/ZygiskFrida

Injects frida gadget using zygisk to bypass anti-tamper checks.

Primary LanguageC++MIT LicenseMIT

ZygiskFrida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers

Zygisk part of Magisk allows you to run code in every Android application's Process.

Introduction

ZygiskFrida is a zygisk module allowing you to inject frida gadget in Android applications in a more stealthy way.

  • The gadget is not embedded into the APK itself. So APK Integrity/Signature checks will still pass.
  • The process is not being ptraced like it is with frida-server. Avoiding ptrace based detection.
  • Control about the injection time of the gadget.
  • Allows you to load multiple arbitrary libraries into the process.

This repo also provides a Riru flavor in case you are still using riru with an older magisk version rather than zygisk.

How to use the module

Prerequisites

  • Rooted device/emulator
  • Zygisk available and enabled

Quick start

  • Download the latest release from the Release Page
    If you are using riru instead of zygisk choose the riru-release. Otherwise choose the normal version.
  • Transfer the ZygiskFrida zip file to your device and install it via Magisk.
  • Reboot after install
  • Create the config file and adjust the package name to your target app (replace your.target.application in the commands)
adb shell 'su -c cp /data/local/tmp/frisk/config.json.example /data/local/tmp/frisk/config.json'
adb shell 'su -c sed -i s/com.example.package/your.target.application/ /data/local/tmp/frisk/config.json'
  • Launch your app. It will pause at startup allowing you to attach f.e. frida -U -N your.target.application or frida -U -n Gadget

This assumes that you don't have any other frida server running (f.e. by using MagiskFrida). You can still run it together with frida-server but you would have to configure the gadget to use a different port.

Configuration

This module also supports adding a start up delay that can delay injection of the gadget to avoid checks run at startup time, loading arbitrary libraries and child gating.

Please take a look at the configuration guide for this.

How to build

  • Checkout the project
  • Run ./gradlew :module:assembleRelease
  • The build magisk module should then be in the out directory.

You can also build and install the module to your device directly with ./gradlew :module:flashAndRebootZygiskRelease

Caveats

  • For emulators this will start the gadget in native realm. This means that you will be able to hook Java but not native functions.

Credits