Dynamic Instrumentation Toolkit – Frida

Last Release: 07/04/2019     Last Commit: 07/03/2019

Introduction

Frida is a free and open-source dynamic instrumentation toolkit that lets developers, reverse engineers and security researchers monitor and debug running processes. It does this by letting programmers, software and security professionals inject their own JavaScript into other processes running on:

  • Windows, Linux, Android, iOS or macOS.

IDA is a commercial reverse-engineering tool. The name “Frida” is a pun: on “Free IDA”, but also on the Norwegian female names Ida and Frida, Frida being Ida’s sister, in the sense that IDA is a static analysis tool and Frida is a dynamic analysis toolkit.

Frida: A World Class Dynamic Instrumentation Toolkit

It lets you inject snippets of JavaScript into native apps on Windows, macOS, Linux, iOS and Android. Frida also provides some simple tools built on top of the Frida API; they can be used as they are, tweaked to your needs, or serve as examples of how to use the API.

In other words, it allows you to inject your own code and to programmatically and interactively inspect and change running processes. Frida does not need access to source code, and it can be used on iOS and Android devices that are not jailbroken or rooted, provided the Frida Gadget library is embedded in the app you want to instrument (see the operation modes below). Everything is driven through a C API, which is also exposed to higher-level languages such as Python and Node.js through bindings.

Features:

  • Scriptable: You can inject your own scripts into black box processes to execute custom debugging logic. Hook any function, spy on crypto APIs or trace private application code, no source code needed.
  • Multi-platform (portable): Works on Windows, macOS, GNU/Linux, iOS, Android, and QNX (Node.js binding, Python package from PyPI,  Swift bindings, .NET bindings, Qt/Qml bindings, or C API).
  • Battle-tested: It has a comprehensive test-suite and has gone through years of rigorous testing across a broad range of use-cases.
  • Free and open-source: Frida is and will always be free software.

Frida’s core is written in C and injects a JavaScript runtime into the target process (Google’s V8, or the lighter Duktape engine that the 12.x releases use by default). Your JavaScript runs there with full access to memory, can hook functions and can even call native functions inside the process. A bi-directional message channel (send() in the agent, script.post() from the host) connects the JavaScript running inside the target with your own application, typically written in Python.

Frida Toolkit

  • frida : REPL interface that aims to emulate many of the nice features of IPython (or Cycript), getting you closer to your code for rapid prototyping and easy debugging.
  • frida-ps : command-line tool for listing processes (very useful when interacting with a remote system).
  • frida-trace : tool for dynamically tracing function calls.
  • frida-discover : tool for discovering internal functions in a program, which can then be traced by using frida-trace.
  • frida-ls-devices : command-line tool for listing attached devices (very useful when interacting with multiple devices).
  • frida-kill : command-line tool for killing processes.

Operation modes

Frida provides dynamic instrumentation through its instrumentation core Gum, written in C. With a few lines of C you can run a piece of JavaScript inside a runtime that has full access to Gum’s APIs. That lets you hook functions, enumerate loaded libraries (and their imported and exported functions), read and write memory, scan memory for patterns, and so on.

  • Injected (the usual mode: the host-side tools talk to a local process or to frida-server on the device):
    1. Spawn a program: the child process is created suspended, instrumented, then resumed, so hooks are in place before its first instruction runs
    2. Hijack a process as it is being spawned (spawn gating)
    3. Attach to an already running program and hook it
    4. Requires root/admin privileges (or, at minimum, ptrace/debugger rights on the target)
  • Embedded:
    1. Used on non-jailbroken iOS / non-rooted Android: the frida-gadget shared library is bundled into (repackaged into) the app and loaded at start-up; the tools then attach to the process, which shows up under the name Gadget
  • Preloaded: frida-gadget is loaded into a process at launch through the loader, for example LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS, without modifying the binary
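As an added example (written for this page, not Frida’s own code), the script below drives the modes just listed from the Python side and uses the bi-directional channel from the feature list: the embedded JavaScript agent hooks the C library’s open() (assumed to be exported under that name, i.e. Linux, macOS or Android targets) and send()s every call to the host, and the host posts a stop message back with script.post(). The helper names parse_message, open_session and instrument are this example’s own; the Frida calls (frida.get_local_device, Device.spawn/attach/resume, Session.create_script, Script.post, Interceptor.attach, send/recv) are the real API, assumed to be Frida 12 or later.

```python
"""frida_modes.py: one host script for Frida's injected (spawn / attach) and
embedded or preloaded (frida-gadget) modes.  Added example, not Frida's code."""
import argparse
import json
import sys

# JavaScript agent injected into the target.  send() is agent -> host,
# recv() picks up what the host posts with script.post().
AGENT = r"""
// Assumption: the target's C library exports open() (Linux, macOS, Android).
Interceptor.attach(Module.findExportByName(null, 'open'), {
  onEnter: function (args) {
    // 'this' is per-call state, shared between onEnter and onLeave
    this.path = args[0].readUtf8String();
    this.flags = args[1].toInt32();
  },
  onLeave: function (retval) {
    send({ event: 'open', path: this.path, flags: this.flags, fd: retval.toInt32() });
  }
});
// Host -> agent: detach the hook when the host posts {"type": "stop"}
recv('stop', function () {
  Interceptor.detachAll();
  send({ event: 'detached' });
});
send({ event: 'ready' });
"""


def parse_message(message, data=None):
    """Normalise a raw message from the agent into (kind, record).

    Frida delivers {'type': 'send', 'payload': ...} for send() and
    {'type': 'error', 'description': ..., 'stack': ...} for uncaught JS errors.
    """
    if message.get("type") == "send":
        return "event", message["payload"]
    if message.get("type") == "error":
        return "error", message.get("stack") or message.get("description")
    return "unknown", message


def on_message(message, data):
    kind, record = parse_message(message, data)
    if kind == "event":
        print("[agent] " + json.dumps(record))
    else:
        print("[%s] %s" % (kind, record), file=sys.stderr)


def open_session(device, mode, target):
    """Return (session, pid_to_resume) for the chosen mode.

    spawn  - injected: start the program suspended so the hooks are in place
             before its first instruction runs; resume it after script.load()
    attach - injected: hook a process that is already running, by PID or name;
             needs debugger rights on the target (root, or frida-server as root)
    gadget - embedded/preloaded: the app carries frida-gadget, which shows up
             as a process named "Gadget" and needs no root or jailbreak
    """
    if mode == "spawn":
        pid = device.spawn(target)  # a path such as "/bin/ls" or an app id
        return device.attach(pid), pid
    if mode == "attach":
        target = int(target) if str(target).isdigit() else target
        return device.attach(target), None
    if mode == "gadget":
        return device.attach("Gadget"), None
    raise ValueError("unknown mode: %s" % mode)


def instrument(mode, target, usb=False):
    import frida  # imported here so the helpers above work without Frida installed

    device = frida.get_usb_device() if usb else frida.get_local_device()
    session, pid = open_session(device, mode, target)
    script = session.create_script(AGENT)
    script.on("message", on_message)
    script.load()
    if pid is not None:
        device.resume(pid)  # the spawned process starts now, already instrumented
    print("tracing open() in %s; press Enter to stop" % target)
    sys.stdin.readline()
    script.post({"type": "stop"})  # host -> agent, received by recv('stop', ...)
    session.detach()


if __name__ == "__main__":
    # python frida_modes.py spawn /bin/ls
    # python frida_modes.py attach 1234
    # python frida_modes.py gadget --usb
    ap = argparse.ArgumentParser()
    ap.add_argument("mode", choices=["spawn", "attach", "gadget"])
    ap.add_argument("target", nargs="?", default="Gadget")
    ap.add_argument("--usb", action="store_true", help="use the USB-attached device")
    a = ap.parse_args()
    instrument(a.mode, a.target, a.usb)
```

The host-side helpers are kept free of Frida calls on purpose: parse_message and open_session can be exercised against a fake device object, which is also how you would unit-test a larger host application before pointing it at a real target.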

r2frida: Radare2 and Frida better together

Having Frida integrate with Radare means you are now able to attach to remote iOS processes, or spawn an application, by simply plugging in the USB cable. r2frida provides the interface to import all the symbolic and Objective-C information from Frida into Radare, providing a much richer disassembly experience.
You can examine the target process using Radare’s powerful command line interface and static analysis. At the same time, you can use the dynamic, real-time features of Frida to inspect and manipulate the app from the inside while it runs. The combined tool, r2frida, lowers the entry barrier for Frida users and opens a new horizon of possibilities for Radare users.

Install

Requirements for Frida’s CLI tools:

  • Python 3.x
  • GNU/Linux, Windows or macOS

Install with pip:

$ pip install frida-tools # CLI tools
$ pip install frida       # Python bindings
$ npm install frida       # Node.js bindings

For manual installation grab other binaries from Frida’s GitHub releases page.

Useful commands & basic examples

To see all available options just type -h. For example:

$ frida-trace -h

Useful commands:

  • frida-ps : List all running process names and PIDs on the local machine
  • frida-ps -Uai : List all installed applications (running or not) on the USB-attached device; -U selects the USB device, -a restricts the listing to applications, -i includes the ones not currently running
  • frida-ls-devices : List all the attached devices
  • frida -U process-name : Attach the REPL to a process on the USB device (by name or PID)

Frida: frida-trace options (iOS)

Quick tracing example:

$ pip install frida-tools
$ frida-trace -i "recv*" -i "read*" *twitter*
recv: Auto-generated handler: …/recv.js
# (snip)
recvfrom: Auto-generated handler: …/recvfrom.js
Started tracing 21 functions. Press Ctrl+C to stop.
39 ms recv()
112 ms recvfrom()
128 ms recvfrom()
129 ms rec

In this example, Frida injected itself into the Twitter process, enumerated its loaded shared libraries and hooked every exported function whose name starts with either recv or read. Each call is then printed with a timestamp relative to the start of tracing; the auto-generated handler files (recv.js, recvfrom.js, ...) can be edited to log arguments or return values for the next run.
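What frida-trace does behind that command line, as an added example written for this page (not frida-trace’s own source): the host turns each -i glob into a regular expression, the embedded agent walks every loaded module’s exports (assumed Frida 12+ Module API), hooks the matching functions with Interceptor and reports each call with a timestamp relative to the start of tracing, and the host prints the calls and tallies them per function. glob_to_regex, build_agent, summarize and trace are this example’s own names; the target has to be given as a PID or exact process name (frida-trace additionally accepts process-name globs such as *twitter*).

```python
"""wildtrace.py: a small re-implementation of `frida-trace -i PATTERN ...`.
Added example, not frida-trace's own code."""
import json
import sys
import time
from collections import Counter

# Agent template; %PATTERNS% is replaced by a JSON array of regex strings.
AGENT_TEMPLATE = r"""
(function () {
  var regexes = %PATTERNS%.map(function (p) { return new RegExp(p); });
  var t0 = Date.now();
  var seen = {};
  var hooked = 0;
  // Walk every loaded module and every function it exports, and hook the
  // ones whose name matches one of the patterns (what frida-trace -i does).
  Process.enumerateModules().forEach(function (m) {
    m.enumerateExports().forEach(function (e) {
      if (e.type !== 'function') return;
      if (!regexes.some(function (r) { return r.test(e.name); })) return;
      var key = e.address.toString();
      if (seen[key]) return;  // one function may be exported under several names
      seen[key] = true;
      try {
        Interceptor.attach(e.address, {
          onEnter: function (args) {
            send({ name: e.name, module: m.name, t: Date.now() - t0 });
          }
        });
        hooked++;
      } catch (err) {
        // e.g. a function too short to patch; frida-trace skips these as well
      }
    });
  });
  send({ status: 'tracing', hooked: hooked });
})();
"""


def glob_to_regex(pattern):
    """Translate a frida-trace style glob ("recv*", "read?") into a regex that
    means the same in Python and in JavaScript: only ^ $ . .* and \\-escapes."""
    out = ["^"]
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch.isalnum() or ch == "_":
            out.append(ch)
        else:
            out.append("\\" + ch)
    out.append("$")
    return "".join(out)


def build_agent(patterns):
    """Embed the translated patterns into the agent source."""
    regexes = [glob_to_regex(p) for p in patterns]
    return AGENT_TEMPLATE.replace("%PATTERNS%", json.dumps(regexes))


def summarize(events):
    """Calls per hooked function, most frequent first, as (name, count) pairs."""
    counts = Counter(e["name"] for e in events if "name" in e)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def trace(target, patterns, usb=False):
    """Attach to target (PID or exact process name), hook, print until Ctrl+C."""
    import frida  # imported here so the helpers above run without Frida installed

    events = []

    def on_message(message, data):
        if message["type"] != "send":
            print(message, file=sys.stderr)  # errors raised inside the agent
            return
        p = message["payload"]
        if "status" in p:
            print("Started tracing %d functions. Press Ctrl+C to stop." % p["hooked"])
        else:
            events.append(p)
            print("%6d ms %s() [%s]" % (p["t"], p["name"], p["module"]))

    device = frida.get_usb_device() if usb else frida.get_local_device()
    session = device.attach(int(target) if target.isdigit() else target)
    script = session.create_script(build_agent(patterns))
    script.on("message", on_message)
    script.load()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    session.detach()
    return summarize(events)


if __name__ == "__main__":
    # python wildtrace.py Twitter "recv*" "read*"      (add --usb for a device)
    args = [a for a in sys.argv[1:] if a != "--usb"]
    for name, count in trace(args[0], args[1:], usb="--usb" in sys.argv):
        print("%-24s %d" % (name, count))
```

Two details worth noticing when you write your own tracer: hooks are keyed by address rather than by name, because a single function is often exported under several aliases and attaching twice to the same address is wasted work, and Interceptor.attach is wrapped in try/catch, because some exports are too small to be patched and frida-trace silently skips those too.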
