Frida - A dynamic instrumentation toolkit
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.
Installation and set up
Download it:
pip install frida-tools
pip install frida
wget https://github.com/frida/frida/releases/download/15.1.14/frida-server-15.1.14-android-x86.xz
Unzip the file with extension xz:
Make sure we're connected to the device:
Upload frida file to the device:
We go to the path where we have stored the file:
We list contents, see frida-server file, and we change permissions:
Now we can run the binary:
From another terminal we can see processes running on the device:
Install Burp Certificate in Frida
Our goal is to install it under /system/etc/security/cacerts. This is where Android keeps the system Certificate Authority certificates, and it is where we will install the Burp certificate.
First, we open Burp > Proxy > Options > Proxy Listener and click on "Import / Export CA Certificate". We save it in DER format to a folder accessible from Kali. We can give it the name cacert.der.
Second, we convert the DER file to PEM:
Now we extract the hash that we will use later on to name the certificate:
It returns (for instance): 9a5ba575.
Let's change the name to cacert.pem:
To act as root we'll run:
And to remount the partitions:
Next step will be to upload the certificate 9a5ba575.0 to the SD card:
Let's go to that directory and move the file to our preferred location:
Change permissions to the file:
chmod 644 /system/etc/security/cacerts/9a5ba575.0
In Burp we now need a Proxy Listener bound to the Host-Only IP of our Kali machine, for instance 192.168.156.107, port 8080.
And in the Wi-Fi settings of the virtual device running on Genymotion (for instance a Galaxy6), we need to set this same Host-Only IP of our Kali machine as the proxy.
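The file name 9a5ba575.0 used above is not arbitrary: Android's system CA store names each certificate after OpenSSL's "old" subject-name hash (what `openssl x509 -subject_hash_old` prints), which is the first four bytes of MD5 over the DER-encoded subject Name, read as a little-endian 32-bit integer and printed as eight hex digits. The script below, an added example that is not part of the original page or of the Frida project, computes that name from a DER certificate using only the standard library and a minimal DER walker, so it runs offline. The certificate it works on is constructed by hand (an unsigned skeleton with placeholder names), so its hash will not be the page's 9a5ba575.

```python
"""Compute the file name Android expects for a CA in /system/etc/security/cacerts.

Added example (not from the original page or the Frida project). Android names
each system CA file <hash>.0, where <hash> is OpenSSL's X509_NAME_hash_old():
MD5(DER subject Name), first four bytes as a little-endian uint32, eight hex digits.
"""
import hashlib
import struct


def _tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def subject_der(cert_der):
    """Return the DER bytes of the subject Name (header included) of an X.509 cert.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _tlv(cert_der, 0)         # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, _ = _tlv(cert_der, pos)         # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version is optional (absent in v1 certs)
        pos = end
    for _ in range(4):                      # skip serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subject is not a Name SEQUENCE")
    return cert_der[pos:end]


def subject_hash_old(cert_der):
    """OpenSSL X509_NAME_hash_old(): MD5 of the subject Name, first 4 bytes little-endian."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def android_cacert_filename(cert_der):
    """Name to give the file under /system/etc/security/cacerts."""
    return subject_hash_old(cert_der) + ".0"


# --- constructed sample certificate (placeholder names, no key, no valid signature) ----

def _der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(org, cn):
    """DER Name with organizationName (2.5.4.10) and commonName (2.5.4.3) as UTF8String."""
    def rdn(oid, value):
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, value.encode())))
    return _der(0x30, rdn(b"\x55\x04\x0a", org) + rdn(b"\x55\x04\x03", cn))


def build_sample_cert(subject, issuer, v3=True):
    """Assemble a minimal Certificate skeleton around the given subject/issuer Names."""
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    fields = _der(0xA0, _der(0x02, b"\x02")) if v3 else b""       # version: v3 is INTEGER 2
    fields += _der(0x02, b"\x01")                                   # serialNumber
    fields += sig_alg                                               # signature
    fields += issuer
    fields += _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))  # validity
    fields += subject
    fields += _der(0x30, b"")                                       # subjectPublicKeyInfo placeholder
    tbs = _der(0x30, fields)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))          # signatureValue placeholder


SAMPLE_SUBJECT = _name("Example Org", "Example Proxy CA")          # constructed placeholder names
SAMPLE_CERT = build_sample_cert(SAMPLE_SUBJECT, _name("Example Org", "Example Root CA"))

if __name__ == "__main__":
    print(android_cacert_filename(SAMPLE_CERT))
```

To use it on the real cacert.der exported from Burp, pass `open("cacert.der", "rb").read()` to `android_cacert_filename()`; the result should match what `openssl x509 -inform DER -subject_hash_old -noout -in cacert.der` prints, and that is the name the file must carry (with the `.0` suffix) for Android to pick it up from the system store.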
Basic commands
# Display running processes and installed applications on the USB device
frida-ps -Ua
# Restore the class loader (so Java.use can resolve classes loaded by the app's own loader)
Java.perform(function() {
    var application = Java.use("android.app.Application");
    var classloader;
    application.attach.overload('android.content.Context').implementation = function(context) {
        var result = this.attach(context);
        classloader = context.getClassLoader();
        Java.classFactory.loader = classloader;
        return result;
    }
})
# Enumerate classes loaded in memory
Java.perform(function() {
    Java.enumerateLoadedClasses({
        "onMatch": function(className) {
            console.log(className);
        },
        "onComplete": function() {}
    });
})
# Enumerate classes loaded in memory linked to a specific <package>
Java.perform(function() {
    Java.enumerateLoadedClasses({
        "onMatch": function(className) {
            if (className.includes("<package>")) {
                console.log(className);
            }
        },
        "onComplete": function() {}
    });
})
# Android version installed on device
Java.androidVersion
# Execute a method on a live instance of an Activity
Java.perform(function() {
    Java.choose("<fully qualified name of the activity class>", {
        onMatch: function(instance) {
            // Called for every instance Frida finds on the heap
            console.log("Found instance: " + instance);
            instance.<methodName>();
        },
        onComplete: function() {}
    });
})
# Save an Activity in a variable
var NameofVariable = Java.use("com.android.application.<nameOfActivity>");
# Execute a script js from Frida
frida -U com.android.applicationName -l instance.js
# Modify the implementation of a function
Java.perform(function() {
    var activity = Java.use("com.droidhem.basketball.adapters.Game");
    activity.normalshoot.implementation = function(x, y) {
        // print the original arguments
        console.log("Dentro de normalshoot");
        console.log("args: " + x + ", " + y);
        this.score.value += 10000;
        // in the original code:
        // this.score += 2;
    }
})
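The `frida -U <package> -l script.js` one-liner above hides two halves: the Frida script that runs inside the app and the host-side code that attaches and loads it. The following added example (not code from the original page or from the Frida project) shows both with the frida Python package: it generates a script that hooks every overload of a method and reports its arguments with send(), and a small driver that attaches over USB, loads the script and prints each message. The class `com.example.app.Game` and the method `normalshoot` are placeholders; `frida` is imported lazily so the script builder and message formatter run without a device attached.

```python
"""Host-side driver for a Frida method tracer (added example, not the page's or Frida's own code).

Requires `pip install frida` and a running frida-server on the USB device only
for trace(); build_trace_script() and format_message() are pure Python.
"""
import json
import sys

# Frida JavaScript template. Class and method names are inserted as JSON string
# literals so that quoting is always correct.
HOOK_TEMPLATE = """
Java.perform(function () {
  var target = Java.use(%(cls)s);
  // Hook every overload so the trace is complete whatever signature the app uses.
  target[%(method)s].overloads.forEach(function (overload) {
    overload.implementation = function () {
      var args = Array.prototype.slice.call(arguments).map(String);
      send({ cls: %(cls)s, method: %(method)s, args: args });
      // Call through to the original so application behaviour is unchanged.
      return overload.apply(this, arguments);
    };
  });
});
"""


def build_trace_script(class_name, method_name):
    """Return Frida JavaScript that reports every call to class_name.method_name."""
    return HOOK_TEMPLATE % {"cls": json.dumps(class_name), "method": json.dumps(method_name)}


def format_message(message):
    """Turn a Frida message dict into one log line; script errors are reported as such."""
    if message.get("type") == "error":
        return "[error] " + message.get("description", str(message))
    payload = message.get("payload", {})
    return "%s.%s(%s)" % (payload.get("cls"), payload.get("method"),
                          ", ".join(payload.get("args", [])))


def trace(package, class_name, method_name):
    """Attach to the running app over USB and print each traced call until Ctrl-C."""
    import frida  # deferred so the helpers above work without frida installed

    device = frida.get_usb_device()
    session = device.attach(package)
    script = session.create_script(build_trace_script(class_name, method_name))
    script.on("message", lambda message, data: print(format_message(message)))
    script.load()
    print("tracing %s.%s in %s, Ctrl-C to stop" % (class_name, method_name, package))
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    # Usage: python trace_method.py <package> <class> <method>
    # e.g.   python trace_method.py com.example.app com.example.app.Game normalshoot
    trace(*sys.argv[1:4])
```

Unlike the score-patching hook above, this one calls the original overload after reporting its arguments, which is the safer default when the goal is to understand what an app does rather than change it; replacing the body without calling through is what the page's `normalshoot` example does deliberately.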