The installation of hook framework frida and a simple practical case

1. Download address

2. Two other installation methods

1.Install from prebuilt binaries

This is the recommended way to get started. All you need to do is:

pip install frida-tools # CLI tools
pip install frida       # Python bindings
npm install frida       # Node.js bindings

You may also download pre-built binaries for various operating systems from Frida's releases page on GitHub.

2.Build your own binaries


For running the Frida CLI tools, i.e. frida, frida-ls-devices, frida-ps, frida-kill, frida-trace, and frida-discover, you need Python plus a few packages:

pip3 install colorama prompt-toolkit pygments



macOS and iOS

First make a trusted code-signing certificate. You can use the guide at in the sections "Create a certificate in the System Keychain" and "Trust the certificate for code signing". You can use the name frida-cert instead of gdb-cert if you'd like.

Next export the name of the created certificate to the environment variables MAC_CERTID and IOS_CERTID, and run make:

export MAC_CERTID=frida-cert
export IOS_CERTID=frida-cert

To ensure that macOS accepts the newly created certificate, restart the taskgated daemon:

sudo killall taskgated



(Requires Visual Studio 2017.)

3. Simple and practical

Get the current process of the front-end Activity of android phone

The content of get "front" is as follows:

import frida
rdev = frida.get_remote_device()
front_app = rdev.get_frontmost_application()
print front_app

Enumerate all processes of android phone

The content of enum? is as follows:

import frida
rdev = frida.get_remote_device()
processes = rdev.enumerate_processes()
for process in processes:
    print process

Enumerates all modules loaded by a process and the exported functions in the modules

import frida
rdev = frida.get_remote_device()
session = rdev.attach("")  #If there are two identical process names, rdev.attach(pid) can be used
modules = session.enumerate_modules()
for module in modules:
    print module
    export_funcs = module.enumerate_exports()
    print "\tfunc_name\tRVA"
    for export_func in export_funcs:
        print "\t%s\t%s"%(,hex(export_func.relative_address))

The native function of hook android

import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("")
scr = """
Interceptor.attach(Module.findExportByName("" , "open"), {
    onEnter: function(args) {

script = session.create_script(scr)
def on_message(message ,data):
    print message
script.on("message" , on_message)

java layer functions of hook android

The following code is hook wechat (test version is 6.3.13, different versions have different class names due to random generation of confusing names or code changes)
The random number generating function of class makes wechat guessing random (type=2), while the color shaker is always 6 points (type=5)

import frida
import sys
rdev = frida.get_remote_device()
session = rdev.attach("")

scr = """
Java.perform(function () {
var ay = Java.use("");
ay.pu.implementation = function(){
    var type = arguments[0];
    if (type == 2)
    return this.pu(type);
    return 5;


script = session.create_script(scr)
def on_message(message ,data):
    print message
script.on("message" , on_message)

Inject dex into android process through frida

import frida, sys, optparse, re
def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))

jscode = """
Java.perform(function () {
    var currentApplication = Java.use("").currentApplication();
    var context = currentApplication.getApplicationContext();
    var pkgName = context.getPackageName();
    var dexPath = "%s";
    var entryClass = "%s";
    console.log("inject " + dexPath +" to " + pkgName + " successfully!")
    console.log("call entry successfully!")

def checkRequiredArguments(opts, parser):
    missing_options = []
    for option in parser.option_list:
        if re.match(r'^\[REQUIRED\]', and eval('opts.' + option.dest) == None:
    if len(missing_options) > 0:
        parser.error('Missing REQUIRED parameters: ' + str(missing_options))

if __name__ == "__main__":
    usage = "usage: python %prog [options] arg\n\n" \
            "example: python %prog -p " \
            "-f /data/local/tmp/test.apk " \
            "-e com.parker.test.DexMain/main " \
            "\"hello fridex!\""
    parser = optparse.OptionParser(usage)
    parser.add_option("-p", "--package", dest="pkg", type="string",
                      help="[REQUIRED]package name of the app to be injected.")
    parser.add_option("-f", "--file", dest="dexPath", type="string",
                      help="[REQUIRED]path of the dex")
    parser.add_option("-e", "--entry", dest="entry", type="string",
                      help="[REQUIRED]the entry function Name.")

    (options, args) = parser.parse_args()
    checkRequiredArguments(options, parser)
    if len(args) == 0:
        arg = ""
        arg = args[0]

    pkgName = options.pkg
    dexPath = options.dexPath
    entry = options.entry.split("/")
    if len(entry) > 1:
        entryClass = entry[0]
        entryFunction = entry[1]
        entryClass = entry[0]
        entryFunction = "main"

    process = frida.get_usb_device(1).attach(pkgName)
    jscode = jscode%(dexPath, entryClass, entryFunction, arg)
    script = process.create_script(jscode)
    script.on('message', on_message)
    print('[*] Running fridex')

Implementation of trace program call stack by injecting and throwing exception code

In the eighth chapter of the book, it is introduced to write exception code through repackaging for stack trace, but it is more troublesome and more convenient to use frida injection.

Tags: Python Java Android Session

Posted on Mon, 03 Feb 2020 10:16:23 -0500 by JoeZar