
Detecting and bypassing frida dynamic function call tracing: exploitation and mitigation

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Frida is a powerful dynamic analysis tool that uses different mechanisms to hijack the control flow of the analyzed process and is capable of communicating with external tools. The code of the process is manipulated to intercept the function calls and analyze them. Frida is commonly used to analyze suspicious programs and malware. Nevertheless, the function call interception mechanisms can be circumvented by malicious code. In this paper, we describe the different techniques to detect Frida and a novel technique to bypass those interception mechanisms. We also describe a generic mitigation method based on standard Linux capabilities, specifically the page table entry inspection mechanisms. This method is generic and does not depend on specialized hardware. Finally, we present an open source implementation, gopper, a lightweight stand-alone tool that watches a process to detect anomalous and suspicious behaviors without interference.
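The abstract's mitigation idea, inspecting page table entries rather than relying on special hardware, can be illustrated with the kernel's soft-dirty mechanism: after writing "4" to /proc/<pid>/clear_refs, any page that is written afterwards gets bit 55 set in its /proc/<pid>/pagemap entry. An executable page that turns soft-dirty is code that was modified in place, which is what inline function-call hooking does and what a normal process almost never does. The Go program below is an added example written for this page; it is not gopper's source and makes no claim about how gopper is implemented. It assumes a Linux kernel built with CONFIG_MEM_SOFT_DIRTY, 4 KiB pages, and a watcher that may read the target's maps and pagemap files and write its clear_refs (always true for the process itself). The maps line and pagemap entries named sample* are constructed inputs for offline use.

```go
package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Layout of a /proc/<pid>/pagemap entry: one little-endian uint64 per virtual
// page. Bit 55 is the soft-dirty flag, bit 63 the present flag. Unprivileged
// readers see the PFN bits zeroed but the flag bits intact.
const (
	pageSize     uint64 = 4096 // assumption: 4 KiB pages
	entrySize           = 8
	softDirtyBit uint64 = 1 << 55
	presentBit   uint64 = 1 << 63
)

// Mapping is one parsed line of /proc/<pid>/maps.
type Mapping struct {
	Start, End uint64
	Perms      string
	Path       string
}

// parseMapsLine parses "start-end perms offset dev inode [path]".
func parseMapsLine(line string) (Mapping, error) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Mapping{}, fmt.Errorf("short maps line: %q", line)
	}
	rng := strings.SplitN(f[0], "-", 2)
	if len(rng) != 2 {
		return Mapping{}, fmt.Errorf("bad address range: %q", f[0])
	}
	start, err := strconv.ParseUint(rng[0], 16, 64)
	if err != nil {
		return Mapping{}, err
	}
	end, err := strconv.ParseUint(rng[1], 16, 64)
	if err != nil {
		return Mapping{}, err
	}
	m := Mapping{Start: start, End: end, Perms: f[1]}
	if len(f) >= 6 {
		m.Path = f[5]
	}
	return m, nil
}

// isExecutable reports whether the mapping's permission string has the x bit.
func isExecutable(m Mapping) bool { return len(m.Perms) >= 3 && m.Perms[2] == 'x' }

func isSoftDirty(entry uint64) bool { return entry&softDirtyBit != 0 }

// dirtyPages returns the virtual addresses of the pages of m whose pagemap
// entry (raw: the bytes read from pagemap for exactly that range) is soft-dirty.
func dirtyPages(m Mapping, raw []byte) []uint64 {
	var dirty []uint64
	npages := (m.End - m.Start) / pageSize
	for i := uint64(0); i < npages && int((i+1)*entrySize) <= len(raw); i++ {
		entry := binary.LittleEndian.Uint64(raw[i*entrySize:])
		if isSoftDirty(entry) {
			dirty = append(dirty, m.Start+i*pageSize)
		}
	}
	return dirty
}

// scanExecutable walks the executable mappings of pid and reports the pages
// written since the last clear_refs reset, keyed by "start-end path".
func scanExecutable(pid int) (map[string][]uint64, error) {
	base := fmt.Sprintf("/proc/%d/", pid)
	maps, err := os.Open(base + "maps")
	if err != nil {
		return nil, err
	}
	defer maps.Close()
	pagemap, err := os.Open(base + "pagemap")
	if err != nil {
		return nil, err
	}
	defer pagemap.Close()
	out := map[string][]uint64{}
	sc := bufio.NewScanner(maps)
	for sc.Scan() {
		m, err := parseMapsLine(sc.Text())
		if err != nil || !isExecutable(m) {
			continue
		}
		raw := make([]byte, (m.End-m.Start)/pageSize*entrySize)
		// pagemap is indexed by virtual page number; pread avoids seeking.
		if _, err := pagemap.ReadAt(raw, int64(m.Start/pageSize*entrySize)); err != nil {
			continue // e.g. the vsyscall page on x86-64
		}
		if d := dirtyPages(m, raw); len(d) > 0 {
			out[fmt.Sprintf("%x-%x %s", m.Start, m.End, m.Path)] = d
		}
	}
	return out, sc.Err()
}

// Constructed sample inputs (not captured from a real process).
const sampleMapsLine = "55d5c1a00000-55d5c1a2c000 r-xp 00001000 fd:01 1234567 /usr/bin/example"

func sampleEntries() []byte {
	raw := make([]byte, 3*entrySize)
	binary.LittleEndian.PutUint64(raw[0:], presentBit)              // clean page
	binary.LittleEndian.PutUint64(raw[8:], presentBit|softDirtyBit) // written page
	binary.LittleEndian.PutUint64(raw[16:], 0)                      // not present
	return raw
}

func main() {
	pid := os.Getpid()
	if len(os.Args) > 1 {
		pid, _ = strconv.Atoi(os.Args[1])
	}
	// Reset soft-dirty bits so only writes from this point on are reported.
	if err := os.WriteFile(fmt.Sprintf("/proc/%d/clear_refs", pid), []byte("4"), 0); err != nil {
		fmt.Fprintln(os.Stderr, "clear_refs:", err)
	}
	hits, err := scanExecutable(pid)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		return
	}
	for region, pages := range hits {
		fmt.Printf("modified code in %s: %d page(s), first at %#x\n", region, len(pages), pages[0])
	}
}
```

Run it with no argument to scan itself, or with a PID to scan another process the watcher may ptrace. A detector built this way only reads procfs, so the target sees no extra threads, breakpoints or library loads; in a loop, repeat the clear_refs reset and the scan at whatever interval the deployment tolerates, and treat any soft-dirty executable page as an event worth alerting on, since neither the loader nor a normal runtime writes to code pages after start-up.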


Fig. 1
Fig. 2


Notes

  1. Be careful when writing this kind of code: it is very easy to hit undefined behaviour.

  2. Note that the offset has changed: now it is 0x1296.

  3. Where len is the number of bytes to be copied, dest a char pointer holding the destination address, and src a char pointer holding the source address.

  4. man 5 proc

  5. https://go.dev

  6. https://pkg.go.dev/k8s.io/utils/inotify


Author information


Correspondence to Enrique Soriano-Salvador.


This work is partially funded under the Proyectos de Generación de Conocimiento 2021 call of Ministry of Science and Innovation of Spain co-funded by the European Union, project PID2021-126592OB-C22 CASCAR/DMARCE.


Cite this article

Soriano-Salvador, E., Guardiola-Múzquiz, G. Detecting and bypassing frida dynamic function call tracing: exploitation and mitigation. J Comput Virol Hack Tech 19, 503–513 (2023). https://doi.org/10.1007/s11416-022-00458-7
