fridax
Can't find mono runtime
I'm trying to hook a Xamarin-based iOS app and am getting the following error:
~/t/s/s/f/fridax > ./fridax.js inject --device usb --scripts scripts/aot_modify_class_function_argument.js
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on iPhone.
? Which application do you want to inject? XXXXX
[*] Happy hacking.
[*] Attached to application (session: 74911).
[*] Injected a test script (this runs from within the injected application)!
Error: Can't find Mono runtime!
at <anonymous> (vendors/frida-mono-api/mono-module.js:33)
at call (native)
at o (node_modules/browser-pack/_prelude.js:1)
at <anonymous> (node_modules/browser-pack/_prelude.js:1)
at <anonymous> (vendors/frida-mono-api/mono-api.js:2)
at call (native)
at o (node_modules/browser-pack/_prelude.js:1)
at <anonymous> (node_modules/browser-pack/_prelude.js:1)
at <anonymous> (vendors/frida-mono-api/index.js:1)
at call (native)
at o (node_modules/browser-pack/_prelude.js:1)
at <anonymous> (node_modules/browser-pack/_prelude.js:1)
at <anonymous> (scripts/aot_modify_class_function_argument.js:1)
at call (native)
at o (node_modules/browser-pack/_prelude.js:1)
at r (node_modules/browser-pack/_prelude.js:1)
at <eval> (/script2.js:1246)
I've looked at https://github.com/NorthwaveSecurity/fridax/issues/1 and the issue was fixed but I'm still having the issue. I've tried poking around but am just getting started with frida. Things I've tried:
- looking for mono using Process.enumerateModulesSync()
- looking for mono using Process.enumerateExports()
- hooking dlopen and looking for any import of mono
but nothing shows up. Is there anything else I can do to troubleshoot the issue? Sadly I can't share the ipa.
I have the same problem on iOS with a different file.
I have executed grep on the Application folder and this is the result:
grep -ir "mono"
Binary file System.aotdata.arm64 matches
Binary file Seling.Mobile.dll matches
CodeSignature/CodeResources:
Binary file APPNAME.iOS matches
Binary file Mono.Security.aotdata.arm64 matches
Binary file zxing.portable.dll matches
Binary file System.Core.dll matches
Binary file mscorlib.dll matches
Binary file Xamarin.iOS.dll matches
Binary file Xamarin.Forms.Platform.iOS.dll matches
Binary file Mono.Security.dll matches
Binary file SQLitePCLRaw.provider.sqlite3.dll matches
Binary file Firebase.Core.dll matches
Binary file System.Net.Http.dll matches
Binary file APPNAME.iOS.exe matches
Binary file System.dll matches
Furthermore:
grep -ir "mono_thread_attach"
Binary file APPNAME.iOS matches
Hey @alexdetrano and @omareltf,
The above-mentioned issue arises because Xamarin apps are compiled ahead of time on iOS, and they work just like any other native app with the ObjC runtime. There is no Mono runtime to begin with, hence you won't be able to find the mono module/mono exports/mono runtime using Fridax.
I am pretty sure that is the case, because following this hunch has yielded results. But if someone has successfully used Fridax to hook into iOS applications and has found the mono module (very unlikely), I would love to know how they did it and get the full picture of what's going on.
What can one do to hook into Xamarin apps on iOS?
- Hook into ObjC classes and methods using Objection or Frida scripts and it should work just fine.
References:
- https://www.c-sharpcorner.com/article/how-xamarin-works-on-different-platforms/
- https://learn.microsoft.com/en-us/xamarin/ios/internals/architecture
- https://www.mono-project.com/docs/advanced/embedding/
Update:
- It seems that you can't find the mono module/runtime if the build was compiled without the DEBUG flag.
- Fridax will work fine on debug builds where you'll be able to find the mono module.
- If the app is compiled using these conditional symbols, Fridax is useful: __IOS__;__MOBILE__;__UNIFIED__;DEBUG
- If the above mentioned DEBUG flag is missing in the compiler flags then the alternative way is to hook into ObjC classes and methods. For both the cases, hooking into ObjC runtime works totally fine.
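The troubleshooting steps tried in this thread (module enumeration, export enumeration, grep for mono_thread_attach) can be combined into one check; this is an added example, not part of the original thread and not Fridax code. It classifies a process by whether any loaded module exports Mono embedding functions, which is a different question from whether grep finds the string in a binary. The function names, the sample module lists and the choice of API symbols to probe are assumptions made for illustration, and the Frida calls assume a version where Process.enumerateModules() returns an array.

```javascript
'use strict';
// Added diagnostic sketch, not Fridax code. Assumption: these Mono embedding
// API functions are representative of what a Mono hooking layer resolves.
const MONO_API = ['mono_thread_attach', 'mono_get_root_domain',
                  'mono_class_from_name', 'mono_jit_init'];

// modules: [{ name, exports: [symbolName, ...] }], a plain snapshot so the
// classification can also run outside an instrumented process.
function classifyMono(modules) {
  const hits = [];
  for (const m of modules) {
    // Tolerate a leading underscore on Mach-O symbol names.
    const names = new Set(m.exports.map(e => e.replace(/^_/, '')));
    const found = MONO_API.filter(fn => names.has(fn));
    if (found.length > 0) hits.push({ module: m.name, found });
  }
  const named = modules.filter(m => /mono/i.test(m.name)).map(m => m.name);
  let verdict = 'no-mono-exports';
  if (hits.length > 0) verdict = 'mono-exports-present';
  else if (named.length > 0) verdict = 'mono-module-without-api-exports';
  return { verdict, hits, named };
}

// Inside a Frida agent: build the snapshot from the loaded modules.
function snapshotProcess() {
  return Process.enumerateModules().map(m => ({
    name: m.name,
    exports: m.enumerateExports().map(e => e.name),
  }));
}

// Constructed module lists for an offline run (not from a real app).
const SAMPLE_NO_EXPORTS = [
  { name: 'APPNAME.iOS', exports: ['_mh_execute_header', 'main'] },
  { name: 'libobjc.A.dylib', exports: ['objc_msgSend'] },
];
const SAMPLE_WITH_EXPORTS = [
  { name: 'APPNAME.iOS',
    exports: ['main', '_mono_thread_attach', '_mono_get_root_domain'] },
];

if (typeof Process !== 'undefined') {
  // Running as a Frida agent: report on the real process.
  console.log(JSON.stringify(classifyMono(snapshotProcess()), null, 2));
} else {
  for (const s of [SAMPLE_NO_EXPORTS, SAMPLE_WITH_EXPORTS]) {
    console.log(classifyMono(s).verdict);
  }
}
```

A verdict of no-mono-exports matches the situation described in the comments above, where hooking through the ObjC runtime is the suggested route.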