Introducing Frida


Greetings friends. It has been a while since I started working as a penetration tester; my main job is testing mobile applications, and my favorite tool is Frida, so I decided to write an article about it.

What is Frida?

Frida is a dynamic binary instrumentation framework available for multiple platforms. It is a very powerful tool that can be used to inspect and modify the memory of a running process. The following links are very helpful for digging deeper into this great tool:
– https://frida.re/docs/home/
– https://learnfrida.info/

Installation

Installing Frida is a very simple process; it can be done with pip as follows:
pip install frida-tools

Demo1

For the first demo we will use the following C program. As you can see from the source code, it is a very simple program that asks for two numbers as input and returns their sum.

After downloading the program we need to compile and execute it.

  • gcc example.c -o example
  • ./example

At this point, we can use Frida to attach to the process.

Once attached, we can use the following API to store a reference to the main binary (the first module of the process) in a variable:

var bin = Process.enumerateModulesSync()[0]

Then we can inspect which functions it defines using the enumerateSymbolsSync API:

Module.enumerateSymbolsSync(bin.name)

The focus of this demo is the add function, whose behavior we want to change. To do that we will use the Interceptor API, which allows us to inspect or modify the flow of a function.

Intercept the function arguments

// 0x10368deb0 is the address of add() in this run: it changes on every
// execution under ASLR, so it must be read again from enumerateSymbolsSync
Interceptor.attach(ptr(0x10368deb0), {
  onEnter(args) {
    // args[] holds the raw arguments; toInt32() reads them as C ints
    console.log("The function add is invoked")
    console.log("Arg 0", args[0].toInt32())
    console.log("Arg 1", args[1].toInt32())
  }
})

The next step is to modify the behavior of the function.

Modify the return value

Interceptor.attach(ptr(0x10368deb0), {
  onEnter(args) {
    console.log("The function add is invoked")
    console.log("Arg 0", args[0].toInt32())
    console.log("Arg 1", args[1].toInt32())
  },  // the comma between the two callbacks is required in an object literal
  onLeave(retval) {
    // overwrite the value the function is about to return
    retval.replace(10)
  }
})

Now the function will always return 10.

It is also possible to achieve this result by using the replace method to "rewrite" the function and change its behavior:

// resolve add() by name instead of using a hard-coded address
var add = Module.findExportByName(null, 'add');
// the NativeCallback takes over completely: the original add() is never executed
Interceptor.replace(add, new NativeCallback(function (arg1, arg2) {
  console.log(arg1, arg2);
  return arg1 * arg2;
}, 'int', ['int', 'int']));
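The hooks above depend on an address copied from one run and on add() being exported. As an added example (not code from the original post), the script below resolves add() by name with a fallback to the symbol table, keeps the arguments on `this` between onEnter and onLeave, and only overwrites the return value when asked to. It assumes the demo binary defines int add(int, int) as in the post's example.c; the names makeAddHooks and resolveFunction are my own.

```javascript
// Added example (not from the original post). Assumes the demo binary exposes
// a function named "add" with signature int add(int, int), as in the post's
// example.c. Hook logic is kept Frida-independent; only the last block needs
// the Frida runtime.

// Build the callbacks for Interceptor.attach(). `log` is injected so output can
// be captured; when `forcedResult` is given, the return value is overwritten.
function makeAddHooks(log, forcedResult) {
  return {
    onEnter(args) {
      // Frida preserves `this` between onEnter and onLeave of the same call.
      this.a = args[0].toInt32();
      this.b = args[1].toInt32();
      log('add(' + this.a + ', ' + this.b + ') called');
    },
    onLeave(retval) {
      const original = retval.toInt32();
      log('add returned ' + original);
      if (forcedResult !== undefined) {
        // Same mechanism as the post's retval.replace(10): a number is accepted.
        retval.replace(forcedResult);
        log('return value replaced with ' + forcedResult);
      }
    }
  };
}

// Resolve a function by name instead of a hard-coded address, which changes on
// every run under ASLR. Module.findExportByName(null, name) is the call the post
// uses (older Frida API; newer releases renamed it). A gcc build without
// -rdynamic does not export add(), so fall back to the main module's symbol
// table (works as long as the binary is not stripped). Mach-O symbol names
// carry a leading underscore, hence the second comparison.
function resolveFunction(name, modApi = Module, procApi = Process) {
  const exported = modApi.findExportByName(null, name);
  if (exported !== null) return exported;
  const mainModule = procApi.enumerateModules()[0];
  const sym = mainModule.enumerateSymbols()
    .find(s => s.name === name || s.name === '_' + name);
  return sym ? sym.address : null;
}

// Wire it up only inside Frida (the Interceptor global exists there).
if (typeof Interceptor !== 'undefined') {
  const target = resolveFunction('add');
  if (target === null) {
    console.log('add() not found: stripped binary or symbol not exported');
  } else {
    console.log('hooking add at ' + target);
    Interceptor.attach(target, makeAddHooks(console.log, 10));
  }
}
```

Load it with `frida -l script.js ./example` (assumed file name) and the arguments, the real result and the replaced value are printed for each call.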

All the code snippets are available here.

For any questions, feel free to contact me.