Frida Libc Write

Assets

Java.perform(function () {
    var AAssetManager_open = Module.findExportByName("libandroid.so", "AAssetManager_open");
    var AAsset_read = Module.findExportByName("libandroid.so", "AAsset_read");
    var AAsset_getLength = Module.findExportByName("libandroid.so", "AAsset_getLength");

    if (AAssetManager_open && AAsset_read && AAsset_getLength) {
        console.log("[*] Hooking AAssetManager_open...");

        Interceptor.attach(AAssetManager_open, {
            onEnter: function (args) {
                this.assetManager = args[0];
                this.fileName = args[1].readUtf8String(); // Get asset file name
                console.log("[+] AAssetManager_open called for file: " + this.fileName);
            },
            onLeave: function (retval) {
                if (retval.toInt32() !== 0) {
                    this.assetPointer = retval; // Save AAsset pointer
                }
            }
        });

        console.log("[*] Hooking AAsset_read...");

        Interceptor.attach(AAsset_read, {
            onEnter: function (args) {
                this.asset = args[0]; // AAsset pointer
                this.buffer = args[1]; // Buffer pointer
                this.size = args[2].toInt32(); // Size of read request
            },
            onLeave: function (retval) {
                if (retval.toInt32() > 0) {
                    var content = Memory.readUtf8String(this.buffer, retval.toInt32());
                    console.log("[+] Read content (" + retval.toInt32() + " bytes): " + content);
                }
            }
        });

        console.log("[*] Hooking AAsset_getLength...");

        Interceptor.attach(AAsset_getLength, {
            onEnter: function (args) {
                this.asset = args[0]; // AAsset pointer
            },
            onLeave: function (retval) {
                console.log("[+] Asset file size: " + retval.toInt32() + " bytes");
            }
        });

    } else {
        console.log("[-] Failed to find AAssetManager_open or AAsset_read or AAsset_getLength symbols.");
    }
});

gistfile1.txt

Java.perform(function () {
    var libc = Module.findExportByName("libc.so", "write");
    var libc_writev = Module.findExportByName("libc.so", "writev");
    var libc_pwrite = Module.findExportByName("libc.so", "pwrite");
    
    function hook_write(func_name, addr) {
        if (addr !== null) {
            Interceptor.attach(addr, {
                onEnter: function (args) {
                    var fd = args[0].toInt32();
                    var buffer = args[1];
                    var count = args[2].toInt32();
                    var data = Memory.readUtf8String(buffer, count);
                    
                    console.log("[+] " + func_name + " Hooked!");
                    console.log("    FD: " + fd);
                    console.log("    Data: " + data);
                },
                onLeave: function (retval) {
                    console.log("    Return: " + retval.toInt32());
                }
            });
        }
    }
    
    hook_write("write", libc);
    hook_write("writev", libc_writev);
    hook_write("pwrite", libc_pwrite);
});

Load SO

var libName = '/data/local/tmp/libnative.so';  // Replace with the name of your native library

// Load your native library into the target process
Module.load(libName);

// Optionally, you can also hook into functions from your library
var targetFunction = Module.findExportByName('libnative.so', 'yourFunctionName');
if (targetFunction) {
    Interceptor.attach(targetFunction, {
        onEnter: function(args) {
            console.log('Function called');
        },
        onLeave: function(retval) {
            console.log('Function returned');
        }
    });
}