Detecting Frida

Hi,

I am writing in to check if there is a way to detect Frida, as we have a Mobile App Penetration Test (MAPT) and the tester uses Frida as the tool for the penetration test.

We have implemented this code to detect Frida and Objection:

#import <Foundation/Foundation.h>
#include <mach-o/dyld.h>
#include <string.h>

static bool isInjected0(void) {
  NSArray *suspiciousLibraries = [NSArray arrayWithObjects:@"FridaGadget", @"frida", @"cynject", @"libcycript", nil];
  uint32_t count = _dyld_image_count(); // Number of images currently loaded in the process
  for (uint32_t i = 0; i < count; i++) {
    // Traverse all image names and check whether any comes from a known injection framework
    const char *dyld = _dyld_get_image_name(i);
    if (dyld == NULL) {
      continue; // Defensive: never hand a NULL to stringWithUTF8String:
    }
    // Images loaded from /Library/MobileSubstrate/DynamicLibraries are injected tweaks
    if (strstr(dyld, "DynamicLibraries")) {
      return true;
    }
    NSString *imageName = [NSString stringWithUTF8String:dyld];
    for (NSString *suspiciousLibrary in suspiciousLibraries) {
      if ([imageName rangeOfString:suspiciousLibrary].location != NSNotFound) {
        return true;
      }
    }
  }
  return false;
}

We also added this code to detect the default ports that Frida is using:

#import <Foundation/Foundation.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

@interface FridaDetector : NSObject
+ (BOOL)detectFridaPort;
+ (BOOL)isPortOpen:(in_port_t)port;
@end

@implementation FridaDetector

+ (BOOL)detectFridaPort {
    in_port_t port = 27042; // Default listening port of frida-server
    return [self isPortOpen:port];
}

// Returns YES when another process already owns the given localhost TCP port.
// The check tries to bind the port itself: bind() failing with EADDRINUSE means
// something (e.g. frida-server) is listening there.
+ (BOOL)isPortOpen:(in_port_t)port {
    int socketFileDescriptor = socket(AF_INET, SOCK_STREAM, 0);
    if (socketFileDescriptor == -1) {
        NSLog(@"Failed to create socket: %s", strerror(errno));
        return NO;
    }

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_len = sizeof(addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port); // Ensuring the port is in network byte order
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");

    BOOL result = NO;
    if (bind(socketFileDescriptor, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        // Only "address in use" means a listener exists; other errors are not evidence
        if (errno == EADDRINUSE) {
            NSLog(@"Failed to bind socket, port might be open");
            result = YES;
        } else {
            NSLog(@"bind() failed for an unrelated reason: %s", strerror(errno));
        }
    } else if (listen(socketFileDescriptor, SOMAXCONN) == -1) {
        NSLog(@"Failed to listen on socket, port might be open");
        result = YES;
    }

    close(socketFileDescriptor);
    return result;
}

@end

We are able to detect Frida on a normal device, but I believe the tester did some workaround to prevent us from detecting the Frida present on their device.

Is there a better way to detect Frida and Objection?
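As an added example (not code from the original post), the two checks above can be folded into one routine that probes the port with connect() instead of bind(), so a listener is reported only when something actually accepts a connection on 127.0.0.1:27042, and that registers a dyld add-image callback so libraries loaded after startup are scanned as well, not just those present at the moment the check runs. The class name FridaSignals, the kSuspiciousImageFragments list and the fridaDetected flag are my own names; the port 27042 and the image-name fragments are the ones from the post.

```objective-c
#import <Foundation/Foundation.h>
#include <mach-o/dyld.h>
#include <dlfcn.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>

// Path fragments associated with common instrumentation frameworks (list assumed
// from the original post; extend as needed).
static const char *const kSuspiciousImageFragments[] = {
    "FridaGadget", "frida", "cynject", "libcycript", "DynamicLibraries", NULL
};

// Set once any loaded image matches; read by the app at the points it cares about.
static volatile BOOL fridaDetected = NO;

static BOOL imagePathLooksSuspicious(const char *path) {
    if (path == NULL) return NO;
    for (const char *const *frag = kSuspiciousImageFragments; *frag != NULL; frag++) {
        if (strstr(path, *frag) != NULL) return YES;
    }
    return NO;
}

// dyld calls this once for every image already loaded at registration time and
// again for every image loaded afterwards, so late injection is covered too.
static void onImageAdded(const struct mach_header *mh, intptr_t slide) {
    Dl_info info;
    // dladdr() on the image base resolves the image's file path into dli_fname
    if (dladdr(mh, &info) != 0 && imagePathLooksSuspicious(info.dli_fname)) {
        fridaDetected = YES;
    }
}

// Probe a localhost TCP port with connect(): success means a listener exists.
// Unlike bind(), this cannot be confused by permission or address errors.
static BOOL localhostPortAcceptsConnections(in_port_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) return NO;

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_len = sizeof(addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");

    // A closed localhost port is refused immediately, so a blocking connect is cheap here.
    BOOL open = (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0);
    close(fd);
    return open;
}

@interface FridaSignals : NSObject
+ (void)startMonitoring;
+ (BOOL)anySignalPresent;
@end

@implementation FridaSignals

+ (void)startMonitoring {
    // Registration replays all currently loaded images through the callback.
    _dyld_register_func_for_add_image(onImageAdded);
}

+ (BOOL)anySignalPresent {
    // 27042 is frida-server's default port, as in the original post.
    return fridaDetected || localhostPortAcceptsConnections(27042);
}

@end
```

Call `[FridaSignals startMonitoring]` as early as possible (for instance from a `+load` method) and `[FridaSignals anySignalPresent]` wherever the app decides how to react. Both signals still go through userland calls (dladdr, connect, strstr) that an instrumentation framework can hook or that a tester can sidestep by changing the port or renaming the gadget, so they are best treated as telemetry reported to the backend rather than as a single hard gate.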
