Frida Tutorial

Installation

Install the frida tools on your host:
pip install frida-tools
pip install frida
Download the latest frida-server release for the device's CPU architecture (e.g. arm64) and install it on the Android device. The frida-server version must match the version of the frida Python package installed on the host, otherwise the client will refuse to connect. One-liner to restart adb in root mode, connect to the device (the address localhost:6000 is an example for an emulator; use your device's address or drop the connect step for a USB device), upload frida-server, give it exec permissions and run it in the background:
adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
Check that it is working from the host:
frida-ps -U #List running processes on the USB device
frida-ps -U | grep -i <part_of_the_package_name> #Get the full package name of the target

Tutorials

You can find some awesome community Frida scripts here: https://codeshare.frida.re/

Fast Examples

Here you can find the most basic and useful Frida functionality for writing a quick script:

Calling Frida from command line

frida-ps -U

#Basic frida hooking: spawn the app on the USB device (-U) and load the script
frida -U -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#-f spawns the app suspended so the script is loaded before any app code runs;
#--no-pause then resumes it automatically instead of waiting for %resume in the
#REPL, so execution continues with our modified code. Recent Frida versions
#resume spawned processes by default and offer --pause for the old behaviour.

Basic Python Script

import frida, sys

jscode = open(sys.argv[1]).read()  # path of the Frida JS script (sys.argv[0] is this Python file)
# attach() by package name requires the app to already be running on the USB device
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
# without a message handler, everything the JS side emits with send() is silently dropped
script.on('message', lambda message, data: print(message))
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()  # keep the script loaded until Ctrl+D

Hooking functions without parameters

Hook the function a() of the class sg.vantagepoint.a.c (a root check that returns true if su exists). All Java hooks must run inside a Java.perform callback:
Java.perform(function () {
    var rootcheck1 = Java.use("sg.vantagepoint.a.c"); // JS wrapper for the class
    rootcheck1.a.overload().implementation = function() { // overload() with no arguments selects a()
        send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()");
        return false; // pretend su was not found
    };
});
Hook java exit() (this and the following snippets also go inside a Java.perform callback):
var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
    // never call the original, so the app cannot terminate itself
    send("java.lang.System.exit(I)V // We avoid exiting the application :)");
};
Hook MainActivity .onStart() & .onCreate()
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
    send("MainActivity.onStart() HIT!!!");
    var ret = this.onStart.overload().call(this); // call the original onStart()
};
mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
    send("MainActivity.onCreate() HIT!!!");
    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0); // call the original with the same Bundle
};
Hook android .onCreate() (hooking the base android.app.Activity class catches every Activity of the app)
var activity = Java.use("android.app.Activity");
activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
    send("Activity HIT!!!");
    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};

Hooking functions with parameters and retrieving the value

Hooking a decryption function: print the input, call the original function to decrypt the input and finally print the plain data:
// concatenate the decimal value of every byte of a Java byte[] into one string
function getString(data){
    var ret = "";
    for (var i=0; i < data.length; i++){
        ret += data[i].toString();
    }
    return ret;
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a");
// "[B" is the JNI type signature for byte[]: a(byte[] key, byte[] enc) returns byte[]
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
    send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding");
    send("Key : " + getString(var_0));
    send("Encrypted : " + getString(var_1));
    var ret = this.a.overload("[B","[B").call(this,var_0,var_1); // original decryption
    send("Decrypted : " + ret);

    var flag = "";
    for (var i=0; i < ret.length; i++){
        flag += String.fromCharCode(ret[i]);
    }
    send("Decrypted flag: " + flag);
    return ret; //[B
};
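The getString helper above concatenates decimal byte values with no separator, and String.fromCharCode(ret[i]) misbehaves for anything outside printable ASCII: Frida hands a Java byte[] to JavaScript as an array of signed numbers (-128..127), so a key or ciphertext byte such as 0xFF arrives as -1. The following added example (not code from the original page) keeps the same hook on sg.vantagepoint.a.a.a([B[B)[B but dumps every byte[] as hex plus a printable-ASCII column, masking each value with & 0xff; the two helper functions are pure JavaScript so they can be reused in any script:

```javascript
// Added example: dump Java byte[] values correctly from a Frida hook.
// Frida passes Java byte[] to JS as signed numbers (-128..127), so mask with & 0xff.

// Render a Java byte[] as lowercase hex, two digits per byte.
function bytesToHex(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i++) {
    // (value | 0x100) then slice(1) guarantees a leading zero for values < 0x10
    out += ((bytes[i] & 0xff) | 0x100).toString(16).slice(1);
  }
  return out;
}

// Render printable ASCII, replacing everything else with '.', like a hexdump column.
function bytesToPrintable(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i] & 0xff;
    out += (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : ".";
  }
  return out;
}

// One-line dump used by the hook below.
function dumpBytes(label, bytes) {
  return label + " (" + bytes.length + " bytes) hex=" + bytesToHex(bytes)
       + " ascii=" + bytesToPrintable(bytes);
}

// The Frida-specific part only runs inside Frida's Java runtime (Java is a Frida global).
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    const aes = Java.use("sg.vantagepoint.a.a");
    aes.a.overload("[B", "[B").implementation = function (key, enc) {
      send(dumpBytes("Key", key));
      send(dumpBytes("Encrypted", enc));
      const plain = this.a.overload("[B", "[B").call(this, key, enc); // original decryption
      send(dumpBytes("Decrypted", plain));
      return plain; // hand the real byte[] back so the app keeps working
    };
  });
}
```

Load it exactly like the other scripts (frida -U -l dump_aes.js -f <package>); the hex column is what you want when the key or ciphertext contains non-printable bytes, which is the normal case for AES material.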

Hooking functions and calling them with our input

Hook a function that receives a string and call it with another string:
var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class
// assumed to be the class of the Java.choose example below; adjust to your target
var my_class = Java.use("com.example.a11x256.frida_test.my_activity");

my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the function
    var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using the `$new` constructor wrapper
    console.log("Original arg: " +x );
    var ret = this.fun(my_string); // calling the original function with the new String, and putting its return value in ret
    console.log("Return value: "+ret);
    return ret;
};
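The hook above only works once you know the exact overload; when a method has several signatures (or you get an "overload mismatch" error), Frida's `.overloads` array on a method wrapper lets you hook every signature at once, and each overload exposes its `argumentTypes` (with a `className` each) so the hook can rewrite arguments by type. The following is an added example, not code from the original page; the class and method names are assumptions taken from the Java.choose example below (com.example.a11x256.frida_test.my_activity.fun) and must be changed for your target. It replaces every java.lang.String argument of every overload with our own string and logs the original arguments and the return value:

```javascript
// Added example: hook all overloads of a method and rewrite its String arguments.
// Class/method names are assumptions for illustration; replace them for your target.

// Pure helper: given the call arguments and the overload's argumentTypes
// (each with a .className), return a copy where every String argument is replaced.
function replaceStringArgs(args, argumentTypes, replacement) {
  const out = [];
  for (let i = 0; i < args.length; i++) {
    const typeName = argumentTypes[i] ? argumentTypes[i].className : "";
    out.push(typeName === "java.lang.String" ? replacement : args[i]);
  }
  return out;
}

// Pure helper: human-readable signature for logging, e.g. "fun(java.lang.String,int)".
function describeOverload(methodName, argumentTypes) {
  const names = [];
  for (let i = 0; i < argumentTypes.length; i++) {
    names.push(argumentTypes[i].className);
  }
  return methodName + "(" + names.join(",") + ")";
}

// Install the hooks; this part only runs inside Frida's Java runtime.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    const targetClass = Java.use("com.example.a11x256.frida_test.my_activity"); // assumption
    const method = targetClass.fun; // method wrapper; .overloads lists each signature
    method.overloads.forEach(function (ov) {
      const sig = describeOverload("fun", ov.argumentTypes);
      ov.implementation = function () {
        // `arguments` is not a real array; copy it before working with it
        const original = Array.prototype.slice.call(arguments);
        console.log("[" + sig + "] original args: " +
          original.map(function (a) { return String(a); }).join(", "));
        // A JS string is accepted by Frida wherever a java.lang.String is expected.
        const patched = replaceStringArgs(original, ov.argumentTypes, "My TeSt String#####");
        const ret = ov.apply(this, patched); // call the original overload with the patched args
        console.log("[" + sig + "] returned: " + ret);
        return ret;
      };
    });
  });
}
```

Because the replacement is decided per argument type rather than per position, the same hook body serves fun(String), fun(String, int) and any other overload the class declares.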

Getting an already created object of a class

If you want to extract some attribute of an already created object you can use this.
In this example you will see how to get the live instance(s) of the class my_activity and how to call the function .secret(), which prints a private attribute of the object. Java.choose scans the heap for instances of the class and must also run inside Java.perform:
Java.choose("com.example.a11x256.frida_test.my_activity" , {
    onMatch : function(instance){ //This function will be called for every instance found by frida
        console.log("Found instance: "+instance);
        console.log("Result of secret func: " + instance.secret());
    },
    onComplete:function(){} //called once the heap scan has finished
});