Learn Pentesting like a Pro!

Share this post

Learn Pentesting like a Pro!
Learn Pentesting like a Pro!
How to hijack Android OS calls with Frida
Copy link
Facebook
Email
Notes
More

How to hijack Android OS calls with Frida

Learn how to intercept Android system calls

DH
Jul 14, 2022

Share this post

Learn Pentesting like a Pro!
Learn Pentesting like a Pro!
How to hijack Android OS calls with Frida
Copy link
Facebook
Email
Notes
More
Share

When we are performing a pentest on an Android app, sometimes is useful to get the parameters that the application is sending through a function or even hijack some specific function to return other values.

Let's see in this article how we can intercept and even hijack any method from a given Android APK.

First, you can retrieve the package name with this command:

adb shell pm list packages

The method that you are interested to hijack, you can retrieve it doing reverse engineering, targeting for a specific common method or even getting it from adb logcat.

The following frida standalone script will intercept and dump any call to the internal function javax.crypto.Mac.doFinal. In this example, we only dump the parameters and after that redirect the program flow to the original function.

Usage:

Usage: %0 <package name> <method>
Example: %0 com.android...... javax.crypto.Mac.doFinal
#!/usr/bin/python3
# Intercepts and dumps all parameters of method given in the command line
# DEFENSAHACKER Academy

import frida, sys

CODE = r'''
Java.perform(() => {
    // We overload javax.crypto.Mac.doFinal()

    const method = Java.use('javax.crypto.Mac');
    method.doFinal.overloads.forEach(f => {
        f.implementation = function(...args) {
            var hexkey= "";
            console.log(`[*] [${new Date().toString()}] javax.crypto.Mac.doFinal() called! Args: ${args.join(', ')}`);
            console.log("[-] Number of args: " + args.length);
            console.log("[-] length(args[0])= " + args[0].length);
            for (var i = 0; i < args[0].length; i++) {
                hexkey = hexkey + String.fromCharCode(args[0][i]);
            }
            console.log("[-] input string= " + hexkey);
            console.log('');
            // We develop an original method.
            f.call(this, ...args);
        }
    })
})
'''

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print ("Usage: %0 <package name> <method>" %sys.argv[0])
        print ("Example: %0 com.android...... javax.crypto.Mac.doFinal" %sys.argv[0])
        sys.exit(1)
    package= sys.argv[1]
    method=  sys.argv[2];
    device = frida.get_usb_device()
    print("[*] Spawing process %s\n" %package)
    pid = device.spawn([package])
    session = device.attach(pid)
    session.enable_jit()
    script = session.create_script(CODE)
    device.resume(pid)
    script.load()
    sys.stdin.read()

From the above code, feel free to change the call we are intercepting to any other you are researching.

Thanks for reading Learn Pentesting like a Pro! Subscribe for free to receive new posts

Share this post

Learn Pentesting like a Pro!
Learn Pentesting like a Pro!
How to hijack Android OS calls with Frida
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2024 pentesting.academy
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More