Frida -Uf spawn 时找不到已加载 so,但 attach 后正常
环境:
Windows
雷电模拟器
Android 14
ABI: x86_64
Frida: 17.9.1
Package: com.ad2001.a0x9
目标 so: liba0x9.so
APK 中确认存在:
lib/x86_64/liba0x9.so
并且手动启动 App 后,用 PID attach:
uv run frida -Up PID
可以正常枚举到:
liba0x9.so /data/app/.../base.apk!/lib/x86_64/liba0x9.so
但是如果用 -Uf spawn 启动:
uv run frida -Uf com.ad2001.a0x9 -l hooktest.js
脚本里:
Process.findModuleByName("liba0x9.so")
一直返回 null,导致访问 module.base 报错:
TypeError: cannot read property 'base' of null
我尝试过轮询等待模块加载,仍然找不到。但是 hook android_dlopen_ext 时能看到系统实际加载了这个 so:
/data/app/.../base.apk!/lib/x86_64/liba0x9.so
并且 android_dlopen_ext 返回值不是 0,说明加载应该是成功的。
另外,直接 hook System.loadLibrary 会导致 UnsatisfiedLinkError,看起来是因为 hook 后 caller 变成了 java.lang.System / BootClassLoader,导致系统没有用 App 的 ClassLoader 去找 base.apk!/lib/x86_64/liba0x9.so。
目前临时解决方法是:
adb shell monkey -p com.ad2001.a0x9 1
timeout /t 2 >nul
adb shell pidof com.ad2001.a0x9
uv run frida -Up PID -l hooktest.js
这样 attach 已运行进程就可以正常找到 liba0x9.so。
想问一下:这种情况是不是雷电模拟器 x86_64 / Android 14 / base.apk!/lib/x86_64/*.so 加载方式导致 Frida 在 -Uf spawn 时模块枚举不稳定?有没有比 attach PID 或 /proc/self/maps + offset 更好的解决方案?
以下是hook脚本:
```
Java.perform(function () {
var moduleName = "liba0x9.so";
var functionName = "Java_com_ad2001_a0x9_MainActivity_check_1flag";
var module = Process.findModuleByName(moduleName);
console.log("base address:", module.base);
});
```[/md]
D:\Python\fridahook>uv run frida -Uf com.ad2001.a0x9
____
/ _ | Frida 17.9.1 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to PGEM10 (id=127.0.0.1:16384)
Spawned `com.ad2001.a0x9`. Resuming main thread!
[PGEM10::com.ad2001.a0x9 ]-> Java.perform(function () {
var moduleName = "liba0x9.so";
var functionName = "Java_com_ad2001_a0x9_MainActivity_check_1flag";
var module = Process.findModuleByName(moduleName);
console.log("base address:", module.base);
});
TypeError: cannot read property 'base' of null
at <anonymous> (<input>:5)
at <anonymous> (/frida/bridges/java.js:1)
at _performPendingVmOps (/frida/bridges/java.js:8)
at <anonymous> (/frida/bridges/java.js:8)
at <anonymous> (/frida/bridges/java.js:1)
at _performPendingVmOpsWhenReady (/frida/bridges/java.js:8)
at perform (/frida/bridges/java.js:8)
at <eval> (<input>:6)
at eval (native)
at <anonymous> (/frida/repl/agent.js:1)
at i (/frida/repl/agent.js:1)
at fridaEvaluateExpression (/frida/repl/agent.js:1)
at call (native)
at handleRpcMessage (/frida/runtime/message-dispatcher.js:39)
at handleMessage (/frida/runtime/message-dispatcher.js:25)
[PGEM10::com.ad2001.a0x9 ]->
附件信息:APK,js脚本
通过网盘分享的文件:Frida 0x9.7z
链接: https://pan.baidu.com/s/1XepIzOwu1ObxWRPhpZttkw?pwd=52pj 提取码: 52pj
--来自百度网盘超级会员v2的分享
求大佬解决 | 
|
发表于 2026-5-15 20:59
|楼主
分享到朋友圈