Beginning Frida: by example
Frida, https://frida.re/, is one of those awesome tools that you think to youself is a must know, and never find time to invest to learn.
The moment I invested more than five minutes I got caught. Oh-my-god, what a solution. Thanks Ole (Frida’s creator) because this is magic :)
Hooking and instrumentation
Not going to provide a detailed description about hooking or instrumentation. If you don’t know what these terms mean, please do check this and this.
But what is really important, related to Frida, is that instrumenting a binary is EASY. The learning curve to be able to perform productive and effective stuff is really short, so if I have to mention the most relevant capability in Frida is giving a completely ignorant user the opportunity of doing magic.
Hooking is the technique that allows us to intercept a function (typically a syscall) and do stuff, finally invoking the real function or syscall.
In this post we will an easy hook of the “write” function. But when dealing with complex applications, instrumentation (as the art and technique of instrumenting an application from outside) evolves to a difficult discipline that requires a deep knowledge in the guts of the application and, potentially, the operating system.
With Frida all those difficulties are easier to deal with.
Our test application
This is a very basic application that will just print, ten times, a hard-coded hash to a file called example.txt.
Imagine this is a log file with several hashes added to it. In the beginning, there was no problem as this log file was extremely confidential and we restricted the access. Only an authorized user deals with it.
But today, our organizations is bigger and the person who has the authorization has more complex tasks to attend, so we hire juniors to watch this log and open incidences and tickets. BUT these hashes are extremely…
