Skip to content

Stealth patch for Frida, stealth knowledge collection

Notifications You must be signed in to change notification settings

AsenOsen/frida-stealth

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 

Repository files navigation

Stealth patch for Frida!

FIRST OF ALL! Tired of Frida getting detected all the time?
Try my revolutionary(duh) approach based on injecting code into system Android libraries.

The patch set was inspired by this repo - https://github.com/JsHookApp/Frida-Patchs. This patch hides most of frida traces in system:

  • default port number changed
  • unix socket names (named pipes) does not contain "frida" no more
  • all thread names does not contain "frida" no more
  • frida-gum main loop renamed
  • GLib main loop renamed
  • SELinux context names

How to apply patch?

Get latest Frida version with all submodules:

git clone --recurse-submodules https://github.com/frida/frida.git

Apply patches:

cd frida/frida-core && git apply --reject --whitespace=fix ../../frida-core/patch.patch
cd frida/frida-gum && git apply --reject --whitespace=fix ../../frida-gum/patch.patch

How to build Frida with patch? (Android Arm64 example)

  1. Download Android NDK. Easiest way to do it - via Android Studio SDK Manager: pick the NDK version 25.2.9519653.
  2. In root frida folder:
    • Build: ANDROID_NDK_ROOT="$ANDROID_HOME/ndk/25.2.9519653" make core-android-arm64
    • Run the script to hide frida symbols in compiled binaries:
      • Install requirements: pip install lief
      • Run python src/anti-anti-frida.py PATH for following PATH list (you may pass unneeded components):
        • Agent library: build/tmp-android-arm64/frida-core/lib/agent/frida-agent.so
        • Gadget library: build/tmp-android-arm64/frida-core/lib/gadget/frida-gadget.so
        • Frida Inject: build/frida-android-arm64/bin/frida-inject
        • Frida Portal: build/frida-android-arm64/bin/frida-portal
        • Frida Server: build/frida-android-arm64/bin/frida-server
    • Copy needed binaries to Android Device and enjoy the patch!

Advices how to achive even more stealthy mode

  1. Use ZygiskFrida(https://github.com/lico-n/ZygiskFrida) to avoid process being ptraced. Important notice: use this module for Kitsune Magisk (https://github.com/HuskyDG/magisk-files). Do not use ZygiskFrida with usual Magisk - module will not work.
  2. When using ZygiskFrida, use patched frida-gadget.so!
  3. Use frida scripts from this repo - https://github.com/apkunpacker/AntiFrida_Bypass - to hide any other possible traces of frida/magisk in memory.
  4. Consider some uncommon techniques like patching system libraries.

Releases

No releases published

Packages

No packages published