Table of Contents

Binary instrumentation and Frida

• Application and code-level instrumentation
• Frida: a binary instrumentation toolkit
  • Supported architectures and systems
• Instrumentation tool structure under Frida
• Frida architecture basics

Frida usage basics

• JavaScript vs TypeScript
• An overview of Frida API
• Main features
  • Stalker: a code tracing engine
  • Hooks and the Interceptor API
• frida-tools
  • Frida command line interface
  • frida-trace
• Dealing with data types with Frida
• Dealing with strings: Reading and allocation
  • Practical use case: Reading a WinAPI UTF16 string parameter
• Numbers
  • Numerical arguments passed by value.
  • Numerical values by reference
  • Writing numbers
• Pointers
• Pointer to offsets
• Getting pointers to exports
  • findExportByName vs getExportByName
• Pointer to ArrayBuffers
  • Size of pointers
• Hexdump: getting a picture from a memory region
• Writing our first agent.
  • Writing the control script
• Injecting our scripts using Frida's command line
• Remote instrumentation

Intermediate usage

• Defining globals in Frida's REPL
• Following child processes
• Creating NativeFunctions
  • Using NativeFunction to call system APIs
• Modifying return values
• Access values after usage
• CryptDecrypt: A practical case.
• Modifying values before execution
• Undoing instrumentation
• std::string
• std::vector
  • std::vector in MSVC++
• Operating with ArrayBuffers

Advanced usage

• NOP functions
  • Using the replace API
  • Patching memory
• Memory scanning
  • Memory scanning: Reacting on memory patterns
• Using custom libraries (DLL/.so)
  • Creating a custom DLL
  • Using our custom library
• Reading and writing registers
• Reading structs
  • Reading from a user-controlled struct.
• SYSCALL struct
• WINAPI struct.
• Tips for calculating structure offsets
• CModule
  • CModule: A practical use case
  • CModule: Reading return values
  • CModule vs JavaScript agent performance
  • CModule: Sharing state between JS and C
  • CModule: Sharing state between two CModule objects
  • CModule: Notifying from C code
• CModule boilerplates
• Stalker
  • Getting a thread id
  • Stalker: Tracing from a known function call
  • Tracing instructions
  • Getting RET addresses

MacOS

• ObjC
• Intercepting NSURL InitWithString
• Obj-C: Intercepting fileExistsAtPath
• ObjC: Methods with multiple arguments.
• ObjC: Reading a CFDataRef
• Getting CryptoKit's AES.GCM.seal data before encryption
• Swift.String

Android and Java API

• Setting up the environment
  • frida-server
  • Java API
• Java.perform()
  • Reading method parameters
  • Replacing return values
  • Replacing arguments
  • Instrumenting constructors
  • []byte arrays
  • Method overloading
  • Stacktraces
• Anti-Frida mechanisms
  • frida-server
  • /proc/self/maps

r2frida

• Testing r2frida's setup
• Tracing functions
  • Tracing functions from imports/exports
  • Tracing functions by using offsets
• Disassembling functions in memory
• Replacing return values
• Allocating strings
• Calling functions

Optimizing our Frida setup

• Building an optimized Frida agent