A simple example of bypassing frida anti-debugging


Introduction

Recently, while analyzing an app, I ran into frida anti-debugging. I spent some time studying it and learned a lot, so I am recording the process here.

The problem

frida is a very powerful hook framework. With so many users, many detection schemes have naturally emerged. The app I encountered this time detected frida: it opened normally on its own, but as soon as it was started with frida -f or attached to, it crashed shortly afterwards.

Common frida detection methods


1. Detect the frida-server file name
2. Detect the default port 27042
3. Detect D-Bus
4. Detect the /proc/pid/maps mapping file
5. Detect /proc/pid/task/tid/stat or /proc/pid/task/tid/status
6. Double-process protection

The first two can be bypassed by renaming the frida-server file and changing the default port. Double-process protection can be bypassed by starting the app in spawn mode with -f. The others require hooking.

Locating the detection

First, against the simple detection methods, I renamed the file, changed the port, and also tried spawn startup; in every case the app still crashed shortly after starting. So I considered the other detection methods. I began by using frida to list which .so libraries were loaded, hoping to see where the detection was happening, but that led nowhere.

function fridaProcess() {
    Java.perform(function () {
        // List every module mapped into the process, to see which .so files are loaded
        var modules = Process.enumerateModules();
        for (var i = 0; i < modules.length; i++) {
            console.log("", modules[i].name);
        }
    });
}

setImmediate(fridaProcess);

Since loading a .so ultimately comes down to an open call, we hook the open function in the application with frida to see which .so files or other files are read. The last file opened before the crash is /proc/self/maps.

var openPtr = Module.findExportByName(null, "open");
Interceptor.attach(openPtr, {
    onEnter: function (args) {
        // args[0] is the pathname: log every file the app opens
        this.path = args[0].readCString();
        console.log("", this.path);
        if (this.path.indexOf(".so") != -1) {
            // Nulls out the pathname for .so opens, which makes that open() fail;
            // remove this branch if you only want to log the paths
            args[0] = ptr(0);
        }
    },
    onLeave: function (retval) {
        return retval;
    }
});


Digging a little deeper

When frida is attached, the process's maps file contains tell-tale entries such as re.frida.server. These are created automatically by frida-server and hold frida's own modules. They also show up in the hook script's output as .so files are loaded, and the last one loaded before the crash is frida-agent.so.

Here we need to bypass this detection. I do it by handing the app a backup copy of the maps file that looks like a normal startup (as mentioned earlier, the app starts normally without crashing when frida is not used).

function main() {
    const openPtr = Module.getExportByName('libc.so', 'open');
    const readPtr = Module.getExportByName('libc.so', 'read');
    const closePtr = Module.getExportByName('libc.so', 'close');
    const open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
    const read = new NativeFunction(readPtr, 'int', ['int', 'pointer', 'int']);
    const close = new NativeFunction(closePtr, 'int', ['int']);
    const fakePath = "/data/data/com.app/maps";   // writable path inside the app's own data directory
    const buffer = Memory.alloc(4096);

    Interceptor.replace(openPtr, new NativeCallback(function (pathnamePtr, flag) {
        const pathname = pathnamePtr.readUtf8String();
        const realFd = open(pathnamePtr, flag);
        if (realFd < 0 || pathname.indexOf("maps") < 0) {
            return realFd;   // not a maps file (or open failed): pass the real descriptor through
        }
        // Read the real maps file completely, then drop the lines that reveal frida
        let content = "";
        let n;
        while ((n = read(realFd, buffer, 4096)) > 0) {
            content += buffer.readUtf8String(n);
        }
        close(realFd);
        const file = new File(fakePath, "w");
        content.split("\n").forEach(function (line) {
            if (line.length > 0 && line.indexOf("tmp") === -1) {
                file.write(line + "\n");
            }
        });
        file.close();
        // Hand the app a descriptor to the cleaned copy instead of the real file
        return open(Memory.allocUtf8String(fakePath), flag);
    }, 'int', ['pointer', 'int']));
}
setImmediate(main);

Then you can continue debugging.
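To show what the maps-based check on the detection side is actually looking at, here is an added example (not code from the original post) that parses constructed /proc/self/maps lines, flags entries that point at frida's modules, and then applies the same "tmp" line filter the script above uses to show what the app sees afterwards. The indicator string, the sample lines and the function names are assumptions for illustration.

```javascript
// Added example, not from the original post: the kind of /proc/self/maps scan
// an anti-frida check performs, run on a constructed sample so it works offline.

// The post names re.frida.server and frida-agent.so; both contain this substring (assumption).
const FRIDA_INDICATORS = ["frida"];

// Parse one /proc/<pid>/maps line into its fields; the path column is optional.
function parseMapsLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [range, perms, offset, dev, inode] = parts;
  const [start, end] = range.split("-");
  return { start, end, perms, offset, dev, inode, path: parts.slice(5).join(" ") };
}

// Return the mapped paths that match a frida indicator (empty array = nothing found).
function findFridaMappings(mapsText) {
  const hits = [];
  for (const line of mapsText.split("\n")) {
    const m = parseMapsLine(line);
    if (!m || m.path === "") continue;
    const lower = m.path.toLowerCase();
    if (FRIDA_INDICATORS.some(ind => lower.includes(ind))) hits.push(m.path);
  }
  return hits;
}

// The post's bypass drops every line containing "tmp"; this reproduces that filter.
function filterLines(mapsText, needle) {
  return mapsText.split("\n").filter(l => !l.includes(needle)).join("\n");
}

// Constructed sample: ordinary entries plus the agent that frida-server injects.
const SAMPLE_MAPS = [
  "12c00000-52c00000 rw-p 00000000 00:00 0   [anon:dalvik-main space]",
  "7b3a000000-7b3a1f0000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so",
  "7b3c000000-7b3c2a0000 r-xp 00000000 fd:00 5678   /data/local/tmp/re.frida.server/frida-agent-64.so",
  "7b3d000000-7b3d001000 rw-p 00000000 00:00 0",
  "7ffd000000-7ffd021000 rw-p 00000000 00:00 0   [stack]",
].join("\n");

console.log("detected:", findFridaMappings(SAMPLE_MAPS));
console.log("after tmp filter:", findFridaMappings(filterLines(SAMPLE_MAPS, "tmp")));
```

Note that the filter only works because the agent's path happens to contain "tmp"; a check that matches on "frida" itself, as above, is what the cleaned copy has to satisfy.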

Summary

This is only a simple example, but I did learn something in the process of bypassing it. As long as enough time is spent on analysis, a way through can always be found.
