Advanced Frida Usage Part 7 – Frida Memory Operations

Introduction

Welcome to part 7 of our Advanced Frida Usage series. In Part 6 of our Frida blog posts, we went over utilising writers for different CPU architectures: X86Writer for x86 and Arm64Writer for the AArch64 CPU architecture.

In this blog post, we will discuss how to use Frida's JavaScript API for memory manipulation operations and for the analysis of native Android libraries. Some of the Frida JavaScript API functions used for memory operations are Memory.scan, Memory.scanSync, Memory.alloc, Memory.copy, Memory.dup, Memory.protect and Memory.patchCode.

In this tutorial, we will focus on some of the APIs used for scanning, reading and writing, copying, and patching process memory.

You can find the APK files at: https://github.com/8kSec/Blog-resources/tree/main/Frida-Series

Analysis

In this blog, we will use a simple Android application that compares two static strings. If the two strings match, "Memory is Hooked" is displayed; otherwise "Hello, World!" is displayed.

#include <jni.h>
#include <cstring>

extern "C"
JNIEXPORT jstring JNICALL
Java_com_ksec_eightksec_MainActivity_stringFromJNI(JNIEnv *env, jobject /* this */) {
    // store two comparison strings in memory
    const char *stringOne = "Memory Hooked";
    const char *stringTwo = "Hello, World!";
    // the strings differ, so strcmp() returns 0 only if memory is changed at runtime
    if (strcmp(stringOne, stringTwo) == 0) {
        return env->NewStringUTF(stringOne);
    } else {
        return env->NewStringUTF(stringTwo);
    }
}

Memory Scanning

The Memory.scan() API in Frida scans the target process's memory for specific patterns of interest, such as strings, binary data, and other structured data.

The API scans a region of the target process's memory, starting at a specified address and covering a specified size.

In our example, we will scan for the ELF magic header, the specific byte sequence found at the beginning of ELF files. The magic header byte sequence is 0x7f454c46 in hex.
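The following is an added example, not code from the original post: it goes one step beyond the magic-byte scan described above by checking the e_ident fields that follow each hit, so that data which merely contains the bytes 7f 45 4c 46 is not reported as an ELF header. The function names (scanBytes, parseElfIdent, findElfHeaders, sampleBuffer) are hypothetical and the sample buffer is constructed; under Frida the script scans readable ranges with Memory.scanSync, and outside Frida it falls back to the sample buffer.

```javascript
// Added example: validate ELF-magic scan hits. All function names are hypothetical.
const ELF_PATTERN = '7f 45 4c 46'; // 0x7f454c46 written as a Frida pattern string

// Match a space-separated hex pattern ('??' = wildcard byte) over a byte array.
function scanBytes(bytes, pattern) {
  const pat = pattern.trim().split(/\s+/).map(b => (b === '??' ? null : parseInt(b, 16)));
  const hits = [];
  for (let i = 0; i + pat.length <= bytes.length; i++) {
    if (pat.every((b, j) => b === null || bytes[i + j] === b)) hits.push(i);
  }
  return hits;
}

// Check the e_ident bytes after the magic; return null if they are not plausible.
function parseElfIdent(bytes, off) {
  if (off + 20 > bytes.length) return null;            // need e_ident + e_type + e_machine
  const cls = bytes[off + 4], data = bytes[off + 5], ver = bytes[off + 6];
  if (![1, 2].includes(cls) || ![1, 2].includes(data) || ver !== 1) return null;
  const le = data === 1;                                // ELFDATA2LSB
  const u16 = o => (le ? bytes[off + o] | (bytes[off + o + 1] << 8)
                       : (bytes[off + o] << 8) | bytes[off + o + 1]);
  return { offset: off, bits: cls === 1 ? 32 : 64, littleEndian: le,
           type: u16(16), machine: u16(18) };
}

function findElfHeaders(bytes) {
  return scanBytes(bytes, ELF_PATTERN).map(o => parseElfIdent(bytes, o)).filter(Boolean);
}

// Constructed sample: one plausible ELF64 header and one stray magic sequence.
function sampleBuffer() {
  const buf = new Uint8Array(96);
  buf.set([0x7f, 0x45, 0x4c, 0x46, 2, 1, 1, 0], 0);    // ELF64, little-endian, version 1
  buf[16] = 3;                                          // e_type = ET_DYN (shared object)
  buf[18] = 0xb7;                                       // e_machine = EM_AARCH64 (183)
  buf.set([0x7f, 0x45, 0x4c, 0x46, 0x41, 0x41, 0x41], 40); // magic followed by junk
  return buf;
}

if (typeof Process !== 'undefined' && typeof Memory !== 'undefined') {
  for (const r of Process.enumerateRanges('r--')) {     // running inside Frida
    try {
      for (const m of Memory.scanSync(r.base, r.size, ELF_PATTERN)) {
        const hdr = parseElfIdent(new Uint8Array(m.address.readByteArray(20)), 0);
        if (hdr) console.log(m.address, JSON.stringify(hdr));
      }
    } catch (e) { /* range became unreadable during the scan; skip it */ }
  }
} else {
  console.log(findElfHeaders(sampleBuffer()));          // offline run on the sample
}
```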