Run Frida hooks on system_server without a client

Question

I am using Frida and I want to hook a system_server method but without having the Frida client running on my computer. I want the entire thing to be on the device. I will have to gather the data while I am going about my day (possibly without any network connectivity either). I know about frida-gadget but frida-gadget looks under /data/app/<APP_NAME>/lib for its config file, and system_server has no such (writable) directory. Is there any workaround for this? I would of course also consider non-frida solutions.

Answer 1

Download frida-inject from https://github.com/frida/frida/releases , push & chmod on device

./frida-inject -p `pidof system_server` -s /data/local/tmp/script.js --runtime=v8

Other CLI options @ https://github.com/frida/frida-core/blob/master/inject/inject.vala#L12

Edit:

For gadget you will need to repack ( & sign ) the apk with frida-gadget.so and somehow load the gadget to the memory.

The approach I use is to find the c'tor of the welcome-activity and insert the smali code that uses java.lang.System.loadLibrary to load the so.

The is how I find the activity

$ aapt dump badging $APK | grep "launchable-activity:" | grep -Po "(?<=name=').*?(?=')"

aapt is part of android sdk

You will need to increment local variables.. and handle if it's static c'tor ( or not ) but mostly this is the smali

  const-string v0, "frida-gadget"
  invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V