From c272d6290392773e447fba5e4897ffd471dac737 Mon Sep 17 00:00:00 2001
From: Jean-Marie 'Histausse' Mineau
Date: Fri, 11 Jul 2025 19:27:03 +0200
Subject: [PATCH] frida
---
 0_preamble/notations.typ | 2 ++
 2_background/X_android.typ | 8 ++++----
 2_background/X_tools.typ | 11 +++++++++--
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/0_preamble/notations.typ b/0_preamble/notations.typ
index c102007..a8bcf84 100644
--- a/0_preamble/notations.typ
+++ b/0_preamble/notations.typ
@@ -1,4 +1,5 @@
 #let ADB = link()[ADB]
+#let API = link()[API]
 #let APK = link()[APK]
 #let ART = link()[ART]
 #let AXML = link()[AXML]
@@ -18,6 +19,7 @@
 [Acronyms], [Meanings],
 ),
 ADB, [Android Debug Bridge, a tool to connect to an Android emulator of smartphone to run commands, start applications, send events and perform other operations for testing and debuging purpose ],
+ API, [Application Programming Interface, in the Android echosystem, it is a set of classes with known method signatures that can be called by an application to interact with the Android framework ],
 APK, [Android Package, the file format used to install application on Android. The APK format is an extention of the #JAR format ],
 ART, [Android RunTime, the runtime environement that execute an Android application. The ART is the successor of the older Dalvik Virtual Machine ],
 AXML, [Android #XML. The specific flavor of #XML used by Android. The main specificity of AXML is that it can be compile in a binary version inside an APK ],
diff --git a/2_background/X_android.typ b/2_background/X_android.typ
index f061284..d101bd2 100644
--- a/2_background/X_android.typ
+++ b/2_background/X_android.typ
@@ -1,4 +1,4 @@
-#import "../lib.typ": todo, APK, JAR, AXML, ART, SDK, JNI, NDK, DEX, XML
+#import "../lib.typ": todo, APK, JAR, AXML, ART, SDK, JNI, NDK, DEX, XML, API
 
 == Android
 
@@ -76,7 +76,7 @@ The `R.java` file allows the developer to refere to ressources with readable nam
 The source code is then compile.
 The most common programming langages used for Android application are Java and Kotlin.
 Both are first compiled to java bytecode in `.class` files using the langage compiler.
-To allow access to the Android API, the `.class` are linked during the compilation to an `android.jar` file that contains classes with the same signatures as the one in the Android API for the targeted SDK.
+To allow access to the Android #API, the `.class` are linked during the compilation to an `android.jar` file that contains classes with the same signatures as the one in the Android #API for the targeted SDK.
 The `.class` files are the converted to #DEX files using `d8`.
 During those steeps, both the original langage compiler and `d8` can perform optimizations on the classes.
 
@@ -120,9 +120,9 @@ In the course of a componant live cicle, the system will call specifics methods
 Those methods are to be overrident by the classes defined in the application if they are specific action to be perfomed.
 For instance, an activitymight compute some values in `onCreate()`, called when the activity is created, save the value of those variable to the file system in `onStop()`, called when the acitivity stop being visible to the user, and recover the saved values in `onRestart()`, called when the user navigate back to the activity.
 
-In addition to the componants declared in the manifest that act as entry points, the Android API heavily relies on callbacks.
+In addition to the componants declared in the manifest that act as entry points, the Android #API heavily relies on callbacks.
 The most obvious cases are for the user interface, for example a button will call a callback method defined by the application when clicked.
-Other part of the API also rely on non-linear execution, for example when an application send an itent (see @sec:bg-sandbox), the intent sent in responce is transmitted to back to the application by calling another method.
+Other part of the #API also rely on non-linear execution, for example when an application send an itent (see @sec:bg-sandbox), the intent sent in responce is transmitted to back to the application by calling another method.
 
 ==== Application Isolation and Interprocess Communication
 
diff --git a/2_background/X_tools.typ b/2_background/X_tools.typ
index 22853de..0f9edd9 100644
--- a/2_background/X_tools.typ
+++ b/2_background/X_tools.typ
@@ -1,4 +1,4 @@
-#import "../lib.typ": todo, APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML
+#import "../lib.typ": todo, APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML, API
 
 == Android Reverse Engineering Tools
 
@@ -69,6 +69,13 @@ Compared to Soot, it has a modernize interface and architecture, but it is not y
 === Frida
-Fidra#footnote[https://frida.re/] is a dynamic intrumentation toolki.
+Fidra#footnote[https://frida.re/] is a dynamic intrumentation toolkit.
+It allows the reverse engineer to inject and run javascript code inside a running application.
+To instrument an application, the frida server must be running as root on the phone, or the frida librairy must be injected inside the #APK file before installing it.
+Frida defines a javascript wrapper arround the Java Native Interface (JNI) used by native code to interact with Java classes and the Android i#API.
+In addition to allowing interaction with Java objects from the application and the Android API, this wrapper provide the option to replace a method implementation by a javascript function (that itself can call the original method implementation if needed).
+This make Frida a powerfull tool capable of collecting runtime informations or modifying the behavior of an application as needed.
+The main drawback of using Frida is that it is a known tools easily detected by applications.
+Malware might implement countermeasures that avoid running malicious payload in presence of Frida.