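/**
 * Frida script: locate `svc` instructions inside the app's own native
 * libraries (files under /data/app/ ending in .so) and attach to the sites
 * that issue openat / faccessat.
 *
 * For every 4-byte-aligned `svc` hit, the syscall number is decoded from the
 * instruction immediately before it (the `mov r7, #imm` / `mov x8, #imm`
 * that loads the number). openat sites get their path argument replaced by
 * "/proc/self/status11"; faccessat sites are only logged.
 *
 * Supported: 32-bit ARM (A32 encoding only, Thumb `svc` is not scanned for)
 * and arm64. On any other architecture the script logs once and does nothing,
 * instead of calling Memory.scan with an undefined pattern.
 */

// Per-architecture byte pattern of `svc #0` and the Linux syscall numbers
// of openat / faccessat.
const ARCH_CONFIG = Object.freeze({
  arm: Object.freeze({ targetCodeHex: "00 00 00 EF", openat: 322, faccessat: 334 }),
  arm64: Object.freeze({ targetCodeHex: "01 00 00 D4", openat: 56, faccessat: 48 }),
});

const arch = Process.arch;
const config = Object.prototype.hasOwnProperty.call(ARCH_CONFIG, arch)
  ? ARCH_CONFIG[arch]
  : undefined;

if (config === undefined) {
  console.log("arch not support!");
}

/**
 * Decode the syscall number loaded by the instruction just before an `svc`.
 *
 * arm:   `movw r7, #imm16` keeps imm12 in bits 0-11; the imm4 in bits 16-19 is
 *        ignored, so only numbers below 4096 decode correctly (enough for
 *        openat/faccessat).
 * arm64: `movz x8, #imm16` keeps imm16 in bits 5-20.
 *
 * @param {NativePointer} svcAddress - address of the `svc` instruction
 * @returns {number} decoded syscall number, or -1 on an unsupported arch
 *   (-1 can never equal a real syscall number, so no hook is attached)
 */
function decodeSyscallNumber(svcAddress) {
  // Unsigned read so the masks below operate on the raw encoding bits.
  const previousInsn = svcAddress.sub(0x4).readU32();
  switch (arch) {
    case "arm":
      return previousInsn & 0xfff;
    case "arm64":
      return (previousInsn >>> 5) & 0xffff;
    default:
      console.log("the arch get call_number not support!");
      return -1;
  }
}

/**
 * Attach to one `svc` site and log its path argument and return value.
 *
 * The hook sits on the `svc` instruction itself, so `args[i]` is the i-th
 * argument register at that point (r1/x1 for args[1]). For openat and
 * faccessat that register is the `pathname` pointer; readCString() on it
 * assumes it is a valid NUL-terminated string at entry.
 *
 * @param {NativePointer} svcAddress - address of the `svc` instruction
 * @param {NativePointer} baseAddress - base of the module containing it
 * @param {string} label - name used in log lines (e.g. "__NR_openat")
 * @param {string} [redirectPath] - when given, replaces args[1] on every entry
 */
function attachSvcHook(svcAddress, baseAddress, label, redirectPath) {
  const offset = svcAddress.sub(baseAddress);
  Interceptor.attach(svcAddress, {
    onEnter(args) {
      console.log(`\nonEnter_${offset} , ${label} , args[1] = ${args[1].readCString()}`);
      if (redirectPath !== undefined) {
        // Keep the replacement buffer on `this` so it outlives onEnter and is
        // still valid while the kernel reads it.
        this.new_addr = Memory.allocUtf8String(redirectPath);
        args[1] = this.new_addr;
      }
      console.log(`onEnter_${offset} , ${label} , args[1] = ${args[1].readCString()}`);
    },
    onLeave(retval) {
      console.log(`onLeave_${offset} , ${label} , retval = ${retval}`);
    },
  });
}

if (config !== undefined) {
  console.log(`\nthe_arch = ${arch}`);
  // Process.enumerateModules() directly may fault on ranges that are not
  // readable, so walk readable ranges and filter by their backing file.
  Process.enumerateRanges("r--").forEach((range) => {
    const file = range.file;
    if (!file || !file.path) {
      return;
    }
    const path = file.path;
    if (!path.startsWith("/data/app/") || !path.endsWith(".so")) {
      return;
    }
    // findBaseAddress returns null instead of throwing, so one unknown module
    // does not abort the whole enumeration.
    const baseAddress = Module.findBaseAddress(path);
    if (baseAddress === null) {
      console.log(`\nskip (no module base) path = ${path}`);
      return;
    }
    const soName = path.slice(path.lastIndexOf("/") + 1);
    console.log(`\npath = ${path} , baseAddress = ${baseAddress} , rangeAddress = ${range.base} , size = ${range.size}`);

    Memory.scan(range.base, range.size, config.targetCodeHex, {
      onMatch(codeAddress) {
        // A32/A64 instructions are 4-byte aligned; an unaligned byte match is
        // data that merely looks like `svc`.
        if (!codeAddress.and(0x3).isNull()) {
          return;
        }
        console.log("--------------------------");
        const callNumber = decodeSyscallNumber(codeAddress);
        console.log(`find svc : so_name = ${soName} , address = ${codeAddress} , call_number = ${callNumber} , offset = ${codeAddress.sub(baseAddress)}`);

        // hook svc __NR_openat (path argument redirected)
        if (callNumber === config.openat) {
          console.log("find svc openat , start inlinehook by frida!");
          attachSvcHook(codeAddress, baseAddress, "__NR_openat", "/proc/self/status11");
        }
        // hook svc __NR_faccessat (observe only, no redirect)
        if (callNumber === config.faccessat) {
          console.log("find svc faccessat , start inlinehook by frida!");
          attachSvcHook(codeAddress, baseAddress, "__NR_faccessat");
        }
      },
      onComplete() {},
    });
  });
}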