Frida - list Android processes - android

This question is about the security framework, Frida. On the target Android device, why can't my Frida-Server [which is loaded onto the Android device] list the running processes?
$ frida-ps -U returns only the Frida-Server process ID and strangely, adb.
I am running Android 4.4.2 (32 bit O/S).
The device is rooted.
I updated the version on my host machine (not target app):
$ sudo easy_install -U frida
I set up the very latest Android Frida server on the device:
$ curl -O https://build.frida.re/frida/android/arm/bin/frida-server
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
I could list the process ID of my app on the target Android device:
$ adb shell ps | grep myapp
I killed my Frida Server on the Android device and restarted it:
$ kill -9 <process id>
When I try to attach directly to the process ID $ frida -U <process ID> I get a permission denied message.

Two clues helped me solve this:
1. The fact I could see the adb process.
2. I was getting a permission error when trying to execute $ frida -U <process ID>
The answer was to adb shell into the target Android device and do a Change Ownership (chown) on the Frida-Server.
When I installed it, the Frida-Server was installed as the owner Shell. When I changed the owner to Root, all my processes listed fine on my Mac when I ran: $ frida-ps -U
The chown command was:
/data/local/tmp # chown root frida-server

Use adb root before you try and install the Frida Server on the Android device.

It is because your frida-server does not have enough permissions.
Make sure frida-server runs as root; then you can list all processes.
Try to do this:
1. Copy frida-server to the device.
2. Run as root on your device, and start frida-server.
3. With a USB connection, run frida-ps (the frida client must be the same version as frida-server).
Then you can list processes.
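The two answers above boil down to two checks that are easy to get wrong by hand: the server must actually run as root, and the client and server versions must match. The script below is an added example (not from the question or any answer) that deploys frida-server and performs both checks before calling frida-ps. It assumes the device paths used in the question, a local frida-server binary given as argument, and that frida-server --version prints the bare version string.

```sh
#!/bin/sh
# Added example, not from the question or any answer above: push frida-server,
# make sure it is owned by and running as root, check that the client and
# server versions match, and only then call frida-ps. The local binary path
# is an argument; the remote path is the one used in the question.

FRIDA_SERVER_REMOTE=/data/local/tmp/frida-server

# Print the owner (first `ps` column) of the first process whose command name
# (last column, path stripped) equals NAME. Reads `ps` output on stdin.
owner_of_process() {
    awk -v name="$1" '{ n = split($NF, part, "/"); if (part[n] == name) { print $1; exit } }'
}

# Frida refuses to talk to a server of a different version, so compare exactly.
versions_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

deploy_frida_server() {
    local_bin="$1"
    # Works on userdebug/eng builds; on a production build this prints an error
    # and the chown below must instead be done from a su shell, as in the answer above.
    adb root >/dev/null 2>&1 || true
    adb wait-for-device
    adb push "$local_bin" "$FRIDA_SERVER_REMOTE" >/dev/null
    adb shell "chown root $FRIDA_SERVER_REMOTE; chmod 755 $FRIDA_SERVER_REMOTE"
    # Redirect everything so the backgrounded server does not keep adb shell attached.
    adb shell "$FRIDA_SERVER_REMOTE >/dev/null 2>&1 &"
    sleep 1
    # Plain `ps` lists every process on Android 4.x; use `ps -A` on Android 8 and later.
    owner=$(adb shell ps | tr -d '\r' | owner_of_process frida-server)
    if [ "$owner" != "root" ]; then
        echo "frida-server runs as '${owner:-<not running>}', not root: frida-ps will see only itself" >&2
        return 1
    fi
    client_ver=$(frida --version)
    # frida-server --version is assumed to print the bare version string.
    server_ver=$(adb shell "$FRIDA_SERVER_REMOTE --version" | tr -d '\r')
    if ! versions_match "$client_ver" "$server_ver"; then
        echo "version mismatch: client $client_ver, server ${server_ver:-unknown}" >&2
        return 1
    fi
    frida-ps -U
}

if [ "${1:-}" = "deploy" ]; then
    deploy_frida_server "${2:-./frida-server}"
fi
```

Run it as `sh deploy_frida.sh deploy ./frida-server`. The owner check reproduces the symptom from the question (a server owned by shell lists only itself and adbd) as an explicit error instead of a silent short list.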

Related

How do I use lldb to debug C++ code on Android on command line

How can I debug my Android NDK project in C++, using the lldb debugger from the command line?
Probably you can try the steps below (these example steps are based on macOS).
Run gdbserver and attach to the process
// The commands below suspend execution of the running app and wait for a debugger to connect to it on port 5045.
adb shell
// to get the pid
root@generic_x86:/ # ps | grep <your-app-name>
u0_a54 6510 1196 800157 47442 ffffffff b662df1b S <your-app-name>
root@generic_x86:/ # gdbserver :5045 --attach 6510 (PID)
Attached; pid = 6510
Listening on port 5045
// The process is now suspended, and gdbserver is listening for debugging clients on port 5045.
Attach the gdb debugger
// open a new terminal, e.g. terminal 2, and send the commands below from this new terminal
// forward the above port to a local port on the host with the adb forward command
adb forward tcp:5045 tcp:5045
// launch the gdb client from your Android NDK folder
<your-ndk-home>/android-ndk-r16b/prebuilt/darwin-x86_64/bin/gdb
// target gdb at the remote server
(gdb) target remote :5045
// now the process is successfully attached for debugging; you can see the info below in terminal 1.
Remote debugging from host 127.0.0.1
Preparation
Prepare an Android device (root privilege is not required; we will use its /data/local/tmp directory).
Install NDK, CMake, Ninja, adb, lldb, and put them in the PATH env var.
Compile the program with debugging info (i.e. keep the -g flag).
After compilation, copy it to your device's /data/local/tmp directory.
Copy the NDK-provided lldb-server to your Android phone (prefer the 64-bit one), and start it by:
./lldb-server platform --listen "*:10086" --server
10086 is the port number; you may change it.
Forward the port by running:
adb forward tcp:10086 tcp:10086
Get the device name:
adb devices #For me, it's 39688bd9
Install LLDB, add its binary to PATH, and type these commands:
platform select remote-android
platform connect connect://39688bd9:10086
Here, 39688bd9 is my device id and 10086 is the port I chose in the previous steps.
Now you're connected to lldb-server, so just use lldb as you would locally:
file some_executable_file_with_debug_info
b main
r
With android-ndk-r25b, I had some luck with the below:
In shell window 1
adb push <ndk_dir>/toolchains/llvm/prebuilt/linux-x86_64/lib64/clang/14.0.6/lib/linux/aarch64/lldb-server /data/local/tmp
adb shell chmod +x /data/local/tmp/lldb-server
adb shell run-as <package_name> killall -9 lldb-server
sleep 1
adb shell run-as <package_name> cp /data/local/tmp/lldb-server /data/data/<package_name>/
adb shell am start -D -n "<package_name>/android.app.NativeActivity"
adb shell run-as <package_name> sh -c '/data/data/<package_name>/lldb-server platform --server --listen unix-abstract:///data/data/<package_name>/debug.socket'
In shell window 2
# Get the pid of the process you are trying to debug
adb shell run-as <package_name> ps
lldb
> platform select remote-android
> platform connect unix-abstract-connect:///data/data/<package_name>/debug.socket
> attach <pid>
In shell window 3
# You will again need the pid of the process you are trying to debug
adb shell run-as <package_name> ps
adb forward tcp:12345 jdwp:<pid>
jdb -attach localhost:12345
Then go back to lldb running in window 2, and continue your process
I found this script to be useful:
https://github.com/iivke/flutter_android_lldb/blob/main/flutter_lldb.py
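The three-window procedure in the last answer is easy to get out of order (lldb must attach before jdb releases the "waiting for debugger" state). The script below is an added example, not from any answer above, that wraps it into two commands. It assumes the package name is passed as an argument, that NDK_LLDB_SERVER points at the NDK's aarch64 lldb-server (the r25b path from the answer is the default), and that lldb and jdb are on PATH.

```sh
#!/bin/sh
# Added example, not from any answer above: wraps the lldb-server/run-as
# procedure for a debuggable app. Assumptions: the package name is the first
# argument, NDK_LLDB_SERVER points at the NDK's aarch64 lldb-server (the r25b
# path from the answer is the default), and lldb and jdb are on PATH.
# Run `sh debug.sh debug <package>` in one window, then
# `sh debug.sh release <package>` in a second one, and `continue` in lldb.

NDK_LLDB_SERVER="${NDK_LLDB_SERVER:-$HOME/android-ndk-r25b/toolchains/llvm/prebuilt/linux-x86_64/lib64/clang/14.0.6/lib/linux/aarch64/lldb-server}"
JDWP_PORT=12345

# First PID whose command name (last ps column, path stripped) equals NAME; reads ps output on stdin.
pid_of_process() {
    awk -v name="$1" '{ n = split($NF, part, "/"); if (part[n] == name) { print $2; exit } }'
}

# lldb command file that connects through the app-private abstract socket and attaches.
lldb_commands() {
    printf 'platform select remote-android\n'
    printf 'platform connect unix-abstract-connect:///data/data/%s/debug.socket\n' "$1"
    printf 'attach %s\n' "$2"
}

# Window 1 of the answer: copy lldb-server into the app sandbox (run-as, no root) and start it.
start_lldb_server() {
    pkg="$1"
    adb push "$NDK_LLDB_SERVER" /data/local/tmp/lldb-server >/dev/null
    adb shell chmod +x /data/local/tmp/lldb-server
    adb shell run-as "$pkg" killall -9 lldb-server 2>/dev/null
    adb shell run-as "$pkg" cp /data/local/tmp/lldb-server "/data/data/$pkg/"
    adb shell run-as "$pkg" sh -c "/data/data/$pkg/lldb-server platform --server --listen unix-abstract:///data/data/$pkg/debug.socket" >/dev/null 2>&1 &
}

# Window 2: launch the activity waiting for a debugger, find its PID, attach lldb.
debug_native_activity() {
    pkg="$1"
    start_lldb_server "$pkg"
    adb shell am start -D -n "$pkg/android.app.NativeActivity"
    sleep 2
    # ps -A is needed on Android 8+; older releases list everything with plain ps.
    pid=$(adb shell run-as "$pkg" ps -A | tr -d '\r' | pid_of_process "$pkg")
    [ -n "$pid" ] || { echo "no running process named $pkg" >&2; return 1; }
    lldb_commands "$pkg" "$pid" > /tmp/lldb-attach.cmds
    lldb -s /tmp/lldb-attach.cmds   # -s runs the command file, then drops to the prompt
}

# Window 3: attaching jdb clears the "waiting for debugger" state so lldb can continue.
release_debugger_wait() {
    pkg="$1"
    pid=$(adb shell run-as "$pkg" ps -A | tr -d '\r' | pid_of_process "$pkg")
    [ -n "$pid" ] || { echo "no running process named $pkg" >&2; return 1; }
    adb forward "tcp:$JDWP_PORT" "jdwp:$pid"
    jdb -attach "localhost:$JDWP_PORT"
}

case "${1:-}" in
    debug)   debug_native_activity "$2" ;;
    release) release_debugger_wait "$2" ;;
esac
```

Because lldb-server lives inside the app's own data directory and is started through run-as, nothing here needs root; only apps built with android:debuggable="true" can be debugged this way, which is exactly the property that keeps release builds out of reach of the same procedure.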

How do I run "adb shell" commands in a terminal emulator locally on an Android device?

From a shell on my PC, I can run adb shell cmd package list packages, and get a list of all installed packages. I would like to run this and similar commands locally on my Android phone (Nexus 6P) in a terminal emulator (currently using Termux).
If I open the same shell with /system/bin/sh, and then try to run /system/bin/cmd package list packages, nothing happens (no errors, just outputs nothing and reloads the prompt).
If I run /system/bin/cmd -l the list of options appears as expected. $PATH and $LD_LIBRARY_PATH are the same in both environments. One major difference is that echo $USER returns "shell" from adb shell, but returns my local username from /system/bin/sh launched from Termux.
Is there any way to replicate the behavior of commands run from adb shell in a terminal emulator locally on Android?
Edit:
My device is rooted, and I am OK with root only solutions.
The problem is Termux. By design, Termux runs only (or is mostly?) the Linux command line programs that you install from within Termux using apt or the newer "native" package management interface, e.g. apt install bsdtar. What you need to run the adb shell commands is a terminal emulator that can truly access the underlying Android file system, not just the Termux that is practically a chroot save for the fact that it's aware it's not running commands from the filesystem root /.
As a simple test, run the following command:
which ls
It should return something like /system/bin/ls. But if it returns something like /data/data/com.termux/files/usr/bin/applets/ls then you have to change your terminal emulator to something else. I suspect that Termux was designed to take into account the more restrictive shell execution policies that Google put into place after KitKat or the Android 4.X.
The Android distribution I'm using, LineageOS 14.1, comes with a built-in shell emulator that allows me to run commands found in /system/bin/ls.
I don't have a rooted Nougat device handy, but something like the following may be a close enough approximation to adb shell (assuming you are using SuperSU):
env -i USER=shell "$(PATH=/system/xbin:/system/bin:/su/bin:/sbin:/magisk/.core/bin which su)" shell --context u:r:shell:s0 --shell /system/bin/sh --command COMMAND
I (very briefly) tested it from Termux on a rooted Marshmallow device.
To elaborate:
the -i flag is used to start with an empty environment
USER=shell isn't specifically required, but for some reason su refuses to run with a completely empty environment
$(PATH=/system/xbin:/system/bin:/su/bin:/sbin:/magisk/.core/bin which su) points to the full path of the su binary on your device and can be hardcoded if you prefer
shell instructs the su binary to login as the shell user (the same as adb shell)
--context u:r:shell:s0 sets the appropriate SELinux context
--shell /system/bin/sh instructs SuperSU to use the system shell rather than its own sush shell
Another option would be to actually run adb from the device, connecting to itself over TCP. If you need some functionality that is only available via adb (e.g. in my case it was adb forward) then this may be your only option. Unfortunately this isn't particularly convenient.
I wasn't able to find success with any publicly available adb binaries, so I built it myself with a few minor changes. You can see the sources I used and the changes I made at https://github.com/shakalaca/fastboot-adb-android and https://github.com/brbsix/fastboot-adb-android, respectively.
Once you have adb installed, here's an abbreviated list of commands I used to connect to the device:
# Add iptables rules to block external connections to port 9999
su root iptables -N adbd
su root iptables -A adbd -i lo -p tcp -m tcp --dport 9999 -j ACCEPT
su root iptables -A adbd -p tcp -m tcp --dport 9999 -j DROP
su root iptables -A INPUT -j adbd
# Necessary in order to display authorization prompt
su shell setprop ro.debuggable 1
su shell setprop service.adb.tcp.port 9999
su root start adbd
adb connect 127.0.0.1:9999
adb wait-for-local-device
To shut down:
adb kill-server
su root stop adbd
su shell setprop ro.debuggable 0
su shell setprop service.adb.tcp.port 0
su root iptables -D INPUT -j adbd
su root iptables -F adbd
su root iptables -X adbd
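adbd binds its TCP port on all interfaces, so the iptables chain in the answer above is the only thing keeping a self-connected adbd off the network. The script below is an added example, not part of the answer, that wraps the answer's start and stop sequences and refuses to connect unless the chain is actually loaded with the loopback ACCEPT ahead of the DROP. It assumes the answer's `su <user> <command>` form (SuperSU style), busybox netstat, and a kernel with iptables support.

```sh
#!/bin/sh
# Added example, not part of the answer above: start adbd on a TCP port with the
# answer's iptables/setprop commands, verify the firewall chain really guards
# the port before connecting, and tear everything down afterwards.
# Assumes the answer's `su <user> <command>` form and busybox netstat.

# Reads `iptables -S adbd` output on stdin. Exit 0 only if the chain has a DROP
# for PORT that comes after an ACCEPT for PORT on the loopback interface, i.e.
# local clients get in and everything else is dropped.
chain_guards_port() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "adbd" {
            dport = ""; jump = ""; lo = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") jump = $(i + 1)
                if ($i == "-i" && $(i + 1) == "lo") lo = 1
            }
            if (dport != port) next
            if (jump == "ACCEPT" && lo) accept_seen = 1
            if (jump == "DROP" && accept_seen) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Reads `netstat -antp` output on stdin; exit 0 if something LISTENs on PORT.
port_is_listening() {
    awk -v port="$1" '$6 == "LISTEN" { p = $4; sub(/.*:/, "", p); if (p == port) found = 1 }
                      END { exit found ? 0 : 1 }'
}

adbd_tcp_start() {
    port="$1"
    su root iptables -N adbd
    su root iptables -A adbd -i lo -p tcp -m tcp --dport "$port" -j ACCEPT
    su root iptables -A adbd -p tcp -m tcp --dport "$port" -j DROP
    # -I INPUT 1 (rather than the answer's -A) evaluates the chain before any
    # earlier ACCEPT rule in INPUT, so the DROP cannot be bypassed by them.
    su root iptables -I INPUT 1 -j adbd
    if ! su root iptables -S adbd | chain_guards_port "$port"; then
        echo "firewall chain for port $port is missing or mis-ordered; not starting adbd" >&2
        adbd_tcp_stop "$port"
        return 1
    fi
    su shell setprop ro.debuggable 1
    su shell setprop service.adb.tcp.port "$port"
    su root start adbd
    sleep 1
    if ! su root busybox netstat -antp | port_is_listening "$port"; then
        echo "adbd did not come up on port $port" >&2
        adbd_tcp_stop "$port"
        return 1
    fi
    adb connect "127.0.0.1:$port"
    adb wait-for-local-device
}

adbd_tcp_stop() {
    adb kill-server 2>/dev/null
    su root stop adbd
    su shell setprop ro.debuggable 0
    su shell setprop service.adb.tcp.port 0
    su root iptables -D INPUT -j adbd 2>/dev/null
    su root iptables -F adbd 2>/dev/null
    su root iptables -X adbd 2>/dev/null
}

case "${1:-}" in
    start) adbd_tcp_start "${2:-9999}" ;;
    stop)  adbd_tcp_stop "${2:-9999}" ;;
esac
```

The order check matters: if the DROP rule ends up before the loopback ACCEPT, local connections are blocked too, and if the chain is missing altogether (iptables not available in the kernel), adbd would be reachable from the network without any authorization beyond the RSA prompt, which is why the script refuses to start it in that case.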
So I tried this recently... if you're rooted you can use a terminal emulator.
su
then the command you want, without the "adb shell" part of it.
I tried the command "adb shell dumpsys deviceidle force-idle" in order to force the device into doze.
I did this on the device via the terminal emulator as:
"dumpsys deviceidle force-idle" and it did take effect.
The dumpsys batterystats command also worked.
Be careful with commands with extensive text output, as the screen will be flooded with the output and will be unresponsive for some time.
EDIT
I originally answered this without the termux tag in mind. This worked for me while trying to execute shell commands on a vanilla emulator and saw this question while researching, so I tried to answer it differently.
You almost had it there in your question. You only need to execute sh:
    int result = -1;
    try {
        final Process shell = Runtime.getRuntime().exec("sh");
        final DataOutputStream commands = new DataOutputStream(shell.getOutputStream());
        // each command must end with a newline, otherwise sh reads them all as one line
        commands.writeBytes("write a series\n");
        commands.writeBytes("of commands here\n");
        commands.writeBytes("exit\n");
        commands.flush();
        result = shell.waitFor();
    } catch (Exception e) {
        e.printStackTrace();
    }
If result == 0 the commands were successful, otherwise they failed.
Only on rooted Android.
Busybox must be installed (though you can try without it).
Just write the normal command without the adb prefix.

adb cannot bind 'tcp:5037'

It used to work fine, but today after I connected my Android phone to my machine, and run adb devices, I got the following error:
* daemon not running. starting it now on port 5037 *
cannot bind 'tcp:5037': Address already in use
ADB server didn't ACK
* failed to start daemon *
error: cannot connect to daemon: Operation timed out
How to solve this problem? (I am using a MacBook)
Try the following commands.
Find the port details with the lsof (list open files) command:
sudo lsof -i :5037 and find the PID and kill it.
kill -9 <pid here>
Example: kill -9 4363
Then start the adb server with the adb devices command.
Kill the Adb server and restart.
adb kill-server
adb start-server
I managed to solve this problem on a MacBook by first running the following command to list the process which is using port 5037:
lsof -n -i4TCP:5037 | grep LISTEN
Then I killed it:
kill -9 <PID>
Then adb devices works!
Android Studio Terminal
$ adb devices
List of devices attached
adb server is out of date. killing...
cannot bind 'tcp:5037': Address already in use
ADB server didn't ACK
* failed to start daemon *
error:
error:
OS Terminal
$ adb devices
List of devices attached
adb server is out of date. killing...
* daemon started successfully *
Finally test again at the IDE terminal
$ adb devices
List of devices attached
GL
It is clear that the address is already in use. Run busybox netstat -antp to check who is using the port.
I've fixed the problem by updating the Android SDK.
android update sdk --no-ui
Additionally, I've updated the Platform Tools to the newest version.
If this doesn't work, redownload the Android SDK:
wget http://dl.google.com/android/android-sdk_r24.2-linux.tgz
tar -xvf android-sdk_r24.2-linux.tgz
cd android-sdk-linux/tools
Install all SDK packages:
./android update sdk --no-ui
I tried it at the OS Terminal, worked.
Try on the OS terminal first
Running the following command at the OS bash helped solve the issue:
sudo adb start-server
I ran the adb kill-server command and then it started working fine:
adb kill-server
adb start-server
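Every answer above ends in kill -9 on whatever PID lsof reports, which is fine when the holder is a stale adb server (typically the copy bundled with the IDE) but not when it is something else. The script below is an added example, not from any answer, that identifies the listener on 5037 and kills it only if it is an adb process; otherwise it reports the owner and stops. It assumes lsof and adb on PATH (macOS or Linux).

```sh
#!/bin/sh
# Added example, not from any answer above: free TCP port 5037 on the host
# without blindly running kill -9. Identify the listener with lsof, kill it
# only if it is an adb process, and otherwise report who holds the port.
# Assumes lsof and adb on PATH (macOS or Linux).

ADB_PORT=5037

# Reads `lsof -n -P -i :PORT` output on stdin; prints the PIDs of LISTEN
# sockets whose COMMAND column equals NAME (header line skipped).
pids_of_command() {
    awk -v name="$1" 'NR > 1 && $1 == name && $NF == "(LISTEN)" { print $2 }' | sort -u
}

# Reads the same output; prints "COMMAND PID USER" for every LISTEN socket.
port_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $2, $3 }' | sort -u
}

free_adb_port() {
    listing=$(lsof -n -P -i ":$ADB_PORT" 2>/dev/null)
    if [ -z "$listing" ]; then
        echo "port $ADB_PORT is free"
        return 0
    fi
    # Anything other than adb listening here is not ours to kill.
    others=$(printf '%s\n' "$listing" | port_listeners | grep -v '^adb ' || true)
    if [ -n "$others" ]; then
        echo "port $ADB_PORT is held by a non-adb process, not killing it:" >&2
        printf '%s\n' "$others" >&2
        return 1
    fi
    adb kill-server 2>/dev/null || true      # polite request first
    sleep 1
    for pid in $(lsof -n -P -i ":$ADB_PORT" 2>/dev/null | pids_of_command adb); do
        kill "$pid" 2>/dev/null || kill -9 "$pid"
    done
    adb start-server
}

if [ "${1:-}" = "free" ]; then
    free_adb_port
fi
```

Only LISTEN sockets count as holders: lsof -i :5037 also lists the clients connected to the server (the IDE's java process, for instance), and those must not be killed.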

Running a shell script in Android from the Host

I have a host development PC running Ubuntu and I am doing all the Android development on it. From this PC I wanted to (adb) push some files (executables) to the Android filesystem (say /data/dir1), cd into it and run that executable. Using a shell script (shown below) I can do this from the PC up to connecting the Android device and doing adb shell, but I cannot run other commands after that.
e.g scripts
adb push <file1> /data/dir1/
adb shell
cd data/dir1
./file1
I can run up to adb shell but not beyond that. How can I achieve the remaining two commands (changing the directory to data/dir1 and running ./file1) from the shell script running on the host PC?
You don't need to enter the adb shell, change the path and so on.
You can accomplish everything in a single command, like:
adb push my_script_file.sh /data/dir1/
adb shell sh data/dir1/my_script_file.sh
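One thing the push-and-run approach above hides is whether the remote script succeeded: older combinations of adb and Android do not forward the remote exit status, so adb shell returns 0 no matter what happened on the device. The wrapper below is an added example, not from the answer, that has the device-side shell echo the status as a marker line and parses it back on the host. The remote directory and the marker format are assumptions.

```sh
#!/bin/sh
# Added example, not from the answer above: push a script to the device, run it
# there from the host, and return its exit status even through adb/adbd
# versions that do not forward exit codes. The device-side shell appends a
# "__rc=<n>" marker line; the host strips it and returns the number.
# The remote directory and the marker format are assumptions.

REMOTE_DIR=/data/local/tmp

# Extract the exit status from captured adb shell output that ends in a
# "__rc=<n>" line; 255 if the marker is missing (connection dropped, etc.).
parse_remote_status() {
    printf '%s\n' "$1" | awk -F= '/^__rc=[0-9]+$/ { rc = $2 } END { print (rc == "" ? 255 : rc) }'
}

# The captured output minus the marker line.
strip_marker() {
    printf '%s\n' "$1" | grep -v '^__rc=[0-9]*$' || true
}

# Usage: adb_run_script local_script.sh [args...]
adb_run_script() {
    script="$1"; shift
    remote="$REMOTE_DIR/$(basename "$script")"
    adb push "$script" "$remote" >/dev/null || return 1
    # cd first so relative paths inside the script resolve as in the question;
    # tr removes the CR that adb shell adds to each line on older versions.
    out=$(adb shell "cd $REMOTE_DIR && sh $remote $*; echo __rc=\$?" | tr -d '\r')
    strip_marker "$out"
    return "$(parse_remote_status "$out")"
}

if [ "${1:-}" = "run" ]; then
    shift
    adb_run_script "$@"
fi
```

Run as `sh adb_run.sh run ./file1.sh`; the host-side exit status is the script's own, so it can be used in a larger build or test pipeline with `||` and `set -e` like any local command.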
1. First of all, go to root with the command sudo -i
2. Write the program:
adb shell ls data/dir1
3. Execute it: ./file
By the above program you can move to the folder in the shell.

Difference between adb "install" command and "pm install" command?

What's the difference between installing an app using the install command and using the package manager's pm install command? Do they do the exact same job? Does one command actually call the other in the back?
adb install -r APK_FILE
adb shell pm install APK_FILE
adb install is a command to run from a development host, which uploads a package somewhere temporary and then installs it.
pm install is a command to run locally on the device.
adb does indeed utilize the pm program on the device - see the source code at
https://android.googlesource.com/platform/system/core/+/kitkat-mr2.2-release/adb/commandline.c
