I am trying to hook android11 system_server On linux. frida version is 14.2.13.
The script as below:
Java.perform(function () {
var clazz = Java.use("com.android.server.policy.PhoneWindowManager")
var func = "powerPress"
console.log(func)
clazz[func].implementation = function (arg1,arg2,arg3) {
console.log("Enter " + func + " " + arg1,arg2,arg3)
this[func](arg1,arg2,arg3)
}
}
)
The command to launch frida:
$ frida -U -l script.js -p $(adb shell pidof system_server)
____
/ _ | Frida 14.2.13 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://www.frida.re/docs/home/
Attaching...
powerPress
Error: expected a pointer
at value (frida/runtime/core.js:170)
at yt (frida/node_modules/frida-java-bridge/lib/android.js:889)
at activate (frida/node_modules/frida-java-bridge/lib/android.js:970)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/android.js:745)
at forEach (native)
at St (frida/node_modules/frida-java-bridge/lib/android.js:746)
at Et (frida/node_modules/frida-java-bridge/lib/android.js:737)
at vt (frida/node_modules/frida-java-bridge/lib/android.js:696)
at replace (frida/node_modules/frida-java-bridge/lib/android.js:1021)
at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:1010)
at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:925)
at <anonymous> (/script.js:4)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)
at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)
at perform (frida/node_modules/frida-java-bridge/index.js:192)
at <eval> (/script.js:10)
[device]-> Enter powerPress 44442 true 1
Enter powerPress 46290 true 1
Enter powerPress 52580 true 1
Enter powerPress 53910 true 1
The hook looks like work but exception happen!
this is not how you would normaly hook a function have a look on the official docs
https://frida.re/docs/android/
try this instead
Java.perform(function () {
Java.Use("com.android.server.policy.PhoneWindowManager").powerPress.overload().implementation = function(arg1, arg2, arg3){
console.log("Enter Powerpress :" + arg1,arg2,arg3);
Java.Use("com.android.server.policy.PhoneWindowManager").powerPress.overload().call(this, arg1,arg2,arg3);
}
)
guessing that you are passing args you will need to specify the type of each arg and pass it to the overload function launch the script it will give you a error and copy paste the correct function overload on both the call line and the implementation line
If the method no overrides, then no need to add overload.
Use apply to call original function.
Java.perform(function () {
var clazz = Java.use("com.android.server.policy.PhoneWindowManager")
var func = "powerPress"
console.log(func)
clazz[func].implementation = function (arg1,arg2,arg3) {
console.log("Enter " + func + " " + arg1,arg2,arg3)
this[func].apply(this,[arg1,arg2,arg3])
//or this[func].call(this,arg1,arg2,arg3)
}
}
)
Related
I am trying to hook function of android messaging application.
I run frida hook script. then I get a following error:
Error: java.lang.ClassNotFoundException: Didn't find class "i0.a.a.a.e3.z" on path: DexPathList[[/data/app/xxxxx==/base.apk]]
In Jadx-Gui, base.apk is decompiled as follows
package i0.a.a.a.e3;
/* loaded from: classes5.dex */
public final class z {
}
script is as follows
let z = Java.use("i0.a.a.a.e3.z");
How can I solve this error?
Try running your hook inside the Java.perform() method of Frida.
Java.perform(function() {
let z = Java.use("i0.a.a.a.e3.z");
z["somefunction"].implementation = function (str) {
console.log('somefunctionis called' + ', ' + 'str: ' + str);
let ret = this.somefunction(str);
console.log('somefunctionret value is ' + ret);
return ret;
};
})
It solved my problem that was similar to yours.
I want to overload following method that I found by decompiling Android app with apktool:
invoke-virtual {v0, v4, v3}, Lokhttp3/aa$a;->b(Ljava/lang/String;Ljava/lang/String;)Lokhttp3/aa$a;
Here is my Frida script:
Java.perform(function() {
var targetClass = Java.use("okhttp3.aa$a");
targetClass.b.overload("java.lang.String", "java.lang.String").implementation = function(a, b) {
console.log("str1:" + a);
console.log("str2:" + b);
return this.b(a, b);
}
});
Hook fails with:
[ERROR] Error: expected a pointer
at value (frida/runtime/core.js:170)
at At (frida/node_modules/frida-java-bridge/lib/android.js:879)
at activate (frida/node_modules/frida-java-bridge/lib/android.js:960)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/android.js:740)
at forEach (native)
at St (frida/node_modules/frida-java-bridge/lib/android.js:741)
at kt (frida/node_modules/frida-java-bridge/lib/android.js:732)
at vt (frida/node_modules/frida-java-bridge/lib/android.js:696)
at replace (frida/node_modules/frida-java-bridge/lib/android.js:1011)
at set (frida/node_modules/frida-java-bridge/lib/class-factory.js:1010)
at <anonymous> (/script2.js:3)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:238)
at <anonymous> (frida/node_modules/frida-java-bridge/index.js:213)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:16)
at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:232)
at perform (frida/node_modules/frida-java-bridge/index.js:192)
at <eval> (/script2.js:8)
How to correctly overload that method?
UPDATE
I figured out that error raised because I tried to load multiple scripts at once.
Is it possible?
import frida
import sys
package_name = "com.test.com"
def hook_okhttp_url():
hook_code = open('hook_okhttp_url.js').read()
return hook_code
def hook_cronet_header():
hook_code = open('hook_cronet_header.js').read()
return hook_code
def on_message(message, data):
if message['type'] == 'error':
print("[ERROR] " + message['stack'])
elif message['type'] == 'send':
print("[INFO] " + message['payload'])
else:
print(message)
device = frida.get_usb_device()
process = device.attach(package_name)
okhttp_script = process.create_script(hook_okhttp_url())
cronet_script = process.create_script(hook_cronet_header())
okhttp_script.on('message', on_message)
cronet_script.on('message', on_message)
print('[*] Running Hook Test ...')
okhttp_script.load()
cronet_script.load()
sys.stdin.read()
I figured out that error raised because I tried to load multiple scripts at once.
Is it possible?
When it comes to overloaded methods I prefer to hook and call method this way (as it makes less problems):
Java.perform(function() {
const targetClass = Java.use("okhttp3.aa$a");
const targetMethod = targetClass.b.overload("java.lang.String", "java.lang.String");
targetMethod.implementation = function(a, b) {
console.log("str1:" + a);
console.log("str2:" + b);
return targetMethod.call(this, a, b);
}
});
Ended up with concatenating all js files with my hooks into one.
I'm trying to generate a binding for android from my go program but gomobile is giving me an error as
no exported names in the package "src/github.com/rohankeskar19/android_whisper"
This is the command I Used
gomobile bind -v -target=android -o ethereumchat.aar src\github.com\rohankeskar19\android_whisper\
This is my folder structure
bin
pkg
src
|
-github.com/
|
-rohankeskar19/
|
-android_whisper/
|
-ethereumchat.go
I know that in order to export names they have to start with capital letter
This is my code
package ethereumchat
import (
"log"
"context"
"fmt"
"github.com/ethereum/go-ethereum/whisper/shhclient"
)
func Newkeypair(address string) string {
client, err := shhclient.Dial(address)
if err != nil{
log.Fatal(err)
return "Error occured while connecting to whisper"
}
keyID, err := client.NewKeyPair(context.Background())
if err != nil {
log.Fatal(err)
return "Error occured while creating key pair"
}
return keyID
}
Use the same name for you package as the folder in which it is located. (Your package is ethereumchat but the directory is andorid_whisper.)
I made an application in Visual Basic that opens cmd and transfer files to an Android receiver over VPN. it works fine but how do i get the response from cmd to check whether the transfer was succesful or not?
sample codes
Public Class Form1
Private Sub btnSend_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnSend.Click
Shell("cmd.exe /k" + "adb push C:\Users\user\Desktop\Newfolder\1.png /sdcard/test")
End Sub
Private Sub btnConnect_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnConnect.Click
Shell("adb connect " + TextBox1.Text)
btnSend.Enabled = True
btnConnect.Enabled = False
End Sub
End Class
I am assuming that you are wanting to get the return code or std output of the adb commands. Either way you are going to need to start your own process instead of using the Shell command because:
A process can return an exit code when it terminates. However, you cannot use Shell to retrieve this exit code, because Shell returns zero if it waits for termination, and also because the process runs in a different object from Shell. From http://msdn.microsoft.com/en-us/library/xe736fyk%28v=vs.90%29.aspx
the link will show you how to set up a processes that returns an exit code. The relevant code is
Dim procID As Integer
Dim newProc As Diagnostics.Process
newProc = Diagnostics.Process.Start("C:\WINDOWS\NOTEPAD.EXE")
procID = newProc.Id
newProc.WaitForExit()
Dim procEC As Integer = -1
If newProc.HasExited Then
procEC = newProc.ExitCode
End If
MsgBox("Process with ID " & CStr(ProcID) & _
" terminated with exit code " & CStr(procEC))
if you are wanting not the return code, but the standard output from the program, then according to http://msdn.microsoft.com/en-us/library/vstudio/system.diagnostics.process.standardoutput?cs-save-lang=1&cs-lang=vb#code-snippet-4
you can do that via this code snippet:
Imports System
Imports System.IO
Imports System.Diagnostics
Class IORedirExample
Public Shared Sub Main()
Dim args() As String = Environment.GetCommandLineArgs()
If args.Length > 1
' This is the code for the spawned process'
Console.WriteLine("Hello from the redirected process!")
Else
' This is the code for the base process '
Dim myProcess As New Process()
' Start a new instance of this program but specify the spawned version. '
Dim myProcessStartInfo As New ProcessStartInfo(args(0), "spawn")
myProcessStartInfo.UseShellExecute = False
myProcessStartInfo.RedirectStandardOutput = True
myProcess.StartInfo = myProcessStartInfo
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
' Read the standard output of the spawned process. '
Dim myString As String = myStreamReader.ReadLine()
Console.WriteLine(myString)
myProcess.WaitForExit()
myProcess.Close()
End If
End Sub
End Class
when you are trying this out yourself, remember that you must include the
myProcessStartInfo.UseShellExecute = False
line as well.
I am developing in Android, I am using instrumentation to test Phone application.
Instrumentation is Android env to test applications.
For that I use am command with name of test case.
I run adb, then I enter adb shell, then write in shell the am command.
I wish to deliver a parameter together with this am command.
I mean that I wish to deliver parameters to the test launched by the am command.
Is it possible ???
Please help ?
you can pass a data uri, mime type and even "extras" to the am command.
am [start|instrument]
am start [-a <action>] [-d ]
[-t <mime_type>] [-c <category> [-c <category>] ...]
[-e <extra_key> <extra_value>
[-e <extra_key> <extra_value> ...]
[-n <component>]
[-D] [<uri>]
am instrument [-e <arg_name> <arg_value>] [-p <prof_file>] [-w] <component>
You could pass them as "extras" and then get the extras that are passed to it.
You would pass them like this:
am start -a android.intent.action.VIEW -c android.intent.category.DEFAULT
-e foo bar -e bert ernie -n my.package.component.blah
then in your code:
Bundle extras = this.getIntent ( ).getExtras ( );
if ( extras != null ) {
if ( extras.containsKey ( "foo" ) ) {
Log.d ( "FOO", extras.getString ( "foo" ) );
} else {
Log.d ( "FOO", "no foo here" );
}
if ( extras.containsKey ( "bert" ) ) {
Log.d ( "BERT", extras.getString ( "bert" ) );
} else {
Log.d ( "BERT", "Bert is all alone" );
}
} else {
this.setTitle ( "no extras found" );
}
Pass the paramater in: (e.g., -e peerID SCH-I545)
adb -s 0915f98870e60701 shell am instrument -w -e class /
com.example.android.testing.uiautomator.BasicSample.sendInvite /
-e peerID SCH-I545 /
com.example.android.testing.uiautomator.BasicSample.test/android.sup /
port.test.runner.AndroidJUnitRunner
In the test class:
{
Bundle extras = InstrumentationRegistry.getArguments();
String peerID = null;
if ( extras != null ) {
if ( extras.containsKey ( "peerID" ) ) {
peerID = extras.getString("peerID");
System.out.println("PeerID: " + peerID);
} else {
System.out.println("No PeerID in extras");
}
} else {
System.out.println("No extras");
}
}
to send extra value you should add -n(Component) for sending extra value with -e
here is the sample to sent multiple key-value
adb shell am start -n com.example.jk.checkwifi/.MainActivity -e "imei" $myimei -e "ip" $IP
then to get data inside activity, get like this inside onCreate
ip = intent.getStringExtra("ip")
exactly is:
./adb shell am start -a android.intent.action.VIEW -c android.intent.category.DEFAULT -e user_id 1 -n com.shortcut.activity/com.shortcut.activity.SelectCardActivity
com.shortcut.activity/com.shortcut.activity.SelectCardActivity -> uir to your main class activity start app.
will pass to your app param user_id = 1
and on class SelectCardActivity you get it as bellow :
Bundle installparams = this.getIntent ( ).getExtras ( );
Since you are already working on Android sdk, given you know the sdk location on your system -
Go to sdk location on terminal(command prompt)-> type adb shell -> type am help
with example
http://whenpridefucks.blogspot.in/2011/12/android-send-broadcast-intents-via-adb.html