Hi there! I have been playing with the FRIDA framework a lot these days.
One of the good resources I found online was a four-hour training on FRIDA (the FRIDA Bootcamp by Leon Jacobs, listed under Great resources below).
So I thought it'd be a good idea to prepare a small cheat sheet of the popular commands and functionalities and share it! Here's a summary of the 14 main points I learnt:
NUMBER 1
ATTACH TO A PROCESS, SAY THE PROCESS NAME IS foo WITH PID 24
- frida ./foo # spawns the app (a path is treated as a file to spawn, so Frida starts the process itself)
- frida foo # attaches to the running app by process name
- frida -p 24 # attaches by PID
- frida -p $(pidof foo) # same, looking the PID up by name
NUMBER 2
ATTACH TO A PROCESS AND LOAD A JAVASCRIPT FILE called inject.js
frida foo -l inject.js # -l loads the script into the process as soon as Frida attaches
NUMBER 3
CHECK ALL LOADED MODULES IN A PROCESS
- frida foo
- Process.enumerateModules() # returns an array of Module objects (name, base, size, path); older Frida versions used the callback form with an enumerateModulesSync() variant
NUMBER 4
GET BASE ADDRESS OF A LOADED MODULE
> Process.getModuleByName("libc-2.30.so");
{
    "base": "0x7fc2edb78000",
    "name": "libc-2.30.so",
    "path": "/lib/x86_64-linux-gnu/libc-2.30.so",
    "size": 1830912
}
The returned object's base property is a NativePointer, so Process.getModuleByName("libc-2.30.so").base can be used directly in pointer arithmetic. The name is the file's basename, which differs between glibc versions (libc-2.30.so here, libc.so.6 on newer distributions).
NUMBER 5
GET ADDRESS OF A FUNCTION
> Module.getExportByName(null, "sleep"); // null searches the exports of every loaded module
"0x7fc2edc42d90"
OR
> DebugSymbol.getFunctionByName("sleep"); // resolves through debug symbols, which also covers non-exported functions when symbols are present
"0x7fc2edc42d90"
Newer Frida releases prefer the instance form, Process.getModuleByName("libc.so.6").getExportByName("sleep"), over the static Module.getExportByName(null, ...) call.
NUMBER 6
ATTACH TO A FUNCTION BY ADDRESS AND HOOK onEnter AND onLeave
var sleep = Module.getExportByName(null, "sleep");
Interceptor.attach(sleep, {
    onEnter: function(args) {
        // args[0], args[1], ... are the arguments as NativePointers; assigning to them changes what the callee sees
        console.log("[*] Sleep from Frida!");
    },
    onLeave: function(retval) {
        console.log("[*] Done sleeping from Frida!");
    }
});
(Diagram of the onEnter/onLeave flow from the YouTube video by Leon Jacobs, not reproduced here.)
NUMBER 7
ATTACH TO A FUNCTION BY ADDRESS, LOG, AND MODIFY THE RETURN VALUE
var testPin = DebugSymbol.getFunctionByName("test_pin");
Interceptor.attach(testPin, {
    onLeave: function(retval) {
        console.log("ret: " + retval);
        retval.replace(ptr("0x1")); // the caller now sees 1, whatever test_pin really returned
    }
});
NUMBER 8
CALL A FUNCTION DEFINED WITHIN THE CODE, ON DEMAND
// new NativeFunction(address, returnType, argTypes[, abi]);
var testPinPtr = DebugSymbol.getFunctionByName("test_pin");
var testPin = new NativeFunction(testPinPtr, "int", ["pointer"]); // int test_pin(const char *pin)
var pin = Memory.allocUtf8String("1111"); // NUL-terminated string in the target's memory
var r = testPin(pin);
console.log(r);
NUMBER 9
COMMUNICATE WITH THE INJECTED JAVASCRIPT, USING send() AND recv()
Script to host: send() in JavaScript, a "message" handler in Python.
// JavaScript
var answer = 42;
send(answer);

# Python
def incoming(message, data):
    print(message)   # prints {'type': 'send', 'payload': 42}; data carries an optional binary payload

script.on("message", incoming)

Host to script: script.post() in Python, recv() in JavaScript. recv() handles the next message only; call it again for the one after that.
// JavaScript
recv(function(m) {
    console.log("message: " + m);
});

# Python
script.on("message", incoming)
script.load()
script.post("test")
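The request/response form of this exchange, as an added example that is not part of the original post or the FRIDA Bootcamp: the hook on sleep() sends the requested duration to Python, blocks the target thread with recv().wait() until Python replies, and rewrites the argument if Python clamped it. The target name "foo", the hooked function and the clamping policy are assumptions; the message "kind"/"type" names are made up for this example.

```python
"""Host-side frida-python script: a hook that asks the host what to do.

Added example, not code from the original post. It assumes a Linux
process named "foo" (as in the rest of the cheat sheet) that calls
libc's sleep(); the message names and the policy are constructed here.
"""
import sys

# Agent: hook sleep(), report the requested seconds, block until the host
# answers, and shorten the sleep if the host says so.
AGENT_SOURCE = r"""
var sleepAddr = DebugSymbol.getFunctionByName("sleep");
Interceptor.attach(sleepAddr, {
  onEnter: function (args) {
    var requested = args[0].toInt32();
    send({ kind: "sleep-request", seconds: requested });
    // recv() registers a one-shot handler for the next "sleep-reply"
    // message; .wait() blocks this thread until it has arrived, so the
    // assignment to args[0] happens before the real sleep() runs.
    recv("sleep-reply", function (msg) {
      if (msg.seconds !== requested) {
        args[0] = ptr(msg.seconds);
      }
    }).wait();
  }
});
"""

MAX_SLEEP_SECONDS = 1  # assumption: anything longer is clamped by the host


def decide_reply(payload, max_seconds=MAX_SLEEP_SECONDS):
    """Host-side policy: clamp sleep requests. Returns the message to post,
    or None for payloads this script does not understand (ignored)."""
    if not isinstance(payload, dict) or payload.get("kind") != "sleep-request":
        return None
    seconds = int(payload.get("seconds", 0))
    return {"type": "sleep-reply", "seconds": min(seconds, max_seconds)}


def on_message(message, data, script):
    """'message' is what frida hands the handler: a dict whose 'type' is
    'send' (payload from send()) or 'error' (uncaught agent exception)."""
    if message["type"] == "error":
        print("[agent error]", message.get("stack", message), file=sys.stderr)
        return
    payload = message["payload"]
    reply = decide_reply(payload)
    if reply is not None:
        print("[host] sleep(%s) requested, answering %d"
              % (payload.get("seconds"), reply["seconds"]))
        script.post(reply)  # matched by recv("sleep-reply", ...) in the agent


def main(target="foo"):
    import frida  # imported here so the helpers above work without frida installed
    session = frida.attach(target)
    script = session.create_script(AGENT_SOURCE)
    script.on("message", lambda message, data: on_message(message, data, script))
    script.load()
    print("[host] hooked sleep() in %s, Ctrl-C to stop" % target)
    sys.stdin.read()  # keep the script alive until EOF / Ctrl-C
    session.detach()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "foo")
```

Because wait() blocks the hooked thread, the Python handler must answer every request it understands; a request it drops would leave that thread stuck in onEnter.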
NUMBER 10
RPC BINDINGS, EXPORTING FUNCTIONS FROM THE JS SCRIPT TO PYTHON
// JavaScript
rpc.exports = {
    brute: function() {
        console.log("Brute function");
    }
};

# Python (after script.load())
script.exports.brute()
Arguments and return values cross the boundary as JSON, so an export can return a result to Python. Names are converted for you: a JavaScript export called bruteForce is called as script.exports.brute_force() from Python. Newer frida-python versions deprecate script.exports in favour of script.exports_sync, which behaves the same.
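Putting NUMBER 7, 8 and 10 together, as an added example that is not the post's or the FRIDA Bootcamp's code: a Python tool whose embedded agent wraps test_pin() in a NativeFunction and exports a brute() function that tries a whole batch of PINs inside the process, so the host pays one RPC round trip per batch instead of one per PIN. The target "foo", the symbol test_pin(const char *) returning 1 on success, and the 4-digit PIN space are assumptions.

```python
"""Brute-force test_pin() through an rpc.exports function.

Added example, not the post's or Leon Jacobs' code. Assumes a Linux target
"foo" with a symbol test_pin(const char *pin) that returns 1 for the right
4-digit PIN and 0 otherwise (the signature NUMBER 8 uses); the symbol name
and return convention are assumptions.
"""
import sys
import time

AGENT_SOURCE = r"""
var testPinPtr = DebugSymbol.getFunctionByName("test_pin");
var testPin = new NativeFunction(testPinPtr, "int", ["pointer"]);

rpc.exports = {
  // Try every candidate in-process and return the first accepted one,
  // or null if none of this batch matched.
  brute: function (candidates) {
    for (var i = 0; i < candidates.length; i++) {
      var pin = Memory.allocUtf8String(candidates[i]);
      if (testPin(pin) === 1) {
        return candidates[i];
      }
    }
    return null;
  }
};
"""


def pin_candidates(width=4):
    """All zero-padded numeric PINs of the given width, lowest first."""
    return ["%0*d" % (width, n) for n in range(10 ** width)]


def chunked(items, size):
    """Split a list into lists of at most `size` items (keeps RPC messages small)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def brute_force(script, width=4, chunk_size=1000):
    """Drive the agent's brute() export batch by batch; returns the PIN or None."""
    for chunk in chunked(pin_candidates(width), chunk_size):
        found = script.exports.brute(chunk)  # newer frida-python: script.exports_sync
        if found is not None:
            return found
    return None


def main(target="foo"):
    import frida  # imported here so the pure helpers above work without frida installed
    session = frida.attach(target)
    script = session.create_script(AGENT_SOURCE)
    script.on("message", lambda message, data: print("[agent]", message))
    script.load()
    started = time.time()
    pin = brute_force(script)
    print("[host] PIN: %s (%.1fs)" % (pin, time.time() - started))
    session.detach()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "foo")
```

If test_pin() has a lockout counter or sleeps on failure, a NUMBER 7 style onLeave hook on those helpers (or on test_pin itself) is the place to neutralise it before running the loop.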
NUMBER 11
TRACE FUNCTION CALLS USING frida-trace
This generates Interceptor-style hooks for every matching function, supports wildcard resolution, and dumps one editable handler per function into a __handlers__ folder next to where you ran it.
frida-trace foo -i "read*" # -i: include functions whose name matches the pattern
NUMBER 12
PATCHING AN ELF TO LOAD THE FRIDA GADGET .so FILE
~/code$ patchelf --add-needed ../frida-gadget.so foo
~/code$ ./foo
[Frida INFO] Listening on 127.0.0.1 TCP port 27042
~/code$ ldd foo
    linux-vdso.so.1 (0x00007ffdc7962000)
    ../frida-gadget.so (0x00007fceeca4b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fceec884000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fceec87f000)
patchelf adds a DT_NEEDED entry, so the dynamic loader pulls the gadget in every time foo starts and no frida-server is needed; the gadget presents itself as a process named Gadget, which you reach with frida -H 127.0.0.1:27042 Gadget.
Note that the gadget also reads an optional config file placed next to it, named like the library but with a .config extension (frida-gadget.config for frida-gadget.so). With it one can change the behaviour of the patched binary: whether it waits for a client or resumes immediately on load, the listen address and port, and more.
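An added example, not part of the original post: a frida-gadget.config placed beside frida-gadget.so that changes the two things mentioned above. The port number is an arbitrary choice for this example; every key shown is from the gadget's "listen" interaction type.

```json
{
  "interaction": {
    "type": "listen",
    "address": "127.0.0.1",
    "port": 27043,
    "on_port_conflict": "fail",
    "on_load": "resume"
  }
}
```

on_load "wait" (the default) holds foo at startup until a client attaches, which is what you want for hooking early code; "resume" lets foo run straight away and you attach later. on_port_conflict "fail" makes a second patched process exit loudly instead of silently picking another port.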
NUMBER 13
USING TYPESCRIPT AND MODIFYING THE PRELOADED SCRIPT LIVE
frida-compile takes TypeScript and transpiles it to JavaScript for the target runtime (important because the older Duktape runtime only understands ES5, unlike V8).
frida-compile also exposes the entire npm ecosystem for use inside agents.
One can write the agent in VS Code; Node must be installed.
npm run watch monitors for changes and automatically rebuilds, producing a new _agent.js file.
Refer to this file in the Python script and pass its contents to session.create_script():
    with open("frida-agent-example/_agent.js", "r") as f:
        source = f.read()
Then:
- run ./foo
- run npm run watch
- run python3 tool.py
(edit index.ts and watch it recompile)
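The piece that makes "modify the script live" actually live, as an added example that is not the post's tool.py nor frida-agent-example's: a host script that polls the compiled _agent.js and, whenever frida-compile rewrites it, unloads the old script (which removes its hooks) and loads the new one into the still-attached session. The target "foo", the _agent.js path from the post and the polling interval are assumptions.

```python
"""Reload the compiled agent whenever `npm run watch` rewrites it.

Added example, not the post's tool.py. Assumes a target process "foo" and
the _agent.js path used in the post; the polling interval is arbitrary.
"""
import os
import sys
import time

AGENT_PATH = "frida-agent-example/_agent.js"


def read_agent(path=AGENT_PATH):
    """Return (source, mtime) for the compiled agent file."""
    with open(path, "r") as f:
        source = f.read()
    return source, os.stat(path).st_mtime


def changed_since(path, last_mtime):
    """True when the file has been rewritten (mtime moved) since last_mtime.
    A momentarily missing file (watch mid-rebuild) counts as unchanged."""
    try:
        return os.stat(path).st_mtime != last_mtime
    except FileNotFoundError:
        return False


def load_agent(session, source, on_message):
    """Create, wire up and load a script from source; returns the Script."""
    script = session.create_script(source)
    script.on("message", on_message)
    script.load()
    return script


def main(target="foo", path=AGENT_PATH, poll_seconds=0.5):
    import frida  # imported here so the file helpers work without frida installed
    session = frida.attach(target)
    on_message = lambda message, data: print("[agent]", message)
    source, mtime = read_agent(path)
    script = load_agent(session, source, on_message)
    print("[host] loaded %s (%d bytes); edit index.ts and save" % (path, len(source)))
    try:
        while True:
            time.sleep(poll_seconds)
            if not changed_since(path, mtime):
                continue
            if script is not None:
                script.unload()  # tears down the old hooks before the new ones go in
                script = None
            try:
                source, mtime = read_agent(path)
                script = load_agent(session, source, on_message)
                print("[host] reloaded %s (%d bytes)" % (path, len(source)))
            except Exception as e:  # half-written file or a JS error: wait for the next save
                print("[host] reload failed, fix and save again:", e, file=sys.stderr)
    except KeyboardInterrupt:
        session.detach()


if __name__ == "__main__":
    main(*sys.argv[1:3])
```

Unloading first means there is a short window with no hooks installed; for a dev loop that is the right trade, since two versions of the same Interceptor.attach() running at once would produce confusing double output.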
NUMBER 14
CMODULE - COMPILE C CODE IN MEMORY FROM JS, USING TinyCC
const cm = new CModule(`
int value(void) {
  return 42;
}
`);
const v = new NativeFunction(cm.value, 'int', []);
v(); // 42
Global functions of the C code become NativePointer properties on the CModule object (cm.value above), ready for NativeFunction, or for Interceptor.attach() callbacks written in C instead of JavaScript.
Also, the Frida REPL can load a .c file directly, like this:
frida foo -l index.js -C test.c
Only a limited set of headers is supported currently.
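The host-side equivalent of -C test.c, as an added example that is not from the post: Python embeds a C file into the agent as a CModule and hands the module straight to Interceptor.attach(), which accepts a CModule exporting onEnter/onLeave in place of JavaScript callbacks. The C source is turned into a JS string literal with json.dumps, so quotes, backslashes and newlines survive. The target "foo", the hooked function "sleep" and the sample C are assumptions; the gum header is one of those the CModule bundles.

```python
"""Embed a C file into a Frida agent as a CModule Interceptor callback.

Added example, not from the post. Does on the host side what `frida -C test.c`
does in the REPL. The target "foo" and the hooked export "sleep" are
assumptions; SAMPLE_C is a constructed sample.
"""
import json
import sys
import time

# Constructed sample: counts calls and records the last first argument.
# GumInvocationContext and gum_invocation_context_get_nth_argument come from
# Frida's bundled gum headers, which CModule supports.
SAMPLE_C = r"""
#include <gum/guminterceptor.h>

static int calls = 0;
static int last_arg = 0;

void onEnter(GumInvocationContext *ic) {
  calls++;
  last_arg = (int)(size_t) gum_invocation_context_get_nth_argument(ic, 0);
}

int get_calls(void) { return calls; }
int get_last_arg(void) { return last_arg; }
"""


def build_agent(c_source, function_name):
    """Return the JS agent text: a CModule built from c_source, attached to
    function_name, plus an RPC export that reads the C-side counters."""
    return """
var cm = new CModule(%s);
Interceptor.attach(DebugSymbol.getFunctionByName(%s), cm);  // cm exports onEnter
var getCalls = new NativeFunction(cm.get_calls, "int", []);
var getLastArg = new NativeFunction(cm.get_last_arg, "int", []);
rpc.exports = {
  stats: function () { return { calls: getCalls(), lastArg: getLastArg() }; }
};
""" % (json.dumps(c_source), json.dumps(function_name))


def main(target="foo", c_path=None, function_name="sleep"):
    import frida  # imported here so build_agent() works without frida installed
    if c_path is None:
        c_source = SAMPLE_C
    else:
        with open(c_path, "r") as f:
            c_source = f.read()
    session = frida.attach(target)
    script = session.create_script(build_agent(c_source, function_name))
    script.on("message", lambda message, data: print("[agent]", message))
    script.load()
    try:
        while True:
            time.sleep(2)
            print("[host] %s stats: %s" % (function_name, script.exports.stats()))
    except KeyboardInterrupt:
        session.detach()


if __name__ == "__main__":
    main(*sys.argv[1:4])
```

A C callback like this runs without hopping into the JavaScript runtime on every call, which is the reason to reach for CModule on hot functions; the counters are read back lazily over RPC rather than logged per call.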
So, that was all! Have we missed covering any interesting feature/command? Do let me know in the comments!
Are you interested in learning about similar concepts? Subscribe to this blog and join the tribe of !nfinite hacks, where we are learning, exploring, and researching interesting concepts in cybersecurity every day!
See you in the next post soon!
Ciao,
Great resources:
FRIDA Bootcamp training by Leon Jacobs (I highly recommend it!)
https://poxyran.github.io/poxyblog/src/pages/02-11-2019-calling-native-functions-with-frida.html
https://medium.com/swlh/exploring-native-functions-with-frida-on-android-part-4-22db2c247e29