Frida Native层操作指南<\/h1>

1. Native层函数Hook基础<\/h2>

1.1 基本Hook模板<\/h3>
Interceptor<\/span>.attach<\/span>(targetAddress<\/span>, {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("正在进入函数"<\/span>);
<\/span><\/span>        \/\/ 可以查看和修改传入参数
<\/span><\/span><\/span><\/span>    },
<\/span><\/span>    onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("正在离开函数"<\/span>);
<\/span><\/span>        \/\/ 可以查看和修改返回值
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>1.2 获取函数地址的方法<\/h3>


Module.enumerateExports()<\/strong><\/p>

获取导出函数的名称、地址等信息<\/li>
适用于查找模块自身导出的函数<\/li>
<\/ul>
<\/li>

Module.getExportByName()<\/strong><\/p>

通过函数名获取导出项地址<\/li>
找不到会抛出异常<\/li>
<\/ul>
<\/li>

Module.findExportByName()<\/strong><\/p>

通过函数名获取导出项地址<\/li>
找不到返回null<\/li>
<\/ul>
<\/li>

Module.getBaseAddress()<\/strong><\/p>

获取模块基址地址<\/li>
可用于基于偏移量的计算<\/li>
<\/ul>
<\/li>

Module.enumerateImports()<\/strong><\/p>

获取模块导入的外部函数\/变量信息<\/li>
<\/ul>
<\/li>
<\/ol>
1.3 实际应用示例<\/h3>
Hook libc.so中的strcmp函数：<\/p>
var<\/span> strcmp<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libc.so"<\/span>, "strcmp"<\/span>);
<\/span><\/span>Interceptor<\/span>.attach<\/span>(strcmp<\/span>, {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        \/\/ 增加条件判断，避免hook所有strcmp调用
<\/span><\/span><\/span><\/span>        if<\/span>(Memory<\/span>.readUtf8String<\/span>(args<\/span>[0<\/span>]).includes<\/span>("666"<\/span>)) {
<\/span><\/span>            console<\/span>.log<\/span>("strcmp参数2:"<\/span>, Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>]));
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>2. 函数返回值修改<\/h2>
修改Native层函数的返回值：<\/p>
var<\/span> check_flag<\/span> =<\/span> Module<\/span>.enumerateExports<\/span>("liba0x9.so"<\/span>)[0<\/span>]["address"<\/span>];
<\/span><\/span>Interceptor<\/span>.attach<\/span>(check_flag<\/span>, {
<\/span><\/span>    onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>        if<\/span>(retval<\/span>.toInt32<\/span>() ===<\/span> 1337<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>("Flag found!"<\/span>);
<\/span><\/span>        }
<\/span><\/span>        \/\/ 修改返回值
<\/span><\/span><\/span><\/span>        retval<\/span>.replace<\/span>(1<\/span>);
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>3. 导入表与导出表<\/h2>

导入表(Imports)<\/strong>: 模块调用的外部函数<\/li>
导出表(Exports)<\/strong>: 模块对外提供的函数<\/li>
<\/ul>
查看导出表示例：<\/p>
var<\/span> exports<\/span> =<\/span> Module<\/span>.enumerateExports<\/span>("liba0x9.so"<\/span>);
<\/span><\/span>exports<\/span>.forEach<\/span>(function<\/span>(exp<\/span>) {
<\/span><\/span>    console<\/span>.log<\/span>("Name:"<\/span>, exp<\/span>.name<\/span>, "Address:"<\/span>, exp<\/span>.address<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>4. Hook未调用的Native方法<\/h2>
4.1 直接调用Native函数<\/h3>
var<\/span> native_adr<\/span> =<\/span> new<\/span> NativePointer<\/span>(<<\/span>address_of_the_native_function<\/span>><\/span>);
<\/span><\/span>var<\/span> native_func<\/span> =<\/span> new<\/span> NativeFunction<\/span>(native_adr<\/span>, <<\/span>return_type<\/span>><\/span>, ['argument_data_type'<\/span>]);
<\/span><\/span>var<\/span> result<\/span> =<\/span> native_func<\/span>(<<\/span>arguments<\/span>><\/span>);
<\/span><\/span><\/code><\/pre>4.2 查找并调用get_flag函数示例<\/h3>
var<\/span> base<\/span> =<\/span> Module<\/span>.findBaseAddress<\/span>("libfrida0xa.so"<\/span>);
<\/span><\/span>var<\/span> exports<\/span> =<\/span> Module<\/span>.enumerateExports<\/span>("libfrida0xa.so"<\/span>);
<\/span><\/span>for<\/span>(var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> exports<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>    if<\/span>(exports<\/span>[i<\/span>].name<\/span> ===<\/span> "_Z8get_flagii"<\/span>) { \/\/ C++ name mangling
<\/span><\/span><\/span><\/span>        console<\/span>.log<\/span>("get_flag地址:"<\/span>, exports<\/span>[i<\/span>].address<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("偏移:"<\/span>, exports<\/span>[i<\/span>].address<\/span> -<\/span> base<\/span>);
<\/span><\/span>        
<\/span><\/span>        var<\/span> get_flag<\/span> =<\/span> new<\/span> NativeFunction<\/span>(exports<\/span>[i<\/span>].address<\/span>, 'void'<\/span>, ['int'<\/span>, 'int'<\/span>]);
<\/span><\/span>        get_flag<\/span>(0<\/span>, 0<\/span>); \/\/ 调用函数
<\/span><\/span><\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. C++ Name Mangling问题<\/h2>
C++编译器会对函数名进行重整(name mangling)，例如：<\/p>

int add(int a, int b)<\/code> → _Z3addii<\/code><\/li>
float add(float a, float b)<\/code> → _Z3addff<\/code><\/li>
<\/ul>
在Hook时需要特别注意使用正确的重整名称。<\/p>
6. Hook Android日志函数<\/h2>
直接截获__android_log_print的输出：<\/p>
var<\/span> android_log_print<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("liblog.so"<\/span>, "__android_log_print"<\/span>);
<\/span><\/span>Interceptor<\/span>.attach<\/span>(android_log_print<\/span>, {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        \/\/ 第四个参数是日志内容
<\/span><\/span><\/span><\/span>        console<\/span>.log<\/span>("Log:"<\/span>, Memory<\/span>.readUtf8String<\/span>(args<\/span>[3<\/span>]));
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>7. 修改Native层汇编指令<\/h2>
7.1 x86架构模板<\/h3>
var<\/span> writer<\/span> =<\/span> new<\/span> X86Writer<\/span>(opcodeaddr<\/span>);
<\/span><\/span>Memory<\/span>.patchCode<\/span>(opcodeaddr<\/span>, 0x1000<\/span>, function<\/span>(code<\/span>) {
<\/span><\/span>    try<\/span> {
<\/span><\/span>        \/\/ 写入汇编指令
<\/span><\/span><\/span><\/span>        writer<\/span>.putNop<\/span>();
<\/span><\/span>        writer<\/span>.putRet<\/span>();
<\/span><\/span>        writer<\/span>.flush<\/span>();
<\/span><\/span>    } finally<\/span> {
<\/span><\/span>        writer<\/span>.dispose<\/span>();
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>7.2 ARM64架构示例<\/h3>
修改跳转指令（如nop掉B.NE）：<\/p>
var<\/span> target<\/span> =<\/span> base<\/span>.add<\/span>(0x15248<\/span>); \/\/ 偏移地址
<\/span><\/span><\/span><\/span>Memory<\/span>.patchCode<\/span>(target<\/span>, 4<\/span>, function<\/span>(code<\/span>) {
<\/span><\/span>    var<\/span> writer<\/span> =<\/span> new<\/span> Arm64Writer<\/span>(code<\/span>, {pc<\/span>:<\/span> target<\/span>});
<\/span><\/span>    try<\/span> {
<\/span><\/span>        writer<\/span>.putNop<\/span>(); \/\/ 替换B.NE为NOP
<\/span><\/span><\/span><\/span>        writer<\/span>.flush<\/span>();
<\/span><\/span>    } finally<\/span> {
<\/span><\/span>        writer<\/span>.dispose<\/span>();
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>8. 关键注意事项<\/h2>

权限问题<\/strong>: 修改代码段前需要设置内存为可写(rwx)<\/li>
架构差异<\/strong>: x86和ARM64的汇编指令不同<\/li>
地址随机化(ASLR)<\/strong>: 使用基地址+偏移量的方式更可靠<\/li>
资源释放<\/strong>: 使用完Writer后必须调用dispose()<\/li>
线程安全<\/strong>: 修改运行时代码需谨慎，可能导致崩溃<\/li>
<\/ol>
9. 实用技巧<\/h2>

批量Hook<\/strong>: 遍历导出表批量Hook特定模式的函数<\/li>
条件Hook<\/strong>: 增加条件判断避免Hook无关调用<\/li>
日志过滤<\/strong>: 结合logcat命令查看完整输出<\/li>
错误处理<\/strong>: 添加try-catch防止脚本崩溃<\/li>
性能优化<\/strong>: 避免在频繁调用的函数中执行复杂操作<\/li>
<\/ol>
通过以上方法，可以有效地对Android应用的Native层进行Hook、分析和修改，实现各种安全分析和逆向工程目的。<\/p>