
Using Frida's APIs

2020-08-22 17:34 Author: 無情劍客Burning


The previous articles introduced most of the APIs shown in the figure; this one continues with the remaining ones.

Kernel

As the name suggests, this is the kernel-related part of the API: enumerating the modules the kernel has loaded, or manipulating kernel memory. In testing, Kernel.available is false on both Android and Linux, so none of the related APIs can be used on those systems.

Kernel.available: a boolean specifying whether the Kernel API is available. Do not invoke any other Kernel properties or methods unless this is the case. If it is not available, none of the properties and methods below can be used.

Kernel.base: base address of the kernel, as a UInt64.

Kernel.pageSize: size of a kernel page in bytes, as a number.

Kernel.enumerateModules(): enumerates kernel modules loaded right now, returning an array of objects containing the following properties:

  • name: canonical module name as a string

  • base: base address as a NativePointer

  • size: size in bytes

Kernel.enumerateRanges(protection|specifier): enumerate kernel memory ranges satisfying protection given as a string of the form: rwx, where rw- means “must be at least readable and writable”. Alternatively you may provide a specifier object with a protection key whose value is as aforementioned, and a coalesce key set to true if you’d like neighboring ranges with the same protection to be coalesced (the default is false; i.e. keeping the ranges separate). Returns an array of objects containing the following properties:

  • base: base address as a NativePointer

  • size: size in bytes

  • protection: protection string (see above)

Kernel.enumerateModuleRanges(name, protection): just like Kernel.enumerateRanges, except it’s scoped to the specified module name – which may be null for the module of the kernel itself. Each range also has a name field containing a unique identifier as a string.

Kernel.alloc(size): allocate size bytes of kernel memory, rounded up to a multiple of the kernel’s page size. The returned value is a UInt64 specifying the base address of the allocation.

Kernel.protect(address, size, protection): update protection on a region of kernel memory, where protection is a string of the same format as Kernel.enumerateRanges().

For example:

    Kernel.protect(UInt64('0x1234'), 4096, 'rw-');

Kernel.readByteArray(address, length): just like NativePointer#readByteArray, but reading from kernel memory.

Kernel.writeByteArray(address, bytes): just like NativePointer#writeByteArray, but writing to kernel memory.

Kernel.scan(address, size, pattern, callbacks): just like Memory.scan, but scanning kernel memory.

Kernel.scanSync(address, size, pattern): synchronous version of scan() that returns the matches in an array.

    setTimeout(function () {
      Java.perform(function () {
        // Print availability first; on Android and Linux this is false,
        // so base and pageSize are not meaningful there
        console.log(Kernel.available);
        console.log(Kernel.base);
        console.log(Kernel.pageSize);
      });
    });

Output (identical on Android and Linux):
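The protection-string matching and `coalesce` behaviour described for Kernel.enumerateRanges above, as an added example in plain JavaScript (not code from the original post or from Frida): protectionSatisfies, coalesceRanges, enumerateRangesLike and kernelRanges are hypothetical helper names, and sampleRanges is a constructed table so the logic runs outside Frida, where Kernel is undefined.

```javascript
// Added example, not from the original post: reproduces the protection-string
// and `coalesce` semantics documented for Kernel.enumerateRanges() in plain JS,
// guarded by Kernel.available. `sampleRanges` is constructed; numbers stand in for pointers.

function protectionSatisfies(rangeProt, required) {
  // 'rw-' means "at least readable and writable": a letter in `required` must
  // be present in the range, while '-' in `required` imposes no constraint.
  const shape = /^[r-][w-][x-]$/;
  if (!shape.test(rangeProt) || !shape.test(required))
    throw new Error('protection must look like rwx, rw-, r-x, ...');
  for (let i = 0; i < 3; i++)
    if (required[i] !== '-' && rangeProt[i] !== required[i]) return false;
  return true;
}

function coalesceRanges(ranges) {
  // Merge neighbouring ranges that share a protection (what coalesce: true does).
  const sorted = ranges.slice().sort((a, b) => a.base - b.base);
  const out = [];
  for (const r of sorted) {
    const last = out[out.length - 1];
    if (last && last.protection === r.protection && last.base + last.size === r.base)
      last.size += r.size;
    else
      out.push({ base: r.base, size: r.size, protection: r.protection });
  }
  return out;
}

function enumerateRangesLike(ranges, spec) {
  // Accepts a protection string or a { protection, coalesce } specifier object.
  const required = typeof spec === 'string' ? spec : spec.protection;
  const coalesce = typeof spec === 'object' && spec.coalesce === true;
  const matching = ranges.filter(r => protectionSatisfies(r.protection, required));
  return coalesce ? coalesceRanges(matching) : matching;
}

function kernelRanges(spec) {
  // Guard from the docs: use no other Kernel member unless available (false on Android/Linux; undefined outside Frida).
  if (typeof Kernel === 'undefined' || !Kernel.available)
    return { available: false, ranges: [] };
  return { available: true, ranges: Kernel.enumerateRanges(spec) };
}

const sampleRanges = [
  { base: 0x1000, size: 0x1000, protection: 'r--' },
  { base: 0x2000, size: 0x1000, protection: 'rw-' },
  { base: 0x3000, size: 0x1000, protection: 'rw-' },
  { base: 0x5000, size: 0x1000, protection: 'rwx' },
];
```

Inside Frida with a kernel-capable target, kernelRanges({ protection: 'rw-', coalesce: true }) returns the real ranges; everywhere else it returns the fallback without touching the Kernel object.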

CModule

Put simply, this lets you embed a C module in your script.

new CModule(source[, symbols]): compiles C source code string to machine code, straight to memory. Useful for implementing hot callbacks, e.g. for Interceptor and Stalker, but also useful when needing to start new threads in order to call functions in a tight loop, e.g. for fuzzing purposes. Global functions are automatically exported as NativePointer properties named exactly like in the C source code. This means you can pass them to Interceptor and Stalker, or call them using NativePointer. The optional second argument, symbols, is an object specifying additional symbol names and their NativePointer values, each of which will be plugged in at creation. This may for example be one or more memory blocks allocated using Memory.alloc(), and/or NativeCallback values for receiving callbacks from the C module.

To perform initialization and cleanup, you may define functions with the following names and signatures:

  • void init (void)

    Note that all data is read-only, so writable globals should be declared extern, allocated using e.g. Memory.alloc(), and passed in as symbols through the constructor’s second argument.

  • void finalize (void)

dispose(): eagerly unmaps the module from memory. Useful for short-lived modules when waiting for a future garbage collection isn’t desirable. Example:

    // C source is passed as a single string; "\\n" keeps the newline escape for printf
    var source = [
      '#include <stdio.h>',
      '',
      'void hello(void) {',
      '  printf("Hello World from CModule\\n");',
      '}',
    ].join('\n');

    var cm = new CModule(source);

    // Global functions are exported as NativePointer properties (here cm.hello)
    console.log(JSON.stringify(cm));

    var hello = new NativeFunction(cm.hello, 'void', []);
    hello();

Run:

    frida -p 0 --runtime=v8 -l example.js

The result is shown below:

DebugSymbol

Functionality related to debug symbols.

DebugSymbol.fromAddress(address), DebugSymbol.fromName(name): look up debug information for address/name and return it as an object containing:

  • address: Address that this symbol is for, as a NativePointer.

  • name: Name of the symbol, as a string, or null if unknown.

  • moduleName: Module name owning this symbol, as a string, or null if unknown.

  • fileName: File name owning this symbol, as a string, or null if unknown.

  • lineNumber: Line number in fileName, as a number, or null if unknown.

You may also call toString() on it, which is very useful when combined with Thread.backtrace().

DebugSymbol.getFunctionByName(name): resolves a function name and returns its address as a NativePointer. Returns the first if more than one function is found. Throws an exception if the name cannot be resolved.

DebugSymbol.findFunctionsNamed(name): resolves a function name and returns its addresses as an array of NativePointer objects.

DebugSymbol.findFunctionsMatching(glob): resolves function names matching glob and returns their addresses as an array of NativePointer objects.

DebugSymbol.load(path): loads debug symbols for a specific module.

Example:

    Interceptor.attach(Module.getExportByName(null, 'read'), {
      onEnter: function (args) {
        // Symbolize every return address on the stack with DebugSymbol.fromAddress
        console.log('read called from:\n' +
          Thread.backtrace(this.context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress).join('\n') + '\n');
      }
    });

Interceptor will be covered in a later article; judging by the English name, one can infer that it works like an interceptor.

Run frida -U -l hello.js com.lingpao.lpcf622bdebug --runtime=v8; result:

Closing remarks

This more or less completes the coverage of Frida's basic APIs. The following articles will introduce some advanced APIs and their use. The APIs covered in this article are not used very often, but they can come in handy when solving difficult problems.

WeChat official account

For more content, follow my WeChat official account: 無情劍客.



