Day 19: Getting Started with Frida Tools

What is FRIDA?

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

Quite frankly, FRIDA is awesome and I have been hooked ever since I first tried it. Today we will just get up and running with the basics, it’s super easy.

Modes of Operation

Injected

Most of the time you want to spawn an existing program, attach to a running program, or hijack one as it’s being spawned, and then run your instrumentation logic inside of it. As this is such a common way to use Frida, it is what most of the documentation focuses on. This functionality is provided by frida-core, which acts as a logistics layer that packages up GumJS into a shared library that it injects into existing software, and provides a two-way communication channel for talking to your scripts, if needed, and for unloading them later. Beside this core functionality, frida-core also lets you enumerate installed apps, running processes, and connected devices. The connected devices are typically iOS and Android devices where frida-server is running. That component is essentially just a daemon that exposes frida-core over TCP, listening on localhost:27042 by default.

Embedded

It is sometimes not possible to use Frida in Injected mode, for example on jailed iOS and Android systems. For such cases Frida provides frida-gadget, a shared library that you embed inside the program you want to instrument. Simply loading the library allows you to interact with it remotely, using existing Frida-based tools like frida-trace. It also supports a fully autonomous approach where it can run scripts off the filesystem without any outside communication.

Read more about Gadget in the Frida docs: https://frida.re/docs/gadget/

Preloaded

Perhaps you’re familiar with LD_PRELOAD, or DYLD_INSERT_LIBRARIES? Wouldn’t it be cool if there was JS_PRELOAD? This is where frida-gadget, the shared library discussed in the previous section, is really useful when configured to run autonomously by loading a script from the filesystem.


Tools

Frida also comes with command line tools, two of which we will use today, frida-ps and frida-trace.

Installation

pip install frida-tools

Check for Processes to Attach To

frida-ps

We see that syslog is running, so we attach to it and instrument functions whose names start with write. I chose write because a syslog daemon writes log entries, so we can assume it calls write. If you are looking at other apps you might look for conn (connections), sock (sockets), insert (databases) and so on: think about what the app is likely to do, or reverse-engineer or review any source code you can get hold of. Also check guides, API references and man pages to get an idea of what to instrument.

Attaching

frida-trace -i "write*" rsyslogd

As you can see, we now get output whenever the instrumented functions are called. This is the tip of the iceberg, but we already have far more visibility into the process than before.
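The natural next step after frida-trace is a small script of your own that hooks the same write calls and shows what they carry: file descriptor, length, a preview of the buffer, and the return value. The script below is an added example for this post, not code from the original article or from the Frida project. It assumes a Linux target whose libc module is named libc.so.6 (glibc) and the Frida 16-era JavaScript API (Interceptor, Process, NativePointer); the hook is installed only when the script runs inside Frida's agent, so the two formatting helpers can also be loaded and exercised on their own.

```javascript
// hook_write.js -- added example, not code from the original post or from the Frida project.
// Load it against the same process the post traces:
//     frida -l hook_write.js rsyslogd
// Assumptions: a Linux target whose libc module is "libc.so.6" (glibc) and the
// Frida 16-era JavaScript API (Interceptor, Process, NativePointer).

const MAX_PREVIEW = 48;   // bytes of each buffer to show per call

// Pure helper: render a byte slice as printable ASCII, escaping everything
// else as \xNN. It uses no Frida globals, so it can be tested outside the agent.
function previewBytes(bytes) {
  let out = '';
  for (const b of bytes) {
    out += (b >= 0x20 && b <= 0x7e)
      ? String.fromCharCode(b)
      : '\\x' + b.toString(16).padStart(2, '0');
  }
  return out;
}

// Pure helper: one log line per completed call. retval < 0 means write() failed.
function formatWriteEvent(fd, count, preview, retval) {
  const status = retval < 0 ? 'error' : retval + ' bytes';
  const tail = count > MAX_PREVIEW ? '...' : '';
  return 'write(fd=' + fd + ', count=' + count + ') -> ' + status +
         ' "' + preview + tail + '"';
}

// Skip stdout/stderr chatter and zero-length writes; for a log daemon the
// interesting traffic goes to log files and sockets, i.e. fd > 2.
function isInteresting(fd, count) {
  return fd > 2 && count > 0;
}

// Only install the hook inside Frida's agent; under plain Node the helpers
// above are still loadable for testing.
if (typeof Interceptor !== 'undefined') {
  const writeImpl = Process.getModuleByName('libc.so.6').getExportByName('write');
  Interceptor.attach(writeImpl, {
    onEnter(args) {
      // ssize_t write(int fd, const void *buf, size_t count)
      this.fd = args[0].toInt32();
      this.count = args[2].toUInt32();   // size_t truncated to 32 bits; fine for log lines
      this.preview = '';
      if (isInteresting(this.fd, this.count)) {
        const n = Math.min(this.count, MAX_PREVIEW);
        // readByteArray copies raw bytes, so binary or non-UTF-8 data cannot throw here.
        this.preview = previewBytes(new Uint8Array(args[1].readByteArray(n)));
      }
    },
    onLeave(retval) {
      if (!isInteresting(this.fd, this.count)) return;
      console.log(formatWriteEvent(this.fd, this.count, this.preview, retval.toInt32()));
    }
  });
}
```

State captured in onEnter is stashed on `this`, which Frida keeps per call so that onLeave can pair the return value with the arguments it saw. Reading the buffer with readByteArray rather than readUtf8String matters for a logger that may write binary or partially encoded data: a decode failure inside a hook would otherwise abort the call you are trying to observe.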

In the next post on Frida we will write our own program to attach to mobile apps and get deeper into peeling back the layers. Until then explore the Frida docs and have fun.