0x1 Frida build process

github: https://github.com/taisuii/rusda

Create a project directory, clone the Frida source into it, and enter the project directory

git clone --recurse-submodules -b 16.2.1 https://github.com/frida/frida
cd frida

Running ls at this point should show the following files

(base) r@ubuntu20:~/Documents/FRIDA/frida$ ls
BSDmakefile COPYING frida-gum frida.sln Makefile.freebsd.mk Makefile.toolchain.mk
build frida-clr frida-node frida-swift Makefile.linux.mk README.md
config.mk frida-core frida-python frida-tools Makefile.macos.mk releng
CONTRIBUTING.md frida-go frida-qml Makefile Makefile.sdk.mk

One-shot install of Node.js 22

# build the download URL
NODE_TAR_URL="https://nodejs.org/dist/v22.12.0/node-v22.12.0-linux-x64.tar.xz"
wget $NODE_TAR_URL
# verify the tarball against the checksum list nodejs.org publishes for the release
wget https://nodejs.org/dist/v22.12.0/SHASUMS256.txt
sha256sum -c --ignore-missing SHASUMS256.txt
# extract the Node.js tarball into the user directory (tar -C does not create the target)
mkdir -p $HOME/bin
tar -xf node-v22.12.0-linux-x64.tar.xz -C $HOME/bin
rm node-v22.12.0-linux-x64.tar.xz SHASUMS256.txt
# set NODE_HOME and PATH (export only affects this shell; add to ~/.bashrc to persist)
export NODE_HOME=$HOME/bin/node-v22.12.0-linux-x64
export PATH=${NODE_HOME}/bin:$PATH
# print the Node.js version to confirm the install
node -v

(base) r@ubuntu20:~/Documents/FRIDA/frida$ # build the download URL
(base) r@ubuntu20:~/Documents/FRIDA/frida$ NODE_TAR_URL="https://nodejs.org/dist/v22.12.0/node-v22.12.0-linux-x64.tar.xz"
(base) r@ubuntu20:~/Documents/FRIDA/frida$ wget $NODE_TAR_URL
--2024-12-09 23:31:18-- https://nodejs.org/dist/v22.12.0/node-v22.12.0-linux-x64.tar.xz
Resolving nodejs.org (nodejs.org)... 198.18.1.205
Connecting to nodejs.org (nodejs.org)|198.18.1.205|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29734248 (28M) [application/x-xz]
Saving to: ‘node-v22.12.0-linux-x64.tar.xz’

node-v22.12.0-linux-x64.tar.xz 100%[============================================================================>] 28.36M 8.89MB/s in 3.2s

2024-12-09 23:31:21 (8.89 MB/s) - ‘node-v22.12.0-linux-x64.tar.xz’ saved [29734248/29734248]

(base) r@ubuntu20:~/Documents/FRIDA/frida$ # extract the Node.js tarball into the user directory
(base) r@ubuntu20:~/Documents/FRIDA/frida$ tar -xf node-v22.12.0-linux-x64.tar.xz -C $HOME/bin
(base) r@ubuntu20:~/Documents/FRIDA/frida$ # set NODE_HOME and PATH
(base) r@ubuntu20:~/Documents/FRIDA/frida$ export NODE_HOME=$HOME/bin/node-v22.12.0-linux-x64
(base) r@ubuntu20:~/Documents/FRIDA/frida$ export PATH=${NODE_HOME}/bin:$PATH
(base) r@ubuntu20:~/Documents/FRIDA/frida$ # print the Node.js version to confirm the install
(base) r@ubuntu20:~/Documents/FRIDA/frida$ node -v
v22.12.0
(base) r@ubuntu20:~/Documents/FRIDA/frida$ ls
BSDmakefile COPYING frida-go frida-python frida-swift Makefile.freebsd.mk Makefile.sdk.mk README.md
config.mk frida-clr frida-gum frida-qml frida-tools Makefile.linux.mk Makefile.toolchain.mk releng
CONTRIBUTING.md frida-core frida-node frida.sln Makefile Makefile.macos.mk node-v22.12.0-linux-x64.tar.xz
(base) r@ubuntu20:~/Documents/FRIDA/frida$ rm -r node-v22.12.0-linux-x64.tar.xz
(base) r@ubuntu20:~/Documents/FRIDA/frida$

Then run make once

make

Install the NDK

Run the following command to see which NDK version the build requires; you should get the output below

cat releng/setup-env.sh |grep "ndk_required="
(base) r@ubuntu20:~/Documents/FRIDA/frida$ cat releng/setup-env.sh |grep "ndk_required="
ndk_required=25

One-shot install of NDK r25

NDK Downloads | Android NDK | Android Developers

wget https://dl.google.com/android/repository/android-ndk-r25c-linux.zip
# unzip takes the destination via -d; a bare path after the archive is treated as a file pattern to extract
unzip -q android-ndk-r25c-linux.zip -d $HOME/bin/
rm android-ndk-r25c-linux.zip
# Frida's releng scripts locate the NDK through ANDROID_NDK_ROOT
export ANDROID_NDK_ROOT=$HOME/bin/android-ndk-r25c
export PATH=$ANDROID_NDK_ROOT:$PATH
ndk-build -v

Install dependencies

sudo apt update
sudo apt-get install build-essential git lib32stdc++-9-dev libc6-dev-i386
pip3 install lief

Build

List the available build targets

(frida-compile) r@ubuntu20:~/Documents/FRIDA/frida$ make
make[1]: Entering directory '/home/r/Documents/FRIDA/frida'

Usage: make TARGET [VARIABLE=value]

Where TARGET specifies one or more of:

/* gum */
gum-linux-x86 Build for Linux/x86
gum-linux-x86_64 Build for Linux/x86-64
gum-linux-x86-thin Build for Linux/x86 without cross-arch support
gum-linux-x86_64-thin Build for Linux/x86-64 without cross-arch support
gum-linux-x86_64-gir Build for Linux/x86-64 with shared GLib and GIR
gum-linux-arm Build for Linux/arm
gum-linux-armbe8 Build for Linux/armbe8
gum-linux-armhf Build for Linux/armhf
...... and so on

Build Frida for Android arm64

make core-android-arm64

If you run into the following two errors (keywords: master, version):

  • master: edit the files by hand | No rule to make target '.git/refs/heads/master', needed by 'build/frida-version.h'. Stop.
frida$ gedit releng/frida.mk
frida$ gedit releng/frida-deps.vcxproj
# CTRL + H: find "master" and replace it with "main"
# remember CTRL + S to save after editing

# original line
build/frida-version.h: releng/generate-version-header.py .git/refs/heads/master
# change it to
build/frida-version.h: releng/generate-version-header.py .git/refs/heads/main
  • version: this error is caused by build/frida-version.h not existing (a clone with -b 16.2.1 checks out the tag as a detached HEAD, so the branch ref the rule depends on is not there either); call the Python script by hand and pass it the path where the version header should be written
python3 releng/generate-version-header.py "build/frida-version.h"
#ifndef __FRIDA_VERSION_H__
#define __FRIDA_VERSION_H__

#define FRIDA_VERSION "16.2.1"

#define FRIDA_MAJOR_VERSION 16
#define FRIDA_MINOR_VERSION 2
#define FRIDA_MICRO_VERSION 1
#define FRIDA_NANO_VERSION 0

#endif

Run make core-android-arm64 again to continue the build

Build complete

Installing lib/base/libfrida-base-1.0.a to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib
Installing lib/base/frida-base.h to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/include/frida-1.0
Installing lib/base/frida-base-1.0.vapi to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/share/vala/vapi
Installing lib/payload/libfrida-payload-1.0.a to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib
Installing lib/payload/frida-payload.h to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/include/frida-1.0
Installing lib/payload/frida-payload-1.0.vapi to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/share/vala/vapi
Installing lib/gadget/frida-gadget.so to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib/frida/64
Installing src/api/frida-core.h to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/include/frida-1.0
Installing src/api/frida-core-1.0.vapi to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/share/vala/vapi
Installing src/api/frida-core-1.0.deps to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/share/vala/vapi
Installing src/api/libfrida-core-1.0.a to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib
Installing server/frida-server to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/bin
Installing portal/frida-portal to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/bin
Installing inject/frida-inject to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/bin
Installing /home/r/Documents/FRIDA/frida/frida-core/lib/selinux/frida-selinux.h to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/include/frida-1.0
Installing /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/meson-private/frida-base-1.0.pc to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib/pkgconfig
Installing /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/meson-private/frida-payload-1.0.pc to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib/pkgconfig
Installing /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/meson-private/frida-core-1.0.pc to /home/r/Documents/FRIDA/frida/build/frida-android-arm64/lib/pkgconfig
make[1]: Leaving directory '/home/r/Documents/FRIDA/frida'

Inspect the build output

cd build/frida-android-arm64/bin && ls
(frida-compile) r@ubuntu20:~/Documents/FRIDA/frida$ cd build/frida-android-arm64/bin && ls
frida-inject frida-portal frida-server gum-graft
(frida-compile) r@ubuntu20:~/Documents/FRIDA/frida/build/frida-android-arm64/bin$

0x2 Modifying Frida

First replace every occurrence of “frida_agent_main” with “main”

Then apply the patch directly with git am. If you don't know how, making the changes one by one is not much work either, because the core of it is really the Python script plus the string replacement above.

I renamed frida to rusda here; you can change it to anything else.

github: GitHub - taisuii/rusda: patch for frida 16.2.1

The Python script is created under the frida-core/src directory

If you get No module named ‘lief’, the Python module is not installed: pip3 install lief

Then build. You can filter the build log while it runs; if the build succeeds but plenty of signatures remain, in most cases the Python script patch was not applied.

make core-android-arm64 | grep Patch
(base) r@ubuntu20:~/Documents/FRIDA/frida$ make core-android-arm64 | grep Patch
[*] Patch frida-agent: /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/src/frida-agent@emb/frida-agent-64.so
[*] Patch `frida` to `rusda`
[*] Patching section name=.rodata offset=0x1c4a26 orig:FridaScriptEngine new:enignEtpircSadirF
[*] Patching section name=.rodata offset=0x1d24db orig:FridaScriptEngine new:enignEtpircSadirF
[*] Patching section name=.rodata offset=0x1d9472 orig:GLib-GIO new:OIG-biLG
[*] Patching section name=.rodata offset=0x1959df orig:GDBusProxy new:yxorPsuBDG
[*] Patching section name=.rodata offset=0x1c4b31 orig:GDBusProxy new:yxorPsuBDG
[*] Patching section name=.rodata offset=0x1b1746 orig:GumScript new:tpircSmuG
[*] Patching section name=.rodata offset=0x210bed orig:GumScript new:tpircSmuG
[*] Patching section name=.rodata offset=0x238393 orig:GumScript new:tpircSmuG
[*] Patching section name=.rodata offset=0x246184 orig:GumScript new:tpircSmuG
[*] Patch `gum-js-loop` to `russellloop`
[*] Patch `gmain` to `rmain`
[*] Patch `gdbus` to `rubus`
[*] Patch Finish
[*] Patch frida-agent: /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/src/frida-agent@emb/frida-agent-32.so
[*] Patch `frida` to `rusda`
[*] Patching section name=.rodata offset=0xcc3a3 orig:FridaScriptEngine new:enignEtpircSadirF
[*] Patching section name=.rodata offset=0xd984c orig:FridaScriptEngine new:enignEtpircSadirF
[*] Patching section name=.rodata offset=0xe066f orig:GLib-GIO new:OIG-biLG
[*] Patching section name=.rodata offset=0x9e15e orig:GDBusProxy new:yxorPsuBDG
[*] Patching section name=.rodata offset=0xcc4ae orig:GDBusProxy new:yxorPsuBDG
[*] Patching section name=.rodata offset=0xb96c5 orig:GumScript new:tpircSmuG
[*] Patching section name=.rodata offset=0x115e26 orig:GumScript new:tpircSmuG
[*] Patching section name=.rodata offset=0x13d0a3 orig:GumScript new:tpircSmuG
[*] Patching section name=.rodata offset=0x14aa2d orig:GumScript new:tpircSmuG
[*] Patch `gum-js-loop` to `russellloop`
[*] Patch `gmain` to `rmain`
[*] Patch `gdbus` to `rubus`
[*] Patch Finish
[*] Patch frida-agent: /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/src/frida-agent@emb/frida-agent-arm64.so
[*] Patch `frida` to `rusda`
[*] Patch frida-agent: /home/r/Documents/FRIDA/frida/build/tmp-android-arm64/frida-core/src/frida-agent@emb/frida-agent-arm.so
[*] Patch `frida` to `rusda`
(base) r@ubuntu20:~/Documents/FRIDA/frida$ ls
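What the patch step actually does, as an added example that is not the rusda script from the repository above: same-length in-place rewriting of literals inside .rodata, logged in the same format as the build output. The real script uses lief (lief.parse and get_section(".rodata")); this example instead walks the ELF64 section table with the standard library so it runs on a constructed sample image. The sample .rodata contents, the replacement names (taken from the log above) and the restriction to little-endian ELF64 are this example's assumptions.

```python
"""
Same-length string patching inside an ELF .rodata section, the technique the
page's Python/LIEF script applies to frida-agent-*.so. Added example, not the
rusda project's script: lief.parse()/get_section(".rodata") is replaced by a
minimal ELF64 section-table walk, and it runs on a constructed sample image.
Assumptions: little-endian ELF64 only; every replacement keeps the byte length.
"""
import struct

ELF64_EHDR_SIZE = 64
ELF64_SHDR_SIZE = 64
SHDR_FMT = "<IIQQQQIIQQ"  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...


def find_section(elf: bytes, name: str) -> tuple:
    """Return (file_offset, size) of section `name` by walking the section table."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:      # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def shdr(i):
        return struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize)

    str_off, str_size = shdr(e_shstrndx)[4:6]      # .shstrtab holds the section names
    strtab = elf[str_off:str_off + str_size]
    for i in range(e_shnum):
        sh_name, _, _, _, sh_off, sh_size = shdr(i)[:6]
        end = strtab.index(b"\x00", sh_name)
        if strtab[sh_name:end] == name.encode():
            return sh_off, sh_size
    raise KeyError(name)


def reversed_name(s: str) -> str:
    """The page's choice of replacement: reverse the string so its length is unchanged."""
    return s[::-1]


def patch_section(elf: bytes, section: str, renames: dict) -> tuple:
    """Rewrite every occurrence of each key inside `section` with its same-length value.

    Returns (patched_image, log); log entries are (section, offset, orig, new), the
    same information as the "[*] Patching section name=.rodata offset=..." lines.
    """
    off, size = find_section(elf, section)
    buf = bytearray(elf)
    log = []
    for orig, new in renames.items():
        o, n = orig.encode(), new.encode()
        if len(o) != len(n):
            # A longer string would overwrite the next literal and nothing can be
            # shifted in a linked binary, so only equal-length replacements are allowed.
            raise ValueError(f"{orig!r} -> {new!r}: replacement must keep the byte length")
        pos = buf.find(o, off, off + size)
        while pos != -1:
            buf[pos:pos + len(o)] = n
            log.append((section, pos, orig, new))
            pos = buf.find(o, pos + len(o), off + size)
    return bytes(buf), log


def count_hits(image: bytes, needles) -> int:
    """Whole-file substring scan: what `strings | grep` or a naive detector sees."""
    return sum(image.count(n.encode()) for n in needles)


def build_sample_elf(rodata: bytes) -> bytes:
    """Constructed ELF64 image with only .rodata and .shstrtab (not a real library)."""
    shstrtab = b"\x00.rodata\x00.shstrtab\x00"
    rodata_off = ELF64_EHDR_SIZE
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 8                              # align the section table
    ehdr = bytearray(ELF64_EHDR_SIZE)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"                  # magic, ELFCLASS64, LE, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 0x10, 3, 0xB7, 1)   # ET_DYN, EM_AARCH64, e_version
    struct.pack_into("<Q", ehdr, 0x28, shoff)          # e_shoff
    struct.pack_into("<HHHHHH", ehdr, 0x34,            # e_ehsize .. e_shstrndx
                     ELF64_EHDR_SIZE, 0, 0, ELF64_SHDR_SIZE, 3, 2)

    def shdr(name_idx, sh_type, sh_off, sh_size):
        return struct.pack(SHDR_FMT, name_idx, sh_type, 0, 0, sh_off, sh_size, 0, 0, 1, 0)

    table = (shdr(0, 0, 0, 0)                          # SHT_NULL
             + shdr(1, 1, rodata_off, len(rodata))     # .rodata, SHT_PROGBITS
             + shdr(9, 3, shstr_off, len(shstrtab)))   # .shstrtab, SHT_STRTAB
    body = bytes(ehdr) + rodata + shstrtab
    return body + b"\x00" * (shoff - len(body)) + table


# Constructed .rodata contents: literals of the kind the build log shows being patched.
SAMPLE_RODATA = b"FridaScriptEngine\x00GumScript\x00GDBusProxy\x00gum-js-loop\x00frida-agent\x00libc\x00"

# The page's renames: frida -> rusda, gum-js-loop -> russellloop, class names reversed.
RENAMES = {
    "FridaScriptEngine": reversed_name("FridaScriptEngine"),   # enignEtpircSadirF
    "GumScript": reversed_name("GumScript"),                   # tpircSmuG
    "GDBusProxy": reversed_name("GDBusProxy"),                 # yxorPsuBDG
    "gum-js-loop": "russellloop",
    "frida": "rusda",
}

if __name__ == "__main__":
    image = build_sample_elf(SAMPLE_RODATA)
    patched, log = patch_section(image, ".rodata", RENAMES)
    for section, offset, orig, new in log:
        print(f"[*] Patching section name={section} offset={offset:#x} orig:{orig} new:{new}")
    print("remaining hits:", count_hits(patched, RENAMES))
```

The length check is the part that matters: a replacement that grows a literal overwrites the one after it, and a linked library cannot have its .rodata shifted, which is why the page reverses names rather than inventing longer ones. Note also that the lowercase needle `frida` does not match `FridaScriptEngine`; that is why the log lists each class name as its own replacement.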

0x3 Running a test

With the port changed as well, the check app shows all green

cd build/frida-android-arm64/bin
adb push frida-server /data/local/tmp
# the server below listens on the device loopback only, so forward the port to the host first
adb forward tcp:12345 tcp:12345
adb shell
cd /data/local/tmp
chmod +x frida-server
./frida-server -l 127.0.0.1:12345

frida -H 127.0.0.1:12345 -f com.yimian.envcheck
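To see why the renames above turn such a check app green, here is the kind of check it runs, as an added example that is not the code of com.yimian.envcheck or of any project referenced on this page: thread names from /proc/<pid>/task/*/comm, mapped paths from /proc/<pid>/maps, and the default frida-server port 27042 from /proc/net/tcp. It runs over a constructed /proc tree written to a temporary directory; the thread names, the mapped paths (the `rusda-agent` path is a hypothetical name) and the tcp table are sample data built inline.

```python
"""
Minimal Frida presence checks of the kind an "env check" app performs, run over
a constructed copy of the /proc entries it would read. Added example, not code
from the page or from any detection app. Assumes the Linux /proc layout:
/proc/<pid>/task/<tid>/comm, /proc/<pid>/maps and /proc/net/tcp (ports in hex).
"""
import os
import tempfile

# Exactly the names the page's patch rewrites (gum-js-loop -> russellloop,
# gmain -> rmain, gdbus -> rubus, frida -> rusda) are what a naive detector greps for.
# gmain/gdbus are generic GLib thread names, so any GLib-linked process would match too.
THREAD_NEEDLES = ("gum-js-loop", "gmain", "gdbus", "frida")
MAPS_NEEDLES = ("frida", "gum-js")
DEFAULT_FRIDA_PORT = 27042      # frida-server default; the page moves it to 12345
TCP_LISTEN = "0A"               # socket state column value for LISTEN


def scan_thread_names(proc_root: str) -> list:
    """Return (tid, comm) for every thread whose name contains a needle."""
    hits = []
    task_dir = os.path.join(proc_root, "task")
    for tid in sorted(os.listdir(task_dir)):
        with open(os.path.join(task_dir, tid, "comm")) as f:
            comm = f.read().strip()
        if any(n in comm for n in THREAD_NEEDLES):
            hits.append((tid, comm))
    return hits


def scan_maps(proc_root: str) -> list:
    """Return mapped file paths that mention a needle (e.g. an injected frida-agent)."""
    hits = []
    with open(os.path.join(proc_root, "maps")) as f:
        for line in f:
            parts = line.split()
            path = parts[5] if len(parts) > 5 else ""
            if any(n in path for n in MAPS_NEEDLES):
                hits.append(path)
    return hits


def listening_ports(tcp_table: str) -> set:
    """Parse /proc/net/tcp text; the local port is the hex after ':' in column 1."""
    ports = set()
    for line in tcp_table.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) > 3 and parts[3] == TCP_LISTEN:
            ports.add(int(parts[1].split(":")[1], 16))
    return ports


def frida_indicators(proc_root: str, tcp_table: str) -> dict:
    """Combine the three checks; an app would refuse to run if any is non-empty/True."""
    return {
        "threads": scan_thread_names(proc_root),
        "maps": scan_maps(proc_root),
        "default_port": DEFAULT_FRIDA_PORT in listening_ports(tcp_table),
    }


def fake_proc(thread_names, mapped_paths) -> str:
    """Constructed sample /proc/<pid> tree in a temp dir (not a real process)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for tid, name in enumerate(thread_names, start=1000):
        d = os.path.join(root, "task", str(tid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(name + "\n")
    with open(os.path.join(root, "maps"), "w") as f:
        for i, p in enumerate(mapped_paths):
            base = 0x700000000000 + i * 0x10000
            f.write(f"{base:012x}-{base + 0x1000:012x} r-xp 00000000 fd:01 {i} {p}\n")
    return root


# Constructed /proc/net/tcp: a listener on 27042 (0x69A2) and one on 12345 (0x3039).
TCP_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
TCP_STOCK = TCP_HEADER + (
    "   0: 0100007F:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1\n"
    "   1: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1\n"
)
TCP_PATCHED = TCP_HEADER + (
    "   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1\n"
)

# Stock build: GLib/Gum thread names and a frida-agent mapping. Patched build (hypothetical
# path name): renamed threads and library, server moved to 12345.
STOCK_THREADS = ["gum-js-loop", "gmain", "gdbus", "main"]
STOCK_MAPS = ["/system/lib64/libc.so", "/data/local/tmp/re.frida.server/frida-agent-64.so"]
PATCHED_THREADS = ["russellloop", "rmain", "rubus", "main"]
PATCHED_MAPS = ["/system/lib64/libc.so", "/data/local/tmp/re.rusda.server/rusda-agent-64.so"]

if __name__ == "__main__":
    print("stock:  ", frida_indicators(fake_proc(STOCK_THREADS, STOCK_MAPS), TCP_STOCK))
    print("patched:", frida_indicators(fake_proc(PATCHED_THREADS, PATCHED_MAPS), TCP_PATCHED))
```

A detector that looks at more than names, for example anonymous executable mappings or probing the server's protocol on whatever port it listens on, is not defeated by string renames alone; the three checks here are the ones the page's changes address.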

0x4 References

GitHub - Ylarod/Florida: Basic anti-detection frida-server

GitHub - hluwa/Patchs: strongR-frida

[Original] Building the latest FRIDA | 16.0.9 - Android Security - Kanxue Security Community | kanxue.com