Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
The speakers conduct a hands-on instrumentation workshop on Android using Frida. Frida is a popular dynamic-instrumentation framework that is very helpful in the dynamic analysis of Android apps.

https://nsconclave.net-square.com/dynamic-instrumentation.html

1. Frida Runtime Debugging
   By: Bhargav Gajera, Vitthal Shinde

2. Installation
   Android:
   ● Download the frida-server build for your device's CPU architecture from https://github.com/frida/frida/releases (its version must match the frida Python package on your base system)
   ● Push it to the Android path “/data/local/tmp/” and make it executable (chmod 755)
   System:
   ● Command: pip install frida-tools
   ● Refer: https://pypi.org/project/frida/

3. Installation (Easy Way)
   Command: frida-push
   ● pip install frida-push
   ● It identifies your device's architecture through adb
   ● Downloads the matching frida-server
   ● Pushes it to the device
   ● Runs it
4. Start using Frida
   Android (adb shell): /data/local/tmp/frida-server &
   Base system: frida -U -f “<PackageName>” --no-pause

5. Start using Frida
   Want to attach quickly to whatever is running on screen?
   Base system: frida -U -F (attaches to the frontmost application)

6. Codeshare
   What is it?
   Ans: A repository of reusable method hooks and bypass scripts
   URL: https://codeshare.frida.re/browse
   How do I use it?
   Command: frida -U -f “<PackageName>” --codeshare <URI> --no-pause
   (Read a codeshare script before running it: it executes inside the target app on your device.)

7. Docs
   All the documentation is listed under:
   ● URL: https://frida.re/docs/home/
   JavaScript API docs are available under:
   ● URL: https://frida.re/docs/javascript-api/
8. Frida and Scripts
   1. Interactive way
      ➢ Write scripts inside the terminal (the Frida REPL).
   2. Attach scripts
      ➢ Write scripts in a file and pass it as an argument.
   3. Python
      ➢ Create a Python file that does the same through the frida bindings.

9. Frida Interactive
   Command: frida -U -f “<PackageName>” --no-pause
   ➢ An interactive shell will spawn
   ➢ Write your code in the shell

10. Frida with JS File
   Command: frida -U -f “<PackageName>” -l “<JSFile>” --no-pause
   ➢ Write your JavaScript code in a file.
   ➢ Use the “-l” option to pass the file as an argument.
   ➢ The code executes alongside the application.

11. Frida with Python File
   Command: python <PythonFile>.py
   ➢ Import frida in the Python code.
   ➢ Use the built-in frida functions to:
      ○ Get the USB device (frida.get_usb_device())
      ○ Spawn the targeted application (device.spawn())
      ○ Attach to its PID (device.attach())
      ○ Create a script (session.create_script())
      ○ Load the script (script.load())
      ○ Resume the application execution (device.resume())
12. Setup Vulnerable Environment
   ● App: InsecureBankv2
     ○ Link: https://github.com/dineshshetty/Android-InsecureBankv2
   ● Server: inside the directory “AndroLabServer”
     ○ Install the pip requirements
     ○ Run: python app.py

13. Setup Vulnerable Environment
   ● Configure the application
     ○ Navigate to More -> Preferences
     ○ Enter the IP of your base system where app.py is running
   ● Login credentials:
     ○ dinesh/Dinesh@123$
     ○ jack/Jack@123$
14. Find Loaded classes
   Code:
       Java.perform(function () {
           Java.enumerateLoadedClasses({
               "onMatch": function (className) {
                   console.log(className);
               },
               "onComplete": function () {}
           });
       });

15. Find Loaded classes
   These many classes? Really??

16. Find Loaded classes with known names
       Java.perform(function () {
           var needle = "<Identifier>".toLowerCase();   // same case as className below
           Java.enumerateLoadedClasses({
               onMatch: function (className) {
                   // indexOf() !== -1 also catches a match at position 0, which "> 0" misses
                   if (className.toLowerCase().indexOf(needle) !== -1) {
                       console.log(className);
                   }
               },
               onComplete: function () {}
           });
       });

17. Find Loaded classes with known names

18. Identify Classes being used
   ● How to identify which class contains the method that runs when an event is triggered?
     ○ Enumerate classes before the event.
     ○ Enumerate classes after the event.
     ○ Find the newly loaded classes.
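The before/after approach of this slide, carried out in code. This is an added example and not the speakers' script: `filterClasses()` and `newlyLoaded()` are plain JavaScript (they also run under Node, which is how they are checked here), and `snapshot()`, `findClasses()` and `diffClasses()` are the Frida glue to call from the REPL. `Java.enumerateLoadedClassesSync()` is the synchronous form of the callback API shown on slide 14 and `Java.performNow()` runs its callback synchronously on a VM-attached thread; the class names in the sample snapshots are constructed (`com.example.bank...`), not taken from InsecureBankv2.

```javascript
// Added example (not from the deck): filter loaded classes by a name fragment and
// diff two class snapshots to find what the app loaded while an event happened.

// Case-insensitive substring match. indexOf() !== -1 instead of "> 0" also catches
// a fragment that sits at the very start of the class name.
function filterClasses(classNames, fragment) {
  const needle = fragment.toLowerCase();
  return classNames.filter((name) => name.toLowerCase().indexOf(needle) !== -1);
}

// Classes present in `after` but absent from `before`, in load order.
function newlyLoaded(before, after) {
  const seen = new Set(before);
  return after.filter((name) => !seen.has(name));
}

// Constructed sample snapshots (stand-ins for Java.enumerateLoadedClassesSync()
// output before and after tapping "Login"); the names are made up.
const SNAPSHOT_BEFORE = [
  'java.lang.String',
  'android.app.Activity',
  'com.example.bank.LoginActivity',
];
const SNAPSHOT_AFTER = SNAPSHOT_BEFORE.concat([
  'com.example.bank.DoLogin',
  'com.example.bank.net.HttpClient',
  'javax.crypto.Cipher',
]);

// Frida glue: only meaningful inside a Frida session (frida -U -f <pkg> -l thisfile.js).
// The REPL evaluates input in the loaded script's scope, so from the prompt:
//   var b = snapshot();   <trigger the event in the app>   diffClasses(b)
function snapshot() {
  let names = [];
  // performNow attaches this thread to the VM and runs the callback synchronously.
  Java.performNow(function () { names = Java.enumerateLoadedClassesSync(); });
  return names;
}

function findClasses(fragment) { return filterClasses(snapshot(), fragment); }

function diffClasses(before) { return newlyLoaded(before, snapshot()); }
```

Take the first snapshot with the app idle on the screen you are interested in, trigger exactly one action (one tap), then diff; the shorter the window, the shorter and more relevant the list of new classes.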
19. Hooking Functions
       Java.perform(function () {
           var varName = Java.use("<className>");
           varName.funName.implementation = function () {
               console.log("Function Called");
               // Call the original so the app keeps working (for overloaded methods see slide 24)
               return this.funName.apply(this, arguments);
           };
       });

20. Identify Functions being called
   ● How to identify which method is being invoked?
   Newbie's way:
   ➢ Hook suspicious methods one at a time and add console.log()

21. Identify Functions being called
   If you are hooking all suspicious functions one by one...

22. Identify Functions being called
   ● How to identify which method is being invoked?
   Professional's way:
   ➢ Hook all methods of a class and
     ○ Log whenever it is called
     ○ Log all arguments
     ○ Log the return value

23. Identify Functions being called
   ● Script be like...
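The deck's own script for this slide is a screenshot that did not survive extraction, so here is an added example of the "professional's way"; it is not the speakers' script. `installHooks()` hooks every overload of the named methods on a class wrapper and logs arguments and return value; it relies only on the shape of Frida's Java class wrapper (`klass[name].overloads[]`, `overload.argumentTypes[].className`, a settable `overload.implementation`, and the fact that calling the wrapper from JavaScript invokes the original method). `traceClass()` is the Frida glue that discovers the method names through `klass.class.getDeclaredMethods()`. `fakeClassWrapper()` is a constructed stand-in with that same shape so the installer can be exercised offline, which is how it is checked here, and `com.example.bank.DoLogin` is a placeholder class name to replace with one found by enumeration.

```javascript
// Added example (not the deck's script): trace every method of one Java class.

// Install a logging hook on every overload of each named method of a class wrapper.
function installHooks(klass, methodNames, log) {
  let installed = 0;
  for (const name of methodNames) {
    const method = klass[name];
    if (method === undefined || method.overloads === undefined) continue; // a field, not a method
    for (const overload of method.overloads) {
      const sig = overload.argumentTypes.map((t) => t.className).join(', ');
      overload.implementation = function (...args) {
        // Always run the original: a hook that drops the call changes app behaviour.
        const retval = overload.apply(this, args);
        log(`${name}(${sig}) args=${JSON.stringify(args.map(String))} -> ${String(retval)}`);
        return retval;
      };
      installed += 1;
    }
  }
  return installed;
}

// Frida glue: find the declared method names via Java reflection, then hook them all.
function traceClass(className) {
  const klass = Java.use(className);
  const declared = klass.class.getDeclaredMethods();
  const names = new Set();
  for (let i = 0; i < declared.length; i++) names.add(declared[i].getName());
  const n = installHooks(klass, Array.from(names), console.log);
  console.log(`[+] hooked ${n} overload(s) in ${className}`);
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    traceClass('com.example.bank.DoLogin'); // placeholder: use a class you found by enumeration
  });
}

// Constructed stand-in with the same shape as a Frida class wrapper, so the
// installer can run without a device: one method "add" with a single (int, int)
// overload whose original returns the sum, plus one field that must be skipped.
function fakeClassWrapper() {
  const original = function (a, b) { return a + b; };
  original.argumentTypes = [{ className: 'int' }, { className: 'int' }];
  original.implementation = null;
  return { add: { overloads: [original] }, counter: { value: 0 } };
}

// Offline run: install hooks on the stand-in and simulate Java calling add(2, 3).
function demo() {
  const lines = [];
  const klass = fakeClassWrapper();
  const hooks = installHooks(klass, ['add', 'counter', 'missing'], (l) => lines.push(l));
  const result = klass.add.overloads[0].implementation.call({}, 2, 3);
  return { hooks, result, lines };
}
```

On a real target, prefer tracing one class at a time: hooking a busy class such as a base Activity floods the console and slows the app noticeably.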
24. Hooking Overloaded Functions
       Java.perform(function () {
           var varName = Java.use("<class path>");
           // <args_type>: the Java type names of the overload, e.g. 'java.lang.String', 'int', '[B'
           varName.funName.overload(<args_type>).implementation = function () {
               // Your implementation. The real arguments arrive one parameter each (see `arguments`),
               // not as a single array.
               return this.funName.overload(<args_type>).apply(this, arguments);
           };
       });

25. Implement custom function
   Further we will see...
   ● Dive deep into creating custom logic.
   ● How to overwrite the original function.
   ● How to create variables (instances) of desired classes.
   ● How to use such variables to get information from the hooked function.
   ● etc, etc, etc...

26. Using --no-pause
   Command: frida -U -f <Package> --no-pause
   ● Spawns the application and immediately starts its execution
   ● Loads the script alongside it
   ● What if the function mentioned in the script executes before the script is loaded? (In the interactive shell you type the hook only after the app is already running.)

27. Without --no-pause
   Command: frida -U -f <Package> -l <script>
   ● Creates a process for the application.
   ● Holds the execution at the application's first frame (the process is spawned but suspended).
   ● We can load the script by pasting it into the terminal now.
   ● Use “%resume” to continue the execution.
   Note: the default flipped in Frida 16 / frida-tools 12: a spawned app now resumes automatically, “--no-pause” no longer exists, and “--pause” gives the suspended behaviour described here.

28. Analyzing hooked function
       Java.perform(function () {
           var varName = Java.use("<class path>");
           varName.funName.overload(<args_type>).implementation = function () {
               console.log("Function called");
               console.log("Arguments are: " + Array.from(arguments).join(", "));
               return this.funName.overload(<args_type>).apply(this, arguments);
           };
       });

29. Show Time...
   ● DEMO...
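An added example, not part of the deck, that puts slides 24, 25 and 28 together: picking one overload by its Java type names, reading information off the hooked instance through `this`, replacing a return value, and creating a Java object with `$new`. `javax.crypto.Cipher`, `java.lang.String` and the methods called on them are real Android APIs; `com.example.bank.RootCheck.isRooted` is a placeholder class assumed for illustration, so the script catches the lookup failure instead of aborting. The two helpers are plain JavaScript: Frida hands a Java `byte[]` to the hook as an array of signed values (-128..127), which is why both mask with `& 0xff`. The sample bytes are constructed.

```javascript
// Added example (not from the deck): one specific overload, a custom return value,
// and Java objects created from inside the hook.

// Java byte[] arrives as signed ints; mask to 0..255 before formatting.
function bytesToHex(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += ((bytes[i] & 0xff) + 0x100).toString(16).slice(1);
  }
  return out;
}

// The same bytes rendered as text, with non-printable bytes shown as '.'.
function printable(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i] & 0xff;
    out += (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : '.';
  }
  return out;
}

// Constructed sample: what a hook might see as Cipher.doFinal() input ("Hi!" followed
// by three bytes outside the printable range, one of them negative as Frida reports it).
const SAMPLE_BYTES = [72, 105, 33, -1, 0, 127];

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // 1. Pick the overload explicitly: doFinal has several, '[B' is the one taking byte[].
    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher.doFinal.overload('[B').implementation = function (input) {
      const output = this.doFinal.overload('[B').call(this, input);
      // 2. `this` is the Cipher instance; ask it what it is doing.
      const algo = this.getAlgorithm();
      console.log(`[Cipher ${algo}] in  ${bytesToHex(input)}  "${printable(input)}"`);
      console.log(`[Cipher ${algo}] out ${bytesToHex(output)}  "${printable(output)}"`);
      return output;
    };

    // 3. Overwrite a result: run the original for the log, but return our own value.
    //    com.example.bank.RootCheck is a placeholder; replace it with the real class.
    try {
      const RootCheck = Java.use('com.example.bank.RootCheck');
      RootCheck.isRooted.overload().implementation = function () {
        const real = this.isRooted();
        console.log(`[RootCheck] isRooted() was ${real}, returning false`);
        return false;
      };
    } catch (e) {
      console.log('[RootCheck] placeholder class not found, skipping: ' + e.message);
    }

    // 4. Create an instance of a desired class with $new and use it like any Java object.
    const JString = Java.use('java.lang.String');
    const s = JString.$new('frida');
    console.log(`[+] built ${s.getClass().getName()} of length ${s.length()}`);
  });
}
```

Hooking `doFinal` this way shows plaintext and ciphertext of every `Cipher` use in the app regardless of which class calls it, which is often faster than locating the app's own crypto wrapper first.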
