{"id":846,"date":"2024-06-13T00:37:06","date_gmt":"2024-06-13T00:37:06","guid":{"rendered":"https:\/\/malwrforensics.com\/en\/?p=846"},"modified":"2024-06-13T02:37:05","modified_gmt":"2024-06-13T02:37:05","slug":"search-app-memory-with-frida","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2024\/06\/13\/search-app-memory-with-frida\/","title":{"rendered":"Search app memory with Frida"},"content":{"rendered":"\n

First, install Frida<\/a> on your local system.<\/p>\n\n\n\n

    \n
  1. pip3 install frida<\/li>\n\n\n\n
  2. pip3 install frida-tools <\/li>\n<\/ol>\n\n\n\n

    Now, we need to download frida-server<\/a>, and copy it on the Android phone. We’ll assume it’s this one: frida-server-16.3.3-linux-arm64.xz<\/a>.<\/p>\n\n\n\n

      \n
    1. unxz frida-server-16.3.3-linux-arm64.xz<\/li>\n\n\n\n
    2. mv frida-server-16.3.3-linux-arm64 frida-server<\/li>\n\n\n\n
    3. adb push frida-server \/data\/local\/tmp<\/li>\n\n\n\n
    4. adb shell<\/li>\n\n\n\n
    5. cd \/data\/local\/tmp<\/li>\n\n\n\n
    6. chmod 755 frida-server<\/li>\n\n\n\n
    7. .\/frida-server<\/li>\n<\/ol>\n\n\n\n

      If you want to run a specific app, execute frida-ps -U -ai and copy the name of the application you want to run. In this example, we’ll use com.your.target.app, but replace it as you see fit.<\/p>\n\n\n\n

      Now that everything is set, we can run frida on the local system. We’ll use the “-U” flag to tell it to check the USB devices.<\/p>\n\n\n\n

      frida -U com.your.target.app<\/em><\/p>\n\n\n\n

      If we want to search the memory, we can use the following JS code (we’ll search for “A A A A”)<\/p>\n\n\n\n

      \n
      \n
      \n
      \n
      \nconst ranges = Process.enumerateRanges('rw-'); ranges.forEach(function(range) {\n    if (range.base > 0x0) { \/\/ if you want to skip certain addresses\n        var flag = 0;\n        try {\n            \/\/ Attempt to read memory at the given address\n            Memory.readByteArray(ptr(range.base), range.size);\n          } catch (e) {\n            flag = 1;\n          }\n        if (flag == 0) {\n            const results = Memory.scanSync(range.base, range.size, \"41 41 41 41\"); \/\/ search for AAAA\n            results.forEach(function(match) {\n            console.log('Found pattern at:', match.address.toString());\n            \/\/Memory.writeU8(ptr(match.address.toString()), 0x42); \/\/ auto patch -> BAAA\n            });\n        }\n    }\n    else {console.log('Skip ', range.base.toString());}\n  });<\/pre>\n<\/div>\n\n\n\n
      If you want to change\/patch the value of a byte, you can use the following command (we’ll assume 0x12345678 is the address where 0x41 0x41 0x41 0x41 was found.<\/p>\n\n\n\n
      Memory.writeU8(ptr(‘0x12345678’), 0x42);<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
      First, install Frida on your local system. Now, we need to download frida-server, and copy it on the Android phone. We’ll assume it’s this one: frida-server-16.3.3-linux-arm64.xz. If you want to run a specific app, execute frida-ps -U -ai and copy the name of the application you want to run. In this example, we’ll use com.your.target.app, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[141,132,140],"class_list":["post-846","post","type-post","status-publish","format-standard","hentry","category-security","tag-adb","tag-android","tag-frida"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"
      First, install Frida on your local system. pip3 install frida pip3 install frida-tools Now, we need to download frida-server, and copy it on the Android phone. We’ll assume it’s this one: frida-server-16.3.3-linux-arm64.xz. unxz frida-server-16.3.3-linux-arm64.xz mv frida-server-16.3.3-linux-arm64 frida-server adb push frida-server \/data\/local\/tmp adb shell cd \/data\/local\/tmp chmod 755 frida-server .\/frida-server If you want to run a specific app, execute frida-ps -U -ai and copy the name of the application you want to run. In this example, we’ll use com.your.target.app, but replace it as you see fit. Now that everything is set, we can run frida on the local system. We’ll use…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=846"}],"version-history":[{"count":14,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/846\/revisions"}],"predecessor-version":[{"id":864,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/846\/revisions\/864"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}