Learn about binary instrumentation with the Frida toolkit.
About the Book
This book is about binary instrumentation using the Frida toolkit. Frida is an open-source binary instrumentation framework developed by @oleavr.
We will learn about binary instrumentation on Linux, macOS and Windows systems: what it is, how it can be useful to us, and how to work with the Frida toolkit in a practical way. The book includes basic examples and descriptions of Frida's APIs as well as more complex examples, such as parsing structs, obtaining decrypted text and writing C code with CModule.
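As a taste of what a Frida agent looks like, here is an added example (not code from the book or from the Frida project) that hooks an exported native function and decodes the struct its first argument points to. The module name `target.dll`, the export `process_record` and the `struct record` layout are assumptions made for this illustration. The decoding itself is plain JavaScript over an ArrayBuffer, which is exactly what Frida's `NativePointer.readByteArray()` returns, so the same parser runs under Node against a constructed buffer.

```javascript
// Added example, not from the book: a minimal Frida agent that reads a
// struct passed by pointer. Names and layout below are assumptions.
//
// Assumed C layout (x86-64, natural alignment, little-endian):
//   struct record {
//     uint32_t id;        // offset 0
//     uint16_t port;      // offset 4
//     uint8_t  flags;     // offset 6
//     uint8_t  _pad;      // offset 7 (compiler padding)
//     uint64_t timestamp; // offset 8
//     char     name[16];  // offset 16, NUL-terminated
//   };                    // sizeof == 32
const RECORD_SIZE = 32;

// Decode one record from raw bytes (an ArrayBuffer from readByteArray or a test buffer).
function parseRecord(buf) {
  if (buf.byteLength < RECORD_SIZE) {
    throw new Error('buffer too small for struct record');
  }
  const dv = new DataView(buf);
  const nameBytes = new Uint8Array(buf, 16, 16);
  const nul = nameBytes.indexOf(0);
  const nameLen = nul === -1 ? 16 : nul; // stop at the first NUL, cap at field size
  const name = String.fromCharCode(...nameBytes.subarray(0, nameLen));
  return {
    id: dv.getUint32(0, true),
    port: dv.getUint16(4, true),
    flags: dv.getUint8(6),
    timestamp: dv.getBigUint64(8, true),
    name,
  };
}

// Constructed sample bytes, laid out the way a native caller would fill the struct.
function sampleRecordBytes() {
  const buf = new ArrayBuffer(RECORD_SIZE);
  const dv = new DataView(buf);
  dv.setUint32(0, 0x1337, true);
  dv.setUint16(4, 443, true);
  dv.setUint8(6, 0x03);
  dv.setBigUint64(8, 1700000000n, true);
  const name = 'frida';
  const nameField = new Uint8Array(buf, 16, 16);
  for (let i = 0; i < name.length; i++) {
    nameField[i] = name.charCodeAt(i);
  }
  return buf;
}

// Frida-only part, guarded so the same file also loads under Node.
if (typeof Interceptor !== 'undefined') {
  // Hypothetical target: export process_record(const struct record *rec) in target.dll.
  const target = Process.getModuleByName('target.dll').getExportByName('process_record');
  Interceptor.attach(target, {
    onEnter(args) {
      // args[0] is assumed to point at a struct record; copy it out and decode it.
      const rec = parseRecord(args[0].readByteArray(RECORD_SIZE));
      console.log(JSON.stringify(rec, (k, v) => (typeof v === 'bigint' ? v.toString() : v)));
    },
  });
}
```

Reading the whole struct with one `readByteArray` and decoding it with a `DataView` keeps the offset arithmetic in one place and makes the parser testable outside the target process; on a 32-bit target the `uint64_t` field would still sit at offset 8 here, but other layouts should be re-derived from the compiler's alignment rules rather than assumed.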
- 1.1 Handbook structure
2 What we will need
- 2.1 System requirements
- 2.2 Software requirements
- 2.3 Programming language requirements
3 Binary instrumentation and Frida
- 3.1 Application and code-level instrumentation
- 3.2 Frida: a binary instrumentation toolkit
- 3.3 Instrumentation tool structure under Frida
- 3.4 Frida architecture basics
4 Frida usage basics
- 4.2 An overview of Frida API
4.3 Main features
- 4.3.1 Stalker: a code tracing engine
- 4.3.2 Hooks and the Interceptor API
- 4.4.1 Frida command line interface
- 4.4.2 frida-trace
5 Dealing with data types with Frida
5.1 Dealing with strings: Reading and allocation
- 5.1.1 Practical use case: Reading a WinAPI UTF16 string parameter
- 5.2.1 Numerical arguments passed by value
- 5.2.2 Numerical values by reference
- 5.2.3 Writing numbers
- 5.3 Pointers
- 5.4 Pointer to offsets
5.5 Getting pointers to exports
- 5.5.1 findExportByName vs getExportByName
- 5.6 Pointer to ArrayBuffers
- 5.7 Hexdump: getting a picture from a memory region
5.8 Writing our first agent
- 5.8.1 Writing the control script
- 5.9 Injecting our scripts using Frida’s command line
- 5.10 Remote instrumentation
6 Intermediate usage
- 6.1 Defining globals in Frida’s REPL
- 6.2 Following child processes
6.3 Creating NativeFunctions
- 6.3.1 Using NativeFunction to call system APIs
- 6.4 Modifying return values
- 6.5 Access values after usage
- 6.6 CryptDecrypt: A practical case
- 6.7 Modifying values before execution
- 6.8 Undoing instrumentation
- 6.9.1 std::vector in MSVC
- 6.10 Operating with ArrayBuffers
7 Advanced usage
7.1 NOP functions
- 7.1.1 Using the replace API
- 7.1.2 Patching memory
7.2 Memory scanning
- 7.2.1 Reacting on memory patterns
7.3 Using custom libraries (DLL/.so)
- 7.3.1 Creating a custom DLL
- 7.3.2 Using our custom library
- 7.4 Reading and writing registers
7.5 Reading structs
- 7.5.1 Reading from a user-controlled struct
- 7.6 SYSCALL struct
- 7.7 WINAPI struct
- 7.8 Tips for calculating structure offsets
- 7.9.1 CModule: A practical use case
- 7.9.2 CModule: Reading return values
- 7.9.4 CModule: Sharing state between JS and C
7.10 Sharing state between two CModule objects
- 7.10.1 Notifying from C code
- 7.11 CModule boilerplates
- 7.12.1 Getting a thread id
- 7.12.2 Stalker: Tracing from a known function call
- 7.12.3 Tracing instructions
- 7.12.4 Getting RET addresses
- 8.1 ObjC
- 8.2 Intercepting NSURL InitWithString
- 8.3 Obj-C: Intercepting fileExistsAtPath
- 8.4 ObjC: Methods with multiple arguments
- 8.5 ObjC: Reading a CFDataRef
- 8.6 Getting CryptoKit’s AES.GCM.seal data before encryption
- 8.7 Swift.String
9 Android instrumentation
9.1 Setting up the environment
- 9.1.1 Android emulator
- 9.1.2 frida-server
- 9.1.3 Java API
9.2 Java.perform() API
- 9.2.1 Instrumenting Android applications
- 9.2.2 Reading values
- 9.2.3 Replacing return values
- 9.2.4 Replacing arguments
- 9.2.5 Instrumenting constructors
- 9.2.6 Bytearray values
9.3 Method overloads
- 9.3.1 Stacktraces
9.4 Frida detection mechanisms
- 9.4.1 /data/local/tmp/frida-server
- 9.4.2 /proc/self/maps
- 10.0.1 Testing r2frida
10.1 Tracing functions
- 10.1.1 Tracing functions from imports/exports
- 10.1.2 Tracing functions by using offsets
- 10.2 Disassembling functions in memory
- 10.3 Replace return values
- 10.4 Replacing return values (hijacking)
- 10.5 Allocating strings
- 10.6 Calling functions
11 Optimizing our Frida setup
- 11.1 Building an optimized Frida agent
12 A real-world use case: Building an anti-cheat with Frida
- 12.1 Background
12.2 Anti-cheat Requirements
- 12.2.1 Timenudge
- 12.3 Quick environment setup
- 12.4 Anti-cheat architecture
12.5 Extending the banlist
- 12.5.1 Monitoring userinfo changes
- 12.5.2 Predicting timenudge values
12.6 Optimizing G_RunFrame calls
- 12.6.1 Persistence across map changes
- 12.6.2 Conclusions
13 Resources