How to get all functions from frida javascript rpc.exports to python?
I have a js file that contains some rpc.exports:

    rpc.exports = {
        callfunctionsecret: callSecretFun,
        callfunctionsomethingelse: callSomethingElse,
    }

I want to list all of these functions in python, but I could not find a way to do it.

    import sys
    import time

    import frida

    device = frida.get_usb_device()
    pid = device.spawn([package_name])
    device.resume(pid)
    time.sleep(1)
    session = device.attach(pid)
    with open(sys.argv[1]) as jsfile:
        script = session.create_script(jsfile.read())
    print(dir(script.exports))
    # output
    ['__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_script']
    # output doesn't contain "callfunctionsecret" and "callfunctionsomethingelse"

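Is there a way to get the function names in some kind of list?

    # e.g.
    ['callfunctionsecret','callfunctionsomethingelse']

So far I have only got to the point where I can access the function object using:

    print(script.exports.__getattr__("callfunctionsecret"))

But this requires us to know the function name first, which defeats the purpose of listing all the function names.
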
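As far as I know, this is not documented and there is no explicit way to do it. ScriptExports as a class does not contain any useful information or methods for this purpose. However, if you search frida-gum's code, there is an operation for exactly this purpose: list. You can trigger this operation and get all rpc exports like this:
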
agent.js

    function callSecretFun(n) {
        return n*100
    }
    rpc.exports = {
        callfunctionsecret: callSecretFun,
        fun1: function() {send("fun1"); return 1000},
        fun2: function() {send("fun2")}
    }

agent.py

    import sys
    import frida

    session = frida.attach("hello")
    with open("agent.js", "r") as f:
        script = session.create_script(f.read())
    script.load()
    rpc_exports = script._rpc_request('list')  # send an rpc request to list rpc exports
    print(rpc_exports)
    sys.stdin.read()

Output:

    $ python3 agent.py
    ['callfunctionsecret', 'fun1', 'fun2']
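
An added example, not part of the original answer: a wrapper around the `_rpc_request('list')` call shown above that checks the reply and maps each listed name to its `script.exports` proxy, failing clearly if the underscore-prefixed method is absent. `list_rpc_exports`, `bind_rpc_exports` and `StubScript` are hypothetical names; `StubScript` is a constructed stand-in for a loaded frida script so the block runs without a device.

```python
from typing import Any, Callable, Dict, List


def list_rpc_exports(script: Any) -> List[str]:
    """Return the agent's rpc.exports names using the undocumented 'list' operation."""
    request = getattr(script, "_rpc_request", None)
    if request is None:
        # Underscore-prefixed API: assume it can change between frida releases.
        raise RuntimeError("this frida binding has no Script._rpc_request")
    names = request("list")
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise TypeError(f"unexpected reply to 'list': {names!r}")
    return names


def bind_rpc_exports(script: Any) -> Dict[str, Callable[..., Any]]:
    """Map every listed export name to its callable proxy on script.exports."""
    return {name: getattr(script.exports, name) for name in list_rpc_exports(script)}


class _StubExports:
    """Constructed stand-in for script.exports: resolves names on attribute access."""

    def __init__(self, funcs: Dict[str, Callable[..., Any]]) -> None:
        self._funcs = funcs

    def __getattr__(self, name: str) -> Callable[..., Any]:
        try:
            return self._funcs[name]
        except KeyError:
            raise AttributeError(name)


class StubScript:
    """Constructed stand-in for a loaded frida Script (no device or process needed)."""

    def __init__(self, funcs: Dict[str, Callable[..., Any]]) -> None:
        self._funcs = funcs
        self.exports = _StubExports(funcs)

    def _rpc_request(self, operation: str, *params: Any) -> Any:
        if operation == "list":
            return list(self._funcs)
        raise ValueError(f"unsupported operation: {operation}")


if __name__ == "__main__":
    # With frida, pass the real script object after script.load() instead.
    demo = StubScript({"callfunctionsecret": lambda n: n * 100, "fun1": lambda: 1000})
    for name, func in bind_rpc_exports(demo).items():
        print(name, func)
```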