Hooking & Intercepting

đź“ŚWhat is hooking?

Hooking is the technique of intercepting and altering the functionality of functions or methods within an application or the Android operating system. For instance, by hooking a method in our app, we can modify its behavior by implementing our own logic.

đź“ŤHow Frida Hooks into Apps

Frida can be injected into an app using two different approaches:

  1. Injected Mode (Recommended)

    • Runs frida-server on your device.

    • Allows you to attach to running apps without modifying the APK.

  2. Embedded Mode

    • Requires modifying the APK manually.

    • You must inject the Frida Gadget (.so file) into the APK, repack it, and resign it.

    • Useful for bypassing anti-debugging protections.

đź“ŤWhen to Run Your Script

Depending on when you want to start hooking the app, use the appropriate command:

  • If the app is already running (attach after objects are loaded):

    frida -U -n package_name

  • If you want to start the app from the beginning (Before app initialization):

    frida -U -f package_name -l script.js

đź“ŚWhat Does Interception Mean?

Interception is the process of hooking into a function at runtime to observe or modify its behavior. With Frida, this lets us:

  • See what arguments are passed to the function.

  • Modify those arguments before they’re used.

  • Run custom code when the function is called.

  • Change the return value before it’s given back to the app.

đź“ŤBasic Frida script

  • This is the skeleton we can use

    // Ensure the script runs inside the Java environment
Java.perform(function () {
    // Store the target class in a variable
    var varName = Java.use("package_name.class_name");

    // Hook the onCreate method
    varName.onCreate.implementation = function (bundle) {
         // Log a message when the method is called
        console.log("onCreate called");

        // Call the original onCreate method to avoid breaking the app
        this.onCreate(bundle);
    };
});

  • A short explanation of the functions

    • Java.perform(function() { ... })

      • Ensures that the script runs within the Java environment of the target app

    • Java.use("com.example.app.className")

      • Loads the specified Java class (className) from the target Android app so it can be manipulated.

    • .implementation is used to hook and modify a method’s behavior at runtime. It allows us to intercept method calls, log data, modify parameters, or even change the method's return value.

đź“ŤIn Java, methods can be overloaded, meaning multiple methods can have the same name but different parameters. For example, an Android Activity class might have multiple onCreate methods:

public void onCreate() { ... }  // No parameters
public void onCreate(Bundle savedInstanceState) { ... }  // Takes a Bundle
public void onCreate(Bundle savedInstanceState, String extra) { ... }  // Two parameters

Since Frida needs to know exactly which method we are targeting, we use .overload(...) to specify the parameter types.

Java.perform(function () {
    var varName = Java.use("com.example.app.className");

    // Hook the onCreate method (assuming it takes a Bundle as a parameter)
    varName.onCreate.overload("android.os.Bundle").implementation = function (bundle) {
        console.log("onCreate called");
        this.onCreate(bundle);
    };
});

đź“ŤModifying a Method's Return Value

This script hooks into the randomDice() method of the DiceGameFragment class and changes its return value to 5.

// Run the script within the Java VM context
Java.perform(function () {

    // 1. Get a reference to the target class
    var DiceGameFragment = Java.use("io.hextree.fridatarget.ui.DiceGameFragment");

    // 2. Hook the 'randomDice' method
    DiceGameFragment.randomDice.implementation = function () {
        // Optional: Call the original method
        this.randomDice();

        // 3. Return a fixed value instead of the original result
        return 5;
    };
});
PreviousFrida OverviewNextCalling Methods