hacktricks/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
2022-05-01 13:25:53 +00:00

8.7 KiB

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Installation

Install frida tools:

pip install frida-tools
pip install frida

Download and install in the android the frida server (Download the latest release).
One-liner to restart adb in root mode, connect to it, upload frida-server, give exec permissions and run it in backgroud:

adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &" 

Check if it is working:

frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name

Tutorials

Tutorial 1

From: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
APK: https://github.com/t0thkr1s/frida-demo/releases
Source Code: https://github.com/t0thkr1s/frida-demo

Follow the link to read it.

Tutorial 2

From: https://11x256.github.io/Frida-hooking-android-part-2/ (Parts 2, 3 & 4)
APKs and Source code: https://github.com/11x256/frida-android-examples

Follow the link to read it.

Tutorial 3

From: https://joshspicer.com/android-frida-1
APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Follow the link to read it.
You can find some Awesome Frida scripts here: https://codeshare.frida.re/

Fast Examples

Here you can find the more basic and interesting functionalities of Frida to make a quick script:

Calling Frida from command line

frida-ps -U

#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The --no-pause and -f options allow the app to be spawned automatically,
#frozen so that the instrumentation can occur, and the automatically
#continue execution with our modified code.

Basic Python Script

import frida, sys

jscode = open(sys.argv[0]).read()
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()

Hooking functions without parameters

Hook the function a() of the class sg.vantagepoint.a.c

Java.perform(function () {
;  rootcheck1.a.overload().implementation = function() {
  rootcheck1.a.overload().implementation = function() {
    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
    return false;
  };
});

Hook java exit()

var sysexit = Java.use("java.lang.System");
  sysexit.exit.overload("int").implementation = function(var_0) {
    send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
  };

Hook MainActivity .onStart() & .onCreate()

var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
  mainactivity.onStart.overload().implementation = function() {
    send("MainActivity.onStart() HIT!!!");
    var ret = this.onStart.overload().call(this);
  };
  mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
    send("MainActivity.onCreate() HIT!!!");
    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
  };

Hook android .onCreate()

  var activity = Java.use("android.app.Activity");
  activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
    send("Activity HIT!!!");
    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
  };

Hooking functions with parameters and retrieving the value

Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data:

  function getString(data){
      var ret = "";
      for (var i=0; i < data.length; i++){
          ret += data[i].toString();
        }
      return ret
    } 
  var aes_decrypt = Java.use("sg.vantagepoint.a.a");
  aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
    send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
    send("Key       : " + getString(var_0));
    send("Encrypted : " + getString(var_1));
    var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
    send("Decrypted : " + ret);

    var flag = "";
    for (var i=0; i < ret.length; i++){
      flag += String.fromCharCode(ret[i]);
    }
    send("Decrypted flag: " + flag);
    return ret; //[B
  };

Hooking functions and calling them with our input

Hook a function that receives a string and call it with other string (from here)

var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class

my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function
  var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator 
  console.log("Original arg: " +x );
  var ret =  this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable
  console.log("Return value: "+ret);
  return ret;
};

Getting an already created object of a class

If you want to extract some attribute of a created object you can use this.

In this example you are going to see how to get the object of the class my_activity and how to call the function .secret() that will print a private attribute of the object:

Java.choose("com.example.a11x256.frida_test.my_activity" , {
  onMatch : function(instance){ //This function will be called for every instance found by frida
    console.log("Found instance: "+instance);
    console.log("Result of secret func: " + instance.secret());
  },
  onComplete:function(){}
});
Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.