📲
Android Reversing with Frida for Examiners...
📲
Android Reversing with Frida for Examiners...
Authors:
M. Williamson
C. Atha
Android Reversing for Examiners
Setting Up
Prerequisites
Our Target: Private Photo Vault
Lab
[1] Lab setup and initial app exploration
[2] Perform static analysis to locate some functions of interest
[3] Deploy method hooks using frida REPL
[4a] Moar Static Analysis
[4b] Cast a wide net with DBI
[4c] PIN bruteforce
Bonus Labs
Ready for more?
Frida-tools Reference
Installation & Common Flags
frida
frida-ps
frida-trace
Other Processes Reference
Extracting an APK specimen from the device
Troubleshooting frida connectivity
What's Next
Recommended Toolkits and Scripts
Additional Resources / Questions
Contact Us
Powered by GitBook

frida

Launching the REPL is accomplished from the commandline. Once frida has been installed, you can verify whether or not it is functioning by typing frida with no arguments.

Spawning vs. attaching

Frida has the ability to either spawn a new process (using the specified app identifier) or attach to one that's already running. Which one you choose will be dependent on the app you are reversing and what particular task you are pursuing.

Spawning
Attaching
Spawning

To spawn a new process, we use the CLI argument -f <app id>, for example: frida -f com.app.name

When spawning a new process, frida immediately will pause execution of the app. The intent here is to give you a chance to apply method hooks before anything happens in the application. You can type %resume to continue execution, but be warned that apps will generally force close if execution halts for more than a few seconds.

You can turn off the pausing behaviour using the --no-pause CLI flag.

Attaching

To attach to an existing app, you can either:

  • Attach to an app using its pid. To find this, use frida-ps.

  • Attach to an app using its application identifier. To find this, use frida-ps.

  • Attach to the frontmost (focused) application, with CLI flag -F

​

Loading a script locally

If you have a .js file which you would like to inject, such as the raptor tracing or enum scripts, the way to do this regardless of which platform you are on is by appending the CLI argument -l <script name>

Recommended Scripts

For almost every app, I recommend creating a "base script" that works for you. For me, I generally start with the Raptor tracing scripts. (See: https://github.com/0xdea/frida-scripts )

Frida-tools Reference - Previous
Installation & Common Flags
Next - Frida-tools Reference
frida-ps
Last updated 1 year ago
Contents
Spawning vs. attaching
Loading a script locally
Recommended Scripts