Frida Tutorial


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Installation

Install the frida tools:

```bash
pip install frida-tools
pip install frida
```

Download and install the frida server on the Android device (Download the latest release).
One-liner to restart adb in root mode, connect to it, upload frida-server, give it exec permissions and run it in the background:

```bash
adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
```

Check that it works:

```bash
frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get the full package name
```

Frida server vs. Gadget (root vs. no-root)

Two common ways to instrument Android apps with Frida:

  • Frida server (rooted devices): push and run a native daemon that lets you attach to any process.
  • Frida Gadget (no root): bundle Frida as a shared library inside the APK and have it load automatically in the target process.

Frida server (rooted)

```bash
# Download the matching frida-server binary for your device's arch
# https://github.com/frida/frida/releases
adb root
adb push frida-server-<ver>-android-<arch> /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &    # run at boot via init/magisk if desired

# From host, list processes and attach
frida-ps -Uai
frida -U -n com.example.app
```

Frida Gadget (no-root)

  1. Unpack the APK, add the gadget .so and its configuration:
  • Place libfrida-gadget.so in lib/<abi>/ (e.g., lib/arm64-v8a/)
  • Create assets/frida-gadget.config with your script-loading settings

Example frida-gadget.config

```json
{
  "interaction": { "type": "script", "path": "/sdcard/ssl-bypass.js" },
  "runtime": { "logFile": "/sdcard/frida-gadget.log" }
}
```

  2. Reference/load the gadget so that it is initialised early:
  • Easiest: add a small Java stub calling System.loadLibrary("frida-gadget") in Application.onCreate(), or reuse the app's existing native lib loading.

  3. Repack and sign the APK, then install it:

```bash
apktool d app.apk -o app_m
# ... add gadget .so and config ...
apktool b app_m -o app_gadget.apk
uber-apk-signer -a app_gadget.apk -o out_signed
adb install -r out_signed/app_gadget-aligned-debugSigned.apk
```

  4. Attach from the host to the gadget process:

```bash
frida-ps -Uai
frida -U -n com.example.app
```

Notes

  • Gadget is detected by some protections; keep names/paths inconspicuous and load it late/conditionally if needed.
  • For hardened apps, prefer rooted testing with server + late attach, or combine with Magisk/Zygisk hiding.

Tutorials

Tutorial 1

From: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
APK: https://github.com/t0thkr1s/frida-demo/releases
Source code: https://github.com/t0thkr1s/frida-demo

Follow the link to read it.

Tutorial 2

From: https://11x256.github.io/Frida-hooking-android-part-2/ (Parts 2, 3 & 4)
APKs and source code: https://github.com/11x256/frida-android-examples

Follow the link to read it.

Tutorial 3

From: https://joshspicer.com/android-frida-1
APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Follow the link to read it.

You can find more Awesome Frida scripts here: https://codeshare.frida.re/

Quick Examples

Calling Frida from the command line

```bash
frida-ps -U

#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The --no-pause and -f options allow the app to be spawned automatically,
#frozen so that the instrumentation can occur, and then automatically
#continue execution with our modified code.
```

Basic Python script

```python
import frida, sys

jscode = open(sys.argv[1]).read()  # path of the Frida JS script, passed as the first argument
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()  # keep the process alive (and the hooks installed) until stdin is closed
```

Hooking functions without parameters

Hook the function a() of the class sg.vantagepoint.a.c

```javascript
Java.perform(function () {
  // wrapper for the class that holds the root check
  var rootcheck1 = Java.use("sg.vantagepoint.a.c");
  rootcheck1.a.overload().implementation = function () {
    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
    return false; // report "no su binary" regardless of the real result
  };
});
```

Hook java exit()

```javascript
var sysexit = Java.use("java.lang.System")
sysexit.exit.overload("int").implementation = function (var_0) {
  send("java.lang.System.exit(I)V  // We avoid exiting the application  :)")
}
```

Hook MainActivity .onStart() and .onCreate()

```javascript
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity")
mainactivity.onStart.overload().implementation = function () {
  send("MainActivity.onStart() HIT!!!")
  var ret = this.onStart.overload().call(this)
}
mainactivity.onCreate.overload("android.os.Bundle").implementation = function (
  var_0
) {
  send("MainActivity.onCreate() HIT!!!")
  var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0)
}
```

Hook android .onCreate()

```javascript
var activity = Java.use("android.app.Activity")
activity.onCreate.overload("android.os.Bundle").implementation = function (
  var_0
) {
  send("Activity HIT!!!")
  var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0)
}
```
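The hooks above each pick one overload by hand. As an added example (not code from the original page), the helper below hooks every overload of a method and logs its arguments and return value; fmtArg() is plain JavaScript, while installLoggingHook() expects a Frida Java method wrapper (an object exposing an .overloads array whose entries carry .argumentTypes and .implementation, as the Frida Java bridge provides). The MainActivity class name is the one used on this page; the log callback is assumed to be Frida's send().

```javascript
// Added example: generic "log every overload" hook for Frida's Java bridge.
function fmtArg(v) {
  if (v === null || v === undefined) return "null";
  // Java object wrappers expose $className; print the class instead of dumping fields
  if (typeof v === "object" && typeof v.$className === "string") return v.$className;
  return JSON.stringify(v);
}

// Installs a logging implementation on every overload of `wrapper`
// (e.g. act.onCreate) and returns how many overloads were hooked.
function installLoggingHook(clazzName, methodName, wrapper, log) {
  var count = 0;
  wrapper.overloads.forEach(function (ov) {
    var sig = ov.argumentTypes.map(function (t) { return t.className; }).join(", ");
    ov.implementation = function () {
      var args = Array.prototype.slice.call(arguments).map(fmtArg);
      log(clazzName + "." + methodName + "(" + sig + ") args=[" + args.join(", ") + "]");
      var ret = ov.apply(this, arguments); // call the original overload with the same args
      log("  -> " + fmtArg(ret));
      return ret;
    };
    count++;
  });
  return count;
}

// Only touch the Java bridge when running inside Frida.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    var act = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
    installLoggingHook("MainActivity", "onCreate", act.onCreate, send);
    installLoggingHook("MainActivity", "onStart", act.onStart, send);
  });
}
```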

Hooking functions with parameters and retrieving the value

Hooking a decryption function. Print the input, call the original function to decrypt the input and finally print the plain data:

```javascript
function getString(data) {
  var ret = ""
  for (var i = 0; i < data.length; i++) {
    ret += data[i].toString()
  }
  return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a")
aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
  send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding")
  send("Key       : " + getString(var_0))
  send("Encrypted : " + getString(var_1))
  var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
  send("Decrypted : " + ret)

  var flag = ""
  for (var i = 0; i < ret.length; i++) {
    flag += String.fromCharCode(ret[i])
  }
  send("Decrypted flag: " + flag)
  return ret //[B
}
```
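A Java byte[] reaches the hook as an array of signed values (-128..127), so getString() above prints a run of decimal numbers without separators and String.fromCharCode() yields garbage for bytes >= 0x80. As an added example (not code from the original page), these helpers mask each value with 0xff and produce hex plus a printable-ASCII view; the hook target is the same sg.vantagepoint.a.a.a([B[B)[B method as above.

```javascript
// Added example: readable dumps of Java byte[] values inside a Frida hook.
function bytesToHex(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var b = bytes[i] & 0xff;            // Java bytes are signed; normalise to 0..255
    out += (b < 16 ? "0" : "") + b.toString(16);
  }
  return out;
}

// Printable ASCII only; everything else becomes "." so the log stays readable.
function bytesToAscii(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var b = bytes[i] & 0xff;
    out += (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : ".";
  }
  return out;
}

// Same decrypt hook as on the page, with readable key/ciphertext/plaintext output.
// The Java bridge is only touched when the script runs inside Frida.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    var aes = Java.use("sg.vantagepoint.a.a");
    aes.a.overload("[B", "[B").implementation = function (key, enc) {
      send("Key       : " + bytesToHex(key));
      send("Encrypted : " + bytesToHex(enc));
      var ret = this.a.overload("[B", "[B").call(this, key, enc);
      send("Decrypted : " + bytesToHex(ret) + "  '" + bytesToAscii(ret) + "'");
      return ret; // hand the real byte[] back so the app keeps working
    };
  });
}
```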

Hooking functions and calling them with our input

Hook a function that receives a string and call it with a different string (from here)

```javascript
var string_class = Java.use("java.lang.String") // get a JS wrapper for java's String class
var my_class = Java.use("com.example.a11x256.frida_test.my_activity") // class from the 11x256 demo app, also used below

my_class.fun.overload("java.lang.String").implementation = function (x) {
  //hooking the new function
  var my_string = string_class.$new("My TeSt String#####") //creating a new String by using `new` operator
  console.log("Original arg: " + x)
  var ret = this.fun(my_string) // calling the original function with the new String, and putting its return value in ret variable
  console.log("Return value: " + ret)
  return ret
}
```

Getting an already created object of a class

If you want to extract an attribute of an already created object, you can use this.

In this example you will see how to get the object of the class my_activity and how to call the function .secret() that will print a private attribute of the object:

```javascript
Java.choose("com.example.a11x256.frida_test.my_activity", {
  onMatch: function (instance) {
    //This function will be called for every instance found by frida
    console.log("Found instance: " + instance)
    console.log("Result of secret func: " + instance.secret())
  },
  onComplete: function () {},
})
```

Other Frida tutorials

References
