Author: admin

Bypassing Anti-Tampering: Advanced Frida ARM64 Techniques for Native Libraries
Introduction to Native Anti-Tampering and Frida

Modern Android applications, particularly those handling sensitive data or incorporating license checks, often implement robust anti-tampering mechanisms. A significant portion of these defenses resides within native libraries (.so files), compiled for specific architectures like ARM64. Bypassing these native checks is a critical skill for penetration testers and security researchers seeking to understand application logic, identify vulnerabilities, or validate security controls. Frida, a dynamic instrumentation toolkit, stands out as an indispensable tool for this purpose due to its unparalleled ability to inject custom JavaScript into running processes and manipulate native code execution.

While Frida’s capabilities for Java-layer hooking are well-known, its true power extends to native binaries. This article delves into advanced Frida techniques specifically tailored for ARM64 native libraries, focusing on how to effectively analyze, hook, and bypass anti-tampering logic.

The ARM64 Challenge: Understanding the Architecture

Working with native ARM64 code requires a foundational understanding of its architecture, especially its calling conventions and register usage. Unlike x86/x64, ARM64 (AArch64) uses a register-based calling convention where the first eight arguments to a function are passed in general-purpose registers x0 through x7. Subsequent arguments are pushed onto the stack. The return value is typically placed in x0.
- General Purpose Registers: x0–x30 (64-bit), w0–w30 (32-bit subset)
- Link Register (LR): x30, holds the return address
- Stack Pointer (SP): sp, points to the top of the stack
- Frame Pointer (FP): x29, often used to point to the base of the current stack frame
Understanding these conventions is paramount when intercepting function calls, as it dictates how you’ll access and manipulate arguments and return values within your Frida scripts.

Prerequisites and Setup

Before diving into advanced techniques, ensure you have the necessary environment configured:
- Rooted Android Device or Emulator: Required for running frida-server.
- ADB (Android Debug Bridge): For pushing files and interacting with the device.
- Frida-Server: The appropriate frida-server binary for your device’s architecture (e.g., frida-server-16.x.x-android-arm64).
- Frida-Tools: Installed on your host machine (pip install frida-tools).
- Disassembler/Decompiler: Ghidra or IDA Pro for static analysis of the native library.
- Dex2Jar/Jadx-GUI: For decompiling the APK to understand Java-native interactions.
Setting up Frida-Server:
```
adb push /path/to/frida-server /data/local/tmp/frida-serveradb shell
```
May 30, 2026
Advanced Frida Scripting: Automating Android Class & Method Signature Extraction Introduction to Frida for Android Penetration Testing Frida, a dynamic instrumentation toolkit, stands as an indispensable tool in the arsenal of any serious Android penetration tester or reverse engineer. It allows you to inject JavaScript or your own library into native apps on various platforms, enabling you to inspect, hook, and modify code and data at runtime. This capability is crucial for understanding application behavior, bypassing security controls, and discovering hidden functionalities, especially when dealing with obfuscated applications where static analysis falls short. While Frida’s basic hooking capabilities are well-documented, its true power emerges in more advanced scenarios, such as automating the discovery of application internals. One common challenge in Android app reverse engineering is identifying relevant classes and, more importantly, their methods along with their full signatures (return types and argument types). This knowledge is fundamental for effective hooking and understanding the application’s attack surface. The Challenge of Runtime Class and Method Discovery Traditional static analysis tools, like decompilers (e.g., Jadx, APKTool), provide source code approximations. However, they can often struggle with dynamically loaded classes, highly obfuscated code, or reflection-heavy implementations. Furthermore, manually sifting through thousands of classes and methods in a large application to find specific points of interest is tedious and inefficient. The goal of dynamic analysis with Frida is to overcome these limitations by inspecting the application’s memory space and loaded code at the exact moment it’s running. Extracting method signatures is particularly important. A method’s name alone isn’t enough to accurately hook it if it’s overloaded. Knowing the exact types of arguments it expects and its return type ensures precise targeting and allows for correct manipulation of data during runtime. This article will guide you through advanced Frida scripting techniques to automate this extraction process. Prerequisites: Setting Up Your Frida Environment Before diving into the scripts, ensure you have a working Frida environment. This typically involves: A rooted Android device or emulator. frida-server running on the Android device, matching your device’s architecture and Frida-tools version. frida-tools installed on your host machine (pip install frida-tools). We will assume a basic understanding of Frida and how to attach it to a target Android application. Enumerating All Loaded Classes with Frida The first step in discovering application internals is often to get a bird’s-eye view of all classes currently loaded into the Java Virtual Machine (JVM). Frida provides a convenient API for this: Java.enumerateLoadedClasses(). Frida Script: Listing All Loaded Classes Java.perform(function() { console.log("[*] Enumerating all loaded classes..."); Java.enumerateLoadedClasses({ onMatch: function(className) { // Filter classes if you want, e.g., by package name // if (className.startsWith("com.example.targetapp.")) { console.log("[+] Found class: " + className); // } }, onComplete: function() { console.log("[*] Class enumeration complete."); } });}); To run this script: frida -U -f com.example.targetapp -l enumerate_classes.js --no-pause Replace com.example.targetapp with the package name of your target application and enumerate_classes.js with the name you saved the script as. This will output a comprehensive list of all classes loaded, including framework classes, library classes, and most importantly, your application’s own classes. This list serves as a starting point for more targeted analysis. Diving Deeper: Detailed Method Signature Extraction with Reflection Once you’ve identified interesting classes, the next logical step is to extract their methods along with their complete signatures. While Java.use('ClassName').$ownMethods can list method names, it doesn’t provide parameter types or return types directly, especially for overloaded methods. To get full signatures, we leverage Java’s reflection API through Frida. We can obtain the underlying java.lang.Class object for our target class and then use methods like getDeclaredMethods() and getDeclaredConstructors(). These methods return arrays of java.lang.reflect.Method and java.lang.reflect.Constructor objects, respectively. From these objects, we can extract detailed information such as return types, method names, and parameter types. Frida Script: Detailed Method Signature Extraction with Reflection Java.perform(function() { console.log("[*] Starting Android Class and Method Signature Extraction"); // --- CONFIGURATION --- // Replace with your target class. You can find this using Java.enumerateLoadedClasses(). // For broad scanning, you could iterate through loaded classes and apply a package filter. var targetClassName = "com.example.androidapp.MainActivity"; // EXAMPLE: Change this! // --- END CONFIGURATION --- try { // Obtain a wrapper for the target class var targetClass = Java.use(targetClassName); console.log("--------------------------------------------------"); console.log("[*] Analyzing Class: " + targetClassName); console.log("--------------------------------------------------"); // Get the underlying java.lang.Class object from the wrapper var clazz = targetClass.$class; // --- Constructors --- console.log("n[+] Constructors:"); var constructors = clazz.getDeclaredConstructors(); if (constructors.length === 0) { console.log(" No declared constructors found."); } constructors.forEach(function(constructor) { var params = constructor.getParameterTypes(); var paramNames = params.map(function(p) { return p.getName(); }).join(", "); // Example output: com.example.androidapp.MainActivity(android.content.Context) console.log(" " + constructor.getName() + "(" + paramNames + ")"); }); // --- Methods --- console.log("n[+] Methods:"); var methods = clazz.getDeclaredMethods(); if (methods.length === 0) { console.log(" No declared methods found."); } methods.forEach(function(method) { var returnType = method.getReturnType().getName(); var params = method.getParameterTypes(); var paramNames = params.map(function(p) { return p.getName(); }).join(", "); // Example output: void onCreate(android.os.Bundle) console.log(" " + returnType + " " + method.getName() + "(" + paramNames + ")"); }); console.log("n[*] Analysis complete for " + targetClassName); } catch (e) { console.error("[!] Error analyzing class " + targetClassName + ": " + e.message); console.log("[!] It's possible the class is not loaded yet or doesn't exist. Try to interact with the app first."); console.log("[*] Consider using Java.enumerateLoadedClasses() to find correct class names."); }}); Running the Frida Script and Interpreting Results Save the above script as, for example, extract_signatures.js. Before running, remember to replace "com.example.androidapp.MainActivity" with an actual class name from your target application that you wish to analyze. frida -U -f com.example.targetapp -l extract_signatures.js --no-pause > output.txt The --no-pause flag tells Frida to start the application and immediately execute the script without waiting for user input. The > output.txt redirects the console output to a file, which is highly recommended for large outputs. The output will clearly list all declared constructors and methods, each with its full signature. For example: [*] Analyzing Class: com.example.androidapp.MainActivity[+] Constructors: com.example.androidapp.MainActivity()[+] Methods: void onCreate(android.os.Bundle) void onResume() java.lang.String getAppVersion() boolean checkPermission(java.lang.String) Advanced Use Cases and Further Exploration This automated signature extraction forms the backbone for various advanced penetration testing scenarios: API Discovery: Quickly map out the internal APIs of an application, identifying functions that might handle sensitive data or perform critical operations. Targeted Hooking: With exact method signatures, you can create precise hooks to observe arguments, modify return values, or bypass checks with greater accuracy. Obfuscation Bypass: Even if methods are obfuscated in the static bytecode, their runtime reflection properties can reveal their true parameter and return types, aiding in deobfuscation efforts. Automated Exploit Development: Combine this with other Frida features to automate the generation of exploit payloads by understanding the exact function calls and data structures. Broader Scanning: You can modify the script to iterate through Java.enumerateLoadedClasses(), filter by package prefix (e.g., className.startsWith("com.yourcompany.")), and then apply the signature extraction logic to every class within a specific package. Conclusion Mastering advanced Frida scripting for automated class and method signature extraction is a powerful skill for any Android penetration tester. By leveraging Frida’s JavaScript environment and Java’s reflection capabilities, you can efficiently overcome common challenges in dynamic analysis, providing deep insights into an application’s runtime behavior. This foundational technique empowers you to perform more effective, targeted, and automated security assessments, pushing the boundaries of what’s possible in mobile app reverse engineering. May 30, 2026
Frida for Android ARM64: Mastering Native Library Hooking Step-by-Step Introduction to Native Library Hooking on Android ARM64 with Frida Android applications often rely on native libraries (typically .so files) written in C/C++ for performance-critical operations, cryptographic functions, or to obscure sensitive logic. Reverse engineering and manipulating these native components, especially on ARM64 architectures, is a crucial skill for security researchers and penetration testers. Frida, a dynamic instrumentation toolkit, provides unparalleled capabilities for this task. This guide will walk you through the process of mastering native library hooking on Android ARM64 using Frida, from identifying targets to intercepting and modifying function calls. Prerequisites and Setup Before diving into the code, ensure you have the following: An Android device or emulator (rooted) running an ARM64 architecture. ADB (Android Debug Bridge) installed and configured on your host machine. Python 3 installed on your host machine. Frida tools installed on your host: pip install frida-tools Frida server pushed and running on your Android device. Download the correct ARM64 server from Frida Releases and push it: adb push frida-server-/data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &" A decompiler/disassembler like Ghidra or IDA Pro (optional but highly recommended for complex scenarios). Understanding Android Native Libraries and ARM64 Native libraries interact with Java code via the Java Native Interface (JNI). When a Java method is declared native, its implementation resides in a .so file. On ARM64, the calling convention typically passes the first eight arguments in registers (x0 to x7) and subsequent arguments on the stack. The return value is usually in x0. Understanding this is key to correctly interpreting function arguments and return values in your Frida hooks. Finding Your Target Function Identifying the function you want to hook is the first critical step. There are two main scenarios: 1. Exported Functions Many native libraries export their JNI functions and sometimes other helper functions. You can find these using readelf or nm on the .so file itself: adb pull /data/app//lib/arm64/libyourlib.so .readelf -Ws libyourlib.sonm -D libyourlib.so Look for symbols that match JNI naming conventions (e.g., Java_com_example_app_NativeClass_nativeMethod) or other clear function names. 2. Non-Exported (Internal) Functions Often, the most interesting functions are not exported. In such cases, you need to use a decompiler/disassembler (like Ghidra or IDA Pro) to reverse engineer the library. Load the .so file into your tool, locate the JNI wrapper function, and then trace calls to internal functions. Note down the offset of the target function relative to the module’s base address. Basic Native Hooking: Exported Functions Let’s start with a simple example: hooking an exported function. Suppose we have a native function named my_exported_function. import fridaimport sysdef on_message(message, data):print(f"[+] {message}")def hook_exported_function(package_name, library_name, function_name):script_code = f"""Interceptor.attach(Module.findExportByName('{library_name}', '{function_name}'), {{onEnter: function (args) {{console.log(`[+] Called {function_name} with arguments:`);console.log(`x0: ${{args[0]}}`);console.log(`x1: ${{args[1]}}`);}},onLeave: function (retval) {{console.log(`[+] {function_name} returned: ${{retval}}`);}}}});"""device = frida.get_usb_device()pid = device.spawn([package_name])session = device.attach(pid)script = session.create_script(script_code)script.on("message", on_message)script.load()device.resume(pid)print(f"[+] Hooked {function_name} in {library_name}. Press Ctrl+D or Ctrl+C to stop.")sys.stdin.read()session.detach()if __name__ == "__main__": # Replace with your target app and library nameshook_exported_function("com.example.myapp", "libmyapp.so", "my_exported_function") This script attaches to the target process, finds the exported function, and prints its arguments (x0 and x1) and return value. Advanced Hooking: Non-Exported Functions by Offset When dealing with internal functions, you need their memory offset within the library. Assume through reverse engineering, you found an internal function at offset 0x12345 from the base of libmyapp.so. import fridaimport sysdef on_message(message, data):print(f"[+] {message}")def hook_offset_function(package_name, library_name, offset):script_code = f"""var module_base = Module.findBaseAddress('{library_name}');if (module_base) {{var target_address = module_base.add({offset});console.log(`[+] {library_name} base address: ${{module_base}}`);console.log(`[+] Target function address: ${{target_address}}`);Interceptor.attach(target_address, {{onEnter: function (args) {{console.log(`[+] Called internal function at offset 0x{offset:x} with arguments:`);console.log(`x0: ${{args[0]}}`);console.log(`x1: ${{args[1]}}`);// You can read memory pointed by args[N] or modify them// For example, reading a string at args[0]:// console.log(`String at x0: ${{args[0].readUtf8String()}}`);}},onLeave: function (retval) {{console.log(`[+] Internal function at offset 0x{offset:x} returned: ${{retval}}`);// Modify return value, e.g., always return 1:// retval.replace(ptr(1));}}}});}} else {{console.error(`[-] Could not find module: {library_name}`);}}"""device = frida.get_usb_device()pid = device.spawn([package_name])session = device.attach(pid)script = session.create_script(script_code)script.on("message", on_message)script.load()device.resume(pid)print(f"[+] Hooked internal function at offset 0x{offset:x} in {library_name}. Press Ctrl+D or Ctrl+C to stop.")sys.stdin.read()session.detach()if __name__ == "__main__": # Replace with your target app, library, and offsethook_offset_function("com.example.myapp", "libmyapp.so", 0x12345) This script first finds the base address of libmyapp.so and then adds the known offset to calculate the exact memory address of the target function. The onEnter and onLeave callbacks allow you to inspect and modify arguments and return values. Working with Function Arguments and Return Values (ARM64 Specifics) On ARM64, the first eight parameters are passed in registers x0 to x7. You access these in Frida’s onEnter callback via args[0] to args[7]. The return value is typically in x0 and can be accessed and modified via retval in the onLeave callback. For example, to read a `char*` string passed as the first argument, you’d use args[0].readUtf8String(). Practical Example: Bypassing a Simple Native Check Imagine a native function, say checkLicense(), which returns 0 for a valid license and -1 for an invalid one. We want to always make it return 0. import fridaimport sysdef on_message(message, data):print(f"[+] {message}")def bypass_license_check(package_name, library_name, function_name_or_offset, is_offset=False):script_code = f"""var target_addr;if ({is_offset}) {{var module_base = Module.findBaseAddress('{library_name}');if (!module_base) {{console.error(`[-] Could not find module: {library_name}`);return;}}target_addr = module_base.add({function_name_or_offset});}} else {{target_addr = Module.findExportByName('{library_name}', '{function_name_or_offset}');if (!target_addr) {{console.error(`[-] Could not find exported function: {function_name_or_offset}`);return;}}}}console.log(`[+] Targeting function at address: ${{target_addr}}`);Interceptor.attach(target_addr, {{onEnter: function (args) {{console.log(`[+] Bypassing {function_name_or_offset} check. Args[0]: ${{args[0]}}`);}},onLeave: function (retval) {{console.log(`[+] Original return value: ${{retval}}`);retval.replace(ptr(0)); // Force return 0 (success)console.log(`[+] Modified return value to: 0`);}}}});"""device = frida.get_usb_device()pid = device.spawn([package_name])session = device.attach(pid)script = session.create_script(script_code)script.on("message", on_message)script.load()device.resume(pid)print(f"[+] Bypassing license check for {function_name_or_offset}. Press Ctrl+D or Ctrl+C to stop.")sys.stdin.read()session.detach()if __name__ == "__main__": # Example: hooking an exported function called checkLicensebypass_license_check("com.example.myapp", "libmyapp.so", "checkLicense", False) # Example: hooking an internal function at offset 0xABCDEbypass_license_check("com.example.myapp", "libmyapp.so", 0xABCDE, True) This script demonstrates how to conditionally handle both exported and offset-based functions, and more importantly, how to manipulate the return value in the onLeave callback to bypass a check. The retval.replace(ptr(0)); line is the core of the bypass. Conclusion Frida is an incredibly powerful tool for dynamic instrumentation of Android native libraries on ARM64. By understanding how to identify target functions (exported or internal), calculate their addresses, and leverage Frida’s Interceptor, you can gain deep insights into application behavior, analyze data flows, and even bypass security mechanisms. This step-by-step guide provides a solid foundation for your advanced Android penetration testing and reverse engineering endeavors. Remember to always use these techniques responsibly and ethically. May 30, 2026
From APK to Runtime: Complete Guide to Android Class & Method Enumeration with Frida Introduction: The Power of Runtime Analysis in Android Penetration Testing Analyzing Android applications for vulnerabilities often begins with static analysis of the APK file. Tools like JADX or Ghidra allow us to decompile DEX bytecode into Java or Smali, revealing the app’s structure and logic. However, static analysis has its limitations: dynamic class loading, obfuscation techniques, and runtime-dependent logic can obscure critical information. This is where dynamic analysis, particularly with a powerful instrumentation toolkit like Frida, becomes indispensable. Frida allows us to inject custom scripts into running processes, giving us unparalleled control and visibility into the application’s runtime behavior. This guide will deep dive into using Frida to enumerate Android classes and methods at runtime. This technique is crucial for understanding an app’s internal workings, identifying potential attack surfaces, and preparing for more advanced hooking scenarios. We’ll cover everything from setting up your environment to writing advanced scripts for comprehensive enumeration. Setting Up Your Frida Environment Before we begin enumerating, ensure your Frida environment is properly configured. You’ll need: A rooted Android device or emulator (or a non-rooted device with ADB access to inject Frida server). Frida server running on the Android device. Frida client (frida-tools) installed on your host machine. Installing Frida Tools on Your Host pip install frida-tools Deploying Frida Server to Android Download the appropriate Frida server binary for your Android device’s architecture (e.g., frida-server-*-android-arm64) from the official Frida GitHub releases. Then, push it to your device and run it: adb push frida-server /data/local/tmp/frida-serveradb shellchmod 755 /data/local/tmp/frida-serveradb shell"/data/local/tmp/frida-server &" Verify Frida server is running and accessible from your host: frida-ps -U This command should list all running processes on your Android device. Enumerating Loaded Classes at Runtime The first step in understanding an application’s internal structure dynamically is to list all classes currently loaded into its Java Virtual Machine (JVM). Frida provides a powerful JavaScript API for this: Java.enumerateLoadedClasses(). Basic Class Enumeration Script Let’s create a simple Frida script (e.g., enumerate_classes.js) to list all loaded classes for a target application. For this example, we’ll target a generic Android application like ‘com.android.settings’. // enumerate_classes.jsJava.perform(function () { console.log("[*] Enumerating loaded classes..."); Java.enumerateLoadedClasses({ onMatch: function (className) { console.log("[+] Found class: " + className); }, onComplete: function () { console.log("[*] Class enumeration complete."); } });}); Now, attach this script to the target application: frida -U -l enumerate_classes.js -f com.android.settings --no-pause You will observe a flood of class names in your console. This includes Android framework classes, third-party library classes, and importantly, the application’s own classes. Filtering for Application-Specific Classes Listing all classes can be overwhelming. Typically, we are interested in classes belonging to the application itself. We can refine our script to filter based on package names. // filter_app_classes.jsJava.perform(function () { var targetPackage = "com.your.app.package"; // Replace with the actual package name of your target app console.log("[*] Enumerating classes for package: " + targetPackage + "..."); Java.enumerateLoadedClasses({ onMatch: function (className) { if (className.startsWith(targetPackage)) { console.log("[+] Found app class: " + className); } }, onComplete: function () { console.log("[*] App class enumeration complete."); } });}); To run this, replace com.your.app.package with the actual package name of your target application (e.g., if you’re analyzing a banking app, it might be com.example.bankapp). Enumerating Methods of a Specific Class Once you’ve identified an interesting class, the next logical step is to discover its methods. This reveals the functionalities exposed by that class. Frida allows us to instantiate a Java class (or get a handle to an existing one) and then inspect its methods. Inspecting Class Methods The core technique involves using Java.use() to get a JavaScript wrapper for a Java class, and then inspecting its prototype or using Object.getOwnPropertyNames() to list its methods. // enumerate_methods.jsJava.perform(function () { var targetClassName = "android.app.Activity"; // Example: a common Android framework class // var targetClassName = "com.your.app.package.SomeActivity"; // Or your app's class try { var targetClass = Java.use(targetClassName); console.log("[+] Methods for class: " + targetClassName); var methods = targetClass.class.getDeclaredMethods(); for (var i = 0; i < methods.length; i++) { var method = methods[i]; console.log(" - " + method.getName() + "(" + method.getParameterTypes().map(function(t){ return t.getName(); }).join(", ") + ")"); } } catch (e) { console.error("[-] Error enumerating methods for " + targetClassName + ": " + e.message); }}); To run this: frida -U -l enumerate_methods.js -f com.android.settings --no-pause This script will print out the names and parameters of all declared methods for android.app.Activity. If you target an application-specific class, you’ll see its custom methods. Handling Method Overloads Java allows method overloading (multiple methods with the same name but different parameter signatures). When you get a method handle from Java.use(), Frida typically gives you an array of method references for overloaded methods, or a single reference if there’s no overload. // enumerate_overloads.jsJava.perform(function () { var targetClassName = "android.util.Log"; // Class with known overloads try { var targetClass = Java.use(targetClassName); console.log("[+] Examining overloads for class: " + targetClassName); // Example: Log.d() has multiple overloads var debugMethods = targetClass.d.overloads; if (debugMethods) { console.log(" [*] Found " + debugMethods.length + " overloads for Log.d():"); for (var i = 0; i < debugMethods.length; i++) { console.log(" - Overload " + i + ":"); console.log(" Arguments: " + JSON.stringify(debugMethods[i].argumentTypes.map(function(t){ return t.className; }))); console.log(" Return Type: " + debugMethods[i].returnType.className); } } else { console.log(" [-] No explicit overloads found for Log.d()."); } // Another way to list all methods using Object.getOwnPropertyNames var classMethods = Object.getOwnPropertyNames(targetClass.__proto__); console.log(" [*] All property names (including methods):"); classMethods.forEach(function(methodName) { if (typeof targetClass[methodName] === 'function') { console.log(" - Method: " + methodName); } }); } catch (e) { console.error("[-] Error examining " + targetClassName + ": " + e.message); }}); Run it against a process: frida -U -l enumerate_overloads.js -f com.android.settings --no-pause This script demonstrates how to access specific method overloads and also provides an alternative way to list all methods using Object.getOwnPropertyNames on the class prototype. Advanced Enumeration Techniques and Tips Dynamically Loaded Classes Some applications load classes dynamically at runtime, for instance, through DexClassLoader. If you don’t see a class immediately, it might be loaded later. You can monitor class loading events using Java.onLoad() or by hooking `android.app.DexClassLoader`’s `loadClass` method. Dealing with Obfuscation Obfuscation (e.g., with ProGuard or R8) renames classes and methods to short, meaningless names (e.g., a.b.c). While this makes static analysis harder, runtime enumeration still reveals the actual class and method names in the running JVM. However, understanding their purpose still requires careful inspection. Automating Discovery For large applications, manually inspecting every class and method is impractical. Consider writing scripts to: **Search for keywords:** Look for classes/methods containing terms like “crypto,” “encrypt,” “decrypt,” “password,” “token,” “auth,” “secret,” “ssl,” “http,” “api,” etc. **Identify common security patterns:** Look for known vulnerable methods or suspicious API calls. **Dump all methods of *all* application classes:** Combine the filtering and method enumeration scripts to get a comprehensive list. Here’s a snippet for keyword searching across all app classes: // search_keywords.jsJava.perform(function () { var targetPackage = "com.your.app.package"; // Replace with your target app package var keywords = ["crypto", "encrypt", "decrypt", "secret", "token", "password", "auth"]; console.log("[*] Searching for keywords in classes and methods for: " + targetPackage + "..."); Java.enumerateLoadedClasses({ onMatch: function (className) { if (className.startsWith(targetPackage)) { keywords.forEach(function(keyword) { if (className.toLowerCase().includes(keyword)) { console.log("[+] Keyword '" + keyword + "' found in class name: " + className); } }); try { var targetClass = Java.use(className); var methods = targetClass.class.getDeclaredMethods(); for (var i = 0; i < methods.length; i++) { var method = methods[i]; var methodName = method.getName(); keywords.forEach(function(keyword) { if (methodName.toLowerCase().includes(keyword)) { console.log("[+] Keyword '" + keyword + "' found in method: " + className + "." + methodName); } }); } } catch (e) { // Handle cases where a class might be loaded but not fully initialized or accessible // console.log(" [-] Could not access methods for class: " + className); } } }, onComplete: function () { console.log("[*] Keyword search complete."); } });}); This script can be a starting point for more sophisticated automated analysis. Conclusion Frida’s ability to dynamically enumerate Android classes and methods is an indispensable tool in the arsenal of any penetration tester or security researcher. It bridges the gap between static analysis and runtime behavior, revealing the true operational landscape of an application. By mastering these enumeration techniques, you gain a profound understanding of an app’s internal logic, paving the way for targeted hooking, bypasses, and exploit development. Remember to always use these powerful tools responsibly and ethically. May 30, 2026
Mastering Frida: Programmatically Listing Android’s Live Classes and Their Methods Introduction to Dynamic Android Class Enumeration with Frida In the realm of Android application penetration testing and reverse engineering, understanding the internal architecture of an application at runtime is paramount. Static analysis can reveal much, but the true behavior and loaded components often only emerge during dynamic execution. Frida, a powerful dynamic instrumentation toolkit, provides an unparalleled ability to interact with and manipulate running applications. One of its most fundamental and incredibly useful capabilities is the programmatic enumeration of live Java classes and their methods loaded within an Android application’s process. This article delves into the techniques for using Frida to list all loaded Java classes, filter them for relevance, and then inspect the methods of specific classes. This process is crucial for identifying interesting attack surfaces, understanding custom SDKs, and preparing for targeted hooking. Prerequisites Before diving into the Frida scripts, ensure you have the following: A rooted Android device or an emulator. Frida server running on the Android device. Frida tools installed on your host machine (pip install frida-tools). Basic familiarity with JavaScript and Android application structure. Frida’s Java API for Dynamic Analysis Frida exposes a robust JavaScript API that allows direct interaction with the Java VM running within the target process. The core functions we’ll use are: Java.perform(function() { ... });: This is the entry point for all Java-related Frida scripts, ensuring the Java VM is ready. Java.enumerateLoadedClassesSync();: This function returns an array of strings, where each string is the fully qualified name of a Java class currently loaded in the VM. The Sync suffix indicates it’s a synchronous operation. Java.use('className');: This function allows you to obtain a wrapper object for a specific Java class, enabling you to inspect its properties and methods, and to hook them. Listing All Loaded Classes The first step in exploring an application’s runtime components is to get a complete list of all currently loaded Java classes. This can be an extensive list, often containing hundreds or even thousands of classes from the Android framework, third-party libraries, and the application itself. Frida Script: Basic Class Enumeration (enum_classes.js) Java.perform(function () { console.log('Enumerating all loaded Java classes...'); var classes = Java.enumerateLoadedClassesSync(); classes.forEach(function(className) { console.log('[+] ' + className); }); console.log('Finished enumerating ' + classes.length + ' classes.');}); Executing the Script To run this script against an Android application (e.g., a simple test app with package com.example.mytestapp), use the following command: frida -U -f com.example.mytestapp -l enum_classes.js --no-pause The -U flag targets a USB-connected device, -f spawns the application, -l loads the script, and --no-pause allows the app to start immediately after injection. You’ll see a flood of class names in your console. Filtering Classes for Relevance While a full list is comprehensive, it’s often overwhelming. We usually want to focus on specific areas: the application’s own classes, or classes from a particular third-party library. Filtering becomes essential. Frida Script: Filtered Class Enumeration (filter_classes.js) This script filters classes based on a desired package prefix. Replace com.example.mytestapp with the package name you are interested in. Java.perform(function () { var targetPackagePrefix = 'com.example.mytestapp'; // Or 'com.google.android' for Google libraries console.log('Enumerating Java classes starting with: ' + targetPackagePrefix); var classes = Java.enumerateLoadedClassesSync(); var filteredClasses = []; classes.forEach(function(className) { if (className.startsWith(targetPackagePrefix)) { filteredClasses.push(className); console.log('[+] ' + className); } }); console.log('Finished enumerating ' + filteredClasses.length + ' filtered classes.');}); Executing the Filtered Script frida -U -f com.example.mytestapp -l filter_classes.js --no-pause This will give you a much more manageable list, focusing on the application’s internal structure. Enumerating Methods of a Specific Class Once you’ve identified an interesting class, the next logical step is to understand what methods it exposes. Frida allows you to reflectively inspect a class’s methods. Understanding Method Enumeration Java methods are essentially properties of a class. In Frida’s JavaScript context, you can use Object.getOwnPropertyNames() to list these properties. However, it’s important to distinguish between static methods (properties of the class constructor itself) and instance methods (properties of the class’s prototype). Additionally, we often want to iterate through the inheritance chain to find all accessible methods. Frida Script: Method Enumeration (enum_methods.js) Java.perform(function () { function enumerateClassMethods(className) { try { var targetClass = Java.use(className); console.log('Methods for class: ' + className); console.log('---------------------------------'); // Enumerate static methods var staticMethods = Object.getOwnPropertyNames(targetClass.$class).filter(function(methodName) { return typeof targetClass[methodName] === 'function'; }); console.log('Static Methods:'); staticMethods.forEach(function(methodName) { if (!methodName.startsWith('$') && methodName !== 'class') { // Filter out Frida's internal methods and 'class' property console.log(' [S] ' + methodName); } }); // Enumerate instance methods var instanceMethods = Object.getOwnPropertyNames(targetClass.prototype).filter(function(methodName) { return typeof targetClass.prototype[methodName] === 'function'; }); console.log('Instance Methods:'); instanceMethods.forEach(function(methodName) { if (!methodName.startsWith('$') && methodName !== 'constructor') { // Filter out Frida's internal methods and 'constructor' console.log(' [I] ' + methodName); } }); console.log('---------------------------------'); } catch (e) { console.error('Error enumerating methods for ' + className + ': ' + e.message); } } // Example: Enumerate methods of android.app.Activity enumerateClassMethods('android.app.Activity'); // Example: Enumerate methods of a class from your target app // enumerateClassMethods('com.example.mytestapp.MainActivity');}); Executing the Method Enumeration Script frida -U -f com.example.mytestapp -l enum_methods.js --no-pause This will output the static and instance methods for the specified class. You’ll notice many methods inherited from `java.lang.Object` and other superclasses. For more targeted analysis, you might filter these out or recursively traverse the prototype chain. Advanced: Combined Class and Method Explorer Let’s combine these concepts into a more powerful script that can enumerate classes within a given package prefix and then list the methods for each of those classes. Frida Script: Combined Explorer (explore_app.js) Java.perform(function () { var targetPackagePrefix = 'com.example.mytestapp'; // SET YOUR TARGET PACKAGE HERE! console.log('Starting dynamic exploration for package: ' + targetPackagePrefix); function enumerateMethods(className) { var methods = []; try { var targetClass = Java.use(className); // Static methods Object.getOwnPropertyNames(targetClass.$class).forEach(function(methodName) { if (typeof targetClass[methodName] === 'function' && !methodName.startsWith('$')) { methods.push(' [S] ' + methodName); } }); // Instance methods Object.getOwnPropertyNames(targetClass.prototype).forEach(function(methodName) { if (typeof targetClass.prototype[methodName] === 'function' && !methodName.startsWith('$')) { methods.push(' [I] ' + methodName); } }); } catch (e) { // console.error(' Error inspecting methods for ' + className + ': ' + e.message); } return methods; } var classes = Java.enumerateLoadedClassesSync(); console.log('Found ' + classes.length + ' total loaded classes.'); var exploredCount = 0; classes.forEach(function(className) { if (className.startsWith(targetPackagePrefix)) { exploredCount++; console.log('n[+] Class: ' + className); var classMethods = enumerateMethods(className); if (classMethods.length > 0) { classMethods.forEach(function(method) { console.log(method); }); } else { console.log(' No specific methods found (might be inherited or internal).'); } } }); console.log('nFinished exploring ' + exploredCount + ' classes within ' + targetPackagePrefix + '.');}); Executing the Combined Explorer frida -U -f com.example.mytestapp -l explore_app.js --no-pause This script provides a comprehensive overview of the application’s custom classes and their declared methods, giving you a detailed blueprint for further analysis or hooking. Practical Use Cases in Penetration Testing Discovering Custom APIs: Identify internal application-specific methods that might handle sensitive data or business logic. Bypassing Security Controls: Find methods related to authentication, authorization, or encryption that could be hooked or tampered with. Understanding Application Flow: By listing methods, you can infer the capabilities and responsibilities of different classes, helping to map out the application’s control flow. Preparing for Targeted Hooks: Once a method of interest is found, you can use its full signature to create precise Frida hooks to observe or modify its behavior. Identifying Obfuscated Code: While obfuscation changes method names, dynamic enumeration still lists the *available* methods, providing a starting point for de-obfuscation or direct interaction. Conclusion Frida’s dynamic class and method enumeration capabilities are indispensable tools for any Android penetration tester or reverse engineer. By programmatically exploring the live components of an application, you gain deep insights into its runtime behavior, identify critical attack vectors, and lay the groundwork for more advanced instrumentation and manipulation. Mastering these techniques transforms abstract static analysis into concrete, actionable dynamic intelligence, empowering you to uncover vulnerabilities and fully understand the inner workings of Android applications. May 30, 2026
Practical Android NDK Reversing: Frida Hooks for JNI_OnLoad and Function Overloads Introduction to Android NDK Reversing with Frida Android applications often leverage the Native Development Kit (NDK) to execute performance-critical code or protect intellectual property in native libraries (.so files). Reverse engineering these native components is a crucial skill for penetration testers and security researchers. While static analysis tools like Ghidra or IDA Pro provide invaluable insights, dynamic analysis with Frida offers unparalleled flexibility to inspect, modify, and intercept native code execution at runtime. This article dives into advanced Frida techniques for Android NDK reversing, focusing on two critical aspects: hooking the JNI_OnLoad function and intercepting overloaded native functions. Mastering these techniques is fundamental for bypassing anti-tampering mechanisms, understanding obfuscated logic, and manipulating application behavior. Understanding JNI_OnLoad: The Native Entry Point Every Java Native Interface (JNI) native library can optionally define a function named JNI_OnLoad. This function, if present, is automatically called by the Java Virtual Machine (JVM) when the native library is loaded (e.g., via System.loadLibrary()). Its primary purpose is to perform initialization tasks, such as registering native methods, caching `jclass` references, or performing anti-tampering checks. For reverse engineers, JNI_OnLoad is a golden target because it often contains setup logic, decryption routines, or crucial anti-reversing initializations that reveal valuable information. Example Native Code (Hypothetical) Consider a simple native library (libnative.so) that performs some initialization in JNI_OnLoad and has a few native functions. // native.cpp #include #include #define LOG_TAG "NativeLib" #define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__) extern "C" JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) { JNIEnv* env; if (vm->GetEnv(reinterpret_cast(&env), JNI_VERSION_1_6) != JNI_OK) { LOGD("Failed to get JNIEnv"); return JNI_ERR; } LOGD("JNI_OnLoad called! Initializing native library..."); // Perform some initialization, e.g., register native methods, check for root, etc. // ... return JNI_VERSION_1_6; } extern "C" JNIEXPORT jstring JNICALL Java_com_example_app_NativeUtils_getString(JNIEnv* env, jobject thiz) { LOGD("getString called"); return env->NewStringUTF("Hello from Native NDK!"); } extern "C" JNIEXPORT jint JNICALL Java_com_example_app_NativeUtils_calculateValue(JNIEnv* env, jobject thiz, jint a, jint b) { LOGD("calculateValue(int, int) called: %d + %d", a, b); return a + b; } extern "C" JNIEXPORT jdouble JNICALL Java_com_example_app_NativeUtils_calculateValue__D(JNIEnv* env, jobject thiz, jdouble x, jdouble y) { LOGD("calculateValue(double, double) called: %.2f * %.2f", x, y); return x * y; } Setting Up Your Frida Environment Before proceeding, ensure you have: A rooted Android device or emulator. ADB (Android Debug Bridge) installed and configured. Frida-server running on the Android device. Frida-tools installed on your host machine (pip install frida-tools). To start frida-server on your device: adb push frida-server /data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server" adb shell "/data/local/tmp/frida-server &" Hooking JNI_OnLoad with Frida Since JNI_OnLoad is a standard export, hooking it is straightforward. We’ll use Module.findExportByName() to locate its address and Interceptor.attach() to hook it. Frida Script for JNI_OnLoad /* jni_onload_hook.js */ Java.perform(function() { const moduleName = "libnative.so"; // Replace with your target library name const jniOnLoadPtr = Module.findExportByName(moduleName, "JNI_OnLoad"); if (jniOnLoadPtr) { console.log("[+] Found JNI_OnLoad at: " + jniOnLoadPtr); Interceptor.attach(jniOnLoadPtr, { onEnter: function(args) { console.log("[*] JNI_OnLoad called!"); console.log(" JavaVM*: " + args[0]); console.log(" void* reserved: " + args[1]); // You can get the JNIEnv* from JavaVM* if needed: // var javaVm = new JavaVM(args[0]); // var jniEnv = Memory.readPointer(javaVm.getEnv()); // console.log(" JNIEnv*: " + jniEnv); }, onLeave: function(retval) { console.log("[*] JNI_OnLoad returned: " + retval); // You can modify the return value if JNI_OnLoad performs checks // retval.replace(ptr(JNI_VERSION_1_6)); } }); console.log("[+] JNI_OnLoad hook deployed."); } else { console.log("[-] JNI_OnLoad not found in " + moduleName); } }); Executing the Frida Script frida -U -f com.example.app -l jni_onload_hook.js --no-pause This command attaches Frida to your target Android application (com.example.app), loads the script, and pauses the app until the script is fully loaded and hooks are deployed. When the app starts and loads libnative.so, you will see the `JNI_OnLoad` invocation logged in your console. Hooking Overloaded Native Functions In C++, functions can be overloaded, meaning multiple functions can share the same name but have different parameter lists. When a C++ compiler processes these, it generates unique May 30, 2026
Reverse Engineering Android Apps: A Step-by-Step Frida Guide to Runtime Discovery Introduction to Android App Reverse Engineering with Frida Android application reverse engineering is a critical skill for security researchers, penetration testers, and developers looking to understand application behavior, identify vulnerabilities, or debug complex issues. While static analysis provides valuable insights into an app’s codebase, dynamic analysis — observing and interacting with the app during execution — offers a complete picture of its runtime behavior. Frida, a dynamic instrumentation toolkit, stands out as an indispensable tool for this purpose, allowing us to inject custom scripts into running processes on Android, iOS, Windows, macOS, and Linux. This guide will walk you through using Frida to perform runtime discovery on Android applications, specifically focusing on enumerating loaded classes and their methods. This technique is fundamental for understanding an application’s internal structure and identifying potential points of interest for further analysis or hooking. Prerequisites Before diving into Frida, ensure you have the following tools and setup: Rooted Android Device or Emulator: A rooted device or an emulator (like Genymotion or Android Studio’s AVD) is highly recommended for full Frida capabilities, although some basic functions can work on non-rooted devices if the app is debuggable. ADB (Android Debug Bridge): Essential for interacting with your Android device. Ensure it’s installed and configured correctly on your host machine. Python 3: Frida’s command-line tools and scripting capabilities rely on Python. Frida-tools: The Python package for Frida. Install it via pip. Frida-server: The server component that runs on the Android device and communicates with Frida-tools on your host machine. Setting Up Your Frida Environment 1. Install Frida-tools on Your Host Machine Open your terminal or command prompt and run: pip install frida-tools 2. Download and Push Frida-server to Your Android Device Frida-server needs to match the architecture of your Android device (e.g., arm, arm64, x86, x86_64). You can find the latest releases on Frida’s GitHub page. Determine your device’s architecture using adb shell getprop ro.product.cpu.abi. Download the appropriate frida-server-<version>-android-<arch> file. For example, for an ARM64 device, you’d download frida-server-<version>-android-arm64. Push the downloaded server to your device and set execute permissions: # Example for ARM64: Replace <version> with the actual version number (e.g., 16.1.4) and <arch> with your device's architecture. adb push frida-server-<version>-android-arm64 /data/local/tmp/frida-server adb shell May 30, 2026
Troubleshooting Frida: Why You Can’t See All Android Classes (and How to Fix It) Introduction: The Enigma of Missing Classes in Frida Frida, the dynamic instrumentation toolkit, is an indispensable tool for Android application penetration testers and reverse engineers. Its ability to inject into running processes and hook into Java methods, native functions, and even modify application logic on the fly provides unparalleled insight. One of Frida’s most powerful features is Java.enumerateLoadedClasses(), which allows you to inspect all currently loaded Java classes within an Android application. However, many security researchers often encounter a perplexing issue: not all classes are visible, even if they are clearly part of the application’s functionality. This article delves into the common reasons behind this ‘invisibility’ and provides expert-level techniques to overcome these challenges, ensuring you gain full visibility into an Android app’s class hierarchy. Understanding Android’s Class Loading Mechanism Before we troubleshoot, it’s crucial to understand how Android’s ART (Android Runtime) loads classes. When an Android application starts, the primary DEX (Dalvik Executable) file, usually classes.dex, is loaded. However, modern Android apps often leverage multiple DEX files (multidex) or dynamically load DEX files at runtime from various sources: Secondary DEX Files: Large applications may split their code into multiple DEX files (e.g., classes2.dex, classes3.dex) to overcome the 65K method limit. These are typically loaded by the system or a custom ClassLoader during application startup. Dynamic Code Loading: Apps might download code from a remote server, decrypt an encrypted DEX file from assets, or load plugin architectures. This often involves creating new instances of DexClassLoader or PathClassLoader. Native Code Loading: JNI (Java Native Interface) methods can explicitly load Java classes using functions like FindClass from native libraries. The key takeaway here is that not all classes are loaded at the exact moment Frida attaches or when Java.enumerateLoadedClasses() is initially called. Classes are often loaded on demand, just before they are needed. Common Scenarios for Missing Classes 1. Dynamically Loaded DEX Files Many applications, especially those using module-based architectures, A/B testing frameworks, or asset bundles, load additional DEX files or JARs (which contain DEX code) at runtime. If Frida enumerates classes before these dynamic loaders are invoked, those classes will be absent. 2. Classes Loaded by Native Libraries (JNI) Sophisticated malware or obfuscated applications might hide critical logic within native libraries (.so files). These native libraries can then call JNI functions to explicitly load Java classes and instantiate objects. Frida’s Java.enumerateLoadedClasses() will not detect these until they are loaded via the JNI `FindClass` mechanism. 3. Obfuscated Applications (ProGuard/R8) While not strictly a May 30, 2026
Frida Hooks Explained: How to Enumerate Android Classes & Methods for Dynamic Analysis Introduction to Frida for Android Dynamic Analysis Frida is an indispensable dynamic instrumentation toolkit for developers, security researchers, and penetration testers alike. It allows you to inject snippets of JavaScript or your own library into native apps on various platforms, including Android. This capability enables you to observe and manipulate runtime behavior, making it a powerful tool for reverse engineering, security testing, and debugging. A foundational step in many Android dynamic analysis tasks is understanding the application’s internal structure by enumerating its loaded classes and their respective methods. This guide will walk you through the process of using Frida to programmatically discover all loaded Android classes and then delve into how to inspect the methods within a specific class. This technique is crucial for gaining insight into an application’s architecture, identifying potential hooking points, and understanding how different components interact at runtime. Setting Up Your Dynamic Analysis Environment Before we dive into Frida scripting, ensure your environment is properly set up. You’ll need: An Android device or emulator (rooted is preferred for full control, but Frida works on non-rooted devices for many scenarios if you can inject into a debuggable app or use a custom-built APK). ADB (Android Debug Bridge) installed and configured on your host machine. Frida-tools installed on your host machine (`pip install frida-tools`). The Frida-server binary running on your Android device. Deploying Frida-Server on Android First, download the appropriate Frida-server binary for your Android device’s architecture (e.g., `frida-server-*-android-arm64` for a 64-bit ARM device) from the Frida releases page. Then, push it to your device and execute it: adb push /path/to/frida-server /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &" Verify Frida-server is running by executing frida-ps -U on your host machine. You should see a list of running processes on your Android device. Enumerating All Loaded Android Classes Frida’s JavaScript API exposes the Java object, which provides powerful methods for interacting with the Android Java runtime. One of the most useful for initial reconnaissance is Java.enumerateLoadedClasses(). This function iterates through all Java classes currently loaded into the target application’s runtime and allows you to process their names. Frida Script for Class Enumeration Create a file named enumerate_classes.js with the following content: Java.perform(function() { console.log("[+] Enumerating loaded classes..."); var classes = Java.enumerateLoadedClassesSync(); classes.forEach(function(className) { console.log("Class: " + className); }); console.log("[+] Class enumeration complete.");}); Executing the Class Enumeration Script To run this script against a target application (e.g., a simple test app or a package like com.android.settings), use the frida -U command: frida -U -l enumerate_classes.js -f com.android.settings --no-pause Here’s a breakdown of the command: -U: Connects to a USB device. -l enumerate_classes.js: Loads our Frida script. -f com.android.settings: Spawns the application with the given package name. Replace com.android.settings with your target app’s package. --no-pause: Prevents Frida from pausing the application immediately after injection, allowing it to start normally. You will see a lengthy list of class names printed to your console. This output can be extensive, often hundreds or thousands of classes, including system classes, third-party libraries, and the application’s own classes. Filtering this output (e.g., using grep or adding logic to the script) is often necessary to find relevant application-specific classes. Inspecting Methods of a Specific Android Class Once you’ve identified a class of interest, the next logical step is to enumerate its methods. This reveals the functionalities provided by that class, helping you understand its role and potential interaction points. Frida Script for Method Enumeration Let’s say we want to inspect the methods of the android.widget.Toast class, which is commonly used for displaying short messages. Create a file named enumerate_methods.js: Java.perform(function() { var targetClassName = "android.widget.Toast"; try { var targetClass = Java.use(targetClassName); console.log("[+] Methods for class: " + targetClassName); // Get all own property names, which include methods var methods = Object.getOwnPropertyNames(targetClass.__proto__).filter(function(method) { return method !== 'constructor'; // Filter out the constructor itself }); // Sort for better readability (optional) methods.sort(); methods.forEach(function(methodName) { console.log(" - " + methodName); }); console.log("[+] Method enumeration complete for " + targetClassName + "."); } catch (e) { console.error("[-] Could not find or access class " + targetClassName + ": " + e.message); }}); In this script: Java.use(targetClassName): This is a crucial function that creates a wrapper object around the specified Java class, allowing you to interact with its static and instance members. targetClass.__proto__: Accesses the prototype of the `targetClass` object, which contains its methods. Object.getOwnPropertyNames(): Retrieves an array of all own property names (including methods) defined directly on the prototype. .filter(function(method) { return method !== 'constructor'; }): Filters out the constructor itself, as we’re typically interested in functional methods. Executing the Method Enumeration Script Run the script similar to the previous one: frida -U -l enumerate_methods.js -f com.android.settings --no-pause You will see a list of methods belonging to the android.widget.Toast class printed to the console. For instance, you might see methods like makeText, show, cancel, setGravity, etc. Alternative Method Enumeration (More Comprehensive) While Object.getOwnPropertyNames() is good for directly defined methods, Java classes also inherit methods. For a more comprehensive list that includes inherited methods, you can iterate through the class hierarchy or use Java reflection methods if you have a `java.lang.Class` object. Here’s a snippet demonstrating how to use `getMethods()` via reflection for a `java.lang.Class` instance: Java.perform(function() { var targetClassName = "android.widget.Toast"; try { var Class = Java.use('java.lang.Class'); var System = Java.use('java.lang.System'); var targetClassInstance = System.class.forName(targetClassName); // Get a java.lang.Class object console.log("[+] Comprehensive methods for class: " + targetClassName); var methods = targetClassInstance.getMethods(); methods.forEach(function(method) { console.log(" - " + method.getName() + "(" + method.getParameterTypes().map(function(type) { return type.getName(); }).join(", ") + ")"); }); console.log("[+] Comprehensive method enumeration complete."); } catch (e) { console.error("[-] Error enumerating comprehensive methods: " + e.message); }}); This advanced snippet utilizes the Java reflection API directly to get all public methods (including inherited ones) and their parameter types, providing richer detail. The output will be much more extensive. Practical Applications and Next Steps Enumerating classes and methods is the gateway to deeper dynamic analysis: Understanding Application Flow: By inspecting classes in areas of interest (e.g., login, payment, encryption), you can infer how the application handles sensitive operations. Identifying Hooking Targets: Once a method of interest is found (e.g., a cryptographic function, a root-detection check, an authentication method), you can then write a Frida hook to intercept arguments, modify return values, or bypass its execution entirely. Discovering Hidden Functionality: Sometimes, developers leave in methods or classes that aren’t directly exposed in the UI but can be programmatically invoked. From here, you can proceed to write more specific Frida scripts to hook these identified methods, examine their arguments, modify their return values, or even call them with custom arguments. This initial enumeration step is fundamental for effective Android application penetration testing and reverse engineering. Conclusion Frida provides unparalleled capabilities for dynamic analysis of Android applications. By mastering the techniques of enumerating loaded classes and their methods, you gain significant insight into an app’s runtime behavior and internal structure. This knowledge forms the bedrock for advanced hooking, manipulation, and security testing, empowering you to uncover vulnerabilities and better understand how Android applications function under the hood. May 30, 2026
Frida JNI_OnLoad Bypass Techniques: Defeating Anti-Hooking in Android Native Code Introduction to JNI_OnLoad and its Role in Android Security In Android application penetration testing, understanding the Java Native Interface (JNI) is paramount, especially when dealing with applications that implement robust security measures in native libraries. The JNI_OnLoad function serves as the entry point for native libraries loaded via System.loadLibrary(). It is the very first function executed by the Java Virtual Machine (JVM) within a native library, making it a critical choke point for both legitimate setup and anti-tampering defenses. During its execution, JNI_OnLoad typically performs several key tasks: Native Method Registration: It’s often used to dynamically register native methods with the JVM, allowing Java code to call C/C++ functions. This is done using RegisterNatives. Caching JNIEnv and JavaVM Pointers: The JNI_OnLoad function receives pointers to the JNIEnv and JavaVM interfaces, which are often stored globally for later use by other native functions. Initialization of Native Components: Any required setup for the native library, such as cryptographic contexts, global variables, or thread-local storage, frequently occurs here. Anti-Tampering and Anti-Hooking Checks: Due to its early execution, JNI_OnLoad is a prime candidate for implementing checks against reverse engineering tools, debuggers, and hooking frameworks like Frida. Our focus in this guide is to explore how sophisticated applications leverage JNI_OnLoad for anti-hooking and, more importantly, how we can use Frida to bypass these defenses. The Anti-Hooking Challenge Posed by JNI_OnLoad Developers implementing strong security measures often place their anti-hooking logic within JNI_OnLoad. The rationale is simple: if detection and prevention mechanisms are initialized before any other native code, or even before hooking frameworks can fully establish themselves, they gain an advantage. Common anti-hooking strategies found in JNI_OnLoad include: Dynamic Native Method Registration: Instead of exporting native methods with standard JNI naming conventions (e.g., Java_com_example_app_NativeClass_nativeMethod), applications register them dynamically within JNI_OnLoad. This makes them harder to find and hook using simple symbol lookup. Integrity Checks: The library might calculate checksums (e.g., CRC, MD5, SHA256) of its own critical code sections (like the .text segment) and compare them against known good values. If a discrepancy is found (indicating modification by a hook), the application might terminate or alter its behavior. Frida Detection: Specific checks for Frida’s presence can be embedded. This might involve scanning /proc/self/maps for Frida agent libraries (e.g., frida-agent-32.so), checking for open sockets on Frida’s default gadget port (27042), or looking for characteristic memory patterns. Early Hooking Detection: The library might actively check for hooks on its own critical functions *before* those functions are ever called by Java code. If a hook is detected, it might prevent the function from executing correctly or trigger a tamper response. When these checks are implemented effectively, a standard Frida script that tries to attach to an exported function might be too late, or the application might detect Frida and exit prematurely. Technique 1: Early Interception of JNI_OnLoad Understanding the “Too Late” Problem A common pitfall for newcomers to Frida is attempting to hook a native function (e.g., NativeClass.nativeMethod()) directly using Interceptor.attach(Module.findExportByName( May 30, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
2
3
4
5
6
…
705
			Next Page→

Author: admin

Introduction to Native Anti-Tampering and Frida

The ARM64 Challenge: Understanding the Architecture

Prerequisites and Setup

Setting up Frida-Server:

Introduction to Frida for Android Penetration Testing

The Challenge of Runtime Class and Method Discovery

Prerequisites: Setting Up Your Frida Environment

Enumerating All Loaded Classes with Frida

Frida Script: Listing All Loaded Classes

Diving Deeper: Detailed Method Signature Extraction with Reflection

Frida Script: Detailed Method Signature Extraction with Reflection

Running the Frida Script and Interpreting Results

Advanced Use Cases and Further Exploration

Conclusion

Introduction to Native Library Hooking on Android ARM64 with Frida

Prerequisites and Setup

Understanding Android Native Libraries and ARM64

Finding Your Target Function

1. Exported Functions

2. Non-Exported (Internal) Functions

Basic Native Hooking: Exported Functions

Advanced Hooking: Non-Exported Functions by Offset

Working with Function Arguments and Return Values (ARM64 Specifics)

Practical Example: Bypassing a Simple Native Check

Conclusion

Introduction: The Power of Runtime Analysis in Android Penetration Testing

Setting Up Your Frida Environment

Installing Frida Tools on Your Host

Deploying Frida Server to Android

Enumerating Loaded Classes at Runtime

Basic Class Enumeration Script

Filtering for Application-Specific Classes

Enumerating Methods of a Specific Class

Inspecting Class Methods

Handling Method Overloads

Advanced Enumeration Techniques and Tips

Dynamically Loaded Classes

Dealing with Obfuscation

Automating Discovery

Conclusion

Introduction to Dynamic Android Class Enumeration with Frida

Prerequisites

Frida’s Java API for Dynamic Analysis

Listing All Loaded Classes

Frida Script: Basic Class Enumeration (enum_classes.js)

Executing the Script

Filtering Classes for Relevance

Frida Script: Filtered Class Enumeration (filter_classes.js)

Executing the Filtered Script

Enumerating Methods of a Specific Class

Understanding Method Enumeration

Frida Script: Method Enumeration (enum_methods.js)

Executing the Method Enumeration Script

Advanced: Combined Class and Method Explorer

Frida Script: Combined Explorer (explore_app.js)

Executing the Combined Explorer

Practical Use Cases in Penetration Testing

Conclusion

Introduction to Android NDK Reversing with Frida

Understanding JNI_OnLoad: The Native Entry Point

Example Native Code (Hypothetical)

Setting Up Your Frida Environment

Hooking JNI_OnLoad with Frida

Frida Script for JNI_OnLoad

Executing the Frida Script

Hooking Overloaded Native Functions

Introduction to Android App Reverse Engineering with Frida

Prerequisites

Setting Up Your Frida Environment

1. Install Frida-tools on Your Host Machine

2. Download and Push Frida-server to Your Android Device

Introduction: The Enigma of Missing Classes in Frida

Understanding Android’s Class Loading Mechanism

Common Scenarios for Missing Classes

1. Dynamically Loaded DEX Files

2. Classes Loaded by Native Libraries (JNI)

3. Obfuscated Applications (ProGuard/R8)

Introduction to Frida for Android Dynamic Analysis

Setting Up Your Dynamic Analysis Environment

Frida Script: Basic Class Enumeration (`enum_classes.js`)

Frida Script: Filtered Class Enumeration (`filter_classes.js`)

Frida Script: Method Enumeration (`enum_methods.js`)

Frida Script: Combined Explorer (`explore_app.js`)