offensive-tools/rev/frida/SKILL.md
Dynamic instrumentation toolkit for hooking functions, tracing APIs, and manipulating running processes across Windows, Linux, macOS, Android, and iOS. Use when performing runtime analysis, bypassing protections, intercepting crypto/network calls, or building custom instrumentation scripts.
Dynamic instrumentation — inject JavaScript into running processes to hook, trace, and modify behavior at runtime.
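# CLI tools
pip install frida-tools
# Python bindings
pip install frida
# For Android: push frida-server to device
# Download from https://github.com/frida/frida/releases (match arch).
# Supply-chain note: frida-server runs as root on the device, so only use a
# build taken from the official frida/frida release page.
adb root   # frida-server needs a root shell on the device; may be required
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
# Quote the remote command so the '&' backgrounds frida-server ON THE DEVICE.
# Unquoted, the '&' backgrounds the local adb client instead, which ties the
# server's lifetime to that adb session.
adb shell "/data/local/tmp/frida-server &"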
# List running processes
frida-ps # Local
frida-ps -U # USB (Android/iOS)
# Attach to process (-p by PID, -n by process name)
frida -p PID
frida -n process_name
# Spawn and attach: frida starts the binary itself and attaches before its
# own code runs, so early initialisation is also covered
frida -f /path/to/binary
# Run a script (-l loads hook.js into the attached process)
frida -p PID -l hook.js
# Trace functions matching pattern (-i is a glob over native export names);
# frida-trace writes one editable handler file per matched function under
# __handlers__/ in the current directory
frida-trace -i "recv*" -p PID
frida-trace -i "open*" -f ./binary
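// Hook a native function: log the destination of every IPv4 connect() call
// and the call's return value.
// NOTE(review): Frida 17+ moved the null-module lookup to
// Module.getGlobalExportByName(); adjust for the Frida version in use.
Interceptor.attach(Module.getExportByName(null, 'connect'), {
  onEnter(args) {
    // connect(fd, const struct sockaddr *addr, socklen_t addrlen)
    const sockaddr = args[1];
    if (sockaddr.isNull()) {
      return;
    }
    // sizeof(struct sockaddr_in) is 16 on Linux, Windows and Darwin; anything
    // shorter cannot be an IPv4 address, so do not read past it.
    const addrlen = args[2].toInt32();
    if (addrlen < 16) {
      return;
    }
    // struct sockaddr differs per platform: Linux/Windows start with a 16-bit
    // sa_family, while Darwin (macOS/iOS) starts with a one-byte sa_len followed
    // by a one-byte sa_family. sin_port (offset 2) and sin_addr (offset 4) sit
    // at the same offsets in both layouts.
    const family = Process.platform === 'darwin'
      ? sockaddr.add(1).readU8()
      : sockaddr.readU16();
    if (family !== 2) { // AF_INET only; AF_INET6 is not decoded here
      return;
    }
    // sin_port is stored in network byte order (big-endian).
    const port = (sockaddr.add(2).readU8() << 8) | sockaddr.add(3).readU8();
    const ip = Array.from({ length: 4 }, (_, i) => sockaddr.add(4 + i).readU8()).join('.');
    console.log(`[connect] ${ip}:${port}`);
  },
  onLeave(retval) {
    // retval is a NativePointer, so a -1 result prints as an unsigned hex value
    console.log(`[connect] returned ${retval}`);
  }
});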
// Force IsDebuggerPresent to return 0 (Windows anti-debug bypass).
// The original function still executes; only its BOOL result is overwritten
// with FALSE on the way out. Interceptor hooks patch the target's entry bytes
// in-process, so a prologue integrity check on this export can notice the hook.
const isDebuggerPresent = Module.getExportByName('kernel32.dll', 'IsDebuggerPresent');
const forceFalse = {
  onLeave(retval) {
    retval.replace(ptr(0));
  }
};
Interceptor.attach(isDebuggerPresent, forceFalse);
// List loaded modules: one line per module with its name, base address and size
for (const mod of Process.enumerateModules()) {
  console.log(`${mod.name} @ ${mod.base} size=${mod.size}`);
}
// Find export: resolve the address of open() inside libc
const addr = Module.getExportByName('libc.so', 'open');
// Read/write memory at a fixed address (0x401000 is a constructed example)
const target = ptr(0x401000);
// ArrayBuffer holding 64 bytes read from the target address
const buf = target.readByteArray(64);
// Writes three 0x90 bytes; throws an access-violation error if the page is not writable
target.writeByteArray([0x90, 0x90, 0x90]);
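// Scan memory for pattern: look for the PE header magic 'MZ' (0x4d 0x5a)
// inside a module's address range. Memory.scan takes a hex-byte match pattern
// ('??' is a wildcard byte), not a literal string — 'MZ' is rejected as an
// invalid pattern. The original snippet also used an undefined `module`.
const scanTarget = Process.enumerateModules()[0]; // first loaded module (usually the main executable); any Module works
Memory.scan(scanTarget.base, scanTarget.size, '4d 5a', {
  onMatch(address, size) {
    console.log(`Found MZ at ${address}`);
    // return 'stop' here to end the scan after the first hit
  },
  onError(reason) {
    // e.g. an unreadable page inside the range
    console.log(`Scan failed: ${reason}`);
  },
  onComplete() {
    console.log('Scan done');
  }
});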
// Follow the current thread with Stalker and print, per callee, how many
// calls were observed, resolved to module+offset. The follow stays active
// (and keeps consuming memory for compiled blocks) until Stalker.unfollow()
// is called for the same thread id.
const tid = Process.getCurrentThreadId();
const summarize = (summary) => {
  Object.entries(summary).forEach(([target, count]) => {
    const callee = ptr(target);
    const mod = Process.findModuleByAddress(callee);
    if (mod === null) {
      return; // callee outside any known module (e.g. JIT code)
    }
    console.log(`${mod.name}+${callee.sub(mod.base)}: ${count} calls`);
  });
};
Stalker.follow(tid, {
  events: { call: true, ret: true },
  onCallSummary: summarize
});
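// Hook the BSD socket send/receive family and log each call. The buffer is
// only dumped for send*(): for recv*() the data is not yet in the buffer when
// onEnter runs, and for connect() args[1] is a sockaddr, not a data buffer.
['connect', 'send', 'sendto', 'recv', 'recvfrom'].forEach(fn => {
  // findExportByName() returns null when the export is absent, whereas
  // getExportByName() throws — so the null check below only works with find.
  const p = Module.findExportByName(null, fn);
  if (p === null) {
    return;
  }
  Interceptor.attach(p, {
    onEnter(args) {
      // args: (fd, buf, len, ...) for send/sendto/recv/recvfrom
      console.log(`[${fn}] fd=${args[0]}, buf=${args[1]}, len=${args[2]}`);
      if (!fn.startsWith('send') || args[1].isNull()) {
        return;
      }
      // Cap the dump at 128 bytes; a negative (wrapped size_t) len is clamped to 0
      const len = Math.max(0, Math.min(args[2].toInt32(), 128));
      console.log(hexdump(args[1], { length: len }));
    }
  });
});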
// Log the plaintext handed to BCryptEncrypt (Windows CNG).
// BCryptEncrypt(hKey, pbInput, cbInput, ...): args[1] is the input buffer and
// args[2] its byte length. At most the first 256 bytes are dumped.
// getExportByName() throws if bcrypt.dll is not loaded in the target.
Interceptor.attach(Module.getExportByName('bcrypt.dll', 'BCryptEncrypt'), {
  onEnter(args) {
    const plaintext = args[1];
    const len = args[2].toInt32();
    const dumpLength = Math.min(len, 256);
    console.log(`[BCryptEncrypt] plaintext (${len} bytes):`);
    console.log(hexdump(plaintext, { length: dumpLength }));
  }
});
// Replace the app's TLS trust decisions at runtime: registers a TrustManager
// whose checkClientTrusted()/checkServerTrusted() never throw, so every
// certificate chain is accepted, and makes SSLContext.getInstance(String)
// hand back one pre-initialised context regardless of the protocol requested.
// Defender's note: apps that verify which TrustManager class is in use, or
// that detect the Frida agent in-process, may flag this modification.
Java.perform(() => {
  const TrustManager = Java.registerClass({
    name: 'com.frida.TrustManager',
    implements: [Java.use('javax.net.ssl.X509TrustManager')],
    methods: {
      // Empty bodies: no exception thrown == chain accepted
      checkClientTrusted(chain, authType) {},
      checkServerTrusted(chain, authType) {},
      getAcceptedIssuers() { return []; }
    }
  });
  const SSLContext = Java.use('javax.net.ssl.SSLContext');
  const ctx = SSLContext.getInstance('TLS');
  // init(KeyManager[], TrustManager[], SecureRandom): only the trust side is customised
  ctx.init(null, [TrustManager.$new()], null);
  // The 'protocol' argument is ignored: every caller gets the shared 'TLS'
  // context created above, whatever protocol string it asked for.
  SSLContext.getInstance.overload('java.lang.String').implementation = function(protocol) {
    return ctx;
  };
  console.log('[bypass] SSL pinning disabled');
});
// Wrap LoginActivity.validatePassword: log the argument, run the original
// implementation, then log and pass through its result unchanged.
// (com.example.app.LoginActivity is a placeholder class name.)
Java.perform(() => {
  const LoginActivity = Java.use('com.example.app.LoginActivity');
  // `function` (not an arrow) is required so `this` is the Java instance
  LoginActivity.validatePassword.implementation = function (password) {
    console.log(`[hook] validatePassword("${password}")`);
    // Calling the method on `this` invokes the original implementation
    const verdict = this.validatePassword(password);
    console.log(`[hook] returned ${verdict}`);
    return verdict;
  };
});
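// Hook a set of kernel32 APIs involved in memory allocation, protection
// changes and process/thread creation; log the caller, the first four
// arguments and the return value of each call.
const apis = ['VirtualAlloc', 'VirtualProtect', 'CreateRemoteThread',
  'WriteProcessMemory', 'CreateProcessW'];
apis.forEach(api => {
  // findExportByName() yields null for a missing export (or module), whereas
  // getExportByName() throws before the null check below is ever reached.
  const p = Module.findExportByName('kernel32.dll', api);
  if (p === null) {
    return;
  }
  Interceptor.attach(p, {
    onEnter(args) {
      // this.returnAddress: the address the hooked API will return to (its caller)
      console.log(`[${api}] called from ${this.returnAddress}`);
      // Raw pointer-sized values; meaning depends on the API's prototype
      console.log(` args: ${args[0]}, ${args[1]}, ${args[2]}, ${args[3]}`);
    },
    onLeave(retval) {
      console.log(`[${api}] returned ${retval}`);
    }
  });
});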
# Trace all open* calls (-i is a glob over exported function names)
frida-trace -i "open*" -f ./binary
# Trace specific library functions
frida-trace -i "SSL_*" -f ./binary
# Trace ObjC methods (iOS/macOS): -m takes an Objective-C method pattern
frida-trace -m "-[NSURLSession *]" -p PID
# Trace Java methods (Android): -j takes Class!method; -U selects the USB
# device and -f spawns the app by its application id
frida-trace -j "com.example.app.LoginActivity!*" -U -f com.example.app
import frida
def on_message(message, data):
if message['type'] == 'send':
print(f"[*] {message['payload']}")
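# Attach to a running process by name, inject a connect() hook that posts a
# message on every call, and detach when the user presses Enter. The
# try/finally blocks make sure the script is unloaded and the session detached
# even if loading fails or the user interrupts with Ctrl-C.
device = frida.get_local_device()
session = device.attach("target_process")
try:
    script = session.create_script("""
Interceptor.attach(Module.getExportByName(null, 'connect'), {
onEnter(args) { send('connect called'); }
});
""")
    script.on('message', on_message)
    script.load()
    try:
        input("Press Enter to detach...")
    finally:
        # Removes the hook from the target before the session goes away
        script.unload()
finally:
    session.detach()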
| File | When to load |
|------|--------------|
| references/hooks-catalog.md | Ready-made hook scripts for common scenarios |
| references/android-ios.md | Mobile-specific instrumentation patterns |