Greetings friends, it's been a while since I started working as a penetration tester; my main job is to test mobile applications, and my favorite tool is Frida, so I decided to write an article about it.
What is Frida?
Frida is a dynamic binary instrumentation framework available for multiple platforms. It is a very powerful tool that lets you inspect and modify a running process: read and write its memory, and hook or replace its functions to change what it does. The following links are very helpful to dig deeper into this great tool:
– https://frida.re/docs/home/
– https://learnfrida.info/
Installation
Installing Frida is a very simple process; it can be done with pip (this installs the frida command-line tools together with the Python bindings they need):
pip install frida-tools
Demo1
For the first demo, we will use the following C program. As you can see from the source code, it is a very simple program that asks for two numbers as input and returns their sum through an add function.
After downloading the program we need to compile and execute it:
- gcc example.c -o example
- ./example
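The article's example.c is not reproduced on this page, so here is a reconstruction that matches its description (two numbers in, their sum out through an add function). It is added for this edit and is not the author's original file; the prompts, the parse_int helper and the build flags in the header comment are my own choices. It also prints the runtime address of add and keeps running until EOF, which makes the demo easier to follow: you can attach Frida whenever you like, and you can see for yourself why the hook address changes between runs.

```c
/*
 * example.c: reconstruction of the demo target (added here; the article's
 * own file is not reproduced on the page). Reads two numbers and prints
 * their sum, computed by add(), the function the Frida scripts hook.
 *
 * Build: gcc -O0 -g -rdynamic example.c -o example
 *   -O0 / noinline : keep add() a real call so Interceptor.attach has an
 *                    entry point to hook (a hook on an inlined add() never fires)
 *   -rdynamic      : on Linux, put add in the dynamic symbol table so
 *                    Module.findExportByName(null, 'add') can resolve it
 *                    (macOS executables export global symbols by default)
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* noinline is belt-and-braces so the hook still works if someone builds
 * with -O2 and the compiler would otherwise fold add() into main(). */
__attribute__((noinline)) int add(int a, int b) {
    return a + b;
}

/* Strict base-10 parse of one input line. Returns 1 and sets *out on
 * success; returns 0 on empty input, trailing junk or overflow, so that
 * garbage never reaches add(). Leading and trailing whitespace is allowed. */
int parse_int(const char *line, int *out) {
    char *end;
    long v;

    if (line == NULL || *line == '\0')
        return 0;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE)
        return 0;
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;
    if (*end != '\0')
        return 0;
    if (v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Prompt, read one line from stdin and parse it; 0 on EOF or bad input. */
static int read_int(const char *prompt, int *out) {
    char buf[64];

    printf("%s", prompt);
    fflush(stdout);
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 0;
    return parse_int(buf, out);
}

int main(void) {
    int a, b;

    /* Print where add() lives in this run: with a PIE binary and ASLR the
     * address differs on every execution, which is why a Frida script should
     * resolve it by name (or module base + offset) rather than hard-code it. */
    printf("pid %d, add() at %p\n", (int)getpid(), (void *)add);

    /* Loop until EOF so the process stays alive: attach Frida, install the
     * hook, then type the numbers and watch onEnter/onLeave fire. */
    while (read_int("first number: ", &a) && read_int("second number: ", &b))
        printf("add(%d, %d) = %d\n", a, b, add(a, b));
    return 0;
}
```

Run it in one terminal, attach Frida from another, and type a pair of numbers after each script change; the printed address of add is what you would otherwise have to dig out of the symbol listing.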
At this point, while the program is waiting for input, we can attach Frida to the running process, for example from the REPL with frida -n example (or frida -p <pid>), which gives us an interactive JavaScript session inside the target.
In that session we can store a reference to the main executable's module in a variable; it is the first entry returned by Process.enumerateModules() (older Frida releases named this call enumerateModulesSync, which is why many tutorials still use that spelling):
var bin = Process.enumerateModules()[0];
Then we can list the functions the binary contains with the module's enumerateSymbols API (formerly Module.enumerateSymbolsSync(bin.name); enumerateExports lists only the exported ones). The output is long: look for the entry named add and note its address.
bin.enumerateSymbols();
The focus of this demo is the add function. To change its behavior we use the Interceptor API, which lets us inspect or modify the flow of a function. The address 0x10368deb0 below is the one observed for add in the author's run: with a PIE binary and ASLR it changes on every execution, so take it from your own symbol listing (or resolve it by name, as in the last snippet) instead of copying it.
Interceptor.attach(ptr('0x10368deb0'), {
    // Runs on every call to add(); args holds the raw arguments as NativePointers
    onEnter(args) {
        console.log('The function add is invoked');
        console.log('Arg 0', args[0].toInt32());
        console.log('Arg 1', args[1].toInt32());
    }
});
Modify the return value
Interceptor.attach(ptr('0x10368deb0'), {
    onEnter(args) {
        console.log('The function add is invoked');
        console.log('Arg 0', args[0].toInt32());
        console.log('Arg 1', args[1].toInt32());
    },  // the comma between the two callbacks is required
    // Runs when add() returns; retval is the raw return value and is
    // modified in place, so no return statement is needed
    onLeave(retval) {
        retval.replace(10);
    }
});
Now the function always returns 10, whatever it was asked to add. Rather than hooking the original, Interceptor.replace swaps it for our own implementation: a NativeCallback with the same signature (return type int, two int arguments) that multiplies instead of adding. Here add is resolved by name, which only works if it is in the binary's export table (on Linux build with -rdynamic); the lookup returns null otherwise, so check the result before passing it to Interceptor.replace. On Frida 17 and newer the same lookup is spelled Module.findGlobalExportByName('add').
var add = Module.findExportByName(null, 'add');
Interceptor.replace(add, new NativeCallback(function (arg1, arg2) {
    console.log('add called with', arg1, arg2);
    return arg1 * arg2;  // the caller now receives the product instead of the sum
}, 'int', ['int', 'int']));
All the snippets are available here.
For any questions, feel free to contact me.