Overview
I had come across the r2frida tool before, but environment problems kept me from installing it successfully.
I have now installed r2frida successfully on both Kali Linux and Windows, and am recording the steps here.
Linux installation
Environment
System: Kali Linux 2021.2
Software: Node.js 12.22.5, Frida 15.1.3
Install targets: Radare2 5.4.2, r2frida 5.4.4
Preparation
radare2
git clone https://github.com/radareorg/radare2
radare2/sys/install.sh
r2frida
Install the dependencies
sudo apt install -y make gcc libzip-dev nodejs npm curl pkg-config git
Switch the npm registry (optional)
npm config set registry http://registry.npm.taobao.org
Clone the repository
git clone https://github.com/nowsecure/r2frida
Modify
Edit the Makefile and set frida_version to the version of Frida you have installed
Build
sudo make
sudo make install
On a successful install you will see:
mkdir -p "//usr/local/lib/radare2/5.4.3"
cp -f io_frida.so* /"/usr/local/lib/radare2/5.4.3"
Run r2 frida://? to display the help and confirm that the plugin was installed successfully.
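As an added example (not part of the original post or the r2frida project), the following POSIX shell script automates the Linux steps above: it rewrites the frida_version assignment in the r2frida Makefile to match the installed Frida, builds and installs the plugin, and checks that r2 frida://? prints the help. It assumes the Makefile writes the variable as frida_version=... or frida_version ?= ..., and that frida --version reports the installed version.

```shell
#!/bin/sh
# Added example: automate the Linux build steps and verify the plugin.
set -eu

# Rewrite the frida_version assignment in a Makefile to the given version.
# Assumption: the line looks like "frida_version=X" or "frida_version ?= X".
# Usage: set_frida_version path/to/Makefile 15.1.3
set_frida_version() {
  mk="$1"; ver="$2"
  grep -Eq '^frida_version[[:space:]]*[?:]?=' "$mk" || {
    echo "no frida_version line found in $mk" >&2; return 1; }
  # sed -i differs between GNU and BSD; write a temp file for portability.
  sed -E "s/^(frida_version[[:space:]]*[?:]?=).*/\1${ver}/" "$mk" > "$mk.tmp" \
    && mv "$mk.tmp" "$mk"
}

# Read back the version currently set in the Makefile (first match only).
get_frida_version() {
  sed -nE 's/^frida_version[[:space:]]*[?:]?=[[:space:]]*//p' "$1" | head -n1
}

# Full flow: clone, patch the version, build, install, then verify.
build_r2frida() {
  ver="$(frida --version)"           # version of the Frida tools on this host
  [ -d r2frida ] || git clone https://github.com/nowsecure/r2frida
  set_frida_version r2frida/Makefile "$ver"
  (cd r2frida && make && sudo make install)
  # The plugin is loaded if r2 prints the frida:// usage header from the help.
  r2 frida://? 2>&1 | grep -q 'frida://\[action\]' || {
    echo "io_frida plugin not loaded; check r2 -L and the install prefix" >&2
    return 1; }
}

# Run the build only when invoked as: sh install-r2frida.sh build
if [ "${1:-}" = "build" ]; then
  build_r2frida
fi
```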
Windows installation
Environment
System: Windows 10 20H2 x64
Software: Visual Studio 2019, Node.js 14.17.4, Cygwin 3.2.0 (remember to select wget), Frida 15.1.2
(Install the above beforehand; the Visual Studio version must be at least 2015)
Install targets: Radare2 5.4.2, r2frida 5.4.4
Preparation
radare2
Go to Releases · radareorg/radare2, download radare2-5.4.2-w64.zip and extract it to any directory.
Add the ..\radare2\bin directory to the PATH environment variable, then run r2 -v to check the version number.
r2frida
Switch the npm registry (optional)
npm config set registry http://registry.npm.taobao.org
Clone the repository
git clone https://github.com/nowsecure/r2frida
Modify
Edit build.bat: set frida_version to the version of Frida you have installed, and set R2_BASE to the radare2 installation directory (without bin)
Re-save ..\radare2\include\libr\r_cons.h with UTF-8 with BOM encoding (prevents a compile error)
Build
Open that directory in cmd, initialize the environment with vcvarsall.bat, then run the install script
"[Visual Studio安装位置]\VC\Auxiliary\Build\vcvarsall.bat" x64
.\build.bat install
On a successful install you will see:
Installing...
Copying 'io_frida.dll' to C:\Users\xhy\.local\share\radare2\plugins
1 file(s) copied.
Run r2 frida://? to display the help and confirm that the plugin was installed successfully.
The result looks like this:
r2 frida://[action]/[link]/[device]/[target]
* action = list | apps | attach | spawn | launch
* link = local | usb | remote host:port
* device = '' | host:port | device-id
* target = pid | appname | process-name | program-in-path | abspath
Local:
* frida://? # show this help
* frida:// # list local processes
* frida://0 # attach to frida-helper (no spawn needed)
* frida:///usr/local/bin/rax2 # abspath to spawn
* frida://rax2 # same as above, considering local/bin is in PATH
* frida://spawn/$(program) # spawn a new process in the current system
* frida://attach/(target) # attach to target PID in current host
USB:
* frida://list/usb// # list processes in the first usb device
* frida://apps/usb// # list apps in the first usb device
* frida://attach/usb//12345 # attach to given pid in the first usb device
* frida://spawn/usb//appname # spawn an app in the first resolved usb device
* frida://launch/usb//appname # spawn+resume an app in the first usb device
Remote:
* frida://attach/remote/10.0.0.3:9999/558 # attach to pid 558 on tcp remote frida-server
Environment:
R2FRIDA_SAFE_IO # Workaround a Frida bug on Android/thumb
R2FRIDA_DEBUG # Used to debug argument parsing behaviour
R2FRIDA_AGENT_SCRIPT # path to file of the r2frida agent
Usage
(See the connection help above)
Get the USB device id (optional)
Run frida-ls-devices to obtain the USB device id
Then launch the app:
r2 frida://launch/usb/[device id]/[package name]
When the device id is left empty, the first USB device is used
Getting help
r2frida commands are prefixed with =! or :.
After attaching to the app, r2frida commands must be prefixed with =! or :
For example: =!? or :? (show help)
Append a question mark to a command to get its help, e.g. :/? or ps?
Filtering output
Use ~ to filter the output, similar to grep
For example: :il~libart.so (prints only the libart.so address)
Viewing information
:i?: show help
:i: show information
:ic: list all classes
:icl: list loaded classes
:icm: list class methods
:il: list modules
:iE modulename: list the module's exported symbols
Searching strings
:/?: show help
:/ keyword: search memory for the keyword
Printing memory and disassembling
p?: show help (this is an r2 command, so no colon is needed)
s address: set the current address
x: hexdump memory at the current address
x @ address: hexdump memory at the given address (other commands work the same way)
ps: print a string
pd: disassemble
Dynamic debugging
:d?: show help
:dm: list memory regions (similar to the maps file)
:dt: trace calls to an address
:dtf: trace calls to an address with formatted output
Usage: dtf [format] || dtf [addr] [fmt]
^ = trace onEnter instead of onExit
+ = show backtrace on trace
p/x = show pointer in hexadecimal
c = show value as a string (char)
i = show decimal argument
z = show pointer to string
w = show pointer to UTF-16 string
a = show pointer to ANSI string
h = hexdump from pointer (optional length, h16 to dump 16 bytes)
H = hexdump from pointer (optional position of length argument, H1 to dump args[1] bytes)
s = show string in place
O = show pointer to ObjC object
Undocumented: Z, S
dtf trace format
Loading Frida scripts
:.?: show help
:. scriptpath: load a JS script
Other commands
cl: clear the screen