Frida Hook Native层技术详解<\/h1>

一、Native方法与JNI基础<\/h2>

1.1 Native方法定义<\/h3>

在Java中声明native方法时，使用native<\/code>关键字表明该方法由其他语言（通常是C\/C++）实现：<\/p>

public<\/span> native<\/span> int<\/span> cmpstr<\/span>(<\/span>String str);<\/span>
<\/span><\/span><\/code><\/pre>1.2 JNI函数命名规范<\/h3>
JNI函数的命名遵循特定格式：Java_包名_类名_方法名<\/code>

示例：Java_com_ad2001_frida0x8_MainActivity_cmpstr<\/code><\/p>
二、Frida Hook Native层技术<\/h2>
2.1 基础函数Hook（Frida 0x8）<\/h3>
场景<\/strong>：通过校验取决于native层的字符串比较函数<\/p>
Hook策略<\/strong>：拦截strcmp函数获取中间参数<\/p>
function<\/span> hook<\/span>() {
<\/span><\/span>  \/\/ 查找strcmp函数地址
<\/span><\/span><\/span><\/span>  var<\/span> target<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libc.so"<\/span>, "strcmp"<\/span>);
<\/span><\/span>  console<\/span>.log<\/span>("strcmp地址:"<\/span>, target<\/span>);
<\/span><\/span>  
<\/span><\/span>  \/\/ 拦截函数调用
<\/span><\/span><\/span><\/span>  Interceptor<\/span>.attach<\/span>(target<\/span>, {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>      \/\/ 读取第一个参数（输入字符串）
<\/span><\/span><\/span><\/span>      var<\/span> input<\/span> =<\/span> Memory<\/span>.readUtf8String<\/span>(args<\/span>[0<\/span>]);
<\/span><\/span>      
<\/span><\/span>      \/\/ 添加过滤条件避免过多输出
<\/span><\/span><\/span><\/span>      if<\/span> (input<\/span>.includes<\/span>("aaa"<\/span>)) {
<\/span><\/span>        \/\/ 读取并打印第二个参数
<\/span><\/span><\/span><\/span>        console<\/span>.log<\/span>("strcmp参数2:"<\/span>, Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>]));
<\/span><\/span>      }
<\/span><\/span>    },
<\/span><\/span>    onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>      \/\/ 可在此处修改返回值
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>  });
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

Module.findExportByName()<\/code> 用于查找导出函数<\/li>
Memory.readUtf8String()<\/code> 读取UTF-8格式字符串<\/li>
Interceptor.attach()<\/code> 拦截函数执行<\/li>
地址一次查找，多次调用拦截<\/li>
<\/ul>
2.2 修改返回值（Frida 0x9）<\/h3>
场景<\/strong>：只需返回特定值（1337）即可通过验证<\/p>
public<\/span> native<\/span> int<\/span> check_flag<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>Hook策略<\/strong>：直接修改函数返回值<\/p>
var<\/span> target<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libnative.so"<\/span>, "Java_com_example_check_flag"<\/span>);
<\/span><\/span>Interceptor<\/span>.attach<\/span>(target<\/span>, {
<\/span><\/span>  onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>    \/\/ 修改返回值为1337
<\/span><\/span><\/span><\/span>    retval<\/span>.replace<\/span>(1337<\/span>);
<\/span><\/span>  }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>2.3 主动调用Native函数（Frida 0xA）<\/h3>
场景<\/strong>：发现敏感函数get_flag()<\/code>未被主动调用<\/p>
两种调用方式<\/strong>：<\/p>
方式一：导出函数的主动调用<\/h4>
\/\/ 查找导出函数地址
<\/span><\/span><\/span><\/span>var<\/span> target<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libnative.so"<\/span>, "get_flag"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 创建NativeFunction对象
<\/span><\/span><\/span><\/span>const<\/span> get_flag<\/span> =<\/span> new<\/span> NativeFunction<\/span>(target<\/span>, 'void'<\/span>, ['int'<\/span>, 'int'<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 主动调用
<\/span><\/span><\/span><\/span>get_flag<\/span>(1<\/span>, 2<\/span>);
<\/span><\/span><\/code><\/pre>方式二：未导出函数的主动调用<\/h4>
\/\/ 获取SO基址
<\/span><\/span><\/span><\/span>var<\/span> base<\/span> =<\/span> Module<\/span>.findBaseAddress<\/span>("libnative.so"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 计算函数地址（基址+偏移）
<\/span><\/span><\/span><\/span>var<\/span> offset<\/span> =<\/span> 0x1234<\/span>;
<\/span><\/span>var<\/span> target<\/span> =<\/span> base<\/span>.add<\/span>(offset<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 创建NativeFunction并调用
<\/span><\/span><\/span><\/span>const<\/span> get_flag<\/span> =<\/span> new<\/span> NativeFunction<\/span>(target<\/span>, 'void'<\/span>, ['int'<\/span>, 'int'<\/span>]);
<\/span><\/span>get_flag<\/span>(1<\/span>, 2<\/span>);
<\/span><\/span><\/code><\/pre>关键区别<\/strong>：<\/p>

导出函数：可直接通过名称查找地址<\/li>
未导出函数：需要SO基址+偏移地址计算<\/li>
<\/ul>
2.4 修改汇编代码（Frida 0xB）<\/h3>
场景<\/strong>：条件跳转永远不执行核心逻辑<\/p>
解决方案<\/strong>：使用NOP指令替换条件跳转<\/p>
\/\/ 获取目标地址
<\/span><\/span><\/span><\/span>var<\/span> target<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libnative.so"<\/span>, "target_function"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 准备NOP指令（ARM64为4字节）
<\/span><\/span><\/span><\/span>var<\/span> nop<\/span> =<\/span> [0x1F<\/span>, 0x20<\/span>, 0x03<\/span>, 0xD5<\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ 写入NOP指令替换原指令
<\/span><\/span><\/span><\/span>Memory<\/span>.writeByteArray<\/span>(target<\/span>, nop<\/span>);
<\/span><\/span><\/code><\/pre>技术细节<\/strong>：<\/p>

ARM64架构中指令长度固定为4字节<\/li>
NOP指令同样为4字节，可完全替换条件跳转指令<\/li>
修改后需重新反编译查看伪代码变化<\/li>
<\/ul>
2.5 Hook构造函数与参数修改（Frida 0x7）<\/h3>
场景<\/strong>：需要修改Checker构造函数的参数<\/p>
class<\/span> Checker<\/span> {<\/span>
<\/span><\/span>    public<\/span> Checker<\/span>(<\/span>int<\/span> num1,<\/span> int<\/span> num2)<\/span> {<\/span>
<\/span><\/span>        \/\/ 构造函数逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Hook策略<\/strong>：拦截构造函数并修改参数<\/p>
\/\/ 拦截构造函数
<\/span><\/span><\/span><\/span>Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>  var<\/span> Checker<\/span> =<\/span> Java<\/span>.use<\/span>("com.example.Checker"<\/span>);
<\/span><\/span>  
<\/span><\/span>  Checker<\/span>.$init<\/span>.implementation<\/span> =<\/span> function<\/span>(num1<\/span>, num2<\/span>) {
<\/span><\/span>    \/\/ 修改参数值
<\/span><\/span><\/span><\/span>    num1<\/span> =<\/span> 600<\/span>;
<\/span><\/span>    num2<\/span> =<\/span> 600<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 调用原构造函数
<\/span><\/span><\/span><\/span>    this<\/span>.$init<\/span>(num1<\/span>, num2<\/span>);
<\/span><\/span>  };
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>三、关键技术总结<\/h2>
3.1 地址查找方法<\/h3>

导出函数<\/strong>：Module.findExportByName("lib.so", "函数名")<\/code><\/li>
未导出函数<\/strong>：Module.findBaseAddress("lib.so").add(偏移)<\/code><\/li>
<\/ol>
3.2 函数拦截与修改<\/h3>

参数读取<\/strong>：Memory.readUtf8String()<\/code>、Memory.readInt()<\/code><\/li>
返回值修改<\/strong>：retval.replace(新值)<\/code><\/li>
主动调用<\/strong>：new NativeFunction()<\/code><\/li>
<\/ul>
3.3 汇编级修改<\/h3>

指令替换<\/strong>：Memory.writeByteArray(地址, 新指令)<\/code><\/li>
ARM64特性<\/strong>：固定4字节指令长度<\/li>
常用替换<\/strong>：条件跳转 → NOP指令<\/li>
<\/ul>
3.4 应用场景对应方案<\/h3>

获取中间参数<\/strong>：Hook基础库函数（strcmp等）<\/li>
修改验证结果<\/strong>：直接修改返回值<\/li>
触发未调用函数<\/strong>：主动调用Native函数<\/li>
绕过条件检查<\/strong>：修改汇编代码<\/li>
修改对象属性<\/strong>：Hook构造函数<\/li>
<\/ol>
四、完整示例模板<\/h2>
function<\/span> main<\/span>() {
<\/span><\/span>  Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>    \/\/ 1. Hook Native函数示例
<\/span><\/span><\/span><\/span>    var<\/span> target<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libc.so"<\/span>, "strcmp"<\/span>);
<\/span><\/span>    Interceptor<\/span>.attach<\/span>(target<\/span>, {
<\/span><\/span>      onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("参数1:"<\/span>, Memory<\/span>.readUtf8String<\/span>(args<\/span>[0<\/span>]));
<\/span><\/span>        console<\/span>.log<\/span>("参数2:"<\/span>, Memory<\/span>.readUtf8String<\/span>(args<\/span>[1<\/span>]));
<\/span><\/span>      }
<\/span><\/span>    });
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 主动调用示例
<\/span><\/span><\/span><\/span>    var<\/span> funcAddr<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libnative.so"<\/span>, "target_func"<\/span>);
<\/span><\/span>    const<\/span> nativeFunc<\/span> =<\/span> new<\/span> NativeFunction<\/span>(funcAddr<\/span>, 'int'<\/span>, ['int'<\/span>, 'string'<\/span>]);
<\/span><\/span>    var<\/span> result<\/span> =<\/span> nativeFunc<\/span>(123<\/span>, "test"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 修改汇编示例
<\/span><\/span><\/span><\/span>    var<\/span> patchAddr<\/span> =<\/span> Module<\/span>.findBaseAddress<\/span>("libnative.so"<\/span>).add<\/span>(0x1234<\/span>);
<\/span><\/span>    Memory<\/span>.writeByteArray<\/span>(patchAddr<\/span>, [0x1F<\/span>, 0x20<\/span>, 0x03<\/span>, 0xD5<\/span>]);
<\/span><\/span>  });
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>setImmediate<\/span>(main<\/span>);
<\/span><\/span><\/code><\/pre>通过掌握这些技术，可以有效地分析和修改Android应用的Native层逻辑，实现各种逆向工程需求。<\/p>

Frida Hook Native层技术详解<\/h1>

一、Native方法与JNI基础<\/h2>

1.2 JNI函数命名规范<\/h3>
JNI函数的命名遵循特定格式：`Java_包名_类名_方法名<\/code> 示例：Java_com_ad2001_frida0x8_MainActivity_cmpstr<\/code><\/p>`

2.3 主动调用Native函数（Frida 0xA）<\/h3>
场景<\/strong>：发现敏感函数`get_flag()<\/code>未被主动调用<\/p>`
`两种调用方式<\/strong>：<\/p>`

三、关键技术总结<\/h2>

Frida Hook Native层技术详解<\/h1>

一、Native方法与JNI基础<\/h2>

1.2 JNI函数命名规范<\/h3> JNI函数的命名遵循特定格式：Java_包名_类名_方法名<\/code> 示例：Java_com_ad2001_frida0x8_MainActivity_cmpstr<\/code><\/p>

2.3 主动调用Native函数（Frida 0xA）<\/h3> 场景<\/strong>：发现敏感函数get_flag()<\/code>未被主动调用<\/p> 两种调用方式<\/strong>：<\/p>

三、关键技术总结<\/h2>

1.2 JNI函数命名规范<\/h3>
JNI函数的命名遵循特定格式：`Java_包名_类名_方法名<\/code> 示例：Java_com_ad2001_frida0x8_MainActivity_cmpstr<\/code><\/p>`

2.3 主动调用Native函数（Frida 0xA）<\/h3>
场景<\/strong>：发现敏感函数`get_flag()<\/code>未被主动调用<\/p>`
`两种调用方式<\/strong>：<\/p>`