Global
we expose a set of api which are mainly short hands wrappers of frida api, functions to exchange data with the ui and perform operations while scripting.
addWatcher
addWatcher(0xc4d8ff30);
Add a memory watcher which will trigger dwarf ui and break the thread when a memory address got read or write
breakpoint
breakpoint();
In a standard hook it has no effect but, if you want to go outside the context (i.e tracer) you could find it useful to break the thread and control through ui
deleteHook
deleteHook(key);
Remove an hook by key. Could be a pointer if the hook is native, a module if it’s OnLoad or a string pointer or a string java class method etc
enumerateExports
enumerateExports(moduleName);
Enumerate exports for the given module name
enumerateImports
enumerateImports(moduleName);
Enumerate imports for the given module name
enumerateJavaClasses
enumerateJavaClasses();
Start enumeration of java classes async and send data to the ui
enumerateJavaMethods
enumerateJavaMethods();
Start enumeration of java methods async and send data to the ui
enumerateModules
enumerateModules();
Enumerate loaded modules
enumerateRanges
enumerateRanges();
Enumerate mapped ranges with all permissions
enumerateSymbols
enumerateSymbols(moduleName);
Enumerate symbols for the given module name
findExport
findExport('target_function'); findExport('target_function', 'target_module.so');
shortcut of frida api Module.findExportByName with the advantage to accept only 1 argument. if module is not set, default will be ‘libc’ on android and ‘libSystem.b.dylib’ for ios
findModule
findModule('target_module.so');
shortcut of frida api Process.findModuleBy|Name|Address
getAddressTs
getAddressTs(0xdb884dc2);
Check the data pointed by a pointer. ptr is an integer or an hexadecimal numeric string “0x1000”.
return an array with 2 values. First one representing the type of the data: 0: string, 1: pointer, 2: int, -1: error. Second one is the data
getRange
getRange(0xdb884dc2);
return a frida range object for the given address
getSymbolByAddress
getSymbolByAddress(0xdb884dc2);
return debug symbol for the given address
hookAllJavaMethods
hookAllJavaMethods('com.android.targetClass');
hook all the java methods of the given class
hookJava
hookJava('com.android.targetClass'); hookJava('com.android.targetClass.myMethod');
a shortcut to hook either a java constructor or method (all overloads)
hookJavaOnLoad
hookJavaOnLoad('com.android.targetClass');
breakpoint during loading cycle of the given class
hookNative
// breakpoint open hookNative(api.findExport('open'));
a shortcut to frida api Interceptor.attach() which pause the thread and let you debug through dwarf. Eventually, a logic (function()) can be added as second argument to perform additional stuffs and prevent the thread to be sleeped
hookNativeOnLoad
// breakpoint on open hookNativeOnLoad('libtarget.so');
hook a native module before initialization (works only on Android)
isAddressWatched
isAddressWatched(0xd6c8fd9a);
Return a boolean indicating if the address is currently watched
injectBlob
injectBlob(name, blobAsHex);
Uses syscall memfd create to map an fd in memory which can be dlopened. Provide a custom name for the fd and the bytes as hex string of the binary to inject
javaBacktrace
javaBacktrace();
A shortcut for java backtrace
nativeBacktrace
nativeBacktrace();
release
release(); release(1274);
Release a thread id and resume execution. (basically, unpause the thread after an hook is hit). Release all of them if no arg is specified
removeWatcher
removeWatcher(0xcfd4aab4);
Remove memory watcher from the given pointer
restart
restart();
Restart the application from main. This logic is only built for Android at the moment
setData
setData(key, value);
An api suggested by a friend to send data straight to the UI. You can check an example usage here
startJavaTracer
startJavaTracer(classes, callbacks); const classes = ['com.targerclass.first', 'com.targetclass.second']; // use ui startJavaTracer(classes); // use custom callbacks startJavaTracer(classes, { onEnter: function(args) { }, onLeave: function(ret) { return 'patched'; } });
Start tracing the given java classes
startNativeTracer
startNativeTracer(callback); startNativeTracer(function() { console.log(this.context); console.log(this.instruction); if (this.instruction.mnemonic === 'svc') { breakpoint(); } else if (this.context.pc === 0x10000) { this.stop(); } });
Start a native tracer which receive a callback each time an instruction got executed with context and instruction available in this object
stopJavaTracer
stopJavaTracer();
Stop the java tracer
fs
fs class exposes functions from wrapped libc api, such as popen etc. and allows file manipulation.
fclose
fgets
fileno
fputs
fopen
getline
popen
pclose
// real example from base library // both fopen/popen accept path and perm as string in params var f = fs.fopen('/path/to/my_file', 'r'); var buf = fs.allocateRw(Process.pointerSize); var len = fs.allocateRw(Process.pointerSize); var read; var lines = ""; while ((read = fs.getline(buf, len, f)) !== -1) { lines += Memory.readUtf8String(Memory.readPointer(buf)); } fs.fclose(f);
allocateRw
var buf = fs.allocateRw(1024);
allocate memory in the heap with read and write perm
readStringFromFile
var available_options = fs.readStringFromFile(this.PATH_OPTIONS).split('\n');
read the whole content of a file path and return it’s content as string
readStringFromFp
read the whole content of a file pointer (from fopen i.e) and return it’s content as string
writeStringToFile
fs.writeStringToFile("/path/to/file", "content");
write the content of arg1 in the path specified in arg0. Eventually, you can pass a third param boolean to append the content to an existing file
Thread
all functions from frida Thread are available.
new
Thread.new(function() { // do stuffs });
spawn a new thread using posix C api pthread_create
onCreate
Thread.onCreate(function(targetFunction) { // do stuffs });
get notified whenever a thread is being started with target function, so you can attach it