frida 如何Hook app启动阶段的方法

参考上面的文章，但是代码在最新的frida15.2上面总是报错，

{type: error, description: Error: VM::AttachCurrentThread failed: -1, stack: Error: VM::AttachCurrentThread failed: -1
    
at o (frida/node_modules/frida-java-bridge/lib/result.js:4)
    
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:25)
    
at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:14)
    
at Xe (frida/node_modules/frida-java-bridge/lib/android.js:499)
    
at Ie (frida/node_modules/frida-java-bridge/lib/android.js:195)
    
at Ce (frida/node_modules/frida-java-bridge/lib/android.js:16)
    
at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:17)
    
at g (frida/node_modules/frida-java-bridge/index.js:9)
    
at <anonymous> (frida/node_modules/frida-java-bridge/index.js:317)
    
at call (native)
    
at o (/_java.js)
    
at <anonymous> (/_java.js)
    
at <anonymous> (frida/runtime/java.js:1)
    
at call (native)
    
at o (/_java.js)
    
at r (/_java.js)
    
at <eval> (frida/runtime/java.js:3)
    
at _loadJava (native)
    
at get (frida/runtime/core.js:125)
    
at <eval> (/script1.js:11), fileName: frida/node_modules/frida-java-bridge/lib/result.js, lineNumber: 4, columnNumber: 1}

重新搞了一下，在原来

Java.perform(function()
    {  
        var MainActivity = Java.use("com.rom.cpptest.MainActivity"); // 类的加载路径

        MainActivity.onCreate.overload(android.os.Bundle).implementation = function(str){   
            send("success1");
            this.onCreate(str);
            send("success2 "+str);
        };
    });

再包裹一下

function hook_OnCreate()
{
    Java.perform(function()
    {
        var MainActivity = Java.use("com.rom.cpptest.MainActivity"); // 类的加载路径

        MainActivity.onCreate.overload(android.os.Bundle).implementation = function(str){
            send("success1");
            this.onCreate(str);
            send("success2 "+str);
        };
    });
}
setImmediate(hook_OnCreate);

整体代码如下，就可以运行了

import frida  # 导入frida模块
import sys  # 导入sys模块

jscode = """ 
function hook_OnCreate()
{
    Java.perform(function()
    {  
        var MainActivity = Java.use("com.rom.cpptest.MainActivity"); // 类的加载路径
    
        MainActivity.onCreate.overload(android.os.Bundle).implementation = function(str){   
            send("success1");
            this.onCreate(str);
            send("success2 "+str);
        };
    });  
}
setImmediate(hook_OnCreate);
"""
def on_message(message, data):  # js中执行send函数后要回调的函数
    if message["type"] == "send":
        print("[*] {0}".format(message["payload"]))
    else:
        print(message)


device = frida.get_usb_device()
pid = device.spawn([com.rom.cpptest])  # app包名
process = device.attach(pid)  # 加载进程号
script = process.create_script(jscode)  # 创建js脚本
script.on(message, on_message)  # 加载回调函数，也就是js中执行send函数规定要执行的python函数
script.load()  # 加载脚本
device.resume(pid)  # 重启app
sys.stdin.read()