By default, Frida's gadget will attach a debugger to the target process.
To bypass or detect this behavior, we can use the following script to bypass the debugger detection, injecting it before the app has time to check for a debugger.
// Hook ptrace so every call the target process makes is logged as it happens
Interceptor.attach(Module.findExportByName(null, "ptrace"), {
    onEnter: function (args) {
        console.log("ptrace called");
    }
});
Frida Server's default listening port is 27042. In some cases, an app will check whether port 27042 is open.
To bypass or detect this behavior, we can make frida-server listen on another port:
frida-server -l 0.0.0.0:27043
By default, Frida communicates with the client over WebSocket. In some cases, an app will pretend to be a WebSocket client and connect to the server.
To bypass or detect this behavior, we can set the origin (--origin) to any string:
# On frida-server
frida-server -l 0.0.0.0:27043 --origin=AKANE
# On client
frida-ps -H device_ip:27043 --origin=AKANE
Alternatively, we can set a certificate so that Frida's communication is only performed over TLS:
# On frida-server
frida-server -l 0.0.0.0:27043 --certificate=certificate.pem
# On client
frida-ps -H device_ip:27043 --certificate=certificate.pem
When the Frida gadget is injected into a process, it leaves some artifacts, especially in memory.
To bypass or detect this behavior, we can use a customized frida-server such as:
It is recommended that you build Frida yourself so that any string artifacts are changed, in case the developer has already flagged the binaries from the repo release.
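As an added example (not code from the original page), here are app-side checks for the two indicators above: a listener on the default port 27042, and Frida string artifacts in the process's memory maps. It runs on constructed /proc excerpts embedded below; the function names and marker list are hypothetical.

```python
"""Constructed app-side checks for the two Frida indicators discussed above.
Uses sample /proc excerpts embedded here instead of reading the live files."""

FRIDA_DEFAULT_PORT = 27042  # stock frida-server listen port (0x69A2)

# Constructed /proc/net/tcp excerpt: local_address is hex ip:port, st 0A is LISTEN.
# Row 1 is a listener on 27042; row 2 is an established socket (st 01), not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0 100 0 0 10 0
   1: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0100007F:69A2 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0 100 0 0 10 0
"""

# Constructed /proc/self/maps excerpt; one mapping carries the "frida" string
# artifact that a stock build leaves behind (a rebuilt server with renamed
# strings, as recommended above, would not match this).
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1b000000-7a1b400000 r-xp 00000000 fd:00 4242    /data/local/tmp/re.frida.server/frida-agent-64.so
7f2c000000-7f2c020000 r--p 00000000 fd:00 1337    /system/lib64/libc.so
"""

FRIDA_MARKERS = ("frida", "gadget")  # hypothetical marker list; tune per app


def listening_ports(proc_net_tcp):
    """Return the set of local ports of all sockets in LISTEN state (st == 0A)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex
    return ports


def frida_port_open(proc_net_tcp, port=FRIDA_DEFAULT_PORT):
    """True if something is listening on the (default) frida-server port.
    Defeated by `frida-server -l 0.0.0.0:27043` unless the app checks that port too."""
    return port in listening_ports(proc_net_tcp)


def suspicious_mappings(maps, markers=FRIDA_MARKERS):
    """Return pathnames of mappings whose name contains a Frida marker string."""
    hits = []
    for line in maps.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode pathname
        if len(fields) == 6 and any(m in fields[5].lower() for m in markers):
            hits.append(fields[5])
    return hits
```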
There are lots of ways to detect Frida gadgets, which might be overwhelming; one of them is debugger detection.
But let's say you found a way to inject a library into the target process; then you can use Frida's GumJS.
It injects the script directly through memory without needing a gadget.
Compile AndroGum using the NDK and use the library to inject a script.
Don't forget to download libfrida-gumjs.a and put it in the same directory as Android.mk.