A process is the unit in which the operating system allocates resources to a running program. ----- motto -----
Process is an important object. This post shows how to use the CLI (Frida's interactive command-line window) and how to use Process:
1. Introduction:
Frida provides an interactive command line (a REPL), similar to Python's interactive prompt.
The following command opens the interactive prompt attached to a given app (-U selects the USB-connected device or emulator; -n attaches by process name, which for an Android app is normally its package name; the app must already be running, or use -f instead to spawn it):
frida -U -n <package name>
2. Process in practice, with explanations:
Typing Process at the prompt prints a summary of the Process module's data properties:
frida -U -n com.example.myapplication3
[Android Emulator 5554::com.example.myapplication3]-> Process
{
"arch": "ia32",
"codeSigningPolicy": "optional",
"id": 1386,
"pageSize": 4096,
"platform": "linux",
"pointerSize": 4
}
Explanation:
arch: CPU architecture, one of the strings ia32, x64, arm or arm64
codeSigningPolicy: code-signing policy, either optional or required; required means Frida will not modify existing code in memory or run unsigned code, so inline hooks are unavailable there
id: process id (pid)
pageSize: virtual-memory page size in bytes
platform: the operating system, one of the strings windows, darwin, linux or qnx
pointerSize: pointer size in bytes, 4 for a 32-bit process and 8 for a 64-bit one (here 4, consistent with ia32)
Of course, each of them can also be read individually:
[Android Emulator 5554::com.example.myapplication3]-> Process.arch
"ia32"
[Android Emulator 5554::com.example.myapplication3]-> Process.codeSigningPolicy
"optional"
[Android Emulator 5554::com.example.myapplication3]-> Process.pageSize
4096
[Android Emulator 5554::com.example.myapplication3]-> Process.platform
"linux"
[Android Emulator 5554::com.example.myapplication3]-> Process.pointerSize
4
[Android Emulator 5554::com.example.myapplication3]-> Process.id
1386
Check whether a debugger is attached to the process:
[Android Emulator 5554::com.example.myapplication3]-> Process.isDebuggerAttached()
false
List the currently loaded modules (the main executable and the shared libraries, i.e. the .so files on Android); this returns an array of Module objects, of which the REPL prints only the data fields:
[Android Emulator 5554::com.example.myapplication3]-> Process.enumerateModules()
[
{
"base": "0xb776b000",
"name": "app_process",
"path": "/system/bin/app_process",
"size": 24576
},
{
"base": "0xb76dd000",
"name": "libcutils.so",
"path": "/system/lib/libcutils.so",
"size": 122880
},
{
"base": "0xb76b6000",
"name": "libutils.so",
"path": "/system/lib/libutils.so",
"size": 159744
},
{
"base": "0xb76aa000",
"name": "liblog.so",
"path": "/system/lib/liblog.so",
"size": 49152
},
{
"base": "0xb7666000",
"name": "libbinder.so",
"path": "/system/lib/libbinder.so",
"size": 278528
},
......
{
"base": "0xb7728000",
"name": "linker",
"path": "/system/bin/linker",
"size": 241664
}
]
Fields of the enumerateModules() entries:
base: module base address (a NativePointer, shown as hex)
name: module name
path: path of the file the module was loaded from
size: mapped size of the module in bytes
The same information for a single module can be fetched by name, or by any address that falls inside the module (not only its base). Both getters throw if nothing matches; findModuleByName / findModuleByAddress return null instead:
[Android Emulator 5554::com.example.myapplication3]-> Process.getModuleByName("linker")
{
"base": "0xb7728000",
"name": "linker",
"path": "/system/bin/linker",
"size": 241664
}
[Android Emulator 5554::com.example.myapplication3]-> Process.getModuleByAddress("0xb7728000")
{
"base": "0xb7728000",
"name": "linker",
"path": "/system/bin/linker",
"size": 241664
}
Thread id of the current thread (the thread running the script, so it differs from the process id 1386 above):
[Android Emulator 5554::com.example.myapplication3]-> Process.getCurrentThreadId()
1459
propertyIsEnumerable is not a Frida API: Process inherits it from JavaScript's Object.prototype, and it only reports whether the named own property is enumerable. With no argument it looks up a property called "undefined", hence false. (enumerateThreadsSync is the older synchronous spelling; current Frida returns an array from enumerateThreads() directly.)
[Android Emulator 5554::com.example.myapplication3]-> Process.propertyIsEnumerable()
false
[Android Emulator 5554::com.example.myapplication3]-> Process.propertyIsEnumerable("arch")
true
[Android Emulator 5554::com.example.myapplication3]-> Process.propertyIsEnumerable("enumerateThreadsSync")
true
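As an added example (not code from the original post), the following script packages the checks above into reusable helpers. They operate on the plain values Process exposes, so they can be tried on a copy of the REPL output as well as inside Frida; the gated block at the end runs them against the live process when the script is loaded with `frida -U -n com.example.myapplication3 -l process_info.js`. The file name and the list of system path prefixes used to pick out the app's own libraries are assumptions.

```javascript
// Added example, not part of the original post. Helpers over the plain
// values Process exposes; the block at the bottom only runs inside Frida.

// pointerSize decides 32- vs 64-bit; arch is cross-checked against it.
// codeSigningPolicy 'required' means Frida will not rewrite existing code
// in memory, so inline hooks (Interceptor.attach) are not available.
function describeProcess(proc) {
  const expectedPtr = { ia32: 4, arm: 4, x64: 8, arm64: 8 }[proc.arch];
  return {
    bits: proc.pointerSize * 8,
    archConsistent: expectedPtr === proc.pointerSize,
    canPatchCode: proc.codeSigningPolicy === 'optional',
  };
}

// Round an address down to its page using the process's pageSize, the
// granularity Memory.protect() and mprotect work in. Addresses are handled
// as BigInt so 64-bit values survive intact.
function pageAlign(addr, pageSize) {
  const a = BigInt(addr);
  const p = BigInt(pageSize);
  return '0x' + (a - a % p).toString(16);
}

// What Process.getModuleByAddress() answers: the module whose
// [base, base + size) range contains addr, or null if none does.
function moduleContaining(modules, addr) {
  const a = BigInt(addr);
  for (const m of modules) {
    const base = BigInt(m.base);
    if (a >= base && a < base + BigInt(m.size)) return m;
  }
  return null;
}

// Modules not loaded from the system image: on Android these are the app's
// own native libraries, the first place to look for custom crypto or
// anti-debugging code. The prefix list is an assumption for this example.
const SYSTEM_PREFIXES = ['/system/', '/vendor/', '/apex/'];
function appModules(modules) {
  return modules.filter(m => !SYSTEM_PREFIXES.some(p => m.path.startsWith(p)));
}

if (typeof Process !== 'undefined') { // only when running inside Frida
  const mods = Process.enumerateModules().map(m => ({
    base: m.base.toString(), name: m.name, path: m.path, size: m.size,
  }));
  console.log(JSON.stringify(describeProcess(Process)));
  console.log('app modules: ' + appModules(mods).map(m => m.name).join(', '));
  const probe = '0x' + (BigInt(mods[0].base) + 0x10n).toString(16);
  console.log(probe + ' is inside ' + moduleContaining(mods, probe).name +
              ', page ' + pageAlign(probe, Process.pageSize));
}
```

Keeping the helpers free of Frida calls is deliberate: the same lookup logic can be applied to a module list dumped earlier from the REPL, and module ranges can be reasoned about without a device attached.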
3. Comparing Frida's result with the maps table:
Using libc.so as the example:
(1) Frida's result:
{
"base": "0xb727a000",
"name": "libc.so",
"path": "/system/lib/libc.so",
"size": 1085440
},
(2) The corresponding /proc/<pid>/maps entries (columns: address range, permissions, file offset, device, inode, path):
b727a000-b728f000 r-xp 00000000 08:06 1120 /system/lib/libc.so
b728f000-b7290000 rwxp 00015000 08:06 1120 /system/lib/libc.so
b7290000-b729a000 r-xp 00016000 08:06 1120 /system/lib/libc.so
b729a000-b729b000 rwxp 00020000 08:06 1120 /system/lib/libc.so
b729b000-b72a1000 r-xp 00021000 08:06 1120 /system/lib/libc.so
b72a1000-b72a2000 rwxp 00027000 08:06 1120 /system/lib/libc.so
b72a2000-b72fe000 r-xp 00028000 08:06 1120 /system/lib/libc.so
b72fe000-b72ff000 rwxp 00084000 08:06 1120 /system/lib/libc.so
b72ff000-b736f000 r-xp 00085000 08:06 1120 /system/lib/libc.so
b736f000-b7370000 ---p 00000000 00:00 0
b7370000-b7374000 r--p 000f5000 08:06 1120 /system/lib/libc.so
b7374000-b7377000 rw-p 000f9000 08:06 1120 /system/lib/libc.so
b7377000-b7383000 rw-p 00000000 00:00 0
(3) Address arithmetic on Frida's figures:
0xb727a000 + 1085440 = 0xb727a000 + 0x109000 = 0xb7383000
0xb7383000 is exactly the end of the last mapping, b7377000-b7383000. So Frida's size covers the whole contiguous run of libc.so mappings: the file-backed segments, the ---p guard page, and the trailing anonymous rw-p region (the .bss, which has no file backing and therefore no path in maps). Note that the two anonymous entries carry no path, so grouping maps lines by path alone would undercount the module.
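As an added example (not code from the original post), the script below rebuilds a module's base and size from maps lines and checks them against the entry Process.enumerateModules() reports. The grouping rule it uses (the readable mapping of the path at file offset 0 starts the module; every directly adjacent mapping that belongs to the same file or is anonymous extends it) is a model chosen to reproduce the figures above, not Frida's own implementation. The embedded maps text is the libc.so table from this post.

```javascript
// Added example, not part of the original post. Rebuilds a module's base and
// size from /proc/<pid>/maps lines so they can be checked against what
// Process.enumerateModules() reports. The grouping rule is a model that
// reproduces the figures in the post, not Frida's own implementation.

// The libc.so lines from the maps table in the post.
const MAPS_LIBC = `
b727a000-b728f000 r-xp 00000000 08:06 1120 /system/lib/libc.so
b728f000-b7290000 rwxp 00015000 08:06 1120 /system/lib/libc.so
b7290000-b729a000 r-xp 00016000 08:06 1120 /system/lib/libc.so
b729a000-b729b000 rwxp 00020000 08:06 1120 /system/lib/libc.so
b729b000-b72a1000 r-xp 00021000 08:06 1120 /system/lib/libc.so
b72a1000-b72a2000 rwxp 00027000 08:06 1120 /system/lib/libc.so
b72a2000-b72fe000 r-xp 00028000 08:06 1120 /system/lib/libc.so
b72fe000-b72ff000 rwxp 00084000 08:06 1120 /system/lib/libc.so
b72ff000-b736f000 r-xp 00085000 08:06 1120 /system/lib/libc.so
b736f000-b7370000 ---p 00000000 00:00 0
b7370000-b7374000 r--p 000f5000 08:06 1120 /system/lib/libc.so
b7374000-b7377000 rw-p 000f9000 08:06 1120 /system/lib/libc.so
b7377000-b7383000 rw-p 00000000 00:00 0
`;

// One object per maps line: address range, perms, file offset and path
// ('' for anonymous memory, which has no path column).
function parseMaps(text) {
  return text.trim().split('\n').map(line => {
    const f = line.trim().split(/\s+/);
    const [start, end] = f[0].split('-').map(h => BigInt('0x' + h));
    return {
      start, end,
      perms: f[1],
      offset: BigInt('0x' + f[2]),
      path: f.length > 5 ? f.slice(5).join(' ') : '',
    };
  });
}

function hex(n) { return '0x' + n.toString(16); }

// Base = start of the readable mapping of `path` at file offset 0 (where the
// ELF header is). End = end of the last mapping in the contiguous run that
// follows, walking over anonymous pages (guard page, .bss) but stopping at
// any gap or at another file's mapping. `anonymous` counts the bytes that a
// path-only grouping would miss.
function moduleRange(maps, path) {
  const i = maps.findIndex(m => m.path === path && m.offset === 0n && m.perms[0] === 'r');
  if (i < 0) return null;
  const base = maps[i].start;
  let end = maps[i].end;
  let anonymous = 0n;
  for (let j = i + 1; j < maps.length; j++) {
    const m = maps[j];
    if (m.start !== end) break;
    if (m.path !== '' && m.path !== path) break;
    if (m.path === '') anonymous += m.end - m.start;
    end = m.end;
  }
  return { base: hex(base), end: hex(end), size: Number(end - base), anonymous: Number(anonymous) };
}

// Compare with a Process.enumerateModules() entry: both must agree on the
// base, and base + size must land on the same end address.
function matchesFrida(range, mod) {
  const fridaEnd = hex(BigInt(mod.base) + BigInt(mod.size));
  return { sameBase: range.base === mod.base, sameEnd: range.end === fridaEnd, fridaEnd };
}

const libcRange = moduleRange(parseMaps(MAPS_LIBC), '/system/lib/libc.so');
console.log(JSON.stringify(libcRange));
console.log(JSON.stringify(matchesFrida(libcRange, {
  base: '0xb727a000', name: 'libc.so', path: '/system/lib/libc.so', size: 1085440,
})));
```

On a live device the same check runs by pasting the output of `cat /proc/<pid>/maps` into MAPS_LIBC and the matching entry from Process.enumerateModules() into matchesFrida(); a mismatch usually means the module has been unmapped and reloaded, or that a hooking framework has inserted its own mappings between the segments.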
If you liked this post, give it a like before you go :)