
Enabling --js-flags in a Chromium-based browser/WebView

 11 months ago
source link: https://o0xmuhe.github.io/2023/09/08/Chromium-based-browser-Webview%E5%90%AF%E7%94%A8-js-flags/

Because of work requirements I need to verify some PoCs, and many of them only run with natives syntax (--allow-natives-syntax) enabled; rewriting them in pure JS would cost more time, so I also need a way to pass js-flags inside Android apps/WebViews, which makes later analysis easier :)

On desktop this is straightforward: just pass the flag on the command line.

./chrome --js-flags="--allow-natives-syntax"

Android

The relevant Chromium source (screenshot below) shows how the command-line file is read:

[image]

Concrete steps:

  1. In chrome://flags, enable "Enable command line on non-rooted devices".

  2. Write the launch arguments to /data/local/tmp; the file name is fixed (chrome-command-line). As with any argv, the first token is the program name and is ignored, and the escaped quotes are needed so that both V8 flags stay inside the single --js-flags value:

echo "chrome --js-flags=\"--expose-gc --allow-natives-syntax\"" > /data/local/tmp/chrome-command-line

Chrome only reads this file when the browser process starts, so force-stop and relaunch Chrome after writing it.

After that the PoC can be verified:

[image]

Webview

System WebView

https://developer.android.com/develop/ui/views/layout/webapps/debugging#java

[image]

This relies on the WebView DevTools UI; see: https://chromium.googlesource.com/chromium/src/+/HEAD/android_webview/docs/developer-ui.md

am start -a "com.android.webview.SHOW_DEV_UI"

The flags page shown there has no option for enabling a command-line file, which differs from the browser; see:

https://chromium.googlesource.com/chromium/src/+/HEAD/android_webview/docs/commandline-flags.md

[image]

The file path is /data/local/tmp/webview-command-line:

FLAG_FILE=/data/local/tmp/webview-command-line
# Overwrite flags (supports multiple). The first token is ignored. We use '_'
# as a convenient placeholder, but any token is acceptable.
adb shell "echo '_ --highlight-all-webviews --force-enable-metrics-reporting' > ${FLAG_FILE}"
# Clear flags
adb shell "rm ${FLAG_FILE}"
# Print flags
adb shell "cat ${FLAG_FILE}"
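Both files above (chrome-command-line for the browser and webview-command-line for WebView) go through the same Java CommandLine.initFromFile path: the contents are tokenized with shell-like quoting, the first token is treated as argv[0] and discarded, and the remaining tokens become switches. The JavaScript below is an added example written for this page (it is not Chromium's code and not from the original post); it re-implements that tokenization as I understand it from org.chromium.base.CommandLine, with function names of my own, and shows why the escaped quotes in the echo command matter: without them the second V8 flag becomes a separate, unknown Chrome switch and natives syntax stays off.

```javascript
// Added example for this page, not code from the original post or from Chromium.
// It re-implements, in JavaScript, the behaviour of
// org.chromium.base.CommandLine.tokenizeQuotedArguments() + init() as the
// editor understands it; the function names here are our own.

// Split file contents into argv: whitespace separates tokens, single or double
// quotes group a token and are stripped, a backslash before a quote keeps the
// quote literal. An unterminated quote is kept (Chromium only logs a warning).
function tokenizeQuotedArguments(text) {
  const args = [];
  let arg = null;          // token being built, null = none started
  let currentQuote = null; // quote char we are inside, or null
  for (const c of text) {
    const opensQuote = currentQuote === null && (c === "'" || c === '"');
    if (opensQuote || c === currentQuote) {
      if (arg !== null && arg.endsWith("\\")) {
        arg = arg.slice(0, -1) + c; // escaped quote: drop backslash, keep quote
      } else {
        currentQuote = currentQuote === null ? c : null;
      }
    } else if (currentQuote === null && /\s/.test(c)) {
      if (arg !== null) {
        args.push(arg);
        arg = null;
      }
    } else {
      arg = (arg === null ? "" : arg) + c;
    }
  }
  if (arg !== null) args.push(arg);
  return args;
}

// Turn argv into the switch map: argv[0] is the program name and is ignored
// ("The first token is ignored" in the WebView docs); "--name=value" and
// "--name" become switches, everything else is a positional argument.
function parseCommandLineFile(text) {
  const argv = tokenizeQuotedArguments(text);
  const switches = {};
  const positional = [];
  for (const tok of argv.slice(1)) {
    if (tok.startsWith("--") && tok.length > 2) {
      const eq = tok.indexOf("=");
      if (eq === -1) switches[tok.slice(2)] = "";
      else switches[tok.slice(2, eq)] = tok.slice(eq + 1);
    } else {
      positional.push(tok);
    }
  }
  return { argv, switches, positional };
}

// Constructed sample file contents mirroring the two files used in the post.
const chromeFile = 'chrome --js-flags="--expose-gc --allow-natives-syntax"\n';
const webviewFile = "_ --highlight-all-webviews --force-enable-metrics-reporting\n";
// Common mistake: without quotes the second V8 flag is split off and becomes an
// (unknown) Chrome switch instead of part of --js-flags, so natives syntax stays off.
const unquotedFile = "chrome --js-flags=--expose-gc --allow-natives-syntax\n";

for (const [name, contents] of [["chrome", chromeFile], ["webview", webviewFile], ["unquoted", unquotedFile]]) {
  console.log(name, JSON.stringify(parseCommandLineFile(contents).switches));
}
```

Running it prints the switch map for each sample; the "unquoted" case ends up with js-flags set to only --expose-gc and a stray allow-natives-syntax Chrome switch, which is the symptom to look for when natives syntax "mysteriously" does not work.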

That route doesn't really work here (per commandline-flags.md, WebView only reads /data/local/tmp/webview-command-line on debuggable builds, i.e. userdebug/eng, so on a production device the file is simply ignored), so the alternative is to hook directly with Frida. Two things to keep in mind: the target class lives in the WebView APK's dex rather than the app's, so you have to enumerate class loaders and hook the class through the loader that can actually see it; and CommandLine.nativeInit runs once during WebView startup, so the script has to be injected before the app creates its first WebView (spawn the app with frida's -f rather than attaching to an already running process).

Java.perform(function () {
    let hooked = false; // hook once: child loaders also "find" the class via parent delegation
    Java.enumerateClassLoaders({
        onMatch: function (loader) {
            if (hooked) return;
            try {
                // findClass() throws ClassNotFoundException for loaders that cannot
                // see the WebView dex; the catch below simply skips those.
                if (loader.findClass("org.chromium.base.CommandLine")) {
                    console.log("[+] Found loader: " + loader);
                    // Make Java.use() resolve classes through this loader.
                    Java.classFactory.loader = loader;
                    let CommandLine = Java.use("org.chromium.base.CommandLine");
                    CommandLine.nativeInit.implementation = function (...args) {
                        // Let the real init run first, then append our switch to the
                        // native CommandLine of this process.
                        this.nativeInit(...args);
                        this.nativeAppendSwitchWithValue("--js-flags", "--allow-natives-syntax");
                    };
                    hooked = true;
                }
            } catch (error) {
                console.log("[!] Find error: " + error);
            }
        },
        onComplete: function () {
            console.log("[+] onComplete");
        }
    });
});

Full script: https://gist.github.com/o0xmuhe/98299328206820d2c55a7f44d300cdc0
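To confirm that a flag actually reached the renderer, whether it was set through chrome-command-line, the WebView file, or the Frida hook above, load a page containing a small probe before running the PoC. The script below is an added example written for this page (not from the original post or the gist); the function names are mine, and it assumes the page is allowed to compile code with Function() (i.e. no CSP that forbids eval). --allow-natives-syntax is detected by parsing, not executing, a call to a real V8 intrinsic; --expose-gc by the presence of a global gc() function.

```javascript
// Added example for this page, not code from the original post. Function names
// are our own; the probe assumes Function() is permitted on the page.

// Detect --allow-natives-syntax: with the flag, `%Intrinsic(...)` parses; without
// it, a statement starting with "%" is a SyntaxError. `compile` is injectable so
// the logic can be exercised in both states; the default compiles via Function().
function nativesSyntaxEnabled(compile = (src) => new Function(src)) {
  try {
    // Only parsed, never executed. %HaveSameMap is a real V8 intrinsic.
    compile("%HaveSameMap({}, {})");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // e.g. EvalError under a CSP without 'unsafe-eval': not a flag question
  }
}

// Detect --expose-gc: it installs a global gc() function. The global object is
// injectable for the same reason.
function exposeGcEnabled(globalObj = globalThis) {
  return typeof globalObj.gc === "function";
}

// Report both flags at once.
function flagReport(compile, globalObj) {
  return {
    nativesSyntax: nativesSyntaxEnabled(compile),
    exposeGc: exposeGcEnabled(globalObj),
  };
}

const report = flagReport();
const text = "allow-natives-syntax: " + report.nativesSyntax +
             "\nexpose-gc: " + report.exposeGc;
if (typeof document !== "undefined") {
  document.body.textContent = text; // visible in the WebView/tab itself
}
console.log(text); // also visible via chrome://inspect or logcat
```

Put the block in a <script> on a page you can load in the target WebView (or in the browser tab); if it reports false for allow-natives-syntax after the hook, the hook ran too late or in the wrong class loader, and if it reports false after writing chrome-command-line, the process was not restarted or the flag in chrome://flags is not on.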

An app's own bundled WebView

Same approach as the system WebView: find a suitable place and hook CommandLine there. Different vendors bundle their WebView differently, so you have to reverse the app yourself to locate the class and the loader it lives in.

https://juejin.cn/post/6847902219757420552
https://developer.android.com/develop/ui/views/layout/webapps/debugging#java

