调试app时,想要知道它调用了哪些java函数,可以使用jnitrace-engine。https://github.com/chame1eon/jnitrace-engine
首先安装,npm install jnitrace-engine
写frida脚本jnitraceuse.js,可以直接调用:
import {JNIInterceptor} from "jnitrace-engine";
import {JNILibraryWatcher} from "jnitrace-engine";
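/**
 * Installs the JNI hooks this script traces.
 *
 * Registers a library-load callback with jnitrace-engine, then attaches to
 * FindClass, GetMethodID, GetStaticMethodID and RegisterNatives and prints
 * their string arguments. For RegisterNatives the JNINativeMethod array is
 * walked and each (name, signature, native function address) triple is
 * printed.
 *
 * Side effects: installs Frida hooks in the target process and writes to the
 * console. Returns nothing.
 */
function hookjni() {
  // Read a UTF-8 C string, tolerating NULL so one odd call does not tear the
  // whole hook down with an exception.
  const readUtf8 = (p) => (p.isNull() ? "<null>" : p.readUtf8String());
  const readCStr = (p) => (p.isNull() ? "<null>" : p.readCString());

  // One JNINativeMethod is { const char* name; const char* signature; void* fnPtr; }:
  // three pointer-sized fields, so element i starts at methods + 3 * pointerSize * i.
  const readNativeMethod = (methods, index) => {
    const base = methods.add(Process.pointerSize * 3 * index);
    return {
      name: readCStr(base.readPointer()),
      sig: readCStr(base.add(Process.pointerSize).readPointer()),
      // The native function address is the pointer stored *in* the fnPtr
      // field; the earlier version printed the address of the field itself.
      fnPtr: base.add(Process.pointerSize * 2).readPointer(),
    };
  };

  JNILibraryWatcher.setCallback({
    onLoaded(path) {
      console.log("Library Loaded " + path);
    },
  });

  // FindClass(JNIEnv*, const char* name): args[1] is the class name.
  JNIInterceptor.attach("FindClass", {
    onEnter(args) {
      console.log("FindClass->", readUtf8(args[1]));
    },
    onLeave(retval) {
      // Change the retval to be returned to the caller of FindClass
      //retval.replace(NULL);
      // Detach all JNI intercepts
      //JNIInterceptor.detatchAll();
    },
  });

  // GetMethodID(JNIEnv*, jclass, const char* name, const char* sig):
  // args[2] is the method name, args[3] its signature.
  JNIInterceptor.attach("GetMethodID", {
    onEnter(args) {
      console.log(
        "Address of GetMethodID method",
        this.jniAddress,
        readUtf8(args[2]),
        readUtf8(args[3]),
      );
    },
    onLeave(retval) {
      // Intentionally empty; kept so the hook shape matches the others.
    },
  });

  // Same argument layout as GetMethodID.
  JNIInterceptor.attach("GetStaticMethodID", {
    onEnter(args) {
      console.log(
        "Address of GetStaticMethodID method",
        this.jniAddress,
        readUtf8(args[2]),
        readUtf8(args[3]),
      );
    },
    onLeave(retval) {
      // Intentionally empty; kept so the hook shape matches the others.
    },
  });

  // RegisterNatives(JNIEnv*, jclass clazz, const JNINativeMethod* methods, jint nMethods)
  JNIInterceptor.attach("RegisterNatives", {
    onEnter(args) {
      // nMethods is a jint; read it explicitly instead of relying on the
      // implicit NativePointer -> number coercion in the loop condition.
      const count = args[3].toInt32();
      const methods = args[2];
      console.log("Registernative num:" + count, hexdump(methods));
      for (let i = 0; i < count; i++) {
        console.log("num:" + i);
        const { name, sig, fnPtr } = readNativeMethod(methods, i);
        console.log("RegisterNative:name->" + name + ",sig:" + sig + ",addr:" + fnPtr);
      }
    },
    onLeave(retval) {
      // Intentionally empty; kept so the hook shape matches the others.
    },
  });
}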
/**
 * Script entry point: installs all JNI hooks.
 *
 * Kept as a separate function so it can be scheduled with setImmediate,
 * which lets Frida finish loading the agent before hooks are placed.
 */
function main() {
  hookjni();
}
// Defer hook installation to the next tick of the agent's event loop.
setImmediate(main);
此脚本需要由frida-compile编译才能执行
需全局安装frida-compile:npm install -g frida-compile。若只在本地安装,编译总会出错。
frida-compile编译
frida-compile projects/jnitraceuse.js -o _agent.js
奇怪的事情发生了,会出现错误
![](https://img.haomeiwen.com/i11594169/a9b3d8679bf0c73b.png)
搜遍了网络也没找到原因,无奈之下采取了如下方法才得以成功编译
1、修改frida-agent-example/package.json中的build和watch,指向需要编译的文件
![](https://img.haomeiwen.com/i11594169/494afcc3dd09851d.png)
2、运行npm run build
![](https://img.haomeiwen.com/i11594169/8dff3b789640935e.png)
编译后生成了_agent.js,使用frida附加,注意要使用--runtime=v8
frida -UF --runtime=v8 -l _agent.js --no-pause
运行后的截图如下
![](https://img.haomeiwen.com/i11594169/f8cc863e15e5a1cd.png)