Hoja de Referencia de Frida¶
Descripción General¶
Frida es un kit de herramientas de instrumentación dinámica para desarrolladores, ingenieros inversos e investigadores de seguridad. Permite inyectar JavaScript o su propia biblioteca en aplicaciones nativas en Windows, macOS, GNU/Linux, iOS, Android y QNX. Frida proporciona potentes capacidades para manipulación en tiempo de ejecución, interceptación de API y análisis dinámico de aplicaciones.
⚠️ Advertencia: Utilice Frida solo en aplicaciones que posea o para las que tenga permiso explícito de prueba. El uso no autorizado puede violar los términos de servicio o las leyes locales.
Instalación¶
Instalación del Paquete Python¶
# Install Frida via pip (recommended)
pip install frida-tools
# Install specific version
pip install frida-tools==12.11.18
# Upgrade to latest version
pip install --upgrade frida-tools
Instalación Específica por Plataforma¶
Linux¶
# Ubuntu/Debian
sudo apt update
sudo apt install python3-pip
pip3 install frida-tools
# Arch Linux
sudo pacman -S python-pip
pip install frida-tools
# CentOS/RHEL
sudo yum install python3-pip
pip3 install frida-tools
macOS¶
# Using Homebrew
brew install python3
pip3 install frida-tools
# Using MacPorts
sudo port install python39 +universal
pip3 install frida-tools
Windows¶
# Using Python installer
python -m pip install frida-tools
# Using Chocolatey
choco install python3
pip install frida-tools
Configuración de Dispositivos Móviles¶
Android¶
# Download Frida server for Android
wget https://github.com/frida/frida/releases/download/16.0.8/frida-server-16.0.8-android-arm64.xz
unxz frida-server-16.0.8-android-arm64.xz
# Push to device and set permissions
adb push frida-server-16.0.8-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
# Run Frida server on device
adb shell su -c "/data/local/tmp/frida-server &"
iOS¶
# Install via Cydia (jailbroken devices)
# Add Frida repository: https://build.frida.re
# Or install via SSH
ssh root@<device-ip>
apt update
apt install re.frida.server
Uso Básico¶
Descubrimiento de Procesos¶
# List running processes
frida-ps
# List processes on USB device
frida-ps -U
# List processes on remote device
frida-ps -H <host>:<port>
# List applications (Android/iOS)
frida-ps -Uai
# List installed applications
frida-ps -Ua
Interceptación Básica¶
# Attach to running process by name
frida -n "target_app" -l script.js
# Attach to process by PID
frida -p 1234 -l script.js
# Spawn and attach to application
frida -f com.example.app -l script.js --no-pause
# Interactive REPL mode
frida -n "target_app"
Ejecución de Scripts¶
# Execute JavaScript file
frida -n "target_app" -l hook_script.js
# Execute inline JavaScript
frida -n "target_app" -e "console.log('Hello from Frida');"
# Execute with USB device
frida -U -f com.example.app -l script.js
# Execute with remote device
frida -H 192.168.1.100:27042 -f com.example.app -l script.js
Referencia de Comandos¶
| Comando | Descripción |
|---|---|
frida-ps |
Listar procesos en ejecución |
frida-ps -U |
Listar procesos en dispositivo USB |
frida-ps -Uai |
Listar aplicaciones en dispositivo USB |
frida -n <name> |
Adjuntar al proceso por nombre |
frida -p <pid> |
Adjuntar al proceso por PID |
frida -f <app> |
Spawn and attach to application |
frida -l <script> |
Cargar archivo JavaScript |
frida -e <code> |
Ejecutar JavaScript en línea |
frida-trace |
Trazar llamadas de función |
frida-discover |
Descubre funciones internas |
frida-kill |
Matar scripts de Frida |
Conceptos Básicos de la API de JavaScript¶
Operaciones de Memoria¶
// Read memory
var addr = ptr("0x12345678");
var value = Memory.readU32(addr);
console.log("Value:", value);
// Write memory
Memory.writeU32(addr, 0xdeadbeef);
// Allocate memory
var buffer = Memory.alloc(1024);
Memory.writeUtf8String(buffer, "Hello World");
// Search memory
var pattern = "48 8b 05 ?? ?? ?? ??";
var matches = Memory.scanSync(ptr("0x400000"), 0x1000, pattern);
Interceptación de Funciones¶
// Hook function by address
Interceptor.attach(ptr("0x12345678"), \\\\{
onEnter: function(args) \\\\{
console.log("Function called with args:", args[0], args[1]);
this.arg0 = args[0];
\\\\},
onLeave: function(retval) \\\\{
console.log("Function returned:", retval);
retval.replace(ptr("0x1"));
\\\\}
\\\\});
// Hook function by name (with Module)
var targetModule = Process.getModuleByName("libc.so");
var mallocAddr = targetModule.getExportByName("malloc");
Interceptor.attach(mallocAddr, \\\\{
onEnter: function(args) \\\\{
console.log("malloc called with size:", args[0].toInt32());
\\\\}
\\\\});
Resolución de Módulos y Símbolos¶
// List loaded modules
Process.enumerateModules().forEach(function(module) \\\\{
console.log(module.name, module.base, module.size);
\\\\});
// Get module by name
var module = Process.getModuleByName("libssl.so");
console.log("Base address:", module.base);
// Enumerate exports
module.enumerateExports().forEach(function(exp) \\\\{
console.log(exp.name, exp.address);
\\\\});
// Find symbol
var symbol = Module.findExportByName("libc.so", "strcmp");
console.log("strcmp address:", symbol);
Uso Avanzado¶
Interceptación de Aplicaciones Android¶
// Hook Android Java methods
Java.perform(function() \\\\{
var MainActivity = Java.use("com.example.MainActivity");
MainActivity.checkLicense.implementation = function() \\\\{
console.log("License check bypassed");
return true;
\\\\};
// Hook constructor
MainActivity.$init.implementation = function() \\\\{
console.log("MainActivity constructor called");
return this.$init();
\\\\};
// Hook with multiple overloads
var String = Java.use("java.lang.String");
String.equals.overload("java.lang.Object").implementation = function(obj) \\\\{
var result = this.equals(obj);
console.log("String.equals called:", this.toString(), "==", obj.toString(), "->", result);
return result;
\\\\};
\\\\});
Interceptación de Aplicaciones iOS¶
// Hook Objective-C methods
if (ObjC.available) \\\\{
var NSString = ObjC.classes.NSString;
var method = NSString["- isEqualToString:"];
Interceptor.attach(method.implementation, \\\\{
onEnter: function(args) \\\\{
var self = ObjC.Object(args[0]);
var other = ObjC.Object(args[2]);
console.log("NSString isEqualToString:", self.toString(), "==", other.toString());
\\\\}
\\\\});
// Hook class methods
var UIApplication = ObjC.classes.UIApplication;
var sharedApplication = UIApplication["+ sharedApplication"];
Interceptor.attach(sharedApplication.implementation, \\\\{
onLeave: function(retval) \\\\{
console.log("UIApplication sharedApplication called");
\\\\}
\\\\});
\\\\}
Bypass de SSL Pinning¶
// Android SSL pinning bypass
Java.perform(function() \\\\{
// Hook TrustManagerImpl
var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) \\\\{
console.log("SSL verification bypassed for: " + host);
return untrustedChain;
\\\\};
// Hook HttpsURLConnection
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) \\\\{
console.log("Default hostname verifier bypassed");
\\\\};
\\\\});
Bypass de Detección de Root¶
// Android root detection bypass
Java.perform(function() \\\\{
// Hook common root detection methods
var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
RootBeer.isRooted.implementation = function() \\\\{
console.log("Root detection bypassed");
return false;
\\\\};
// Hook file existence checks
var File = Java.use("java.io.File");
File.exists.implementation = function() \\\\{
var path = this.getAbsolutePath();
if (path.indexOf("su") !== -1||path.indexOf("busybox") !== -1) \\\\{
console.log("Blocked file check for:", path);
return false;
\\\\}
return this.exists();
\\\\};
\\\\});
Análisis de Protocolos Personalizados¶
// Hook network functions
var send = Module.findExportByName("libc.so", "send");
var recv = Module.findExportByName("libc.so", "recv");
Interceptor.attach(send, \\\\{
onEnter: function(args) \\\\{
var sockfd = args[0].toInt32();
var buf = args[1];
var len = args[2].toInt32();
console.log("Send on socket", sockfd, "length", len);
console.log(hexdump(buf, \\\\{ length: len, ansi: true \\\\}));
\\\\}
\\\\});
Interceptor.attach(recv, \\\\{
onLeave: function(retval) \\\\{
if (retval.toInt32() > 0) \\\\{
console.log("Received", retval.toInt32(), "bytes");
console.log(hexdump(this.context.r1, \\\\{ length: retval.toInt32(), ansi: true \\\\}));
\\\\}
\\\\}
\\\\});
Herramientas de Frida¶
frida-trace¶
Would you like me to continue with the remaining sections?```bash
Trace all functions in a module¶
frida-trace -n "target_app" -i "libssl.so!*"
Trace specific functions¶
frida-trace -n "target_app" -i "malloc" -i "free"
Trace with custom handler¶
frida-trace -n "target_app" -i "strcmp" --runtime=v8
Trace Java methods (Android)¶
frida-trace -U -f com.example.app -j '!*encrypt'
Trace Objective-C methods (iOS)¶
frida-trace -U -f com.example.app -m '[ encrypt]'
### frida-discoverbash
Discover internal functions¶
frida-discover -n "target_app" -a libssl.so
Discover with specific patterns¶
frida-discover -n "target_app" -a libssl.so -s "SSL_*"
Output to file¶
frida-discover -n "target_app" -a libssl.so -o discovered_functions.txt
### frida-ls-devicesbash
List available devices¶
frida-ls-devices
List with details¶
frida-ls-devices -l
## Automation Scriptspython
!/usr/bin/env python3¶
import frida import sys
def on_message(message, data): if message['type'] == 'send': print(f"[*] \\{message['payload']\\}") else: print(message)
Connect to device¶
device = frida.get_usb_device()
List and analyze multiple apps¶
apps = ['com.example.app1', 'com.example.app2', 'com.example.app3']
for app_id in apps: try: print(f"[+] Analyzing \\{app_id\\}") session = device.attach(app_id)
script_code = """
Java.perform(function() \\\\{
console.log("Analyzing: " + Java.use("android.app.Application").currentApplication().getPackageName());
\\\\});
"""
script = session.create_script(script_code)
script.on('message', on_message)
script.load()
input("Press Enter to continue to next app...")
session.detach()
except Exception as e:
print(f"[-] Error with \\\\{app_id\\\\}: \\\\{e\\\\}")
### Batch Process Analysispython
!/usr/bin/env python3¶
import frida import time
ssl_bypass_script = """ Java.perform(function() \\{ console.log("[+] Starting SSL bypass");
// Multiple SSL bypass techniques
var techniques = [
function() \\\\{
var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) \\\\{
console.log("[+] SSL verification bypassed for: " + host);
return untrustedChain;
\\\\};
\\\\},
function() \\\\{
var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
var TrustManager = Java.registerClass(\\\\{
name: "com.frida.TrustManager",
implements: [X509TrustManager],
methods: \\\\{
checkClientTrusted: function(chain, authType) \\\\{\\\\},
checkServerTrusted: function(chain, authType) \\\\{\\\\},
getAcceptedIssuers: function() \\\\{ return []; \\\\}
\\\\}
\\\\});
\\\\}
];
techniques.forEach(function(technique, index) \\\\{
try \\\\{
technique();
console.log("[+] SSL bypass technique " + (index + 1) + " applied");
\\\\} catch (e) \\\\{
console.log("[-] SSL bypass technique " + (index + 1) + " failed: " + e);
\\\\}
\\\\});
\\}); """
def test_ssl_bypass(package_name): try: device = frida.get_usb_device() session = device.attach(package_name) script = session.create_script(ssl_bypass_script) script.load()
print(f"[+] SSL bypass applied to \\\\{package_name\\\\}")
time.sleep(5)
session.detach()
return True
except Exception as e:
print(f"[-] Failed to apply SSL bypass to \\\\{package_name\\\\}: \\\\{e\\\\}")
return False
if name == "main":
if len(sys.argv) != 2:
print("Usage: python3 ssl_bypass.py
test_ssl_bypass(sys.argv[1])
### Automated SSL Pinning Testpython
!/usr/bin/env python3¶
import frida import requests import json
Frida script to extract API endpoints¶
api_extraction_script = """ Java.perform(function() \\{ var URL = Java.use("java.net.URL"); URL.\(init.overload("java.lang.String").implementation = function(url) \\\\{ console.log("[API] URL accessed: " + url); send(\\\\{"type": "url", "data": url\\\\}); return this.\)init(url); \\};
var HttpURLConnection = Java.use("java.net.HttpURLConnection");
HttpURLConnection.setRequestMethod.implementation = function(method) \\\\{
console.log("[API] HTTP Method: " + method);
send(\\\\{"type": "method", "data": method\\\\});
return this.setRequestMethod(method);
\\\\};
\\}); """
def on_message(message, data): if message['type'] == 'send': payload = message['payload'] if payload['type'] == 'url': # Send to Burp Suite for further analysis burp_data = \\{ 'url': payload['data'], 'timestamp': time.time() \\} # Add to Burp Suite scope or send to Collaborator print(f"[+] New API endpoint discovered: \\{payload['data']\\}")
Setup Frida session¶
device = frida.get_usb_device() session = device.attach("com.example.app") script = session.create_script(api_extraction_script) script.on('message', on_message) script.load()
input("Press Enter to stop...")
## Integration Examplespython
!/usr/bin/env python3¶
import frida from zapv2 import ZAPv2
Initialize ZAP¶
zap = ZAPv2(proxies=\\{'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'\\})
Frida script to route traffic through ZAP¶
proxy_script = """ Java.perform(function() \\{ var System = Java.use("java.lang.System"); System.setProperty("http.proxyHost", "127.0.0.1"); System.setProperty("http.proxyPort", "8080"); System.setProperty("https.proxyHost", "127.0.0.1"); System.setProperty("https.proxyPort", "8080");
console.log("[+] Proxy settings configured for ZAP");
\\}); """
def setup_zap_integration(package_name): device = frida.get_usb_device() session = device.attach(package_name) script = session.create_script(proxy_script) script.load()
print(f"[+] ZAP integration setup for \\\\{package_name\\\\}")
print(f"[+] ZAP Spider: \\\\{zap.spider.scan('http://target-api.com')\\\\}")
return session
Usage¶
session = setup_zap_integration("com.example.app")
input("Press Enter to stop...")
session.detach()
### Burp Suite Integrationbash
Check if Frida server is running on device¶
adb shell ps|grep frida
Restart Frida server¶
adb shell su -c "pkill frida-server" adb shell su -c "/data/local/tmp/frida-server &"
Check port forwarding¶
adb forward --list adb forward tcp:27042 tcp:27042
Test connection¶
frida-ps -U
### OWASP ZAP Integrationbash
Android: Ensure proper permissions¶
adb shell su -c "chmod 755 /data/local/tmp/frida-server" adb shell su -c "chown root:root /data/local/tmp/frida-server"
iOS: Check Frida installation¶
ssh root@
Reinstall if necessary¶
ssh root@## Troubleshootingjavascript
// Add comprehensive error handling
try \\{
Java.perform(function() \\{
// Your code here
\\});
\\} catch (e) \\{
console.log("Error in Java.perform:", e);
console.log("Stack trace:", e.stack);
\\}
// Use console.log for debugging console.log("Debug: Variable value is", someVariable);
// Check if classes exist before using
if (Java.available) \\{
try \\{
var MyClass = Java.use("com.example.MyClass");
console.log("MyClass found");
\\} catch (e) \\{
console.log("MyClass not found:", e);
\\}
\\}
### Common Connection Issuesjavascript
// Cache frequently used classes
var cachedClasses = \\{\\};
function getClass(className) \\{
if (!cachedClasses[className]) \\{
cachedClasses[className] = Java.use(className);
\\}
return cachedClasses[className];
\\}
// Use efficient memory operations var buffer = Memory.alloc(1024); // Allocate once // Reuse buffer instead of allocating repeatedly
// Minimize console output in production var DEBUG = false; function debugLog(message) \\{ if (DEBUG) \\{ console.log(message); \\} \\} ```### Permission Issues https://frida.re/docs/### Script Debugging https://github.com/frida/frida### Performance Optimization https://frida.re/docs/javascript-api/## Resources https://codeshare.frida.re/- Documentación Oficial de Fridahttps://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/frida-tutorial- Repositorio de GitHub de Frida