Frida 17 更新了 API，过去很多能正常使用的脚本在新版本上都跑不起来了。下面记录升级后遇到的三个常见问题及其解决办法。
问题1:
{'type': 'error', 'description': "ReferenceError: 'Java' is not defined", 'stack': "ReferenceError: 'Java' is not defined\n
解决办法:
script.js
import Java from "frida-java-bridge";

// Frida 17+: `Java` is no longer a global; it comes from frida-java-bridge,
// which is also why the script has to be built with frida.Compiler before
// it can be loaded.
if (!Java.available) {
  console.log("No Java VM in this process");
} else {
  // perform() runs the callback once the app's class loader can be used.
  Java.perform(() => {
    send({ type: "status", message: "Application class-loader now available" });
  });
}
关键是要显式导入（Frida 17 起 Java 不再是全局对象，所以才会报 ReferenceError）：
import Java from "frida-java-bridge";
问题2:
带 import 的脚本需要先用 frida.Compiler 编译成 bundle，再通过 session.create_script(bundle) 加载；编译过程中的警告/错误会通过 diagnostics 事件回调。
def on_diagnostics(diag):
    """Handler for the compiler's "diagnostics" event.

    Echoes whatever the compiler reports while building the bundle (warnings
    and errors) to stdout, prefixed with the tag ``diag``. The exact shape of
    ``diag`` is whatever frida.Compiler emits — presumably dict-like; confirm
    against the Frida Python bindings before relying on its fields.
    """
    print("diag", diag)
# Frida 17: a script that uses `import` (e.g. frida-java-bridge) has to be
# built into a single bundle before create_script() will accept it.
compiler = frida.Compiler()
# Build-time warnings/errors arrive through the "diagnostics" event rather
# than on the build() call itself — see on_diagnostics above.
compiler.on("diagnostics", on_diagnostics)
... # frida initialize procedure
# NOTE(review): the bundle embeds whatever version of the imported packages is
# installed next to sw44.js, and that code is what gets injected into the
# target — pin the dependency version. TODO confirm the compiler's resolution rules.
bundle = compiler.build("sw44.js")
# The compiled bundle, not the .js source, is what create_script expects now.
script = session.create_script(bundle)
...
问题3:
script:
// Pre-Frida-17 version, kept for comparison: Module.findExportByName() was
// removed in Frida 17, so on that version this script fails to load with
// "TypeError: not a function" (see the error below). The updated version is
// further down.
function hook_dlopen() {
// Hook every dlopen variant we know of
const dlopenFuncs = [
'android_dlopen_ext',
'dlopen',
'__loader_dlopen'
];
let interceptors = [];
dlopenFuncs.forEach(funcName => {
// Old global-lookup API (null module = search all loaded modules).
let funcPtr = Module.findExportByName(null, funcName);
if (funcPtr) {
let interceptor = Interceptor.attach(funcPtr, {
// Must stay a `function`: `this.context` is Frida's invocation context.
onEnter: function(args) {
var pathptr = args[0];
if (pathptr && !pathptr.isNull()) {
var path = ptr(pathptr).readCString();
console.log("[LOAD]", path);
// Check whether this looks like an anti-tamper / detection library
// (pure substring heuristic — expect false positives and misses).
if (path && (path.includes("libtt") || path.includes("libbili") ||
path.includes("security") || path.includes("protect"))) {
console.warn("!!! Possible Frida detection library loaded:", path);
// The backtrace shows who requested the load, which is usually the
// code that is about to run the detection.
console.log(Thread.backtrace(this.context, Backtracer.ACCURATE)
.map(DebugSymbol.fromAddress).join('\n') + '\n');
}
}
}
});
interceptors.push(interceptor);
console.log(`Hooked ${funcName} at ${funcPtr}`);
}
});
// Return the listeners so the caller can detach() them later
return interceptors;
}
// setImmediate only defers hook_dlopen until the current script evaluation has
// finished; it cannot recover libraries that were loaded before the hooks were
// installed. NOTE(review): when attaching to an already-running process,
// anything loaded before this point is missed and has to be enumerated
// separately; under spawn the early loads are presumably still observed —
// TODO confirm for your workflow.
setImmediate(hook_dlopen);
加载出现错误:
'{'type': 'error', 'description': 'TypeError: not a function', 'stack': 'TypeError: not a function\n at <anonymous> (sw44.js:27)\n at forEach (native)\n at hook_dlopen
原因:
Frida 17 移除了 Module 上的一批静态查找方法（所以才会报 TypeError: not a function）；现在要么通过 Process.getModuleByName() 拿到 Module 实例后调用实例方法，要么用 Module.getGlobalExportByName() 做全局导出查找。
之前这些
// Static helpers on Module that no longer exist in Frida 17 — calling any of
// them is what produces the "TypeError: not a function" above. Lookups now go
// through a Module *instance* obtained from Process, or the global export
// lookup shown below.
Module.ensureInitialized()
Module.findBaseAddress()
Module.getBaseAddress()
Module.findExportByName()
Module.getExportByName()
Module.findSymbolByName()
Module.getSymbolByName()
现在是:
// Global export lookup across all loaded modules — the replacement for
// Module.findExportByName(null, name).
Module.getGlobalExportByName('open')
// Module-scoped lookups go through the Module object returned by Process.
// NOTE(review): by Frida's find*/get* naming convention the get* variants are
// expected to throw (rather than return null) when the module or export is
// missing — wrap them in try/catch if absence is possible; TODO confirm
// against the 17.x docs.
Process.getModuleByName('libc.so').getExportByName('open')
Process.getModuleByName('libc.so').base
// Example 1: one-liner form.
const openImpl = Process.getModuleByName('libc.so').getExportByName('open');
// Example 2 (separate snippet, hence `openImpl` declared again): cache the
// Module when resolving several exports from the same library.
const libc = Process.getModuleByName('libc.so');
const openImpl = libc.getExportByName('open');
const readImpl = libc.getExportByName('read');
更新后的脚本是:
import Java from "frida-java-bridge";

// Frida 17+: `Java` must be imported from frida-java-bridge instead of being
// picked up as a global; this import is what forces the frida.Compiler build
// step.
if (!Java.available) {
  console.log("No Java VM in this process");
} else {
  // perform() runs the callback once the app's class loader can be used.
  Java.perform(() => {
    send({ type: "status", message: "Application class-loader now available" });
  });
}
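/**
 * Hook the dlopen family so every shared-library load in the target is logged,
 * and loads whose path matches a small blocklist of substrings are flagged
 * together with a backtrace of the caller.
 *
 * Frida 17+: Module.findExportByName(null, name) is gone; the global lookup is
 * Module.getGlobalExportByName(name). Being a "get" variant it is expected to
 * throw rather than return null when the export is absent (e.g. __loader_dlopen
 * on some Android versions — TODO confirm), so each lookup is wrapped in
 * try/catch. Without that, one missing symbol aborts the whole loop and leaves
 * the remaining functions unhooked; the `if (funcPtr)` guard alone never sees
 * that case.
 *
 * NOTE(review): Interceptor.attach patches the hooked functions in place;
 * anti-Frida code that scans dlopen for inline hooks can notice this.
 *
 * @returns {InvocationListener[]} the listeners created, so the caller can
 *   detach() them later.
 */
function hook_dlopen() {
  // Names that suggest an anti-tamper / anti-Frida library. Pure substring
  // heuristic: expect false positives and misses.
  const SUSPICIOUS_MARKERS = ["libtt", "libbili", "security", "protect"];

  // bionic's dlopen()/android_dlopen_ext() presumably forward to the
  // __loader_* entry points, so a single load may be reported more than once —
  // TODO confirm on the target.
  const dlopenFuncs = ["android_dlopen_ext", "dlopen", "__loader_dlopen"];

  const interceptors = [];
  for (const funcName of dlopenFuncs) {
    let funcPtr = null;
    try {
      funcPtr = Module.getGlobalExportByName(funcName);
    } catch (err) {
      // Missing export on this platform/version: skip it, keep hooking the rest.
      console.log(`Skipping ${funcName}: ${err}`);
      continue;
    }
    if (!funcPtr) {
      continue;
    }

    const interceptor = Interceptor.attach(funcPtr, {
      // Must stay a `function`: `this.context` is Frida's invocation context.
      onEnter: function (args) {
        const pathptr = args[0];
        if (!pathptr || pathptr.isNull()) {
          return;
        }
        // args[0] is already a NativePointer; the old ptr() wrapper was redundant.
        const path = pathptr.readCString();
        console.log("[LOAD]", path);
        if (!path) {
          return;
        }
        if (SUSPICIOUS_MARKERS.some((marker) => path.includes(marker))) {
          console.warn("!!! Possible Frida detection library loaded:", path);
          // The backtrace shows who requested the load, which is usually the
          // code that is about to run the detection.
          console.log(Thread.backtrace(this.context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress).join('\n') + '\n');
        }
      }
    });
    interceptors.push(interceptor);
    console.log(`Hooked ${funcName} at ${funcPtr}`);
  }
  // Return the listeners so the caller can detach() them later.
  return interceptors;
}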
// setImmediate only defers hook_dlopen until the current script evaluation has
// finished; it cannot recover libraries that were loaded before the hooks were
// installed. NOTE(review): when attaching to an already-running process,
// anything loaded before this point is missed and has to be enumerated
// separately; under spawn the early loads are presumably still observed —
// TODO confirm for your workflow.
setImmediate(hook_dlopen);
现在加载就没问题了。注意：按 Frida 的 find*/get* 命名习惯，getGlobalExportByName 这类 get* 方法在找不到符号时应该是抛异常而不是返回 null，如果目标上没有 __loader_dlopen 等导出，上面的 if (funcPtr) 判断兜不住，建议给查找加 try/catch，以免一个符号缺失导致其余的 hook 都没装上。
ref: https://frida.re/news/2025/05/17/frida-17-0-0-released/
