Hook抓包

Hook抓包核心思想：数据包在明文状态下的一切时机进行dump

HTTP

request

使用socket实现原生的请求
新建一个安卓项目，在mainactivity里添加

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        new Thread(new Runnable() {
            @Override
            public void run() {
                httpsock();
            }
        }).start();

    }
    private static void httpsock(){
        try {
            final String host = "www.httpbin.org";
            final int port = 80;
            final String path = "/get";
            Socket socket = new Socket(host, port);

            StringBuilder sb = new StringBuilder();
            sb.append("GET " + path + " HTTP/1.1\r\n");
            sb.append("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\r\n");
            sb.append("Host: "+ host+"\r\n");
            sb.append("\r\n");

            OutputStream outputStream = socket.getOutputStream();
            outputStream.write(sb.toString().getBytes());

            InputStream inputStream = socket.getInputStream();
            byte[] buffer = new byte[1024];
            int len;
            while ((len = inputStream.read(buffer, 0, buffer.length)) != -1){
                Log.d("response==>", new String(Arrays.copyOf(buffer, len)));
            }

        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

运行一下

分析

这是socket发送http请求的数据包，把数据包写进outputStream后进行发送，outputStream是socket对象的方法，先看一下socket的实现。跟进一下socket的实现

这些都是实现的接口，要找到实现的地方，跟进setImpl方法

可以看到impl是实例对象，这里有分支，先看一下factory，在该文件搜索factory = ，看被什么赋值了，

看到两次赋值的值都是null，所以走else，跟进 SocksSocketImpl();，这里就到socket实现的地方。

进行搜索getOutputStream()方法实现的地方，发现没有找到，那就是存在父类了，跟进父类PlainSocketImpl。
再次搜索没有，再跟进它的父类AbstractPlainSocketImpl

再搜索，发现找到了getOutputStream()实现的地方，两个if都是抛出异常，看第三个if，跟进SocketOutputStream()，

找到了SocketOutputStream()对象的地方，搜索write()方法，参数是字节

跟进socketWrite()，调用了socketWrite0()方法，跟进

可以看到该方法在native层。

frida抓包

跟到socketWrite0()这里，应该是java层最底层了，hook socketWrite0尝试下

function main(){
    Java.perform(function(){
        //Http request
        Java.use("java.net.SocketOutputStream").socketWrite0.implementation = function(fd,bytes,off,len){
            hexdump(bytes,off,len)
            this.socketWrite0(fd,bytes,off,len)
        }
        
		// 打印字节数组
        function hexdump(bytearry,offset,length){
            var HexDump = Java.use("com.android.internal.util.HexDump")
            console.log(HexDump.dumpHexString(bytearry,offset,length))
        }

    })
}
setImmediate(main)

运行frida，运行脚本，成功抓到包

再完善一下，添加请求地址，堆栈

function main(){
    Java.perform(function(){
        //Http request
        Java.use("java.net.SocketOutputStream").socketWrite0.implementation = function(fd,bytes,off,len){
            // 地址
            printAddress(this.socket, true)
            // 请求
            hexdump(bytes,off,len)
            // 堆栈
            showStacks()
            this.socketWrite0(fd,bytes,off,len)
        }
        
        function printAddress(socket, isSend){
            var localAddress = socket.value.getLocalAddress().toString()
            var remoteAddress = socket.value.getRemoteSocketAddress().toString()
            if(isSend){
                console.log(localAddress +"====>"+ remoteAddress)
            }else{
                console.log(remoteAddress +"====>"+ localAddress)
            }
        }
        function hexdump(bytearry,offset,length){
            var HexDump = Java.use("com.android.internal.util.HexDump")
            console.log(HexDump.dumpHexString(bytearry,offset,length))
        }
        function showStacks() {
            console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        }

    })
}
setImmediate(main)

请求地址，堆栈都打印了

现在知识完成request部分，还有response

response

分析

接受数据是InputStream，调用的是socket的getInputStream，getInputStream和getOuputStream是成对出现的，按着刚才的思路可以找到。或者，socketWrite0()是在SocketOutputStream，那么socketRead0()就是在SocketInputStream里。

frida抓包

用Frida hook试试，再之前的代码上添加

//Http response
Java.use("java.net.SocketInputStream").socketRead0.implementation = function(fd,bytes,off,len,timeout){
    printAddress(this.socket, true)
    hexdump(bytes,off,len)
    showStacks()
    return this.socketRead0(fd,bytes,off,len,timeout)
}

也是成功抓到返回的数据

HTTP通用的收发包都抓到了，那HTTPS的呢

HTTPS

request

也是一样，创建一个HTTPS的请求

try {
    final String host = "www.httpbin.org";
    final int port = 443;
    final String path = "/get";
    SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(host, port);

    StringBuilder sb = new StringBuilder();
    sb.append("GET " + path + " HTTP/1.1\r\n");
    sb.append("User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\r\n");
    sb.append("Host: "+ host+"\r\n");
    sb.append("\r\n");
    Log.d("request body ===>", sb.toString());

    OutputStream outputStream = socket.getOutputStream();
    outputStream.write(sb.toString().getBytes());

    InputStream inputStream = socket.getInputStream();
    byte[] buffer = new byte[1024];
    int len;
    while ((len = inputStream.read(buffer, 0, buffer.length)) != -1){
        Log.d("response ==>", new String(Arrays.copyOf(buffer, len)));
    }

} catch (IOException e) {
    e.printStackTrace();
}

运行之后

分析

这里使用调试，可以快速定位到对象类的位置，

在源码中搜一下ConscryptFileDescriptorSocket
网址：http://aospxref.com/android-8.1.0_r81/

然后在源码文件搜索内部类SSLOutputStream，是继承OutputStream，然后对原来的write方法进行重写

跟踪一下write方法里的ssl.write()


再跟踪NativeCrypto.SSL_write()，又到了native层，可以说已经在java层跟到底了

frida抓包

用frida hook下org.conscrypt.NativeCrypto类下的SSL_write()方法

function main(){
    Java.perform(function(){
        //Https request
        Java.use("org.conscrypt.NativeCrypto").SSL_write.implementation = function(ssl,fd,shc,bytes,off,len,timeout){
            hexdump(bytes,off,len)
            showStacks()
            this.SSL_write(ssl,fd,shc,bytes,off,len,timeout)
        }
        
		// 打印字节数组
        function hexdump(bytearry,offset,length){
            var HexDump = Java.use("com.android.internal.util.HexDump")
            console.log(HexDump.dumpHexString(bytearry,offset,length))
        }
        function showStacks() {
            console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        }
    })
}
setImmediate(main)

运行会看到报错了，说找不到NativeCrypto这个类

使用objection看一下，内存中是否存在NativeCrypto，多加了com.android前缀，再用frida试一下com.android.org.conscrypt.NativeCrypto

这次成功抓到包

response

response同理

frida抓包

//Https response
Java.use("com.android.org.conscrypt.NativeCrypto").SSL_read.implementation = function(ssl,fd,shc,bytes,off,len,timeout){
    hexdump(bytes,off,len)
    showStacks()
    return this.SSL_read(ssl,fd,shc,bytes,off,len,timeout)
}

完整代码

function main(){
    Java.perform(function(){
        //Http request
        Java.use("java.net.SocketOutputStream").socketWrite0.implementation = function(fd,bytes,off,len){
            printAddress(this.socket, true)
            hexdump(bytes,off,len)
            showStacks()
            this.socketWrite0(fd,bytes,off,len)
        }
        //Http response
        Java.use("java.net.SocketInputStream").socketRead0.implementation = function(fd,bytes,off,len,timeout){
            printAddress(this.socket, false)
            hexdump(bytes,off,len)
            showStacks()
            return this.socketRead0(fd,bytes,off,len,timeout)
        }

        //Https request
        Java.use("com.android.org.conscrypt.NativeCrypto").SSL_write.implementation = function(sslNativePointer,fd,shc,bytes,off,len,timeout){
            printHttpsAddress(fd)
            hexdump(bytes,off,len)
            showStacks()
            return this.SSL_write(sslNativePointer,fd,shc,bytes,off,len,timeout)
        }
        //Https response
        Java.use("com.android.org.conscrypt.NativeCrypto").SSL_read.implementation = function(sslNativePointer,fd,shc,bytes,off,len,timeout){
            printHttpsAddress(fd)
            hexdump(bytes,off,len)
            showStacks()
            return this.SSL_read(sslNativePointer,fd,shc,bytes,off,len,timeout)
        }

        function printHttpsAddress(fd, isSend){
            var local = Socket.localAddress(fd.getInt$())
            var peer = Socket.peerAddress(fd.getInt$())
            if(isSend){
                console.log(local.ip+":"+local.port +"====>"+ peer.ip+":"+peer.port)
            }else{
                console.log(peer.ip+":"+peer.port +"====>"+ local.ip+":"+local.port)
            }
        }

        function printAddress(socket, isSend){
            var localAddress = socket.value.getLocalAddress().toString()
            var remoteAddress = socket.value.getRemoteSocketAddress().toString()
            if(isSend){
                console.log(localAddress +"====>"+ remoteAddress)
            }else{
                console.log(remoteAddress +"====>"+ localAddress)
            }
        }

        function hexdump(bytearry,offset,length){
            var HexDump = Java.use("com.android.internal.util.HexDump")
            console.log(HexDump.dumpHexString(bytearry,offset,length))
        }
        
        function showStacks() {
            console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
        }
    })
}
setImmediate(main)