前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >获取安卓敏感调用检测

获取安卓敏感调用检测

作者头像
tea9
发布2023-03-07 20:43:39
1.5K0
发布2023-03-07 20:43:39
举报
文章被收录于专栏:tea9的博客tea9的博客

获取安卓敏感调用检测脚本

代码语言:javascript
复制
//hook常规的获取设备信息接口
//通过打印堆栈信息来看是什么sdk调用


function showjavastack(){
    var javastack = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
    //console.log(javastack);
}   

function hook(){
    Java.perform(function() {
        var TelephonyManager = Java.use("android.telephony.TelephonyManager");
        //IMEI hook
        TelephonyManager.getDeviceId.overload().implementation = function () {
            console.log("[*]Called - getDeviceId()");
            var temp = this.getDeviceId();
            console.log("real IMEI: "+temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        };
        // muti IMEI
        TelephonyManager.getDeviceId.overload('int').implementation = function (p) {
            console.log("[*]Called - getDeviceId(int) param is"+p);
            var temp = this.getDeviceId(p);
            console.log("real IMEI "+p+": "+temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        };
        //IMSI hook
        TelephonyManager.getSimSerialNumber.overload().implementation = function () {
            console.log("[*]Called - getSimSerialNumber(String)");
            var temp = this.getSimSerialNumber();
            console.log("real IMSI: "+temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        };
        //取出 IMEI 需要 api26以上
        TelephonyManager.getImei.overload().implementation = function(){
            console.log("[*]Called - getImei");
            var temp = this.getImei();
            console.log("real IMEI:" + temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        }
        TelephonyManager.getImei.overload('int').implementation = function(a){
            console.log("[*]Called - getImei(int)");
            var temp = this.getImei(a);
            console.log("real IMEI(int):" + temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        }
        TelephonyManager.getSimOperatorName.overload().implementation = function(){
            console.log("[*]Called - getSimOperatorName");
            var temp = this.getSimOperatorName();
            console.log("real 运营商:" + temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        }
        TelephonyManager.getSimOperatorName.overload('int').implementation = function(a){
            console.log("[*]Called - getSimOperatorName(int)");
            var temp = this.getSimOperatorName(a);
            console.log("real 运营商:" + temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        }
        TelephonyManager.getLine1Number.overload().implementation = function(){
            console.log("[*]Called - getLine1Number");
            var temp = this.getLine1Number();
            console.log("real MSISDN:" + temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        }
        TelephonyManager.getLine1Number.overload('int').implementation = function(a){
            console.log("[*]Called - getLine1Number");
            var temp = this.getLine1Number(a);
            console.log("real MSISDN:" + temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
        }
        
        
        //////////////////////////////////////

        
    
        // hook MAC
        var wifi = Java.use("android.net.wifi.WifiInfo");
        wifi.getMacAddress.implementation = function () {
            console.log("[*]Called - getMacAddress");
            var tmp = this.getMacAddress();
            console.log("[*]real MAC: "+tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }

        var NetworkInterface = Java.use("java.net.NetworkInterface");
        NetworkInterface.getHardwareAddress.implementation = function () {
            console.log("[*]Called - getHardwareAddress");
            var tmp = this.getHardwareAddress();
            console.log("[*]real HardwareAddress: "+tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
    
        //ANDOID_ID hook
        var Secure = Java.use("android.provider.Settings$Secure");
        Secure.getString.implementation = function (p1,p2) {
            if(p2.indexOf("android_id")<0) return this.getString(p1,p2);
            console.log("[*]Called - get android_ID, param is:"+p2);
            var temp = this.getString(p1,p2);
            console.log("real Android_ID: "+temp);
            showjavastack();
            console.log("------------------------------------------------------");
            return temp;
    
        }
    
        //android获取GPS
        var LocationManager = Java.use("android.location.LocationManager");
        LocationManager.getLastKnownLocation.implementation = function(a){
            console.log("[*]Called - getLastKnownLocation");
            var tmp = this.getLastKnownLocation(a);
            console.log("调用getLastKnownLocation获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'android.app.PendingIntent').implementation = function(a,b){
            console.log("[*]Called - requestLocationUpdates.overload('android.location.LocationRequest', 'android.app.PendingIntent')");
            var tmp = this.requestLocationUpdates(a,b);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper').implementation = function(a,b,c){
            console.log("[*]Called - requestLocationUpdates.overload('android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper')");
            var tmp = this.requestLocationUpdates(a,b,c);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper', 'android.app.PendingIntent').implementation = function(a,b,c,d){
            console.log("[*]Called - requestLocationUpdates.overload('android.location.LocationRequest', 'android.location.LocationListener', 'android.os.Looper', 'android.app.PendingIntent')");
            var tmp = this.requestLocationUpdates(a,b,c,d);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'android.app.PendingIntent').implementation = function(a,b,c,d){
            console.log("[*]Called - requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'android.app.PendingIntent')");
            var tmp = this.requestLocationUpdates(a,b,c,d);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.app.PendingIntent').implementation = function(a,b,c,d){
            console.log("[*]Called - requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.app.PendingIntent')");
            var tmp = this.requestLocationUpdates(a,b,c,d);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.location.LocationListener').implementation = function(a,b,c,d){
            console.log("[*]Called - requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.location.LocationListener')");
            var tmp = this.requestLocationUpdates(a,b,c,d);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'android.location.LocationListener', 'android.os.Looper').implementation = function(a,b,c,d,e){
            console.log("[*]Called - requestLocationUpdates.overload('long', 'float', 'android.location.Criteria', 'android.location.LocationListener', 'android.os.Looper')");
            var tmp = this.requestLocationUpdates(a,b,c,d,e);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        LocationManager.requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.location.LocationListener', 'android.os.Looper').implementation = function(a,b,c,d,e){
            console.log("[*]Called - requestLocationUpdates.overload('java.lang.String', 'long', 'float', 'android.location.LocationListener', 'android.os.Looper')");
            var tmp = this.requestLocationUpdates(a,b,c,d,e);
            console.log("调用requestLocationUpdates获取了GPS地址" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }

        //获取应用列表
        var Runtime = Java.use("java.lang.Runtime");
        Runtime.exec.overload('java.lang.String').implementation = function(a){
            console.log("[*]Called - exec(command)");
            var tmp = this.exec(a);
            console.log("执行exec的命令:" + a);
            if(a.indexOf("packages") != -1){
                console.log("应用使用"+ a + "收集应用列表");
                showjavastack();
            }
            console.log("------------------------------------------------------");
            return tmp;
        }
        var PackageManager = Java.use("android.content.pm.PackageManager");
        PackageManager.getInstalledPackages.implementation = function(a){
            console.log("[*]Called - getInstalledPackages");
            var tmp = this.getInstalledPackages(a);
            console.log("调用getInstalledPackages获取了应用列表" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        PackageManager.getInstalledApplications.implementation = function(a){
            console.log("[*]Called - getInstalledApplications");
            var tmp = this.getInstalledApplications(a);
            console.log("调用getInstalledApplications获取了应用列表" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        PackageManager.queryIntentActivities.implementation = function(a,b){
            console.log("[*]Called - queryIntentActivities");
            var tmp = this.queryIntentActivities(a,b);
            console.log("调用queryIntentActivities获取了应用列表" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        var ContextWrapper = Java.use("android.content.ContextWrapper");
        ContextWrapper.getPackageManager.implementation = function(){
            console.log("[*]Called - getPackageManager");
            var tmp = this.getPackageManager();
            console.log("调用getPackageManager获取了应用列表" + tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }

    
        //android的hidden API,需要通过反射调用
        var SP = Java.use("android.os.SystemProperties");
        SP.get.overload('java.lang.String').implementation = function (p1) {
            var tmp = this.get(p1);
            console.log("[*]"+p1+" : "+tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        }
        SP.get.overload('java.lang.String', 'java.lang.String').implementation = function (p1,p2) {
            var tmp = this.get(p1,p2)
            console.log("[*]"+p1+","+p2+" : "+tmp);
            showjavastack();
            console.log("------------------------------------------------------");
            return tmp;
        } 
        
    })
}

function main(){
    hook();
}

setImmediate(main); ```
//新建一个命令行

adb shell

cd 保存frida_server的路径

./frida_server

//新建另一个命令行

//转发frida_server默认端口
adb forward tcp:27042 tcp:27042

frida -Uf packagename -l hook_privacy.js的绝对路径

如果需要查看调用,讲hook_privacy.js中showjavastack注释去掉

再次执行frida -Uf packagename -l hook_privacy.js的绝对路径

本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 作者个人站点/博客 前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
目录
  • 获取安卓敏感调用检测脚本
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档