NorthwaveSecurity / fridax

Fridax enables you to read variables and intercept/hook functions in Xamarin/Mono JIT and AOT compiled iOS/Android applications.
MIT License
164 stars 21 forks source link
ahead-of-time android aot arguments frida functions intercept ios jit just-in-time modify mono variables xamarin


Fridax is a Node package for dealing with Xamarin applications while using the Frida API.
GoalInstallationUsageExamplesIssuesLicense
Built with ❤ by the Northwave Red Team


Goal

In the Northwave Red Team we conduct security penetration tests on, among other things, mobile applications. During almost every mobile application penetration test we want to modify the behaviour of the application in such a way that it bypasses certain checks (e.g. a PIN code check).

Frida is a toolkit that allows us to do exactly that. It is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Using Frida you can, for example, inject and modify code of iOS and Android applications on runtime. However, if the application that is being pentested is a Xamarin application, it becomes more difficult to modify code on runtime, since Xamarin applications are basically wrappers that run a .NET binary.

Fridax to the rescue! Fridax allows you to easily modify the .NET binary inside a Xamarin application on runtime. We've included some example scripts that e.g. modify constructor and function arguments.

Happy hacking!

Installation

Clone this Git repository.

git clone git@github.com:NorthwaveNL/fridax.git

Use the package manager npm to install the dependencies for Fridax.

cd fridax
npm install

Usage

Please check the known issues before your start.

  1. Connect your device (make sure it can be listed).
    • frida-ls-devices
  2. Copy an example script to the scripts folder.
    • cp examples/modify_class_function_argument.js scripts/modify_class_function_argument.js
  3. Adjust some of the config variables in the script (that you copied) to your needs.
    • Update settingClassName, settingMethodName and settingMethodArgCount
  4. Start the application on your device and run your script!
    • ./fridax.js inject --scripts scripts/modify_class_function_argument.js

All options

./fridax.js <command>

Commands:
  ./fridax.js inject [scripts]  Inject the given scripts list.

Options:
  --version   Show version number                                                           [boolean]
  -h, --help  Show help                                                                     [boolean]
  --device    The address of the remote Frida device to connect to (or the string "usb")    [default: "usb"]

Examples:
  ./fridax.js inject --scripts scripts/modify_function_argument.js scripts/intercept_password.js scripts/sql_injection.js

Examples

Example scripts can be found in ./examples. Place an example script in the ./scripts folder to try it out. Using the example scripts, all of the variables/functions in the example class below can be read/intercepted.

namespace CompanyName.ProjectName {

    class Settings {

        // Static int can be read
        public static readonly int secret1 = 1234;

        // Static bool can be read
        public static readonly bool secret2 = false;

        // Static object can be read
        public static readonly ObfuscatedString secret3 = ObfuscatedString("yGVhqI5yzbgYUnCP+ZukDw==");

        // Static string can be read
        public static readonly string secret4 = "SecretValue";

        // Constructor can be intercepted and arguments can be modified
        Settings(string a, string b, string c) {

        }

        // Function can be intercepted and argument can be modified
        GetElement(string id) {

        }

    }

}

For example, to read the public static readonly bool secret2 you can run the command below after copying ./examples/read_static_bool_from_class.js to ./scripts/read_static_bool_from_class.js. You also need to edit the Company.ProjectName.Settings class name and secret2 variable name in that file to your needs. You can find out which names you need by using dnSpy on the Mono binary in the IPA/APK.

./fridax.js inject --scripts scripts/read_static_bool_from_class.js

Issues

Issues or new features can be reported via the GitHub issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

Known issues

License

Fridax is open-sourced software licensed under the MIT license.