@oleavr
oleavr / qnx-probe-physical-memory.c
Last active February 12, 2024 15:17
How to probe the total amount of physical memory on QNX
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syspage.h>
int
main(int argc, char *argv[])
{
struct asinfo_entry *entries = SYSPAGE_ENTRY(asinfo);
size_t count = SYSPAGE_ENTRY_SIZE(asinfo) / sizeof(struct asinfo_entry);
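The preview above stops right after computing the entry count. As an added example (not the gist's own code), the portable C model below shows the step that follows on QNX: walk the asinfo table, resolve each entry's name through the strings section, and sum the inclusive [start, end] ranges named "ram". The struct asinfo_like, ASINFO_NO_OWNER and the sample tables are assumptions and constructed data standing in for QNX's struct asinfo_entry, AS_NULL_OFF and the real syspage, so the code builds and runs without QNX headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for QNX's struct asinfo_entry (assumption: a simplified model of
 * <sys/syspage.h>; field names and the inclusive `end` follow QNX, but this is
 * not the real header). */
struct asinfo_like {
    uint64_t start;   /* first byte of the range */
    uint64_t end;     /* last byte of the range, inclusive */
    uint16_t owner;   /* byte offset of the parent entry, or ASINFO_NO_OWNER */
    uint16_t name;    /* byte offset into the strings table */
};

#define ASINFO_NO_OWNER 0xffffu  /* assumed sentinel, stands in for AS_NULL_OFF */

/* Constructed strings table modelling SYSPAGE_ENTRY(strings)->data. */
static const char sample_strings[] = "memory\0ram\0io\0";
enum { NAME_MEMORY = 0, NAME_RAM = 7, NAME_IO = 11 };

/* Constructed asinfo table: a "memory" root, two RAM ranges and an MMIO
 * window, the children all owned by the root entry at byte offset 0. */
static const struct asinfo_like sample_entries[] = {
    { 0x00000000u, 0xffffffffu, ASINFO_NO_OWNER, NAME_MEMORY },
    { 0x00100000u, 0x1fffffffu, 0,               NAME_RAM    }, /* 511 MiB */
    { 0x40000000u, 0x7fffffffu, 0,               NAME_RAM    }, /* 1 GiB  */
    { 0xf0000000u, 0xffffffffu, 0,               NAME_IO     },
};
#define SAMPLE_COUNT (sizeof(sample_entries) / sizeof(sample_entries[0]))

/* Sum the bytes of every entry whose name resolves to "ram". This mirrors
 * walking SYSPAGE_ENTRY(asinfo) on QNX: `name` is an offset into the strings
 * section, and `end` is inclusive, hence the +1. */
uint64_t total_ram_bytes(const struct asinfo_like *entries, size_t count,
                         const char *strings)
{
    uint64_t total = 0;
    for (size_t i = 0; i < count; i++) {
        const struct asinfo_like *e = &entries[i];
        if (strcmp(strings + e->name, "ram") != 0)
            continue;
        if (e->end < e->start)   /* malformed entry: skip instead of underflowing */
            continue;
        total += e->end - e->start + 1;
    }
    return total;
}

/* Convenience wrapper over the constructed table. */
uint64_t sample_total_ram_bytes(void)
{
    return total_ram_bytes(sample_entries, SAMPLE_COUNT, sample_strings);
}

int main(void)
{
    uint64_t bytes = sample_total_ram_bytes();
    printf("total RAM: %llu bytes (%llu MiB)\n",
           (unsigned long long)bytes, (unsigned long long)(bytes >> 20));
    return 0;
}
```

On a real QNX target the two constructed tables are replaced by SYSPAGE_ENTRY(asinfo) and SYSPAGE_ENTRY(strings)->data, and the entry count comes from SYSPAGE_ENTRY_SIZE(asinfo) as in the preview. Note that "ram" entries describe physical RAM the kernel knows about, which is not the same as memory currently free, so this probe answers "how much RAM is installed", not "how much is available".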
@oleavr
oleavr / dump-stack.js
Last active January 30, 2024 15:03
ArtStackVisitor example
const Java = require('frida-java-bridge');
const { getApi, withRunnableArtThread, ArtStackVisitor, translateMethod } = require('frida-java-bridge/lib/android');
Java.perform(() => {
const AccountManager = Java.use('android.accounts.AccountManager');
const m = AccountManager.getAccounts;
m.implementation = function (...args) {
console.log('getAccounts() called from: ' + JSON.stringify(captureBacktrace(), null, 2));
return m.apply(this, args);
@oleavr
oleavr / frida-core-1.0.vapi
Last active January 20, 2024 03:15
The frida-core API consumed by bindings like frida-python, frida-qml, etc.
[CCode (cheader_filename = "frida-core.h", cprefix = "Frida", lower_case_cprefix = "frida_")]
namespace Frida {
public static void init ();
public static void shutdown ();
public static void deinit ();
public static unowned GLib.MainContext get_main_context ();
public class DeviceManager : GLib.Object {
public DeviceManager ();
@oleavr
oleavr / _FridaCommonJSIntegration.md
Last active January 8, 2024 16:21
How to consume npm modules from Frida agent scripts

Install Node.js 5.x, then:

npm install frida co uuid

and run:

node app.js
@oleavr
oleavr / simpleceptor-arm.ts
Created May 19, 2020 02:22
Simplified Interceptor reimplemented in TypeScript
const THUMB_HOOK_REDIRECT_SIZE = 8;
const THUMB_BIT_REMOVAL_MASK = ptr(1).not();
const trampolines: NativePointer[] = [];
const replacements: NativePointer[] = [];
export function makeTrampoline(target: NativePointer): NativePointer {
const targetAddress = target.and(THUMB_BIT_REMOVAL_MASK);
const trampoline = Memory.alloc(Process.pageSize);
@oleavr
oleavr / trust-manager.js
Created June 8, 2017 13:49
How to implement an X509TrustManager using Frida
'use strict';
var TrustManager;
var manager;
Java.perform(function () {
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
TrustManager = Java.registerClass({
name: 'com.example.TrustManager',
@oleavr
oleavr / jit-example.js
Created January 27, 2019 20:18
Frida JIT example
'use strict';
const slowCallback = new NativeCallback(value => {
console.log('slowCallback hit');
return 43;
}, 'int', ['int']);
const fastCallback = Memory.alloc(Process.pageSize);
Memory.patchCode(fastCallback, 128, code => {
const cw = new X86Writer(code, { pc: fastCallback });
@oleavr
oleavr / 00-frida-footprint.md
Last active July 5, 2023 14:24
Frida features vs binary footprint

All config.mk features enabled on linux-armhf

3.8M frida-inject
2.6M frida-portal
3.2M frida-server

 15M frida-agent.so
 15M frida-gadget.so
@oleavr
oleavr / 00-README.md
Last active June 16, 2023 02:11
Frida devkit examples

frida-gum-example.c

$ clang -Wall -Os -pipe -g3 frida-gum-example.c -o frida-gum-example -L. -lfrida-gum -lresolv -Wl,-dead_strip -Wl,-no_compact_unwind
$ ./frida-gum-example
[*] open("/etc/hosts")
[*] close(3)
[*] open("/etc/fstab")
[*] close(-1)
[*] listener got 4 calls

[*] listener still has 4 calls

@oleavr
oleavr / frida-logging.md
Last active April 7, 2023 08:53
Frida logging hacks

Frida logging helper

For adding temporary logging to help understand behavior. For when it is impractical to use Frida to instrument Frida.

Choose one of these and copy-paste it into e.g. lib/interfaces/session.vala, then use log_event ("name='%s'", name); to log.

When something appears to be hanging, try applying: x-async-debug.patch.