└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # useful-android-frida-snippets 2 | Useful Android Frida code snippets. (Utili frammenti di Frida per androidi) 3 | 4 | Some of the snippets weren't written by me. Credit goes to their authors. 5 | 6 |
// Basic js frida script template
//
// Java.perform() runs the callback once the Java bridge is attached to the
// app's VM; the other snippets on this page use Java.use() and are meant to
// be pasted where the placeholder comment is.
Java.perform(function onJavaReady() {

    // code goes here

    // Printed after the hooks above have been installed.
    console.log("Done.");
});
20 | 21 | --- 22 | 23 |
// Print class members and methods
//
// Lists the own property names found on the prototype of the Frida wrapper
// for the class, one per line. Replace 'com.example.SomeClass' with the
// class under inspection.
(function () {
    var wrapper = Java.use('com.example.SomeClass');
    var names = Object.getOwnPropertyNames(wrapper.__proto__);
    console.log('Loaded class members and methods', names.join('\n\t'));
})();
31 | 32 |
// Print webview loaded url
//
// Replaces WebView.loadUrl(String) with a wrapper that logs the URL and then
// forwards to the original method. Only this one overload is hooked:
// loadUrl(String, Map), loadData(), loadDataWithBaseURL() and postUrl() are
// not observed by this snippet.
Java.use("android.webkit.WebView").loadUrl.overload("java.lang.String").implementation = function (url) {
    var shownUrl = url.toString();
    console.log('webview loaded url = ', shownUrl);

    // Forward to the original implementation so the page still loads.
    var originalLoadUrl = this.loadUrl.overload("java.lang.String");
    originalLoadUrl.call(this, url);
};
43 | 44 | 45 |
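// Get application context

/**
 * Return the application Context of the instrumented process.
 *
 * Needs the Java bridge, so call it from inside Java.perform().
 * ActivityThread.currentApplication() is evaluated on every call.
 * NOTE(review): presumably it can still be null very early in process
 * start-up; confirm before relying on this in spawn-time scripts.
 *
 * @returns {object} Frida wrapper around the android.content.Context.
 */
function getApplicationContext() {
    var app = Java.use('android.app.ActivityThread').currentApplication();
    // Return the Context itself, as the function name promises. Callers that
    // need the ContentResolver call getContentResolver() on the result.
    return app.getApplicationContext();
}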
55 | 56 |
// Print application android_id

/**
 * Log Settings.Secure "android_id" as seen by the instrumented app.
 *
 * Needs the Java bridge, so call it from inside Java.perform().
 * Since Android 8.0 this value is scoped per app-signing key, user and
 * device, so it differs between apps on the same handset.
 */
function logAndroidId() {
    var secureSettings = Java.use('android.provider.Settings$Secure');
    var appContext = Java.use('android.app.ActivityThread')
        .currentApplication()
        .getApplicationContext();
    var resolver = appContext.getContentResolver();
    var androidId = secureSettings.getString(resolver, 'android_id');
    console.log('android_id = ', androidId);
}
66 | 67 |
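// Print shared preferences updates
//
// Hooks every put*() method of the SharedPreferences editor and logs the key
// and value before forwarding to the original method. The log line is written
// when the value is staged on the editor, not when commit()/apply() persists
// it. Values stored in preferences are often tokens or credentials, so treat
// the captured output as sensitive.
var shared_pref_class = Java.use('android.app.SharedPreferencesImpl$EditorImpl');

// [method name, Java type of the value argument]
[
    ['putString', 'java.lang.String'],
    ['putInt', 'int'],
    ['putFloat', 'float'],
    ['putBoolean', 'boolean'],
    ['putLong', 'long'],
    // overload() takes type names as strings. An unquoted java.util.Set is a
    // ReferenceError in the script and stops it from loading.
    ['putStringSet', 'java.util.Set']
].forEach(function (entry) {
    var method = entry[0];
    var valueType = entry[1];

    shared_pref_class[method].overload('java.lang.String', valueType).implementation = function (k, v) {
        console.log('Shared preference updated: ', k, '=', v);
        // Forward to the original method and hand its return value back.
        return this[method](k, v);
    };
});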
108 | 109 |
// Create java array
//
// Java.array(type, elements) builds a Java array from a JavaScript array.
// Java bytes are signed (-128..127); the three sample values fit that range.
// byteArr1 is the sample input used by the conversion snippets below.
var byteArr1 = Java.array('byte', [0x0d, 0x25, 0x2a]);
117 | 118 |
// Get hex string from byte array

/**
 * Hex-encode the first `size` elements of a byte array.
 *
 * @param {object} array - Indexable byte array; null/undefined is allowed.
 * @param {number} size - Number of leading elements to encode.
 * @returns {string} Lower-case hex, two digits per byte, or the string
 *     'null' when `array` is null or undefined.
 */
function byteArrayToHexString(array, size) {
    if (array === null || array === undefined) {
        return 'null';
    }

    var hex = '';
    for (var idx = 0; idx < size; idx++) {
        // Mask to 0..255 so negative (signed) byte values format correctly.
        var octet = array[idx] & 0xFF;
        hex += (octet < 0x10 ? '0' : '') + octet.toString(16);
    }
    return hex;
}

// Example call on the sample array; the result is discarded here, so wrap it
// in console.log() to see the output.
byteArrayToHexString(byteArr1, byteArr1.length);
136 | 137 |
// Get ascii string from byte array

/**
 * Turn the first `size` elements of a byte array into a string, one
 * character per byte.
 *
 * Each byte is masked to 0..255 and used directly as a character code, so
 * bytes above 0x7F come out as Latin-1 characters and multi-byte encodings
 * such as UTF-8 are not decoded.
 *
 * @param {object} array - Indexable byte array; null/undefined is allowed.
 * @param {number} size - Number of leading elements to convert.
 * @returns {string} The decoded text, or the string 'null' when `array` is
 *     null or undefined.
 */
function byteArrayToAscii(array, size) {
    if (array === null || array === undefined) {
        return 'null';
    }

    var text = '';
    for (var idx = 0; idx < size; idx++) {
        text += String.fromCharCode(array[idx] & 0xFF);
    }
    return text;
}

// Example call on the sample array; the result is discarded here, so wrap it
// in console.log() to see the output.
byteArrayToAscii(byteArr1, byteArr1.length);
160 | 161 |
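// Print secret crypto keys bytes
//
// Hooks both javax.crypto.spec.SecretKeySpec constructors and logs the byte
// array handed to them together with the algorithm name. The output is raw
// key material, so treat captured logs as sensitive.

/**
 * Hex-encode the first `size` elements of a byte array.
 *
 * @param {object} array - Indexable byte array; null/undefined is allowed.
 * @param {number} size - Number of leading elements to encode.
 * @returns {string} Lower-case hex, two digits per byte, or the string
 *     'null' when `array` is null or undefined.
 */
function byteArrayToHexString(array, size) {
    if (array == null) return 'null';

    var result = [];
    for (var i = 0; i < size; ++i) {
        // Mask to 0..255 so negative (signed) byte values format correctly.
        result.push(('0' + (array[i] & 0xFF).toString(16)).slice(-2));
    }
    return result.join('');
}

var SecretKeySpec_class = Java.use('javax.crypto.spec.SecretKeySpec');

// SecretKeySpec(byte[] key, String algorithm)
SecretKeySpec_class.$init.overload('[B', 'java.lang.String').implementation = function(p0, p1) {
    console.log('SecretKeySpec =', byteArrayToHexString(p0, p0.length), 'algo =', p1);
    return this.$init(p0, p1);
};

// SecretKeySpec(byte[] key, int offset, int len, String algorithm)
SecretKeySpec_class.$init.overload('[B', 'int', 'int', 'java.lang.String').implementation = function(p0, p1, p2, p3) {
    // The algorithm is the fourth argument, p3. There is no p4 in this
    // signature; referencing it throws a ReferenceError inside the hook
    // before the original constructor is reached.
    // The whole buffer is logged; the key actually used is the `size` bytes
    // starting at `offset`.
    console.log('SecretKeySpec =', byteArrayToHexString(p0, p0.length), 'offset =', p1, 'size =', p2, 'algo =', p3);
    return this.$init(p0, p1, p2, p3);
};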
189 | 190 |
// Print all strings created at runtime
//
// Wraps toString() on StringBuilder and StringBuffer so every string built
// through them is logged. This fires very often and slows the app down, and
// the output can include credentials or tokens the app assembles, so treat
// captured logs as sensitive.
['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function (className) {
    var methodName = 'toString';
    var wrapper = Java.use(className);

    wrapper[methodName].implementation = function () {
        // Call the original toString() and pass its result through unchanged.
        var built = this[methodName]();
        console.log('String created: ' + built);
        return built;
    };
});
205 | 206 |
// Print stacktrace in this point
//
// Creates a java.lang.Exception and prints its stack trace through
// android.util.Log.getStackTraceString(). The exception is never thrown; it
// is only used to capture the current Java call stack. Placing the two inner
// lines inside a hook implementation presumably shows the callers of the
// hooked method.
Java.perform(function () {
    var Log = Java.use("android.util.Log");
    var Exception = Java.use("java.lang.Exception");

    var marker = Exception.$new();
    console.log(Log.getStackTraceString(marker));
});
217 | 218 | 219 | TODO: 220 | 221 | Add things from 222 | 223 | * https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/sqlite-database.js 224 | * https://gitlab.com/roxanagogonea/frida-scripts/blob/master/data-storage/log.js 225 | * https://gitlab.com/roxanagogonea/frida-scripts/blob/master/network/http-connection.js 226 | * https://gitlab.com/roxanagogonea/frida-scripts/blob/master/network/read-write.js 227 | * https://gitlab.com/roxanagogonea/frida-scripts/blob/master/network/ssl-pinning.js 228 | --------------------------------------------------------------------------------