Skip to content

Latest commit

 

History

History
113 lines (80 loc) · 4.4 KB

README.md

File metadata and controls

113 lines (80 loc) · 4.4 KB

InjectionForge

InjectionForge logo

Have you ever written a frida script this good, that you wanted to make it permanent? Well, now you can!

InjectionForge is a tool that allows you to convert your frida scripts into either a standalone executable that when called with a PID injects itself and runs the script or a shared library that can be somehow injected to a process and runs the script.

All desktop platforms are supported (Windows, Linux, macOS).

NOTE: To cross-compile for Windows you can use cargo-xwin with target x86_64-pc-windows-msvc.

Usage

You're gonna have to compile the tool yourself as the frida script gets embedded at compile time.

You only need a working cargo installation to compile it, it's quite simple.

You can feed your script either as a string using the FRIDA_CODE environment variable or as a file using the FRIDA_CODE_FILE environment variable.

Standalone executable

The standalone executable is the easiest to use. You just run it with a PID and it will inject itself and run the frida script.

git clone https://github.com/dzervas/injectionforge
FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo run --bin standalone -- 1234

The binary is located at target/debug/standalone (.exe for windows).

Shared library

The shared library is a bit more complicated to use. You have to inject it to a process using a tool like LD_PRELOAD (linux) or rundll32.exe (windows).

git clone https://github.com/dzervas/injectionforge
FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo build --lib
LD_PRELOAD=target/debug/libfrida_deepfreeze_rs.so cat
# rundll32.exe target/debug/frida_deepfreeze_rs.dll,inject_self 1234 (windows equivalent)

The resulting library is located at target/debug/libfrida_deepfreeze_rs.so (.dll for windows). You can inject it using your favorite injector.

There are two exported functions that you can call from the library to inject:

void inject(uint32_t pid); // Run the frida script in the process with the given pid
void inject_self(); // Run the frida script in the process that called the function

By default (so DllMain in windows and .ctor on unix), on load the library will call inject_self() so you can just inject it and it will run the script.

DLL Proxying

There's also the option of generating a DLL ready for DLL Proxying use. That means that you give the DLL myawesome.dll to cargo (using the DLL_PROXY environment variable) and it will generate a DLL myawesome.dll that can replace the original DLL. It will tell the linker that any functions found during compilation (e.g. functions foo and bar exported by the original myawesome.dll) should be redirected to myawesome-orig.dll

That allows you to make your script completely permanent without having to run any extra commands.

NOTE: This only works on Windows (for now?).

git clone https://github.com/dzervas/injectionforge
DLL_PROXY='../myawesome.dll' FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo xwin build --lib --target x86_64-pc-windows-msvc

Android and anti-anti-frida

Since most people ask about Android and anti-anti-frida techniques, I created some dockerfiles to help with that.

To just wrap a frida script in a shared library that can be injected to an Android process (or APK repacking):

git clone https://github.com/dzervas/injectionforge
cd injectionforge
docker build -t injectionforge-android -f Dockerfile.android .
docker run -e FRIDA_CODE_FILE=/script.js -v $(pwd)/target:/injectionforge/target -v $(pwd)/myscript.js:/script.js injectionforge-android

(be sure to change the path to myscript.js)

To use a patched frida to evade some basic anti-frida techniques (based on undetected-frida-patches):

git clone https://github.com/dzervas/injectionforge
cd injectionforge
docker build -t injectionforge-android -f Dockerfile.android .
docker build -t injectionforge-android-undetect -f Dockerfile.android-undetect .
docker run -e FRIDA_CODE_FILE=/script.js -v $(pwd)/target:/injectionforge/target -v $(pwd)/myscript.js:/script.js injectionforge-android-undetect

During the build of Dockerfile.android you can pass args to specify the NDK version and more (check the Dockerfile).