
@oleavr
oleavr / 00-frida-footprint.md
Last active July 5, 2023 14:24
Frida features vs binary footprint

All config.mk features enabled on linux-armhf

3.8M frida-inject
2.6M frida-portal
3.2M frida-server

 15M frida-agent.so
 15M frida-gadget.so

oleavr / vice.js
Last active December 4, 2021 03:19
VICE bridge
const vice = Process.getModuleByName('/usr/lib/c64emu.rgl');
const mainloopOuterLoop = vice.getExportByName('maincpu_mainloop').add(0xf4);
const memStore = new NativeFunction(vice.getExportByName('mem_store'), 'void', ['uint16', 'uint8'], { exceptions: 'propagate' });
const ioPending = Memory.alloc(4);
const ioCallbacks = [];
function poke(address, value) {
schedule(() => { memStore(address, value); });
}

oleavr / scapy.js
Last active July 23, 2020 14:59
How to pronounce “Scapy”, according to macOS
setImmediate(function () {
var NSAutoreleasePool = ObjC.classes.NSAutoreleasePool;
var NSSpeechSynthesizer = ObjC.classes.NSSpeechSynthesizer;
var pool = NSAutoreleasePool.alloc().init();
try {
var synth = NSSpeechSynthesizer.alloc().init();
var voices = NSSpeechSynthesizer.availableVoices();

oleavr / simpleceptor-arm.ts
Created May 19, 2020 02:22
Simplified Interceptor reimplemented in TypeScript
const THUMB_HOOK_REDIRECT_SIZE = 8;
const THUMB_BIT_REMOVAL_MASK = ptr(1).not();
const trampolines: NativePointer[] = [];
const replacements: NativePointer[] = [];
export function makeTrampoline(target: NativePointer): NativePointer {
const targetAddress = target.and(THUMB_BIT_REMOVAL_MASK);
const trampoline = Memory.alloc(Process.pageSize);

oleavr / hello.js
Created February 18, 2020 01:11
Frida Hello World
/*
* Try it on a running process like this:
*
* $ frida gimp-2.10 -l hello.js
*
* This uses the Frida REPL, which supports live-reload.
*/
Interceptor.attach(Module.getExportByName(null, 'open'), {
onEnter: function (args) {

oleavr / dump-stack.js
Last active January 30, 2024 15:03
ArtStackVisitor example
const Java = require('frida-java-bridge');
const { getApi, withRunnableArtThread, ArtStackVisitor, translateMethod } = require('frida-java-bridge/lib/android');
Java.perform(() => {
const AccountManager = Java.use('android.accounts.AccountManager');
const m = AccountManager.getAccounts;
m.implementation = function (...args) {
console.log('getAccounts() called from: ' + JSON.stringify(captureBacktrace(), null, 2));
return m.apply(this, args);

oleavr / jit-example.js
Created January 27, 2019 20:18
Frida JIT example
'use strict';
const slowCallback = new NativeCallback(value => {
console.log('slowCallback hit');
return 43;
}, 'int', ['int']);
const fastCallback = Memory.alloc(Process.pageSize);
Memory.patchCode(fastCallback, 128, code => {
const cw = new X86Writer(code, { pc: fastCallback });

oleavr / frida-logging.md
Last active April 7, 2023 08:53
Frida logging hacks

Frida logging helper

Helpers for adding temporary logging to understand Frida's own behavior, for the cases where it is impractical to use Frida to instrument Frida.

Choose one of these and copy-paste it into e.g. lib/interfaces/session.vala, then use log_event ("name='%s'", name); to log.

When something appears to be hanging, try applying: x-async-debug.patch.


oleavr / QuakeRESTAPIDemo.md
Last active July 6, 2021 19:04
Quake REST API demo

Build

npm install

Run

$ frida QuakeSpasm --enable-jit -l _agent.js
$ curl -s http://localhost:1337/stats | jq
$ curl -s -X POST http://localhost:1337/attack | jq

oleavr / explore.js
Created January 13, 2018 20:01
Block recv() example
'use strict';
Interceptor.attach(ptr('0x103cdbf40'), {
onEnter: function (args) {
send({ type: 'need-input' });
var operation = recv(function (res) {
args[0] = ptr(res);
});
operation.wait();
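The host half of this handshake, as an added example that is not part of oleavr's gist: the agent sends a need-input request and blocks the hooked thread in recv().wait() until the host posts a reply, and the host must answer every such request or the target thread stays parked. Two assumptions differ from the preview above and are not from the page: the hook target is the exported open() rather than a raw address, and the host posts a path string that the agent allocates with Memory.allocUtf8String() instead of a raw pointer value as in args[0] = ptr(res). The redirect table is constructed for the demo.

```python
import json
import sys

# Constructed redirect table for the demo (not from the gist): when the
# instrumented process opens one of these paths, the host tells the agent to
# substitute the replacement path.
REDIRECTS = {
    "/etc/hosts": "/tmp/hosts.sandboxed",
    "/etc/resolv.conf": "/tmp/resolv.conf.sandboxed",
}

# Agent side. Assumed hook target: the exported open(). The gist hooks a raw
# address and has the host post a pointer; here the host posts a path string.
AGENT_SOURCE = r"""
Interceptor.attach(Module.getExportByName(null, 'open'), {
  onEnter(args) {
    const path = args[0].readUtf8String();
    send({ type: 'need-input', path: path });
    // Block this thread until the host has posted its decision. Nothing else
    // happens on this thread until then, so the host must answer every request.
    const operation = recv(reply => {
      if (reply.redirect !== null) {
        // Keep the buffer on `this` so it outlives onEnter (released after onLeave).
        this.redirected = Memory.allocUtf8String(reply.redirect);
        args[0] = this.redirected;
      }
    });
    operation.wait();
  }
});
"""


def reply_for(message):
    """Decide what to post back for one message received from the agent.

    Returns the reply payload for a 'need-input' request (always a dict, so the
    blocked thread is released even when nothing is redirected), or None for
    messages that must not be answered (console output, errors, other sends).
    """
    if message.get("type") != "send":
        return None
    payload = message.get("payload")
    if not isinstance(payload, dict) or payload.get("type") != "need-input":
        return None
    path = payload.get("path")
    return {"redirect": REDIRECTS.get(path)}


def main(target):
    import frida  # only needed for a live session (pip install frida)

    session = frida.attach(target)
    script = session.create_script(AGENT_SOURCE)

    def on_message(message, data):
        reply = reply_for(message)
        if reply is not None:
            script.post(reply)  # releases the agent's recv().wait()
            if reply["redirect"] is not None:
                print("redirected %s -> %s" % (message["payload"]["path"], reply["redirect"]))
        elif message.get("type") == "error":
            print(message.get("stack") or json.dumps(message), file=sys.stderr)

    script.on("message", on_message)
    script.load()
    input("Hooked open() in %r; press Enter to detach\n" % (target,))
    session.detach()


if __name__ == "__main__":
    arg = sys.argv[1]
    main(int(arg) if arg.isdigit() else arg)
```

Usage: `python3 redirect_open.py <pid-or-process-name>`. The blocked thread is the one that called open(), so a slow or missing reply stalls the target (a GUI main thread included); keep the handler cheap and post exactly one reply per need-input message. The decision logic lives in reply_for() so it can be exercised without a target process.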