生成指针
// Three spellings of the same address (decimal 100 == 0x64): a decimal
// string, a hex string (the "0x" prefix selects hexadecimal), and a plain
// number.  NativePointer does no validation, so none of these is safe to
// dereference until the address is known to be mapped.
const ptr1 = new NativePointer("100");
const ptr2 = new NativePointer("0x64");
const ptr3 = new NativePointer(100);
获取so地址,写入内存并读取
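// Resolve libc's load address, store it in a fresh 16-byte buffer, and
// read the buffer back as raw bytes.
const libcModule = Process.findModuleByName("libc.so");
if (libcModule === null) {
    // findModuleByName() returns null (not an exception) when the module is
    // absent; the original `.base` access would then throw a TypeError.
    // The loaded name can also differ by platform (e.g. "libc.so.6").
    throw new Error("[-] libc.so not found in the target process");
}
var pointer = libcModule.base;
console.log("pointer = ", pointer);

// Memory.alloc() memory is released once no JS reference remains (Frida API
// semantics), so `r` must stay in scope for as long as the buffer is used.
const r = Memory.alloc(0x10);
r.writePointer(pointer); // first pointer-sized slot = libc base; rest stays zeroed

// NativePointer#readByteArray replaces the deprecated Memory.readByteArray.
var buffer = r.readByteArray(0x10);
console.log(buffer);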
Hook系统C方法
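// Hook libc's strstr(haystack, needle): log each call, then force a NULL
// ("not found") result.  A null module name makes findExportByName search
// every loaded module.
var funAddress = Module.findExportByName(null, "strstr");
console.log("address = ", funAddress);
if (funAddress === null) {
    // Interceptor.attach(null, ...) would throw with a less helpful message.
    throw new Error("strstr export not found");
}
Interceptor.attach(funAddress, {
    onEnter(args) {
        // readCString() must be *called*; the original `args[0].readCString`
        // (no parentheses) logged the function object, not the string.
        // Guard against NULL arguments before dereferencing them.
        const haystack = args[0].isNull() ? null : args[0].readCString();
        const needle = args[1].isNull() ? null : args[1].readCString();
        console.log(haystack);
        console.log(needle);
        console.log("return address = ", this.returnAddress);
        console.log("thread id = ", this.threadId);
        console.log("Depth = ", this.depth);   // nesting depth of intercepted calls on this thread
        // `this.err` is not a Frida property (it logged undefined); the
        // callee-visible errno is `this.errno` (`this.lastError` on Windows).
        console.log("error = ", this.errno);
    },
    onLeave(retval) {
        // NOTE: this makes every strstr() in the process report "not found",
        // including the runtime's own calls.  Outside a demo, narrow it with a
        // condition on the logged arguments before replacing the result.
        retval.replace(0);
    }
});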
Hook自己的C方法
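// Hook the app's own JNI export.  Per the signature used elsewhere in this
// page ('int', ['pointer', 'pointer', 'int', 'int']) it is
// jint addNumbers(JNIEnv*, jobject, jint a, jint b): args[2] and args[3]
// are integers, not char*.  The original readCString on them would
// dereference a small integer as an address and fault the process (and
// without parentheses it did not even call the reader).
var funAddress = Module.findExportByName("libc_project.so", "Java_com_example_c_1project_MainActivity_addNumbers");
console.log("address = ", funAddress);
if (funAddress === null) {
    throw new Error("addNumbers export not found in libc_project.so");
}
Interceptor.attach(funAddress, {
    onEnter(args) {
        console.log(args[2].toInt32());
        console.log(args[3].toInt32());
    },
    onLeave(retval) {
        // Force the Java-visible result to 0 regardless of the inputs.
        retval.replace(0);
    }
});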
replace自己的C方法
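// Replace the app's addNumbers(JNIEnv*, jobject, jint, jint) with our own
// implementation: scale both operands by 10 and return their sum.  The
// original native code is never executed while the replacement is installed.
var funAddress = Module.findExportByName("libc_project.so", "Java_com_example_c_1project_MainActivity_addNumbers");
if (funAddress === null) {
    throw new Error("addNumbers export not found in libc_project.so");
}
// Name the callback so it can be reasoned about and reverted later
// (Interceptor.revert(funAddress) restores the original).
var addNumbersReplacement = new NativeCallback(function (env, jobject, a, b) {
    console.log("原始参数 - a: " + a + ", b: " + b);
    // jint is 32-bit: for |a| or |b| above ~2^27 the scaled sum no longer
    // fits and will be truncated/rejected when marshalled as 'int'.
    var modifiedA = a * 10;
    var modifiedB = b * 10;
    console.log("修改后参数 - a: " + modifiedA + ", b: " + modifiedB);
    var result = modifiedA + modifiedB;
    console.log("计算结果: " + result);
    return result;
},
'int',                                  // return type (jint)
['pointer', 'pointer', 'int', 'int']);  // JNIEnv*, jobject, jint, jint
Interceptor.replace(funAddress, addNumbersReplacement);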
inline Hook C方法
根据地址来Hook方法
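// Hook a function by base+offset instead of by export name (needed for
// non-exported or stripped symbols).  0x24F90 is the offset in ONE specific
// build of libc_project.so: re-derive it after any rebuild, otherwise the
// hook lands inside an unrelated function or mid-instruction and crashes
// the target.
var funAddress = Module.findBaseAddress("libc_project.so");
if (funAddress) {
    var fun_24F90 = funAddress.add(0x24F90);
    console.log("address = ", fun_24F90);
    Interceptor.attach(fun_24F90, {
        onEnter(args) {
            // Raw pointer-sized argument slots; their meaning depends on the
            // callee's real signature, which is not known from the address alone.
            console.log(args[2]);
            console.log(args[3]);
        },
        onLeave(retval) {
            // hexdump(retval) reads memory *at* the returned value.  That is only
            // safe when the callee returns a pointer into readable memory; an
            // integer return (e.g. a jint) would be treated as an address and
            // fault.  Check the mapping before dumping.
            const range = Process.findRangeByAddress(retval);
            if (range !== null && range.protection.startsWith('r')) {
                console.log(hexdump(retval));
            } else {
                console.log("retval = ", retval, " (not a readable address)");
            }
        }
    });
}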
知道C方法基地址偏移量,生成方法并调用
// Call addNumbers() directly by address instead of through Java.
// 0x25130 is the offset in one specific build of libc_project.so and must be
// re-derived from the binary after any rebuild.
Java.perform(function () {
    // 1. Locate the function.
    const moduleBase = Module.findBaseAddress("libc_project.so");
    if (moduleBase === null) {
        console.error("[-] 错误:未找到 libc_project.so 的基地址。");
        return;
    }
    const targetAddr = moduleBase.add(0x25130);
    console.log("[+] addNumbers 函数地址: " + targetAddr);

    // 2. Describe the ABI: jint f(JNIEnv*, jobject, jint, jint).
    let addNumbers;
    try {
        addNumbers = new NativeFunction(targetAddr, 'int', ['pointer', 'pointer', 'int', 'int']);
    } catch (e) {
        console.error("[-] 创建 NativeFunction 失败: " + e.message);
        return;
    }

    // 3. Arguments.  Inside Java.perform the current thread is attached to the
    // VM, so Java.vm.getEnv() yields a usable JNIEnv*.  `thiz` is passed as NULL
    // on the assumption that the callee never touches it — a callee that does
    // would fault on the null jobject.
    const env = Java.vm.getEnv();
    const thiz = NULL;
    const a = 10;
    const b = 20;

    // 4. Invoke and report.  Frida surfaces a native fault as a JS exception here.
    console.log("[+] 准备调用 nativeAddNumbers, 参数: " + a + ", " + b);
    try {
        const result = addNumbers(env, thiz, a, b);
        console.log("[+] 调用成功!结果: " + result);
    } catch (e) {
        console.error("[-] 调用函数时出错: " + e.message);
    }
});