How to hijack Android OS calls with Frida

Learn how to intercept Android system calls

pentesting.academy
Jul 14, 2022

When we are performing a pentest on an Android app, it is sometimes useful to capture the parameters that the application passes to a function, or even to hijack a specific function so that it returns different values.

Let's see in this article how we can intercept and even hijack any method from a given Android APK.

First, you can retrieve the package name with this command:

adb shell pm list packages

The method you want to hijack can be identified by reverse engineering the APK, by targeting a commonly used method (as in the example below), or by reading it from adb logcat.

The following standalone Frida script intercepts and dumps every call to the method javax.crypto.Mac.doFinal. In this example we only dump the parameters and then hand control back to the original method, so the app keeps working normally.

Usage:

Usage: <script> <package name> <method>
Example: <script> com.android...... javax.crypto.Mac.doFinal

#!/usr/bin/python3
# Intercepts and dumps all parameters of the method given on the command line
# DEFENSAHACKER Academy

import frida, sys

# Frida script template; __CLS__ and __METH__ are filled in from the command line
CODE = r'''
Java.perform(() => {
    // Hook every overload of __CLS__.__METH__ (e.g. javax.crypto.Mac.doFinal)
    const clazz = Java.use('__CLS__');
    clazz['__METH__'].overloads.forEach(f => {
        f.implementation = function(...args) {
            var hexkey = "";
            console.log(`[*] [${new Date().toString()}] __CLS__.__METH__() called! Args: ${args.join(', ')}`);
            console.log("[-] Number of args: " + args.length);
            // Only dump the first argument when it is a byte array (doFinal() also has a zero-arg overload)
            if (args.length > 0 && Array.isArray(args[0])) {
                console.log("[-] length(args[0])= " + args[0].length);
                for (var i = 0; i < args[0].length; i++) {
                    // Java bytes arrive signed; mask to 0..255 before converting to a char
                    hexkey = hexkey + String.fromCharCode(args[0][i] & 0xff);
                }
                console.log("[-] input string= " + hexkey);
            }
            console.log('');
            // Call the original method and hand its result back to the app
            return f.call(this, ...args);
        }
    })
})
'''

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print("Usage: %s <package name> <method>" % sys.argv[0])
        print("Example: %s com.android...... javax.crypto.Mac.doFinal" % sys.argv[0])
        sys.exit(1)
    package = sys.argv[1]
    method = sys.argv[2]
    # Split "javax.crypto.Mac.doFinal" into the class and the method name
    cls, _, meth = method.rpartition('.')
    device = frida.get_usb_device()
    print("[*] Spawning process %s\n" % package)
    pid = device.spawn([package])
    session = device.attach(pid)
    if hasattr(session, 'enable_jit'):
        session.enable_jit()    # only needed (and only present) on older Frida versions
    script = session.create_script(CODE.replace('__CLS__', cls).replace('__METH__', meth))
    script.load()               # install the hook before the app starts running
    device.resume(pid)
    sys.stdin.read()

From the above code, feel free to change the call we are intercepting to any other you are researching.
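As an added example (not the article's script), the same idea can be restructured so the hook sends structured events back to Python with Frida's send()/message channel instead of console.log: each argument is reported with its length and hex encoding, the original result is returned untouched, and the hook is loaded before the process is resumed so calls made at startup are not missed. It assumes the frida Python bindings and a USB-attached device running frida-server; the target is given in the page's form, e.g. javax.crypto.Mac.doFinal. The helper names (split_target, build_hook_script, format_event, on_message) are this example's own.

```python
#!/usr/bin/env python3
"""Hook any Java method with Frida and collect its arguments as structured events.

Added example, not the original article's script. Assumes the `frida` Python
bindings are installed and a device with frida-server is reachable over USB.
"""
import sys

# Frida script template; __CLS__ and __METH__ are filled in by build_hook_script().
# Java byte[] arguments reach JavaScript as arrays of signed ints, so every
# byte is masked with 0xff before being rendered as hex.
HOOK_TEMPLATE = r'''
Java.perform(() => {
    const CLS = "__CLS__";
    const METH = "__METH__";
    const toHex = (arr) => arr.map(b => (b & 0xff).toString(16).padStart(2, "0")).join("");
    const describe = (a) => Array.isArray(a)
        ? { kind: "bytes", len: a.length, hex: toHex(a) }
        : { kind: "other", repr: String(a) };
    const clazz = Java.use(CLS);
    clazz[METH].overloads.forEach((f) => {
        f.implementation = function (...args) {
            // Report every argument; a zero-arg overload simply yields an empty list.
            send({ cls: CLS, meth: METH, args: args.map(describe) });
            // Forward to the original implementation and return its result unchanged.
            return f.call(this, ...args);
        };
    });
});
'''


def split_target(target: str):
    """'javax.crypto.Mac.doFinal' -> ('javax.crypto.Mac', 'doFinal')."""
    cls, sep, meth = target.rpartition(".")
    if not sep or not cls or not meth:
        raise ValueError(f"expected <fully.qualified.Class>.<method>, got {target!r}")
    return cls, meth


def build_hook_script(target: str) -> str:
    """Fill the class and method name into the Frida script template."""
    cls, meth = split_target(target)
    return HOOK_TEMPLATE.replace("__CLS__", cls).replace("__METH__", meth)


def format_event(payload: dict) -> str:
    """Render one hook event (the dict sent from JavaScript) as a single log line."""
    parts = []
    for a in payload.get("args", []):
        if a.get("kind") == "bytes":
            parts.append(f"bytes[{a['len']}]=0x{a['hex']}")
        else:
            parts.append(a.get("repr", "?"))
    return f"{payload['cls']}.{payload['meth']}({', '.join(parts)})"


def on_message(message, data):
    """Frida message callback: 'send' carries our payload, 'error' a JS exception."""
    if message.get("type") == "send":
        print("[*] " + format_event(message["payload"]))
    elif message.get("type") == "error":
        print("[!] " + message.get("stack", message.get("description", "unknown error")))


def main(argv):
    if len(argv) != 3:
        print(f"Usage: {argv[0]} <package name> <fully.qualified.Class.method>")
        return 1
    import frida  # imported here so the pure helpers above work without Frida installed
    package, target = argv[1], argv[2]
    device = frida.get_usb_device()
    pid = device.spawn([package])          # process starts paused
    session = device.attach(pid)
    script = session.create_script(build_hook_script(target))
    script.on("message", on_message)
    script.load()                          # hook is in place before any app code runs
    device.resume(pid)
    sys.stdin.read()                       # keep the session alive until Ctrl-D / Ctrl-C
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design choices differ from the article's script: loading the script before resume() closes the window in which the app could already be calling the hooked method, and sending events as objects rather than formatted strings lets the Python side log, filter or save them without re-parsing console output.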
