Frida进阶用法：Native层Hook与修改指南<\/h1>

一、Hook Native函数基础<\/h2>

1.1 基本Hook流程<\/h3>

定位目标函数<\/strong>：使用Module.findExportByName()<\/code>获取目标函数地址<\/li>
附加拦截器<\/strong>：使用Interceptor.attach()<\/code>附加回调函数<\/li>

处理参数和返回值<\/strong>：在onEnter<\/code>和onLeave<\/code>回调中操作<\/li> <\/ol> var<\/span> strcmp_adr<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libc.so"<\/span>, "strcmp"<\/span>); <\/span><\/span>Interceptor<\/span>.attach<\/span>(strcmp_adr<\/span>, { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("Hooking the strcmp function"<\/span>); <\/span><\/span> var<\/span> flag<\/span> =<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>]); <\/span><\/span> console<\/span>.log<\/span>("The flag is "<\/span> +<\/span> flag<\/span>); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>1.2 过滤特定调用<\/h3> 通过检查参数值来过滤无关调用：<\/p> Interceptor<\/span>.attach<\/span>(strcmp_adr<\/span>, { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> var<\/span> arg0<\/span> =<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[0<\/span>]); <\/span><\/span> var<\/span> flag<\/span> =<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>]); <\/span><\/span> if<\/span>(arg0<\/span>.includes<\/span>("HELLO"<\/span>)) { <\/span><\/span> console<\/span>.log<\/span>("Hooking the strcmp function"<\/span>); <\/span><\/span> console<\/span>.log<\/span>("Input "<\/span> +<\/span> arg0<\/span>); <\/span><\/span> console<\/span>.log<\/span>("The flag is "<\/span> +<\/span> flag<\/span>); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>二、修改Native函数返回值<\/h2> 2.1 修改返回值方法<\/h3> 在onLeave<\/code>回调中使用retval.replace()<\/code>修改返回值：<\/p> var<\/span> check_flag<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("liba0x9.so"<\/span>, "Java_com_ad2001_a0x9_MainActivity_check_1flag"<\/span>); <\/span><\/span>Interceptor<\/span>.attach<\/span>(check_flag<\/span>, { <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("Original return value:"<\/span> +<\/span> retval<\/span>); <\/span><\/span> retval<\/span>.replace<\/span>(1337<\/span>); \/\/ 修改返回值为1337 <\/span><\/span><\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>2.2 完整模板<\/h3> Interceptor<\/span>.attach<\/span>(targetAddress<\/span>, { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('Entering '<\/span> +<\/span> functionName<\/span>); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('Leaving '<\/span> +<\/span> functionName<\/span>); <\/span><\/span> retval<\/span>.replace<\/span>(value<\/span>); \/\/ 修改返回值 <\/span><\/span><\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>三、调用Native函数<\/h2> 3.1 调用流程<\/h3> 获取函数地址<\/li> 创建NativePointer对象<\/li> 创建NativeFunction对象<\/li> 调用函数<\/li> <\/ol> var<\/span> adr<\/span> =<\/span> Module<\/span>.findBaseAddress<\/span>("libfrida0xa.so"<\/span>).add<\/span>(0x1DD60<\/span>); <\/span><\/span>var<\/span> get_flag_ptr<\/span> =<\/span> new<\/span> NativePointer<\/span>(adr<\/span>); <\/span><\/span>const<\/span> get_flag<\/span> =<\/span> new<\/span> NativeFunction<\/span>(get_flag_ptr<\/span>, 'void'<\/span>, ['int'<\/span>, 'int'<\/span>]); <\/span><\/span>get_flag<\/span>(1<\/span>, 2<\/span>); <\/span><\/span><\/code><\/pre>3.2 完整模板<\/h3> var<\/span> native_adr<\/span> =<\/span> new<\/span> NativePointer<\/span>(<<\/span>address_of_the_native_function<\/span>><\/span>); <\/span><\/span>const<\/span> native_function<\/span> =<\/span> new<\/span> NativeFunction<\/span>(native_adr<\/span>, '<return type>'<\/span>, ['argument_data_type'<\/span>]); <\/span><\/span>native_function<\/span>(<<\/span>arguments<\/span>><\/span>); <\/span><\/span><\/code><\/pre>四、修改Native指令<\/h2> 4.1 修改指令步骤<\/h3> 获取指令地址<\/li> 修改内存保护属性<\/li> 使用ARM64Writer修改指令<\/li> 刷新并释放资源<\/li> <\/ol> var<\/span> jnz_adr<\/span> =<\/span> Module<\/span>.getBaseAddress<\/span>("libfrida0xb.so"<\/span>).add<\/span>(0x170CE<\/span>); <\/span><\/span>Memory<\/span>.protect<\/span>(jnz_adr<\/span>, 0x1000<\/span>, "rwx"<\/span>); <\/span><\/span>var<\/span> writer<\/span> =<\/span> new<\/span> Arm64Writer<\/span>(jnz_adr<\/span>); <\/span><\/span>try<\/span> { <\/span><\/span> writer<\/span>.putNop<\/span>(); \/\/ 将jnz指令替换为NOP <\/span><\/span><\/span><\/span> writer<\/span>.flush<\/span>(); <\/span><\/span> console<\/span>.log<\/span>("Command modification successful."<\/span>); <\/span><\/span>} finally<\/span> { <\/span><\/span> writer<\/span>.dispose<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 完整模板<\/h3> var<\/span> writer<\/span> =<\/span> new<\/span> ARM64Writer<\/span>(<<\/span>address_of_the_instruction<\/span>><\/span>); <\/span><\/span>try<\/span> { <\/span><\/span> \/* 自定义指令实现 *\/<\/span> <\/span><\/span> writer<\/span>.flush<\/span>(); <\/span><\/span>} finally<\/span> { <\/span><\/span> writer<\/span>.dispose<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>五、实用API参考<\/h2> 5.1 函数地址获取方法<\/h3> 从导出表获取<\/strong>：<\/p> Module<\/span>.findExportByName<\/span>("libc.so"<\/span>, "strcmp"<\/span>) <\/span><\/span>Module<\/span>.getExportByName<\/span>("libc.so"<\/span>, "strcmp"<\/span>) \/\/ 找不到会抛出异常 <\/span><\/span><\/span><\/code><\/pre><\/li> 从导入表获取<\/strong>：<\/p> Module<\/span>.enumerateImports<\/span>("libfrida0x8.so"<\/span>)[4<\/span>]["address"<\/span>] <\/span><\/span><\/code><\/pre><\/li> 基地址+偏移量<\/strong>：<\/p> Module<\/span>.getBaseAddress<\/span>("libfrida0x8.so"<\/span>).add<\/span>(0x864<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.2 内存操作API<\/h3> 读取内存字符串<\/strong>：<\/p> Memory<\/span>.readUtf8String<\/span>(address<\/span>) <\/span><\/span><\/code><\/pre><\/li> 修改内存保护<\/strong>：<\/p> Memory<\/span>.protect<\/span>(address<\/span>, size<\/span>, "rwx"<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 六、实战技巧<\/h2> 处理ASLR<\/strong>：Android的地址空间随机化会导致每次运行地址不同，建议使用基地址+偏移量的方式<\/p> <\/li> 错误处理<\/strong>：使用try-finally<\/code>确保资源释放<\/p> <\/li> 性能考虑<\/strong>：在Hook频繁调用的函数时，尽量减少日志输出<\/p> <\/li> 多架构支持<\/strong>：注意区分ARM和x86架构的指令差异<\/p> <\/li> 调试技巧<\/strong>：使用console.log()<\/code>输出关键变量值辅助调试<\/p> <\/li> <\/ol> 七、总结<\/h2> Frida在Native层的Hook能力非常强大，通过掌握这些进阶用法，可以：<\/p> 拦截和修改任意Native函数调用<\/li> 动态修改程序逻辑<\/li> 调用未暴露的Native函数<\/li> 修改机器指令改变程序行为<\/li> <\/ol> 关键是要理解Native函数调用的原理和内存操作的基本概念，结合具体场景灵活运用这些技术。<\/p>