Getting started
Getting on the road with Frida
Frida is used through language bindings. Python is the most common, but .NET, Node.js and Java bindings are officially supported as well, and the frida-core project provides the library that other language bindings are built on.
The easiest way to get started with Frida is its REPL console, which exposes the JavaScript API directly.
First of all we need to learn how to start an application under Frida. Once frida-tools is installed, we can spawn a binary (/bin/ls here) with Frida injected into it:
# frida /bin/ls
     ____
    / _  |   Frida 12.2.22 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
Spawned `/bin/ls`. Use %resume to let the main thread start executing!
Note that a spawned process stays suspended at its entry point until we type %resume, so any hooks we install first are in place before the program executes its first instruction.
We can also attach Frida to a process that is already running. For that we need the PID of the target process (or its name, with -n <name> instead of -p):
# frida -p <PID>
Attaching to a process owned by another user requires the same privileges as a debugger (ptrace on Linux, task ports on macOS), so on a desktop this usually means running as root.
Other useful commands
Connecting to a remote frida-server instance, e.g. one running on a rooted Android or jailbroken iOS device. frida-server must already be running on the device.
- USB connected device
# frida -U [-D <Device ID>]
The device ID is only needed when more than one device is connected; frida-ls-devices prints the IDs of everything Frida can currently see.
- Through the network
# frida -H <Host or IP>[:port]
The port defaults to 27042. For this to work, frida-server on the remote side has to listen on a reachable interface (it binds to 127.0.0.1 by default; frida-server -l 0.0.0.0 makes it listen on all interfaces). Keep in mind that anyone who can reach that port can execute code in any process frida-server can attach to, so only expose it on a network you trust.
Modules
Frida is a large framework that lets us dynamically instrument a wide variety of process layouts, including different CPU architectures and language runtimes such as the Dalvik/ART virtual machine used on Android. To make this manageable, Frida provides a set of abstractions for interacting with the Frida agent injected into the target process.
These helper abstractions are organised into modules that serve different purposes:
- Process
- Information about the current process (PID, architecture, platform, loaded modules, running threads, memory ranges, etc.)
- Memory
- Interaction with process memory: reading and writing values, allocating buffers, scanning for byte patterns and changing page protections.
- Module
- Locating loaded modules and resolving their exports and imports to addresses (e.g. the address of a libc function).
- NativeFunction
- Wraps a native function address so it can be called from JavaScript with the correct calling convention, argument types and return type.
- NativeCallback
- The opposite direction: wraps a JavaScript function as a native function pointer, so the target process can call back into JavaScript (e.g. as a comparator passed to a native API, or as a replacement installed with Interceptor.replace).
- Interceptor
- Hooks functions to inspect or modify arguments and return values on entry and exit, or replaces them entirely.
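A worked script, added here as an example (it is not code from the original page or from the Frida project), that exercises each of the modules above while instrumenting /bin/ls. It assumes a Linux or macOS target whose libc exports opendir, getpid and qsort; the formatCall and isInteresting helpers and the "[opendir] arg=... -> ..." log format are this example's own choices. Everything that needs the Frida runtime is guarded behind inFrida, so the file also loads under plain Node.js.

```javascript
'use strict';

// Added example, not from the page or the Frida project. Runs inside the
// frida REPL / agent; the Frida globals (Process, Module, Memory, Interceptor,
// NativeFunction, NativeCallback) only exist there, so they are used behind
// the `inFrida` guard and the pure helpers can be loaded in plain Node.js too.
const inFrida = typeof Interceptor !== 'undefined';

// Pure helper: one log line per intercepted call (format is this example's own).
function formatCall(name, argText, retval) {
  return `[${name}] arg="${argText}" -> ${retval}`;
}

// Pure helper: a constructed filter so the opendir() log stays readable.
function isInteresting(path) {
  return typeof path === 'string' && path !== '.' && !path.startsWith('/proc');
}

// Keep NativeCallback objects reachable: if JavaScript drops the last reference
// while native code still holds the function pointer, the next call crashes.
const liveCallbacks = [];

function instrument() {
  // Process: basic facts about the target we were spawned into / attached to.
  console.log(`pid=${Process.id} arch=${Process.arch} platform=${Process.platform}`);

  // Module: resolve exports by name; null means "search every loaded module".
  const opendirPtr = Module.findExportByName(null, 'opendir');
  const getpidPtr = Module.findExportByName(null, 'getpid');
  const qsortPtr = Module.findExportByName(null, 'qsort');
  if (opendirPtr === null || getpidPtr === null || qsortPtr === null) {
    throw new Error('libc exports opendir/getpid/qsort not found in this process');
  }

  // NativeFunction: call the target's own getpid() from JavaScript.
  const getpid = new NativeFunction(getpidPtr, 'int', []);
  console.log(`getpid() inside the target returned ${getpid()}`);

  // Memory + NativeFunction + NativeCallback: allocate an int32 array in the
  // target, then have libc qsort() sort it using a comparator written in JS.
  const values = [42, 7, 19, 3];
  const buf = Memory.alloc(4 * values.length);
  values.forEach((v, i) => Memory.writeS32(buf.add(4 * i), v));
  const compare = new NativeCallback((a, b) => Memory.readS32(a) - Memory.readS32(b),
                                     'int', ['pointer', 'pointer']);
  liveCallbacks.push(compare);
  const qsort = new NativeFunction(qsortPtr, 'void', ['pointer', 'size_t', 'size_t', 'pointer']);
  qsort(buf, values.length, 4, compare);
  const sorted = values.map((_, i) => Memory.readS32(buf.add(4 * i)));
  console.log(`qsort() with a JS comparator: ${sorted.join(', ')}`);

  // Interceptor: hook opendir(3) so we see which directories ls walks and the
  // DIR* it gets back (NULL means the open failed).
  Interceptor.attach(opendirPtr, {
    onEnter(args) {
      // `this` is per-invocation state shared between onEnter and onLeave.
      this.path = Memory.readUtf8String(args[0]);
    },
    onLeave(retval) {
      if (isInteresting(this.path)) {
        console.log(formatCall('opendir', this.path, retval.isNull() ? 'NULL' : retval));
      }
    }
  });
}

if (inFrida) {
  instrument();
}
```

Save it as ls_hooks.js and run frida -l ls_hooks.js /bin/ls: the script is loaded while the spawned process is still suspended, so the opendir hook is in place before ls executes anything, and the log lines appear once you type %resume. The same file works against an already running process with frida -p <PID> -l ls_hooks.js, and the pure helpers can be unit-tested under Node.js without a target.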