How can I display function calls of an Android application using Frida?

I have an Android application. How can I print the function call stack of this application using Frida? I need readable references to which function and from which class it was called. The application is written in Java + Kotlin. I used frida-trace, but when I wrote in the filter the function I needed, which definitely exists, it displayed this to me:

frida-trace -U -f org.mozilla.firefox -i "checkRequest*"
Started tracing 0 functions. Press Ctrl+C to stop. 

And if I use what they write in the examples, for example the send method, then it displays non-Java functions and I don't understand what they are:

frida-trace -U -f org.mozilla.firefox -i "*send*"
Instrumenting...                                                        
_ZN4aidl7android5media24BpResourceManagerService17sendCapacityErrorEiilRKNSt3__110shared_ptrINS1_22IResourceManagerClientEEERKNS3_6vectorINS_3com7samsung7android5media15MediaInfoParcelENS3_9allocatorISE_EEEE: Loaded handler at "/home/teammrpa/__handlers__/libmedia.so/_ZN4aidl7android5media24BpResour_a5adc3e0.js"
_ZN4aidl7android5media30IResourceManagerServiceDefault17sendCapacityErrorEiilRKNSt3__110shared_ptrINS1_22IResourceManagerClientEEERKNS3_6vectorINS_3com7samsung7android5media15MediaInfoParcelENS3_9allocatorISE_EEEE: Loaded handler at "/home/teammrpa/__handlers__/libmedia.so/_ZN4aidl7android5media30IResourc_d783483c.js"
_ZN7android13MediaRecorder11sendCommandEiii: Loaded handler at "/home/teammrpa/__handlers__/libmedia.so/_ZN7android13MediaRecorder11send_54e1e7bb.js"
_ZN7android14MtpEventPacket11sendRequestEP11usb_request: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android14MtpEventPacket11sen_93bad13a.js"
_ZN7android9MtpServer14sendStoreAddedEj: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android9MtpServer14sendStoreAddedEj.js"
_ZN7android9MtpDevice8sendDataEv: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android9MtpDevice8sendDataEv.js"
_ZN7android18MtpFfsCompatHandle8sendFileE14mtp_file_range: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android18MtpFfsCompatHandle8_37263f12.js"
_ZN7android9MtpServer21sendObjectInfoChangedEj: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android9MtpServer21sendObjec_f93a69c2.js"
_ZN7android12MtpDevHandle8sendFileE14mtp_file_range: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android12MtpDevHandle8sendFi_e48bebb3.js"
_ZN7android9MtpServer17sendObjectRemovedEj: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android9MtpServer17sendObjec_4c09ad98.js"
_ZN7android9MtpDevice14sendObjectInfoEPNS_13MtpObjectInfoE: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android9MtpDevice14sendObjec_714e59c5.js"
_ZN7android9MtpServer15sendObjectAddedEj: Loaded handler at "/home/teammrpa/__handlers__/libmtp.so/_ZN7android9MtpServer15sendObjectAddedEj.js"
...
Started tracing 176 functions. Press Ctrl+C to stop.                    
           /* TID 0x723b */
   297 ms  _ZN7android11GraphicsEnv18sendGpuStatsLockedENS_12GpuStatsInfo3ApiEbl()
           /* TID 0x7239 */
   302 ms  _ZN7android3gui7BitTube11sendObjectsEPS1_PKvmm()
   302 ms     | sendto(sockfd=0x6d, len=0x7959f5d550, flags=0xd8, dest_addr=0x4040, addrlen=0x0)
           /* TID 0x7202 */
   404 ms  _ZN7android13InputConsumer18sendFinishedSignalEjb()
   404 ms     | _ZN7android13InputConsumer27sendUnchainedFinishedSignalEjb()
   404 ms     |    | _ZN7android12InputChannel11sendMessageEPKNS_12InputMessageE()
   404 ms     |    |    | __sendto_chk()
   404 ms     |    |    |    | sendto(sockfd=0x8f, len=0x7ff84226d0, flags=0x18, dest_addr=0x4040, addrlen=0x0)
           /* TID 0x724d */
   436 ms  sendmsg(sockfd=0xa7, msg=0x79e7d5e3e0, flags=0x40)
           /* TID 0x7250 */
   535 ms  _ZN12FwmarkClient4sendEP13FwmarkCommandiP17FwmarkConnectInfo()
   535 ms     | sendmsg(sockfd=0xc6, msg=0x79e65fa750, flags=0x0)
   536 ms  _ZN12FwmarkClient4sendEP13FwmarkCommandiP17FwmarkConnectInfo()
   536 ms     | sendmsg(sockfd=0xc6, msg=0x79e65fa750, flags=0x0)
   537 ms  _ZN12FwmarkClient4sendEP13FwmarkCommandiP17FwmarkConnectInfo()
   537 ms     | sendmsg(sockfd=0xcd, msg=0x79e65fa750, flags=0x0)
   538 ms  _ZN12FwmarkClient4sendEP13FwmarkCommandiP17FwmarkConnectInfo()
   538 ms     | sendmsg(sockfd=0xcd, msg=0x79e65fa750, flags=0x0)

ChatGPT also tried to write a script for me, but it doesn't output anything at all.

There is 1 best solution below

If you want to trace Java/Kotlin methods, you are using the wrong arguments. -i "checkRequest*" captures only C/native methods.

For capturing Java methods of any class that start with checkRequest you need to use -j "*!checkRequest*".

The star before ! is the class name filter; the part after it is the method name filter.

See also the frida-trace examples at the Frida web page.

For getting the Java stack trace, AFAIR Frida does not offer a direct method (in Frida trace you can only see the call stack of the hooked methods). But you can edit the generated handler js files.

You should be able to get a Java stack trace by raising a Java exception using Frida and then catching it directly to get the exception with the included stack trace.
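
An added example (not from the answer or from the Frida project) of the approach the answer describes: a Frida agent script that hooks every Java method matching the `*!checkRequest*` query and prints the Java callers of each call. The helper names `parseJavaStack`, `callersOf` and `hook`, the `com.example` class names and the sample stack text are assumptions constructed for illustration.

```javascript
const QUERY = '*!checkRequest*'; // same class!method filter as frida-trace -j

// Constructed sample of Log.getStackTraceString() output; class names are made up.
const SAMPLE = [
  'java.lang.Throwable',
  '\tat com.example.net.Validator.checkRequest(Native Method)',
  '\tat com.example.net.HttpClient$Call.execute(HttpClient.kt:88)',
  '\tat com.example.ui.MainActivity.onClick(MainActivity.java:41)',
].join('\n');

// Parse "at pkg.Class.method(File:line)" lines into {cls, method, where} records.
function parseJavaStack(text) {
  const re = /^\s*at\s+([\w$.]+)\.([\w$<>]+)\((.*)\)\s*$/gm;
  return [...text.matchAll(re)].map((m) => ({ cls: m[1], method: m[2], where: m[3] }));
}

// Skip leading frames of the hooked method itself so that frame 0 is its caller.
function callersOf(frames, cls, method) {
  let i = 0;
  while (i < frames.length && frames[i].cls === cls && frames[i].method === method) i++;
  return frames.slice(i);
}

function hook(factory, cls, method) {
  const Log = Java.use('android.util.Log');
  const Throwable = Java.use('java.lang.Throwable');
  factory.use(cls)[method].overloads.forEach((ov) => {
    ov.implementation = function (...args) {
      // A Throwable captures the stack when it is constructed; no throw is needed.
      const text = Log.getStackTraceString(Throwable.$new());
      console.log(`${cls}.${method} called from:`);
      callersOf(parseJavaStack(text), cls, method)
        .forEach((f) => console.log(`    ${f.cls}.${f.method} (${f.where})`));
      return ov.apply(this, args); // call the original implementation
    };
  });
}

// Runs only inside Frida, where the Java bridge is available.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(() => {
    for (const group of Java.enumerateMethods(QUERY)) {
      const factory = group.loader ? Java.ClassFactory.get(group.loader) : Java;
      for (const c of group.classes) c.methods.forEach((m) => hook(factory, c.name, m));
    }
  });
}
```

`Java.enumerateMethods` only sees classes that are already loaded, so when the app is spawned with `-f` the query may have to run after startup has finished.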