├── README.md ├── android_main.js └── ios_main.js /README.md: -------------------------------------------------------------------------------- 1 | # APPPrivacyDetect 2 | 3 | 为了响应工信部通报而写(抄)的一些检测APP违规收集信息的Frida脚本 4 | 5 | ## 说明 6 | 7 | ### Android 8 | 目前可以实现对以下信息收集的检测,可能hook的方法不全,但应付工信部大概足够了 9 | 10 | - AndroidId 11 | - IMEI 12 | - IMSI 13 | - MacAddress 14 | - InstallPackages : 获取应用列表 15 | - RequestPermission : 判断是哪个sdk在请求权限 16 | - ro.serialno 17 | - IPAddress 18 | - RunningAppProcesses 19 | - WifiState 20 | - HostInfo 21 | - SocketConnect 22 | - Location 23 | 24 | 25 | ### IOS 26 | 27 | - advertisingIdentifier(idfa) 28 | - identifierForVendor(idfv) 29 | - systemUptime 30 | - device_name 31 | 32 | ## 环境 33 | 34 | ### Android 35 | 36 | 测试环境: 37 | 38 | Pixel4A (5G) 39 | Android版本: 12 40 | 版本号: SQ3A.220605.009.A1 41 | MagiskFrida 15.1.14-4 42 | Magisk 25.1 43 | 44 | 45 | frida 15.2.2 46 | frida-tools 10.2.1 47 | 48 | 环境问题的影响很大,尽量在上述环境下使用该脚本 49 | 50 | ### IOS 51 | 52 | IPhone8(JailBreak) 53 | 54 | 55 | ## 用法 56 | 57 | ### Android 58 | 59 | 想要获取什么信息就在Java.perform里面加什么函数就可以了 60 | 61 | frida -U -l android_main.js -f com.dawnnnnnn.test1 --no-pause 62 | 63 | ### IOS 64 | 65 | 安装 [frida-ios-hook](https://github.com/noobpk/frida-ios-hook) 66 | 67 | ./ioshook -p com.dawnnnnnn.test1 -s ios_main.js 68 | 69 | ## 一些吐槽 70 | 71 | 1. 有时候不是APP本身出了问题,特别是手游,因为存在游戏渠道的原因,各渠道会打包自己的SDK进去,第三方的SDK出了问题,通报还是到我们这里来,不是很合理。 72 | 2. 网络应急技术处理协调中心某省分中心通报的很多安全漏洞简直就是无中生有,希望能好好做检测 73 | 3. 好卷,外部白帽子开始提交IOS的隐私合规问题了,不得不学习了一下IOS hook,写的很垃圾,但能用就行 74 | 75 | 76 | ## 鸣谢 77 | 78 | 本项目的很多函数来自以下项目或作者 79 | 80 | [m4bln](https://mabin004.github.io/2018/12/20/%E5%88%A9%E7%94%A8Frida%E4%BF%AE%E6%94%B9Android%E8%AE%BE%E5%A4%87%E7%9A%84%E5%94%AF%E4%B8%80%E6%A0%87%E5%BF%97%E7%AC%A6/) 81 | 82 | [移动安全王铁头](https://www.bilibili.com/read/cv9078155) 83 | 84 | [ChenJunsen](https://github.com/ChenJunsen/Hegui3.0) -------------------------------------------------------------------------------- /android_main.js: -------------------------------------------------------------------------------- 1 | var line_flag = 0 // 为避免异步输出可能导致的数据混乱,加一个标号 2 | 3 | function get_tmp_index() { 4 | line_flag = line_flag + 1; 5 | return line_flag 6 | } 7 | 8 | function log_with_index(index, data) { 9 | console.log(index + "|" + data) 10 | } 11 | 12 | function showStacks(tmp_index) { 13 | var Exception = Java.use("java.lang.Exception"); 14 | var ins = Exception.$new("Exception"); 15 | var straces = ins.getStackTrace(); 16 | if (undefined == straces || null == straces) { 17 | return; 18 | } 19 | log_with_index(tmp_index, "============================= Stack strat======================="); 20 | log_with_index(tmp_index, ""); 21 | for (var i = 0; i < straces.length; i++) { 22 | var str = " " + straces[i].toString(); 23 | log_with_index(tmp_index, str); 24 | } 25 | log_with_index(tmp_index, ""); 26 | log_with_index(tmp_index, "============================= Stack end=======================\r\n"); 27 | Exception.$dispose(); 28 | } 29 | 30 | // 获取ro.serialno信息 31 | function hookGetSystemInfo() { 32 | try { 33 | var SP = Java.use("android.os.SystemProperties"); 34 | if (SP.get != undefined) { 35 | SP.get.overload('java.lang.String').implementation = function (p1) { 36 | if (p1.indexOf("ro.serialno") < 0) return this.get(p1); 37 | var tmp_index = get_tmp_index(); 38 | showStacks(tmp_index); 39 | var temp = this.get(p1); 40 | log_with_index(tmp_index, "[*]" + p1 + " : " + temp); 41 | return temp; 42 | } 43 | SP.get.overload('java.lang.String', 'java.lang.String').implementation = function (p1, p2) { 44 | if (p1.indexOf("ro.serialno") < 0) return this.get(p1, p2); 45 | var tmp_index = get_tmp_index(); 46 | showStacks(tmp_index); 47 | var temp = this.get(p1, p2) 48 | log_with_index(tmp_index, "[*]" + p1 + "," + p2 + " : " + temp); 49 | return temp; 50 | } 51 | } 52 | } catch (e) { 53 | log_with_index(-1, "Function hookGetSystemInfo-android.os.SystemProperties failed. reason:" + e) 54 | } 55 | } 56 | 57 | // 获取应用请求权限信息 58 | function hookRequestPermission() { 59 | try { 60 | var AC = Java.use("android.support.v4.app.ActivityCompat") 61 | if (AC.requestPermissions != undefined) { 62 | AC.requestPermissions.overload('android.app.Activity', '[Ljava.lang.String;', 'int').implementation = function (p1, p2, p3) { 63 | var tmp_index = get_tmp_index(); 64 | showStacks(tmp_index); 65 | log_with_index(tmp_index, "=============================[*]Called - requestPermissions=======================\r\n"); 66 | var temp = this.requestPermissions(p1, p2, p3); 67 | log_with_index(tmp_index, "requestPermissions: " + p2); 68 | return temp 69 | } 70 | } 71 | } catch (e) { 72 | log_with_index(-1, "Function hookRequestPermission-android.support.v4.app.ActivityCompat failed. reason:" + e) 73 | } 74 | 75 | try { 76 | var AC2 = Java.use("androidx.core.app.ActivityCompat") 77 | if (AC2.requestPermissions != undefined) { 78 | AC2.requestPermissions.overload('android.app.Activity', '[Ljava.lang.String;', 'int').implementation = function (p1, p2, p3) { 79 | var tmp_index = get_tmp_index(); 80 | showStacks(tmp_index); 81 | log_with_index(tmp_index, "=============================[*]Called - requestPermissions=======================\r\n"); 82 | var temp = this.requestPermissions(p1, p2, p3); 83 | log_with_index(tmp_index, "requestPermissions: " + p1 + p2 + p3); 84 | return temp 85 | } 86 | } 87 | } catch (e) { 88 | log_with_index(-1, "Function hookRequestPermission-androidx.core.app.ActivityCompat failed. reason:" + e) 89 | } 90 | 91 | try { 92 | var AC3 = Java.use("android.app.Activity") 93 | if (AC3.requestPermissions != undefined) { 94 | AC3.requestPermissions.overload('[Ljava.lang.String;', 'int').implementation = function (p1, p2) { 95 | var tmp_index = get_tmp_index(); 96 | showStacks(tmp_index); 97 | log_with_index(tmp_index, "=============================[*]Called - requestPermissions=======================\r\n"); 98 | var temp = this.requestPermissions(p1, p2); 99 | log_with_index(tmp_index, "requestPermissions: " + p1 + p2); 100 | return temp 101 | } 102 | } 103 | } catch (e) { 104 | log_with_index(-1, "Function hookRequestPermission-android.app.Activity failed. reason:" + e) 105 | } 106 | } 107 | 108 | // 获取AndroidId信息 109 | function hookGetAndroidId() { 110 | try { 111 | var Secure = Java.use("android.provider.Settings$Secure"); 112 | if (Secure.getString != undefined) { 113 | Secure.getString.implementation = function (p1, p2) { 114 | if (p2.indexOf("android_id") < 0) return this.getString(p1, p2); 115 | var tmp_index = get_tmp_index(); 116 | showStacks(tmp_index); 117 | log_with_index(tmp_index, "=============================[*]Called - get android_ID=======================param is" + p2 + "\r\n"); 118 | var temp = this.getString(p1, p2); 119 | log_with_index(tmp_index, "get android_ID: " + temp); 120 | return temp; 121 | 122 | } 123 | } 124 | } catch (e) { 125 | log_with_index(-1, "Function hookGetAndroidId-android.provider.Settings$Secure failed. reason:" + e) 126 | } 127 | } 128 | 129 | // 获取IMSI信息 130 | function hookGetIMSI() { 131 | try { 132 | var TelephonyManager = Java.use("android.telephony.TelephonyManager"); 133 | if (TelephonyManager.getSimSerialNumber != undefined) { 134 | // 获取单个IMSI的方法 135 | TelephonyManager.getSimSerialNumber.overload().implementation = function () { 136 | var tmp_index = get_tmp_index(); 137 | showStacks(tmp_index); 138 | log_with_index(tmp_index, "=============================[*]Called - getSimSerialNumber(String)=======================\r\n"); 139 | var temp = this.getSimSerialNumber(); 140 | log_with_index(tmp_index, "getSimSerialNumber(String): " + temp); 141 | return temp; 142 | }; 143 | 144 | // 应该也是获取IMSI的方法 145 | TelephonyManager.getSubscriberId.overload('int').implementation = function () { 146 | var tmp_index = get_tmp_index(); 147 | showStacks(tmp_index); 148 | log_with_index(tmp_index, "=============================[*]Called - getSubscriberId(int)=======================\r\n"); 149 | var temp = this.getSubscriberId(); 150 | log_with_index(tmp_index, "getSubscriberId(int): " + temp); 151 | return temp; 152 | } 153 | 154 | // 获取多个IMSI的方法 155 | TelephonyManager.getSimSerialNumber.overload('int').implementation = function (p) { 156 | var tmp_index = get_tmp_index(); 157 | showStacks(tmp_index); 158 | log_with_index(tmp_index, "=============================[*]Called - getSimSerialNumber(int)==============param is" + p + "\r\n"); 159 | var temp = this.getSimSerialNumber(p); 160 | log_with_index(tmp_index, "getSimSerialNumber(int) " + temp); 161 | return temp; 162 | }; 163 | 164 | TelephonyManager.getLine1Number.overload('int').implementation = function (p) { 165 | var tmp_index = get_tmp_index(); 166 | showStacks(tmp_index); 167 | log_with_index(tmp_index, "=============================[*]Called - getLine1Number(int)==============param is" + p + "\r\n"); 168 | var temp = this.getLine1Number(p); 169 | log_with_index(tmp_index, "getLine1Number(int) " + temp); 170 | return temp; 171 | }; 172 | } 173 | } catch (e) { 174 | log_with_index(-1, "Function hookGetIMSI-android.telephony.TelephonyManager failed. reason:" + e) 175 | } 176 | 177 | } 178 | 179 | // 获取IMEI信息 180 | function hookGetIMEI() { 181 | try { 182 | var TelephonyManager = Java.use("android.telephony.TelephonyManager"); 183 | if (TelephonyManager.getDeviceId != undefined) { 184 | // getDeviceId was deprecated in API level 26 185 | //获取单个IMEI 186 | TelephonyManager.getDeviceId.overload().implementation = function () { 187 | var tmp_index = get_tmp_index(); 188 | showStacks(tmp_index); 189 | log_with_index(tmp_index, "============================= [*]Called - getDeviceId()=======================\r\n"); 190 | log_with_index(tmp_index, "getDeviceId: " + 'Dawnnnnnn'); 191 | // var temp = this.getDeviceId(); 192 | // log_with_index(tmp_index, "getDeviceId: " + temp); 193 | // 这里可能因为API LEVEL的关系导致调用getdeviceId时应用闪退,那就不调用了 194 | return 'Dawnnnnnn'; 195 | }; 196 | //获取多个IMEI的方法 197 | TelephonyManager.getDeviceId.overload('int').implementation = function (p) { 198 | var tmp_index = get_tmp_index(); 199 | showStacks(tmp_index); 200 | log_with_index(tmp_index, "============================= [*]Called - getDeviceId()=======================param is" + p + "\r\n"); 201 | var temp = this.getDeviceId(p); 202 | log_with_index(tmp_index, "getDeviceId " + p + ": " + temp); 203 | return temp; 204 | }; 205 | 206 | //API LEVEL26以上的获取单个IMEI方法 207 | TelephonyManager.getImei.overload().implementation = function () { 208 | var tmp_index = get_tmp_index(); 209 | showStacks(tmp_index); 210 | log_with_index(tmp_index, "============================= [*]Called - getImei()=======================\r\n"); 211 | var temp = this.getImei(); 212 | log_with_index(tmp_index, "getImei: " + temp); 213 | return temp; 214 | }; 215 | 216 | 217 | // API LEVEL26以上的获取多个IMEI方法 218 | TelephonyManager.getImei.overload('int').implementation = function (p) { 219 | var tmp_index = get_tmp_index(); 220 | showStacks(tmp_index); 221 | log_with_index(tmp_index, "============================= [*]Called - getImei()====================param is" + p + "\r\n"); 222 | var temp = this.getImei(p); 223 | log_with_index(tmp_index, "getImei: " + temp); 224 | return temp; 225 | }; 226 | } 227 | } catch (e) { 228 | log_with_index(-1, "Function hookGetIMEI-android.telephony.TelephonyManager failed. reason:" + e) 229 | } 230 | } 231 | 232 | 233 | // 获取MEID信息 234 | function hookGetMEID() { 235 | try { 236 | var TelephonyManager = Java.use("android.telephony.TelephonyManager"); 237 | if (TelephonyManager.getMeid != undefined) { 238 | TelephonyManager.getMeid.overload().implementation = function () { 239 | var tmp_index = get_tmp_index(); 240 | showStacks(tmp_index); 241 | log_with_index(tmp_index, "============================= [*]Called - getMeid()=======================\r\n"); 242 | var temp = this.getMeid(); 243 | log_with_index(tmp_index, "getDeviceId: " + temp); 244 | return temp; 245 | }; 246 | TelephonyManager.getMeid.overload('int').implementation = function (p) { 247 | var tmp_index = get_tmp_index(); 248 | showStacks(tmp_index); 249 | log_with_index(tmp_index, "============================= [*]Called - getMeid()=======================param is" + p + "\r\n"); 250 | var temp = this.getMeid(p); 251 | log_with_index(tmp_index, "getMeid " + p + ": " + temp); 252 | return temp; 253 | }; 254 | } 255 | } catch (e) { 256 | log_with_index(-1, "Function hookGetMEID-android.telephony.TelephonyManager failed. reason:" + e) 257 | } 258 | } 259 | 260 | 261 | // 获取Mac地址信息 262 | function hookGetMacAddress() { 263 | try { 264 | var wifiInfo = Java.use("android.net.wifi.WifiInfo"); 265 | if (wifiInfo.getMacAddress != undefined) { 266 | wifiInfo.getMacAddress.implementation = function () { 267 | var tmp_index = get_tmp_index(); 268 | showStacks(tmp_index); 269 | log_with_index(tmp_index, "============================= [*]Called - getMacAddress()=======================\r\n"); 270 | var temp = this.getMacAddress(); 271 | log_with_index(tmp_index, "getMacAddress: " + temp); 272 | return temp; 273 | }; 274 | } 275 | } catch (e) { 276 | log_with_index(-1, "Function hookGetMacAddress-android.net.wifi.WifiInfo failed. reason:" + e) 277 | } 278 | 279 | try { 280 | var networkInterface = Java.use("java.net.NetworkInterface"); 281 | if (networkInterface.getHardwareAddress != undefined) { 282 | networkInterface.getHardwareAddress.overload().implementation = function () { 283 | var tmp_index = get_tmp_index(); 284 | showStacks(tmp_index); 285 | log_with_index(tmp_index, "============================= [*]Called - getHardwareAddress()=======================\r\n"); 286 | var temp = this.getHardwareAddress(); 287 | log_with_index(tmp_index, "getHardwareAddress: " + temp); 288 | return temp; 289 | }; 290 | } 291 | } catch (e) { 292 | log_with_index(-1, "Function hookGetMacAddress-java.net.NetworkInterface failed. reason:" + e) 293 | } 294 | } 295 | 296 | 297 | // 获取IP地址信息 298 | function hookGetIPAddress() { 299 | // This method was deprecated in API level 31. 300 | try { 301 | var wifiInfo = Java.use("android.net.wifi.WifiInfo"); 302 | if (wifiInfo.getIpAddress != undefined) { 303 | wifiInfo.getIpAddress.implementation = function () { 304 | var tmp_index = get_tmp_index(); 305 | showStacks(tmp_index); 306 | log_with_index(tmp_index, "============================= [*]Called - getIpAddress()=======================\r\n"); 307 | var temp = this.getIpAddress(); 308 | log_with_index(tmp_index, "getIpAddress: " + temp); 309 | return temp; 310 | }; 311 | } 312 | } catch (e) { 313 | log_with_index(-1, "Function hookGetIPAddress-android.net.wifi.WifiInfo failed. reason:" + e) 314 | } 315 | } 316 | 317 | // 获取RunningAppProcesses信息 318 | function hookGetRunningAppProcesses() { 319 | try { 320 | var AM = Java.use("android.app.ActivityManager"); 321 | if (AM.getRunningAppProcesses != undefined) { 322 | AM.getRunningAppProcesses.implementation = function () { 323 | var tmp_index = get_tmp_index(); 324 | showStacks(tmp_index); 325 | log_with_index(tmp_index, "============================= [*]Called - getRunningAppProcesses()=======================\r\n"); 326 | var temp = this.getRunningAppProcesses(); 327 | log_with_index(tmp_index, "getRunningAppProcesses: " + temp); 328 | return temp; 329 | } 330 | } 331 | } catch (e) { 332 | log_with_index(-1, "Function hookGetRunningAppProcesses-android.app.ActivityManager failed. reason:" + e) 333 | } 334 | 335 | } 336 | 337 | // 获取WIFI状态信息 338 | function hookGetWifiState() { 339 | try { 340 | var wifiManager = Java.use("android.net.wifi.WifiManager"); 341 | if (wifiManager.getWifiState != undefined) { 342 | wifiManager.getWifiState.implementation = function () { 343 | var tmp_index = get_tmp_index(); 344 | showStacks(tmp_index); 345 | log_with_index(tmp_index, "============================= [*]Called - getWifiState()=======================\r\n"); 346 | var temp = this.getWifiState(); 347 | log_with_index(tmp_index, "getWifiState: " + temp); 348 | return temp; 349 | }; 350 | if (wifiManager.getSSID != undefined) { 351 | wifiManager.getSSID.implementation = function () { 352 | showStacks(tmp_index); 353 | log_with_index(tmp_index, "============================= [*]Called - getSSID()=======================\r\n"); 354 | var temp = this.getSSID(); 355 | log_with_index(tmp_index, "getSSID: " + temp); 356 | return temp; 357 | } 358 | 359 | } 360 | } 361 | var WifiInfo = Java.use("android.net.wifi.WifiInfo"); 362 | if (WifiInfo.getSSID != undefined) { 363 | WifiInfo.getSSID.implementation = function () { 364 | var tmp_index = get_tmp_index(); 365 | showStacks(tmp_index); 366 | log_with_index(tmp_index, "============================= [*]Called - getSSID()=======================\r\n"); 367 | var temp = this.getSSID(); 368 | log_with_index(tmp_index, "getSSID: " + temp); 369 | return temp; 370 | }; 371 | } 372 | 373 | } catch (e) { 374 | log_with_index(-1, "Function hookGetWifiState-android.net.wifi.WifiManager failed. reason:" + e) 375 | } 376 | } 377 | 378 | // 获取网络状态信息 379 | function hookGetActiveNetworkInfo() { 380 | // This method was deprecated in API level 29. 381 | try { 382 | var CM = Java.use("android.net.ConnectivityManager"); 383 | if (CM.getActiveNetworkInfo != undefined) { 384 | CM.getActiveNetworkInfo.implementation = function () { 385 | var tmp_index = get_tmp_index(); 386 | showStacks(tmp_index); 387 | log_with_index(tmp_index, "============================= [*]Called - getActiveNetworkInfo()=======================\r\n"); 388 | var temp = this.getActiveNetworkInfo(); 389 | log_with_index(tmp_index, "getActiveNetworkInfo: " + temp); 390 | return temp; 391 | } 392 | } 393 | } catch (e) { 394 | log_with_index(-1, "Function hookGetActiveNetworkInfo-android.net.ConnectivityManager failed. reason:" + e) 395 | } 396 | } 397 | 398 | // 获取hostaddress、hostname信息 399 | function hookGetHostInfo() { 400 | try { 401 | var socketAddress = Java.use("java.net.InetSocketAddress"); 402 | if (socketAddress.getHostAddress != undefined) { 403 | socketAddress.getHostAddress.implementation = function () { 404 | var tmp_index = get_tmp_index(); 405 | showStacks(tmp_index); 406 | log_with_index(tmp_index, "============================= [*]Called - getHostAddress()=======================\r\n"); 407 | var temp = this.getHostAddress(); 408 | log_with_index(tmp_index, "getHostAddress: " + temp); 409 | return temp; 410 | }; 411 | socketAddress.getAddress.implementation = function () { 412 | var tmp_index = get_tmp_index(); 413 | showStacks(tmp_index); 414 | log_with_index(tmp_index, "============================= [*]Called - getAddress()=======================\r\n"); 415 | var temp = this.getAddress(); 416 | log_with_index(tmp_index, "getAddress: " + temp); 417 | return temp; 418 | }; 419 | socketAddress.getHostName.implementation = function () { 420 | var tmp_index = get_tmp_index(); 421 | showStacks(tmp_index); 422 | log_with_index(tmp_index, "============================= [*]Called - getHostName()=======================\r\n"); 423 | var temp = this.getHostName(); 424 | log_with_index(tmp_index, "getHostName: " + temp); 425 | return temp; 426 | }; 427 | } 428 | } catch (e) { 429 | log_with_index(-1, "Function hookGetHostInfo-java.net.InetSocketAddress failed. reason:" + e) 430 | } 431 | 432 | try { 433 | var inetAddress = Java.use("java.net.InetAddress"); 434 | if (inetAddress.getHostAddress != undefined) { 435 | inetAddress.getHostAddress.implementation = function () { 436 | var tmp_index = get_tmp_index(); 437 | showStacks(tmp_index); 438 | log_with_index(tmp_index, "============================= [*]Called - getHostAddress()=======================\r\n"); 439 | var temp = this.getHostAddress(); 440 | log_with_index(tmp_index, "getHostAddress: " + temp); 441 | return temp; 442 | }; 443 | inetAddress.getAddress.implementation = function () { 444 | var tmp_index = get_tmp_index(); 445 | showStacks(tmp_index); 446 | log_with_index(tmp_index, "============================= [*]Called - getAddress()=======================\r\n"); 447 | var temp = this.getAddress(); 448 | log_with_index(tmp_index, "getAddress: " + temp); 449 | return temp; 450 | }; 451 | inetAddress.getHostName.implementation = function () { 452 | var tmp_index = get_tmp_index(); 453 | showStacks(tmp_index); 454 | log_with_index(tmp_index, "============================= [*]Called - getHostName()=======================\r\n"); 455 | var temp = this.getHostName(); 456 | log_with_index(tmp_index, "getHostName: " + temp); 457 | return temp; 458 | }; 459 | } 460 | } catch (e) { 461 | log_with_index(-1, "Function hookGetHostInfo-java.net.InetAddress failed. reason:" + e) 462 | } 463 | 464 | try { 465 | var inet4Address = Java.use("java.net.Inet4Address"); 466 | if (inet4Address.getHostAddress != undefined) { 467 | inet4Address.getHostAddress.implementation = function () { 468 | var tmp_index = get_tmp_index(); 469 | showStacks(tmp_index); 470 | log_with_index(tmp_index, "============================= [*]Called - getHostAddress()=======================\r\n"); 471 | var temp = this.getHostAddress(); 472 | log_with_index(tmp_index, "getHostAddress: " + temp); 473 | return temp; 474 | }; 475 | } 476 | } catch (e) { 477 | log_with_index(-1, "Function hookGetHostInfo-java.net.Inet4Address failed. reason:" + e) 478 | } 479 | try { 480 | var inet6Address = Java.use("java.net.Inet6Address"); 481 | inet6Address.getHostAddress.implementation = function () { 482 | var tmp_index = get_tmp_index(); 483 | showStacks(tmp_index); 484 | log_with_index(tmp_index, "============================= [*]Called - getHostAddress()=======================\r\n"); 485 | var temp = this.getHostAddress(); 486 | log_with_index(tmp_index, "getHostAddress: " + temp); 487 | return temp; 488 | }; 489 | } catch (e) { 490 | log_with_index(-1, "Function hookGetHostInfo-java.net.Inet6Address failed. reason:" + e) 491 | } 492 | 493 | } 494 | 495 | // 获取网络连接信息 496 | function hookGetSocketConnect() { 497 | try { 498 | var socket = Java.use("java.net.Socket"); 499 | // 这里有个bug,当p1的值中不包含域名时(猜测),this.connect会失败导致应用和Frida闪退,原因不明,该函数暂时弃用 500 | // https://stackoverflow.com/questions/56146503/can-anyone-help-me-how-to-hook-java-net-socket-connectjava-net-socketaddress-i 501 | if (socket.connect != undefined) { 502 | socket.connect.overload('java.net.SocketAddress', 'int').implementation = function (p1, p2) { 503 | var tmp_index = get_tmp_index(); 504 | showStacks(tmp_index); 505 | log_with_index(tmp_index, "============================= [*]Called - connect(p1,p2)=======================\r\n"); 506 | log_with_index(tmp_index, p1, p2) 507 | var temp = this.connect(p1, p2); 508 | return temp; 509 | } 510 | socket.connect.overload('java.net.SocketAddress').implementation = function (p1) { 511 | var tmp_index = get_tmp_index(); 512 | showStacks(tmp_index); 513 | log_with_index(tmp_index, "============================= [*]Called - connect(p1)=======================\r\n"); 514 | log_with_index(tmp_index, p1) 515 | var temp = this.connect(p1); 516 | return temp; 517 | } 518 | } 519 | } catch (e) { 520 | log_with_index(-1, "Function hookGetSocketConnect-java.net.Socket failed. reason:" + e) 521 | } 522 | } 523 | 524 | 525 | // 获取定位信息 526 | function hookGetLocation() { 527 | try { 528 | var geocoder = Java.use("android.location.Geocoder"); 529 | if (geocoder.getFromLocation != undefined) { 530 | // This method was deprecated in API level 33. 531 | geocoder.getFromLocation.overload('double', 'double', 'int').implementation = function (p1, p2, p3) { 532 | var tmp_index = get_tmp_index(); 533 | showStacks(tmp_index); 534 | log_with_index(tmp_index, "============================= [*]Called - getFromLocation(p1,p2,p3)=======================\r\n"); 535 | var temp = this.getFromLocation(p1, p2, p3); 536 | log_with_index(tmp_index, "getFromLocation: " + temp); 537 | return temp; 538 | } 539 | // This method was deprecated in API level 33. 540 | geocoder.getFromLocationName.overload('java.lang.String', 'int', 'double', 'double', 'double', 'double').implementation = function (p1, p2, p3, p4, p5, p6) { 541 | var tmp_index = get_tmp_index(); 542 | showStacks(tmp_index); 543 | log_with_index(tmp_index, "============================= [*]Called - getFromLocationName(p1,p2,p3,p4,p5,p6)=======================\r\n"); 544 | var temp = this.getFromLocationName(p1, p2, p3, p4, p5, p6); 545 | log_with_index(tmp_index, "getFromLocationName: " + temp); 546 | return temp; 547 | } 548 | geocoder.getFromLocationName.overload('java.lang.String', 'int').implementation = function (p1, p2) { 549 | var tmp_index = get_tmp_index(); 550 | showStacks(tmp_index); 551 | log_with_index(tmp_index, "============================= [*]Called - getFromLocationName(p1,p2)=======================\r\n"); 552 | var temp = this.getFromLocationName(p1, p2); 553 | log_with_index(tmp_index, "getFromLocationName: " + temp); 554 | return temp; 555 | } 556 | } 557 | } catch (e) { 558 | log_with_index(-1, "Function hookGetLocation-android.location.Geocoder failed. reason:" + e) 559 | } 560 | 561 | 562 | try { 563 | var LocationManager = Java.use("android.location.LocationManager"); 564 | if (LocationManager.requestLocationUpdates != undefined) { 565 | LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'android.app.PendingIntent').implementation = function (p1, p2) { 566 | var tmp_index = get_tmp_index(); 567 | showStacks(tmp_index); 568 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2)=======================\r\n"); 569 | var temp = this.requestLocationUpdates(p1, p2); 570 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 571 | return temp; 572 | } 573 | LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper').implementation = function (p1, p2, p3) { 574 | var tmp_index = get_tmp_index(); 575 | showStacks(tmp_index); 576 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3)=======================\r\n"); 577 | var temp = this.requestLocationUpdates(p1, p2, p3); 578 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 579 | return temp; 580 | } 581 | LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'java.util.concurrent.Executor', 'android.location.LocationListener').implementation = function (p1, p2, p3) { 582 | var tmp_index = get_tmp_index(); 583 | showStacks(tmp_index); 584 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3)=======================\r\n"); 585 | var temp = this.requestLocationUpdates(p1, p2, p3); 586 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 587 | return temp; 588 | } 589 | LocationManager.requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'android.app.PendingIntent').implementation = function (p1, p2, p3, p4) { 590 | var tmp_index = get_tmp_index(); 591 | showStacks(tmp_index); 592 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4)=======================\r\n"); 593 | var temp = this.requestLocationUpdates(p1, p2, p3, p4); 594 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 595 | return temp; 596 | } 597 | LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.app.PendingIntent').implementation = function (p1, p2, p3, p4) { 598 | var tmp_index = get_tmp_index(); 599 | showStacks(tmp_index); 600 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4)=======================\r\n"); 601 | var temp = this.requestLocationUpdates(p1, p2, p3, p4); 602 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 603 | return temp; 604 | } 605 | LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.location.LocationListener').implementation = function (p1, p2, p3, p4) { 606 | var tmp_index = get_tmp_index(); 607 | showStacks(tmp_index); 608 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4)=======================\r\n"); 609 | var temp = this.requestLocationUpdates(p1, p2, p3, p4); 610 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 611 | return temp; 612 | } 613 | LocationManager.requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'android.location.LocationListener', 'android.os.Looper').implementation = function (p1, p2, p3, p4, p5) { 614 | var tmp_index = get_tmp_index(); 615 | showStacks(tmp_index); 616 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4,p5)=======================\r\n"); 617 | var temp = this.requestLocationUpdates(p1, p2, p3, p4, p5); 618 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 619 | return temp; 620 | } 621 | LocationManager.requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'java.util.concurrent.Executor', 'android.location.LocationListener').implementation = function (p1, p2, p3, p4, p5) { 622 | var tmp_index = get_tmp_index(); 623 | showStacks(tmp_index); 624 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4,p5)=======================\r\n"); 625 | var temp = this.requestLocationUpdates(p1, p2, p3, p4, p5); 626 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 627 | return temp; 628 | } 629 | LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.location.LocationListener', 'android.os.Looper').implementation = function (p1, p2, p3, p4, p5) { 630 | var tmp_index = get_tmp_index(); 631 | showStacks(tmp_index); 632 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4,p5)=======================\r\n"); 633 | var temp = this.requestLocationUpdates(p1, p2, p3, p4, p5); 634 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 635 | return temp; 636 | } 637 | LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper', 'android.app.PendingIntent').implementation = function (p1, p2, p3, p4) { 638 | var tmp_index = get_tmp_index(); 639 | showStacks(tmp_index); 640 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4)=======================\r\n"); 641 | var temp = this.requestLocationUpdates(p1, p2, p3, p4); 642 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 643 | return temp; 644 | } 645 | LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'java.util.concurrent.Executor', 'android.location.LocationListener').implementation = function (p1, p2, p3, p4, p5) { 646 | var tmp_index = get_tmp_index(); 647 | showStacks(tmp_index); 648 | log_with_index(tmp_index, "============================= [*]Called - requestLocationUpdates(p1,p2,p3,p4,p5)=======================\r\n"); 649 | var temp = this.requestLocationUpdates(p1, p2, p3, p4, p5); 650 | log_with_index(tmp_index, "requestLocationUpdates: " + temp); 651 | return temp; 652 | } 653 | LocationManager.getLastKnownLocation.overload('java.lang.String').implementation = function (p1) { 654 | var tmp_index = get_tmp_index(); 655 | showStacks(tmp_index); 656 | log_with_index(tmp_index, "============================= [*]Called - getLastKnownLocation(p1)=======================\r\n"); 657 | var temp = this.getLastKnownLocation(p1); 658 | log_with_index(tmp_index, "getLastKnownLocation: " + temp); 659 | return temp; 660 | } 661 | LocationManager.getCurrentLocation.overload('java.lang.String', 'android.location.LocationRequest', 'android.os.CancellationSignal', 'java.util.concurrent.Executor', 'java.util.function.Consumer').implementation = function (p1, p2, p3, p4, p5) { 662 | var tmp_index = get_tmp_index(); 663 | showStacks(tmp_index); 664 | log_with_index(tmp_index, "============================= [*]Called - getCurrentLocation(p1,p2,p3,p4,p5)=======================\r\n"); 665 | var temp = this.getCurrentLocation(p1, p2, p3, p4, p5); 666 | log_with_index(tmp_index, "getCurrentLocation: " + temp); 667 | return temp; 668 | } 669 | LocationManager.getCurrentLocation.overload('java.lang.String', 'android.os.CancellationSignal', 'java.util.concurrent.Executor', 'java.util.function.Consumer').implementation = function (p1, p2, p3, p4) { 670 | var tmp_index = get_tmp_index(); 671 | showStacks(tmp_index); 672 | log_with_index(tmp_index, "============================= [*]Called - getCurrentLocation(p1,p2,p3,p4)=======================\r\n"); 673 | var temp = this.getCurrentLocation(p1, p2, p3, p4); 674 | log_with_index(tmp_index, "getCurrentLocation: " + temp); 675 | return temp; 676 | } 677 | LocationManager.getProviders.overload('java.lang.Boolean').implementation = function (p1) { 678 | var tmp_index = get_tmp_index(); 679 | showStacks(tmp_index); 680 | log_with_index(tmp_index, "============================= [*]Called - getProviders(p1)=======================\r\n"); 681 | var temp = this.getProviders(p1); 682 | log_with_index(tmp_index, "getProviders: " + temp); 683 | return temp; 684 | } 685 | LocationManager.getProviders.overload('android.location.Criteria','java.lang.Boolean').implementation = function (p1,p2) { 686 | var tmp_index = get_tmp_index(); 687 | showStacks(tmp_index); 688 | log_with_index(tmp_index, "============================= [*]Called - getProviders(p1,p2)=======================\r\n"); 689 | var temp = this.getProviders(p1,p2); 690 | log_with_index(tmp_index, "getProviders: " + temp); 691 | return temp; 692 | } 693 | } 694 | } catch (e) { 695 | log_with_index(-1, "Function hookGetLocation-android.location.LocationManager failed. reason:" + e) 696 | } 697 | 698 | } 699 | 700 | // 获取GetInstallPackages信息 701 | function hookGetInstallPackages() { 702 | try { 703 | var pmPackageManager = Java.use("android.content.pm.PackageManager"); 704 | if (pmPackageManager.getInstalledPackages != undefined) { 705 | pmPackageManager.getInstalledPackages.overload('int').implementation = function (p1) { 706 | var tmp_index = get_tmp_index(); 707 | showStacks(tmp_index); 708 | log_with_index(tmp_index, "============================= [*]Called - pm-getInstalledPackages()=======================\r\n"); 709 | var temp = this.getInstalledPackages(p1); 710 | log_with_index(tmp_index, "getInstalledPackages: " + temp); 711 | return temp; 712 | }; 713 | pmPackageManager.getInstalledApplications.overload('int').implementation = function (p1) { 714 | var tmp_index = get_tmp_index(); 715 | showStacks(tmp_index); 716 | log_with_index(tmp_index, "============================= [*]Called - pm-getInstalledApplications()=======================\r\n"); 717 | var temp = this.getInstalledApplications(p1); 718 | log_with_index(tmp_index, "getInstalledApplications: " + temp); 719 | return temp; 720 | }; 721 | pmPackageManager.getInstalledModules.overload('int').implementation = function (p1) { 722 | var tmp_index = get_tmp_index(); 723 | showStacks(tmp_index); 724 | log_with_index(tmp_index, "============================= [*]Called - app-getInstalledModules()=======================\r\n"); 725 | var temp = this.getInstalledModules(p1); 726 | log_with_index(tmp_index, "getInstalledModules: " + temp); 727 | return temp; 728 | }; 729 | } 730 | } catch (e) { 731 | log_with_index(-1, "Function hookGetInstallPackages-android.content.pm.PackageManager failed. reason:" + e) 732 | } 733 | 734 | try { 735 | var appPackageManager = Java.use("android.app.ApplicationPackageManager"); 736 | if (appPackageManager.getInstalledPackages != undefined) { 737 | appPackageManager.getInstalledPackages.overload('int').implementation = function (p1) { 738 | var tmp_index = get_tmp_index(); 739 | showStacks(tmp_index); 740 | log_with_index(tmp_index, "============================= [*]Called - app-getInstalledPackages()=======================\r\n"); 741 | var temp = this.getInstalledPackages(p1); 742 | log_with_index(tmp_index, "getInstalledPackages: " + temp); 743 | return temp; 744 | }; 745 | appPackageManager.getInstalledApplications.overload('int').implementation = function (p1) { 746 | var tmp_index = get_tmp_index(); 747 | showStacks(tmp_index); 748 | log_with_index(tmp_index, "============================= [*]Called - app-getInstalledApplications()=======================\r\n"); 749 | var temp = this.getInstalledApplications(p1); 750 | log_with_index(tmp_index, "getInstalledApplications: " + temp); 751 | return temp; 752 | }; 753 | appPackageManager.queryIntentActivities.implementation = function (p1, p2) { 754 | var tmp_index = get_tmp_index(); 755 | showStacks(tmp_index); 756 | log_with_index(tmp_index, "============================= [*]Called - app-queryIntentActivities()=======================\r\n"); 757 | var temp = this.queryIntentActivities(p1, p2); 758 | log_with_index(tmp_index, "queryIntentActivities: " + temp); 759 | return temp; 760 | }; 761 | appPackageManager.getInstalledApplicationsAsUser.overload('int', 'int').implementation = function (p1, p2) { 762 | var tmp_index = get_tmp_index(); 763 | showStacks(tmp_index); 764 | log_with_index(tmp_index, "============================= [*]Called - app-getInstalledApplicationsAsUser(p1,p2)=======================\r\n"); 765 | var temp = this.getInstalledApplicationsAsUser(p1, p2); 766 | log_with_index(tmp_index, "getInstalledApplicationsAsUser: " + temp); 767 | return temp; 768 | }; 769 | appPackageManager.getInstalledPackagesAsUser.overload('int', 'int').implementation = function (p1, p2) { 770 | var tmp_index = get_tmp_index(); 771 | showStacks(tmp_index); 772 | log_with_index(tmp_index, "============================= [*]Called - app-getInstalledPackagesAsUser(p1,p2)=======================\r\n"); 773 | var temp = this.getInstalledPackagesAsUser(p1, p2); 774 | log_with_index(tmp_index, "getInstalledPackagesAsUser: " + temp); 775 | return temp; 776 | }; 777 | } 778 | } catch (e) { 779 | log_with_index(-1, "Function hookGetInstallPackages-android.app.ApplicationPackageManager failed. reason:" + e) 780 | } 781 | 782 | } 783 | 784 | 785 | // 获取国内特色信息 786 | // 这个需要在特定品牌手机上才能测试,原生系统不存在对应SDK,以下为小米品牌SDK 787 | // 参考 https://www.ichdata.com/wp-content/uploads/2020/06/2021032423172817.pdf 788 | // https://github.com/gzu-liyujiang/Android_CN_OAID 789 | //xiaomi 790 | function hookGetIdProvider() { 791 | try { 792 | var IdProvider = Java.use("com.android.id.impl.IdProviderImpl"); 793 | if (IdProvider.getUDID != undefined) { 794 | IdProvider.getUDID.implementation = function () { 795 | var tmp_index = get_tmp_index(); 796 | showStacks(tmp_index); 797 | log_with_index(tmp_index, "============================= [*]Called - getUDID()=======================\r\n"); 798 | var temp = this.getUDID(); 799 | log_with_index(tmp_index, "getUDID: " + temp); 800 | return temp; 801 | }; 802 | } 803 | if (IdProvider.getOAID != undefined) { 804 | IdProvider.getOAID.overload('android.content.Context').implementation = function (p1) { 805 | var tmp_index = get_tmp_index(); 806 | showStacks(tmp_index); 807 | log_with_index(tmp_index, "============================= [*]Called - getOAID(p1)=======================\r\n"); 808 | var temp = this.getOAID(p1); 809 | log_with_index(tmp_index, "getOAID: " + temp); 810 | return temp; 811 | }; 812 | } 813 | if (IdProvider.getVAID != undefined) { 814 | IdProvider.getVAID.implementation = function () { 815 | var tmp_index = get_tmp_index(); 816 | showStacks(tmp_index); 817 | log_with_index(tmp_index, "============================= [*]Called - getVAID()=======================\r\n"); 818 | var temp = this.getVAID(); 819 | log_with_index(tmp_index, "getVAID: " + temp); 820 | return temp; 821 | }; 822 | } 823 | if (IdProvider.getAAID != undefined) { 824 | IdProvider.getAAID.implementation = function () { 825 | var tmp_index = get_tmp_index(); 826 | showStacks(tmp_index); 827 | log_with_index(tmp_index, "============================= [*]Called - getAAID()=======================\r\n"); 828 | var temp = this.getAAID(); 829 | log_with_index(tmp_index, "getAAID: " + temp); 830 | return temp; 831 | }; 832 | } 833 | 834 | } catch (e) { 835 | log_with_index(-1, "Function hookGetIdProvider-com.android.id.impl.IdProviderImpl failed. reason:" + e) 836 | } 837 | } 838 | 839 | // samsung 840 | function hookGetIDeviceIdService() { 841 | try { 842 | var IdProvider = Java.use("com.samsung.android.deviceidservice.IDeviceIdService$Stub$Proxy"); 843 | if (IdProvider.getOAID != undefined) { 844 | IdProvider.getOAID.implementation = function () { 845 | var tmp_index = get_tmp_index(); 846 | showStacks(tmp_index); 847 | log_with_index(tmp_index, "============================= [*]Called - getOAID()=======================\r\n"); 848 | var temp = this.getOAID(); 849 | log_with_index(tmp_index, "getOAID: " + temp); 850 | return temp; 851 | }; 852 | } 853 | if (IdProvider.getVAID != undefined) { 854 | IdProvider.getVAID.overload('java.lang.String').implementation = function (p1) { 855 | var tmp_index = get_tmp_index(); 856 | showStacks(tmp_index); 857 | log_with_index(tmp_index, "============================= [*]Called - getVAID(p1)=======================\r\n"); 858 | var temp = this.getVAID(p1); 859 | log_with_index(tmp_index, "getVAID: " + temp); 860 | return temp; 861 | }; 862 | } 863 | if (IdProvider.getAAID != undefined) { 864 | IdProvider.getAAID.overload('java.lang.String').implementation = function (p1) { 865 | var tmp_index = get_tmp_index(); 866 | showStacks(tmp_index); 867 | log_with_index(tmp_index, "============================= [*]Called - getAAID(p1)=======================\r\n"); 868 | var temp = this.getAAID(p1); 869 | log_with_index(tmp_index, "getAAID: " + temp); 870 | return temp; 871 | }; 872 | } 873 | 874 | } catch (e) { 875 | log_with_index(-1, "Function hookGetIDeviceIdService-com.samsung.android.deviceidservice.IDeviceIdService$Stub$Proxy failed. reason:" + e) 876 | } 877 | 878 | try { 879 | var IdProvider = Java.use("repeackage.com.samsung.android.deviceidservice.IDeviceIdService$Stub$Proxy"); 880 | if (IdProvider.getOAID != undefined) { 881 | IdProvider.getOAID.implementation = function () { 882 | var tmp_index = get_tmp_index(); 883 | showStacks(tmp_index); 884 | log_with_index(tmp_index, "============================= [*]Called - getOAID()=======================\r\n"); 885 | var temp = this.getOAID(); 886 | log_with_index(tmp_index, "getOAID: " + temp); 887 | return temp; 888 | }; 889 | } 890 | if (IdProvider.getVAID != undefined) { 891 | IdProvider.getVAID.overload('java.lang.String').implementation = function (p1) { 892 | var tmp_index = get_tmp_index(); 893 | showStacks(tmp_index); 894 | log_with_index(tmp_index, "============================= [*]Called - getVAID(p1)=======================\r\n"); 895 | var temp = this.getVAID(p1); 896 | log_with_index(tmp_index, "getVAID: " + temp); 897 | return temp; 898 | }; 899 | } 900 | if (IdProvider.getAAID != undefined) { 901 | IdProvider.getAAID.overload('java.lang.String').implementation = function (p1) { 902 | var tmp_index = get_tmp_index(); 903 | showStacks(tmp_index); 904 | log_with_index(tmp_index, "============================= [*]Called - getAAID(p1)=======================\r\n"); 905 | var temp = this.getAAID(p1); 906 | log_with_index(tmp_index, "getAAID: " + temp); 907 | return temp; 908 | }; 909 | } 910 | 911 | } catch (e) { 912 | log_with_index(-1, "Function hookGetIDeviceIdServicerepeackage.com.samsung.android.deviceidservice.IDeviceIdService$Stub$Proxy failed. reason:" + e) 913 | } 914 | } 915 | 916 | function hookGetICCID() { 917 | try { 918 | var UC = Java.use("android.telephony.UiccCardInfo"); 919 | if (UC.getIccId != undefined) { 920 | UC.getIccId.implementation = function () { 921 | var tmp_index = get_tmp_index(); 922 | showStacks(tmp_index); 923 | log_with_index(tmp_index, "============================= [*]Called - getIccId()=======================\r\n"); 924 | var temp = this.getIccId(); 925 | log_with_index(tmp_index, "getIccId: " + temp); 926 | return temp; 927 | }; 928 | } 929 | 930 | } catch (e) { 931 | log_with_index(-1, "Function hookGetICCID-android.telephony.UiccCardInfo failed. reason:" + e) 932 | } 933 | } 934 | 935 | function hookGetSensorList() { 936 | try { 937 | var SM = Java.use("android.hardware.SensorManager"); 938 | if (SM.getSensorList != undefined) { 939 | SM.getSensorList.overload('int').implementation = function (p1) { 940 | var tmp_index = get_tmp_index(); 941 | showStacks(tmp_index); 942 | log_with_index(tmp_index, "============================= [*]Called - getSensorList()=======================\r\n"); 943 | var temp = this.getSensorList(p1); 944 | log_with_index(tmp_index, "getSensorList: " + temp); 945 | return temp; 946 | }; 947 | } 948 | 949 | } catch (e) { 950 | log_with_index(-1, "Function hookGetSensorList-android.hardware.SensorManager failed. reason:" + e) 951 | } 952 | } 953 | 954 | function hookStartActivity() { 955 | try { 956 | var UC = Java.use("android.app.Activity"); 957 | if (UC.startActivity != undefined) { 958 | UC.startActivity.overload('android.content.Intent').implementation = function (p1) { 959 | var tmp_index = get_tmp_index(); 960 | showStacks(tmp_index); 961 | log_with_index(tmp_index, "============================= [*]Called - startActivity(p1)=======================\r\n"); 962 | var temp = this.startActivity(p1); 963 | log_with_index(tmp_index, "startActivity: " + temp + p1); 964 | return temp; 965 | }; 966 | UC.startActivity.overload('android.content.Intent', 'android.os.Bundle').implementation = function (p1,p2) { 967 | var tmp_index = get_tmp_index(); 968 | showStacks(tmp_index); 969 | log_with_index(tmp_index, "============================= [*]Called - startActivity(p1,p2)=======================\r\n"); 970 | var temp = this.startActivity(p1,p2); 971 | log_with_index(tmp_index, "startActivity: " + temp + p1 + p2); 972 | return temp; 973 | }; 974 | } 975 | 976 | } catch (e) { 977 | log_with_index(-1, "Function hookStartActivity-android.app.Activity failed. reason:" + e) 978 | } 979 | } 980 | 981 | 982 | function hookGetPackageInfo() { 983 | try { 984 | var PM = Java.use("android.app.ApplicationPackageManager"); 985 | if (PM.getPackageInfo != undefined) { 986 | PM.getPackageInfo.overload('java.lang.String','int').implementation = function (p1,p2) { 987 | var tmp_index = get_tmp_index(); 988 | showStacks(tmp_index); 989 | log_with_index(tmp_index, "============================= [*]Called - GetPackageInfo(p1,p2)=======================\r\n"); 990 | var temp = this.getPackageInfo(p1,p2); 991 | log_with_index(tmp_index, "GetPackageInfo: " + temp); 992 | return temp; 993 | }; 994 | 995 | PM.getPackageInfo.overload('java.lang.String','android.content.pm.PackageManager.PackageInfoFlags').implementation = function (p1,p2) { 996 | var tmp_index = get_tmp_index(); 997 | showStacks(tmp_index); 998 | log_with_index(tmp_index, "============================= [*]Called - GetPackageInfo(p1,p2)=======================\r\n"); 999 | var temp = this.getPackageInfo(p1,p2); 1000 | log_with_index(tmp_index, "GetPackageInfo: " + temp); 1001 | return temp; 1002 | }; 1003 | 1004 | PM.getPackageInfo.overload('android.content.pm.VersionedPackage','android.content.pm.PackageManager.PackageInfoFlags').implementation = function (p1,p2) { 1005 | var tmp_index = get_tmp_index(); 1006 | showStacks(tmp_index); 1007 | log_with_index(tmp_index, "============================= [*]Called - GetPackageInfo(p1,p2)=======================\r\n"); 1008 | var temp = this.getPackageInfo(p1,p2); 1009 | log_with_index(tmp_index, "GetPackageInfo: " + temp); 1010 | return temp; 1011 | }; 1012 | 1013 | PM.getPackageInfo.overload('android.content.pm.VersionedPackage','int').implementation = function (p1,p2) { 1014 | var tmp_index = get_tmp_index(); 1015 | showStacks(tmp_index); 1016 | log_with_index(tmp_index, "============================= [*]Called - GetPackageInfo(p1,p2)=======================\r\n"); 1017 | var temp = this.getPackageInfo(p1,p2); 1018 | log_with_index(tmp_index, "GetPackageInfo: " + temp); 1019 | return temp; 1020 | }; 1021 | 1022 | } 1023 | 1024 | } catch (e) { 1025 | log_with_index(-1, "Function hookGetPackageInfo-aandroid.app.ApplicationPackageManager failed. reason:" + e) 1026 | } 1027 | } 1028 | 1029 | 1030 | function hookGetExtraInfo() { 1031 | try { 1032 | var NW = Java.use("android.net.NetworkInfo"); 1033 | if (NW.getExtraInfo != undefined) { 1034 | NW.getExtraInfo.implementation = function () { 1035 | var tmp_index = get_tmp_index(); 1036 | showStacks(tmp_index); 1037 | log_with_index(tmp_index, "============================= [*]Called - getExtraInfo()=======================\r\n"); 1038 | var temp = this.getExtraInfo(); 1039 | log_with_index(tmp_index, "getExtraInfo: " + temp); 1040 | return temp; 1041 | }; 1042 | } 1043 | 1044 | } catch (e) { 1045 | log_with_index(-1, "Function hookGetExtraInfo-android.net.NetworkInfo failed. reason:" + e) 1046 | } 1047 | } 1048 | 1049 | 1050 | function hookGetExternalStorageDirectory() { 1051 | try { 1052 | var ENV = Java.use("android.os.Environment"); 1053 | if (ENV.getExternalStorageDirectory != undefined) { 1054 | ENV.getExternalStorageDirectory.implementation = function () { 1055 | var tmp_index = get_tmp_index(); 1056 | showStacks(tmp_index); 1057 | log_with_index(tmp_index, "============================= [*]Called - getExternalStorageDirectory()=======================\r\n"); 1058 | var temp = this.getExternalStorageDirectory(); 1059 | log_with_index(tmp_index, "getExternalStorageDirectory: " + temp); 1060 | return temp; 1061 | }; 1062 | } 1063 | 1064 | } catch (e) { 1065 | log_with_index(-1, "Function hookGetExternalStorageDirectory-android.os.Environment failed. reason:" + e) 1066 | } 1067 | } 1068 | 1069 | function hookGetMediaAttribute() { 1070 | try { 1071 | var ME = Java.use("android.media.ExifInterface"); 1072 | if (ME.getAttribute != undefined) { 1073 | ME.getAttribute.overload('java.lang.String').implementation = function (p1) { 1074 | var tmp_index = get_tmp_index(); 1075 | showStacks(tmp_index); 1076 | log_with_index(tmp_index, "============================= [*]Called - getAttribute(p1)=======================\r\n"); 1077 | var temp = this.getAttribute(p1); 1078 | log_with_index(tmp_index, "getAttribute: " + temp); 1079 | return temp; 1080 | }; 1081 | } 1082 | 1083 | } catch (e) { 1084 | log_with_index(-1, "Function hookGetMediaAttribute-android.media.ExifInterface failed. reason:" + e) 1085 | } 1086 | } 1087 | 1088 | 1089 | 1090 | Java.perform(function () { 1091 | hookGetSystemInfo(); 1092 | hookRequestPermission(); 1093 | hookGetAndroidId(); 1094 | hookGetIMSI(); 1095 | hookGetIMEI(); 1096 | hookGetMEID(); 1097 | hookGetMacAddress(); 1098 | hookGetIPAddress(); 1099 | hookGetRunningAppProcesses(); 1100 | hookGetWifiState(); 1101 | hookGetActiveNetworkInfo(); 1102 | hookGetHostInfo(); 1103 | hookGetLocation(); 1104 | hookGetInstallPackages(); 1105 | hookGetIdProvider(); 1106 | hookGetIDeviceIdService(); 1107 | hookGetICCID(); 1108 | hookGetSensorList(); 1109 | hookGetExternalStorageDirectory(); 1110 | hookGetExtraInfo(); 1111 | hookGetPackageInfo(); 1112 | hookGetMediaAttribute(); 1113 | }) -------------------------------------------------------------------------------- /ios_main.js: -------------------------------------------------------------------------------- 1 | function showStacks(ctx) { 2 | console.log("============================= Stack strat======================="); 3 | console.log(""); 4 | console.log( 5 | "\tBacktrace:\n\t" + 6 | Thread.backtrace(ctx, Backtracer.ACCURATE) 7 | .map(DebugSymbol.fromAddress) 8 | .join("\n\t") 9 | ); 10 | console.log(""); 11 | console.log("============================= Stack end=======================\r\n"); 12 | } 13 | 14 | 15 | Interceptor.attach( 16 | ObjC.classes.UIDevice["- name"].implementation, 17 | { 18 | onLeave: function(retval){ 19 | var message = ObjC.Object(retval); 20 | var ctx = this.context; 21 | showStacks(ctx); 22 | console.log('device_name:' + message.toString()); 23 | } 24 | 25 | } 26 | ); 27 | 28 | Interceptor.attach( 29 | ObjC.classes.ASIdentifierManager["- advertisingIdentifier"].implementation, 30 | { 31 | onLeave: function(retval){ 32 | var message = ObjC.Object(retval); 33 | var ctx = this.context; 34 | showStacks(ctx); 35 | console.log('advertisingIdentifier(idfa):' + message.toString()); 36 | } 37 | 38 | } 39 | ); 40 | 41 | Interceptor.attach( 42 | ObjC.classes.UIDevice["- identifierForVendor"].implementation, 43 | { 44 | onLeave: function(retval){ 45 | var message = ObjC.Object(retval); 46 | var ctx = this.context; 47 | showStacks(ctx); 48 | console.log('identifierForVendor(idfv):' + message.toString()); 49 | } 50 | 51 | } 52 | ); 53 | 54 | Interceptor.attach( 55 | ObjC.classes.NSProcessInfo["- systemUptime"].implementation, 56 | { 57 | onLeave: function(retval){ 58 | var ctx = this.context; 59 | showStacks(ctx); 60 | console.log('systemUptime:' + retval 61 | ); 62 | } 63 | 64 | } 65 | ); --------------------------------------------------------------------------------