search

AsenOsen / frida-stealth

Stealth patch for Frida, stealth knowledge collection
45 stars 17 forks source link
anti-detection frida frida-detection patch stealth stealth-mode

readme

Stealth patch for Frida!

FIRST OF ALL! Tired of Frida getting detected all the time?
Try my revolutionary(duh) approach based on injecting code into system Android libraries.

The patch set was inspired by this repo - https://github.com/JsHookApp/Frida-Patchs. This patch hides most of frida traces in system:

How to apply patch?

Get latest Frida version with all submodules:

git clone --recurse-submodules https://github.com/frida/frida.git

Apply patches:

cd frida/frida-core && git apply --reject --whitespace=fix ../../frida-core/patch.patch
cd frida/frida-gum && git apply --reject --whitespace=fix ../../frida-gum/patch.patch

How to build Frida with patch? (Android Arm64 example)

  1. Download Android NDK. Easiest way to do it - via Android Studio SDK Manager: pick the NDK version 25.2.9519653.
  2. In root frida folder:
    • Build: ANDROID_NDK_ROOT="$ANDROID_HOME/ndk/25.2.9519653" make core-android-arm64
    • Run the script to hide frida symbols in compiled binaries:
      • Install requirements: pip install lief
      • Run python src/anti-anti-frida.py PATH for following PATH list (you may pass unneeded components):
        • Agent library: build/tmp-android-arm64/frida-core/lib/agent/frida-agent.so
        • Gadget library: build/tmp-android-arm64/frida-core/lib/gadget/frida-gadget.so
        • Frida Inject: build/frida-android-arm64/bin/frida-inject
        • Frida Portal: build/frida-android-arm64/bin/frida-portal
        • Frida Server: build/frida-android-arm64/bin/frida-server
    • Copy needed binaries to Android Device and enjoy the patch!

Advices how to achive even more stealthy mode

  1. Use ZygiskFrida(https://github.com/lico-n/ZygiskFrida) to avoid process being ptraced. Important notice: use this module for Kitsune Magisk (https://github.com/HuskyDG/magisk-files). Do not use ZygiskFrida with usual Magisk - module will not work.
  2. When using ZygiskFrida, use patched frida-gadget.so!
  3. Use frida scripts from this repo - https://github.com/apkunpacker/AntiFrida_Bypass - to hide any other possible traces of frida/magisk in memory.
  4. Consider some uncommon techniques like patching system libraries.