我想搞清楚怎么用 Frida 来 hook 系统调用。问题是我有个 app，看起来用了 DexGuard（八成是），RASP 也相当强。我目前觉得最靠谱的方法是用 Frida Stalker 追踪系统调用，看看是在哪个调用之后进程退出或崩溃，然后沿着调用链往回找检测点。有更好的办法吗？还是说这已经是最优解了？尤其是遇到这种强悍的 root 检测和 RASP 时。
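/**
 * Trace every `svc` (system call) instruction executed by one thread using Stalker.
 *
 * Why Stalker rather than Interceptor here: Stalker recompiles the followed thread's code
 * into its own cache and never writes to the original text pages, so it does not trip the
 * in-memory code-integrity checks a RASP layer typically runs. It is still observable
 * (timing, newly mapped executable memory), so detection remains possible.
 *
 * The first callout is inserted *before* the `svc` is kept, so at that point the
 * syscall-number register (x8 on arm64, r7 on 32-bit ARM) is already loaded; the second
 * callout, after the `svc`, sees the kernel's return value in x0/r0. x86/x64 use
 * `syscall`/`int` rather than `svc` and are not handled here.
 *
 * Thread choice: called from the script's top level, Process.getCurrentThreadId() is
 * Frida's own JS thread, not an app thread. Pass an id from Process.enumerateThreads(),
 * or call this from inside an Interceptor hook running on the thread of interest.
 *
 * @param {number} [threadId=Process.getCurrentThreadId()] - id of the thread to follow.
 * @throws {Error} when the process architecture has no `svc`-based syscall ABI.
 */
function hookSVCInstruction(threadId = Process.getCurrentThreadId()) {
  const regs = {
    arm64: { nr: 'x8', ret: 'x0' },
    arm: { nr: 'r7', ret: 'r0' },
  }[Process.arch];
  if (regs === undefined) {
    throw new Error(`hookSVCInstruction: unsupported architecture ${Process.arch}`);
  }

  Stalker.follow(threadId, {
    // No event collection: Stalker.parse() only returns parsed events and carries no
    // opcode bytes, so matching instruction bytes there can never work. Inspect the
    // disassembly in transform() instead and inject callouts around each svc.
    transform(iterator) {
      let insn = iterator.next();
      do {
        // Capture the address now; the callouts run later, on the instrumented thread.
        const svcAddress = insn.mnemonic === 'svc' ? insn.address : null;

        if (svcAddress !== null) {
          iterator.putCallout((context) => {
            console.log(`svc at ${svcAddress}: syscall number ${context[regs.nr]}`);
          });
        }

        iterator.keep();

        if (svcAddress !== null) {
          iterator.putCallout((context) => {
            console.log(`svc at ${svcAddress} returned ${context[regs.ret]}`);
          });
        }
      } while ((insn = iterator.next()) !== null);
    },
  });
}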
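/**
 * Patch-based alternative: intercept one instruction in place with Interceptor.
 *
 * For an arbitrary (non-function-entry) address Interceptor takes a single callback
 * function, not an {onEnter, onLeave} object: an `svc` is not a call, so nothing ever
 * "returns" to it and onLeave has no meaning there. Registers are read from
 * `this.context`; `args` is only meaningful at function entry points.
 *
 * Caveat for hardened targets: Interceptor overwrites the original code bytes with a
 * trampoline, so an in-memory integrity check (common in RASP) can notice it, and the
 * attach may throw if Frida cannot relocate the surrounding instructions. When the
 * target verifies its own text pages, prefer a Stalker transform, which leaves them intact.
 *
 * @param {NativePointer} address - address of the `svc` instruction to hook.
 * @returns {InvocationListener} handle; call .detach() to remove the hook.
 */
function hookInstruction(address) {
  // Syscall-number register: x8 on arm64, r7 on 32-bit ARM (the ABIs that use `svc`).
  const nrReg = Process.arch === 'arm64' ? 'x8' : 'r7';
  return Interceptor.attach(address, function onSvc() {
    console.log(`svc at ${address} hit, syscall number ${this.context[nrReg]}`);
  });
}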
/**
 * Script entry point: install the Stalker-based syscall trace.
 * Note that with no thread id chosen, the trace follows the calling thread.
 */
function main() {
  return hookSVCInstruction();
}
// Defer to the next tick so the script body has fully loaded before instrumentation starts.
setImmediate(() => main());