Have you ever written a frida script this good, that you wanted to make it permanent? Well, now you can!
InjectionForge is a tool that allows you to convert your frida scripts into either a standalone executable that when called with a PID injects itself and runs the script or a shared library that can be somehow injected to a process and runs the script.
All desktop platforms are supported (Windows, Linux, macOS).
NOTE: To cross-compile for Windows you can use cargo-xwin
with target x86_64-pc-windows-msvc.
You're gonna have to compile the tool yourself as the frida script gets embedded at compile time.
You only need a working cargo installation to compile it, it's quite simple.
You can feed your script either as a string using the FRIDA_CODE environment
variable or as a file using the FRIDA_CODE_FILE environment variable.
The standalone executable is the easiest to use. You just run it with a PID and it will inject itself and run the frida script.
git clone https://github.com/dzervas/injectionforge
FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo run --bin standalone -- 1234The binary is located at target/debug/standalone (.exe for windows).
The shared library is a bit more complicated to use. You have to inject it to
a process using a tool like LD_PRELOAD (linux) or rundll32.exe (windows).
git clone https://github.com/dzervas/injectionforge
FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo build --lib
LD_PRELOAD=target/debug/libfrida_deepfreeze_rs.so cat
# rundll32.exe target/debug/frida_deepfreeze_rs.dll,inject_self 1234 (windows equivalent)The resulting library is located at target/debug/libfrida_deepfreeze_rs.so
(.dll for windows). You can inject it using your favorite injector.
There are two exported functions that you can call from the library to inject:
void inject(uint32_t pid); // Run the frida script in the process with the given pid
void inject_self(); // Run the frida script in the process that called the functionBy default (so DllMain in windows and .ctor on unix), on load the library
will call inject_self() so you can just inject it and it will run the script.
There's also the option of generating a DLL ready for DLL Proxying use.
That means that you give the DLL myawesome.dll to cargo
(using the DLL_PROXY environment variable) and it will generate a DLL
myawesome.dll that can replace the original DLL. It will tell the linker
that any functions found during compilation (e.g. functions foo and bar
exported by the original myawesome.dll) should be redirected to myawesome-orig.dll
That allows you to make your script completely permanent without having to run any extra commands.
NOTE: This only works on Windows (for now?).
git clone https://github.com/dzervas/injectionforge
DLL_PROXY='../myawesome.dll' FRIDA_CODE='console.log("Hello world from InjectionForge!")' cargo xwin build --lib --target x86_64-pc-windows-msvcSince most people ask about Android and anti-anti-frida techniques, I created some dockerfiles to help with that.
To just wrap a frida script in a shared library that can be injected to an Android process (or APK repacking):
git clone https://github.com/dzervas/injectionforge
cd injectionforge
docker build -t injectionforge-android -f Dockerfile.android .
docker run -e FRIDA_CODE_FILE=/script.js -v $(pwd)/target:/injectionforge/target -v $(pwd)/myscript.js:/script.js injectionforge-android(be sure to change the path to myscript.js)
To use a patched frida to evade some basic anti-frida techniques (based on undetected-frida-patches):
git clone https://github.com/dzervas/injectionforge
cd injectionforge
docker build -t injectionforge-android -f Dockerfile.android .
docker build -t injectionforge-android-undetect -f Dockerfile.android-undetect .
docker run -e FRIDA_CODE_FILE=/script.js -v $(pwd)/target:/injectionforge/target -v $(pwd)/myscript.js:/script.js injectionforge-android-undetectDuring the build of Dockerfile.android you can pass args to specify the
NDK version and more (check the Dockerfile).