The wrapping path from x.ts to x.py in frida (objection)
frida : enumerateClassLoadersSync
Conclusion: frida calls art::ClassLinker::VisitClassLoaders from the Android ART source, and the visitor it passes in is constructed by frida itself: makeArtClassLoaderVisitor wraps a JS arrow function in a NativeCallback behind a hand-built vtable so that ART can call it as a C++ ClassLoaderVisitor. The call is made with every ART thread suspended (withAllArtThreadsSuspended), since the class-loader list is mutated by the running app.
Simplified path:
enumerateClassLoadersSync
  --> enumerateClassLoaders
    --> _enumerateClassLoadersArt
      --> visitClassLoaders = api['art::ClassLinker::VisitClassLoaders'] (a NativeFunction bound to the libart.so symbol)
        --> art::ClassLinker::VisitClassLoaders
void ClassLinker::VisitClassLoaders(ClassLoaderVisitor* visitor) const {...}
_enumerateClassLoadersArt (callbacks) {
  //...
  const visitClassLoaders = api['art::ClassLinker::VisitClassLoaders'];
  //...
  withRunnableArtThread(vm, env, thread => {
    const collectLoaderHandles = makeArtClassLoaderVisitor(
      // this arrow function is the ClassLoaderVisitor* visitor that frida builds itself
      loader => {
        loaderHandles.push(addGlobalReference(vmHandle, thread, loader));
        return true;
      });
    withAllArtThreadsSuspended(() => {
      // calls the Android ART function art::ClassLinker::VisitClassLoaders
      visitClassLoaders(api.artClassLinker.address, collectLoaderHandles);
    });
  });
  //...
}
frida : enumerateLoadedClassesSync
Conclusion: frida calls art::ClassLinker::VisitClasses (not VisitClassLoaders) from the Android ART source, and the ClassVisitor it passes in is again constructed by frida itself via makeArtClassVisitor. Note the difference from the class-loader case: the class visit below is not wrapped in withAllArtThreadsSuspended.
Simplified path:
enumerateLoadedClassesSync
  --> enumerateLoadedClasses
    --> _enumerateLoadedClassesArt
      --> api['art::ClassLinker::VisitClasses'] (a NativeFunction bound to the libart.so symbol)
        --> art::ClassLinker::VisitClasses
void ClassLinker::VisitClasses(ClassVisitor* visitor) {...}
_enumerateLoadedClassesArt (callbacks) {
  //...
  withRunnableArtThread(vm, env, thread => {
    const collectClassHandles = makeArtClassVisitor(
      // this arrow function is the ClassVisitor* visitor that frida builds itself
      klass => {
        classHandles.push(addGlobalReference(vmHandle, thread, klass));
        return true;
      });
    // calls the Android ART function art::ClassLinker::VisitClasses
    api['art::ClassLinker::VisitClasses'](api.artClassLinker.address, collectClassHandles);
  });
  //...
}
objection run "android hooking list classes"
Based on ==
Simplified path: android hooking list classes
  --> show_android_classes
  --> android_hooking_get_classes  ==  androidHookingGetClasses (the Python snake_case name and the agent's camelCase export are the same RPC method)
  --> getClasses
  --> Java.enumerateLoadedClassesSync
Note: as of 2024-12-08 the == version number is still 1.11.0, but the content has changed considerably (the subcommands have changed; for example `explore` was renamed to `start`).
1. android hooking list classes
objection/objection/console/commands.py, the COMMANDS tree entry that maps the typed command to its handler:
COMMANDS = {
    # ...
    'android': {
        'meta': 'Commands specific to Android',
        'commands': {
            'hooking': {
                'commands': {
                    'list': {
                        'commands': {
                            'classes': {
                                'meta': 'List the currently loaded classes',
                                'exec': android_hooking.show_android_classes
                            },
                            # ...
2. android_hooking_get_classes: hooking.py
objection/objection/commands/android/hooking.py, the handler; `api` is the frida-python ScriptExports proxy for the agent's rpc.exports:
def show_android_classes(args: list = None) -> None:
    api = state_connection.get_api()
    classes = api.android_hooking_get_classes()
3. Who converts the camelCase name to the snake_case one?
The guess that android_hooking_get_classes == androidHookingGetClasses is handled by frida itself is correct: objection never defines android_hooking_get_classes anywhere. frida-python's ScriptExports (frida/core.py) implements __getattr__ so that any attribute read on `api` is converted from snake_case to camelCase (its `_to_camel_case` helper) and sent to the agent as the method name of a "call" RPC request; the agent then looks that name up in rpc.exports.
4. androidHookingGetClasses: android.ts
objection/agent/src/rpc/android.ts
export const android = {
  //...
  androidHookingGetClasses: (): Promise<string[]> => hooking.getClasses(),
  //...
}
5. getClasses : hooking.ts
objection/agent/src/android/hooking.ts
export namespace hooking {
  //...
  export const getClasses = (): Promise<string[]> => {
    return wrapJavaPerform(() => {
      return Java.enumerateLoadedClassesSync();
    });
  };
6. androidHookingGetClasses, getClasses: agent.js
The *.ts files are compiled into objection/objection/agent.js, which is what frida actually loads into the target process; the same two functions appear there without type annotations:
export const android = {
  //...
  androidHookingGetClasses: () => hooking.getClasses(),
  //...
}
//...
export const getClasses = () => {
  return wrapJavaPerform(() => {
    return Java.enumerateLoadedClassesSync();
  });
};
7. Java.enumerateLoadedClassesSync: a built-in frida API (frida-java-bridge), which is where the first half of this page picks up: it ends in art::ClassLinker::VisitClasses.
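Steps 1 to 7 as one runnable, offline model. This is an added example, not objection's or frida's own code: it reproduces the two mechanisms the walk-through depends on, objection's nested COMMANDS dict resolving the space-separated command to its `exec` callable, and the snake_case to camelCase conversion that frida-python's ScriptExports performs before sending the RPC request (the converter is modelled on frida-python's `_to_camel_case`). Everything else is a constructed stand-in and an assumption of this example: `FakeScript`/`rpc_request` in place of frida.core.Script, `AGENT_EXPORTS` in place of the agent's rpc.exports, the sample class names, and a `show_android_classes` that takes `api` as a parameter and returns the list instead of fetching it from state_connection and printing.

```python
"""Added example (not objection's or frida's own code): an offline model of
   android hooking list classes -> show_android_classes
   -> api.android_hooking_get_classes() -> RPC "call androidHookingGetClasses"
   -> hooking.getClasses() -> Java.enumerateLoadedClassesSync()
FakeScript, the AGENT_EXPORTS table, the sample class names and the
show_android_classes signature are constructed stand-ins (assumptions)."""
from typing import Any, Callable, Dict, List, Tuple


def to_camel_case(name: str) -> str:
    """snake_case -> camelCase, modelled on frida-python's _to_camel_case in
    frida/core.py: an underscore is dropped and upper-cases the next character,
    everything else is lower-cased (so api.androidHookingGetClasses would not
    round-trip from Python)."""
    out, upper_next = [], False
    for ch in name:
        if ch == "_":
            upper_next = True
        elif upper_next:
            out.append(ch.upper())
            upper_next = False
        else:
            out.append(ch.lower())
    return "".join(out)


# --- agent side: stand-in for rpc.exports in objection's agent.js ------------
def fake_enumerate_loaded_classes() -> List[str]:
    # Constructed sample; on a device this is Java.enumerateLoadedClassesSync().
    return ["java.lang.Object", "android.app.Activity",
            "com.example.app.MainActivity"]


AGENT_EXPORTS: Dict[str, Callable[..., Any]] = {
    # mirrors `androidHookingGetClasses: () => hooking.getClasses()`
    "androidHookingGetClasses": fake_enumerate_loaded_classes,
}


class FakeScript:
    """Stand-in for frida.core.Script: records each RPC request in frida's
    ["frida:rpc", id, operation, name, args] message shape and dispatches it
    to the export table instead of posting it to the agent."""

    def __init__(self, exports: Dict[str, Callable[..., Any]]) -> None:
        self.exports = exports
        self.log: List[list] = []

    def rpc_request(self, operation: str, js_name: str, args: list) -> Any:
        self.log.append(["frida:rpc", len(self.log) + 1, operation, js_name, args])
        if js_name not in self.exports:
            raise AttributeError(f"agent has no export named {js_name!r}")
        return self.exports[js_name](*args)


class ScriptExports:
    """Stand-in for frida.core.ScriptExports: the attribute name used from
    Python becomes, after camel-casing, the RPC method name."""

    def __init__(self, script: FakeScript) -> None:
        self._script = script

    def __getattr__(self, name: str) -> Callable[..., Any]:
        if name.startswith("_"):
            raise AttributeError(name)
        js_name = to_camel_case(name)
        return lambda *args: self._script.rpc_request("call", js_name, list(args))


# --- objection side -----------------------------------------------------------
def show_android_classes(api: ScriptExports, args: list) -> List[str]:
    # objection's handler fetches api from state_connection and prints the
    # list; this one takes api as a parameter and returns the list.
    return api.android_hooking_get_classes()


COMMANDS = {
    "android": {"meta": "Commands specific to Android", "commands": {
        "hooking": {"commands": {
            "list": {"commands": {
                "classes": {"meta": "List the currently loaded classes",
                            "exec": show_android_classes},
            }},
        }},
    }},
}


def resolve_command(tokens: List[str]) -> Tuple[Callable[..., Any], List[str]]:
    """Walk COMMANDS token by token; the last node reached must carry `exec`,
    and the tokens left over are passed on as the command's arguments."""
    level, node, i = COMMANDS, None, 0
    while i < len(tokens) and tokens[i] in level:
        node = level[tokens[i]]
        level = node.get("commands", {})
        i += 1
    if node is None or "exec" not in node:
        raise ValueError(f"unknown command: {' '.join(tokens)}")
    return node["exec"], tokens[i:]


def run(command_line: str, api: ScriptExports) -> List[str]:
    exec_fn, args = resolve_command(command_line.split())
    return exec_fn(api, args)


if __name__ == "__main__":
    script = FakeScript(AGENT_EXPORTS)
    print(run("android hooking list classes", ScriptExports(script)))
    print(script.log)
```

Running it shows the single RPC message the Python side emits for the command, with the method name already camel-cased; a useful check when an objection command fails with an "unable to find method" style error is therefore to compare the camel-cased name against the `rpc.exports` keys in the agent.js that is actually loaded, since a snake_case name that does not map onto an export can only fail at that point.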