【Android逆向】定位native函数在哪个so中方法

发布时间: 2023-03-28 17:08:53　作者: 明月照江江

1. 在逆向过程中经常需要定位方法在哪个so中,而app加载的so很多,比如

image

那么如何快速定位方法在哪里呢

2. 比如如下案例,首先看日志

03-28 11:01:56.457 14566 14566 D KM-NATIVE: JNI_OnLoad
03-28 11:01:56.457 14566 14566 D KM-NATIVE: JniHelper>>>init>>>start
03-28 11:01:56.457 14566 14566 D KM-NATIVE: JniHelper>>>init>>>finish
03-28 11:01:56.926 14566 14729 D KM-NATIVE: call Java_com_km_encryption_api_Security_sign
03-28 11:01:56.926 14566 14716 D KM-NATIVE: call Java_com_km_encryption_api_Security_sign

启动时发现Java_com_km_encryption_api_Security_sign,在java层查找也确实有这个方法,但不能确定它是由哪个so加载的

3. 通过枚举模块的导出表可以实现定位

/**
 * Entry point of the Frida script.
 *
 * Walks every module currently loaded in the target process and, for each
 * module whose filesystem path contains "lib", prints its name and hands it
 * to frida_Module_import, which dumps the JNI-style (Java_*) exports. The
 * combined output tells you which .so implements a given native method.
 *
 * Output goes to console.log only; nothing is returned.
 */
function main() {
    console.log("==== 0")

    Java.perform(() => {
        const loaded = Process.enumerateModules();
        // NOTE: matching "lib" anywhere in the path is a loose filter; on
        // Android most system library paths contain that substring too, so
        // expect more than just the app's own libraries to be listed.
        const candidates = loaded.filter((mod) => mod.path.includes("lib"));
        candidates.forEach((mod) => {
            // Module objects also expose base, size and path if more detail is wanted.
            console.log("模块名称:", mod.name);
            frida_Module_import(mod.name);
        });
    });
}

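/**
 * Print every exported symbol of `libname` whose name contains "Java",
 * i.e. the JNI entry points (Java_<package>_<class>_<method>) the module
 * exposes, so a native method seen in logcat can be traced back to the
 * .so that implements it.
 *
 * Fixes two problems of the earlier version: export records returned by
 * enumerateExports() carry no `module` field, so the "module:" line always
 * printed `undefined`; and a single module that Module.load() could not
 * open threw and aborted the whole enumeration started by main().
 *
 * @param {string} libname - module name as reported by Process.enumerateModules().
 * @returns {void} Output goes to console.log only.
 */
function frida_Module_import(libname) {
    Java.perform(function () {
        let mod;
        try {
            mod = Module.load(libname);
        } catch (err) {
            // Report and move on so the remaining modules are still inspected.
            console.log("skip:", libname, "-", err.message);
            return;
        }
        const exported = mod.enumerateExports();
        for (const sym of exported) {
            if (!sym.name.includes("Java")) continue;
            // 函数类型
            console.log("type:", sym.type);
            // 函数名称
            console.log("name:", sym.name);
            // 属于的模块 — the export record itself has no module field,
            // so report the module we just loaded.
            console.log("module:", libname);
            // 函数地址
            console.log("address:", sym.address);
        }
    });
}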

// Common Frida convention: run the entry point on the next event-loop turn
// instead of during script load.
setImmediate(function () {
    main();
});

# frida -UF com.kmxs.reader -l lessonqm.js --no-pause

日志

模块名称: libsmsdk.so
模块名称: libcrashsdk.so
模块名称: libcommon-encryption.so
type: function
name: _ZN9JniHelper4initEP7_JavaVM
module: undefined
address: 0xd2dd8c5d
type: function
name: Java_com_km_encryption_api_Security_init
module: undefined
address: 0xd2dd8fb5
type: function
name: Java_com_km_encryption_api_Security_decode
module: undefined
address: 0xd2dd9051
type: function
name: Java_com_km_encryption_api_Security_token
module: undefined
address: 0xd2dd9205
type: function
name: Java_com_km_encryption_api_Security_sign
module: undefined
address: 0xd2dd9249
....

顺利发现该方法在libcommon-encryption.so中