1. Download address
2. Two other installation methods
1.Install from prebuilt binaries
This is the recommended way to get started. All you need to do is:
pip install frida-tools # CLI tools pip install frida # Python bindings npm install frida # Node.js bindings
You may also download pre-built binaries for various operating systems from Frida's releases page on GitHub.
2.Build your own binaries
Dependencies
For running the Frida CLI tools, i.e. frida, frida-ls-devices, frida-ps, frida-kill, frida-trace, and frida-discover, you need Python plus a few packages:
pip3 install colorama prompt-toolkit pygments
Linux
make
macOS and iOS
First make a trusted code-signing certificate. You can use the guide at https://sourceware.org/gdb/wiki/PermissionsDarwin in the sections "Create a certificate in the System Keychain" and "Trust the certificate for code signing". You can use the name frida-cert instead of gdb-cert if you'd like.
Next export the name of the created certificate to the environment variables MAC_CERTID and IOS_CERTID, and run make:
export MAC_CERTID=frida-cert export IOS_CERTID=frida-cert make
To ensure that macOS accepts the newly created certificate, restart the taskgated daemon:
sudo killall taskgated
Windows
frida.sln
(Requires Visual Studio 2017.)
3. Simple and practical
Get the current process of the front-end Activity of android phone
get_front_app.py
The content of get "front" app.py is as follows:
import frida rdev = frida.get_remote_device() front_app = rdev.get_frontmost_application() print front_app 12341234
Enumerate all processes of android phone
enum_process.py
The content of enum? Process.py is as follows:
import frida rdev = frida.get_remote_device() processes = rdev.enumerate_processes() for process in processes: print process 1234512345
Enumerates all modules loaded by a process and the exported functions in the modules
import frida rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") #If there are two identical process names, rdev.attach(pid) can be used modules = session.enumerate_modules() for module in modules: print module export_funcs = module.enumerate_exports() print "\tfunc_name\tRVA" for export_func in export_funcs: print "\t%s\t%s"%(export_func.name,hex(export_func.relative_address)) 1234567891012345678910
The native function of hook android
import frida import sys rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") scr = """ Interceptor.attach(Module.findExportByName("libc.so" , "open"), { onEnter: function(args) { send("open("+Memory.readCString(args[0])+","+args[1]+")"); }, onLeave:function(retval){ } }); """ script = session.create_script(scr) def on_message(message ,data): print message script.on("message" , on_message) script.load() sys.stdin.read() 12345678910111213141516171819201234567891011121314151617181920
java layer functions of hook android
The following code is hook wechat (test version is 6.3.13, different versions have different class names due to random generation of confusing names or code changes)
The random number generating function of com.tencent.mm.sdk.platformtools.ay class makes wechat guessing random (type=2), while the color shaker is always 6 points (type=5)
import frida import sys rdev = frida.get_remote_device() session = rdev.attach("com.tencent.mm") scr = """ Java.perform(function () { var ay = Java.use("com.tencent.mm.sdk.platformtools.ay"); ay.pu.implementation = function(){ var type = arguments[0]; send("type="+type); if (type == 2) { return this.pu(type); } else { return 5; } }; }); """ script = session.create_script(scr) def on_message(message ,data): print message script.on("message" , on_message) script.load() sys.stdin.read() 123456789101112131415161718192021222324252627282930123456789101112131415161718192021222324252627282930
Inject dex into android process through frida
import frida, sys, optparse, re def on_message(message, data): if message['type'] == 'send': print("[*] ".format(message['payload'])) else: print(message) jscode = """ Java.perform(function () { var currentApplication = Java.use("android.app.ActivityThread").currentApplication(); var context = currentApplication.getApplicationContext(); var pkgName = context.getPackageName(); var dexPath = "%s"; var entryClass = "%s"; Java.openClassFile(dexPath).load(); console.log("inject " + dexPath +" to " + pkgName + " successfully!") Java.use(entryClass).%s("%s"); console.log("call entry successfully!") }); """ def checkRequiredArguments(opts, parser): missing_options = [] for option in parser.option_list: if re.match(r'^\[REQUIRED\]', option.help) and eval('opts.' + option.dest) == None: missing_options.extend(option._long_opts) if len(missing_options) > 0: parser.error('Missing REQUIRED parameters: ' + str(missing_options)) if __name__ == "__main__": usage = "usage: python %prog [options] arg\n\n" \ "example: python %prog -p com.android.launcher " \ "-f /data/local/tmp/test.apk " \ "-e com.parker.test.DexMain/main " \ "\"hello fridex!\"" parser = optparse.OptionParser(usage) parser.add_option("-p", "--package", dest="pkg", type="string", help="[REQUIRED]package name of the app to be injected.") parser.add_option("-f", "--file", dest="dexPath", type="string", help="[REQUIRED]path of the dex") parser.add_option("-e", "--entry", dest="entry", type="string", help="[REQUIRED]the entry function Name.") (options, args) = parser.parse_args() checkRequiredArguments(options, parser) if len(args) == 0: arg = "" else: arg = args[0] pkgName = options.pkg dexPath = options.dexPath entry = options.entry.split("/") if len(entry) > 1: entryClass = entry[0] entryFunction = entry[1] else: entryClass = entry[0] entryFunction = "main" process = frida.get_usb_device(1).attach(pkgName) jscode = jscode%(dexPath, entryClass, entryFunction, arg) script = process.create_script(jscode) script.on('message', on_message) print('[*] Running fridex') script.load() sys.stdin.read() 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666712345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
Implementation of trace program call stack by injecting and throwing exception code
In the eighth chapter of the book, it is introduced to write exception code through repackaging for stack trace, but it is more troublesome and more convenient to use frida injection.