Configuration de Frida sur iOS

Reading time: 9 minutes

Installation de Frida

Étapes pour installer Frida sur un appareil jailbreaké :

1. Ouvrez l'application Cydia/Sileo.
2. Allez dans Gérer -> Sources -> Modifier -> Ajouter.
3. Entrez "https://build.frida.re" comme URL.
4. Accédez à la nouvelle source Frida ajoutée.
5. Installez le package Frida.

Si vous utilisez Corellium, vous devrez télécharger la version de Frida depuis https://github.com/frida/frida/releases (frida-gadget-[yourversion]-ios-universal.dylib.gz) et décompresser et copier à l'emplacement dylib demandé par Frida, par exemple : /Users/[youruser]/.cache/frida/gadget-ios.dylib

Après l'installation, vous pouvez utiliser sur votre PC la commande frida-ls-devices et vérifier que l'appareil apparaît (votre PC doit pouvoir y accéder).
Exécutez également frida-ps -Uia pour vérifier les processus en cours d'exécution du téléphone.

Frida sans appareil jailbreaké et sans patcher l'application

Consultez cet article de blog sur la façon d'utiliser Frida sur des appareils non jailbreakés sans patcher l'application : https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07

Installation du client Frida

Installez frida tools :

pip install frida-tools
pip install frida

Avec le serveur Frida installé et l'appareil en cours d'exécution et connecté, vérifiez si le client fonctionne :

frida-ls-devices  # List devices
frida-ps -Uia     # Get running processes

Frida Trace

# Functions
## Trace all functions with the word "log" in their name
frida-trace -U <program> -i "*log*"
frida-trace -U <program> -i "*log*" | swift demangle # Demangle names

# Objective-C
## Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"

## Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"

# Plug-In
## To hook a plugin that is momentarely executed prepare Frida indicating the ID of the Plugin binary
frida-trace -U -W <if-plugin-bin> -m '*[* *]'

Obtenez toutes les classes et méthodes

• Auto complétion : Exécutez simplement frida -U <program>

• Obtenez toutes les classes disponibles (filtrer par chaîne)

// frida -U <program> -l /tmp/script.js

var filterClass = "filterstring"

if (ObjC.available) {
for (var className in ObjC.classes) {
if (ObjC.classes.hasOwnProperty(className)) {
if (!filterClass || className.includes(filterClass)) {
console.log(className)
}
}
}
} else {
console.log("Objective-C runtime is not available.")
}

• Obtenez toutes les méthodes d'une classe (filtrer par chaîne)

// frida -U <program> -l /tmp/script.js

var specificClass = "YourClassName"
var filterMethod = "filtermethod"

if (ObjC.available) {
if (ObjC.classes.hasOwnProperty(specificClass)) {
var methods = ObjC.classes[specificClass].$ownMethods
for (var i = 0; i < methods.length; i++) {
if (!filterMethod || methods[i].includes(filterClass)) {
console.log(specificClass + ": " + methods[i])
}
}
} else {
console.log("Class not found.")
}
} else {
console.log("Objective-C runtime is not available.")
}

• Appeler une fonction

// Find the address of the function to call
const func_addr = Module.findExportByName("<Prog Name>", "<Func Name>")
// Declare the function to call
const func = new NativeFunction(
func_addr,
"void",
["pointer", "pointer", "pointer"],
{}
)

var arg0 = null

// In this case to call this function we need to intercept a call to it to copy arg0
Interceptor.attach(wg_log_addr, {
onEnter: function (args) {
arg0 = new NativePointer(args[0])
},
})

// Wait untill a call to the func occurs
while (!arg0) {
Thread.sleep(1)
console.log("waiting for ptr")
}

var arg1 = Memory.allocUtf8String("arg1")
var txt = Memory.allocUtf8String("Some text for arg2")
wg_log(arg0, arg1, txt)

console.log("loaded")

Frida Fuzzing

Frida Stalker

From the docs: Stalker est le moteur de traçage de Frida. Il permet de suivre les threads, capturant chaque fonction, chaque bloc, même chaque instruction qui est exécutée.

Vous avez un exemple implémentant Frida Stalker dans https://github.com/poxyran/misc/blob/master/frida-stalker-example.py

Ceci est un autre exemple pour attacher Frida Stalker chaque fois qu'une fonction est appelée :

console.log("loading")
const wg_log_addr = Module.findExportByName("<Program>", "<function_name>")
const wg_log = new NativeFunction(
wg_log_addr,
"void",
["pointer", "pointer", "pointer"],
{}
)

Interceptor.attach(wg_log_addr, {
onEnter: function (args) {
console.log(`logging the following message: ${args[2].readCString()}`)

Stalker.follow({
events: {
// only collect coverage for newly encountered blocks
compile: true,
},
onReceive: function (events) {
const bbs = Stalker.parse(events, {
stringify: false,
annotate: false,
})
console.log(
"Stalker trace of write_msg_to_log: \n" +
bbs.flat().map(DebugSymbol.fromAddress).join("\n")
)
},
})
},
onLeave: function (retval) {
Stalker.unfollow()
Stalker.flush() // this is important to get all events
},
})

Fpicker

fpicker est une suite de fuzzing basée sur Frida qui offre une variété de modes de fuzzing pour le fuzzing en processus, tels qu'un mode AFL++ ou un mode de traçage passif. Il devrait fonctionner sur toutes les plateformes prises en charge par Frida.

• Installer fpicker & radamsa

# Get fpicker
git clone https://github.com/ttdennis/fpicker
cd fpicker

# Get Frida core devkit and prepare fpicker
wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz
tar -xf ./*tar.xz
cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a

# Install fpicker
make fpicker-[yourOS] # fpicker-macos
# This generates ./fpicker

# Install radamsa (fuzzer generator)
brew install radamsa

• Préparer le FS :

# From inside fpicker clone
mkdir -p examples/wg-log # Where the fuzzing script will be
mkdir -p examples/wg-log/out # For code coverage and crashes
mkdir -p examples/wg-log/in # For starting inputs

# Create at least 1 input for the fuzzer
echo Hello World > examples/wg-log/in/0

• Script de Fuzzer (examples/wg-log/myfuzzer.js):

// Import the fuzzer base class
import { Fuzzer } from "../../harness/fuzzer.js"

class WGLogFuzzer extends Fuzzer {
constructor() {
console.log("WGLogFuzzer constructor called")

// Get and declare the function we are going to fuzz
var wg_log_addr = Module.findExportByName(
"<Program name>",
"<func name to fuzz>"
)
var wg_log_func = new NativeFunction(
wg_log_addr,
"void",
["pointer", "pointer", "pointer"],
{}
)

// Initialize the object
super("<Program nane>", wg_log_addr, wg_log_func)
this.wg_log_addr = wg_log_addr // We cannot use "this" before calling "super"

console.log("WGLogFuzzer in the middle")

// Prepare the second argument to pass to the fuzz function
this.tag = Memory.allocUtf8String("arg2")

// Get the first argument we need to pass from a call to the functino we want to fuzz
var wg_log_global_ptr = null
console.log(this.wg_log_addr)
Interceptor.attach(this.wg_log_addr, {
onEnter: function (args) {
console.log("Entering in the function to get the first argument")
wg_log_global_ptr = new NativePointer(args[0])
},
})

while (!wg_log_global_ptr) {
Thread.sleep(1)
}
this.wg_log_global_ptr = wg_log_global_ptr
console.log("WGLogFuzzer prepare ended")
}

// This function is called by the fuzzer with the first argument being a pointer into memory
// where the payload is stored and the second the length of the input.
fuzz(payload, len) {
// Get a pointer to payload being a valid C string (with a null byte at the end)
var payload_cstring = payload.readCString(len)
this.payload = Memory.allocUtf8String(payload_cstring)

// Debug and fuzz
this.debug_log(this.payload, len)
// Pass the 2 first arguments we know the function needs and finally the payload to fuzz
this.target_function(this.wg_log_global_ptr, this.tag, this.payload)
}
}

const f = new WGLogFuzzer()
rpc.exports.fuzzer = f

• Compiler le fuzzer :

# From inside fpicker clone
## Compile from "myfuzzer.js" to "harness.js"
frida-compile examples/wg-log/myfuzzer.js -o harness.js

• Appeler le fuzzer fpicker en utilisant radamsa :

# Indicate fpicker to fuzz a program with the harness.js script and which folders to use
fpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"
# You can find code coverage and crashes in examples/wg-log/out/

Logs & Crashes

Vous pouvez vérifier la console macOS ou le log cli pour consulter les logs macOS.
Vous pouvez également vérifier les logs d'iOS en utilisant idevicesyslog.
Certains logs omettront des informations en ajoutant <private>. Pour afficher toutes les informations, vous devez installer un profil depuis https://developer.apple.com/bug-reporting/profiles-and-logs/ pour activer ces informations privées.

Si vous ne savez pas quoi faire :

vim /Library/Preferences/Logging/com.apple.system.logging.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Enable-Private-Data</key>
<true/>
</dict>
</plist>

killall -9 logd

Vous pouvez vérifier les plantages dans :

• iOS
• Réglages → Confidentialité → Analyses et améliorations → Données d'analyse
• /private/var/mobile/Library/Logs/CrashReporter/
• macOS :
• /Library/Logs/DiagnosticReports/
• ~/Library/Logs/DiagnosticReports

Frida Android Tutorials

Frida Tutorial

References

• https://www.briskinfosec.com/blogs/blogsdetail/Getting-Started-with-Frida