Frida
Runtime Debugging
By: Bhargav Gajera,
Vitthal Shinde
Installation
Android:
Download Link: https://github.com/frida/frida/releases
Push it in Android Path : "/data/local/tmp/"
System:
Command: pip install frida-tools
Refer : https://pypi.org/project/frida/
Installation
Easy Way:
Command: frida-push
ā— pip install frida-push
ā— It will identify your deviceā€™s architecture from adb
ā— Download the appropriate server
ā— Install it
ā— Run it
Start using Frida
Android ADB:
Command: /data/local/tmp/frida-server &
Base System:
Command: frida -U -f "<PackageName>" --no-pause
Start using Frida
Want to quickly attach to whatever is running on screen?
Base System:
Command: frida -U -F
Codeshare
What is it ?
Ans: Repo for universal method hooks & bypass
URL: https://codeshare.frida.re/browse
How do I use it ?
Command: frida -U -f "<PackageName>" --codeshare <URI> --no-pause
Docs
All the documentation is listed under:
● URL: https://frida.re/docs/home/
JavaScript API docs are available under:
● URL: https://frida.re/docs/javascript-api/
Frida and Scripts
1. Interactive way
➢ Write scripts inside the terminal.
2. Attach scripts
➢ Write scripts in a file and pass it as an argument.
3. Python
➢ Create a Python file to do the same.
Frida Interactive
Command: frida -U -f "<PackageName>" --no-pause
➢ An interactive shell will spawn
➢ Write your code in the shell
Frida with JS File
Command: frida -U -f "<PackageName>" -l "<JSFile>" --no-pause
➢ Write your JavaScript code in a file.
➢ Use the "-l" option to pass the file as an argument.
➢ The code will execute side by side with the application.
Frida with Python File
Command: python <PythonFile>.py
➢ Import frida in the Python code.
➢ Use the built-in frida functions to:
○ Get USB device
○ Spawn targeted application
○ Attach to its PID
○ Create script
○ Load the script
○ Resume the application execution
Setup Vulnerable Environment
ā— App : InsecureBankv2
ā—‹ Link: https://github.com/dineshshetty/Android-InsecureBankv2
ā— Server : Inside Directory ā€œAndroLabServerā€
ā—‹ Install pip requirements
ā—‹ # python app.py
Setup Vulnerable Environment
ā— Conļ¬gure the application
ā—‹ Navigate to More -> Preferences
ā—‹ Give ip of your base system where app.py is running
ā— Login Credentials :
ā—‹ dinesh/Dinesh@123$
ā—‹ jack/Jack@123$
Find Loaded classes
Code :
Java.perform(function () {
    // Print the name of every class currently loaded in the app's VM.
    Java.enumerateLoadedClasses({
        onMatch: function (className) {
            console.log(className);
        },
        onComplete: function () {}
    });
});
Find Loaded classes
This many classes? Really??
Find Loaded classes with known names
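Java.perform(function () {
    Java.enumerateLoadedClasses({
        onMatch: function (className) {
            // className is lower-cased first, so write <Identifier> in lower case.
            // indexOf(...) !== -1 also matches a name that starts with the identifier.
            if (className.toLowerCase().indexOf("<Identifier>") !== -1) {
                console.log(className);
            }
        },
        onComplete: function () {}
    });
});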
Find Loaded classes with known names
Identify Classes being used
ā— How to Identify which class contains method when an event
is called ?
ā—‹ Enumerate classes before event.
ā—‹ Enumerate classes after event.
ā—‹ Find newly loaded classes
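The before/after comparison described above, as an added example that is not part of the original slides. The helper names (newlyLoadedClasses, snapshot, showNew) and the sample class names are constructed for illustration; the script assumes a Frida runtime where globalThis is available so the two helpers can be called from the REPL.

```javascript
// Added example: find classes that were loaded between two snapshots.

// Return the names present in `after` but not in `before`, sorted.
// `needle` is an optional case-insensitive substring filter.
function newlyLoadedClasses(before, after, needle) {
  var seen = Object.create(null);
  before.forEach(function (name) { seen[name] = true; });
  var wanted = needle ? needle.toLowerCase() : null;
  var fresh = [];
  after.forEach(function (name) {
    if (seen[name]) return;          // already loaded earlier, or a duplicate
    seen[name] = true;
    if (wanted === null || name.toLowerCase().indexOf(wanted) !== -1) {
      fresh.push(name);
    }
  });
  return fresh.sort();
}

// Constructed sample snapshots (not taken from a real application).
var SAMPLE_BEFORE = ['java.lang.String', 'com.example.bank.LoginActivity'];
var SAMPLE_AFTER = [
  'java.lang.String',
  'com.example.bank.LoginActivity',
  'com.example.bank.TransferActivity',
  'android.widget.Toast',
  'com.example.bank.CryptoHelper'
];

// Inside Frida only: keep a baseline and expose two REPL helpers.
//   snapshot()       before triggering the event in the app
//   showNew('bank')  after the event; prints only the new classes
if (typeof Java !== 'undefined') {
  var baseline = [];
  globalThis.snapshot = function () {
    Java.perform(function () {
      baseline = Java.enumerateLoadedClassesSync();
      console.log('[*] baseline: ' + baseline.length + ' classes');
    });
  };
  globalThis.showNew = function (needle) {
    Java.perform(function () {
      var now = Java.enumerateLoadedClassesSync();
      newlyLoadedClasses(baseline, now, needle).forEach(function (name) {
        console.log('[+] ' + name);
      });
      baseline = now;                // the next call diffs from this point
    });
  };
}
```

Because showNew() resets the baseline, repeating it after each UI action isolates the classes loaded by that action alone.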
Hooking Functions
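Java.perform(function () {
    var varName = Java.use("<className>");
    // Assigning to .implementation replaces the method body:
    // the original code no longer runs unless the hook calls it.
    varName.funName.implementation = function () {
        console.log("Function Called");
    };
});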
Identify Functions being called
ā— How to Identify which method is being invoked ?
Newbie's way:
āž¢ Hook suspicious methods
and add console.log()
Identify Functions being called
If you are hooking all suspicious functions...
Identify Functions being called
ā— How to Identify which method is being invoked ?
Professionalā€™s way:
āž¢ Hook all methods of a class and
ā—‹ Log whenever it is being called
ā—‹ Log all Arguments
ā—‹ Log Return value
Identify Functions being called
ā— Script be Like...
Hooking Overloaded Functions
Java.perform(function () {
    var varName = Java.use("class path");
    // overload() takes the parameter types as strings,
    // e.g. "java.lang.String", "int".
    varName.funName.overload(<args_type>).implementation = function (args) {
        // Your implementation.
    };
});
Implement custom function
Further we will see…
● Dive deep into creating custom logic.
● How we can overwrite the original function.
● How to create variables of the desired classes.
● How to use such variables to get information from the hooked function.
● etc, etc, etc...
Using --no-pause
Command: frida -U -f <Package> --no-pause
ā— Will immediately spawn and start execution of the application
ā— Load the script side by side
ā— What if the function mentioned in script executes before scripts is loaded?
Without --no-pause
Command: frida -U -f <Package> -l <script>
ā— Will create a process of the application.
ā— Will hold the execution of ļ¬rst frame of the application
ā— We can load the script by pasting it now in the terminal.
ā— Use ā€œ %resume ā€ to continue the execution.
Analyzing hooked function
Java.perform(function () {
    var varName = Java.use("class path");
    varName.funName.overload(<args_type>).implementation = function (args) {
        // Replaces the method body: logs the call and its argument,
        // the original code is not invoked.
        console.log("Function called");
        console.log("Arguments are : ", args);
    };
});
Show Time...
ā— DEMO...

Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
