Use the following JS script to dump an arbitrary region of the app process's memory:

dumpmemory.js

function dump_memory(base, size) {
    Java.perform(function () {
        // Resolve the app's private files directory so the dump lands somewhere the process can write.
        var currentApplication = Java.use("android.app.ActivityThread").currentApplication();
        var dir = currentApplication.getApplicationContext().getFilesDir().getPath();
        var file_path = dir + "/dumpmemory.bin";
        // Make the target range readable before copying it; Memory.protect() returns false if the
        // kernel refuses the change, in which case readByteArray() would fault.
        if (!Memory.protect(ptr(base), size, 'rwx')) {
            console.log("[dump] Memory.protect failed for", ptr(base), "size", size);
            return;
        }
        var libso_buffer = ptr(base).readByteArray(size);
        var file_handle = new File(file_path, "wb");
        file_handle.write(libso_buffer);
        file_handle.flush();
        file_handle.close();
        console.log("[dump]:", file_path);
    });
}
dump_memory(0x76bf330020, 4096);

The first argument of dump_memory is the base address of the memory to read, written in hexadecimal; the second is the size to read, in bytes. Open the app and run "frida -U {package name} -l dumpmemory.js". When the script finishes, the interactive console prints the path of the generated file.
A more convenient method is objection, a command-line tool built on Frida. First run "objection -g {package name} explore" to inject into the app on the phone. Then use "memory dump from_base 0x19940000 524288 0x199c0000" to dump a region of memory into the current directory. The first number is the base address in hexadecimal, the second is the size to dump in decimal bytes, and the third is the end address in hexadecimal. However, this method can only dump memory that has read permission; on unreadable memory it raises an error:

memory dump from_base 0x199c0000 96731136 0x1f600000

com.example.myapplication on (OPPO: 10) [usb] # memory dump from_base 0x199c0000 96731136  0x1f600000
Dumping 92.2 MiB from 0x199c0000 to 0x1f600000
A Frida agent exception has occurred.
Error: access violation accessing 0x199c0000
    at <anonymous> (frida/runtime/core.js:127)
    at <anonymous> (/script1.js:21631)
    at memoryDump (/script1.js:24722)
    at apply (native)
    at <anonymous> (frida/runtime/message-dispatcher.js:13)
    at c (frida/runtime/message-dispatcher.js:23)

Python stack trace: Traceback (most recent call last):
  File "/home/daidaihaofei/.pyenv/versions/3.8.6/lib/python3.8/site-packages/objection/console/repl.py", line 371, in start_repl
    self.run_command(document)
  File "/home/daidaihaofei/.pyenv/versions/3.8.6/lib/python3.8/site-packages/objection/console/repl.py", line 185, in run_command
    exec_method(arguments)
  File "/home/daidaihaofei/.pyenv/versions/3.8.6/lib/python3.8/site-packages/objection/commands/memory.py", line 132, in dump_from_base
    dump = api.memory_dump(int(base_address, 16), int(memory_size))
  File "/home/daidaihaofei/.pyenv/versions/3.8.6/lib/python3.8/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/home/daidaihaofei/.pyenv/versions/3.8.6/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/home/daidaihaofei/.pyenv/versions/3.8.6/lib/python3.8/site-packages/frida/core.py", line 333, in _rpc_request
    raise result[2]
frida.core.RPCException: Error: access violation accessing 0x199c0000
    at <anonymous> (frida/runtime/core.js:127)
    at <anonymous> (/script1.js:21631)
    at memoryDump (/script1.js:24722)
    at apply (native)
    at <anonymous> (frida/runtime/message-dispatcher.js:13)
    at c (frida/runtime/message-dispatcher.js:23)

The reason is that this region is not readable:

199c0000-1f600000 ---p 00000000 00:00 0                                  [anon:dalvik-main space (region space)]
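As an added example, not part of the original post, the following Node script shows the pre-check a practitioner would want before either dump method above: it parses /proc/<pid>/maps output like the line above and reports whether a [base, base+size) range is fully readable. The maps excerpt is constructed for the example; only the "---p" dalvik line mirrors the one shown above.

```javascript
// Constructed /proc/<pid>/maps excerpt (not a real capture). The "---p" line
// reproduces the region the objection dump above failed on.
const SAMPLE_MAPS = `
12c00000-199c0000 rw-p 00000000 00:00 0          [anon:dalvik-main space (region space)]
199c0000-1f600000 ---p 00000000 00:00 0          [anon:dalvik-main space (region space)]
76bf330000-76bf340000 r--p 00000000 fd:00 1234   /data/app/libexample.so
76bf340000-76bf360000 r-xp 00010000 fd:00 1234   /data/app/libexample.so
`;

// Parse one maps line into {start, end, perms, path}. Addresses on arm64 exceed
// 32 bits, so BigInt is used instead of Number for the arithmetic.
function parseMapsLine(line) {
  const m = line.trim().match(/^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$/);
  if (!m) return null;
  return { start: BigInt('0x' + m[1]), end: BigInt('0x' + m[2]), perms: m[3], path: m[4] };
}

function parseMaps(text) {
  return text.split('\n').map(parseMapsLine).filter(Boolean);
}

// Walk [base, base+size) across the mappings. Returns null when every byte is
// readable, otherwise the first hole: an unmapped gap or a mapping without 'r'.
function findUnreadable(maps, base, size) {
  let cur = BigInt(base);
  const end = cur + BigInt(size);
  while (cur < end) {
    const map = maps.find(m => m.start <= cur && cur < m.end);
    if (!map) return { at: cur, reason: 'unmapped' };
    if (map.perms[0] !== 'r') return { at: cur, reason: 'perms ' + map.perms, path: map.path };
    cur = map.end; // this mapping is readable; continue from its end
  }
  return null;
}

// Wrapper taking the same (base, size) pair as dump_memory() above.
function checkDumpRange(mapsText, base, size) {
  const hole = findUnreadable(parseMaps(mapsText), base, size);
  return hole ? `unreadable at 0x${hole.at.toString(16)} (${hole.reason})` : 'ok';
}

console.log(checkDumpRange(SAMPLE_MAPS, 0x76bf330020, 4096));
console.log(checkDumpRange(SAMPLE_MAPS, 0x199c0000, 96731136));
```

Inside a Frida session the same information is available without parsing files: Process.findRangeByAddress(ptr(base)) returns the mapping's base, size and protection string, so the script can refuse to dump a "---" range instead of crashing on the access violation.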

Original post: https://blog.csdn.net/Invoker123/article/details/114340114