Hands On Frida

While the CLI tools like frida, frida-trace, etc., are quite useful, there might be times when you’d like to build your own tools harnessing the powerful Frida APIs.

Frida API

Java.available: This API is used to check Frida running on android or not. It is to check if you are actually running on Android. For example, you could create 1 SSL bypassing script that first checks if you’re on Android or iOS, and act accordingly .It specify whether the current process has the a Java VM loaded, i.e. Dalvik or ART return boolean (true or false)
Java.androidVersion: This API return the android version of device that we are using.
Java.enumerateLoadedClasses(callback): This API enumerates classes where object specifying onMatch(name, handle): called for each loaded class with a name that may be passed to use() to get a JavaScript wrapper. onComplete(): called when all classes have been enumerated

console.log("[+] Running Frida Script")
console.log("[+] The android version is: " + Java.androidVersion)

Java.enumerateLoadedClasses({
    "onMatch": function(name){
        if(name.includes("com.apphacking.certificatepinning")){
            console.log(name)
        }
    },
    "onComplete": function(){
        console.log("[+] Done")
    },
})

For running the script:

frida -U -f com.apphacking.certificatepinning -l .\\enumLoadedClasses.js --no-pause

-f → Specify the target package. it’s run the apk. If you don’t specify this option, you should manually run this apk. In case of you don’t want to target application pause, you can use --no-pause switch.

-U → Connect to frida server with USB connection.

-l → Load JavaScript script

Java.enumerateClassLoaders(callbacks) : This API enumerates the class loaders in Java VM, which have a callback function, which are onMatch: function (loader) and onComplete: function ()

console.log("[+] Running Frida Script")
console.log("[+] The android version is: " + Java.androidVersion)

Java.enumerateClassLoaders({
    "onMatch": function(loader){
        console.log("Loader: " + loader)
    },
    "onComplete": function(){
        console.log("[+] Done")
    },
})

Enumerate Methods

Java.enumerateMethods()

Untitled
You can use this script too.

Java.perform(function () {
    var targetClass = "com.apphacking.certificatepinning.MainActivity"; // Replace with the desired class name
  
    var targetClassRef = Java.use(targetClass);
    var methods = targetClassRef.class.getDeclaredMethods();
  
    methods.forEach(function (method) {
      console.log(method.toString());
    });
  });

Java.perform(fn): ensure that the current thread is attached to the VM and call fn. and the fnfunction is called . This function calls VM::AttachCurrentThread internally, then executes the JavaScript in the fn callback function to operate the Java runtime, and finally uses VM::DetachCurrentThread to release resources
Java.use(className) : It dynamically get a JavaScript wrapper for className. Wrapper is basically a function that is intended to call one or more other functions.
```
Java.perform(function() { 
        var Test = Java.use("com.example.demotest.xyz");
        console.log( Test.AClassVariable.value );

});
```
Java.scheduleOnMainThread(fn) : The callback function is executed on the VM main thread (UI thread). Operating UI elements in Android requires code execution in the main thread, and scheduleOnMainThread its role is to execute functions in the main thread
Java.openClassFile(filePath) : This APIused for hook dynamic loaded dex.
Java.choose(className, callbacks) : Scan Java heap in memory and enumerate Java object (className) instances. For example, you can use java.lang.String Scan strings in memory. callbacks provide two parameters: onMatch(instance) and onComplete, which are to find the matching object and scan to complete the call.
```
Java.perform(
    function(){
        Java.choose("java.lang.String", {
            onMatch: function(instance){
                console.log(instance.toString())
            },
            onCompelet: function(){
                console.log("[+] Done")
            }
        })
    }
)
```
Java.retain(obj) : duplicates the JavaScript wrapper obj for later use outside replacement method