Giters

thelumberjhack / ZygiskFrida

Injects frida gadget using zygisk to bypass anti-tamper checks.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

ZygiskFrida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers

Zygisk part of Magisk allows you to run code in every Android application's Process.

Introduction

ZygiskFrida is a zygisk module allowing you to inject frida gadget in Android applications in a more stealthy way.

  • The gadget is not embedded into the APK itself. So APK Integrity/Signature checks will still pass.
  • The process is not being ptraced like it is with frida-server. Avoiding ptrace based detection.
  • Control about the injection time of the gadget.
  • Allows you to load multiple arbitrary libraries into the process.

This repo also provides a Riru flavor in case you are still using riru with an older magisk version rather than zygisk.

How to use the module

Prerequisites

  • Rooted device/emulator
  • Zygisk available and enabled

Quick start

  • Download the latest release from the Release Page
    If you are using riru instead of zygisk choose the riru-release. Otherwise choose the normal version.
  • Transfer the ZygiskFrida zip file to your device and install it via Magisk.
  • Reboot after install
  • Create the config file and adjust the package name to your target app (replace your.target.application in the commands)
adb shell 'su -c cp /data/local/tmp/re.zyg.fri/config.json.example /data/local/tmp/re.zyg.fri/config.json'
adb shell 'su -c sed -i s/com.example.package/your.target.application/ /data/local/tmp/re.zyg.fri/config.json'
  • Launch your app. It will pause at startup allowing you to attach f.e. frida -U -N your.target.application or frida -U -n Gadget

This assumes that you don't have any other frida server running (f.e. by using MagiskFrida). You can still run it together with frida-server but you would have to configure the gadget to use a different port.

Configuration

This module also supports adding a start up delay that can delay injection of the gadget to avoid checks run at startup time, loading arbitrary libraries and child gating.

Please take a look at the configuration guide for this.

How to build

  • Checkout the project
  • Run ./gradlew :module:assembleRelease
  • The build magisk module should then be in the out directory.

You can also build and install the module to your device directly with ./gradlew :module:flashAndRebootZygiskRelease

Caveats

  • For emulators this will start the gadget in native realm. This means that you will be able to hook Java but not native functions.

Credits

About

Injects frida gadget using zygisk to bypass anti-tamper checks.

License:MIT License

Languages

Language:C++ 85.8%Language:C 13.1%Language:Shell 1.0%Language:Makefile 0.2%