monkeylord / xposedfridabridge Goto Github PK

View Code? Open in Web Editor NEW

191.0 191.0 50.0 129 KB

A frida script implement XposedBridge & load xposed modules, without installing xposed framwork.

License: MIT License

JavaScript 100.00%

xposedfridabridge's Introduction

XposedFridaBridge

介绍 Introduction

A frida script implement XposedBridge & load xposed modules, without installing xposed framwork.

在不安装Xposed Framework的情况下，通过Frida使用Xposed插件。

用法 Usage

准备工作 Preparation

将XposedBridge.jar推入设备中 push XposedBridge.jar into device
安装插件或将插件APK推入设备中 install modules or push module apks into device
配置插件列表 configure modules.list

adb push XposedBridge.jar /data/local/tmp/XposedBridge.jar
adb install module.apk
adb shell 'echo "/data/app/demo.xposedmodule-1/base.apk" > /data/local/tmp/conf/modules.list'

/data/local/tmp/conf/modules.list与XposedInstaller沙箱下的/conf/modules.list相同，其格式是每行一个APK路径，插件APK可安装，也可不安装。路径指向/data/local/tmp中的APK也可以。

开始使用 Load Modules

frida -U [target app process] -l XposedFridaBridge.js

已知问题 Known Issues

在Nexus5设备上测试通过，可以使用justtrustme等插件，但是部分模拟器可能会有兼容性问题，比如夜神，com.android.org.conscrypt.TrustManagerImpl中的checkServerTrusted不能被Frida Hook，Hook之后会崩溃。

xposedfridabridge's People

Contributors

Stargazers

Watchers

xposedfridabridge's Issues

请问Frida是哪个版本的?我用的最新的12.11.6版本好像不太行

最大的问题还是那个XposedBridge.hookMethodNative和 XposedBridge.invokeOriginalMethodNative，老是出一些问题，测试模块是对话框取消，设备7.0，

大佬这种错误该怎么解决啊（ Wrapper is disposed; perhaps it was borrowed from a hook instead of calling Java.retain() to make a long-lived wrapper）

环境

pixel3
Android 9.0
frida 14.2.18

xposed代码

package com.hujinwen.tiktok;

import android.util.Log;

import java.lang.reflect.Field;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Created by hu-jinwen on 2021/9/11
 */
public class TiktokHooker implements IXposedHookLoadPackage {

    private static final String LOG_TAG = "TiktokHooker";


    /**
     * Hook com.ss.android.deviceregister.b.d$a
     */
    @Override
    public void handleLoadPackage(LoadPackageParam loadPackageParam) throws Throwable {
        if (loadPackageParam.packageName.equals("com.ss.android.ugc.aweme")) {
            Log.i(LOG_TAG, "Find process -> " + loadPackageParam.packageName);

            Class<?> clazz = XposedHelpers.findClass("com.ss.android.deviceregister.b.d.a", loadPackageParam.classLoader);
            Log.i(LOG_TAG, "Find class -> " + clazz);

            XposedBridge.hookAllMethods(clazz, "a", new XC_MethodHook() {
                @Override
                protected void afterHookedMethod(MethodHookParam methodHookParam) throws Throwable {
                    String stackTraceString = Log.getStackTraceString(new Exception());
                    if (stackTraceString.contains("com.ss.android.deviceregister.b.d$a.a(RegisterServiceController.java:")) {
                        Log.i(LOG_TAG, "进来了关键分枝\n");
                        Log.i(LOG_TAG, stackTraceString);
                    }
                }
            });

        }
    }

}

Java.ClassFactory.get报错

frida 版本12.8.0和12.11.7都报错，好像是Java对象没有ClassFactory这个属性
TypeError: cannot read property 'get' of undefined
at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:56618)
at FrameworkInit (/XposedFridaBridge.js:286)
at /XposedFridaBridge.js:383
at frida/node_modules/frida-java-bridge/lib/vm.js:11
at frida/node_modules/frida-java-bridge/index.js:366
at startBridge (/XposedFridaBridge.js:412)
at frida/runtime/core.js:55

android5.0 没有成功啊

执行 frida -U com.example.flutterapp -l .\XposedFridaBridge.js 错误信息如下：

[XposedFridaBridge] Start Loading Xposed
[XposedFridaBridge] Current Application: com.example.flutterapp
[XposedFridaBridge] Current Application Classloader: dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.example.flutterapp-1/base.apk"],nativeLibraryDirectories=[/data/app/com.example.flutterapp-1/lib/arm, /vendor/lib, /system/lib]]]
Error: java.lang.IllegalArgumentException: Optimized data directory /data/local/tmp is not owned by the current user. Shared storage cannot protect your application from code injection attacks.
at frida/node_modules/frida-java/lib/env.js:222
at input:1
at frida/node_modules/frida-java/lib/class-factory.js:200
at FrameworkInit (repl1.js:253)
at [anon] (repl1.js:350)
at frida/node_modules/frida-java/lib/vm.js:39
at frida/node_modules/frida-java/index.js:363
at repl1.js:357

请问下，这怎么解决？


[XposedFridaBridge] Start Loading Xposed
[XposedFridaBridge] Current Application:  com.sankuai.meituan.dispatch.homebrew
[XposedFridaBridge] Current Application Classloader:  dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.sankuai.meituan.dispatch.homebrew-8OPVfVgdkiF4h_VzAJFMdg==/base.apk"],nativeLibraryDirectories=[/data/app/com.sankuai.meituan.dispatch.homebrew-8OPVfVgdkiF4h_VzAJFMdg==/lib/arm, /data/app/com.sankuai.meituan.dispatch.homebrew-8OPVfVgdkiF4h_VzAJFMdg==/base.apk!/lib/armeabi, /system/lib, /vendor/lib]]]
TypeError: cannot read property 'get' of undefined
    at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:56618)
    at FrameworkInit (/XposedFridaBridge.js:283)
    at /XposedFridaBridge.js:375
    at frida/node_modules/frida-java-bridge/lib/vm.js:11
    at frida/node_modules/frida-java-bridge/index.js:366
    at /XposedFridaBridge.js:382
[Nexus 5X::com.sankuai.meituan.dispatch.homebrew]->

Error: Implementation for dispatchSensorEvent expected return value compatible with void

我在hook dispatchSensorEvent时返回结果是void 这里就直接报错了 xpfridabridge.js 中好像没有对void返回结果做处理