Shulou(Shulou.com)06/01 Report--

Most people do not understand the knowledge points of this article "how to use hook in Android", so the editor summarizes the following content, detailed content, clear steps, and has a certain reference value. I hope you can get something after reading this article. Let's take a look at this "how to use hook in Android" article.

Xposed framework

Xposed is an open source framework, which has source code on github. You can download apk directly and then install and activate it. In many places, there are tutorials in this area, and Daniel has made targeted changes to different mobile phone architectures. You can search in the forum

By replacing the / system/bin/app_process program to control the zygote process, app_process will load the jar package XposedBridge.jar during startup, thus hijacking the Zygote process and its created Dalvik virtual machine.

Xposed hijacks all Hook Function at boot time, adding custom code before and after the execution of the original Function.

Many people use this framework to privatize and customize android. In fact, this framework provides great convenience in android security testing. Xposed is mainly the hook of methods. In the previous repackaging technology, it is troublesome to modify the smali code.

The information in android application can be easily obtained by using xposed framework, such as encrypting private key, salt value and so on. There is no need to compile and obtain key conversion algorithm, and there is no need to understand the key storage mechanism. You can directly use hook function to get input and output.

Principle

In Android systems, application processes are hatched by Zygote processes, while Zygote processes are started by Init processes. When the Zygote process starts, it creates a Dalvik virtual machine instance, and whenever it incubates a new application process, it copies the Dalvik virtual machine instance to the new application process, so that each application process has a separate Dalvik virtual machine instance. This is why Xposed chose to replace app_process.

During the startup of the Zygote process, in addition to creating a Dalvik virtual machine instance, the Java runtime library is loaded into the process and some JNI methods of the Android core classes are registered into the Dalvik virtual machine instance created earlier. Note that when an application process is incubated by the Zygote process, it not only gets a copy of the Dalvik virtual machine instance in the Zygote process, but also shares the Java runtime library with Zygote. This is why the jar package XposedBridge can be loaded into every Android application. XposedBridge has a private Native (JNI) method hookMethodNative, which is also used in app_process. This function provides a method object that uses Java's Reflection mechanism to override built-in methods. Those who have the ability can analyze the source code of xposed. I have to say that the author has a deep understanding of the mechanism of android and java.

Simple example

A very simple android login code:

It is very simple to judge that the user name and password entered by the user are correct. Here is a simple demonstration to hook the user name and password information entered by the user whether it is correct or not.

To briefly talk about the development of the xposed module, the first thing you need is to import api.

Defined in manifest

Declare that this is a xposed module, named hook test, and use api version number 82

Here is the hook code for the runtime:

Look at the comments in the code, mainly three method calls, handleLoadPackage, mainly to get the relevant information of the android package, here because it is only the hook of the logintest, make a simple judgment.

FindAndHookMethod is the main hook entry, in which several parameters are package name, function name of classloader,hook, parameter type (this is easy to make mistakes, for example, list type is written as List.class), callback function

The more important callback functions are beforeHookedMethod and afterHookedMethod. One is hijacked before the function runs, and the other is released after hook. In the instance, the fields entered by the user are hijacked and printed, and then the parameters are changed to the correct login user name and password, so that any character entered in app can be logged in successfully.

Frida Hook framework

Frida is a hook framework based on python + javascript, which kills android\ ios\ linux\ win\ osx and other platforms. Because it is based on script interaction, it is more convenient than xposed and substrace cydia. This article focuses on the use of Frida under android.

The official website of Frida is http://www.frida.re/

Installation

It is very easy to install Frida and execute it directly on the PC.

Pip install frida

Can

On the server side where Android devices need to be imported into frida, you need to root your mobile phone.

Running

Run frida-server on the device:

Run adb forward tcp retweet on your computer:

Port 27042 is used to communicate with frida-server, and each port after that corresponds to each injected process.

Run the following command to verify the successful installation:

$frida-ps-R

Normally, the list of output processes should be as follows:

The compilation of Hook module

The main module of hook is written by js and communicates with server using api of javascript.

The following is a brief introduction with a real example, first of all, the test code:

Decompiling to obtain the core functions in app

For the above js code, in fact, it is to call a function in app, such as sign value generation function, encryption and decryption function, do not need to analyze the algorithm flow alone, analyze where the key value is, directly call the corresponding function of app, and let app help us to complete these tasks.

The app we analyzed here is Youbao, which is a beverage vending machine. At that time, when we saw the pick-up of the bag, there was only an order id. I wondered if it was the id of the order traversing the order. The order that paid successfully but did not pick up the goods would not respond to the request and drop out by itself.

The following is the analysis process of Youbao's order.

1. Grab the payment order successful link

Analysis:

Sign is the check value, mainly to prevent order forgery, orderid is the generated payment order id, this is mainly to prevent forgery

two。 Reverse translation of Youbao app

The package where morder/shipping is found is: com/ub/main/d/e.class

Where localStringBuffer stores the parameter information in url, and the code found by the request is in a ()

The b function of the function that generates the signature in com/ub/main/d/e.class

* * add the sign value to send the request

3. You can decompile his sign calculation method, or you can call the b function directly to generate a sign. later, it is found that app will automatically take a timestamp, so we don't need to give him an array parameter.

Just call a function directly, give him the orderId, and let him directly return a value, and you will have the above js code.

4. Automated batch processing

Look at the code.

Construct a class, and then directly fuzz uid it, extract the signvalue inside and splice it into the post data.

The post request that can be generated is exactly the same as that of the captured packet, but the test is not successful. The reason for the analysis may be that the order id is bound to the user's id.

But I learned how to analyze app through frida.

Hook of complex parameters

If you encounter that the parameter type of the function is array, map, or ArrayList, first target the fun1 function of the MyClass class, declare as follows:

Solution:

Load each class with the XposedHelpers findClass method provided by Xposed itself, and then pass the resulting class to the hook function as an argument!

The above is about the content of this article on "how to use hook in Android". I believe we all have a certain understanding. I hope the content shared by the editor will be helpful to you. If you want to know more about the relevant knowledge, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.