Hacking

Leon Jacobs edited this page Sep 14, 2017 · 9 revisions

So you want to dig a little deeper into the project and its source code. This article aims to give you a bird's-eye view of the project structure, a quick example of the flow involved in running a hook, and other goodies.

bird's-eye view

At its core, objection relies heavily on Frida to perform most of the magic. Frida, together with some purpose-built hooks and the Python REPL, is what makes up objection.

A command is entered into the objection REPL, dispatching a Python method which may or may not expect arguments. Depending on the method, a runtime-specific hook is injected into the mobile device's process and executed. Feedback from the hook is sent back to the Python environment using send() invocations and reported back to the screen.

project structure

Let's take a quick look at the project structure.

external libraries

Command line argument parsing is handled with click, the REPL is handled by python-prompt-toolkit and hook compilation (basically adding the global error handler per runtime) is handled with jinja. If you add the -d flag to the explore command to debug hooks, the hooks themselves are formatted using jsbeautifier and dumped to the screen (and the application log) before being handed off to Frida.

code locations

  • Python methods to invoke when matched to a command live in objection/commands.
  • Frida hooks to load and execute live in their runtime specific directories in objection/hooks.
  • Classes and methods responsible for the command line interface, as well as the REPL live in objection/console.

REPL command flow

When a command is entered in the objection explore REPL, the run_command() method is run to process the string input received from prompt_toolkit. The run_command() method 'explodes' the received command, honoring quotes just like a shell would, and tries to find a Python method to execute with _find_command_exec_method.

The commands that can be run are defined in a repository located in the COMMANDS variable in repository.py, where each command specifies an exec key whose value is the Python method to execute. Any remaining tokens are passed as arguments to the Python method that gets called.

Communication with a remote FridaGadget is handled in utils/frida-transport.py.

Depending on the type of Frida hook to be run (based on the entered command), either a synchronous invocation occurs, which loads, executes and unloads the hook, or an asynchronous invocation occurs, which loads, executes and backgrounds the hook. An asynchronous invocation is only stopped when the jobs kill <job_id> command is run.
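The dispatch flow described in this section (shell-style tokenisation, a walk through a nested COMMANDS repository to the node carrying an exec key, leftover tokens handed over as arguments, and a job registry so that jobs kill <job_id> can stop a backgrounded hook), as an added Python sketch that is not objection's own code. The command names, the JOBS registry and the exact shape of COMMANDS are assumptions modelled on the description above.

```python
# Added illustration of the REPL dispatch flow; not objection's own source.
# COMMANDS layout, command names and the JOBS registry are assumptions.
import shlex

# Background "jobs" started by asynchronous hooks (constructed sample state).
JOBS = {}


def start_async_hook(hook_name):
    """Stand-in for an asynchronous invocation: the hook stays backgrounded."""
    job_id = f"job-{len(JOBS) + 1}"
    JOBS[job_id] = hook_name  # objection would hold the live Frida script here
    return f"started {hook_name} as {job_id}"


def kill_job(job_id):
    """Stand-in for `jobs kill <job_id>`: the only way a job is stopped."""
    if JOBS.pop(job_id, None) is None:
        return f"no such job: {job_id}"
    return f"killed {job_id}"


def env_set(key, value):
    """Stand-in for a synchronous command that takes two arguments."""
    return f"{key}={value}"


# Command repository: nested names; each runnable node carries an "exec" key.
COMMANDS = {
    "env": {"set": {"exec": env_set}},
    "jobs": {"kill": {"exec": kill_job}},
    "watch": {"exec": start_async_hook},
}


def _find_command_exec_method(tokens):
    """Walk the repository as deep as the tokens allow; return (exec, leftover)."""
    node, used = COMMANDS, 0
    for tok in tokens:
        nxt = node.get(tok)
        if not isinstance(nxt, dict):  # not a (sub)command name: stop here
            break
        node, used = nxt, used + 1
    return node.get("exec"), tokens[used:]


def run_command(line):
    tokens = shlex.split(line)  # 'explode' the input, honouring quotes
    if not tokens:
        return None
    method, args = _find_command_exec_method(tokens)
    if method is None:
        return f"unknown command: {' '.join(tokens)}"
    return method(*args)  # remaining tokens become the method's arguments
```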