Feb 21, 2021 (3 min read)
Hi there, I have been playing with the FRIDA framework significantly these days!
One of the good resources I found online was this four-hour training on FRIDA: Link
So I thought it'd be a good idea to prepare a small cheat sheet of the popular commands and functionalities and share it! Here's a summary of the 14 main points I learnt:
- frida ./foo # spawns the app
- frida foo # attaches to the app
- frida -p 24 # attaches by PID
- frida -p $(pidof pew)
- frida foo -l inject.js # attaches and loads a script
- frida foo # attaches and drops you into the REPL
> Process.enumerateModulesAsync()
> Process.getModuleByName("libc-2.30.so");
{
  "base": "0x7fc2edb78000",
  "name": "libc-2.30.so",
  "path": "/lib/x86_64-linux-gnu/libc-2.30.so",
  "size": 1830912
}
> Module.getExportByName(null, "sleep");
"0x7fc2edc42d90"
OR
> DebugSymbol.getFunctionByName("sleep");
"0x7fc2edc42d90"
var sleep = Module.getExportByName(null, "sleep");
Interceptor.attach(sleep, {
  onEnter: function(args) {
    console.log("[*] Sleep from Frida!");
  },
  onLeave: function(retval) {
    console.log("[*] Done sleeping from Frida!");
  }
});
(This diagram is from the youtube video by Leon Jacobs)
var testPin = DebugSymbol.getFunctionByName("test_pin");
Interceptor.attach(testPin, {
  onLeave: function(retval) {
    console.log("ret: " + retval);
    retval.replace(ptr("0x1")); // force the function to report success
  }
});
new NativeFunction(address, returnType, argTypes[, abi]);

var testPinPtr = DebugSymbol.getFunctionByName("test_pin");
var testPin = new NativeFunction(testPinPtr, "int", ["pointer"]);
var pin = Memory.allocUtf8String("1111");
var r = testPin(pin);
console.log(r);
// javascript
var answer = 42;
send(answer);

# python
def incoming(message, data):
    print(message)

script.on("message", incoming)

// javascript
recv(function(m) {
  console.log("message: " + m);
});

# python
script.on("message", incoming)
script.load()
script.post("test")
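As an added example (not from the post, and not frida's own code), here is the Python end of the send()/recv() exchange above written as a handler that also deals with the error envelope frida posts when an agent throws, which a bare print(message) hides. The sample messages are constructed inline, so it runs without frida or a target process.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HookLog:
    """Collects what the agent reported, so a tool can inspect it after the session."""
    payloads: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    raw_bytes: int = 0

    def on_message(self, message: dict, data: Optional[bytes]) -> None:
        """Handler shape expected by script.on("message", handler).

        frida delivers {"type": "send", "payload": ...} for send() in the agent, and
        {"type": "error", "description": ..., "stack": ..., "fileName": ...,
         "lineNumber": ..., "columnNumber": ...} for an uncaught agent exception.
        """
        kind = message.get("type")
        if kind == "send":
            self.payloads.append(message["payload"])
            if data is not None:  # optional binary blob given as send()'s second argument
                self.raw_bytes += len(data)
        elif kind == "error":
            # Exceptions thrown inside a hook never become Python exceptions; they arrive here.
            where = f'{message.get("fileName")}:{message.get("lineNumber")}'
            self.errors.append(f'{message.get("description")} at {where}')
        else:
            self.errors.append(f"unknown message type: {kind!r}")

def replay(messages) -> HookLog:
    """Feed (message, data) pairs through the handler and return the filled log."""
    log = HookLog()
    for message, data in messages:
        log.on_message(message, data)
    return log

# Constructed sample envelopes (not captured from a real session): send(42) as in the
# post, a hook reporting test_pin's return value with a 4-byte blob, and a thrown error.
SAMPLE_MESSAGES = [
    ({"type": "send", "payload": 42}, None),
    ({"type": "send", "payload": {"hook": "test_pin", "ret": "0x0"}}, b"\x00\x00\x00\x00"),
    ({"type": "error", "description": "TypeError: not a function",
      "stack": "TypeError: not a function\n    at <anonymous>",
      "fileName": "/inject.js", "lineNumber": 7, "columnNumber": 3}, None),
]

if __name__ == "__main__":
    # In a live session: script.on("message", HookLog().on_message); script.load()
    print(replay(SAMPLE_MESSAGES))
```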
// javascript
rpc.exports = {
  brute: function() {
    console.log("Brute function");
  }
};

# python
script.exports.brute()
This generates Interceptor-like hooks, supports wildcard resolution, and dumps the generated hook handlers into the __handlers__ folder.
frida-trace foo -i "read*"
~/code$ patchelf --add-needed ../frida-gadget.so foo
~/code$ ./foo
[Frida INFO] Listening on 127.0.0.1 TCP port 27042
~/code$ ldd foo
    linux-vdso.so.1 (0x00007ffdc7962000)
    ../frida-gadget.so (0x00007fceeca4b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fceec884000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fceec87f000)
Note that frida-gadget reads a corresponding frida-gadget config file, which lets you change its behaviour (wait or resume on load), the listening port, etc. for the patched binary.
frida-compile can take TypeScript and transpile it to any target (important for duktape/v8 language-feature support).
frida-compile exposes the entire NPM ecosystem for use inside of agents.
One can use VSCode to write. Node should be pre-installed.
npm watch monitors for changes and automatically rebuilds resulting in a new _agent.js file.
Refer to this file in the python script:
with open("frida-agent-example/_agent.js", "r") as f:
    source = f.read()
- run ./foo
- run npm run watch
- run python3 tool.py
- edit index.ts and watch the recompile
const cm = new CModule('int value() { return 42; }');
const v = new NativeFunction(cm.value, 'int', []);
v(); // 42
Also, the FRIDA REPL can load a .c file directly, like this:
> frida foo -l index.js -C test.c
Only a limited set of headers is supported currently. Link
So, that was all! Have we missed covering any interesting feature/command? Do let me know in the comments!
Are you interested in learning about similar concepts? Subscribe to this blog and join the tribe of !nfinite hacks, where we are learning, exploring, and researching interesting concepts in cybersecurity every day!
See you in the next post soon!
Ciao,
Great resources:
FRIDA Bootcamp training by Leon Jacobs Link (I highly recommend it!)
https://poxyran.github.io/poxyblog/src/pages/02-11-2019-calling-native-functions-with-frida.html
https://medium.com/swlh/exploring-native-functions-with-frida-on-android-part-4-22db2c247e29