args[2]).readPointer().readCString())\/\/java\u5c42\u51fd\u6570\u540d\u79f0\n                console.log(&quot;addr_RegisterNatives sig:&quot;, ptr(args[2]).add(Process.pointerSize).readPointer().readCString());\/\/\u51fd\u6570\u53c2\u6570\n                console.log(&quot;addr_RegisterNatives addr:&quot;, ptr(args[2]).add(Process.pointerSize+Process.pointerSize));\/\/native\u51fd\u6570\u5165\u53e3\u5730\u5740\n            }, onLeave: function (retval) {\n\n            }\n        });\n    }\n}<\/code><\/pre>\n<p>\u3000\u6ce8\u610f\uff1a\u56e0\u4e3a\u4e00\u4e2ajni\u51fd\u6570\u6ce8\u518c\u53ea\u8c03\u7528\u4e00\u6b21registerNative\uff0c\u6240\u4ee5\u8fd9\u91cc\u5efa\u8bae\u7528frida -U --no-pause -f com.xxxx.xxxx -l xxxx.js\u547d\u4ee4\u6ce8\u5165js\uff0c\u540c\u65f6\u542f\u52a8\u76ee\u6807app\uff1b\u5982\u679c\u4eba\u4e3a\u5f00\u542f\u76ee\u6807app\uff0c\u518d\u8fd0\u884cfrida\uff0c\u53ef\u80fdregisterNative\u51fd\u6570\u5df2\u7ecf\u6267\u884c\u8fc7\u4e86\uff01<\/p>\n<h3>\u7b2c\u4e8c\u79cd<\/h3>\n<pre><code 
class=\"language-javascript\">function hook_RegisterNatives() {\n    var symbols = Module.enumerateSymbolsSync(&quot;libart.so&quot;);\n    var addrRegisterNatives = null;\n    for (var i = 0; i &lt; symbols.length; i++) {\n        var symbol = symbols[i];\n\n        \/\/_ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi\n        if (symbol.name.indexOf(&quot;art&quot;) &gt;= 0 &amp;&amp;\n                symbol.name.indexOf(&quot;JNI&quot;) &gt;= 0 &amp;&amp; \n                symbol.name.indexOf(&quot;RegisterNatives&quot;) &gt;= 0 &amp;&amp; \n                symbol.name.indexOf(&quot;CheckJNI&quot;) &lt; 0) {\n            addrRegisterNatives = symbol.address;\n            console.log(&quot;RegisterNatives is at &quot;, symbol.address, symbol.name);\n        }\n    }\n\n    if (addrRegisterNatives != null) {\n        Interceptor.attach(addrRegisterNatives, {\n            onEnter: function (args) {\n                console.log(&quot;[RegisterNatives] method_count:&quot;, args[3]);\n                var env = args[0];\n                var java_class = args[1];\n                var class_name = Java.vm.tryGetEnv().getClassName(java_class);\n                \/\/console.log(class_name);\n\n                var methods_ptr = ptr(args[2]);\n\n                var method_count = parseInt(args[3]);\n                for (var i = 0; i &lt; method_count; i++) {\n                    var name_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3));\n                    var sig_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize));\n                    var fnPtr_ptr = Memory.readPointer(methods_ptr.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));\n\n                    var name = Memory.readCString(name_ptr);\n                    var sig = Memory.readCString(sig_ptr);\n                    var find_module = Process.findModuleByAddress(fnPtr_ptr);\n                    
console.log(&quot;[RegisterNatives] java_class:&quot;, class_name, &quot;name:&quot;, name, &quot;sig:&quot;, sig, &quot;fnPtr:&quot;, fnPtr_ptr, &quot;module_name:&quot;, find_module.name, &quot;module_base:&quot;, find_module.base, &quot;offset:&quot;, ptr(fnPtr_ptr).sub(find_module.base));\n\n                }\n            }\n        });\n    }\n}\n\nsetImmediate(hook_RegisterNatives);<\/code><\/pre>\n<h2>frida\u5c06so\u4e2d\u5730\u5740\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32<\/h2>\n<pre><code class=\"language-javascript\">function jstring2Str(jstring) { \/\/\u4ecefrida_common_funs.js\u4e2dcopy\u51fa\u6765\n    var ret;\n    Java.perform(function() {\n        var String = Java.use(&quot;java.lang.String&quot;);\n        ret = Java.cast(jstring, String);\/\/jstring-&gt;String\n    });\n    return ret;\n }<\/code><\/pre>\n<h2>java\u5c42\u904d\u5386hashmap<\/h2>\n<pre><code class=\"language-javascript\">\/\/\u4e0d\u80fd\u904d\u5386\u7a7amap\nfunction iterMap(map){\n    var map_result = &#039;&#039;;\n    var keyset = map.keySet();\n    var it = keyset.iterator();\n    while(it.hasNext()){\n        var keystr = it.next().toString();\n        var valuestr = map.get(keystr).toString();\n        map_result += valuestr;\n    }\n    return map_result\n}<\/code><\/pre>\n<h2>\u7b97\u6cd5\u81ea\u5410\u811a\u672c<\/h2>\n<p><a href=\"https:\/\/github.com\/1398440232\/FridaStudy\/blob\/main\/suanfazitu.js\" title=\"\u7b97\u6cd5\u81ea\u5410\">\u7b97\u6cd5\u81ea\u5410<\/a><\/p>\n<h1>Webview<\/h1>\n<p>\u5173\u4e8ewebview\uff1a\u73b0\u5728\u5f88\u591aApp\u91cc\u90fd\u5185\u7f6e\u4e86Web\u7f51\u9875\uff08Hybrid App\uff09\uff0c\u6bd4\u5982\u8bf4\u5f88\u591a\u7535\u5546\u5e73\u53f0\uff0c\u6dd8\u5b9d\u3001\u4eac\u4e1c\u3001\u805a\u5212\u7b97\u7b49\u7b49\u3002<\/p>\n<p>\u90a3\u4e48\u5982\u4f55\u5bf9webview\u8fdb\u884chook\u5462\uff1f<\/p>\n<p>\u9996\u5148\uff0c\u5148\u8d34\u51fafrida\u5bf9webview\u8fdb\u884chook\u7684js\u6a21\u677f<\/p>\n<pre><code 
class=\"language-javascript\">Java.perform(function (){\n\nvar WebView = Java.use(&quot;android.webkit.WebView&quot;);\n\nWebView.setWebContentsDebuggingEnabled.overload(&quot;boolean&quot;).implementation = function (s) {\n\n\/\/ send(s.toString());\n\nconsole.log(&quot;webview hook&quot;)\n\n\/\/ this.loadUrl.overload(&quot;java.lang.String&quot;).call(this, s);\n\/\/ console.log(this.)\n\nthis.setWebContentsDebuggingEnabled(true)\n\n};\n\n});<\/code><\/pre>\n<p>\u7136\u540e\u5c31\u8fd0\u884chook\u7684python\u6a21\u677f\u4ee3\u7801\uff0c\u7136\u540e\u5728\u6d4f\u89c8\u5668\uff08\u8fd9\u91cc\u4f7f\u7528edge\u6d4f\u89c8\u5668\uff09\u8f93\u5165edge:\/\/inspect\/#devices \uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u770b\u5230webview\u7684\u4fe1\u606f\uff0c\u70b9\u51fbinspect\u6309\u94ae\u5c31\u4f1a\u8fdb\u5165\u5230DevTools\u754c\u9762\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u5bf9\u5176\u8fdb\u884c\u8c03\u8bd5\u64cd\u4f5c\u4e86\u3002<\/p>\n<h1>\u9047\u5230\u7684\u95ee\u9898<\/h1>\n<p>frida\u6ce8\u5165\u8fdb\u7a0b\u62a5\u9519Failed to spawn: unable to find application with identifier\u7684\u4e00\u79cd\u89e3\u51b3\u601d\u8def<br \/>\nfrida-ps -U -a \u5f97\u5230 identifier<br \/>\n\u7136\u540e<br \/>\n<code>frida -U --pause -f com.max.xiaoheihe -l xhh.js<\/code>\u6ce8\u5165<\/p>\n<h1>jadx<\/h1>\n<h1>IDA<\/h1>\n<h2>IDA\u52a8\u6001\u8c03\u8bd5<\/h2>\n<p>\u5728b\u7ad9\u4e0a\u770b\u5230\u89c6\u9891\u5173\u4e8eida\u7684\u52a8\u6001\u8c03\u8bd5\uff0c\u5bf9\u6574\u4f53\u7684\u601d\u8def\u6709\u4e86\u4e00\u5b9a\u7684\u8ba4\u8bc6\u3002<a href=\"https:\/\/b23.tv\/Em38gDN\" title=\"\u3010\u975e\u5e38\u8be6\u7ec6-IDA\u52a8\u6001\u8c03\u8bd5\u5b89\u5353.so\u6587\u4ef6\u3011\">\u3010\u975e\u5e38\u8be6\u7ec6-IDA\u52a8\u6001\u8c03\u8bd5\u5b89\u5353.so\u6587\u4ef6\u3011<\/a><br \/>\n\u5176\u4e2d\u7528\u5230\u4e86Android 
Studio\u7684ddms\uff0c\u4f46\u662f\u5728\u7f51\u4e0a\u641c\u7d22ddms\uff0c\u53d1\u73b0\u65e9\u5df2\u88ab\u79fb\u9664\uff0c\u5728\u8be5\u89c6\u9891\u8bc4\u8bba\u4e0b\u770b\u5230\u535a\u4e3b\u8bf4\u7528monitor\uff0c\u4e8e\u662f\u641c\u96c6\u5173\u4e8emonitor\u7684\u8d44\u6599\uff0c\u6700\u7ec8\u4e0b\u8f7d\u4e86Android Studio3.1\u7248\u672c\uff0c\u5b89\u88c5\u597d\u540e\u5728SDK\u7684tools\u6587\u4ef6\u5939\u4e0b\u627e\u5230monitor.bat\u6587\u4ef6\uff0c\u53cc\u51fb\u8fd0\u884c\u62a5\u9519\uff0c\u67e5\u627e\u8d44\u6599\u53d1\u73b0\u662fjava\u7248\u672c\u4e0d\u5bf9\uff0c\u4e8e\u662f\u5b89\u88c5java1.8\uff0c\u4e5f\u5c31\u662fjava se8\uff0c\u914d\u7f6e\u597d\u73af\u5883\u53d8\u91cf\u540e\u91cd\u65b0\u8fd0\u884cmonitor.bat\uff0c\u754c\u9762\u6b63\u5e38\u51fa\u73b0\u3002\u540e\u9762\u6b65\u9aa4\u5c31\u662f\u542f\u52a8android_server64\u670d\u52a1\uff0c\u5e76\u8bbe\u7f6e\u7aef\u53e3\u8f6c\u53d1\uff0c\u63a5\u7740\u5c31\u662f\u4e0b\u9762\u7684\u64cd\u4f5c\u3002<\/p>\n<pre><code class=\"language-shell\">adb shell am start -D -n com.max.xiaoheihe\/com.max.xiaoheihe.MainActivity<\/code><\/pre>\n<p>\u6839\u636e\u6b65\u9aa4\u8f93\u5165\u6b64\u547d\u4ee4\u540e\u62a5\u9519\uff0c\u6539\u4e3a\u8f93\u5165\u547d\u4ee4\uff1a<\/p>\n<pre><code class=\"language-shell\">adb shell monkey -p com.max.xiaoheihe -c android.intent.category.LAUNCHER 1<\/code><\/pre>\n<p>\u540e\u6b63\u5e38\u51fa\u73b0Waiting For Debugger\u5f39\u7a97\uff0c\u63a5\u7740\u8f93\u5165\u547d\u4ee4\uff1a<\/p>\n<pre><code class=\"language-shell\">jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=9675\n#\u6ce8\uff1a9675\u8fd9\u4e2a\u7aef\u53e3\u4e3a\u5728monitor\u4e2d\u770b\u5230\u7684app\u7684\u7aef\u53e3<\/code><\/pre>\n<p>\u540emonitor\u754c\u9762\u4e2d\u7ea2\u8272\u7684\u8718\u86db\u53d8\u4e3a\u7eff\u8272\uff0c\u70b9\u51fbIDA\u4e2d\u7684\u8fd0\u884c\u6309\u94ae\uff0c\u76f4\u81f3\u5f39\u7a97\u6d88\u5931\u3002<\/p>\n<h2>\u4f2a\u6307\u4ee4\u53caDC\u7cfb\u5217\u6307\u4ee4<\/h2>\n<p>ARM 
\u4f2a\u6307\u4ee4\u4e0d\u662fARM \u6307\u4ee4\u96c6\u4e2d\u7684\u6307\u4ee4\uff0c\u53ea\u662f\u4e3a\u4e86\u65b9\u4fbf\u7f16\u8bd1\u5668\u7f16\u7a0b\u800c\u5b9a\u4e49\u7684\u6307\u4ee4\uff0c\u4f7f\u7528\u65f6\u53ef\u4ee5\u50cf\u5176\u4ed6ARM \u6307\u4ee4\u4e00\u6837\u4f7f\u7528\uff0c\u4f46\u5728\u7f16\u8bd1\u65f6\u8fd9\u4e9b\u6307\u4ee4\u5c06\u88ab\u7b49\u6548\u7684ARM \u6307\u4ee4\u4ee3\u66ff\u3002<\/p>\n<p>DCB\u5b83\u5173\u8054\u7684\u4f2a\u6307\u4ee4\u6709DCB\u3001DCW\u3001DCD\u3001DCQ\u6307\u4ee4\u3002\u5b83\u4eec\u90fd\u662f\u7528\u4e8e\u5206\u914d\u4e00\u6bb5\u5185\u5b58\u5355\u5143\uff0c\u5e76\u5bf9\u5176\u8fdb\u884c\u521d\u59cb\u5316\u5de5\u4f5c\u3002\u4e0d\u8fc7\u5b83\u4eec\u5206\u914d\u7684\u5185\u5b58\u7a7a\u95f4\u5927\u5c0f\u4e0d\u540c\u3002<br \/>\n\u4e0b\u9762\u5c31\u9488\u5bf9\u8fd9\u56db\u4e2a\u4f2a\u6307\u4ee4\u505a\u4e0b\u533a\u5206\uff1a<br \/>\nDCB\u8868\u793a\uff1a\u5b83\u5206\u914d\u4e00\u6bb5\u5b57\u8282\u7684\u5185\u5b58\u5355\u5143\uff0c\u5b83\u6bcf\u4e2a\u64cd\u4f5c\u6570\u90fd\u5360\u6709\u4e00\u4e2a\u5b57\u8282\uff0c\u64cd\u4f5c\u6570\u8303\u56f4\u4e3a-128\uff5e255\u7684\u6570\u503c\u6216\u5b57\u7b26\u4e32\u3002<\/p>\n<p>DCW\u8868\u793a\uff1a\u5b83\u5206\u914d\u4e00\u6bb5\u534a\u5b57\u7684\u5185\u5b58\u5355\u5143\uff0c\u5b83\u7684\u6bcf\u4e2a\u64cd\u4f5c\u6570\u90fd\u5360\u6709\u4e24\u4e2a\u5b57\u8282\uff0c\u64cd\u4f5c\u6570\u662f16\u4f4d\u4e8c\u8fdb\u5236\u6570\uff0c\u53d6\u503c\u8303\u56f4\u4e3a-32768\uff5e65535\u3002<\/p>\n<p>DCD\u8868\u793a\uff1a\u5b83\u5206\u914d\u4e00\u6bb5\u5b57\u7684\u5185\u5b58\u5355\u5143\uff0c\u5b83\u7684\u6bcf\u4e2a\u64cd\u4f5c\u6570\u90fd\u5360\u67094\u4e2a\u5b57\u8282\uff0c\u64cd\u4f5c\u6570\u53ef\u4ee5\u662f32\u4f4d\u7684\u6570\u5b57\u8868\u8fbe\u5f0f\uff0c\u4e5f\u53ef\u4ee5\u662f\u7a0b\u5e8f\u4e2d\u7684\u6807\u53f7\u3002<\/p>\n<p>DCQ\u8868\u793a\uff1a\u5b83\u5206\u914d\u4e00\u6bb5\u53cc\u5b57\u7684\u5185\u5b58\u5355\u5143\uff0c\u5b83\u7684\u6bcf\u4e2a\u64cd\u4f5c\u6570\u90fd\u5360\u6
7098\u4e2a\u5b57\u8282\u3002<\/p>\n<h2>\u7ecf\u9a8c<\/h2>\n<h3>1.JNI_OnLoad<\/h3>\n<p>\u5982\u679c\u6253\u5f00so\u4e4b\u540e\u53d1\u73b0\u6ca1\u6709Java_xxx\u8fd9\u6837\u7684\u51fd\u6570\u5f00\u5934\uff0c\u4e00\u822c\u90fd\u662f\u5728JNI_OnLoad\u4e2d\u91c7\u7528\u4e86\u52a8\u6001\u6ce8\u518c\u65b9\u5f0f\uff0c\u6240\u4ee5\u53ea\u9700\u8981\u627e\u5230JNI_OnLoad\u51fd\u6570\uff0c\u7136\u540e\u627e\u5230RegisterNatives\u51fd\u6570\u5373\u53ef\u3002<\/p>\n<p>\u6211\u4eec\u5982\u679c\u624b\u52a8\u6ce8\u518c\u8fc7Native\u65b9\u6cd5\uff0c\u90fd\u77e5\u9053RegisterNatives\u51fd\u6570\u7684\u4e09\u4e2a\u53c2\u6570\u542b\u4e49\uff1a<br \/>\njint RegisterNatives(jclass clazz, const JNINativeMethod* methods, jint nMethods)<br \/>\n\u7b2c\u4e00\u4e2a\u53c2\u6570\uff1a\u9700\u8981\u6ce8\u518cnative\u51fd\u6570\u7684\u4e0a\u5c42Java\u7c7b\uff1b\u7b2c\u4e8c\u4e2a\u53c2\u6570\uff1a\u6ce8\u518c\u7684\u65b9\u6cd5\u7ed3\u6784\u4f53\u4fe1\u606f\uff1b\u7b2c\u4e09\u4e2a\u53c2\u6570\uff1a\u9700\u8981\u6ce8\u518c\u7684\u65b9\u6cd5\u4e2a\u6570\u3002\u8fd9\u91cc\u5f53\u7136\u662f\u91cd\u70b9\u770b\u7b2c\u4e8c\u4e2a\u53c2\u6570\uff0c\u8fd9\u91cc\u5f53\u7136\u4e5f\u9700\u8981\u77e5\u9053\u65b9\u6cd5\u7ed3\u6784\u4f53\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-cpp\">typedef struct {\n    const char* name;\n    const char* signature;\n    void*       fnPtr;\n} JNINativeMethod;<\/code><\/pre>\n<p>\u7ed3\u6784\u4f53\u5305\u542b\u4e09\u90e8\u5206\u5206\u522b\u662f\uff1a\u65b9\u6cd5\u540d\u3001\u65b9\u6cd5\u7684\u7b7e\u540d\u3001\u5bf9\u5e94\u7684native\u51fd\u6570\u5730\u5740\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u77e5\u8bc6 \u7f51\u4e0a\u5bf9frida\u7684\u68c0\u6d4b\u901a\u5e38\u4f1a\u4f7f\u7528openat\u3001open\u3001strstr\u3001pthread_create\u3001sn 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-256","post","type-post","status-publish","format-standard","hentry","category-13"],"_links":{"self":[{"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/posts\/256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/comments?post=256"}],"version-history":[{"count":31,"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/posts\/256\/revisions"}],"predecessor-version":[{"id":489,"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/posts\/256\/revisions\/489"}],"wp:attachment":[{"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/media?parent=256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/categories?post=256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.94i.top\/index.php\/wp-json\/wp\/v2\/tags?post=256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}