northwavesecurity / fridax Goto Github PK

Fridax enables you to read variables and intercept/hook functions in Xamarin/Mono JIT and AOT compiled iOS/Android applications.

License: MIT License

JavaScript 100.00%

frida xamarin mono android ios intercept modify functions arguments variables

fridax's Introduction

Fridax is a Node package for dealing with Xamarin applications while using the Frida API.
Goal • Installation • Usage • Examples • Issues • License
_{Built with ❤ by the Northwave Red Team}

Goal

In the Northwave Red Team we conduct security penetration tests on, among other things, mobile applications. During almost every mobile application penetration test we want to modify the behaviour of the application in such a way that it bypasses certain checks (e.g. a PIN code check).

Frida is a toolkit that allows us to do exactly that. It is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Using Frida you can, for example, inject and modify code of iOS and Android applications on runtime. However, if the application that is being pentested is a Xamarin application, it becomes more difficult to modify code on runtime, since Xamarin applications are basically wrappers that run a .NET binary.

Fridax to the rescue! Fridax allows you to easily modify the .NET binary inside a Xamarin application on runtime. We've included some example scripts that e.g. modify constructor and function arguments.

Happy hacking!

Installation

Clone this Git repository.

git clone [email protected]:NorthwaveNL/fridax.git

Use the package manager npm to install the dependencies for Fridax.

cd fridax
npm install

Usage

Please check the known issues before your start.

Connect your device (make sure it can be listed).
- frida-ls-devices
Copy an example script to the scripts folder.
- cp examples/modify_class_function_argument.js scripts/modify_class_function_argument.js
Adjust some of the config variables in the script (that you copied) to your needs.
- Update settingClassName, settingMethodName and settingMethodArgCount
Start the application on your device and run your script!
- ./fridax.js inject --scripts scripts/modify_class_function_argument.js

All options

./fridax.js <command>

Commands:
  ./fridax.js inject [scripts]  Inject the given scripts list.

Options:
  --version   Show version number                                                           [boolean]
  -h, --help  Show help                                                                     [boolean]
  --device    The address of the remote Frida device to connect to (or the string "usb")    [default: "usb"]

Examples:
  ./fridax.js inject --scripts scripts/modify_function_argument.js scripts/intercept_password.js scripts/sql_injection.js

Examples

Example scripts can be found in ./examples. Place an example script in the ./scripts folder to try it out. Using the example scripts, all of the variables/functions in the example class below can be read/intercepted.

namespace CompanyName.ProjectName {

    class Settings {

        // Static int can be read
        public static readonly int secret1 = 1234;

        // Static bool can be read
        public static readonly bool secret2 = false;

        // Static object can be read
        public static readonly ObfuscatedString secret3 = ObfuscatedString("yGVhqI5yzbgYUnCP+ZukDw==");

        // Static string can be read
        public static readonly string secret4 = "SecretValue";

        // Constructor can be intercepted and arguments can be modified
        Settings(string a, string b, string c) {

        }

        // Function can be intercepted and argument can be modified
        GetElement(string id) {

        }

    }

}

For example, to read the public static readonly bool secret2 you can run the command below after copying ./examples/read_static_bool_from_class.js to ./scripts/read_static_bool_from_class.js. You also need to edit the Company.ProjectName.Settings class name and secret2 variable name in that file to your needs. You can find out which names you need by using dnSpy on the Mono binary in the IPA/APK.

./fridax.js inject --scripts scripts/read_static_bool_from_class.js

Issues

Issues or new features can be reported via the GitHub issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

Known issues

Xamarin app needs to be running before you start this script (see this issue for more information).
You get the error Export not found: mono_aot_get_method. This is due to your application being JIT-compiled. Please use the example scripts that are prefixed with jit_ instead of aot_ (AOT-compiled). See issue #3 for more information.

License

Fridax is open-sourced software licensed under the MIT license.

fridax's People

Contributors

Stargazers

Watchers

fridax's Issues

take a look

https://github.com/iddoeldor/mplus

BTW, very nice logo !

Remove the "X" and give it to Frida :)

cann

fridax install error with macOS v11.5.1 / node v16.4.2 / frida 15.0.13

Hi,

Similar to some closed issues, I'm hitting an error about binding.gyp being missing which may be related to the combination of node and frida versions I'm using

My frida install is otherwise fully functional (both npm install frida and compiling frida-node from git source)

It would be helpful if you could state which OS / node / frida version combinations are known to work with fridax?

npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm ERR! code 1
npm ERR! path /Users/hubert/fridax/node_modules/frida
npm ERR! command failed
npm ERR! command sh -c prebuild-install || node-gyp rebuild
npm ERR! prebuild-install WARN install No prebuilt binaries found (target=16.4.2 runtime=node arch=x64 libc= platform=darwin)
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using [email protected]
npm ERR! gyp info using [email protected] | darwin | x64
npm ERR! gyp info find Python using Python version 3.9.6 found at "/usr/local/opt/[email protected]/bin/python3.9"
npm ERR! (node:70687) [DEP0150] DeprecationWarning: Setting process.config is deprecated. In the future the property will be read-only.
npm ERR! (Use `node --trace-deprecation ...` to show where the warning was created)
npm ERR! gyp info spawn /usr/local/opt/[email protected]/bin/python3.9
npm ERR! gyp info spawn args [
npm ERR! gyp info spawn args   '/Users/hubert/node_modules/node-gyp/gyp/gyp_main.py',
npm ERR! gyp info spawn args   'binding.gyp',
npm ERR! gyp info spawn args   '-f',
npm ERR! gyp info spawn args   'make',
npm ERR! gyp info spawn args   '-I',
npm ERR! gyp info spawn args   '/Users/hubert/fridax/node_modules/frida/build/config.gypi',
npm ERR! gyp info spawn args   '-I',
npm ERR! gyp info spawn args   '/Users/hubert/node_modules/node-gyp/addon.gypi',
npm ERR! gyp info spawn args   '-I',
npm ERR! gyp info spawn args   '/Users/hubert/Library/Caches/node-gyp/16.4.2/include/node/common.gypi',
npm ERR! gyp info spawn args   '-Dlibrary=shared_library',
npm ERR! gyp info spawn args   '-Dvisibility=default',
npm ERR! gyp info spawn args   '-Dnode_root_dir=/Users/hubert/Library/Caches/node-gyp/16.4.2',
npm ERR! gyp info spawn args   '-Dnode_gyp_dir=/Users/hubert/node_modules/node-gyp',
npm ERR! gyp info spawn args   '-Dnode_lib_file=/Users/hubert/Library/Caches/node-gyp/16.4.2/<(target_arch)/node.lib',
npm ERR! gyp info spawn args   '-Dmodule_root_dir=/Users/hubert/fridax/node_modules/frida',
npm ERR! gyp info spawn args   '-Dnode_engine=v8',
npm ERR! gyp info spawn args   '--depth=.',
npm ERR! gyp info spawn args   '--no-parallel',
npm ERR! gyp info spawn args   '--generator-output',
npm ERR! gyp info spawn args   'build',
npm ERR! gyp info spawn args   '-Goutput_dir=.'
npm ERR! gyp info spawn args ]
npm ERR! gyp: binding.gyp not found (cwd: /Users/hubert/fridax/node_modules/frida) while trying to load binding.gyp
npm ERR! gyp ERR! configure error
npm ERR! gyp ERR! stack Error: `gyp` failed with exit code: 1
npm ERR! gyp ERR! stack     at ChildProcess.onCpExit (/Users/hubert/node_modules/node-gyp/lib/configure.js:351:16)
npm ERR! gyp ERR! stack     at ChildProcess.emit (node:events:394:28)
npm ERR! gyp ERR! stack     at Process.ChildProcess._handle.onexit (node:internal/child_process:290:12)
npm ERR! gyp ERR! System Darwin 20.6.0
npm ERR! gyp ERR! command "/usr/local/Cellar/node/16.4.2/bin/node" "/Users/hubert/node_modules/.bin/node-gyp" "rebuild"
npm ERR! gyp ERR! cwd /Users/hubert/fridax/node_modules/frida
npm ERR! gyp ERR! node -v v16.4.2
npm ERR! gyp ERR! node-gyp -v v7.1.2
npm ERR! gyp ERR! not ok

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/hubert/.npm/_logs/2021-08-17T13_50_57_678Z-debug.log

Can't find mono runtime

I'm trying to hook a Xamarin-based iOS app and am getting the following error:

~/t/s/s/f/fridax > ./fridax.js inject --device usb --scripts scripts/aot_modify_class_function_argument.js
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on iPhone.
? Which application do you want to inject? XXXXX
[*] Happy hacking.
[*] Attached to application (session: 74911).
[*] Injected a test script (this runs from within the injected application)!
Error: Can't find Mono runtime!
    at <anonymous> (vendors/frida-mono-api/mono-module.js:33)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (vendors/frida-mono-api/mono-api.js:2)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (vendors/frida-mono-api/index.js:1)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (scripts/aot_modify_class_function_argument.js:1)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at r (node_modules/browser-pack/_prelude.js:1)
    at <eval> (/script2.js:1246)

I've looked at #1 and the issue was fixed but I'm still having the issue. I've tried poking around but am just getting started with frida. Things I've tried:

looking for mono using Process.enumerateModulesSync()
looking for mono using Process.enumerateExports()
hooking dlopen and looking for any import of mono

but nothing shows up. Is there anything else I can do to troubleshoot the issue? Sadly I can't share the ipa.

Unable to install

I have the same issue as #13 and I think it's tied to your toolset rather then node-gyp. You need to include binding.gyp file in your project directory (a sort of Makefile). Tried on two environments (Host - MacOS Catalina, Guest - Kali Linux)

┌──(kali㉿kali)-[/tmp/fridax]
└─$ pwd                                                                                                       130 ⨯ 1 ⚙
/tmp/fridax
                                                                                                                        
┌──(kali㉿kali)-[/tmp/fridax]
└─$ npm --version                                                                                                   1 ⚙
7.0.3

┌──(kali㉿kali)-[/tmp/fridax]
└─$ rm -rf node_modules package-lock.json && npm i                                                                  1 ⚙
npm ERR! code 1
npm ERR! path /tmp/fridax/node_modules/frida
npm ERR! command failed
npm ERR! command sh -c prebuild-install || node-gyp rebuild
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using [email protected]
npm ERR! gyp info using [email protected] | linux | x64
npm ERR! gyp info find Python using Python version 3.8.4 found at "/usr/bin/python3"
npm ERR! gyp info spawn /usr/bin/python3
npm ERR! gyp info spawn args [
npm ERR! gyp info spawn args   '/usr/share/nodejs/node-gyp/gyp/gyp_main.py',
npm ERR! gyp info spawn args   'binding.gyp',
npm ERR! gyp info spawn args   '-f',
npm ERR! gyp info spawn args   'make',
npm ERR! gyp info spawn args   '-I',
npm ERR! gyp info spawn args   '/tmp/fridax/node_modules/frida/build/config.gypi',
npm ERR! gyp info spawn args   '-I',
npm ERR! gyp info spawn args   '/usr/share/nodejs/node-gyp/addon.gypi',
npm ERR! gyp info spawn args   '-I',
npm ERR! gyp info spawn args   '/usr/include/nodejs/common.gypi',
npm ERR! gyp info spawn args   '-Dlibrary=shared_library',
npm ERR! gyp info spawn args   '-Dvisibility=default',
npm ERR! gyp info spawn args   '-Dnode_root_dir=/usr/include/nodejs',
npm ERR! gyp info spawn args   '-Dnode_gyp_dir=/usr/share/nodejs/node-gyp',
npm ERR! gyp info spawn args   '-Dnode_lib_file=/usr/include/nodejs/<(target_arch)/node.lib',
npm ERR! gyp info spawn args   '-Dmodule_root_dir=/tmp/fridax/node_modules/frida',
npm ERR! gyp info spawn args   '-Dnode_engine=v8',
npm ERR! gyp info spawn args   '--depth=.',
npm ERR! gyp info spawn args   '--no-parallel',
npm ERR! gyp info spawn args   '--generator-output',
npm ERR! gyp info spawn args   'build',
npm ERR! gyp info spawn args   '-Goutput_dir=.'
npm ERR! gyp info spawn args ]
npm ERR! gyp: binding.gyp not found (cwd: /tmp/fridax/node_modules/frida) while trying to load binding.gyp
npm ERR! gyp ERR! configure error 
npm ERR! gyp ERR! stack Error: `gyp` failed with exit code: 1
npm ERR! gyp ERR! stack     at ChildProcess.onCpExit (/usr/share/nodejs/node-gyp/lib/configure.js:354:16)
npm ERR! gyp ERR! stack     at ChildProcess.emit (events.js:314:20)
npm ERR! gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:275:12)
npm ERR! gyp ERR! System Linux 5.7.0-kali1-amd64
npm ERR! gyp ERR! command "/usr/bin/node" "/usr/share/nodejs/node-gyp/bin/node-gyp.js" "rebuild"
npm ERR! gyp ERR! cwd /tmp/fridax/node_modules/frida
npm ERR! gyp ERR! node -v v12.19.0
npm ERR! gyp ERR! node-gyp -v v7.0.0
npm ERR! gyp ERR! not ok

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/kali/.npm/_logs/2020-12-01T12_42_46_721Z-debug.log

Updating frida version in fridax

Hi, i saw your tool and i am very impressed with it.
However, while i was practicing on hooking xamarin apps using fridax, i came across an error which relates to the version of frida in your package.
Current major version of frida is 14 and it seems that fridax (npm install) is installing frida 12 still; hence the error while starting up fridax

The error message:
[] Awaiting storage initialization.
[] Awaiting USB device.
[*] Up and running on iPhone.

(frida:3997): Frida-CRITICAL **: 17:02:09.205: file ../../../frida-core/lib/interfaces/session.vala: line 167: uncaught error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “re.frida.HostSession12” on object at path /re/frida/HostSession (g-dbus-error-quark, 19)
zsh: segmentation fault ./fridax.js inject --scripts scripts/modify_class_function_argument.js

Reference: frida/frida#1484

my frida version;
frida --version
14.2.12

iDevice frida:
14.2.12

Stuck at device.enumerateApplications() when using frida 15.0.3

Hi, thanks for the nice tools
i have an issue when fridax.js stuck in applications = await device.enumerateApplications() when using frida 15.0.3. However, the JS will run normally when using frida 14.2.18.

using frida 15.0.3:

./fridax.js inject  --scripts  scripts/jit_modify_class_function_argument.js 
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on SM-G5XXX.

and it stays like that forever.

using frida 14.2.18:

./fridax.js inject  --scripts  scripts/jit_modify_class_function_argument.js 
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on SM-G5XXX.
? Which application do you want to inject? 
  App1
  App2
  App3
❯ App4
  
(Move up and down to reveal more choices)

fridax version = 1.0.0
frida-server already running = yes
xamarin app already launched = yes
expected behavior = fridax can be run in current version of frida (frida 15.0.X)

Error: Cant find mono!

Hello,

Thanks for this project, it looks like this is what I was looking for.

I'm running into an issue when trying to run a script:

node fridax.js inject --scripts read_class_static_string_variable
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on Phone.
? Which application do you want to inject? Gadget
[*] Attached to application (session: 23972).
[*] Injected a test script (this runs from within the injected application)!
Error: Cant find mono!
    at node_modules/frida-mono-api/src/mono-module.js:7
    at o (node_modules/browser-pack/_prelude.js:1)
    at node_modules/frida-mono-api/src/mono-api.js:2
    at o (node_modules/browser-pack/_prelude.js:1)
    at /script2.js:119
    at o (node_modules/browser-pack/_prelude.js:1)
    at scripts/read_class_static_string_variable.js:1
    at o (node_modules/browser-pack/_prelude.js:1)
    at r (node_modules/browser-pack/_prelude.js:1)
[*] Happy hacking.

What I did was:

Patch the APK using Objection
Install the APK on the phone (real device)
Start the APK
Start Objection so that the app is running
Run node fridax.js inject

Any idea of what could be wrong ?

How to get a variables properties

Hello,

I have the below sample code

class Person
{
  private string name; // field

  public string Name   // property
  {
    get { return name; }   // get method
    set { name = value; }  // set method
  }
}

And I found that in compilation, the set method is called as "set_Name(string)"; however, when I try the below code to fetch and modify the data, the console logs an empty argument -no error is returned that shows that the method does not exist- . Can someone tell me what I am doing wrong?

import { MonoApiHelper, MonoApi } from '../vendors/frida-mono-api'
import ClassHelper from '../libraries/class_helper'
var settingClassName = "Person";
var settingMethodName = "set_Name";
var settingMethodArgCount = 1;

// The root AppDomain is the initial domain created by the runtime when it is initialized. Programs execute on this AppDomain.
const domain = MonoApi.mono_get_root_domain()

// Get a reference to a certain class within the Xamarin application.
var classInformation = ClassHelper.getClassByName(settingClassName);

// Attach interceptor and fish out the first method argument
MonoApiHelper.Intercept(classInformation, settingMethodName, {
    onEnter: function(args) {
        console.log("Entered " + settingMethodName + " with " + settingMethodArgCount + " argument(s).");
        console.log("Value of `string id`: " + MonoApiHelper.StringToUtf8(args[0]));
    },
    onLeave: function onLeave(log, retval, state) {
        console.log("Left " + settingMethodName + ".");
    }
})

console.log(`'jit_modify_class_function_argument.js' attached and ready.`)

Add support for flutter AOT compiled app

Any plan to make it support to hook Android apps written in Flutter?

Unable to install fridax because binding.gyp not found - Windwos & Linux

Installation prerequisites in windows (10):

Microsoft Visual Studio
Microsoft Visual Studio Build Tools
Desktop development with C++
Python Stable Version
Nodejs Stable Version
node-gyp - Node.js native addon build tool
Git

I installed all prerequisites according to their latest version. But after installation I faced many problems. One of the problems I encountered was the following error:

...
gyp: binding.gyp not found (cwd: C:\Users\lnatl\Desktop\fridax) while trying to load binding.gyp
gyp ERR! configure error
gyp ERR! stack Error: gyp failed with exit code: 1
...

I found out that these problems are related to node-gyp. So I tried all the solutions available for Windows operating system Like:

Downgrading Python to version 2
Install Microsoft Build Tools
Specifying the MSVS version for NPM
Installing the node-gyp several times globally
Installing node native modules
node-gyp configure and rebuild
npm cache clean --force
Mandatory introduction of the Python path due to the use of different versions of Python.

And in the end, I reviewed and implemented most of the issues related to this address:
https://github.com/nodejs/node-gyp/issues
The only thing I noticed was that the python version has nothing to do with the gyp node problem. Also, the 2015, 2017 and 2019 versions of Microsoft Visual Studio are better compatible with the node-gyp (according to the experience of people who used the node-gyp).So I decided to install Visual Studio version 2017 (15.9.2) and Visual Studio Build Tools version 2017 (15.9.51). Also, I already had Python version 3.10.5 installed, and since the problem was not with Python, I did not make any changes in the installation of Python with different versions.But the result was still the same.what should i do? After a lot of frustration, I might get better results in Linux. So I installed Ubuntu version 20.04.1 on a virtual machine.

Installation prerequisites in Linux (Ubuntu v20.04):

nodejs latest version!
node-gyp - Node.js native addon build tool
By default, Python is identified with version 3. If for any reason it is not installed, install one of the following versions:
Python v3.7, v3.8, v3.9, or v3.10
A proper C/C++ compiler toolchain, like GCC
Build-essential Meta-Package
Git

In this environment, I also received the same errors for the following path:

...
gyp: binding.gyp not found (cwd: /home/lnatl/Desktop/fridax) while trying to load binding.gyp
gyp ERR! configure error 
gyp ERR! stack Error: `gyp` failed with exit code: 1
...

Also for the Frida module which was being installed in the node_modules folder:

...
npm ERR! gyp: binding.gyp not found (cwd: /tmp/fridax/node_modules/frida) while trying to load binding.gyp
npm ERR! gyp ERR! configure error 
npm ERR! gyp ERR! stack Error: `gyp` failed with exit code: 1
...

fridax $ npm install

> [email protected] install /Users/.../fridax/node_modules/frida
> prebuild-install || node-gyp rebuild

prebuild-install WARN install No prebuilt binaries found (target=14.7.0 runtime=node arch=x64 libc= platform=darwin)
gyp: binding.gyp not found (cwd: /Users/.../fridax/node_modules/frida) while trying to load binding.gyp
gyp ERR! configure error 
gyp ERR! stack Error: `gyp` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onCpExit (/usr/local/lib/node_modules/npm/node_modules/node-gyp/lib/configure.js:351:16)
gyp ERR! stack     at ChildProcess.emit (events.js:314:20)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:276:12)
gyp ERR! System Darwin 19.6.0
gyp ERR! command "/usr/local/Cellar/node/14.7.0/bin/node" "/usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/.../fridax/node_modules/frida
gyp ERR! node -v v14.7.0
gyp ERR! node-gyp -v v5.1.0
gyp ERR! not ok 
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] install: `prebuild-install || node-gyp rebuild`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] install script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/.../.npm/_logs/2020-10-22T09_55_37_804Z-debug.log

Export not found: `mono_aot_get_method` in JIT-compiled APK

Hello,

I can't get the modify_class_function_argument.js script to work.

I'm working with this app: https://github.com/xamarin/xamarin-forms-samples/tree/master/WebServices/TodoREST

I'm trying to intercerpt the GetTasksAsync function of the TodoItemManager:

using System;
using System.Collections.Generic;
using System.Threading.Tasks;

namespace TodoREST
{
	public class TodoItemManager
	{
		IRestService restService;

		public TodoItemManager (IRestService service)
		{
			restService = service;
		}

		public Task<List<TodoItem>> GetTasksAsync ()
		{
			return restService.RefreshDataAsync ();	
		}

		public Task SaveTaskAsync (TodoItem item, bool isNewItem = false)
		{
			return restService.SaveTodoItemAsync (item, isNewItem);
		}

		public Task DeleteTaskAsync (TodoItem item)
		{
			return restService.DeleteTodoItemAsync (item.ID);
		}
	}
}

Source for the class: https://github.com/xamarin/xamarin-forms-samples/blob/master/WebServices/TodoREST/TodoREST/Data/TodoItemManager.cs

I'm using this script:

import { MonoApiHelper, MonoApi } from '../vendors/frida-mono-api'
import ClassHelper from '../libraries/class_helper'

// Intercept settings
var settingClassName = "TodoREST.TodoItemManager";
var settingMethodName = "GetTasksAsync";
var settingMethodArgCount = 0;

// The root AppDomain is the initial domain created by the runtime when it is initialized. Programs execute on this AppDomain.
const domain = MonoApi.mono_get_root_domain()

console.log('domain: ' + classInformation);

// Get a reference to a certain class within the Xamarin application.
var classInformation = ClassHelper.getClassByName(settingClassName);

console.log('classInformation: ' + classInformation);

// Get the pointer to the ahead-of-time (AOT) compiled method
let methodInformation = MonoApiHelper.ClassGetMethodFromName(classInformation, settingMethodName, settingMethodArgCount)

console.log('methodInformation: ' + methodInformation);

// Allocate enough memory for MonoError initialization
let monoErrorMemory = Memory.alloc(32) 

// Get the pointer to the method
let nativeMethodPointer = MonoApi.mono_aot_get_method(domain, methodInformation, monoErrorMemory)

// Attach interceptor and fish out the first method argument
Interceptor.attach(nativeMethodPointer, {
    onEnter: function(args) {
        console.log("Entered " + settingMethodName + " with " + settingMethodArgCount + " argument(s).");
        console.log("Value of `string id`: " + MonoApiHelper.StringToUtf8(args[3]));

        args[3] = MonoApiHelper.StringNew('This is the replaced value of `string c`.', domain);
    },
    onLeave: function onLeave(log, retval, state) {
        console.log("Left " + settingMethodName + ".");
    }
})

console.log(`'modify_function_argument.js' attached and ready.`)

The stacktrace I'm getting:

node fridax.js inject --scripts scripts/todo-modify.js
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on Android Emulator 5554.
? Which application do you want to inject? TodoREST
[*] Happy hacking.
[*] Attached to application (session: 3803).
[*] Injected a test script (this runs from within the injected application)!
domain: undefined
classInformation: 0x98f63330
methodInformation: 0x84b95058
Error: Export not found: mono_aot_get_method
    at vendors/frida-mono-api/mono-api.js:799
    at scripts/todo-modify.js:45
    at o (node_modules/browser-pack/_prelude.js:1)
    at r (node_modules/browser-pack/_prelude.js:1)
    at /script2.js:1217
^C[*] Script unloaded.
[*] Script unloaded.```

If you need more info let me know.

northwavesecurity / fridax Goto Github PK

fridax's Introduction

Goal

Installation

Usage

Examples

Issues

License

fridax's People

Contributors

Stargazers

Watchers

Forkers

fridax's Issues

Installation prerequisites in windows (10):

Installation prerequisites in Linux (Ubuntu v20.04):

Recommend Projects

Recommend Topics

Recommend Org

Jobs