Getting Process information

Basic information

The Process module exposes information about the current process, such as the loaded modules, memory ranges, etc.

Let’s look at some of the functions it provides to get familiar with Frida:

 [Local::ls]-> Process.id
 10831
 [Local::ls]-> Process.arch
 "x64"
 [Local::ls]-> Process.platform
 "linux"

Getting imported modules

One of the most essential features we need is to enumerate which modules are loaded into the process and where each one is located:

 [Local::ls]-> Process.enumerateModulesSync()
 [
     {
         "base": "0x55b1a5a93000",
         "name": "ls",
         "path": "/bin/ls",
         "size": 2232320
     },
     {
         "base": "0x7ffefc7eb000",
         "name": "linux-vdso.so.1",
         "path": "linux-vdso.so.1",
         "size": 0
     },
     {
         "base": "0x7f5a6c51c000",
         "name": "libselinux.so.1",
         "path": "/lib/x86_64-linux-gnu/libselinux.so.1",
         "size": 2252800
     },
     ...
 ]

As we can see, the result is printed in a convenient JSON format. This is particularly useful because we are in a JavaScript context: the result is an ordinary array of objects, so we can access its properties directly:

 [Local::ls]-> var modules = Process.enumerateModulesSync();
 undefined
 [Local::ls]-> console.log('The module \'' + modules[0].name + '\' is located at ' + modules[0].base)
 The module 'ls' is located at 0x55b1a5a93000

Get memory regions

Let’s say we are inspecting a process and want to list every memory region that has read, write and execute permissions enabled at the same time:

 [Local::PID::11740]-> Process.enumerateRangesSync({protection:'rwx', coalesce:true})
 [
     {
         "base": "0x7fbc52940000",
         "file": {
             "offset": 253952,
             "path": "/lib/x86_64-linux-gnu/libc-2.27.so",
             "size": 0
         },
         "protection": "rwx",
         "size": 12288
     },
     {
         "base": "0x7fbc52945000",
         "file": {
             "offset": 274432,
             "path": "/lib/x86_64-linux-gnu/libc-2.27.so",
             "size": 0
         },
         "protection": "rwx",
         "size": 4096
     },
     {
         "base": "0x7fbc529e6000",
         "file": {
             "offset": 933888,
             "path": "/lib/x86_64-linux-gnu/libc-2.27.so",
             "size": 0
         },
         "protection": "rwx",
         "size": 4096
     }
 ]

The coalesce:true parameter merges contiguous memory regions that share the same permissions into a single entry of the returned array. If we disable that option, we get one entry per memory page that has the selected permissions.

We can use the character '-' as a wildcard permission. For example, if we want to find all executable memory regions regardless of whether they are readable or writable, we can use Process.enumerateRangesSync({protection:'--x', coalesce:true}).
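Putting the module and range enumeration above together, here is an added example (not from the original post) that lists every range which is both writable and executable and attributes it to the module it lives in. It runs inside Frida against the live process, or under plain Node.js with the constructed sample data at the bottom; the libc module entry and the anonymous range in that sample are made up for the example.

```javascript
// Added example, not from the original post: flag writable+executable ranges and
// attribute each one to its module. Works inside Frida against the live process and
// under plain Node.js using the constructed sample data at the bottom.

// Frida's NativePointer stringifies to "0x..." hex, as do the strings in the REPL output.
function toBig(addr) { return BigInt(String(addr)); }

// Return the module whose [base, base + size) contains addr, or null.
function findModule(modules, addr) {
  const a = toBig(addr);
  for (const m of modules) {
    const base = toBig(m.base);
    if (a >= base && a < base + BigInt(m.size)) return m;
  }
  return null;
}

// Report every range whose protection string contains both 'w' and 'x'.
function auditWX(ranges, modules) {
  const findings = [];
  for (const r of ranges) {
    if (!(r.protection.includes('w') && r.protection.includes('x'))) continue;
    const owner = findModule(modules, r.base);
    findings.push({
      base: String(r.base), size: r.size, protection: r.protection,
      module: owner ? owner.name : null,
      file: r.file ? r.file.path : null,
      // W+X memory with no backing file and no owning module is what JIT engines and
      // injected code look like; file-backed W+X usually comes from the loader itself.
      anonymous: !owner && !r.file,
    });
  }
  return findings;
}

// Constructed sample mirroring the shapes printed above. The libc module entry and the
// anonymous 0x7f0000000000 range are made up; the ls entry and first range are the page's.
const SAMPLE_MODULES = [
  { name: 'ls', base: '0x55b1a5a93000', size: 2232320, path: '/bin/ls' },
  { name: 'libc-2.27.so', base: '0x7fbc52902000', size: 1000000, path: '/lib/x86_64-linux-gnu/libc-2.27.so' },
];
const SAMPLE_RANGES = [
  { base: '0x7fbc52940000', size: 12288, protection: 'rwx',
    file: { path: '/lib/x86_64-linux-gnu/libc-2.27.so', offset: 253952, size: 0 } },
  { base: '0x7f0000000000', size: 4096, protection: 'rwx' },
  { base: '0x55b1a5a93000', size: 4096, protection: 'r-x', file: { path: '/bin/ls', offset: 0, size: 0 } },
];
const inFrida = typeof Process !== 'undefined';
const modules = inFrida ? Process.enumerateModulesSync() : SAMPLE_MODULES;
// '--x' asks for every executable range; the 'w' check in auditWX narrows it to W+X.
const ranges = inFrida ? Process.enumerateRangesSync({ protection: '--x', coalesce: true }) : SAMPLE_RANGES;
console.log(JSON.stringify(auditWX(ranges, modules), null, 2));
```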