Have you ever written a frida script this good, that you wanted to make it permanent? Well, now you can!
InjectionForge is a tool that allows you to convert your frida scripts into either a standalone executable that when called with a PID injects itself and runs the script or a shared library that can be somehow injected to a process and runs the script.
All desktop platforms are supported (Windows, Linux, macOS).
NOTE: To cross-compile for Windows you can use cargo-xwin
with target x86_64-pc-windows-msvc
.
You're gonna have to compile the tool yourself as the frida script gets embedded at compile time.
You only need a working cargo installation to compile it, it's quite simple.
You can feed your script either as a string using the FRIDA_CODE
environment
variable or as a file using the FRIDA_CODE_FILE
environment variable.
The standalone executable is the easiest to use. You just run it with a PID and it will inject itself and run the frida script.
git clone https://github.com/dzervas/injectionforge
FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo run --bin standalone -- 1234
The binary is located at target/debug/standalone
(.exe
for windows).
The shared library is a bit more complicated to use. You have to inject it to
a process using a tool like LD_PRELOAD
(linux) or rundll32.exe
(windows).
git clone https://github.com/dzervas/injectionforge
FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo build --lib
LD_PRELOAD=target/debug/libfrida_deepfreeze_rs.so cat
# rundll32.exe target/debug/frida_deepfreeze_rs.dll,inject_self 1234 (windows equivalent)
The resulting library is located at target/debug/libfrida_deepfreeze_rs.so
(.dll
for windows). You can inject it using your favorite injector.
There are two exported functions that you can call from the library to inject:
void inject(uint32_t pid); // Run the frida script in the process with the given pid
void inject_self(); // Run the frida script in the process that called the function
By default (so DllMain
in windows and .ctor
on unix), on load the library
will call inject_self()
so you can just inject it and it will run the script.
There's also the option of generating a DLL ready for DLL Proxying use.
That means that you give the DLL myawesome.dll
to cargo
(using the DLL_PROXY
environment variable) and it will generate a DLL
myawesome.dll
that can replace the original DLL. It will tell the linker
that any functions found during compilation (e.g. functions foo
and bar
exported by the original myawesome.dll
) should be redirected to myawesome-orig.dll
That allows you to make your script completely permanent without having to run any extra commands.
NOTE: This only works on Windows (for now?).
git clone https://github.com/dzervas/injectionforge
DLL_PROXY='../myawesome.dll' FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo xwin build --lib --target x86_64-pc-windows-msvc
Since most people ask about Android and anti-anti-frida techniques, I created some dockerfiles to help with that.
To just wrap a frida script in a shared library that can be injected to an Android process (or APK repacking):
git clone https://github.com/dzervas/injectionforge
cd injectionforge
docker build -t injectionforge-android -f Dockerfile.android .
docker run -e FRIDA_CODE_FILE=/script.js -v $(pwd)/target:/injectionforge/target -v $(pwd)/myscript.js:/script.js injectionforge-android
(be sure to change the path to myscript.js
)
To use a patched frida to evade some basic anti-frida techniques (based on undetected-frida-patches):
git clone https://github.com/dzervas/injectionforge
cd injectionforge
docker build -t injectionforge-android -f Dockerfile.android .
docker build -t injectionforge-android-undetect -f Dockerfile.android-undetect .
docker run -e FRIDA_CODE_FILE=/script.js -v $(pwd)/target:/injectionforge/target -v $(pwd)/myscript.js:/script.js injectionforge-android-undetect
During the build of Dockerfile.android
you can pass args to specify the
NDK version and more (check the Dockerfile).