Hook抓包核心思想:数据包在明文状态下的一切时机进行dump
HTTP
request
使用socket实现原生的请求
新建一个安卓项目,在mainactivity里添加
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
new Thread(new Runnable() {
@Override
public void run() {
httpsock();
}
}).start();
}
private static void httpsock(){
try {
final String host = "www.httpbin.org";
final int port = 80;
final String path = "/get";
Socket socket = new Socket(host, port);
StringBuilder sb = new StringBuilder();
sb.append("GET " + path + " HTTP/1.1\r\n");
sb.append("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\r\n");
sb.append("Host: "+ host+"\r\n");
sb.append("\r\n");
OutputStream outputStream = socket.getOutputStream();
outputStream.write(sb.toString().getBytes());
InputStream inputStream = socket.getInputStream();
byte[] buffer = new byte[1024];
int len;
while ((len = inputStream.read(buffer, 0, buffer.length)) != -1){
Log.d("response==>", new String(Arrays.copyOf(buffer, len)));
}
} catch (IOException e) {
e.printStackTrace();
}
}
}
复制代码运行一下
分析
这是socket发送http请求的数据包,把数据包写进outputStream后进行发送,outputStream是socket对象的方法,先看一下socket的实现。跟进一下socket的实现
这些都是实现的接口,要找到实现的地方,跟进setImpl方法
可以看到impl是实例对象,这里有分支,先看一下factory,在该文件搜索factory = ,看被什么赋值了,
![图片[1]-Hook抓包-一一网](https://www.proyy.com/skycj/data/images/2021-09-08/65b1451b918e3adc475baf51173aeb39.jpg)
看到两次赋值的值都是null,所以走else,跟进 SocksSocketImpl();,这里就到socket实现的地方。
进行搜索getOutputStream()方法实现的地方,发现没有找到,那就是存在父类了,跟进父类PlainSocketImpl。
再次搜索没有,再跟进它的父类AbstractPlainSocketImpl
再搜索,发现找到了getOutputStream()实现的地方,两个if都是抛出异常,看第三个if,跟进SocketOutputStream(),
找到了SocketOutputStream()对象的地方,搜索write()方法,参数是字节
跟进socketWrite(),调用了socketWrite0()方法,跟进
可以看到该方法在native层。
frida抓包
跟到socketWrite0()这里,应该是java层最底层了,hook socketWrite0尝试下
function main(){
Java.perform(function(){
//Http request
Java.use("java.net.SocketOutputStream").socketWrite0.implementation = function(fd,bytes,off,len){
hexdump(bytes,off,len)
this.socketWrite0(fd,bytes,off,len)
}
// 打印字节数组
function hexdump(bytearry,offset,length){
var HexDump = Java.use("com.android.internal.util.HexDump")
console.log(HexDump.dumpHexString(bytearry,offset,length))
}
})
}
setImmediate(main)
复制代码运行frida,运行脚本,成功抓到包
![图片[2]-Hook抓包-一一网](https://www.proyy.com/skycj/data/images/2021-09-08/aa3673768bb867bc0fc907fa73ea0ea8.jpg)
再完善一下,添加请求地址,堆栈
function main(){
Java.perform(function(){
//Http request
Java.use("java.net.SocketOutputStream").socketWrite0.implementation = function(fd,bytes,off,len){
// 地址
printAddress(this.socket, true)
// 请求
hexdump(bytes,off,len)
// 堆栈
showStacks()
this.socketWrite0(fd,bytes,off,len)
}
function printAddress(socket, isSend){
var localAddress = socket.value.getLocalAddress().toString()
var remoteAddress = socket.value.getRemoteSocketAddress().toString()
if(isSend){
console.log(localAddress +"====>"+ remoteAddress)
}else{
console.log(remoteAddress +"====>"+ localAddress)
}
}
function hexdump(bytearry,offset,length){
var HexDump = Java.use("com.android.internal.util.HexDump")
console.log(HexDump.dumpHexString(bytearry,offset,length))
}
function showStacks() {
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}
})
}
setImmediate(main)
复制代码请求地址,堆栈都打印了
现在知识完成request部分,还有response
response
分析
接受数据是InputStream,调用的是socket的getInputStream,getInputStream和getOuputStream是成对出现的,按着刚才的思路可以找到。或者,socketWrite0()是在SocketOutputStream,那么socketRead0()就是在SocketInputStream里。
frida抓包
用Frida hook试试,再之前的代码上添加
//Http response
Java.use("java.net.SocketInputStream").socketRead0.implementation = function(fd,bytes,off,len,timeout){
printAddress(this.socket, true)
hexdump(bytes,off,len)
showStacks()
return this.socketRead0(fd,bytes,off,len,timeout)
}
复制代码也是成功抓到返回的数据
HTTP通用的收发包都抓到了,那HTTPS的呢
HTTPS
request
也是一样,创建一个HTTPS的请求
try {
final String host = "www.httpbin.org";
final int port = 443;
final String path = "/get";
SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(host, port);
StringBuilder sb = new StringBuilder();
sb.append("GET " + path + " HTTP/1.1\r\n");
sb.append("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\r\n");
sb.append("Host: "+ host+"\r\n");
sb.append("\r\n");
Log.d("request body ===>", sb.toString());
OutputStream outputStream = socket.getOutputStream();
outputStream.write(sb.toString().getBytes());
InputStream inputStream = socket.getInputStream();
byte[] buffer = new byte[1024];
int len;
while ((len = inputStream.read(buffer, 0, buffer.length)) != -1){
Log.d("response ==>", new String(Arrays.copyOf(buffer, len)));
}
} catch (IOException e) {
e.printStackTrace();
}
复制代码运行之后
分析
这里使用调试,可以快速定位到对象类的位置,
在源码中搜一下ConscryptFileDescriptorSocket
然后在源码文件搜索内部类SSLOutputStream,是继承OutputStream,然后对原来的write方法进行重写
跟踪一下write方法里的ssl.write()
再跟踪NativeCrypto.SSL_write(),又到了native层,可以说已经在java层跟到底了
frida抓包
用frida hook下org.conscrypt.NativeCrypto类下的SSL_write()方法
function main(){
Java.perform(function(){
//Https request
Java.use("org.conscrypt.NativeCrypto").SSL_write.implementation = function(ssl,fd,shc,bytes,off,len,timeout){
hexdump(bytes,off,len)
showStacks()
this.SSL_write(ssl,fd,shc,bytes,off,len,timeout)
}
// 打印字节数组
function hexdump(bytearry,offset,length){
var HexDump = Java.use("com.android.internal.util.HexDump")
console.log(HexDump.dumpHexString(bytearry,offset,length))
}
function showStacks() {
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}
})
}
setImmediate(main)
复制代码运行会看到报错了,说找不到NativeCrypto这个类
使用objection看一下,内存中是否存在NativeCrypto,多加了com.android前缀,再用frida试一下com.android.org.conscrypt.NativeCrypto
这次成功抓到包
response
response同理
frida抓包
//Https response
Java.use("com.android.org.conscrypt.NativeCrypto").SSL_read.implementation = function(ssl,fd,shc,bytes,off,len,timeout){
hexdump(bytes,off,len)
showStacks()
return this.SSL_read(ssl,fd,shc,bytes,off,len,timeout)
}
复制代码![图片[3]-Hook抓包-一一网](https://www.proyy.com/skycj/data/images/2021-09-08/9244085c5a04d7d1c7bf205b8d3bba61.jpg)
完整代码
function main(){
Java.perform(function(){
//Http request
Java.use("java.net.SocketOutputStream").socketWrite0.implementation = function(fd,bytes,off,len){
printAddress(this.socket, true)
hexdump(bytes,off,len)
showStacks()
this.socketWrite0(fd,bytes,off,len)
}
//Http response
Java.use("java.net.SocketInputStream").socketRead0.implementation = function(fd,bytes,off,len,timeout){
printAddress(this.socket, false)
hexdump(bytes,off,len)
showStacks()
return this.socketRead0(fd,bytes,off,len,timeout)
}
//Https request
Java.use("com.android.org.conscrypt.NativeCrypto").SSL_write.implementation = function(sslNativePointer,fd,shc,bytes,off,len,timeout){
printHttpsAddress(fd)
hexdump(bytes,off,len)
showStacks()
return this.SSL_write(sslNativePointer,fd,shc,bytes,off,len,timeout)
}
//Https response
Java.use("com.android.org.conscrypt.NativeCrypto").SSL_read.implementation = function(sslNativePointer,fd,shc,bytes,off,len,timeout){
printHttpsAddress(fd)
hexdump(bytes,off,len)
showStacks()
return this.SSL_read(sslNativePointer,fd,shc,bytes,off,len,timeout)
}
function printHttpsAddress(fd, isSend){
var local = Socket.localAddress(fd.getInt$())
var peer = Socket.peerAddress(fd.getInt$())
if(isSend){
console.log(local.ip+":"+local.port +"====>"+ peer.ip+":"+peer.port)
}else{
console.log(peer.ip+":"+peer.port +"====>"+ local.ip+":"+local.port)
}
}
function printAddress(socket, isSend){
var localAddress = socket.value.getLocalAddress().toString()
var remoteAddress = socket.value.getRemoteSocketAddress().toString()
if(isSend){
console.log(localAddress +"====>"+ remoteAddress)
}else{
console.log(remoteAddress +"====>"+ localAddress)
}
}
function hexdump(bytearry,offset,length){
var HexDump = Java.use("com.android.internal.util.HexDump")
console.log(HexDump.dumpHexString(bytearry,offset,length))
}
function showStacks() {
console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}
})
}
setImmediate(main)
复制代码推荐一波肉师傅的知识星球,这个男人除了生孩子什么都会
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
![[桜井宁宁]COS和泉纱雾超可爱写真福利集-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/4d3cf227a85d7e79f5d6b4efb6bde3e8.jpg)
![[桜井宁宁] 爆乳奶牛少女cos写真-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/d40483e126fcf567894e89c65eaca655.jpg)
