
How to hook methods with specific arguments in Frida?

I am using Frida for Android dynamic analysis. The question is: how can I watch all the methods at runtime and filter them by arguments or even return value?

For example, I want to find all methods that start with "bark" and then dump the backtrace, return value, and other arguments.

For hooking a bunch of functions with Frida you can use frida-trace.

frida-trace is a front-end for Frida that allows automatic generation of hooking code for methods based on a pattern. Once you have started frida-trace it creates a folder named __handlers__ where all the generated hooking code is placed (one file for each method). Once the hooking code has been generated, frida-trace will not overwrite it, which means you can adapt the code to your needs.

The frida-trace command-line argument for hooking a Java/Android method is -j. You always have to specify a class name and a method name and, optionally, the search options.

For example the term -j '*!*certificate*' will hook all classes (first star, before the !) and all methods that contain the case-sensitive string certificate.

The frida-trace documentation uses the term -j '*!*certificate*/isu', which sets the options to isu:

  • s = signature (I am not 100% sure but my guess is that it allows you to not only search for the method name but also for argument types)
  • i = ignoring case
  • u = user-defined classes, ignoring system classes (classes from the Android Java API)

For example, I want to find all methods that start with "bark" and then dump the backtrace, return value, and other arguments.

For searching for bark in all classes you have to start frida-trace this way: frida-trace -j "*!bark*". The generated hooking code will print all arguments and also return values.

If you want to also see the stack trace you have to modify the generated hooking code and add the code for printing the stack trace as shown in this answer.

Alternatively you can hook more methods. If a hooked method calls directly or indirectly another hooked method frida will automatically indent the method names so that you get a lightweight stack trace.

Unfortunately I have experienced apps where not all classes seem to be loaded at the beginning of the app start. On such apps frida-trace will not recognize all classes of the app when attaching to it. In such a case it helps to manually execute the function you want to test (force it to be loaded) and afterwards attach frida-trace to it.
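The filtering the question asks for, as an added example that is not code from the original answers: a Frida script that hooks every overload of every method whose name starts with a prefix, logs arguments and return value per call, and prints a Java backtrace only for calls that match a filter. The class name com.example.app.Dog, the "bark" prefix and the filter rule are assumptions chosen for illustration.

```javascript
// Added example (not from the original answers). Hooks all methods of the given
// classes whose name starts with METHOD_PREFIX, logs every call, and dumps a
// Java backtrace only when shouldDumpBacktrace() says the call is interesting.
const METHOD_PREFIX = "bark";

// Pure helper (no Frida dependency): constructed filter rule, any string
// argument containing "token" or any non-empty string return value.
function shouldDumpBacktrace(methodName, args, retval) {
  if (!methodName.startsWith(METHOD_PREFIX)) return false;
  const argHit = args.some(function (a) {
    return typeof a === "string" && a.toLowerCase().indexOf("token") !== -1;
  });
  const retHit = typeof retval === "string" && retval.length > 0;
  return argHit || retHit;
}

// Pure helper: one stable log line per call, e.g. "Cls.barkAt(rex, 3) -> null".
function formatCall(className, methodName, args, retval) {
  return className + "." + methodName + "(" +
    args.map(String).join(", ") + ") -> " + String(retval);
}

// Frida part: hook every overload of each matching method in the given classes.
function installHooks(classNames) {
  Java.perform(function () {
    const Log = Java.use("android.util.Log");
    const Exception = Java.use("java.lang.Exception");
    classNames.forEach(function (className) {
      const clazz = Java.use(className);
      // Reflection yields the declared method names; a Set dedupes overloads.
      const names = new Set(clazz.class.getDeclaredMethods()
        .map(function (m) { return m.getName(); })
        .filter(function (n) { return n.startsWith(METHOD_PREFIX); }));
      names.forEach(function (name) {
        clazz[name].overloads.forEach(function (ov) {
          ov.implementation = function () {
            const args = Array.prototype.slice.call(arguments).map(String);
            const retval = this[name].apply(this, arguments); // run the original
            console.log(formatCall(className, name, args, retval));
            if (shouldDumpBacktrace(name, args, String(retval))) {
              console.log(Log.getStackTraceString(Exception.$new()));
            }
            return retval;
          };
        });
      });
    });
  });
}

// Hooks are installed only inside Frida; under plain Node the helpers remain testable.
if (typeof Java !== "undefined") installHooks(["com.example.app.Dog"]); // assumed class
```

Load it with frida -U -f <package> -l script.js; the hooks will only cover classes that are already loaded, which is the same caveat the answer above describes for frida-trace.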

Java.perform(function () {
    // ClassName = name of the class you're targeting, e.g. for Android OS 'android.app.Activity'
    var class2overload = Java.use("ClassName");

    // Hook the foo(String, String) overload: log both parameters, then call the original
    class2overload.foo.overload('java.lang.String', 'java.lang.String').implementation = function (arg1, arg2) {
        console.log("Params: " + arg1 + ", " + arg2);
        return this.foo(arg1, arg2);
    };
});

You need to do some RE on the functions you want to hook. This is the general way of hooking functions in Frida, but it's up to you to determine which functions you think are important in the Android environment.
