Aide-mémoire Frida
Vue d’ensemble
Frida est une boîte à outils d’instrumentation dynamique pour les développeurs, les ingénieurs en rétro-ingénierie et les chercheurs en sécurité. Il permet d’injecter JavaScript ou votre propre bibliothèque dans des applications natives sur Windows, macOS, GNU/Linux, iOS, Android et QNX. Frida offre des capacités puissantes pour la manipulation à l’exécution, le hooking d’API et l’analyse dynamique d’applications.
⚠️ Avertissement : Utilisez Frida uniquement sur des applications dont vous êtes propriétaire ou pour lesquelles vous avez une autorisation explicite de test. Une utilisation non autorisée peut violer les conditions de service ou les lois locales.
Installation
Installation du package Python
# Install Frida via pip (recommended)
pip install frida-tools
# Install specific version
pip install frida-tools==12.11.18
# Upgrade to latest version
pip install --upgrade frida-toolsInstallation spécifique à la plateforme
Linux
# Ubuntu/Debian
sudo apt update
sudo apt install python3-pip
pip3 install frida-tools
# Arch Linux
sudo pacman -S python-pip
pip install frida-tools
# CentOS/RHEL
sudo yum install python3-pip
pip3 install frida-toolsmacOS
# Using Homebrew
brew install python3
pip3 install frida-tools
# Using MacPorts
sudo port install python39 +universal
pip3 install frida-toolsWindows
# Using Python installer
python -m pip install frida-tools
# Using Chocolatey
choco install python3
pip install frida-toolsConfiguration des appareils mobiles
Android
# Download Frida server for Android
wget https://github.com/frida/frida/releases/download/16.0.8/frida-server-16.0.8-android-arm64.xz
unxz frida-server-16.0.8-android-arm64.xz
# Push to device and set permissions
adb push frida-server-16.0.8-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
# Run Frida server on device
adb shell su -c "/data/local/tmp/frida-server &"iOS
# Install via Cydia (jailbroken devices)
# Add Frida repository: https://build.frida.re
# Or install via SSH
ssh root@<device-ip>
apt update
apt install re.frida.serverUtilisation de base
Découverte de processus
# List running processes
frida-ps
# List processes on USB device
frida-ps -U
# List processes on remote device
frida-ps -H <host>:<port>
# List applications (Android/iOS)
frida-ps -Uai
# List installed applications
frida-ps -UaHooking de base
# Attach to running process by name
frida -n "target_app" -l script.js
# Attach to process by PID
frida -p 1234 -l script.js
# Spawn and attach to application
frida -f com.example.app -l script.js --no-pause
# Interactive REPL mode
frida -n "target_app"Exécution de script
# Execute JavaScript file
frida -n "target_app" -l hook_script.js
# Execute inline JavaScript
frida -n "target_app" -e "console.log('Hello from Frida');"
# Execute with USB device
frida -U -f com.example.app -l script.js
# Execute with remote device
frida -H 192.168.1.100:27042 -f com.example.app -l script.jsRéférence des commandes
| Commande | Description |
|---|---|
frida-ps | Lister les processus en cours d’exécution |
frida-ps -U | Lister les processus sur le périphérique USB |
frida-ps -Uai | Lister les applications sur un périphérique USB |
frida -n <name> | Attacher au processus par nom |
frida -p <pid> | Attacher au processus par PID |
frida -f <app> | Spawn et attacher à l’application |
frida -l <script> | Charger le fichier JavaScript |
frida -e <code> | Exécuter du JavaScript en ligne |
frida-trace | Trace des appels de fonction |
frida-discover | Découvrir les fonctions internes |
frida-kill | Tuer les scripts Frida |
Bases de l’API JavaScript
Opérations mémoire
// Read memory
var addr = ptr("0x12345678");
var value = Memory.readU32(addr);
console.log("Value:", value);
// Write memory
Memory.writeU32(addr, 0xdeadbeef);
// Allocate memory
var buffer = Memory.alloc(1024);
Memory.writeUtf8String(buffer, "Hello World");
// Search memory
var pattern = "48 8b 05 ?? ?? ?? ??";
var matches = Memory.scanSync(ptr("0x400000"), 0x1000, pattern);Hooking de fonctions
// Hook function by address
Interceptor.attach(ptr("0x12345678"), \\\\{
onEnter: function(args) \\\\{
console.log("Function called with args:", args[0], args[1]);
this.arg0 = args[0];
\\\\},
onLeave: function(retval) \\\\{
console.log("Function returned:", retval);
retval.replace(ptr("0x1"));
\\\\}
\\\\});
// Hook function by name (with Module)
var targetModule = Process.getModuleByName("libc.so");
var mallocAddr = targetModule.getExportByName("malloc");
Interceptor.attach(mallocAddr, \\\\{
onEnter: function(args) \\\\{
console.log("malloc called with size:", args[0].toInt32());
\\\\}
\\\\});Résolution de modules et de symboles
// List loaded modules
Process.enumerateModules().forEach(function(module) \\\\{
console.log(module.name, module.base, module.size);
\\\\});
// Get module by name
var module = Process.getModuleByName("libssl.so");
console.log("Base address:", module.base);
// Enumerate exports
module.enumerateExports().forEach(function(exp) \\\\{
console.log(exp.name, exp.address);
\\\\});
// Find symbol
var symbol = Module.findExportByName("libc.so", "strcmp");
console.log("strcmp address:", symbol);Utilisation avancée
Hooking d’applications Android
// Hook Android Java methods
Java.perform(function() \\\\{
var MainActivity = Java.use("com.example.MainActivity");
MainActivity.checkLicense.implementation = function() \\\\{
console.log("License check bypassed");
return true;
\\\\};
// Hook constructor
MainActivity.$init.implementation = function() \\\\{
console.log("MainActivity constructor called");
return this.$init();
\\\\};
// Hook with multiple overloads
var String = Java.use("java.lang.String");
String.equals.overload("java.lang.Object").implementation = function(obj) \\\\{
var result = this.equals(obj);
console.log("String.equals called:", this.toString(), "==", obj.toString(), "->", result);
return result;
\\\\};
\\\\});Hooking d’applications iOS
// Hook Objective-C methods
if (ObjC.available) \\\\{
var NSString = ObjC.classes.NSString;
var method = NSString["- isEqualToString:"];
Interceptor.attach(method.implementation, \\\\{
onEnter: function(args) \\\\{
var self = ObjC.Object(args[0]);
var other = ObjC.Object(args[2]);
console.log("NSString isEqualToString:", self.toString(), "==", other.toString());
\\\\}
\\\\});
// Hook class methods
var UIApplication = ObjC.classes.UIApplication;
var sharedApplication = UIApplication["+ sharedApplication"];
Interceptor.attach(sharedApplication.implementation, \\\\{
onLeave: function(retval) \\\\{
console.log("UIApplication sharedApplication called");
\\\\}
\\\\});
\\\\}Contournement du SSL Pinning
// Android SSL pinning bypass
Java.perform(function() \\\\{
// Hook TrustManagerImpl
var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) \\\\{
console.log("SSL verification bypassed for: " + host);
return untrustedChain;
\\\\};
// Hook HttpsURLConnection
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) \\\\{
console.log("Default hostname verifier bypassed");
\\\\};
\\\\});Contournement de la détection de root
// Android root detection bypass
Java.perform(function() \\\\{
// Hook common root detection methods
var RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
RootBeer.isRooted.implementation = function() \\\\{
console.log("Root detection bypassed");
return false;
\\\\};
// Hook file existence checks
var File = Java.use("java.io.File");
File.exists.implementation = function() \\\\{
var path = this.getAbsolutePath();
if (path.indexOf("su") !== -1||path.indexOf("busybox") !== -1) \\\\{
console.log("Blocked file check for:", path);
return false;
\\\\}
return this.exists();
\\\\};
\\\\});Analyse de protocole personnalisé
// Hook network functions
var send = Module.findExportByName("libc.so", "send");
var recv = Module.findExportByName("libc.so", "recv");
Interceptor.attach(send, \\\\{
onEnter: function(args) \\\\{
var sockfd = args[0].toInt32();
var buf = args[1];
var len = args[2].toInt32();
console.log("Send on socket", sockfd, "length", len);
console.log(hexdump(buf, \\\\{ length: len, ansi: true \\\\}));
\\\\}
\\\\});
Interceptor.attach(recv, \\\\{
onLeave: function(retval) \\\\{
if (retval.toInt32() > 0) \\\\{
console.log("Received", retval.toInt32(), "bytes");
console.log(hexdump(this.context.r1, \\\\{ length: retval.toInt32(), ansi: true \\\\}));
\\\\}
\\\\}
\\\\});Outils Frida
frida-trace```bash
Trace all functions in a module
frida-trace -n “target_app” -i “libssl.so!*“
Trace specific functions
frida-trace -n “target_app” -i “malloc” -i “free”
Trace with custom handler
frida-trace -n “target_app” -i “strcmp” —runtime=v8
Trace Java methods (Android)
frida-trace -U -f com.example.app -j ’*!encrypt’
Trace Objective-C methods (iOS)
frida-trace -U -f com.example.app -m ’[ encrypt]’
```bash
# Discover internal functions
frida-discover -n "target_app" -a libssl.so
# Discover with specific patterns
frida-discover -n "target_app" -a libssl.so -s "SSL_*"
# Output to file
frida-discover -n "target_app" -a libssl.so -o discovered_functions.txt
```### frida-ls-devices
```bash
# List available devices
frida-ls-devices
# List with details
frida-ls-devices -l
```## Scripts d'Automatisation
```python
#!/usr/bin/env python3
import frida
import sys
def on_message(message, data):
if message['type'] == 'send':
print(f"[*] \\\\{message['payload']\\\\}")
else:
print(message)
# Connect to device
device = frida.get_usb_device()
# List and analyze multiple apps
apps = ['com.example.app1', 'com.example.app2', 'com.example.app3']
for app_id in apps:
try:
print(f"[+] Analyzing \\\\{app_id\\\\}")
session = device.attach(app_id)
script_code = """
Java.perform(function() \\\\{
console.log("Analyzing: " + Java.use("android.app.Application").currentApplication().getPackageName());
\\\\});
"""
script = session.create_script(script_code)
script.on('message', on_message)
script.load()
input("Press Enter to continue to next app...")
session.detach()
except Exception as e:
print(f"[-] Error with \\\\{app_id\\\\}: \\\\{e\\\\}")
```### Analyse de Processus par Lot
```python
#!/usr/bin/env python3
import frida
import time
ssl_bypass_script = """
Java.perform(function() \\\\{
console.log("[+] Starting SSL bypass");
// Multiple SSL bypass techniques
var techniques = [
function() \\\\{
var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) \\\\{
console.log("[+] SSL verification bypassed for: " + host);
return untrustedChain;
\\\\};
\\\\},
function() \\\\{
var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
var TrustManager = Java.registerClass(\\\\{
name: "com.frida.TrustManager",
implements: [X509TrustManager],
methods: \\\\{
checkClientTrusted: function(chain, authType) \\\\{\\\\},
checkServerTrusted: function(chain, authType) \\\\{\\\\},
getAcceptedIssuers: function() \\\\{ return []; \\\\}
\\\\}
\\\\});
\\\\}
];
techniques.forEach(function(technique, index) \\\\{
try \\\\{
technique();
console.log("[+] SSL bypass technique " + (index + 1) + " applied");
\\\\} catch (e) \\\\{
console.log("[-] SSL bypass technique " + (index + 1) + " failed: " + e);
\\\\}
\\\\});
\\\\});
"""
def test_ssl_bypass(package_name):
try:
device = frida.get_usb_device()
session = device.attach(package_name)
script = session.create_script(ssl_bypass_script)
script.load()
print(f"[+] SSL bypass applied to \\\\{package_name\\\\}")
time.sleep(5)
session.detach()
return True
except Exception as e:
print(f"[-] Failed to apply SSL bypass to \\\\{package_name\\\\}: \\\\{e\\\\}")
return False
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 ssl_bypass.py <package_name>")
sys.exit(1)
test_ssl_bypass(sys.argv[1])
```### Test Automatisé de SSL Pinning
```python
#!/usr/bin/env python3
import frida
import requests
import json
# Frida script to extract API endpoints
api_extraction_script = """
Java.perform(function() \\\\{
var URL = Java.use("java.net.URL");
URL.$init.overload("java.lang.String").implementation = function(url) \\\\{
console.log("[API] URL accessed: " + url);
send(\\\\{"type": "url", "data": url\\\\});
return this.$init(url);
\\\\};
var HttpURLConnection = Java.use("java.net.HttpURLConnection");
HttpURLConnection.setRequestMethod.implementation = function(method) \\\\{
console.log("[API] HTTP Method: " + method);
send(\\\\{"type": "method", "data": method\\\\});
return this.setRequestMethod(method);
\\\\};
\\\\});
"""
def on_message(message, data):
if message['type'] == 'send':
payload = message['payload']
if payload['type'] == 'url':
# Send to Burp Suite for further analysis
burp_data = \\\\{
'url': payload['data'],
'timestamp': time.time()
\\\\}
# Add to Burp Suite scope or send to Collaborator
print(f"[+] New API endpoint discovered: \\\\{payload['data']\\\\}")
# Setup Frida session
device = frida.get_usb_device()
session = device.attach("com.example.app")
script = session.create_script(api_extraction_script)
script.on('message', on_message)
script.load()
input("Press Enter to stop...")
```## Exemples d'Intégration
```python
#!/usr/bin/env python3
import frida
from zapv2 import ZAPv2
# Initialize ZAP
zap = ZAPv2(proxies=\\\\{'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'\\\\})
# Frida script to route traffic through ZAP
proxy_script = """
Java.perform(function() \\\\{
var System = Java.use("java.lang.System");
System.setProperty("http.proxyHost", "127.0.0.1");
System.setProperty("http.proxyPort", "8080");
System.setProperty("https.proxyHost", "127.0.0.1");
System.setProperty("https.proxyPort", "8080");
console.log("[+] Proxy settings configured for ZAP");
\\\\});
"""
def setup_zap_integration(package_name):
device = frida.get_usb_device()
session = device.attach(package_name)
script = session.create_script(proxy_script)
script.load()
print(f"[+] ZAP integration setup for \\\\{package_name\\\\}")
print(f"[+] ZAP Spider: \\\\{zap.spider.scan('http://target-api.com')\\\\}")
return session
# Usage
session = setup_zap_integration("com.example.app")
input("Press Enter to stop...")
session.detach()
```### Intégration avec Burp Suite
```bash
# Check if Frida server is running on device
adb shell ps|grep frida
# Restart Frida server
adb shell su -c "pkill frida-server"
adb shell su -c "/data/local/tmp/frida-server &"
# Check port forwarding
adb forward --list
adb forward tcp:27042 tcp:27042
# Test connection
frida-ps -U
```### Intégration avec OWASP ZAP
```bash
# Android: Ensure proper permissions
adb shell su -c "chmod 755 /data/local/tmp/frida-server"
adb shell su -c "chown root:root /data/local/tmp/frida-server"
# iOS: Check Frida installation
ssh root@<device-ip> "dpkg -l|grep frida"
# Reinstall if necessary
ssh root@<device-ip> "apt remove re.frida.server && apt install re.frida.server"
```## Dépannage
```javascript
// Add comprehensive error handling
try \\\\{
Java.perform(function() \\\\{
// Your code here
\\\\});
\\\\} catch (e) \\\\{
console.log("Error in Java.perform:", e);
console.log("Stack trace:", e.stack);
\\\\}
// Use console.log for debugging
console.log("Debug: Variable value is", someVariable);
// Check if classes exist before using
if (Java.available) \\\\{
try \\\\{
var MyClass = Java.use("com.example.MyClass");
console.log("MyClass found");
\\\\} catch (e) \\\\{
console.log("MyClass not found:", e);
\\\\}
\\\\}
```### Problèmes de Connexion Courants
```javascript
// Cache frequently used classes
var cachedClasses = \\\\{\\\\};
function getClass(className) \\\\{
if (!cachedClasses[className]) \\\\{
cachedClasses[className] = Java.use(className);
\\\\}
return cachedClasses[className];
\\\\}
// Use efficient memory operations
var buffer = Memory.alloc(1024); // Allocate once
// Reuse buffer instead of allocating repeatedly
// Minimize console output in production
var DEBUG = false;
function debugLog(message) \\\\{
if (DEBUG) \\\\{
console.log(message);
\\\\}
\\\\}
```### Problèmes de Permissions
https://frida.re/docs/##
# Débogage de Script
https://github.com/frida/frida##
# Optimisation des Performances
https://frida.re/docs/javascript-api/#
# Ressources
https://codeshare.frida.re/- [Documentation Officielle de Frida](https://learnfrida.info/)https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/frida-tutorial- [Dépôt GitHub de Frida](https://book.hacktricks.xyz/mobile-pentesting/ios-pentesting/ios-hooking-with-frida)