RMS - Early instrumentation issue

[balramrexwal]

I am trying to bypass Frida Script running in Memory and Frida Server Detection by using AntiFrida App. Anti Frida App has two detections as CHECk FRIDA SERVER and CHECK FRIDA IN MEMORY.

I am able to bypass it using Frida CLI but not by Using RMS tool. Using RMS,When Frida Server and is Spawn to Device, its shows both in RED as shown below:

Using RMS,When Frida Server and Spawn by adding Script to it (Adding Script in Custom-Scripts Folder and Spawing),It shows only GREEN in check in memory as shown below:

It cannot bypass Frida Server, I am not able to find the issue because using same script in Frida CLI it bypass both Dection in Memory and server(shows GREEN).

Script is

setTimeout(function(){
    Java.perform(function (){
    console.log("[*] Script loaded")   var MainActivity = Java.use("org.owasp.mstg.antifrida.MainActivity")

        MainActivity.checkMemory.overload().implementation = function() {
            console.log("[*] bypass frida mrmory function invoked")
            return false
        }

        var MainActivity = Java.use("org.owasp.mstg.antifrida.MainActivity")

        MainActivity.setFridaServerTextView.overload().implementation = function() {
            console.log("[*] bypass frida server function invoked")
            return false
        }

    });      });

Decrypted Java File of Anti Frida MainActivity is. here:https://pastebin.com/NdwfvzjK

Is there any issue in Applying this script or in script(using same script in FRIDA CLI it bypasses both DETECTIONs) Please help to resolve this issue

[m0bilesecurity]

Hey it's a very interesting case. I think that RMS runs the script too late (when the check is already done).

Can you kindly share the APK? I'll be happy to perform a check and improve the tool. If you want to have a look directly, the logic is inside the mobilesecurity.py file (Device section). Best

[balramrexwal]

yeah,sure https://we.tl/t-R7SQcVo19N

[m0bilesecurity]

Hey @balramrexwal your bypass is wrong. Check this code:

Java.perform(function () {
    var classname = "org.owasp.mstg.antifrida.MainActivity";
    var classmethod = "PortScanFrida";
    var hookclass = Java.use(classname);

    //public boolean PortScanFrida(java.lang.String) throws java.net.UnknownHostException

    hookclass.PortScanFrida.overload("java.lang.String").implementation = function (v0) {
        send("CALLED: " + classname + "." + classmethod + "()\n");
        var ret = this.PortScanFrida(v0);

        var s="";
        s=s+"HOOK: " + classname + "." + classmethod + "()\n";
        s=s+"IN: "+v0+"\n";
        s=s+"OUT: "+ret+"\n";
        send(s);

        return false;
    };
});

Java.perform(function () {
    var classname = "org.owasp.mstg.antifrida.MainActivity";
    var classmethod = "checkMemory";
    var hookclass = Java.use(classname);

    //public boolean checkMemory()

    hookclass.checkMemory.overload().implementation = function () {
        send("CALLED: " + classname + "." + classmethod + "()\n");
        var ret = this.checkMemory();

        var s="";
        s=s+"HOOK: " + classname + "." + classmethod + "()\n";
        s=s+"IN: "+""+"\n";
        s=s+"OUT: "+ret+"\n";
        send(s);

        return false;
    };
});

The above FRIDA script works very well but I don't know if there is a smarter way to bypass all the checks I only had a very quick look at the MainActivity via the HOOK LAB view.

NOTE: RMS is very useful in this case because it helps you to focus your attention only on classes and methods that have been loaded in memory 😉

Anyway, I confirm that if you load the script at startup it does not work immediately. You have to click the buttons in order to perform a second sessions of checks.

Unfortunately RMS evaluates the script too late (when the first session of checks has already been performed).

This is the affected code (mobilesecurity.py):

        session = None
        if mode == "Spawn":
            pid = device.spawn([package_name])
            session = device.attach(pid)
            print('[*] Process Spawned')
        if mode == "Attach":
            session = device.attach(package_name)
            print('[*] Process Attached')

        script = session.create_script(frida_code) <-- 1. JS API
        #script.set_log_handler(log_handler)
        script.on('message', on_message)
        script.load() <-- 2. script loaded

        # loading js api
        api = script.exports

        if mode == "Spawn":
            device.resume(pid) <-- 3. APP resumed

        # loading FRIDA startup script if exists
        if frida_script:
            api.loadcustomfridascript(frida_script) <-- 4. custom script loaded
            # DEBUG print(frida_script, file=sys.stdout)

Any ideas for a faster injection?

[balramrexwal]

Thanks @m0bilesecurity , Script provided by you, works, That's what i m trying to tell you, You got it correctly,

loading the script at startup it does not work immediately. On click the buttons in order to perform a second sessions of checks.

Can you fix this issue of script is loading late in Upcoming updates

Unfortunately RMS evaluates the script too late

[enovella]

is this apk public?

[m0bilesecurity]

Hey @enovella Yes I asked @balramrexwal to post the APK. Here is the link: https://we.tl/t-R7SQcVo19N More info and source code: https://github.com/b-mueller/frida-detection-demo

[enovella]

@m0bilesecurity Transfer expired

[m0bilesecurity]

@enovella reuploaded here: https://we.tl/t-j6epcwmNTW 👌🏻

[punishell]

Hey, could you reupload apk?

[m0bilesecurity]

Hey @punishell Here is the apk: https://we.tl/t-sSfe87JzDw

[punishell]

thanks! @m0bilesecurity, this framework is life saver 👍

[m0bilesecurity]

@punishell many thanks 🙏 Feel free to improve it via a Pull Request 😉

[Mythili0896]

Hey, could you reupload apk?