Frida Tutorial

Installation

Install the frida tools:

pip install frida-tools
pip install frida

Download and install the Frida server on the Android device (download the latest release). One-liner to restart adb in root mode, connect to it, upload frida-server, give it execute permissions and run it in the background:

adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"

Check that it works:

frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name

Tutorials

Source: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1 APK: https://github.com/t0thkr1s/frida-demo/releases Source code: https://github.com/t0thkr1s/frida-demo

Follow the link to read it.

Source: https://11x256.github.io/Frida-hooking-android-part-2/ (parts 2, 3 and 4) APKs and source code: https://github.com/11x256/frida-android-examples

Follow the link to read it.

Source: https://joshspicer.com/android-frida-1 APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Follow the link to read it.

More awesome Frida scripts can be found here: https://codeshare.frida.re/

Quick Examples

Calling Frida from the command line

frida-ps -U

#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The -f option spawns the app automatically, frozen so that the
#instrumentation can be applied, and --no-pause then lets it continue
#execution immediately with our modified code.

Basic Python Script

import frida
import sys

# Define the script to be injected
script_code = """
Java.perform(function () {
    // Your code here
});
"""

# Attach to the target process on the USB-connected Android device
# (frida.attach() alone would look for the process on the local host)
session = frida.get_usb_device().attach("com.example.app")

# Create a script from the script code
script = session.create_script(script_code)

# Load the script into the target process
script.load()

# Keep the hooks alive until stdin is closed (Ctrl+D), then detach;
# detaching right after load() would remove the hooks immediately
sys.stdin.read()
session.detach()

import frida, sys

# Read the Frida JavaScript file given as the first command-line argument
# (sys.argv[0] is this Python script itself, not the hook file)
jscode = open(sys.argv[1]).read()
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()  # keep the script alive until stdin is closed

Hooking functions without parameters

Hook the function a() of the class sg.vantagepoint.a.c.

Java.perform(function () {
var rootcheck1 = Java.use("sg.vantagepoint.a.c"); // wrapper for the class holding the root check
rootcheck1.a.overload().implementation = function() {
send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
return false; // report "no su binary" to the app
};
});

Frida Tutorial: Hooking exit() Method in Java

In this tutorial, we will learn how to hook the exit() method in Java using Frida. By hooking this method, we can intercept the application's exit process and perform additional actions or manipulate the behavior of the application.

Prerequisites

Before we begin, make sure you have the following:

  • A rooted Android device or an emulator

  • Frida installed on your machine

  • Basic knowledge of JavaScript and Java

Step 1: Setting up the Environment

First, we need to set up the environment for our Frida script. Create a new file called hook_exit.js and open it in a text editor.

Step 2: Writing the Frida Script

In the hook_exit.js file, we will write the Frida script to hook the exit() method. Here's an example script:

Java.perform(function() {
    var System = Java.use('java.lang.System');

    // Hook the exit(int) method
    System.exit.overload('int').implementation = function(status) {
        console.log('exit() method hooked, status = ' + status);

        // Perform additional actions or manipulate the behavior here

        // Call the original exit() method
        this.exit(status);
    };
});

In this script, we use the Java.perform() function to run our hooking logic on a thread attached to the Java VM. We then use the Java.use() function to get a reference to the System class.

Next, we hook the exit() method by replacing the implementation of its exit(int) overload with our own function. Inside the hooked function, we can perform additional actions or manipulate the behavior of the application.

Finally, we call the original exit() method using this.exit(status) to ensure the application exits properly.

Step 3: Running the Frida Script

To run the Frida script, follow these steps:

  1. Connect your Android device or emulator to your machine.

  2. Open a terminal and navigate to the directory where the hook_exit.js file is located.

  3. Run the following command to start the Frida server:

    frida-server

  4. Install the target application on your device or emulator.

  5. Run the following command to attach the Frida script to the target application:

    frida -U -l hook_exit.js <package_name>

    Replace <package_name> with the package name of the target application.

  6. The Frida script will be injected into the target application, and you will see the message "exit() method hooked" in the console.

Conclusion

In this tutorial, we learned how to hook the exit() method in Java using Frida. By hooking this method, we can intercept the application's exit process and perform additional actions or manipulate the behavior of the application.

var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
};

Frida Tutorial: Hook MainActivity .onStart() & .onCreate()

In this tutorial, we will learn how to use Frida to hook the .onStart() and .onCreate() methods of the MainActivity class in an Android app.

Prerequisites

Before we begin, make sure you have the following:

  • Frida installed on your machine

  • An Android device or emulator

  • The target app installed on the device or emulator

Step 1: Set Up the Environment

First, we need to set up the environment by installing Frida on our machine. You can find the installation instructions for your specific operating system on the Frida website.

Once Frida is installed, make sure your Android device or emulator is connected to your machine.

Step 2: Identify the Target App

Next, we need to identify the target app that we want to hook. You can find the package name of the app by looking at the AndroidManifest.xml file or by using a tool like adb:

adb shell pm list packages

Step 3: Write the Frida Script

Now, let's write the Frida script to hook the .onStart() and .onCreate() methods of the MainActivity class. Create a new file called hook.js and add the following code:

Java.perform(function() {
    var MainActivity = Java.use('com.example.app.MainActivity');

    MainActivity.onStart.implementation = function() {
        console.log('MainActivity.onStart() hooked');
        this.onStart();
    };

    // onCreate receives the saved-state Bundle; pass it through unchanged
    MainActivity.onCreate.implementation = function(savedInstanceState) {
        console.log('MainActivity.onCreate() hooked');
        this.onCreate(savedInstanceState);
    };
});

Step 4: Run the Frida Script

To run the Frida script, open a terminal and navigate to the directory where the hook.js file is located. Then, run the following command:

frida -U -l hook.js -f <package_name> --no-pause

Replace <package_name> with the package name of the target app.

Step 5: Test the Hook

Finally, launch the target app on your Android device or emulator. You should see the log messages MainActivity.onStart() hooked and MainActivity.onCreate() hooked in the terminal where you ran the Frida script.

Congratulations! You have successfully hooked the .onStart() and .onCreate() methods of the MainActivity class using Frida.

Conclusion

In this tutorial, we learned how to use Frida to hook the .onStart() and .onCreate() methods of the MainActivity class in an Android app. This technique can be useful for analyzing and modifying the behavior of Android apps during runtime.

var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
send("MainActivity.onStart() HIT!!!");
var ret = this.onStart.overload().call(this);
};
mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
send("MainActivity.onCreate() HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};

Frida Tutorial: Hook Android .onCreate()

In this tutorial, we will learn how to hook the .onCreate() method in an Android application using Frida. By hooking this method, we can intercept and modify the behavior of the application during its initialization process.

Prerequisites

Before we begin, make sure you have the following:

  • An Android device or emulator

  • Frida installed on your machine

  • Basic knowledge of JavaScript and Android development

Steps

  1. Launch the target application on your Android device or emulator.

  2. Open a terminal and start the Frida server by running the following command:

    frida-server

  3. Create a new JavaScript file, for example hook.js, and add the following code:

    Java.perform(function() {
        var targetClass = Java.use('com.example.TargetClass');
        // onCreate receives the saved-state Bundle; pass it through unchanged
        targetClass.onCreate.implementation = function(savedInstanceState) {
            console.log('Hooked .onCreate()');
            // Add your custom code here
            this.onCreate(savedInstanceState);
        };
    });

    In the above code, replace 'com.example.TargetClass' with the fully qualified name of the class containing the .onCreate() method that you want to hook.

  4. Save the hook.js file.

  5. In the terminal, navigate to the directory where the hook.js file is located.

  6. Run the following command to start the Frida script:

    frida -U -l hook.js -f com.example.targetapp

    Replace com.example.targetapp with the package name of the target application.

  7. If everything is set up correctly, you should see the message Hooked .onCreate() in the terminal.

  8. Now, when the target application's .onCreate() method is called, your custom code will be executed.

Conclusion

By hooking the .onCreate() method in an Android application using Frida, you can gain control over the application's initialization process and modify its behavior as desired. This technique can be useful for various purposes, such as debugging, reverse engineering, or security analysis.

var activity = Java.use("android.app.Activity");
activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
send("Activity HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};
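The three hooks above each pin one overload by hand (exit(int), onStart(), onCreate(Bundle)). As an added example, not from the original page, here is a small Frida helper that hooks every overload of a method, logs the argument types and values of each call, and passes the call through unchanged; the helper names hookAllOverloads and describeCall are my own, and the script is meant to be run with frida -U -l hookall.js -f <package_name>.

```javascript
// Added example: hook every overload of a Java method and log each call.
// Runs inside Frida's Java bridge; hookAllOverloads/describeCall are our names.

// Describe one call for the log: class, method, argument types and values.
function describeCall(className, methodName, argTypes, args) {
    var parts = [];
    for (var i = 0; i < args.length; i++) {
        parts.push(argTypes[i] + "=" + String(args[i]));
    }
    return className + "." + methodName + "(" + parts.join(", ") + ")";
}

// Hook all overloads of className.methodName. `log` receives one line per
// call; the original implementation always runs, so behaviour is unchanged.
// Returns the number of overloads hooked (0 if the class has no such method).
function hookAllOverloads(JavaBridge, className, methodName, log) {
    var clazz = JavaBridge.use(className);
    var method = clazz[methodName];
    if (method === undefined || !method.overloads) {
        return 0;
    }
    method.overloads.forEach(function (overload) {
        var argTypes = overload.argumentTypes.map(function (t) { return t.className; });
        overload.implementation = function () {
            log(describeCall(className, methodName, argTypes, arguments));
            // Call through to the original overload with the same arguments.
            return overload.apply(this, arguments);
        };
    });
    return method.overloads.length;
}

// Only runs inside Frida, where the global Java bridge exists.
if (typeof Java !== "undefined") {
    Java.perform(function () {
        hookAllOverloads(Java, "java.lang.System", "exit", send);
        // Activity has onCreate(Bundle) and onCreate(Bundle, PersistableBundle);
        // both get hooked without naming them explicitly.
        hookAllOverloads(Java, "android.app.Activity", "onCreate", send);
    });
}
```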

Hooking functions with parameters and retrieving the value

Hooking a decryption function. Print the input, call the original function to decrypt the input and finally print the plaintext:

function getString(data){
var ret = "";
for (var i=0; i < data.length; i++){
ret += data[i].toString();
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a");
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
send("Key       : " + getString(var_0));
send("Encrypted : " + getString(var_1));
var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
send("Decrypted : " + ret);

var flag = "";
for (var i=0; i < ret.length; i++){
flag += String.fromCharCode(ret[i]);
}
send("Decrypted flag: " + flag);
return ret; //[B
};
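The getString helper above concatenates the decimal value of every byte, so a 16-byte key prints as an unreadable run of digits, and Frida hands Java byte[] values over as signed 8-bit numbers. As an added example, not from the original script, here is the same sg.vantagepoint.a.a hook with helpers that dump the arrays as hex and as printable ASCII; the helper names toUnsigned, bytesToHex and bytesToAscii are my own.

```javascript
// Added example: readable dumps of Java byte[] values inside a Frida hook.
// Java bytes arrive as signed values (-128..127); mask them to 0..255 first.
function toUnsigned(b) {
    return b & 0xff;
}

// Hex representation, e.g. [72, 105] -> "4869".
function bytesToHex(data) {
    var out = "";
    for (var i = 0; i < data.length; i++) {
        var h = toUnsigned(data[i]).toString(16);
        out += (h.length < 2 ? "0" : "") + h;
    }
    return out;
}

// Printable ASCII, with anything outside 0x20..0x7e replaced by ".".
function bytesToAscii(data) {
    var out = "";
    for (var i = 0; i < data.length; i++) {
        var c = toUnsigned(data[i]);
        out += (c >= 0x20 && c <= 0x7e) ? String.fromCharCode(c) : ".";
    }
    return out;
}

// The same sg.vantagepoint.a.a.a([B[B)[B hook as above, with readable output.
// Only runs inside Frida, where the global Java bridge exists.
if (typeof Java !== "undefined") {
    Java.perform(function () {
        var aes_decrypt = Java.use("sg.vantagepoint.a.a");
        aes_decrypt.a.overload("[B", "[B").implementation = function (key, enc) {
            send("Key       : " + bytesToHex(key));
            send("Encrypted : " + bytesToHex(enc));
            var ret = this.a.overload("[B", "[B").call(this, key, enc);
            send("Decrypted : " + bytesToHex(ret) + "  '" + bytesToAscii(ret) + "'");
            return ret; // hand the real plaintext back to the app
        };
    });
}
```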

Hooking functions and calling them with our own input

Hook a function that receives a string and call it with a different string (example taken from here).

Java.perform(function () {
var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class
var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); // class that declares fun(String)

my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function
var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator
console.log("Original arg: " +x );
var ret =  this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable
console.log("Return value: "+ret);
return ret;
};
});

Getting an already created object of a class

If you want to extract some attribute of an already created object, you can use this.

In this example you will see how to get the object of the class my_activity and how to call the function .secret(), which will print a private attribute of the object:

Java.choose("com.example.a11x256.frida_test.my_activity" , {
onMatch : function(instance){ //This function will be called for every instance found by frida
console.log("Found instance: "+instance);
console.log("Result of secret func: " + instance.secret());
},
onComplete:function(){}
});

Other Frida tutorials
