Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • 1. Install frida and root your emulator/device
  • 2. Use frida scripts to bypass (fast way)
  • 3. Dynamic analysis and frida script (manual)
  • Souce-code analysis
  • Finding the root validation
  • Frida script (hook)
  • BONUS - PATCH the APK

Was this helpful?

  1. Mobile
  2. Reverse Android APKs

Bypass root + Frida

Bypass Android root protection with frida.

PreviousAndroid Dynamic AnalysisNextSSL unpining frida + Fiddler/Burp

Last updated 3 years ago

Was this helpful?

1. Install frida and root your emulator/device

2. Use frida scripts to bypass (fast way)

It works in the hardest applications. So, you need to create a file called "frida.js", and paste the code below.

Java.perform(function() {
    var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
        "com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager",
        "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch",
        "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus",
        "de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot",
        "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser",
        "eu.chainfire.supersu.pro", "com.kingouser.com"
    ];

    var RootBinaries = ["su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk"];

    var RootProperties = {
        "ro.build.selinux": "1",
        "ro.debuggable": "0",
        "service.adb.root": "0",
        "ro.secure": "1"
    };

    var RootPropertiesKeys = [];

    for (var k in RootProperties) RootPropertiesKeys.push(k);

    var PackageManager = Java.use("android.app.ApplicationPackageManager");

    var Runtime = Java.use('java.lang.Runtime');

    var NativeFile = Java.use('java.io.File');

    var String = Java.use('java.lang.String');

    var SystemProperties = Java.use('android.os.SystemProperties');

    var BufferedReader = Java.use('java.io.BufferedReader');

    var ProcessBuilder = Java.use('java.lang.ProcessBuilder');

    var StringBuffer = Java.use('java.lang.StringBuffer');

    var loaded_classes = Java.enumerateLoadedClassesSync();

    send("Loaded " + loaded_classes.length + " classes!");

    var useKeyInfo = false;

    var useProcessManager = false;

    send("loaded: " + loaded_classes.indexOf('java.lang.ProcessManager'));

    if (loaded_classes.indexOf('java.lang.ProcessManager') != -1) {
        try {
            //useProcessManager = true;
            //var ProcessManager = Java.use('java.lang.ProcessManager');
        } catch (err) {
            send("ProcessManager Hook failed: " + err);
        }
    } else {
        send("ProcessManager hook not loaded");
    }

    var KeyInfo = null;

    if (loaded_classes.indexOf('android.security.keystore.KeyInfo') != -1) {
        try {
            //useKeyInfo = true;
            //var KeyInfo = Java.use('android.security.keystore.KeyInfo');
        } catch (err) {
            send("KeyInfo Hook failed: " + err);
        }
    } else {
        send("KeyInfo hook not loaded");
    }

    PackageManager.getPackageInfo.implementation = function(pname, flags) {
        var shouldFakePackage = (RootPackages.indexOf(pname) > -1);
        if (shouldFakePackage) {
            send("Bypass root check for package: " + pname);
            pname = "set.package.name.to.a.fake.one.so.we.can.bypass.it";
        }
        return this.getPackageInfo.call(this, pname, flags);
    };

    NativeFile.exists.implementation = function() {
        var name = NativeFile.getName.call(this);
        var shouldFakeReturn = (RootBinaries.indexOf(name) > -1);
        if (shouldFakeReturn) {
            send("Bypass return value for binary: " + name);
            return false;
        } else {
            return this.exists.call(this);
        }
    };

    var exec = Runtime.exec.overload('[Ljava.lang.String;');
    var exec1 = Runtime.exec.overload('java.lang.String');
    var exec2 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;');
    var exec3 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;');
    var exec4 = Runtime.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File');
    var exec5 = Runtime.exec.overload('java.lang.String', '[Ljava.lang.String;', 'java.io.File');

    exec5.implementation = function(cmd, env, dir) {
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
            var fakeCmd = "grep";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "su") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        return exec5.call(this, cmd, env, dir);
    };

    exec4.implementation = function(cmdarr, env, file) {
        for (var i = 0; i < cmdarr.length; i = i + 1) {
            var tmp_cmd = cmdarr[i];
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
                var fakeCmd = "grep";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }

            if (tmp_cmd == "su") {
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }
        }
        return exec4.call(this, cmdarr, env, file);
    };

    exec3.implementation = function(cmdarr, envp) {
        for (var i = 0; i < cmdarr.length; i = i + 1) {
            var tmp_cmd = cmdarr[i];
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
                var fakeCmd = "grep";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }

            if (tmp_cmd == "su") {
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
                send("Bypass " + cmdarr + " command");
                return exec1.call(this, fakeCmd);
            }
        }
        return exec3.call(this, cmdarr, envp);
    };

    exec2.implementation = function(cmd, env) {
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
            var fakeCmd = "grep";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "su") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        return exec2.call(this, cmd, env);
    };

    exec.implementation = function(cmd) {
        for (var i = 0; i < cmd.length; i = i + 1) {
            var tmp_cmd = cmd[i];
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id" || tmp_cmd == "sh") {
                var fakeCmd = "grep";
                send("Bypass " + cmd + " command");
                return exec1.call(this, fakeCmd);
            }

            if (tmp_cmd == "su") {
                var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
                send("Bypass " + cmd + " command");
                return exec1.call(this, fakeCmd);
            }
        }

        return exec.call(this, cmd);
    };

    exec1.implementation = function(cmd) {
        if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id" || cmd == "sh") {
            var fakeCmd = "grep";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        if (cmd == "su") {
            var fakeCmd = "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled";
            send("Bypass " + cmd + " command");
            return exec1.call(this, fakeCmd);
        }
        return exec1.call(this, cmd);
    };

    String.contains.implementation = function(name) {
        if (name == "test-keys") {
            send("Bypass test-keys check");
            return false;
        }
        return this.contains.call(this, name);
    };

    var get = SystemProperties.get.overload('java.lang.String');

    get.implementation = function(name) {
        if (RootPropertiesKeys.indexOf(name) != -1) {
            send("Bypass " + name);
            return RootProperties[name];
        }
        return this.get.call(this, name);
    };

    Interceptor.attach(Module.findExportByName("libc.so", "fopen"), {
        onEnter: function(args) {
            var path = Memory.readCString(args[0]);
            path = path.split("/");
            var executable = path[path.length - 1];
            var shouldFakeReturn = (RootBinaries.indexOf(executable) > -1)
            if (shouldFakeReturn) {
                Memory.writeUtf8String(args[0], "/notexists");
                send("Bypass native fopen");
            }
        },
        onLeave: function(retval) {

        }
    });

    Interceptor.attach(Module.findExportByName("libc.so", "system"), {
        onEnter: function(args) {
            var cmd = Memory.readCString(args[0]);
            send("SYSTEM CMD: " + cmd);
            if (cmd.indexOf("getprop") != -1 || cmd == "mount" || cmd.indexOf("build.prop") != -1 || cmd == "id") {
                send("Bypass native system: " + cmd);
                Memory.writeUtf8String(args[0], "grep");
            }
            if (cmd == "su") {
                send("Bypass native system: " + cmd);
                Memory.writeUtf8String(args[0], "justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled");
            }
        },
        onLeave: function(retval) {

        }
    });

    /*

    TO IMPLEMENT:

    Exec Family

    int execl(const char *path, const char *arg0, ..., const char *argn, (char *)0);
    int execle(const char *path, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]);
    int execlp(const char *file, const char *arg0, ..., const char *argn, (char *)0);
    int execlpe(const char *file, const char *arg0, ..., const char *argn, (char *)0, char *const envp[]);
    int execv(const char *path, char *const argv[]);
    int execve(const char *path, char *const argv[], char *const envp[]);
    int execvp(const char *file, char *const argv[]);
    int execvpe(const char *file, char *const argv[], char *const envp[]);

    */


    BufferedReader.readLine.implementation = function() {
        var text = this.readLine.call(this);
        if (text === null) {
            // just pass , i know it's ugly as hell but test != null won't work :(
        } else {
            var shouldFakeRead = (text.indexOf("ro.build.tags=test-keys") > -1);
            if (shouldFakeRead) {
                send("Bypass build.prop file read");
                text = text.replace("ro.build.tags=test-keys", "ro.build.tags=release-keys");
            }
        }
        return text;
    };

    var executeCommand = ProcessBuilder.command.overload('java.util.List');

    ProcessBuilder.start.implementation = function() {
        var cmd = this.command.call(this);
        var shouldModifyCommand = false;
        for (var i = 0; i < cmd.size(); i = i + 1) {
            var tmp_cmd = cmd.get(i).toString();
            if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd.indexOf("mount") != -1 || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd.indexOf("id") != -1) {
                shouldModifyCommand = true;
            }
        }
        if (shouldModifyCommand) {
            send("Bypass ProcessBuilder " + cmd);
            this.command.call(this, ["grep"]);
            return this.start.call(this);
        }
        if (cmd.indexOf("su") != -1) {
            send("Bypass ProcessBuilder " + cmd);
            this.command.call(this, ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"]);
            return this.start.call(this);
        }

        return this.start.call(this);
    };

    if (useProcessManager) {
        var ProcManExec = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.io.File', 'boolean');
        var ProcManExecVariant = ProcessManager.exec.overload('[Ljava.lang.String;', '[Ljava.lang.String;', 'java.lang.String', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'java.io.FileDescriptor', 'boolean');

        ProcManExec.implementation = function(cmd, env, workdir, redirectstderr) {
            var fake_cmd = cmd;
            for (var i = 0; i < cmd.length; i = i + 1) {
                var tmp_cmd = cmd[i];
                if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") {
                    var fake_cmd = ["grep"];
                    send("Bypass " + cmdarr + " command");
                }

                if (tmp_cmd == "su") {
                    var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"];
                    send("Bypass " + cmdarr + " command");
                }
            }
            return ProcManExec.call(this, fake_cmd, env, workdir, redirectstderr);
        };

        ProcManExecVariant.implementation = function(cmd, env, directory, stdin, stdout, stderr, redirect) {
            var fake_cmd = cmd;
            for (var i = 0; i < cmd.length; i = i + 1) {
                var tmp_cmd = cmd[i];
                if (tmp_cmd.indexOf("getprop") != -1 || tmp_cmd == "mount" || tmp_cmd.indexOf("build.prop") != -1 || tmp_cmd == "id") {
                    var fake_cmd = ["grep"];
                    send("Bypass " + cmdarr + " command");
                }

                if (tmp_cmd == "su") {
                    var fake_cmd = ["justafakecommandthatcannotexistsusingthisshouldthowanexceptionwheneversuiscalled"];
                    send("Bypass " + cmdarr + " command");
                }
            }
            return ProcManExecVariant.call(this, fake_cmd, env, directory, stdin, stdout, stderr, redirect);
        };
    }

    if (useKeyInfo) {
        KeyInfo.isInsideSecureHardware.implementation = function() {
            send("Bypass isInsideSecureHardware");
            return true;
        }
    }

});

Next, after installing the target apk on your mobile device, you need to start frida server and execute the script from your attacker machine.

.\adb.exe connect localhost:21503
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'

frida-ps.exe -U (to obtain the app)
frida.exe -U -f 'com.xxx.xxx.xxx' -l .\frida.js --no-pause

For more details about frida, you can check the next section.

3. Dynamic analysis and frida script (manual)

Many times, when the root protection is made manually, it's difficult to bypass the protection. In that scenarios, you need:

  • Analyse the APK java code to understand how and where the root validation is performed

  • Create a frida specially crafted script to bypass it

Souce-code analysis

To start, we can use an online decompiler like this:

or just doing it by using the tool dex2jar:

My favorite approach is: jadx Java decompiler:

There is also a prepared VM you can find with all the tools installed called Mobexler:

BONUS: A lot of times I use Bytecode Viewer - a lightweight user friendly Java Bytecode Viewer. This tool allow you compare the decompiled Java code using different tools, and choosing the best one for you.

After that, using the ByteCode Viewer or JADX, you can export your project (source files) and use Visual Studio Code in order to analyze the code and taking advantage of cross-references, and all the available plugins to better understand the Android code. For instance, you can also install a Java Decompiler plugin.

Finding the root validation

By using the "Search" feature, we try to get some information about where the root function is called.

We can see that an object (r0) is returned if the "Device is rooted", and r0 is returned with "none" when the device is not rooted. Next, we are presenting the general block of code we analyzed.

 package d.a.a.a.c.g;
 
 (...)
 public enum g {
 (...)
   
     public static final class e extends g {
        public e(String str, int i) {
            super(str, i, (q.v.c.f) null);
        }         
        
                        
      public java.lang.Object doProcedure(android.content.Context r17, q.s.d<? super d.a.a.a.c.g.a> r18) {                                                  
              (...)   
                
              d.a.a.a.c.g.a$a r0 = d.a.a.a.c.g.a.g
                java.lang.String r2 = "Device rooted"
                d.a.a.a.c.g.a r0 = r0.a(r1, r2)
                return r0
            L_0x01ee:
                d.a.a.a.c.g.a$a r0 = d.a.a.a.c.g.a.g
                java.lang.String r2 = "none"
                d.a.a.a.c.g.a r0 = r0.a(r1, r2)
                return r0
           
               (...)
      } 
  }     

To bypass this protection, we need to:

  • Create the target path: Package of the class + Add the "public enum g" + Add the target class (d.a.a.a.c.g.g$e)

  • Implement the code on the target method (doProcedure)

  • Create an object from "d.a.a.a.c.g.a" to return something using its constructor

We can see the constructor can be "empty" or we can passing it 5 args. Analysing the code we can understand that. For instance:

 return new d.a.a.a.c.g.a(r6, r7, r8, (android.content.DialogInterface.OnClickListener) null, 8);

Frida script (hook)

Now, it's time to write our frida script:

console.log("Starting hook ...");
Java.perform(function() {
	//package d.a.a.a.c.g;
	//d.a.a.a.c.g.g$e
	var my = Java.use("d.a.a.a.c.g.g$e");
	my.doProcedure.implementation = function (func1, func2, func3) {
		 console.log('..doing some stuff..');
		 //var x = Java.use("d.a.a.a.c.g.a").$new(); 
		 var x = Java.use("d.a.a.a.c.g.a").$new("none", "none", null, null, 8);
		 return x;
	}
});

another approach overloading the method:

Java.perform(function () {

	var hookclass = Java.use("d.a.a.a.c.g.g$e");

	hookclass.doProcedure.overload("android.content.Context", "q.s.d").implementation = function(ctx, rsd) {
		var p = Java.use("d.a.a.a.c.g.a").$new("none", "none", null, null, 8);
		var ret = p;
		console.log(ret);
		return ret;
	}
	console.log("hook created!");
});

To execute it:

.\adb.exe connect localhost:21503
.\adb.exe shell '/data/local/temp/frida-server-14.2.18-android-x86 &'

frida.exe -U -f 'com.xxx.xxx.xxxx' -l .\frida.js --no-pause

BONUS - PATCH the APK

Instead using frida, we can patch directly the APK using this approach:

So, we just need, in this case, changing the content of the r2 (v2 smali) variable.

Before

After

and ... we got it!

and, we got it! We bypassed root validations!

After that, we need to follow the steps to build the APK, sign it and align it.

😇
😎
😎
LogoAndroid Dynamic AnalysisRed Teaming and Malware Analysis
LogoAndroid Dynamic AnalysisRed Teaming and Malware Analysis
LogoFrida CodeShare
LogoGitHub - pxb1988/dex2jar: Tools to work with android .dex and java .class filesGitHub
LogoGitHub - skylot/jadx: Dex to Java decompilerGitHub
LogoBackdooring/patch APKsRed Teaming and Malware Analysis
LogoJava decompiler online / APK decompiler - Decompiler.com
LogoMobexler - Mobile Application Penetration Testing Platform