Frida detection is a common Android reverse engineering technique that is often used to prevent applications from being reverse engineered. If you encounter Frida detection, here are some things you can try to bypass it:
-
Use Magisk Hide module: Magisk is a powerful Android root tool, and it comes with a Magisk Hide module that can help you hide root permissions. This can help you bypass Frida detection.
-
Use the Xposed framework: The Xposed framework can help you implement some advanced Android reverse engineering techniques, including bypassing Frida detection. You can use Xposed modules to hide your application information.
-
Use Frida Gadget: Frida Gadget is a small app for Frida detection that can help you bypass detection. Using it with Frida can help you achieve advanced Android reverse engineering.
apk case analysis
When the process is found to exit when using frida to attach, we first check where the process ends
function hook_dlopen() {
Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),
{
onEnter: function (args) {
var pathptr = args[0];
if (pathptr !== undefined && pathptr != null) {
var path = ptr(pathptr).readCString();
console.log("load " + path);
}
}
}
);
}
Through dlopen, it can be found that the process ends at the execution of the module libnative-lib.so
Analyze the module libnative-lib.so, find the key location
There are two places to exit the process. The function check_loop detects frida by looking up key strings in the maps memory.
void __fastcall __noreturn check_loop(void *a1)
{
for ( i = 0; ; ++i )
{
fd = open("/proc/self/maps", 0);
if ( fd >= 1 )
{
while ( read(fd, buf, 0x200u) >= 1 )
{
v11 = buf;
v10 = "frida";
haystack = buf;
needle = "frida";
if ( strstr(buf, "frida") )
{
v1 = getpid();
kill(v1, 9);
}
if ( sscanf(buf, "%x-%lx %4s %lx %*s %*s %s", &buf[516], &buf[512], &v5, &v4, s) == 5
&& v5 == 114
&& v6 == 112
&& !v4 )
{
strlen(s);
}
}
}
close(fd);
sleep(1u);
}
}Mark the exit positions of these two processes through breakpoints to facilitate subsequent return and viewing
There are two places to modify, direct IDA keypath nop to repackage, or use frida hook. Next, use frida hook to nop the two key points to end the process
1.nop drop the exit call at 0x9498
2.nop kill at 0x92C2
The implementation code is as follows
//指令输出
function dis(address, number) {
for (var i = 0; i < number; i++) {
var ins = Instruction.parse(address);
console.log("address:" + address + "--dis:" + ins.toString());
address = ins.next;
}
}
/*call_function
static void call_function(const char* function_name __unused,
linker_ctor_function_t function,
const char* realpath __unused //加载的当前模块路径
)
}*/
function hook() {
//call_function("DT_INIT", init_func_, get_realpath());
var linkermodule = Process.getModuleByName("linker");
var call_function_addr = null;
var symbols = linkermodule.enumerateSymbols();
for (var i = 0; i < symbols.length; i++) {
var symbol = symbols[i];
if (symbol.name.indexOf("__dl__ZL13call_functionPKcPFviPPcS2_ES0_") != -1) {
call_function_addr = symbol.address;
}
}
Interceptor.attach(call_function_addr, {
onEnter: function (args) {
var type = ptr(args[0]).readUtf8String();
var address = args[1];
var sopath = ptr(args[2]).readUtf8String();
console.log("loadso:" + sopath + "--addr:" + address + "--type:" + type);
if (sopath.indexOf("libnative-lib.so") != -1) {
var libnativemodule = Process.getModuleByName("libnative-lib.so");
var base = libnativemodule.base;
//nop kill
// .text:000092BA B loc_92BC
// .text:000092BC ; ---------------------------------------------------------------------------
// .text:000092BC
// .text:000092BC loc_92BC ; CODE XREF: check_loop(void *)+5E↑j
// .text:000092BC BLX getpid
// .text:000092C0 MOVS R1, #9 ; sig
// .text:000092C2 BLX kill
console.log("---------------- nop kill begin -------------")
dis(base.add(0x92BA).add(1), 10);
//方式一修改内存
// Memory.protect(base.add(0x92C2), 4, 'rwx');
// base.add(0x92C2).writeByteArray([0x00, 0xbf, 0x00, 0xbf]);
//方式二修改内存
var patchaddr=base.add(0x92C2);
Memory.patchCode(patchaddr, 4, patchaddr => {
var cw = new ThumbWriter(patchaddr);
cw.putNop();
var cw = new ThumbWriter(patchaddr.add(0x2));
cw.putNop();
cw.flush();
});
console.log("++++++++++++ nop kill end +++++++++++++")
dis(base.add(0x92BA).add(1), 10);
// nop exit
// .text:0000948E CMP R0, #0
// .text:00009490 BEQ loc_949C
// .text:00009492 B loc_9494
// .text:00009494 ; ---------------------------------------------------------------------------
// .text:00009494
// .text:00009494 loc_9494 ; CODE XREF: anti_frida_loop(void)+26↑j
// .text:00009494 MOV.W R0, #0xFFFFFFFF ; status
// .text:00009498 BLX exit
console.log("--------------- nop exit begin -------------")
dis(base.add(0x948E).add(1), 10); //keystone
Memory.protect(base.add(0x9498), 4, 'rwx');
base.add(0x9498).writeByteArray([0x00, 0xbf, 0x00, 0xbf]);
console.log("+++++++++++++++ nop exit end +++++++++++++")
dis(base.add(0x948E).add(1), 10);
}
}
})
}
function main(){
hook();
}
setImmediate(main);Summarize:
There are many ways to bypass Frida detection, here are some possible ways:
1. Use the Frida Bypass plug-in: This is a Frida plug-in that can automatically bypass Frida detection and prevent Frida from monitoring applications.
2. Use the Frida Gadget library: This is a dynamic Frida library that can be injected into Frida at runtime to avoid detection.
3. Modify the application code: By modifying the application code, Frida can not monitor the application.
4. Use anti-detection frameworks: Some anti-detection frameworks can bypass Frida's detection, such as Xposed framework, VirtualXposed, Magisk, etc.
5. Use other tools: In addition to Frida, there are other tools that can be used to monitor applications, such as Xposed, Cydia Substrate, etc. Frida will not be able to monitor the application if these tools are used.