Analysis Tool | M001
🎣 Android Frida Hooking
⚙️ Setup
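# Install Frida on the PC first, then fetch a frida-server build of the SAME
# version: client and server must match or frida-ps fails to connect.
pip install frida-tools
frida --version

# Install Frida server on the Android device (rooted device or emulator).
# Download frida-server-<version>-android-<abi>.xz for the device ABI from
# https://github.com/frida/frida/releases
adb shell getprop ro.product.cpu.abi   # arm64-v8a -> android-arm64, armeabi-v7a -> android-arm, x86_64 -> android-x86_64
xz -d frida-server-*-android-*.xz      # release binaries are xz-compressed
mv frida-server-*-android-* frida-server
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"

# Start it as root (on an emulator run `adb root` first and drop the su -c).
# nohup keeps the server alive after the adb shell session ends; a bare
# "... &" is killed together with the shell.
# frida-server has no authentication: keep the default loopback listener
# (reached over adb/USB) and never pass '-l 0.0.0.0' on a network you do
# not control.
adb shell "su -c 'nohup /data/local/tmp/frida-server >/dev/null 2>&1 &'"

# Verify connection: -U selects the USB device; it should list device processes
frida-ps -U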
🔧 Basic Hooking
// Java.perform for Java methods (the `#` comment marker above was not valid JavaScript)
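// The callback runs on a thread attached to the ART/Dalvik VM; every Java.use
// must happen inside it.
Java.perform(() => {
  const Activity = Java.use('android.app.Activity');
  // Select the (Bundle) overload explicitly: onCreate also has a
  // (Bundle, PersistableBundle) variant, and Frida refuses a bare
  // .implementation on an overloaded method.
  const onCreate = Activity.onCreate.overload('android.os.Bundle');
  onCreate.implementation = function (savedInstanceState) {
    // $className is the runtime class of the hooked instance, so each Activity
    // subclass is identified instead of every one logging the same line.
    console.log(`Activity created: ${this.$className}`);
    // Always call through: skipping the original onCreate crashes the activity.
    return onCreate.call(this, savedInstanceState);
  };
});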
// Hook native functions
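// Resolve open(2) through the Module object: the two-argument
// Module.getExportByName(moduleName, symbol) form was removed in newer Frida,
// while Process.getModuleByName(...).getExportByName(...) works on old and new.
const libc = Process.getModuleByName('libc.so');
const openPtr = libc.getExportByName('open');
Interceptor.attach(openPtr, {
  onEnter(args) {
    // args[0] is `const char *pathname`; read it via the NativePointer method
    // (Memory.readUtf8String(ptr) is deprecated). Guard the NULL case so a
    // bogus caller does not crash the hooked process.
    const path = args[0].isNull() ? '<null>' : args[0].readUtf8String();
    console.log(`Opening: ${path}`);
    // NOTE(review): callers that use openat()/open64() directly are not seen
    // here; hook those too if expected paths are missing from the log.
  },
});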
🔐 Crypto Hooking
// Hook crypto operations
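// Log every javax.crypto.Cipher.init() so the mode, algorithm and key bytes
// can be recovered. Key material goes to the console: lab use only.
Java.perform(() => {
  const Cipher = Java.use('javax.crypto.Cipher');
  // Cipher.ENCRYPT_MODE..UNWRAP_MODE are the ints 1..4.
  const MODE_NAMES = { 1: 'ENCRYPT', 2: 'DECRYPT', 3: 'WRAP', 4: 'UNWRAP' };

  // Render a Java byte[] wrapper (elements are signed bytes) as lowercase hex.
  // The original's key.getEncoded().toString('hex') is not a byte[] method and
  // never printed the key.
  const toHex = (javaBytes) => {
    const parts = [];
    for (let i = 0; i < javaBytes.length; i++) {
      parts.push((javaBytes[i] & 0xff).toString(16).padStart(2, '0'));
    }
    return parts.join('');
  };

  // The original hooked only init(int, Key, SecureRandom). Most apps call
  // init(int, Key) or init(int, Key, AlgorithmParameterSpec) (IV-based modes),
  // so hook every overload; (mode, key) are the first two args of all of them.
  Cipher.init.overloads.forEach((overload) => {
    overload.implementation = function (...args) {
      const mode = args[0];
      const key = args[1];
      console.log(`Cipher init - Mode: ${MODE_NAMES[mode] || mode}, algorithm: ${this.getAlgorithm()}`);
      // getEncoded() returns null for non-extractable keys (e.g. AndroidKeyStore-backed),
      // which would otherwise throw inside the hook and abort the app's init().
      const encoded = key === null ? null : key.getEncoded();
      if (encoded === null) {
        console.log('Key: <not extractable>');
      } else {
        console.log(`Key: ${toHex(encoded)}`);
      }
      return overload.call(this, ...args);
    };
  });
});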
// Hook native crypto
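// EVP_EncryptInit is the legacy OpenSSL/BoringSSL entry point: modern callers use
// EVP_EncryptInit_ex / EVP_CipherInit_ex, and EVP_EncryptInit itself forwards to
// EVP_CipherInit_ex, so hooking EVP_CipherInit_ex sees the whole EVP_*Init family
// (decrypt included). NOTE(review): OpenSSL 3's *_ex2 variants may bypass it.
// Apps that link BoringSSL statically have no libcrypto.so at all, so resolve with
// the find* variants and skip instead of throwing at script load.
const libcrypto = Process.findModuleByName('libcrypto.so');
const EVP_CipherInit_ex = libcrypto === null ? null : libcrypto.findExportByName('EVP_CipherInit_ex');
if (EVP_CipherInit_ex === null) {
  console.log('EVP_CipherInit_ex not found (libcrypto.so not loaded or statically linked); native crypto hook skipped');
} else {
  // int EVP_CIPHER_key_length(const EVP_CIPHER *cipher); same shape for the IV length.
  const keyLength = new NativeFunction(libcrypto.getExportByName('EVP_CIPHER_key_length'), 'int', ['pointer']);
  const ivLength = new NativeFunction(libcrypto.getExportByName('EVP_CIPHER_iv_length'), 'int', ['pointer']);

  // Lowercase hex of `len` bytes at `ptr`; '' for a NULL pointer or zero length.
  const hexAt = (ptr, len) => {
    if (ptr.isNull() || len <= 0) return '';
    return Array.from(new Uint8Array(ptr.readByteArray(len)), (b) => b.toString(16).padStart(2, '0')).join('');
  };

  // int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl,
  //                       const unsigned char *key, const unsigned char *iv, int enc)
  Interceptor.attach(EVP_CipherInit_ex, {
    onEnter(args) {
      const cipher = args[1];
      const enc = args[5].toInt32(); // 1 = encrypt, 0 = decrypt, -1 = keep previous direction
      console.log(`EVP_CipherInit_ex enc=${enc}`);
      // A NULL cipher means the ctx is being re-initialised with a cipher set earlier,
      // so the key/IV lengths cannot be queried from this call.
      if (cipher.isNull()) return;
      // Key material printed to the console: lab use only.
      console.log(`Key: ${hexAt(args[3], keyLength(cipher))}`);
      console.log(`IV:  ${hexAt(args[4], ivLength(cipher))}`);
    },
  });
}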
📋 Common Scripts
// Root detection bypass (narrow: only defeats checks that read Build.TAGS)
// Many root checks read android.os.Build.TAGS and treat 'test-keys' as a
// custom/rooted build. Overwriting the static field defeats only that check;
// su-binary, Magisk-package, mount-flag and native checks are unaffected.
Java.perform(() => {
  const Build = Java.use('android.os.Build');
  // Static fields on a Java.use wrapper are read and written through .value.
  Build.TAGS.value = 'release-keys';
});
// SSL bypass
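// The original hooked javax.net.ssl.TrustManager.checkServerTrusted, but
// TrustManager is a marker interface with no methods (checkServerTrusted is
// declared on X509TrustManager), so that property is undefined and the
// assignment fails. Instead, register a trust-everything X509TrustManager and
// substitute it into every SSLContext.init() call, which is where Java TLS
// stacks pick up their trust managers.
Java.perform(() => {
  const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  const SSLContext = Java.use('javax.net.ssl.SSLContext');

  const TrustAll = Java.registerClass({
    name: 'com.frida.TrustAllManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted(chain, authType) {},
      checkServerTrusted(chain, authType) {},
      getAcceptedIssuers() {
        return [];
      },
    },
  });
  const trustAll = TrustAll.$new();

  const init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;',
    '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom',
  );
  init.implementation = function (keyManagers, trustManagers, secureRandom) {
    console.log('SSLContext.init: replacing trust managers');
    // Frida converts the JS array to a TrustManager[] for the call-through.
    return init.call(this, keyManagers, [trustAll], secureRandom);
  };

  // NOTE: pinning enforced outside the trust manager is not covered here, e.g.
  // okhttp3.CertificatePinner.check(String, List) or Network Security Config
  // pins checked in Conscrypt's TrustManagerImpl — hook those separately.
});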
// SharedPreferences dump
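// Dump every SharedPreferences file of the hooked app.
// The original called getSharedPreferences() on the Java.use class wrapper
// (it is an instance method and needs a real Context), hard-coded the file
// name 'prefs', and JSON.stringify'd a Java Map wrapper, which prints "{}".
Java.perform(() => {
  const ActivityThread = Java.use('android.app.ActivityThread');
  const File = Java.use('java.io.File');

  // currentApplication() is null until the app object exists (e.g. when the
  // script runs on spawn before resume); bail out instead of crashing.
  const app = ActivityThread.currentApplication();
  if (app === null) {
    console.log('no Application yet; run this after the app has started');
    return;
  }
  const context = app.getApplicationContext();

  // Convert a java.util.Map<String, ?> wrapper into a plain JS object so
  // JSON.stringify has something to serialise.
  const mapToObject = (map) => {
    const out = {};
    const keys = map.keySet().toArray();
    for (let i = 0; i < keys.length; i++) {
      const key = keys[i].toString();
      const value = map.get(key);
      out[key] = value === null ? null : value.toString();
    }
    return out;
  };

  // Preferences live in <dataDir>/shared_prefs/<name>.xml; the 0 passed to
  // getSharedPreferences is Context.MODE_PRIVATE.
  const dataDir = context.getApplicationInfo().dataDir.value;
  const fileNames = File.$new(dataDir, 'shared_prefs').list();
  if (fileNames === null) {
    console.log(`no shared_prefs directory under ${dataDir}`);
    return;
  }
  for (let i = 0; i < fileNames.length; i++) {
    const fileName = fileNames[i];
    if (!fileName.endsWith('.xml')) continue;
    const name = fileName.slice(0, -'.xml'.length);
    const prefs = context.getSharedPreferences(name, 0);
    console.log(`${name}: ${JSON.stringify(mapToObject(prefs.getAll()))}`);
  }
});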