m0bilesecurity/RMS-Runtime-Mobile-Security

RMS - Early instrumentation issue

balramrexwal opened this issue · 13 comments

I am trying to bypass the "Frida script running in memory" and "Frida server" detections of the AntiFrida app. The Anti Frida app has two detections: CHECK FRIDA SERVER and CHECK FRIDA IN MEMORY.

I am able to bypass it using the Frida CLI but not using the RMS tool.
Using RMS, when the Frida server is running and the app is spawned on the device, it shows both in RED as shown below:

[screenshot]

Using RMS, when the Frida server is running and the app is spawned with a script added (adding the script to the Custom-Scripts folder and spawning), it shows GREEN only for the check in memory, as shown below:

[screenshot]

It cannot bypass Frida Server; I am not able to find the issue, because using the same script in the Frida CLI it bypasses both detections, in memory and server (shows GREEN).

Script is

setTimeout(function () {
    Java.perform(function () {
        console.log("[*] Script loaded")
        var MainActivity = Java.use("org.owasp.mstg.antifrida.MainActivity")

        // hook the in-memory check so it reports "not detected"
        MainActivity.checkMemory.overload().implementation = function () {
            console.log("[*] bypass frida memory function invoked")
            return false
        }

        // hook the method that updates the "Frida server" text view
        MainActivity.setFridaServerTextView.overload().implementation = function () {
            console.log("[*] bypass frida server function invoked")
            return false
        }
    });
});

Decrypted Java file of the Anti Frida MainActivity is here: https://pastebin.com/NdwfvzjK

Is there any issue in applying this script, or in the script itself (using the same script in the Frida CLI it bypasses both DETECTIONS)?
Please help to resolve this issue.

Hey, it's a very interesting case.
I think that RMS runs the script too late (when the check is already done).

Can you kindly share the APK? I'll be happy to perform a check and improve the tool.
If you want to have a look directly, the logic is inside the mobilesecurity.py file (Device section).
Best

Hey @balramrexwal
your bypass is wrong. Check this code:


Java.perform(function () {
    var classname = "org.owasp.mstg.antifrida.MainActivity";
    var classmethod = "PortScanFrida";
    var hookclass = Java.use(classname);

    //public boolean PortScanFrida(java.lang.String) throws java.net.UnknownHostException

    hookclass.PortScanFrida.overload("java.lang.String").implementation = function (v0) {
        send("CALLED: " + classname + "." + classmethod + "()\n");
        var ret = this.PortScanFrida(v0);

        var s="";
        s=s+"HOOK: " + classname + "." + classmethod + "()\n";
        s=s+"IN: "+v0+"\n";
        s=s+"OUT: "+ret+"\n";
        send(s);
                
        return false;
    };
});

Java.perform(function () {
    var classname = "org.owasp.mstg.antifrida.MainActivity";
    var classmethod = "checkMemory";
    var hookclass = Java.use(classname);

    //public boolean checkMemory()

    hookclass.checkMemory.overload().implementation = function () {
        send("CALLED: " + classname + "." + classmethod + "()\n");
        var ret = this.checkMemory();

        var s="";
        s=s+"HOOK: " + classname + "." + classmethod + "()\n";
        s=s+"IN: "+""+"\n";
        s=s+"OUT: "+ret+"\n";
        send(s);
                
        return false;
    };
});

[screenshot: checks_bypass]

The above FRIDA script works very well, but I don't know if there is a smarter way to bypass all the checks; I only had a very quick look at the MainActivity via the HOOK LAB view.

NOTE: RMS is very useful in this case because it helps you to focus your attention only on classes and methods that have been loaded in memory 😉

Anyway, I confirm that if you load the script at startup it does not work immediately. You have to click the buttons in order to perform a second session of checks.

Unfortunately RMS evaluates the script too late (when the first session of checks has already been performed).

This is the affected code (mobilesecurity.py):

session = None
if mode == "Spawn":
    pid = device.spawn([package_name])
    session = device.attach(pid)
    print('[*] Process Spawned')
if mode == "Attach":
    session = device.attach(package_name)
    print('[*] Process Attached')

script = session.create_script(frida_code)  # <-- 1. JS API
#script.set_log_handler(log_handler)
script.on('message', on_message)
script.load()  # <-- 2. script loaded

# loading js api
api = script.exports

if mode == "Spawn":
    device.resume(pid)  # <-- 3. APP resumed

# loading FRIDA startup script if exists
if frida_script:
    api.loadcustomfridascript(frida_script)  # <-- 4. custom script loaded
    # DEBUG print(frida_script, file=sys.stdout)

Any ideas for a faster injection?
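One answer to that question, as an added example that is not RMS's own code: keep the same four steps but evaluate the custom script before `device.resume()`, while the spawned process is still paused, so the hooks exist before the activity's first round of checks. It assumes a `loadcustomfridascript` RPC export like the one in the snippet above; the fake device is constructed only to show the resulting call order offline.

```python
# Added example (not RMS's own code): custom script evaluated before resume.
try:
    import frida  # only needed against a real device, not for the offline demo
except ImportError:
    frida = None


def spawn_and_instrument(device, package_name, rms_agent, custom_script=None,
                         on_message=None):
    """Same steps as the RMS snippet, with step 4 moved ahead of step 3."""
    pid = device.spawn([package_name])          # process created but paused
    session = device.attach(pid)
    script = session.create_script(rms_agent)   # 1. JS API
    if on_message:
        script.on("message", on_message)
    script.load()                               # 2. agent loaded
    api = script.exports                        # exports_sync on newer frida
    if custom_script:
        # Evaluated before resume, so hooks registered inside Java.perform
        # already exist when MainActivity runs its first round of checks.
        api.loadcustomfridascript(custom_script)   # 4. custom script loaded
    device.resume(pid)                          # 3. app actually starts
    return session, script


class _FakeDevice:
    """Constructed stand-in that only records the order of API calls."""
    def __init__(self):
        self.calls = []
    def _rec(self, name, ret=None):
        self.calls.append(name)
        return ret
    def spawn(self, argv): return self._rec("spawn", 1234)
    def attach(self, pid): return self._rec("attach", self)
    def create_script(self, code): return self._rec("create_script", self)
    def on(self, event, cb): self._rec("on")
    def load(self): self._rec("load")
    exports = property(lambda self: self)
    def loadcustomfridascript(self, code): self._rec("loadcustomfridascript")
    def resume(self, pid): self._rec("resume")


def demo_call_order():
    """Run the flow against the fake device and return the call sequence."""
    dev = _FakeDevice()
    spawn_and_instrument(dev, "org.owasp.mstg.antifrida", "rpc.exports = {};",
                         "Java.perform(function () {});")
    return dev.calls
```

Against a real device, replace the fake with `frida.get_usb_device()` and pass the RMS agent and the Custom-Scripts file contents as the two script arguments.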

Thanks @m0bilesecurity,
the script provided by you works.
That's what I'm trying to tell you; you got it correctly:

loading the script at startup it does not work immediately. On click the buttons in order to perform a second sessions of checks.

Can you fix this issue of the script loading late in upcoming updates?

Unfortunately RMS evaluates the script too late

is this apk public?

Hey @enovella
Yes I asked @balramrexwal to post the APK. Here is the link: https://we.tl/t-R7SQcVo19N
More info and source code: https://github.com/b-mueller/frida-detection-demo

@m0bilesecurity Transfer expired

@enovella reuploaded here: https://we.tl/t-j6epcwmNTW 👌🏻

Hey, could you reupload apk?

thanks! @m0bilesecurity, this framework is a life saver 👍

@punishell many thanks 🙏
Feel free to improve it via a Pull Request 😉

Hey, could you reupload apk?