Frida handbook
Frida handbook
Learn about binary instrumentation with the Frida toolkit.
About the Book
This book is about binary instrumentation using the Frida toolkit. Frida is an open-source binary instrumentation framework developed by @oleavr.
We will learn about binary instrumentation under Linux, MacOs and Windows systems, what it is and how it can be useful for us as well as how to work with the Frida toolkit in a practical way. The book includes basic examples and descriptions of Frida's APIs as well as more complex examples such as parsing structs, obtaining decrypted text and CModule.
Table of Contents
-
1 Introduction
- 1.1 Handbook structure
-
2 What we will need
- 2.1 System requirements
- 2.2 Software requirements
- 2.3 Programming language requirements
-
3 Binary instrumentation and Frida
- 3.1 Application and code-level instrumentation
- 3.2 Frida: a binary instrumentation toolkit
- 3.3 Instrumentation tool structure under Frida
- 3.4 Frida architecture basics
-
4 Frida usage basics
- 4.1 JavaScript vs TypeScript
- 4.2 An overview of Frida API
-
4.3 Main features
- 4.3.1 Stalker: a code tracing engine
- 4.3.2 Hooks and the Interceptor API
-
4.4 frida-tools
- 4.4.1 Frida command line interface
- 4.4.2 frida-trace
-
5 Dealing with data types with Frida
-
5.1 Dealing with strings: Reading and allocation
- 5.1.1 Practical use case: Reading a WinAPI UTF16 string parameter
-
5.2 Numbers
- 5.2.1 Numerical arguments passed by value.
- 5.2.2 Numerical values by reference
- 5.2.3 Writing numbers
- 5.3 Pointers
- 5.4 Pointer to offsets
-
5.5 Getting pointers to exports
- 5.5.1 findExportByName vs getExportByName
- 5.6 Pointer to ArrayBuffers
- 5.7 Hexdump: getting a picture from a memory region
-
5.8 Writing our first agent.
- 5.8.1 Writing the control script
- 5.9 Injecting our scripts using Frida’s command line
- 5.10 Remote instrumentation
-
5.1 Dealing with strings: Reading and allocation
-
6 Intermediate usage
- 6.1 Defining globals in Frida’s REPL
- 6.2 Following child processes
-
6.3 Creating NativeFunctions
- 6.3.1 Using NativeFunction to call system APIs
- 6.4 Modifying return values
- 6.5 Access values after usage
- 6.6 CryptDecrypt: A practical case.
- 6.7 Modifying values before execution
- 6.8 Undoing instrumentation
-
6.9 std::string
- 6.9.1 std::vector in MSVC
- 6.10 Operating with ArrayBuffers
-
7 Advanced usage
-
7.1 NOP functions
- 7.1.1 Using the replace API
- 7.1.2 Patching memory
-
7.2 Memory scanning
- 7.2.1 Reacting on memory patterns
-
7.3 Using custom libraries (DLL/.so)
- 7.3.1 Creating a custom DLL
- 7.3.2 Using our custom library
- 7.4 Reading and writing registers
-
7.5 Reading structs
- 7.5.1 Reading from a user-controlled struct.
- 7.6 SYSCALL struct
- 7.7 WINAPI struct.
- 7.8 Tips for calculating structure offsets
-
7.9 CModule
- 7.9.1 CModule: A practical use case
- 7.9.2 CModule: Reading return values
- 7.9.3 CModule vs JavaScript agent performance
- 7.9.4 CModule: Sharing state between JS and C
-
7.10 Sharing state between two CModule objects
- 7.10.1 Notifying from C code
- 7.11 CModule boilerplates
-
7.12 Stalker
- 7.12.1 Getting a thread id
- 7.12.2 Stalker: Tracing from a known function call
- 7.12.3 Tracing instructions
- 7.12.4 Getting RET addresses
-
7.1 NOP functions
-
8 MacOS
- 8.1 ObjC
- 8.2 Intercepting NSURL InitWithString
- 8.3 Obj-C: Intercepting fileExistsAtPath
- 8.4 ObjC: Methods with multiple arguments.
- 8.5 ObjC: Reading a CFDataRef
- 8.6 Getting CryptoKit’s AES.GCM.seal data before encryption
- 8.7 Swift.String
-
9 Android instrumentation
-
9.1 Setting up the environment
- 9.1.1 Android emulator
- 9.1.2 frida-server
- 9.1.3 Java API
-
9.2 Java.perform() API
- 9.2.1 Instrumenting Android applications
- 9.2.2 Reading values
- 9.2.3 Replacing return values
- 9.2.4 Replacing arguments
- 9.2.5 Instrumenting constructors
- 9.2.6 Bytearray values
-
9.3 Method overloads
- 9.3.1 Stacktraces
-
9.4 Frida detection mechanisms
- 9.4.1 /data/local/tmp/frida-server
- 9.4.2 /proc/self/maps
-
9.1 Setting up the environment
-
10 r2frida
-
- 10.0.1 Testing r2frida
-
10.1 Tracing functions
- 10.1.1 Tracing functions from imports/exports
- 10.1.2 Tracing functions by using offsets
- 10.2 Disassembling functions in memory
- 10.3 Replace return values
- 10.4 Replacing return values (hijacking)
- 10.5 Allocating strings
- 10.6 Calling functions
-
-
11 Optimizing our Frida setup
- 11.1 Building an optimized Frida agent
-
12 A real-world use case: Building an anti-cheat with Frida
- 12.1 Background
-
12.2 Anti-cheat Requirements
- 12.2.1 Timenudge
- 12.3 Quick environment setup
- 12.4 Anti-cheat architecture
-
12.5 Extending the banlist
- 12.5.1 Monitoring userinfo changes
- 12.5.2 Predicting timenudge values
-
12.6 Optimizing G_RunFrame calls
- 12.6.1 Persistence across map changes
- 12.6.2 Conclusions
- 13 Resources
The Leanpub 60 Day 100% Happiness Guarantee
Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.
You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!
So, there's no reason not to click the Add to Cart button, is there?
See full terms...
Earn $8 on a $10 Purchase, and $16 on a $20 Purchase
We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.
(Yes, some authors have already earned much more than that on Leanpub.)
In fact, authors have earnedover $13 millionwriting, publishing and selling on Leanpub.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them