• Stars
    star
    1,159
  • Rank 40,259 (Top 0.8 %)
  • Language
    TypeScript
  • License
    MIT License
  • Created over 9 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Radare2 and Frida better together.

r2frida

Radare2 and Frida better together.

ci

Description

This is a self-contained plugin for radare2 that allows to instrument remote processes using frida.

The radare project brings a complete toolchain for reverse engineering, providing well maintained functionalities and extend its features with other programming languages and tools.

Frida is a dynamic instrumentation toolkit that makes it easy to inspect and manipulate running processes by injecting your own JavaScript, and optionally also communicate with your scripts.

Features

  • Run unmodified Frida scripts (Use the :. command)
  • Execute snippets in C, Javascript or TypeScript in any process
  • Can attach, spawn or launch in local or remote systems
  • List sections, symbols, exports, protocols, classes, methods
  • Search for values in memory inside the agent or from the host
  • Replace method implementations or create hooks with short commands
  • Load libraries and frameworks in the target process
  • Support Dalvik, Java, ObjC, Swift and C interfaces
  • Manipulate file descriptors and environment variables
  • Send signals to the process, continue, breakpoints
  • The r2frida io plugin is also a filesystem fs and debug backend
  • Automate r2 and frida using r2pipe
  • Read/Write process memory
  • Call functions, syscalls and raw code snippets
  • Connect to frida-server via usb or tcp/ip
  • Enumerate apps and processes
  • Trace registers, arguments of functions
  • Tested on x64, arm32 and arm64 for Linux, Windows, macOS, iOS and Android
  • Doesn't require frida to be installed in the host (no need for frida-tools)
  • Extend the r2frida commands with plugins that run in the agent
  • Change page permissions, patch code and data
  • Resolve symbols by name or address and import them as flags into r2
  • Run r2 commands in the host from the agent
  • Use r2 apis and run r2 commands inside the remote target process.
  • Native breakpoints using the :db api
  • Access remote filesystems using the r_fs api.

Installation

The recommended way to install r2frida is via r2pm:

$ r2pm -ci r2frida

Binary builds that don't require compilation will be soon supported in r2pm and r2env. Meanwhile feel free to download the last builds from the Releases page.

Compilation

Dependencies

  • radare2
  • pkg-config (not required on windows)
  • curl or wget
  • make, gcc
  • npm, nodejs (will be soon removed)

In GNU/Debian you will need to install the following packages:

$ sudo apt install -y make gcc libzip-dev nodejs npm curl pkg-config git

Instructions

$ git clone https://github.com/nowsecure/r2frida.git
$ cd r2frida
$ make
$ make user-install

Windows

  • Unzip the radare2 release zip in the root directory of the r2frida source
  • rename it to radare2 (instead of radare2-x.y.z)
  • To make the VS compiler available in PATH run this batch (or r2's preconfigure.bat)
[Visual Studio Path]\VC\Auxiliary\Build\vcvarsall.bat [Your arch]
.\build.bat install

Usage

For testing, use r2 frida://0, as attaching to the pid0 in frida is a special session that runs in local. Now you can run the :? command to get the list of commands available.

$ r2 'frida://?'
r2 frida://[action]/[link]/[device]/[target]
* action = list | apps | attach | spawn | launch
* link   = local | usb | remote host:port
* device = '' | host:port | device-id
* target = pid | appname | process-name | program-in-path | abspath
Local:
* frida://?                        # show this help
* frida://                         # list local processes
* frida://0                        # attach to frida-helper (no spawn needed)
* frida:///usr/local/bin/rax2      # abspath to spawn
* frida://rax2                     # same as above, considering local/bin is in PATH
* frida://spawn/$(program)         # spawn a new process in the current system
* frida://attach/(target)          # attach to target PID in current host
USB:
* frida://list/usb//               # list processes in the first usb device
* frida://apps/usb//               # list apps in the first usb device
* frida://attach/usb//12345        # attach to given pid in the first usb device
* frida://spawn/usb//appname       # spawn an app in the first resolved usb device
* frida://launch/usb//appname      # spawn+resume an app in the first usb device
Remote:
* frida://attach/remote/10.0.0.3:9999/558 # attach to pid 558 on tcp remote frida-server
Environment: (Use the `%` command to change the environment at runtime)
  R2FRIDA_SAFE_IO=0|1              # Workaround a Frida bug on Android/thumb
  R2FRIDA_DEBUG=0|1                # Used to debug argument parsing behaviour
  R2FRIDA_COMPILER_DISABLE=0|1     # Disable the new frida typescript compiler (`:. foo.ts`)
  R2FRIDA_AGENT_SCRIPT=[file]      # path to file of the r2frida agent

Examples

$ r2 frida://0     # same as frida -p 0, connects to a local session

You can attach, spawn or launch to any program by name or pid, The following line will attach to the first process named rax2 (run rax2 - in another terminal to test this line)

$ r2 frida://rax2  # attach to the first process named `rax2`
$ r2 frida://1234  # attach to the given pid

Using the absolute path of a binary to spawn will spawn the process:

$ r2 frida:///bin/ls
[0x00000000]> :dc        # continue the execution of the target program

Also works with arguments:

$ r2 frida://"/bin/ls -al"

For USB debugging iOS/Android apps use these actions. Note that spawn can be replaced with launch or attach, and the process name can be the bundleid or the PID.

$ r2 frida://spawn/usb/         # enumerate devices
$ r2 frida://spawn/usb//        # enumerate apps in the first iOS device
$ r2 frida://spawn/usb//Weather # Run the weather app

Commands

These are the most frequent commands, so you must learn them and suffix it with ? to get subcommands help.

:i        # get information of the target (pid, name, home, arch, bits, ..)
.:i*      # import the target process details into local r2
:?        # show all the available commands
:dm       # list maps. Use ':dm|head' and seek to the program base address
:iE       # list the exports of the current binary (seek)
:dt fread # trace the 'fread' function
:dt-*     # delete all traces

Plugins

r2frida plugins run in the agent side and are registered with the r2frida.pluginRegister API.

See the plugins/ directory for some more example plugin scripts.

[0x00000000]> cat example.js
r2frida.pluginRegister('test', function(name) {
  if (name === 'test') {
    return function(args) {
      console.log('Hello Args From r2frida plugin', args);
      return 'Things Happen';
    }
  }
});
[0x00000000]> :. example.js   # load the plugin script

The :. command works like the r2's . command, but runs inside the agent.

:. a.js  # run script which registers a plugin
:.       # list plugins
:.-test  # unload a plugin by name
:.. a.js # eternalize script (keeps running after detach)

Termux

If you are willing to install and use r2frida natively on Android via Termux, there are some caveats with the library dependencies because of some symbol resolutions. The way to make this work is by extending the LD_LIBRARY_PATH environment to point to the system directory before the termux libdir.

$ LD_LIBRARY_PATH=/system/lib64:$LD_LIBRARY_PATH r2 frida://...

Troubleshooting

Ensure you are using a modern version of r2 (preferibly last release or git).

Run r2 -L | grep frida to verify if the plugin is loaded, if nothing is printed use the R2_DEBUG=1 environment variable to get some debugging messages to find out the reason.

If you have problems compiling r2frida you can use r2env or fetch the release builds from the GitHub releases page, bear in mind that only MAJOR.MINOR version must match, this is r2-5.7.6 can load any plugin compiled on any version between 5.7.0 and 5.7.8.

Design

 +---------+
 | radare2 |     The radare2 tool, on top of the rest
 +---------+
      :
 +----------+
 | io_frida |    r2frida io plugin
 +----------+
      :
 +---------+
 |  frida  |     Frida host APIs and logic to interact with target
 +---------+
      :
  +-------+
  |  app  |      Target process instrumented by Frida with Javascript
  +-------+

Credits

This plugin has been developed by pancake aka Sergi Alvarez (the author of radare2) for NowSecure.

I would like to thank Ole André for writing and maintaining Frida as well as being so kind to proactively fix bugs and discuss technical details on anything needed to make this union to work. Kudos

More Repositories

1

fsmon

monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux
C
881
star
2

secure-mobile-development

A Collection of Secure Mobile Development Best Practices
CSS
552
star
3

node-applesign

NodeJS module and commandline utility for re-signing iOS applications (IPA files).
JavaScript
420
star
4

frida-cycript

Cycript fork powered by Frida.
C
374
star
5

android-forensics

Open source Android Forensics app and framework
Java
360
star
6

owasp-password-strength-test

OWASP Password Strength Test for Node.js
JavaScript
237
star
7

frida-trace

Trace APIs declaratively through Frida.
JavaScript
217
star
8

airspy

AirSpy - Frida-based tool for exploring and tracking the evolution of Apple's AirDrop protocol implementation on i/macOS, from the server's perspective. Released during BH USA 2019 Training https://www.nowsecure.com/event/advanced-frida-and-radare-a-hackers-delight/
TypeScript
143
star
9

samsung-ime-rce-poc

Samsung Remote Code Execution as System User
Python
121
star
10

cybertruckchallenge19

Android security workshop material taught during the CyberTruck Challenge 2019 (Detroit USA).
Java
95
star
11

dirtycow

radare2 IO plugin for Linux and Android. Modifies files owned by other users via dirtycow Copy-On-Write cache vulnerability
C
92
star
12

r2lldb

radare2-lldb integration
Python
62
star
13

mobile-incident-response

Mobile Incident Response Book
CSS
59
star
14

frida-uikit

Inspect and manipulate UIKit-based GUIs through Frida.
JavaScript
52
star
15

frida-uiwebview

Inspect and manipulate UIWebView-hosted GUIs through Frida.
JavaScript
46
star
16

nscrypto-cpp

A C++11 library providing simple API for public-key encryption
C
46
star
17

frida-fs

Create a stream from a filesystem resource.
TypeScript
45
star
18

frida-screenshot

Grab screenshots using Frida.
TypeScript
40
star
19

android-rce-multidex-and-zip-files

PoC code for android RCE with multidex and ZIP files
Python
40
star
20

r2frida-book

The radare2 + frida book for Mobile Application assessment
CSS
39
star
21

ipa-extract-info

Extract the Info.plist from an IPA
JavaScript
37
star
22

nowsecure-action

The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language
TypeScript
37
star
23

mjolner

Cycript backend powered by Frida.
JavaScript
25
star
24

frida-remote-stream

Create an outbound stream over a message transport.
TypeScript
18
star
25

frida-panic

Easy crash-reporting for Frida-based applications.
JavaScript
17
star
26

datagrid-gtk3

MVC framework for working with the Gtk3 TreeView widget
Python
16
star
27

androguard

Fork of https://github.com/androguard/androguard w/ bug fixes tests
Python
13
star
28

node-nscrypto

Node.js bindings for nscrypto-cpp
C++
11
star
29

mobile-security-report

The NowSecure Mobile Security Report
CSS
10
star
30

frida-memory-stream

Create a stream from one or more memory regions.
TypeScript
10
star
31

node-macho-entitlements

NodeJS library to extract the entitlements from MACH-O or FAT-MACH-O binaries
JavaScript
10
star
32

node-fatmacho

fat mach-o file-format parsers
JavaScript
9
star
33

nowsecure-sbom-action

Generate a Mobile SBOM for an application and submit to the Dependency submission API
9
star
34

disk-buffer

Disk buffer as a writable stream
JavaScript
8
star
35

nsq-bundle

JavaScript
8
star
36

macho-is-encrypted

Check if your Mach-O bin is encrypted
JavaScript
6
star
37

epf-parser

Parse iTunes Enterprise Partner Feeds.
JavaScript
6
star
38

nowsecure-platform-cli

CLI tool for starting Nowsecure auto security assessments for Android and iOS mobile app
JavaScript
5
star
39

level-throttle

A key-based throttling mechanism for levelup-compliant data stores.
JavaScript
5
star
40

iojs-cydia

Builder for the io.js packages for Cydia
Makefile
4
star
41

interval-to-ltgt

Convert an interval string to a levelup style ltgt object
JavaScript
4
star
42

macho-ts

TypeScript
4
star
43

goidevice

Golang bindings for the libimobiledevice library.
Go
4
star
44

apt-packages-diff

Rust
3
star
45

gitlabci

Dockerfile
3
star
46

auto-gitlab-plugin

Dockerfile
3
star
47

ipa-extract-exec

Extract the executable from an IPA file along with helpful meta data.
JavaScript
3
star
48

auto-jenkins-plugin

NowSecure Auto Security Test Jenkins Plugin
Java
2
star
49

cybertruckchallenge22

Android security workshop material taught during the CyberTruck Challenge 2022 (Michigan USA).
Java
2
star
50

NowSecure-Android-Root-Detection-Test-App

Test app for NowSecure Root Detection Bypass tutorial
2
star
51

auto-azure-extension

Azure DevOps Extension for NowSecure Auto Security Test
TypeScript
2
star
52

test-apks

2
star
53

Exploiting-Android-WebViews-with-Frida

Kotlin
1
star
54

auto-circleci-plugin

NowSecure Auto Security Test CircleCI Plugin
Java
1
star
55

bitrise-step-nowsecure-auto-analysis

Shell
1
star