Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
0 likes965 views
This document provides a comprehensive guide on using Frida for runtime debugging on Android, including installation steps, commands for starting and utilizing Frida for various tasks, and instructions for setting up a vulnerable environment. It also discusses methods for identifying and hooking functions within applications, with examples of scripts and code for effective usage. Additionally, it includes links to resources such as documentation and example applications to facilitate learning and application of the techniques described.
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
- 1. Frida Runtime Debugging By: Bhargav Gajera, Vitthal Shinde
- 2. Installation Android: Download Link: https://github.com/frida/frida/releases Push it in Android Path : “/data/local/tmp/” System: Command: pip install frida-tools Refer : https://pypi.org/project/frida/
- 3. Installation Easy Way: Command: frida-push ● pip install frida-push ● It will identify your device’s architecture from adb ● Download the appropriate server ● Install it ● Run it
- 4. Start using Frida Android ADB: Command: /data/local/tmp/frida-server & Base System: Command: frida -U -f “<PackageName>” --no-pause
- 5. Start using Frida Want to attach Quickly on whatever is running on screen ? Base System: Command: frida -U -F
- 6. Codeshare What is it ? Ans: Repo for universal method hooks & bypass URL: https://codeshare.frida.re/browse How do I use it ? Command: frida -U -f “<PackageName>” --codeshare <URI> --no-pause
- 7. Docs All the documentation is listed under: ● URL: https://frida.re/docs/home/ Javascript API docs are available under: ● URL: https://frida.re/docs/javascript-api/
- 8. Frida and Scripts 1. Interactive way ➢ Write scripts inside terminal. 2. Attach scripts ➢ Write scripts in file and pass it as argument. 3. Python ➢ Create python file to do the same
- 9. Frida Interactive Command: frida -U -f “<PackageName>” --no-pause ➢ An interactive shell will spawn ➢ Write your code in shell
- 10. Frida with JS File Command: frida -U -f “<PackageName>” -l “<JSFile>” --no-pause ➢ Write your javascript code in a file. ➢ Use “-l” option to provide file in argument. ➢ Code will execute side by side of the application execution.
- 11. Frida with Python File Command: python <PythonFile>.py ➢ Import frida in python code. ➢ Use inbuilt frida functions to: ○ Get USB device ○ Spawn targeted application ○ Attach to it’s PID ○ Create script ○ Load the script ○ Resume the application execution
- 12. Setup Vulnerable Environment ● App : InsecureBankv2 ○ Link: https://github.com/dineshshetty/Android-InsecureBankv2 ● Server : Inside Directory “AndroLabServer” ○ Install pip requirements ○ # python app.py
- 13. Setup Vulnerable Environment ● Configure the application ○ Navigate to More -> Preferences ○ Give ip of your base system where app.py is running ● Login Credentials : ○ dinesh/Dinesh@123$ ○ jack/Jack@123$
- 14. Find Loaded classes Code : Java.perform(function(){ Java.enumerateLoadedClasses({ "onMatch": function(className){ console.log(className) }, "onComplete":function() {} }) });
- 15. Find Loaded classes These many classes ? Really ??
- 16. Find Loaded classes with known names Java.perform(function(){ Java.enumerateLoadedClasses({ onMatch:function(className) { if(className.toLowerCase().lastIndexOf("<Identifier>")>0) { console.log(className); } }, onComplete:function() {} }); });
- 17. Find Loaded classes with known names
- 18. Identify Classes being used ● How to Identify which class contains method when an event is called ? ○ Enumerate classes before event. ○ Enumerate classes after event. ○ Find newly loaded classes
- 19. Hooking Functions Java.perform(function(){ var varName = Java.use("<className>"); varName.funName.implementation=function() { console.log(“Function Called”) } })
- 20. Identify Functions being called ● How to Identify which method is being invoked ? Newbie's way: ➢ Hook suspicious methods and add console.log()
- 21. Identify Functions being called If you are hooking all suspicious functions...
- 22. Identify Functions being called ● How to Identify which method is being invoked ? Professional’s way: ➢ Hook all methods of a class and ○ Log whenever it is being called ○ Log all Arguments ○ Log Return value
- 23. Identify Functions being called ● Script be Like...
- 24. Hooking Overloaded Functions Java.perform(function(){ var varName = Java.use("class path"); varName.funName.overload(<args_type>).implementation=function(args) { // Your implementation. } })
- 25. Implement custom function Further we will see… ● Dive deep into creating custom logic. ● How can we overwrite original function. ● How to create variable of desired classes. ● How to use such variables and use it to get information from hooked function. ● etc, etc, etc...
- 26. Using --no-pause Command: frida -U -f <Package> --no-pause ● Will immediately spawn and start execution of the application ● Load the script side by side ● What if the function mentioned in script executes before scripts is loaded?
- 27. Without --no-pause Command: frida -U -f <Package> -l <script> ● Will create a process of the application. ● Will hold the execution of first frame of the application ● We can load the script by pasting it now in the terminal. ● Use “ %resume ” to continue the execution.
- 28. Analyzing hooked function Java.perform(function(){ var varName = Java.use("class path"); varName.funName.overload(<args_type>).implementation=function(args) { console.log(“Function called”); console.log(“Arguments are : ”,args); }}) ;