📲
Android Reversing with Frida for Examiners...
📲
Android Reversing with Frida for Examiners...
Authors:
M. Williamson
C. Atha
Android Reversing for Examiners
Setting Up
Prerequisites
Our Target: Private Photo Vault
Lab
[1] Lab setup and initial app exploration
[2] Perform static analysis to locate some functions of interest
[3] Deploy method hooks using frida REPL
[4a] Moar Static Analysis
[4b] Cast a wide net with DBI
[4c] PIN bruteforce
Bonus Labs
Ready for more?
Frida-tools Reference
Installation & Common Flags
frida
frida-ps
frida-trace
Other Processes Reference
Extracting an APK specimen from the device
Troubleshooting frida connectivity
What's Next
Recommended Toolkits and Scripts
Additional Resources / Questions
Contact Us
Powered by GitBook

frida-ps

Frida-ps, included with the standard frida tools suite, is a helpful way of listing running apps on your target device. Out of the box, an iPhone will have hundreds of running processes at first boot. Thankfully, frida-ps provides several command line options to make this process easier.

Remember to utilize the-U flag to tell Frida you want to see apps on the device connected via USB / emulator. If you don't, you'll instead see processes running on your host machine.

Examples:

List running apps (-a)
List all installed apps (-a -i)
List all running processes
List running apps (-a)
C:\>frida-ps -U -a
  PID  Name                      Identifier
-----  ------------------------  ---------------------------------------
 1797  AnalyticsService          org.android_x86.analytics
 1411  Android Keyboard (AOSP)   com.android.inputmethod.latin
 6765  Android Setup             com.google.android.setupwizard
 1285  Android System            android
20054  Blocked Numbers Storage   com.android.providers.blockednumber
20054  Contacts Storage          com.android.providers.contacts
19534  Download Manager          com.android.providers.downloads
 5617  ES File Explorer          com.estrongs.android.pop
 5438  External Storage          com.android.externalstorage
 5399  Files                     com.android.documentsui
 1285  Fused Location            com.android.location.fused
 5102  Gallery                   com.android.gallery3d
 1792  Google App                com.google.android.googlequicksearchbox
15496  Google Partner Setup      com.google.android.partnersetup
 6219  Google Play Store         com.android.vending
 1874  Google Play services      com.google.android.gms
 6274  Google Services Framew…   com.google.android.gsf
20089  MTP Host                  com.android.mtp
19534  Media Storage             com.android.providers.media
 1510  Mobile Data               com.android.phone
 1510  Mobile Network Configur…  com.android.providers.telephony
 5477  Package installer         com.google.android.packageinstaller
 6551  Photo Vault               com.enchantedcloud.photovault
 1832  Quickstep                 com.android.launcher3
 1285  Settings Storage          com.android.providers.settings
 1422  System UI                 com.android.systemui
 3360  Terminal Emulator         com.termoneplus
20054  User Dictionary           com.android.providers.userdictionary
List all installed apps (-a -i)
C:\>frida-ps -U -a -i
  PID  Name                         Identifier
-----  ---------------------------  ----------------------------------------------------
 1797  AnalyticsService             org.android_x86.analytics
 1411  Android Keyboard (AOSP)      com.android.inputmethod.latin
 6765  Android Setup                com.google.android.setupwizard
 1285  Android System               android
20054  Blocked Numbers Storage      com.android.providers.blockednumber
20054  Contacts Storage             com.android.providers.contacts
19534  Download Manager             com.android.providers.downloads
 5617  ES File Explorer             com.estrongs.android.pop
 5438  External Storage             com.android.externalstorage
 5399  Files                        com.android.documentsui
 1285  Fused Location               com.android.location.fused
 5102  Gallery                      com.android.gallery3d
 1792  Google App                   com.google.android.googlequicksearchbox
15496  Google Partner Setup         com.google.android.partnersetup
 6219  Google Play Store            com.android.vending
 1874  Google Play services         com.google.android.gms
 6274  Google Services Framew…      com.google.android.gsf
20089  MTP Host                     com.android.mtp
19534  Media Storage                com.android.providers.media
 1510  Mobile Data                  com.android.phone
 1510  Mobile Network Configur…     com.android.providers.telephony
 5477  Package installer            com.google.android.packageinstaller
 6551  Photo Vault                  com.enchantedcloud.photovault
 1832  Quickstep                    com.android.launcher3
 1285  Settings Storage             com.android.providers.settings
 1422  System UI                    com.android.systemui
 3360  Terminal Emulator            com.termoneplus
20054  User Dictionary              com.android.providers.userdictionary
    -  Android Easter Egg           com.android.egg
    -  Android Services Library     com.google.android.ext.services
    -  Android Setup                com.google.android.apps.restore
    -  Android Shared Library       com.google.android.ext.shared
    -  Android System WebView       com.google.android.webview
    -  Basic Daydreams              com.android.dreams.basic
    -  Bluetooth                    com.android.bluetooth
    -  Bluetooth MIDI Service       com.android.bluetoothmidiservice
    -  Bookmark Provider            com.android.bookmarkprovider
    -  BusyBox Free                 stericson.busybox
    -  Calculator                   com.android.calculator2
    -  Calendar                     com.android.calendar
    -  Calendar Storage             com.android.providers.calendar
    -  Calibration                  org.zeroxlab.util.tscal
    -  Call Log Backup/Restore      com.android.calllogbackup
    -  Camera                       com.android.camera2
    -  CaptivePortalLogin           com.android.captiveportallogin
    -  CarrierDefaultApp            com.android.carrierdefaultapp
    -  Cell Broadcasts              com.android.cellbroadcastreceiver
    -  Certificate Installer        com.android.certinstaller
    -  Chrome                       com.android.chrome
    -  Clock                        com.android.deskclock
    -  Companion Device Mana…       com.android.companiondevicemanager
    -  Contacts                     com.android.contacts
    -  Corner display cutout        com.android.internal.display.cutout.emulation.corner
    -  Dark                         com.android.systemui.theme.dark
    -  Default Print Service        com.android.bips
    -  Dev Tools                    com.android.development
    -  Double display cutout        com.android.internal.display.cutout.emulation.double
    -  Downloads                    com.android.providers.downloads.ui
    -  Emergency information        com.android.emergency
    -  Gmail                        com.google.android.gm
    -  Google Account Manager       com.google.android.gsf.login
    -  Google Backup Transport      com.google.android.backuptransport
    -  Google Calendar Sync         com.google.android.syncadapters.calendar
    -  Google Contacts Sync         com.google.android.syncadapters.contacts
    -  Google One Time Init         com.google.android.onetimeinitializer
    -  HTML Viewer                  com.android.htmlviewer
    -  Input Devices                com.android.inputdevices
    -  Intent Filter Verification…  com.android.statementservice
    -  Key Chain                    com.android.keychain
    -  Live Wallpaper Picker        com.android.wallpaper.livepicker
    -  Market Feedback Agent        com.google.android.feedback
    -  MmsService                   com.android.mms.service
    -  Music                        org.lineageos.eleven
    -  NotePad                      com.example.android.notepad
    -  PacProcessor                 com.android.pacprocessor
    -  Package Access Helper        com.android.defcontainer
    -  Phone                        com.android.dialer
    -  Print Service Recommen…      com.google.android.printservice.recommendation
    -  Print Spooler                com.android.printspooler
    -  ProxyHandler                 com.android.proxyhandler
    -  RSS Reader                   com.example.android.rssreader
    -  Settings                     com.android.settings
    -  Settings Suggestions         com.android.settings.intelligence
    -  Shell                        com.android.shell
    -  Sim App Dialog               com.android.simappdialog
    -  Simple message receiver      com.android.basicsmsreceiver
    -  Storage Manager              com.android.storagemanager
    -  SuperSU                      eu.chainfire.supersu
    -  System Tracing               com.android.traceur
    -  Tall display cutout          com.android.internal.display.cutout.emulation.tall
    -  Taskbar                      com.farmerbb.taskbar.androidx86
    -  VpnDialogs                   com.android.vpndialogs
    -  Work profile setup           com.android.managedprovisioning
    -  com.android.backupcon…       com.android.backupconfirm
    -  com.android.carrierconfig    com.android.carrierconfig
    -  com.android.cts.ctsshim      com.android.cts.ctsshim
    -  com.android.cts.priv.cts…    com.android.cts.priv.ctsshim
    -  com.android.providers.p…     com.android.providers.partnerbookmarks
    -  com.android.sharedstor…      com.android.sharedstoragebackup
    -  com.android.wallpaperb…      com.android.wallpaperbackup
    -  com.android.wallpapercr…     com.android.wallpapercropper
    -  com.android.wallpaperpi…     com.android.wallpaperpicker
    -  com.google.android.gms…      com.google.android.gms.setup
List all running processes
C:\>frida-ps -U
  PID  Name
-----  --------------------------------------------------
 3678  adbd
 1130  [email protected]
 1131  [email protected]
 1132  [email protected]
 1133  [email protected]
 1134  [email protected]
 1135  [email protected]
 1136  [email protected]
 1137  [email protected]
 1138  [email protected]
 1139  [email protected]
 1140  [email protected]
 1128  [email protected]
20054  android.process.acore
19534  android.process.media
 1141  audioserver
 1148  cameraserver
 6622  com.android.chrome:sandboxed_process0
 5399  com.android.documentsui
 5438  com.android.externalstorage
 5102  com.android.gallery3d
 1411  com.android.inputmethod.latin
 1832  com.android.launcher3
20089  com.android.mtp
 1510  com.android.phone
 1422  com.android.systemui
 6219  com.android.vending
 6551  com.enchantedcloud.photovault
 5617  com.estrongs.android.pop
 1874  com.google.android.gms
 1768  com.google.android.gms.persistent
 6835  com.google.android.gms.unstable
 1792  com.google.android.googlequicksearchbox:interactor
18157  com.google.android.googlequicksearchbox:search
 5477  com.google.android.packageinstaller
15496  com.google.android.partnersetup
 6765  com.google.android.setupwizard
 6274  com.google.process.gservices
 3360  com.termoneplus
 1149  drmserver
11689  frida-helper-32
11670  frida-server
 1162  gatekeeperd
 1129  healthd
 1059  hwservicemanager
 1150  incidentd
    1  init
 1044  init
 1045  init
 1151  installd
 1189  ip6tables-restore
 1188  iptables-restore
 1152  keystore
 6024  libestool2.so
 1142  lmkd
11672  logcat
 1057  logd
 1181  mdnsd
 1160  media.codec
 1154  media.extractor
 1155  media.metrics
 1153  mediadrmserver
 1156  mediaserver
 1124  netd
 1797  org.android_x86.analytics
 1163  perfprofd
 1161  rild
 1058  servicemanager
 1145  sh
 3388  sh
 3424  sh
11667  sh
 1157  statsd
 1158  storaged
 1147  su
 3405  su
 3406  su
 3411  su
 3418  su
 1143  surfaceflinger
 1285  system_server
 1144  thermalserviced
 1164  tombstoned
 1046  ueventd
 1102  v86d
 1060  vndservicemanager
 1117  vold
 1458  webview_zygote
 1159  wificond
 1406  wpa_supplicant
 1126  zygote
 1125  zygote64

Locating an app with frida-ps

Locate a specific app using frida-ps

If you are finding yourself needing to know an app's identifier, frida-ps can be a good way to find it. It will also get us the application's current Process ID (PID) if it's running.

On your host machine, open a Command Prompt.

Type frida-ps -U -a. These switches will limit our list greatly and make it easier to spot our target.

For more info on frida-ps, see frida-ps.

In the case of Photo Vault, the bundle identifier is com.enchantedcloud.photovault. You may optionally note down the PID (Process ID) however, the application identifier is primarily what we are after since we may re-launch the app several times throughout the lab (resulting in a different PID).

Great, now we’ve established our application identifier, and can see that it is running. We also know that since frida-ps gave us the data we needed, we indeed have connectivity between the host machine and frida-server on the device (or emulator).

Frida-tools Reference - Previous
frida
Next - Frida-tools Reference
frida-trace
Last updated 1 year ago