
apk: Allow injecting and configuring the Frida Gadget #167

Merged
merged 2 commits into from
Oct 19, 2024

Conversation

tchebb
Contributor

@tchebb tchebb commented Oct 8, 2024

Add a new -g/--gadget flag, which when passed causes frida-apk to inject the given Frida Gadget shared library. Along with the library itself, a wrap.sh file is injected that LD_PRELOADs the gadget, which Android allows because we also make the app debuggable. The injected gadget can be configured with a new -c/--gadget-config flag, which overrides arbitrary entries in the injected gadget config file.

This contribution is on behalf of my company.

@tchebb tchebb changed the title Inject gadget apk: Allow injecting and configuring the Frida Gadget Oct 8, 2024
@s1341

s1341 commented Oct 9, 2024

Could you give an example of its usage?

@oleavr oleavr force-pushed the main branch 2 times, most recently from d9c9911 to bfaa242, October 17, 2024 13:00
@tchebb
Contributor Author

tchebb commented Oct 18, 2024

Yep! To make an app debuggable, you run frida-apk as before with no arguments:

$ frida-apk Magisk-v28.0.apk
$ aapt d xmltree Magisk-v28.0.d.apk AndroidManifest.xml | grep android:debuggable
      A: android:debuggable(0x0101000f)=(type 0x12)0xffffffff

But now, you also have the option of passing -g <gadget-path> to inject the given Frida Gadget shared library into the APK along with a wrap.sh script that causes the app to always load the gadget on launch (using LD_PRELOAD—no bytecode patching needed):

$ frida-apk -g frida-gadget-16.5.2-android-arm64.so Magisk-v28.0.apk
$ aapt d xmltree Magisk-v28.0.d.apk AndroidManifest.xml | grep android:debuggable
      A: android:debuggable(0x0101000f)=(type 0x12)0xffffffff
$ unzip -l Magisk-v28.0.d.apk | tail
     2463  10-18-2024 13:18   res/zV.9.png
      956  10-18-2024 13:18   res/zc.xml
      448  10-18-2024 13:18   res/zp.xml
      464  10-18-2024 13:18   res/zq.xml
  1564588  10-18-2024 13:18   resources.arsc
       62  10-18-2024 13:18   lib/arm64-v8a/wrap.sh
       54  10-18-2024 13:18   lib/arm64-v8a/libfridagadget.config.so
 25662288  09-26-2024 16:14   lib/arm64-v8a/libfridagadget.so
---------                     -------
 45261353                     967 files

Now, whenever the app launches, the gadget will run in its default configuration and pause the process, waiting for Frida to attach. You can use the -c option to override individual entries in the "interaction" JSON configuration object: frida-apk -g frida-gadget-16.5.2-android-arm64.so -c on_load=resume Magisk-v28.0.apk, for example, will produce an APK that starts without waiting for Frida to attach, but still runs the gadget.

Happy to provide more details if you'd like. Is there a manual or documentation for frida-apk somewhere? I wanted to add exactly this information, but I couldn't find any existing documentation at all.
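Added example, not frida-tools' own code and not the PR's implementation: a small Python model of the scheme described in the comment above (gadget dropped under lib/<abi>/, a wrap.sh that LD_PRELOADs it, a config file whose "interaction" entries are overridden from key=value pairs like on_load=resume), followed by an inspection routine that reports those same artifacts, which is what an app-security reviewer would look for when checking whether a build shipped with an instrumentation gadget. The exact wrap.sh text, the default config contents, the int conversion of digit-only values, and the placeholder APK/.so bytes are assumptions; the example does not patch AndroidManifest.xml or re-sign the output, both of which a real injection needs.

```python
"""Model of the frida-apk gadget injection described in the PR (added example, not project code).

Assumptions not taken from the page: the wrap.sh text, the default "interaction"
object, and that digit-only override values become JSON integers.
"""
import json
import os
import tempfile
import zipfile

# File names as they appear in the PR's unzip listing.
GADGET_LIB = "libfridagadget.so"
GADGET_CONFIG = "libfridagadget.config.so"
WRAP_SCRIPT = "wrap.sh"

# Assumed default: the gadget listens and pauses the process until Frida attaches.
DEFAULT_INTERACTION = {"type": "listen", "on_load": "wait"}


def parse_overrides(pairs):
    """Turn ['on_load=resume', 'port=27043'] into entries for the "interaction" object.

    Digit-only values become ints (assumption; the PR only shows a string value).
    """
    overrides = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {pair!r}")
        overrides[key] = int(value) if value.isdigit() else value
    return overrides


def build_gadget_config(overrides=None):
    """Gadget config JSON with the overrides merged into the "interaction" section."""
    interaction = dict(DEFAULT_INTERACTION)
    interaction.update(overrides or {})
    return json.dumps({"interaction": interaction})


def build_wrap_script(lib_name=GADGET_LIB):
    """wrap.sh that preloads the gadget and then execs the real app command line.

    Android only honours wrap.sh for debuggable apps, which is why frida-apk also
    sets android:debuggable (assumed script text, modelled on the NDK wrap.sh docs).
    """
    return f'#!/system/bin/sh\nLD_PRELOAD="$(dirname "$0")/{lib_name}" exec "$@"\n'


def inject_gadget(src_apk, dst_apk, gadget_so_bytes, abi="arm64-v8a", overrides=None):
    """Copy src_apk to dst_apk, adding gadget, config and wrap.sh under lib/<abi>/.

    The manifest is left untouched and the result is unsigned; a real tool must
    set android:debuggable and re-sign before the APK will install.
    """
    lib_dir = f"lib/{abi}/"
    with zipfile.ZipFile(src_apk) as src, \
            zipfile.ZipFile(dst_apk, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info, src.read(info))
        dst.writestr(lib_dir + GADGET_LIB, gadget_so_bytes)
        dst.writestr(lib_dir + GADGET_CONFIG, build_gadget_config(overrides))
        dst.writestr(lib_dir + WRAP_SCRIPT, build_wrap_script())
    return dst_apk


def find_injected_gadget(apk_path):
    """Reviewer-side check: report every wrap.sh, whether it preloads something,
    whether the gadget library sits beside it, and the shipped interaction config."""
    findings = []
    with zipfile.ZipFile(apk_path) as apk:
        names = set(apk.namelist())
        for name in sorted(names):
            if not (name.startswith("lib/") and name.endswith("/" + WRAP_SCRIPT)):
                continue
            lib_dir = name[: -len(WRAP_SCRIPT)]
            script = apk.read(name).decode("utf-8", "replace")
            config_name = lib_dir + GADGET_CONFIG
            interaction = None
            if config_name in names:
                interaction = json.loads(apk.read(config_name)).get("interaction")
            findings.append({
                "abi": lib_dir.split("/")[1],
                "ld_preload": "LD_PRELOAD" in script,
                "gadget_present": (lib_dir + GADGET_LIB) in names,
                "interaction": interaction,
            })
    return findings


def demo():
    """Build a constructed stand-in APK, inject with on_load=resume, then inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "app.apk")
        dst = os.path.join(tmp, "app.d.apk")
        with zipfile.ZipFile(src, "w") as z:  # constructed placeholder entries, not a real app
            z.writestr("AndroidManifest.xml", b"<binary-axml-placeholder/>")
            z.writestr("classes.dex", b"dex\n035\x00placeholder")
        inject_gadget(src, dst, b"\x7fELF-placeholder", overrides=parse_overrides(["on_load=resume"]))
        return find_injected_gadget(dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints one finding for arm64-v8a with ld_preload and gadget_present true and interaction {"type": "listen", "on_load": "resume"}; the same inspection over an unmodified build returns an empty list, which makes it a cheap pre-release check for leftover instrumentation.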

Add a new -g/--gadget flag, which when passed causes frida-apk to inject
the given Frida Gadget shared library. Along with the library itself, a
wrap.sh file[1] is injected that LD_PRELOADs the gadget, which Android
allows because we also make the app debuggable.

[1]: https://developer.android.com/ndk/guides/wrap-script
Add a -c/--gadget-config flag, valid when --gadget is also in use, that
adds arbitrary entries to the injected gadget's config file's
"interaction" section[1].

[1]: https://frida.re/docs/gadget/
@oleavr oleavr merged commit af32002 into frida:main Oct 19, 2024
3 checks passed
@oleavr
Member

oleavr commented Oct 19, 2024

Thanks! 🙌

Regarding documentation, feel free to open a PR on frida-website -- we have some docs for some of the CLI tools in frida-tools, but not yet this one.

@tchebb tchebb deleted the inject-gadget branch October 21, 2024 15:08