Frida

字数 801 · 2019-07-15

Installation

MacOS

pip install frida-tools
/Applications/Python\ 3.6/Install\ Certificates.command

Android

Get processor architecture:

adb shell getprop ro.product.cpu.abi

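Download the latest frida-server for Android from the Frida releases page, choosing the build that matches the ABI printed above and the version of the frida tools installed on the desktop: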

https://github.com/frida/frida/releases

# Restart adbd as root; frida-server generally needs root to instrument other apps' processes.
$ adb root # might be required
# Copy the downloaded frida-server binary to a writable directory on the device.
$ adb push frida-server /data/local/tmp/ 
# Make it executable, then start it in the background.
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
# frida-server keeps running in the background until it is killed; stop it when the session is over.

Then, on your desktop, check that the connection works by listing the device's processes:

$ frida-ps -U

Genymotion_ARM_Translation

https://github.com/m9rco/Genymotion_ARM_Translation

Usage

frida

frida [options] target

-U - connect to USB device
-l SCRIPT - load SCRIPT

frida-ps

frida-ps -U

Demo

Enumerate Classes

// Frida script: once the Java VM is available, print the name of every class
// that is currently loaded in the target process.

// Called once per loaded class with its name. The message says "instance",
// but each match is a class name, not an object instance.
function reportLoadedClass(loadedName) {
  console.log("[*] found instance of '" + loadedName + "'");
}

// Called once after the last class has been reported.
function reportEnumerationDone() {
  console.log("[*] class enuemration complete");
}

// Prints a header line and starts the enumeration with the two callbacks above.
function enumerateClasses() {
  console.log("\n[*] enumerating classes...");
  Java.enumerateLoadedClasses({
    onMatch: reportLoadedClass,
    onComplete: reportEnumerationDone
  });
}

// setTimeout without a delay defers the work to a later turn of the event loop.
setTimeout(function () {
  Java.perform(enumerateClasses);
});
Run the script against a process on the USB-connected device:
frida -U -l enumerate_classes.js android.process.media

Hook Activity

// Report every onResume of AuthActivity to the host, then let the activity resume.
// NOTE(review): Java.use needs the Java VM to be attached; this fragment is
// presumably meant to be pasted inside a Java.perform callback.
var AuthActivity = Java.use('com.alipay.sdk.auth.AuthActivity');

function reportAndResume() {
    send('[*] onResume com.alipay.sdk.auth.AuthActivity');
    // Inside a replaced implementation, this.onResume() invokes the original method.
    this.onResume();
}

AuthActivity.onResume.implementation = reportAndResume;

Hook Constructor

// Hook the (boolean, int, String) constructor of the nested class Request$CustomRequest.
var CustomRequest = Java.use('com.app.net.Request$CustomRequest');
// Print $init first, presumably to see which constructor overloads exist.
console.log(CustomRequest.$init);

// Select the overload by its parameter types before replacing it.
var threeArgConstructor = CustomRequest.$init.overload('boolean', 'int', 'java.lang.String');
threeArgConstructor.implementation = function (flag, number, text) {
  send('[***] $init com.app.net.Request$CustomRequest');
  // Forward the unchanged arguments to the original constructor.
  return this.$init(flag, number, text);
};

Enumerate Methods

// List the methods declared by ApiManager via Java reflection.
var ApiManager = Java.use('com.app.net.ApiManager');
// getDeclaredMethods() covers the methods declared by this class itself,
// whatever their visibility; inherited methods are not included.
var methods = ApiManager.class.getDeclaredMethods();
for (var methodIndex = 0; methodIndex < methods.length; methodIndex++) {
  console.log(methods[methodIndex]);
}
Iterate over a HashMap (`mHashMap` is assumed to be an existing `java.util.HashMap` wrapper):
// Print every key/value pair of mHashMap, which must already be defined.
// NOTE(review): the entry class name depends on the platform's HashMap
// implementation; confirm java.util.HashMap$Node exists on the target Android version.
var HashMapNode = Java.use('java.util.HashMap$Node');

for (var iterator = mHashMap.entrySet().iterator(); iterator.hasNext(); ) {
  // Cast each entry to the node class so that getKey()/getValue() can be called on it.
  var entry = Java.cast(iterator.next(), HashMapNode);
  console.log(entry.getKey(), entry.getValue());
}

Python Template

import frida, sys

def on_message(message, data):
    """Print a message received from the injected script.

    Messages of type 'send' are printed as their payload with a ``[*]``
    prefix; any other message is printed as the raw dict. ``data`` is
    accepted but not used.
    """
    if message['type'] != 'send':
        print(message)
        return
    # The payload comes from the instrumented process; it is only printed here.
    print("[*] {0}".format(message['payload']))

# JavaScript source injected into the target: Java.perform runs the callback
# once the Java VM is available, and send() delivers 'start' to on_message.
jscode = """
Java.perform(function () {
  send('start');
  // ...
});
"""
# Attach to the 'com.app' process on the USB-connected device.
device = frida.get_usb_device()
process = device.attach('com.app')
script = process.create_script(jscode)
# Register the handler before loading so that no message is missed.
script.on('message', on_message)
print('[*] Running CTF')
script.load()
# Block on stdin so that this process, and with it the script, stays alive.
sys.stdin.read()

JavaScript API

https://www.frida.re