Inspect Android Message Inserts with Frida
· One min read
This example shows how to observe arguments passed to an Android database insert method with Frida.
Class names, method signatures, and parameter structures may change whenever the target application is updated. Perform dynamic analysis only in an authorized test environment, and do not record or upload real users' private messages.
Java.perform(function () {
var SQLiteDatabase = Java.use("com.tencent.wcdb.database.SQLiteDatabase");
SQLiteDatabase["insert"].implementation = function (table, nullColumnHack, contentValues) {
console.log(
"SQLiteDatabase.insert called:",
"table=", table,
"nullColumnHack=", nullColumnHack,
"contentValues=", contentValues
);
var result = this["insert"](table, nullColumnHack, contentValues);
console.log("SQLiteDatabase.insert result=", result);
return result;
};
});
In this example:
tableidentifies the destination table. A value such asmessagemay represent ordinary messages, while another table may store application-specific message types.contentValuescontains the key/value pairs passed to SQLite. A field such ascontentmay contain serialized message data.
When the hook does not trigger, inspect all overloads first and choose the exact signature with overload(...). Also verify the process, class loader, application architecture, and whether the database implementation changed in the current version.