
frida如何抓apk网络包

Java function var implementation 311    来源:    2025-04-24

使用Frida抓取APK网络包的方法

Frida是一个强大的动态插桩工具,可以用来监控和修改APK的网络请求。以下是几种使用Frida抓取APK网络包的方法:

方法一:Hook Android网络相关API

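// HttpURLConnection: log every URL opened through URL.openConnection() and
// every request header set through setRequestProperty().
Java.perform(function() {
    var URL = Java.use("java.net.URL");
    var HttpURLConnection = Java.use("java.net.HttpURLConnection");

    // Installed once, at script load, rather than being re-assigned inside the
    // openConnection() hook on every call. Headers set before the first
    // openConnection() call is observed are therefore logged as well.
    // NOTE(review): setRequestProperty is declared on java.net.URLConnection;
    // a concrete connection class that overrides it may not reach this hook.
    // Confirm on the target runtime.
    HttpURLConnection.setRequestProperty.implementation = function(key, value) {
        // Header values can include credentials (Authorization, Cookie), so
        // treat the console output as sensitive.
        console.log("[*] Request Header: " + key + ": " + value);
        return this.setRequestProperty(key, value);
    };

    // Only the zero-argument overload is hooked; openConnection(Proxy) is not.
    URL.openConnection.overload().implementation = function() {
        // Call the original first so an exception from it propagates before
        // anything is logged.
        var connection = this.openConnection();
        console.log("[*] URL: " + this.toString());
        return connection;
    };
});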

// OkHttp: log the URL and headers of each request passed to OkHttpClient.newCall().
Java.perform(function() {
    var Client = Java.use("okhttp3.OkHttpClient");
    // Resolved as in the original listing; the hook below does not use it.
    var Request = Java.use("okhttp3.Request");

    Client.newCall.implementation = function(request) {
        var target = request.url().toString();
        console.log("[*] Request URL: " + target);

        // Walk the header list by index and print one line per header.
        // NOTE(review): headers added after newCall() (for example by
        // interceptors) would not appear here. Confirm against the target app.
        var headerList = request.headers();
        var idx = 0;
        while (idx < headerList.size()) {
            var line = headerList.name(idx) + ": " + headerList.value(idx);
            console.log("[*] Header: " + line);
            idx += 1;
        }

        // Hand the unchanged request to the original newCall().
        return this.newCall(request);
    };
});

方法二:Hook SSL相关函数(适用于HTTPS)

// SSLContext: log each SSLContext.init() call together with the Java call stack.
Java.perform(function() {
    var SslCtx = Java.use("javax.net.ssl.SSLContext");

    SslCtx.init.implementation = function(keyManagers, trustManagers, secureRandom) {
        console.log("[*] SSLContext.init() called");

        // A freshly constructed exception carries the current stack, which
        // shows where the TLS context is being configured.
        var Log = Java.use("android.util.Log");
        var marker = Java.use("java.lang.Exception").$new();
        var trace = Log.getStackTraceString(marker);
        console.log(trace);

        // The arguments are forwarded untouched; the hook only observes.
        return this.init(keyManagers, trustManagers, secureRandom);
    };
});

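// TrustManagerImpl: log each host whose server certificate chain is checked.
// This hook does not trust anything by itself: it calls the original
// checkServerTrusted() and returns its result, so a chain the platform
// rejects is still rejected.
Java.perform(function() {
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");

    // checkServerTrusted is overloaded, so the (chain, authType, host) variant
    // has to be selected explicitly before an implementation is assigned.
    var checkWithHost = TrustManagerImpl.checkServerTrusted.overload(
        "[Ljava.security.cert.X509Certificate;",
        "java.lang.String",
        "java.lang.String"
    );

    checkWithHost.implementation = function(chain, authType, host) {
        // The message states what actually happens: verification is observed,
        // not skipped.
        console.log("[*] checkServerTrusted() called for: " + host);
        return this.checkServerTrusted(chain, authType, host);
    };
});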

方法三:使用Frida配合其他工具

  1. 配合Burp Suite:

    • 在设备上安装Burp CA证书
    • 使用Frida禁用证书固定(pinning)
    • 设置Burp为代理
  2. 配合mitmproxy:

    • 类似Burp的设置方式
    • 可以使用Frida脚本自动设置代理

方法四:Hook底层Socket操作

// Socket: replace the streams returned by Socket.getInputStream() and
// Socket.getOutputStream() with registered subclasses that log the bytes
// passing through the three-argument read() and write().
// The logged bytes are raw payload and may contain credentials or tokens;
// treat the console output as sensitive.
Java.perform(function() {
    var Socket = Java.use("java.net.Socket");
    var InputStream = Java.use("java.io.InputStream");
    var OutputStream = Java.use("java.io.OutputStream");

    Socket.getInputStream.implementation = function() {
        // Obtain the socket's real input stream from the original method.
        var inputStream = this.getInputStream();
        // NOTE(review): Java.registerClass runs on every getInputStream() call
        // with the same fixed class name; registering once outside the hook
        // looks like the intent. Confirm how the runtime handles re-registration.
        // NOTE(review): java.io.InputStream declares no constructor that takes
        // a stream, so $new(inputStream) and this.super.read(...) may not
        // delegate to the socket's own stream. Verify before relying on the output.
        return Java.registerClass({
            name: 'com.example.MyInputStream',
            superClass: InputStream,
            methods: {
                // Only read(byte[], int, int) is overridden; other read
                // variants are not logged by this wrapper.
                read: function(buffer, byteOffset, byteCount) {
                    var ret = this.super.read(buffer, byteOffset, byteCount);
                    // Log only when bytes were actually read (ret > 0).
                    if (ret > 0) {
                        // Copy just the bytes filled by this call.
                        var data = Java.array('byte', buffer).slice(byteOffset, byteOffset + ret);
                        console.log("[*] Received data: " + 
                            JSON.stringify(Array.from(new Uint8Array(data))));
                    }
                    return ret;
                }
            }
        }).$new(inputStream);
    };

    Socket.getOutputStream.implementation = function() {
        // Obtain the socket's real output stream from the original method.
        var outputStream = this.getOutputStream();
        // NOTE(review): same concerns as the input side. The class is
        // registered on every call under one fixed name, and
        // java.io.OutputStream has no constructor that accepts a stream.
        return Java.registerClass({
            name: 'com.example.MyOutputStream',
            superClass: OutputStream,
            methods: {
                // Only write(byte[], int, int) is overridden.
                write: function(buffer, byteOffset, byteCount) {
                    // Log the slice about to be written, then forward the call.
                    var data = Java.array('byte', buffer).slice(byteOffset, byteOffset + byteCount);
                    console.log("[*] Sent data: " + 
                        JSON.stringify(Array.from(new Uint8Array(data))));
                    return this.super.write(buffer, byteOffset, byteCount);
                }
            }
        }).$new(outputStream);
    };
});

使用步骤

  1. 安装Frida-server到目标设备
  2. 编写上述脚本保存为network_hook.js
  3. 运行命令:frida -U -l network_hook.js -f com.target.app --no-pause(较新版本的 frida-tools 在 spawn 后默认不暂停,且不再接受 --no-pause 参数,此时去掉该参数即可)

注意事项

  1. 对于HTTPS流量,可能需要禁用证书固定(pinning);这主要针对方法三的代理抓包,方法一在应用层API处记录的是加密前的明文
  2. 某些应用可能使用自定义的加密协议,需要进一步分析
  3. 生产环境的应用可能有反调试措施,需要先绕过

如果需要更详细的网络抓包,建议结合使用Frida和Wireshark/Charles/Burp等专业抓包工具。