Zum Inhalt

Frida Cheat Blatt

generieren

Überblick

Frida ist ein dynamisches Instrumentierungs-Toolkit für Entwickler, Reverse-Engineer und Sicherheitsforscher. Sie können JavaScript oder Ihre eigene Bibliothek in native Apps unter Windows, macOS, GNU/Linux, iOS, Android und QNX injizieren. Frida bietet leistungsstarke Funktionen für die Laufzeitmanipulation, API-Hooking und dynamische Analyse von Anwendungen.

ZEIT Warning: Verwenden Sie nur Frida auf Anwendungen, die Sie besitzen oder haben ausdrückliche Erlaubnis zu testen. Unberechtigte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen.

Installation

Python Paket Installation

```bash

Install Frida via pip (recommended)

pip install frida-tools

Install specific version

pip install frida-tools==12.11.18

Upgrade to latest version

pip install --upgrade frida-tools ```_

Plattformspezifische Installation

Linux

```bash

Ubuntu/Debian

sudo apt update sudo apt install python3-pip pip3 install frida-tools

Arch Linux

sudo pacman -S python-pip pip install frida-tools

CentOS/RHEL

sudo yum install python3-pip pip3 install frida-tools ```_

macOS

```bash

Using Homebrew

brew install python3 pip3 install frida-tools

Using MacPorts

sudo port install python39 +universal pip3 install frida-tools ```_

Windows

```bash

Using Python installer

python -m pip install frida-tools

Using Chocolatey

choco install python3 pip install frida-tools ```_

Mobile Device Setup

Android

```bash

Download Frida server for Android

wget https://github.com/frida/frida/releases/download/16.0.8/frida-server-16.0.8-android-arm64.xz unxz frida-server-16.0.8-android-arm64.xz

Push to device and set permissions

adb push frida-server-16.0.8-android-arm64 /data/local/tmp/frida-server adb shell chmod 755 /data/local/tmp/frida-server

Run Frida server on device

adb shell su -c "/data/local/tmp/frida-server &" ```_

iOS

```bash

Install via Cydia (jailbroken devices)

Add Frida repository: https://build.frida.re

Or install via SSH

ssh root@ apt update apt install re.frida.server ```_

Basisnutzung

Prozessentdeckung

```bash

List running processes

frida-ps

List processes on USB device

frida-ps -U

List processes on remote device

frida-ps -H :

List applications (Android/iOS)

frida-ps -Uai

List installed applications

frida-ps -Ua ```_

Basic Hooking

```bash

Attach to running process by name

frida -n "target_app" -l script.js

Attach to process by PID

frida -p 1234 -l script.js

Spawn and attach to application

frida -f com.example.app -l script.js --no-pause

Interactive REPL mode

frida -n "target_app" ```_

Script Execution

```bash

Execute JavaScript file

frida -n "target_app" -l hook_script.js

Execute inline JavaScript

frida -n "target_app" -e "console.log('Hello from Frida');"

Execute with USB device

frida -U -f com.example.app -l script.js

Execute with remote device

frida -H 192.168.1.100:27042 -f com.example.app -l script.js ```_

Befehlsnummer

Command Description
frida-ps List running processes
frida-ps -U List processes on USB device
frida-ps -Uai List applications on USB device
frida -n <name> Attach to process by name
frida -p <pid> Attach to process by PID
frida -f <app> Spawn and attach to application
frida -l <script> Load JavaScript file
frida -e <code> Execute inline JavaScript
frida-trace Trace function calls
frida-discover Discover internal functions
frida-kill Kill Frida scripts

JavaScript API Grundlagen

Speicherbetrieb

```javascript // Read memory var addr = ptr("0x12345678"); var value = Memory.readU32(addr); console.log("Value:", value);

// Write memory Memory.writeU32(addr, 0xdeadbeef);

// Allocate memory var buffer = Memory.alloc(1024); Memory.writeUtf8String(buffer, "Hello World");

// Search memory var pattern = "48 8b 05 ?? ?? ?? ??"; var matches = Memory.scanSync(ptr("0x400000"), 0x1000, pattern); ```_

Funktion Haken

```javascript // Hook function by address Interceptor.attach(ptr("0x12345678"), \\{ onEnter: function(args) \\{ console.log("Function called with args:", args[0], args[1]); this.arg0 = args[0]; \\}, onLeave: function(retval) \\{ console.log("Function returned:", retval); retval.replace(ptr("0x1")); \\} \\});

// Hook function by name (with Module) var targetModule = Process.getModuleByName("libc.so"); var mallocAddr = targetModule.getExportByName("malloc"); Interceptor.attach(mallocAddr, \\{ onEnter: function(args) \\{ console.log("malloc called with size:", args[0].toInt32()); \\} \\}); ```_

Modul und Symbolauflösung

```javascript // List loaded modules Process.enumerateModules().forEach(function(module) \\{ console.log(module.name, module.base, module.size); \\});

// Get module by name var module = Process.getModuleByName("libssl.so"); console.log("Base address:", module.base);

// Enumerate exports module.enumerateExports().forEach(function(exp) \\{ console.log(exp.name, exp.address); \\});

// Find symbol var symbol = Module.findExportByName("libc.so", "strcmp"); console.log("strcmp address:", symbol); ```_

Erweiterte Nutzung

Android-Anwendung Haken

```javascript // Hook Android Java methods Java.perform(function() \\{ var MainActivity = Java.use("com.example.MainActivity"); MainActivity.checkLicense.implementation = function() \\{ console.log("License check bypassed"); return true; \\};

// Hook constructor
MainActivity.$init.implementation = function() \\\\{
    console.log("MainActivity constructor called");
    return this.$init();
\\\\};

// Hook with multiple overloads
var String = Java.use("java.lang.String");
String.equals.overload("java.lang.Object").implementation = function(obj) \\\\{
    var result = this.equals(obj);
    console.log("String.equals called:", this.toString(), "==", obj.toString(), "->", result);
    return result;
\\\\};

\\}); ```_

iOS Anwendung Haken

```javascript // Hook Objective-C methods if (ObjC.available) \\{ var NSString = ObjC.classes.NSString; var method = NSString["- isEqualToString:"];

Interceptor.attach(method.implementation, \\\\{
    onEnter: function(args) \\\\{
        var self = ObjC.Object(args[0]);
        var other = ObjC.Object(args[2]);
        console.log("NSString isEqualToString:", self.toString(), "==", other.toString());
    \\\\}
\\\\});

// Hook class methods
var UIApplication = ObjC.classes.UIApplication;
var sharedApplication = UIApplication["+ sharedApplication"];

Interceptor.attach(sharedApplication.implementation, \\\\{
    onLeave: function(retval) \\\\{
        console.log("UIApplication sharedApplication called");
    \\\\}
\\\\});

\\} ```_

SSL Pinning Bypass

```javascript // Android SSL pinning bypass Java.perform(function() \\{ // Hook TrustManagerImpl var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl"); TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) \\{ console.log("SSL verification bypassed for: " + host); return untrustedChain; \\};

// Hook HttpsURLConnection
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) \\\\{
    console.log("Default hostname verifier bypassed");
\\\\};

\\}); ```_

Root Detektion Bypass

```javascript // Android root detection bypass Java.perform(function() \\{ // Hook common root detection methods var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer"); RootBeer.isRooted.implementation = function() \\{ console.log("Root detection bypassed"); return false; \\};

// Hook file existence checks
var File = Java.use("java.io.File");
File.exists.implementation = function() \\\\{
    var path = this.getAbsolutePath();
    if (path.indexOf("su") !== -1||path.indexOf("busybox") !== -1) \\\\{
        console.log("Blocked file check for:", path);
        return false;
    \\\\}
    return this.exists();
\\\\};

\\}); ```_

Analyse des Zollprotokolls

```javascript // Hook network functions var send = Module.findExportByName("libc.so", "send"); var recv = Module.findExportByName("libc.so", "recv");

Interceptor.attach(send, \\{ onEnter: function(args) \\{ var sockfd = args[0].toInt32(); var buf = args[1]; var len = args[2].toInt32();

    console.log("Send on socket", sockfd, "length", len);
    console.log(hexdump(buf, \\\\{ length: len, ansi: true \\\\}));
\\\\}

\\});

Interceptor.attach(recv, \\{ onLeave: function(retval) \\{ if (retval.toInt32() > 0) \\{ console.log("Received", retval.toInt32(), "bytes"); console.log(hexdump(this.context.r1, \\{ length: retval.toInt32(), ansi: true \\})); \\} \\} \\}); ```_

Frida Werkzeuge

frida-trace

```bash

Trace all functions in a module

frida-trace -n "target_app" -i "libssl.so!*"

Trace specific functions

frida-trace -n "target_app" -i "malloc" -i "free"

Trace with custom handler

frida-trace -n "target_app" -i "strcmp" --runtime=v8

Trace Java methods (Android)

frida-trace -U -f com.example.app -j '!*encrypt'

Trace Objective-C methods (iOS)

frida-trace -U -f com.example.app -m '[ encrypt]' ```_

frida-discover

```bash

Discover internal functions

frida-discover -n "target_app" -a libssl.so

Discover with specific patterns

frida-discover -n "target_app" -a libssl.so -s "SSL_*"

Output to file

frida-discover -n "target_app" -a libssl.so -o discovered_functions.txt ```_

frida-ls-devices

```bash

List available devices

frida-ls-devices

List with details

frida-ls-devices -l ```_

Automatisierungsskripte

Batch-Prozessanalyse

```python

!/usr/bin/env python3

import frida import sys

def on_message(message, data): if message['type'] == 'send': print(f"[*] \\{message['payload']\\}") else: print(message)

Connect to device

device = frida.get_usb_device()

List and analyze multiple apps

apps = ['com.example.app1', 'com.example.app2', 'com.example.app3']

for app_id in apps: try: print(f"[+] Analyzing \\{app_id\\}") session = device.attach(app_id)

    script_code = """
    Java.perform(function() \\\\{
        console.log("Analyzing: " + Java.use("android.app.Application").currentApplication().getPackageName());
    \\\\});
    """

    script = session.create_script(script_code)
    script.on('message', on_message)
    script.load()

    input("Press Enter to continue to next app...")
    session.detach()

except Exception as e:
    print(f"[-] Error with \\\\{app_id\\\\}: \\\\{e\\\\}")

```_

Automatischer SSL Pinning Test

```python

!/usr/bin/env python3

import frida import time

ssl_bypass_script = """ Java.perform(function() \\{ console.log("[+] Starting SSL bypass");

// Multiple SSL bypass techniques
var techniques = [
    function() \\\\{
        var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
        TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) \\\\{
            console.log("[+] SSL verification bypassed for: " + host);
            return untrustedChain;
        \\\\};
    \\\\},
    function() \\\\{
        var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
        var TrustManager = Java.registerClass(\\\\{
            name: "com.frida.TrustManager",
            implements: [X509TrustManager],
            methods: \\\\{
                checkClientTrusted: function(chain, authType) \\\\{\\\\},
                checkServerTrusted: function(chain, authType) \\\\{\\\\},
                getAcceptedIssuers: function() \\\\{ return []; \\\\}
            \\\\}
        \\\\});
    \\\\}
];

techniques.forEach(function(technique, index) \\\\{
    try \\\\{
        technique();
        console.log("[+] SSL bypass technique " + (index + 1) + " applied");
    \\\\} catch (e) \\\\{
        console.log("[-] SSL bypass technique " + (index + 1) + " failed: " + e);
    \\\\}
\\\\});

\\}); """

def test_ssl_bypass(package_name): try: device = frida.get_usb_device() session = device.attach(package_name) script = session.create_script(ssl_bypass_script) script.load()

    print(f"[+] SSL bypass applied to \\\\{package_name\\\\}")
    time.sleep(5)

    session.detach()
    return True
except Exception as e:
    print(f"[-] Failed to apply SSL bypass to \\\\{package_name\\\\}: \\\\{e\\\\}")
    return False

if name == "main": if len(sys.argv) != 2: print("Usage: python3 ssl_bypass.py ") sys.exit(1)

test_ssl_bypass(sys.argv[1])

```_

Integrationsbeispiele

Integration von Burp Suite

```python

!/usr/bin/env python3

import frida import requests import json

Frida script to extract API endpoints

api_extraction_script = """ Java.perform(function() \\{ var URL = Java.use("java.net.URL"); URL.\(init.overload("java.lang.String").implementation = function(url) \\\\{ console.log("[API] URL accessed: " + url); send(\\\\{"type": "url", "data": url\\\\}); return this.\)init(url); \\};

var HttpURLConnection = Java.use("java.net.HttpURLConnection");
HttpURLConnection.setRequestMethod.implementation = function(method) \\\\{
    console.log("[API] HTTP Method: " + method);
    send(\\\\{"type": "method", "data": method\\\\});
    return this.setRequestMethod(method);
\\\\};

\\}); """

def on_message(message, data): if message['type'] == 'send': payload = message['payload'] if payload['type'] == 'url': # Send to Burp Suite for further analysis burp_data = \\{ 'url': payload['data'], 'timestamp': time.time() \\} # Add to Burp Suite scope or send to Collaborator print(f"[+] New API endpoint discovered: \\{payload['data']\\}")

Setup Frida session

device = frida.get_usb_device() session = device.attach("com.example.app") script = session.create_script(api_extraction_script) script.on('message', on_message) script.load()

input("Press Enter to stop...") ```_

OWASP ZAP Integration

```python

!/usr/bin/env python3

import frida from zapv2 import ZAPv2

Initialize ZAP

zap = ZAPv2(proxies=\\{'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'\\})

Frida script to route traffic through ZAP

proxy_script = """ Java.perform(function() \\{ var System = Java.use("java.lang.System"); System.setProperty("http.proxyHost", "127.0.0.1"); System.setProperty("http.proxyPort", "8080"); System.setProperty("https.proxyHost", "127.0.0.1"); System.setProperty("https.proxyPort", "8080");

console.log("[+] Proxy settings configured for ZAP");

\\}); """

def setup_zap_integration(package_name): device = frida.get_usb_device() session = device.attach(package_name) script = session.create_script(proxy_script) script.load()

print(f"[+] ZAP integration setup for \\\\{package_name\\\\}")
print(f"[+] ZAP Spider: \\\\{zap.spider.scan('http://target-api.com')\\\\}")

return session

Usage

session = setup_zap_integration("com.example.app") input("Press Enter to stop...") session.detach() ```_

Fehlerbehebung

Gemeinsame Verbindungsprobleme

```bash

Check if Frida server is running on device

adb shell ps|grep frida

Restart Frida server

adb shell su -c "pkill frida-server" adb shell su -c "/data/local/tmp/frida-server &"

Check port forwarding

adb forward --list adb forward tcp:27042 tcp:27042

Test connection

frida-ps -U ```_

Genehmigungsfragen

```bash

Android: Ensure proper permissions

adb shell su -c "chmod 755 /data/local/tmp/frida-server" adb shell su -c "chown root:root /data/local/tmp/frida-server"

iOS: Check Frida installation

ssh root@ "dpkg -l|grep frida"

Reinstall if necessary

ssh root@ "apt remove re.frida.server && apt install re.frida.server" ```_

Script Debugging

```javascript // Add comprehensive error handling try \\{ Java.perform(function() \\{ // Your code here \\}); \\} catch (e) \\{ console.log("Error in Java.perform:", e); console.log("Stack trace:", e.stack); \\}

// Use console.log for debugging console.log("Debug: Variable value is", someVariable);

// Check if classes exist before using if (Java.available) \\{ try \\{ var MyClass = Java.use("com.example.MyClass"); console.log("MyClass found"); \\} catch (e) \\{ console.log("MyClass not found:", e); \\} \\} ```_

Leistungsoptimierung

```javascript // Cache frequently used classes var cachedClasses = \\{\\}; function getClass(className) \\{ if (!cachedClasses[className]) \\{ cachedClasses[className] = Java.use(className); \\} return cachedClasses[className]; \\}

// Use efficient memory operations var buffer = Memory.alloc(1024); // Allocate once // Reuse buffer instead of allocating repeatedly

// Minimize console output in production var DEBUG = false; function debugLog(message) \\{ if (DEBUG) \\{ console.log(message); \\} \\} ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Frida für dynamische Instrumentierung und Sicherheitstests. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *