Fridax is a Node package for dealing with Xamarin applications while using the Frida API.
Goal
•
Installation
•
Usage
•
Examples
•
Issues
•
License
Built with ❤ by the Northwave Red Team
In the Northwave Red Team we conduct security penetration tests on, among other things, mobile applications. During almost every mobile application penetration test we want to modify the behaviour of the application in such a way that it bypasses certain checks (e.g. a PIN code check).
Frida is a toolkit that allows us to do exactly that. It is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Using Frida you can, for example, inject and modify code of iOS and Android applications on runtime. However, if the application that is being pentested is a Xamarin application, it becomes more difficult to modify code on runtime, since Xamarin applications are basically wrappers that run a .NET binary.
Fridax to the rescue! Fridax allows you to easily modify the .NET binary inside a Xamarin application on runtime. We've included some example scripts that e.g. modify constructor and function arguments.
Happy hacking!
Clone this Git repository.
git clone git@github.com:NorthwaveNL/fridax.git
Use the package manager npm to install the dependencies for Fridax.
cd fridax
npm install
Please check the known issues before your start.
frida-ls-devices
cp examples/modify_class_function_argument.js scripts/modify_class_function_argument.js
settingClassName
, settingMethodName
and settingMethodArgCount
./fridax.js inject --scripts scripts/modify_class_function_argument.js
All options
./fridax.js <command>
Commands:
./fridax.js inject [scripts] Inject the given scripts list.
Options:
--version Show version number [boolean]
-h, --help Show help [boolean]
--device The address of the remote Frida device to connect to (or the string "usb") [default: "usb"]
Examples:
./fridax.js inject --scripts scripts/modify_function_argument.js scripts/intercept_password.js scripts/sql_injection.js
Example scripts can be found in ./examples
. Place an example script in the ./scripts
folder to try it out. Using the example scripts, all of the variables/functions in the example class below can be read/intercepted.
namespace CompanyName.ProjectName {
class Settings {
// Static int can be read
public static readonly int secret1 = 1234;
// Static bool can be read
public static readonly bool secret2 = false;
// Static object can be read
public static readonly ObfuscatedString secret3 = ObfuscatedString("yGVhqI5yzbgYUnCP+ZukDw==");
// Static string can be read
public static readonly string secret4 = "SecretValue";
// Constructor can be intercepted and arguments can be modified
Settings(string a, string b, string c) {
}
// Function can be intercepted and argument can be modified
GetElement(string id) {
}
}
}
For example, to read the public static readonly bool secret2
you can run the command below after copying ./examples/read_static_bool_from_class.js
to ./scripts/read_static_bool_from_class.js
. You also need to edit the Company.ProjectName.Settings
class name and secret2
variable name in that file to your needs. You can find out which names you need by using dnSpy on the Mono binary in the IPA/APK.
./fridax.js inject --scripts scripts/read_static_bool_from_class.js
Issues or new features can be reported via the GitHub issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.
Known issues
Export not found: mono_aot_get_method
. This is due to your application being JIT-compiled. Please use the example scripts that are prefixed with jit_
instead of aot_
(AOT-compiled). See issue #3 for more information.Fridax is open-sourced software licensed under the MIT license.