一.笔者的话

自我学习用，别带批判精神

1.Global
2.console
3.rpc
4.Frida
5.Process
Module
ModuleMap
Memory
MemoryAccessMonitor
Thread
Int64
UInt64
NativePointer
NativeFunction
NativeCallback
SystemFunction
Socket
SocketListener
SocketConnection
IOStream
InputStream
OutputStream
UnixInputStream
UnixOutputStream
Win32InputStream
Win32OutputStream
File
SqliteDatabase
SqliteStatement
Interceptor
Stalker
ApiResolver
DebugSymbol
Instruction
ObjC
Java
WeakRef
X86Writer
X86Relocator
X86enumtypes
ArmWriter
ArmRelocation
ThumbWriter
ThumbRelocator
ARMenumtypes
Arm64Writer
Arm64Relocator
AArch64enumtypes
MipsWriter
MipsRelocator
Mipsenumtypes

1.Global

hexdump(target[, options])generate a hexdump from the provided ArrayBuffer or NativePointer target, optionally with options for customizing the output.
翻译对已有的 ArrayBuffer 或者 NativePointer 的对象生成一个hexdump,可以自定义规定输出的选项
个人理解根据hexdump的意思来看，查看二进制的16进制编码，而当中的参数
offset:从偏移量开始输出,length:只格式化输入文件的前length个字节，header:暂且不知，ansi:以ansi码的方式输出。
For example:

var libc = Module.findBaseAddress('libc.so');
var buf = Memory.readByteArray(libc, 64);
console.log(hexdump(buf, {
  offset: 0,
  length: 64,
  header: true,
  ansi: true
}));
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00000000  7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00  .ELF............
00000010  03 00 28 00 01 00 00 00 00 00 00 00 34 00 00 00  ..(.........4...
00000020  34 a8 04 00 00 00 00 05 34 00 20 00 08 00 28 00  4.......4. ...(.
00000030  1e 00 1d 00 06 00 00 00 34 00 00 00 34 00 00 00  ........4...4...

int64(v): short-hand for new Int64(v) int64(v):简写为 Int64
uint64(v): short-hand for new UInt64(v)uint64(v): 简写为 UInt64(v)
ptr(s): short-hand for new NativePointer(s)ptr(s):简写为 NativePointer(s)
NULL: short-hand for ptr("0")NULL: 简写为 ptr("0")

recv([type, ]callback): request callback to be called on the next message received from your Frida-based application. Optionally type may be specified to only receive a message where the type field is set to type.
This will only give you one message, so you need to call recv() again to receive the next one.
翻译:声明一个回调函数，在下次frida程序接收到信息时进行使用，
接收的内容的类型是仅仅为type指定的类型。 一个recv函数只能接收一次信息，如果你需要多次的接收信息，那么需要很多次的recv()

send(message[, data]): send the JavaScript object message to your Frida-based application (it must be serializable to JSON). If you also have some raw binary data that you’d like to send along with it, e.g. you dumped some memory using Memory#readByteArray, then you may pass this through the optional data argument. This requires it to either be an ArrayBuffer or an array of integers between 0 and 255.
`翻译':发送javascript对象消息到frida的应用程序（它必须被可序列化为json）,如果你还想与它一起发送一些原始的二进制数据，比如你使用Memory#readByteArray转存了一些内存，然后你可以通过一些可选的data参数来传递它，它要求是ArrayBuffer 或者是0到255之间的整数数组。

Performance considerationsWhile send() is asynchronous, the total overhead of sending a single message is not optimized for high frequencies, so that means Frida leaves it up to you to batch multiple values into a single send()-call, based on whether low delay or high throughput is desired.
翻译：性能方面考虑，send函数是异步的，但是发送单个消息的代价并没有对高负载进行优化，那么意味着frida会根据根据是否将多个值批量处理为单个send函数进行调用，一次来降低延迟与提高吞吐量

setTimeout(fn, delay): call fn after delay milliseconds. Returns an id that can be passed to clearTimeout to cancel it.
'翻译':在延迟delay毫秒后会调用fn,返回一个id ，这个id可以用claerTimeout来取消延时
个人理解:在等待delay毫秒后调用fn函数 fn可以执行一次，settimeout函数会返回个id，
clearTimeout(id): cancel id returned by call to setTimeout
翻译：取得一个id。调用本函数来取消延迟

setInterval(fn, delay): call fn e
very delay milliseconds. Returns an id that can be passed to clearInterval to cancel it.
翻译：在delay毫秒后调用fn，setInterval函数在使用后返回个id供clearInterval(id)取消他。
个人理解：定时器,每隔delay毫秒后进行执行，fn可执行好多次
clearInterval(id): cancel id returned by call to setInterval
翻译`：取得一个id。调用本函数来取消延迟

2.console

console.log(line), console.warn(line), console.error(line): write line to the console of your Frida-based application. The exact behavior depends on where frida-core is integrated. For example, this output goes to stdout or stderr when using Frida through frida-python, qDebug when usingfrida-qml, etc.
翻译：console.log（line），console.warn（line），console.error（line）：将行写入基于Frida的应用程序的控制台。 确切的行为取决于frida-core的集成位置。 例如，当使用Frida通过frida-python时，此输出转到stdout或stderr，使用frida-qml时使用qDebug等。
Arguments that are ArrayBuffer objects will be substituted by the result of hexdump() with default options.
'翻译'：ArrayBuffer对象的参数将被hexdump（）的结果替换为默认选项。

3.rpc

empty object that you can either replace or insert into to expose an RPC-style API to your application. The key specifies the method name and the value is your exported function. This function may either return a plain value for returning that to the caller immediately, or a Promise for returning asynchronously.
翻译:你能够替换掉一个空对象，插入一个对象，向你的应用程序公开RPC样式的api，Key指定导出的名称，Value指定导出的函数，函数可以返回一个正常值，也可返回一个异步方式
For example:

'use strict';

rpc.exports = {
    add: function (a, b) {
        return a + b;
    },
    sub: function (a, b) {
        return new Promise(function (resolve) {
            setTimeout(function () {
                resolve(a - b);
            }, 100);
        });
    }
};

如果使用node.js可以这样

'use strict';

const frida = require('frida');
const fs = require('fs');
const path = require('path');
const util = require('util');

const readFile = util.promisify(fs.readFile);

let session, script;
async function run () {
  const source = await readFile(path.join(__dirname, '_agent.js'), 'utf8');
  session = await frida.attach('iTunes');
  script = await session.createScript(source);
  script.message.connect(onMessage);
  await script.load();
  console.log(await script.exports.add(2, 3));
  console.log(await script.exports.sub(5, 3));
}

run().catch(onError);

function onError(error) {
  console.error(error.stack);
}

function onMessage(message, data) {
  if (message.type === 'send') {
    console.log(message.payload);
  } else if (message.type === 'error') {
    console.error(message.stack);
  }
}

使用python可以如下

import codecs
import frida

def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])

session = frida.attach('iTunes')
with codecs.open('./agent.js', 'r', 'utf-8') as f:
    source = f.read()
script = session.create_script(source)
script.on('message', on_message)
script.load()
print(script.exports.add(2, 3))
print(script.exports.sub(5, 3))
session.detach()

In the example above we used script.on('message', on_message) to monitor for any messages from the injected process, JavaScript side. There are other notifications that you can watch for as well on both the script and session. If you want to be notified when the target process exits, use session.on('detached', your_function).
'翻译'：在这个例子中我们使用script.on('message', on_message) 来监控任何来自目标进程的消息，JavaScript方面， 您还可以在脚本和会话中查看其他通知。 如果您希望在目标进程退出时收到通知，请使用session.on（'detached'，your_function）。

3.Frida

Frida.version: property containing the current Frida version 包含当前frida版本的型号
Frida.heapSize: dynamic property containing the current size of Frida’s private heap, shared by all scripts and Frida’s own runtime. This is useful for keeping an eye on how much memory your instrumentation is using out of the total consumed by the hosting process.
翻译包含Frida私有堆当前大小的动态属性，由所有脚本和Frida自己的运行时共享。 这有助于密切关注托管进程消耗的总量中您的仪器使用的内存量。

4.process

Process.arch：属性包含字符串ia32，x64，arm 或arm64
Process.platform：属性包含字符串windows， darwin，linux或qnx
Process.pageSize：包含虚拟内存页面大小（以字节为单位）的属性。这用于使脚本更加便携。
Process.pointerSize：包含指针大小（以字节为单位）的属性。这用于使脚本更加便携。
Process.isDebuggerAttached()：返回一个指示调试器当前是否连接的布尔值
Process.getCurrentThreadId()：获取此线程的操作系统特定的id作为数字
Process.enumerateThreads(callbacks)：枚举所有线程，其中callbacks是一个对象，指定：
　　onMatch: function (thread)：用thread对象调用包含：
　　id：操作系统特定的ID
　　state：字符串指定是running，stopped，waiting， uninterruptible或halted
　　context：与键对象pc和sp，其是指定EIP / RIP / PC分别
　　
　　onComplete: function ()：在结束时调用