NSConclave, profile picture
Uploaded byNSConclave
998 views

Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde

This document provides a comprehensive guide on using Frida for runtime debugging on Android, including installation steps, commands for starting and utilizing Frida for various tasks, and instructions for setting up a vulnerable environment. It also discusses methods for identifying and hooking functions within applications, with examples of scripts and code for effective usage. Additionally, it includes links to resources such as documentation and example applications to facilitate learning and application of the techniques described.

Embed presentation

Frida Runtime Debugging By: Bhargav Gajera, Vitthal Shinde
Installation Android: Download Link: https://github.com/frida/frida/releases Push it in Android Path : “/data/local/tmp/” System: Command: pip install frida-tools Refer : https://pypi.org/project/frida/
Installation Easy Way: Command: frida-push ● pip install frida-push ● It will identify your device’s architecture from adb ● Download the appropriate server ● Install it ● Run it
Start using Frida Android ADB: Command: /data/local/tmp/frida-server & Base System: Command: frida -U -f “<PackageName>” --no-pause
Start using Frida Want to attach Quickly on whatever is running on screen ? Base System: Command: frida -U -F
Codeshare What is it ? Ans: Repo for universal method hooks & bypass URL: https://codeshare.frida.re/browse How do I use it ? Command: frida -U -f “<PackageName>” --codeshare <URI> --no-pause
Docs All the documentation is listed under: ● URL: https://frida.re/docs/home/ Javascript API docs are available under: ● URL: https://frida.re/docs/javascript-api/
Frida and Scripts 1. Interactive way ➢ Write scripts inside terminal. 2. Attach scripts ➢ Write scripts in file and pass it as argument. 3. Python ➢ Create python file to do the same
Frida Interactive Command: frida -U -f “<PackageName>” --no-pause ➢ An interactive shell will spawn ➢ Write your code in shell
Frida with JS File Command: frida -U -f “<PackageName>” -l “<JSFile>” --no-pause ➢ Write your javascript code in a file. ➢ Use “-l” option to provide file in argument. ➢ Code will execute side by side of the application execution.
Frida with Python File Command: python <PythonFile>.py ➢ Import frida in python code. ➢ Use inbuilt frida functions to: ○ Get USB device ○ Spawn targeted application ○ Attach to it’s PID ○ Create script ○ Load the script ○ Resume the application execution
Setup Vulnerable Environment ● App : InsecureBankv2 ○ Link: https://github.com/dineshshetty/Android-InsecureBankv2 ● Server : Inside Directory “AndroLabServer” ○ Install pip requirements ○ # python app.py
Setup Vulnerable Environment ● Configure the application ○ Navigate to More -> Preferences ○ Give ip of your base system where app.py is running ● Login Credentials : ○ dinesh/Dinesh@123$ ○ jack/Jack@123$
Find Loaded classes Code : Java.perform(function(){ Java.enumerateLoadedClasses({ "onMatch": function(className){ console.log(className) }, "onComplete":function() {} }) });
Find Loaded classes These many classes ? Really ??
Find Loaded classes with known names Java.perform(function(){ Java.enumerateLoadedClasses({ onMatch:function(className) { if(className.toLowerCase().lastIndexOf("<Identifier>")>0) { console.log(className); } }, onComplete:function() {} }); });
Find Loaded classes with known names
Identify Classes being used ● How to Identify which class contains method when an event is called ? ○ Enumerate classes before event. ○ Enumerate classes after event. ○ Find newly loaded classes
Hooking Functions Java.perform(function(){ var varName = Java.use("<className>"); varName.funName.implementation=function() { console.log(“Function Called”) } })
Identify Functions being called ● How to Identify which method is being invoked ? Newbie's way: ➢ Hook suspicious methods and add console.log()
Identify Functions being called If you are hooking all suspicious functions...
Identify Functions being called ● How to Identify which method is being invoked ? Professional’s way: ➢ Hook all methods of a class and ○ Log whenever it is being called ○ Log all Arguments ○ Log Return value
Identify Functions being called ● Script be Like...
Hooking Overloaded Functions Java.perform(function(){ var varName = Java.use("class path"); varName.funName.overload(<args_type>).implementation=function(args) { // Your implementation. } })
Implement custom function Further we will see… ● Dive deep into creating custom logic. ● How can we overwrite original function. ● How to create variable of desired classes. ● How to use such variables and use it to get information from hooked function. ● etc, etc, etc...
Using --no-pause Command: frida -U -f <Package> --no-pause ● Will immediately spawn and start execution of the application ● Load the script side by side ● What if the function mentioned in script executes before scripts is loaded?
Without --no-pause Command: frida -U -f <Package> -l <script> ● Will create a process of the application. ● Will hold the execution of first frame of the application ● We can load the script by pasting it now in the terminal. ● Use “ %resume ” to continue the execution.
Analyzing hooked function Java.perform(function(){ var varName = Java.use("class path"); varName.funName.overload(<args_type>).implementation=function(args) { console.log(“Function called”); console.log(“Arguments are : ”,args); }}) ;
Show Time... ● DEMO...

More Related Content

PDF
Pwning mobile apps without root or jailbreak
byAbraham Aranguren
 
PPTX
Pentesting Android Apps using Frida (Beginners)
byChandrapal Badshah
 
PDF
継続使用と新規追加したRedmine Plugin
byMei Nakamura
 
PDF
JavaScript for Hackers.pdf
bynafees40
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PDF
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
Pwning mobile apps without root or jailbreak
byAbraham Aranguren
 
Pentesting Android Apps using Frida (Beginners)
byChandrapal Badshah
 
継続使用と新規追加したRedmine Plugin
byMei Nakamura
 
JavaScript for Hackers.pdf
bynafees40
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 

What's hot

PDF
Dockerを使ったローカルでの開発から本番環境へのデプロイまで
byRyo Nakamaru
 
PDF
Open vSwitchソースコードの全体像
bySho Shimizu
 
PDF
Dockerイメージの理解とコンテナのライフサイクル
byMasahito Zembutsu
 
PDF
Js deobfuscation with JStillery - bsides-roma 2018
byMinded Security
 
PPTX
php and sapi and zendengine2 and...
bydo_aki
 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
 
PDF
Firmware Extraction & Fuzzing - Jatan Raval
byNSConclave
 
PDF
規格書で読むC++11のスレッド
byKohsuke Yuasa
 
PPTX
Intro to Pentesting Jenkins
byBrian Hysell
 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PDF
DNS hijacking using cloud providers – No verification needed
byFrans Rosén
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PDF
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PPTX
XSS - Do you know EVERYTHING?
byYurii Bilyk
 
Dockerを使ったローカルでの開発から本番環境へのデプロイまで
byRyo Nakamaru
 
Open vSwitchソースコードの全体像
bySho Shimizu
 
Dockerイメージの理解とコンテナのライフサイクル
byMasahito Zembutsu
 
Js deobfuscation with JStillery - bsides-roma 2018
byMinded Security
 
php and sapi and zendengine2 and...
bydo_aki
 
What should a hacker know about WebDav?
byMikhail Egorov
 
Firmware Extraction & Fuzzing - Jatan Raval
byNSConclave
 
規格書で読むC++11のスレッド
byKohsuke Yuasa
 
Intro to Pentesting Jenkins
byBrian Hysell
 
Securing AEM webapps by hacking them
byMikhail Egorov
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
DNS hijacking using cloud providers – No verification needed
byFrans Rosén
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Attacking thru HTTP Host header
bySergey Belov
 
Waf bypassing Techniques
byAvinash Thapa
 
XSS - Do you know EVERYTHING?
byYurii Bilyk
 

Similar to Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde

PDF
FRIDA 101 Android
byTony Thomas
 
PDF
Introduction to Frida
byAbhishekJaiswal270
 
PDF
DBI-Assisted Android Application Reverse Engineering
bySahil Dhar
 
PDF
MOBILE PENTESTING Frida.pdf
byAdityamd4
 
PDF
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
byNowSecure
 
PDF
The Hookshot: Runtime Exploitation
byPrathan Phongthiproek
 
PDF
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
byHafez Kamal
 
PDF
Hacking with frida
byn|u - The Open Security Community
 
PPTX
Bypass Security Checking with Frida
bySatria Ady Pradana
 
PDF
Improving DroidBox
byKelwin Yang
 
PDF
Webinar–Mobile Application Hardening Protecting Business Critical Apps
bySynopsys Software Integrity Group
 
PDF
Android application security testing
byMykhailo Antonishyn
 
PPTX
Bypass Security Checking with Frida
bySatria Ady Pradana
 
PDF
Malware Analysis
byMichaelRodriguesdosS1
 
PDF
DIFFDroid_Anto_Joseph_HIP_2016
byAnthony Jose
 
PPTX
Hooking101 - Deeper on iOS Island
byAckcent
 
PDF
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
PDF
BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed
byBSidesROC
 
PPTX
Advanced malware analysis training session5 reversing automation
byCysinfo Cyber Security Community
 
PDF
Python debuggers slides
bymattboehm
 
FRIDA 101 Android
byTony Thomas
 
Introduction to Frida
byAbhishekJaiswal270
 
DBI-Assisted Android Application Reverse Engineering
bySahil Dhar
 
MOBILE PENTESTING Frida.pdf
byAdityamd4
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
byNowSecure
 
The Hookshot: Runtime Exploitation
byPrathan Phongthiproek
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
byHafez Kamal
 
Hacking with frida
byn|u - The Open Security Community
 
Bypass Security Checking with Frida
bySatria Ady Pradana
 
Improving DroidBox
byKelwin Yang
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
bySynopsys Software Integrity Group
 
Android application security testing
byMykhailo Antonishyn
 
Bypass Security Checking with Frida
bySatria Ady Pradana
 
Malware Analysis
byMichaelRodriguesdosS1
 
DIFFDroid_Anto_Joseph_HIP_2016
byAnthony Jose
 
Hooking101 - Deeper on iOS Island
byAckcent
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
byRomansh Yadav
 
BSidesROC 2016 - Jaime Geiger - Android Application Function Hooking With Xposed
byBSidesROC
 
Advanced malware analysis training session5 reversing automation
byCysinfo Cyber Security Community
 
Python debuggers slides
bymattboehm
 

More from NSConclave

PPTX
Burp Suite Extension Development
byNSConclave
 
PDF
LDAP Injection
byNSConclave
 
PPTX
Debugging Android Native Library
byNSConclave
 
PDF
Thick Client Testing Basics
byNSConclave
 
PPTX
IOT SECURITY ASSESSMENT Pentester's Approach
byNSConclave
 
PDF
Thick Client Testing Advanced
byNSConclave
 
PDF
RIA Cross Domain Policy
byNSConclave
 
PDF
OSINT: Open Source Intelligence - Rohan Braganza
byNSConclave
 
PDF
Regular Expression Injection
byNSConclave
 
PPTX
Create a Custom Plugin in Burp Suite using the Extension
byNSConclave
 
PDF
Python Deserialization Attacks
byNSConclave
 
PDF
HTML5 Messaging (Post Message)
byNSConclave
 
PDF
NoSql Injection
byNSConclave
 
PDF
Node.js Deserialization
byNSConclave
 
PDF
Docker 101
byNSConclave
 
PDF
RED-TEAM_Conclave
byNSConclave
 
PDF
Log Analysis
byNSConclave
 
PDF
Markdown
byNSConclave
 
PDF
Sandboxing
byNSConclave
 
PDF
Security Architecture Consulting - Hiren Shah
byNSConclave
 
Burp Suite Extension Development
byNSConclave
 
LDAP Injection
byNSConclave
 
Debugging Android Native Library
byNSConclave
 
Thick Client Testing Basics
byNSConclave
 
IOT SECURITY ASSESSMENT Pentester's Approach
byNSConclave
 
Thick Client Testing Advanced
byNSConclave
 
RIA Cross Domain Policy
byNSConclave
 
OSINT: Open Source Intelligence - Rohan Braganza
byNSConclave
 
Regular Expression Injection
byNSConclave
 
Create a Custom Plugin in Burp Suite using the Extension
byNSConclave
 
Python Deserialization Attacks
byNSConclave
 
HTML5 Messaging (Post Message)
byNSConclave
 
NoSql Injection
byNSConclave
 
Node.js Deserialization
byNSConclave
 
Docker 101
byNSConclave
 
RED-TEAM_Conclave
byNSConclave
 
Log Analysis
byNSConclave
 
Markdown
byNSConclave
 
Sandboxing
byNSConclave
 
Security Architecture Consulting - Hiren Shah
byNSConclave
 

Recently uploaded

PDF
December Patch Tuesday
byIvanti
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
The year in review - MarvelClient in 2025
bypanagenda
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
API-First Architecture in Financial Systems
bycyy111112
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 

Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde

  • 1.
  • 2.
    Installation Android: Download Link: https://github.com/frida/frida/releases Pushit in Android Path : “/data/local/tmp/” System: Command: pip install frida-tools Refer : https://pypi.org/project/frida/
  • 3.
    Installation Easy Way: Command: frida-push ●pip install frida-push ● It will identify your device’s architecture from adb ● Download the appropriate server ● Install it ● Run it
  • 4.
    Start using Frida AndroidADB: Command: /data/local/tmp/frida-server & Base System: Command: frida -U -f “<PackageName>” --no-pause
  • 5.
    Start using Frida Wantto attach Quickly on whatever is running on screen ? Base System: Command: frida -U -F
  • 6.
    Codeshare What is it? Ans: Repo for universal method hooks & bypass URL: https://codeshare.frida.re/browse How do I use it ? Command: frida -U -f “<PackageName>” --codeshare <URI> --no-pause
  • 7.
    Docs All the documentationis listed under: ● URL: https://frida.re/docs/home/ Javascript API docs are available under: ● URL: https://frida.re/docs/javascript-api/
  • 8.
    Frida and Scripts 1.Interactive way ➢ Write scripts inside terminal. 2. Attach scripts ➢ Write scripts in file and pass it as argument. 3. Python ➢ Create python file to do the same
  • 9.
    Frida Interactive Command: frida-U -f “<PackageName>” --no-pause ➢ An interactive shell will spawn ➢ Write your code in shell
  • 10.
    Frida with JSFile Command: frida -U -f “<PackageName>” -l “<JSFile>” --no-pause ➢ Write your javascript code in a file. ➢ Use “-l” option to provide file in argument. ➢ Code will execute side by side of the application execution.
  • 11.
    Frida with PythonFile Command: python <PythonFile>.py ➢ Import frida in python code. ➢ Use inbuilt frida functions to: ○ Get USB device ○ Spawn targeted application ○ Attach to it’s PID ○ Create script ○ Load the script ○ Resume the application execution
  • 12.
    Setup Vulnerable Environment ●App : InsecureBankv2 ○ Link: https://github.com/dineshshetty/Android-InsecureBankv2 ● Server : Inside Directory “AndroLabServer” ○ Install pip requirements ○ # python app.py
  • 13.
    Setup Vulnerable Environment ●Configure the application ○ Navigate to More -> Preferences ○ Give ip of your base system where app.py is running ● Login Credentials : ○ dinesh/Dinesh@123$ ○ jack/Jack@123$
  • 14.
    Find Loaded classes Code: Java.perform(function(){ Java.enumerateLoadedClasses({ "onMatch": function(className){ console.log(className) }, "onComplete":function() {} }) });
  • 15.
    Find Loaded classes Thesemany classes ? Really ??
  • 16.
    Find Loaded classeswith known names Java.perform(function(){ Java.enumerateLoadedClasses({ onMatch:function(className) { if(className.toLowerCase().lastIndexOf("<Identifier>")>0) { console.log(className); } }, onComplete:function() {} }); });
  • 17.
    Find Loaded classeswith known names
  • 18.
    Identify Classes beingused ● How to Identify which class contains method when an event is called ? ○ Enumerate classes before event. ○ Enumerate classes after event. ○ Find newly loaded classes
  • 19.
    Hooking Functions Java.perform(function(){ var varName= Java.use("<className>"); varName.funName.implementation=function() { console.log(“Function Called”) } })
  • 20.
    Identify Functions beingcalled ● How to Identify which method is being invoked ? Newbie's way: ➢ Hook suspicious methods and add console.log()
  • 21.
    Identify Functions beingcalled If you are hooking all suspicious functions...
  • 22.
    Identify Functions beingcalled ● How to Identify which method is being invoked ? Professional’s way: ➢ Hook all methods of a class and ○ Log whenever it is being called ○ Log all Arguments ○ Log Return value
  • 23.
    Identify Functions beingcalled ● Script be Like...
  • 24.
    Hooking Overloaded Functions Java.perform(function(){ varvarName = Java.use("class path"); varName.funName.overload(<args_type>).implementation=function(args) { // Your implementation. } })
  • 25.
    Implement custom function Furtherwe will see… ● Dive deep into creating custom logic. ● How can we overwrite original function. ● How to create variable of desired classes. ● How to use such variables and use it to get information from hooked function. ● etc, etc, etc...
  • 26.
    Using --no-pause Command: frida-U -f <Package> --no-pause ● Will immediately spawn and start execution of the application ● Load the script side by side ● What if the function mentioned in script executes before scripts is loaded?
  • 27.
    Without --no-pause Command: frida-U -f <Package> -l <script> ● Will create a process of the application. ● Will hold the execution of first frame of the application ● We can load the script by pasting it now in the terminal. ● Use “ %resume ” to continue the execution.
  • 28.
    Analyzing hooked function Java.perform(function(){ varvarName = Java.use("class path"); varName.funName.overload(<args_type>).implementation=function(args) { console.log(“Function called”); console.log(“Arguments are : ”,args); }}) ;
  • 29.