Hi there, I have been playing with the FRIDA framework significantly, these days!
One of the good resources I found online was this four-hour training on FRIDA: Link
So I thought it'd be a good idea to prepare a small cheat sheet of the popular commands and functionalities and share it! Here's a summary of 14 main points I learnt:
(Hi, I'm not really related to this post ^)
NUMBER 1
ATTACH TO A PROCESS, SAY THE PROCESS NAME IS FOO with PID 24
- frida ./foo # spawn’s the app
- frida foo # attaches to the app
- frida -p 24
- frida -p $(pidof pew)NUMBER 2
ATTACH TO PROCESS AND LOAD A JAVASCRIPT called inject.js
frida foo -l inject.jsNUMBER 3
CHECK ALL LOADED MODULES IN A PROCESS
- frida foo
- Process.enumerateModulesAsync()
NUMBER 4
GET BASE ADDRESS OF A LOADED MODULE
Process.getModuleByName("libc-2.30.so");
{ "base": "0x7fc2edb78000",
"name": "libc-2.30.so",
"path": "/lib/x86_64-linux-gnu/libc-2.30.so",
"size": 1830912
}
NUMBER 5
GET ADDRESS OF A METHOD
> Module.getExportByName(null, "sleep");
"0x7fc2edc42d90"
OR
> DebugSymbol.getFunctionByName("sleep");
"0x7fc2edc42d90"
NUMBER 6
ATTACH A METHOD BASED ON ADDRESS AND HOOK onEnter AND onLeave
var sleep = Module.getExportByName(null, "sleep");
Interceptor.attach(sleep, {
onEnter: function(args) {
console.log("[*] Sleep from Frida!");
},
onLeave: function(retval) {
console.log("[*] Done sleeping from Frida!");
} });
(This diagram is from the youtube video by Leon Jacobs)
NUMBER 7
ATTACH A METHOD BASED ON ADDRESS, LOG, AND MODIFY RETURN VALUE
var testPin = DebugSymbol.getFunctionByName("test_pin");
Interceptor.attach(testPin, {
onLeave: function(retval) {
console.log("ret: " + retval);
retval.replace(ptr("0x1"));
}
});
NUMBER 8
CALL A FUNCTION DEFINED WITHIN THE CODE, ON DEMAND
new NativeFunction(address, returnType, argTypes[, abi]);
var testPinPtr = DebugSymbol.getFunctionByName("test_pin");
var testPin = new NativeFunction( testPinPtr, "int", ["pointer"]);
var pin = Memory.allocUtf8String("1111");
var r = testPin(pin);
console.log(r);
NUMBER 9
COMMUNICATE WITH INJECTED JAVASCRIPT, USING SEND, AND RECV
//javascript
var answer = 42;
send(answer);
# python def incoming(message, data):
print(message)
script.on("message", incoming)// javascript
recv(function(m) {
console.log("message: " + m); });
# python
script.on("message", incoming)
script.load()
script.post("test")NUMBER 10
RPC BINDINGS, EXPORTING FUNCTIONS FROM JS SCRIPT TO PYTHON
//Javascript
rpc.exports = {
brute: function() {
console.log("Brute function");
}
}
#Python
script.exports.brute()NUMBER 11
TRACE METHOD CALLS USING FRIDA TRACE
This generates intercept-like hooks, supports wildcard resolution, and dumps hooks in _handlers_ folder.
frida-trace foo -i "read*"NUMBER 12
PATCHING ELF WITH FRIDA GADGET SO FILE
~/code$ patchelf -add-needed ../frida-gadget.so foo
~/code$ ./foo
[Frida INFO] Listening on 127.0.0.1 TCP port 27042
~/code$ ldd foo
linux-vdso.so.1 (0x00007ffdc7962000)
../frida-gadget.so (0x00007fceeca4b000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fceec884000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fceec87f000)Note that frida-gadget has a corresponding frida-gadget config file, using which one can change the behaviour (wait/resume) , port etc for the patched so.
NUMBER 13
USING TYPESCRIPT AND MODIFYING THE PRELOADED SCRIPT LIVE
frida-compile can take typescript and transpile to any target (important for duktape/v8 language support)
frida-compile exposes the entire NPM ecosĀstem to use inside of agents
One can use VSCode to write. Node should be pre-installed.
npm watch monitors for changes and automatically rebuilds resulting in a new _agent.js file.
Refer to this file in python script.
with open("frida-agent-example/_agent.js", "r") as f:run ./foo
run npm run watch
run python3 tool.py (edit index.ts and watch the recompile)
NUMBER 14
CMODULE - COMPILE C CODE IN MEMORY FROM JS, USING TinyCC
const cm = new CModule ('int value()
{ return 42; }');
const v = new NativeFunction(cm.value, ‘int’, []);
v(); // 42Also, FRIDA RPL can load .c file, like this:
>frida foo -l index.js -C test.cLimited headers supported currently. Link
So, that was all! Have we missed covering any interesting feature/command? Do let me know in the comments!
Are you interested in learning about similar concepts? Subscribe to this blog and join the tribe of !nfinite hacks, where we are learning, exploring, and researching interesting concepts in cybersecurity every day!
See you in the next post soon!
Ciao,
Great resources:
FRIDA Bootcamp training by Leon Jacobs Link (I highly recommend it!)