r2frida 😃

Frida{.pagelogo} A lot of the examples from this section has been obtained following examples from the youtube video linked below - > nowsecure/r2frida

  • Api documentation can be found on the Frida site

  • You can run js normally by \. ./path/to/script.js

Tips

Misc tips

  • Use the following syntax to trace. Example: \dtf write iZi (this was tested against node. Write is the symbol being hooked)

  • 🚀 af Analyze function while using r2frida. asciinema

  • 🚀 Example: Find classname from method asciinema

  • 🚀 Example: Interact with an applicaiton asciinema

Load a binary

Attach to a running process

On the host

  • r2 frida://Twitter
  • r2 frida://<pid>

On the device

  • r2 frida://<device_id>Twitter
  • r2 frida://<device_id><pid>

Spawn a process

On the host

  • r2 frida:///bin/ls
  • r2 "frida:///bin/ls -la" supply arguments

On a device

  • r2 frida://<device_id>//your.package.name

Frida commands

The commands here can be found using \? or =! when a binary is loaded using frida.

  • \? Show this help
  • \?V Show target Frida version
  • \/[j] <string|hexpairs> Search hex/string pattern in memory ranges (see search.in=?)

    • The regions to be searched can be modied using e search.in=?

    • 🚀 \/ search in memory. Example: asciinema

  • \/w[j] string Search wide string
  • \/v[1248][j] value Search for a value honoring e cfg.bigendian of given width

  • \e search.in=? r2fridas own search configuration

    ``` Specify which memory ranges to search in, possible values:

        perm:---        filter by permissions (default: 'perm:r--')
    current         search the range containing current offset
    path:pattern    search ranges mapping paths containing 'pattern'

    ```

  • \i Show target information

    • \i To make sure that r2 is configured properly, run .\i*

  • \ii[*] List imports

    • 🚀 \ii*Use this along with e asm.emustr=1 to conduct better analysis asciinema

  • \il List libraries

    • Use \il. to show current location

  • \is[*] <lib> List exports/entrypoints of lib

    • Use .\is* to import all exported symbols of a library as flags

  • \isa[*][j] (<lib>) <sym> Show address of symbol

    • \isa if exported multiple times with different addresses, all of them are shown

    • \isaj shows more information in its output. Use ~{} to pretty print

    • \ic <class> List Objective-C classes or methods of \<class>

    • 🚀 \ic helps you analyze classes and methods. asciinema

    • In the output for \ic, the + is for class methods, - for instance methods

    • \ip <protocol> List Objective-C protocols or methods of \<protocol>

    • \ip is similar to \ic but for Objective-C protocols

    • \fd[*j] <address> Inverse symbol resolution
    • \fd will reverse resolve a symbol.
    • \dd[-][fd] ([newfd]) List, dup2 or close filedescriptors

    • 📼 \dd Useful for getting data from STDIN or write STDOUT to a file. Useful for debugging applications that take input from STDIN. Spawn the process for this so that the process is suspended. To resume a suspended process, use \resume video

    • \dm[.|j|*] Show memory regions

    • 🚀 \dm Show memory maps. asciinema

    • \dm. Show the map containing the current offset

    • \dma <size> Allocate \<size> bytes on the heap, address is returned
    • \dmas <string> Allocate a string inited with \<string> on the heap

    • 🚀 \dmas Example of writing strings to the heap asciinema

    • \dmad <addr> <size> Allocate \<size> bytes on the heap, copy contents from \<addr>
    • \dmal List live heap allocations created with dma[s]
    • \dma- (<addr>...) Kill the allocations at (or all of them without param)
    • \dmp <addr> <size> <perms> Change page at \<address> with \<size>, protection \<perms> (rwx)

    • \dmp Change page permissions

    • \dp Show current pid

    • 🚀 Example showing \dp, \dpt and \dr. asciinema

    • \dpt Show threads
    • \dr Show thread registers (see dpt)
    • \env [k[=v]] Get/set environment variable

    • 🚀 \env can be used to manipulate or override environment variables. asciinema

    • \dl libname Dlopen a library

    • 📼 \dl Can be used to inject libraries. youtube

    • \dl2 libname [main] Inject library using Frida's >= 8.2 new API
    • \dt <addr> .. Trace list of addresses
    • \dt- Clear all tracing
    • \dtr <addr> (<regs>...) Trace register values
    • \dtf <addr> [fmt] Trace address with format (^ixzO) (see dtf?)

    Usage: dtf [format] || dtf [addr] [fmt] ^ = trace onEnter instead of onExit + = show backtrace on trace x = show hexadecimal argument i = show decimal argument z = show pointer to string O = show pointer to ObjC object - > 🚀 \dtf Lets us trace functions, methods etc. asciinema

    • \dtf can be used to trace a symbol, a function, or an address (could be middle of a function). By default it prints backtrace, but can also get values of specified registers.

  • \dtSf[*j] [sym|addr] Trace address or symbol using the stalker (Frida >= 10.3.13)

    • 📼 \dtSf Helpful in tracing a function and any other functions it calls. Solving the RHME3 qualifier whitebox challenge using dtSf

    • .\dtSf* [sym|addr] to save all the output into the radare2 trace sdb. This can then be accessed using the dt command.

    • \dtSf to only stalk code from the program, and not any other extended libraries, configure \e stalker.in = app

    • \dtS[*j] seconds Trace all threads for given seconds using the stalker
    • \di[0,1,-1] [addr] Intercept and replace return value of address

    • \di Highjack program execution

    • \dx [hexpairs] Inject code and execute it (TODO)
    • \dxc [sym|addr] [args..] Call the target symbol with given args

    • \dxc Call function by a symbol name or address passing the given arguments. The result can be inspected using r2. video

    • \e[?] [a[=b]] List/get/set config evaluable vars

    • \e patch.code=true Can also be used to patch code dynamically. Followed by wx [something] @ offset

    Usage: e [var[=value]]Evaluable vars patch.code = true search.in = perm:r-- search.quiet = false stalker.event = compile stalker.timeout = 300 stalker.in = raw

    • \e stalker.event=?

    ``` Specify the event to use when stalking, possible values:

        call            trace calls
    ret             trace returns
    exec            trace every instruction
    block           trace basic block execution (every time)
    compile         trace basic blocks once (this is the default)

    ```

  • \. script Run script

  • \<space\> code.. Evaluate Cycript code
  • \eval code.. Evaluate Javascript code in agent side
  • \dc Continue
  • \db Breakpoints

    • 🚀 \db does not set a real break point, but instead uses frida probes to suspend when that particular place is reached. asciinema

Resources, writeups etc

Spearing data in mobile memory: Building a better R2Frida memory search

Videos

r2con2017 - r2frida /by @mrmacete

r2con2017 - r2frida /by @mrmacete

Extending r2frida

Plugins

📼 Some details can be found here