Detecting and bypassing frida dynamic function call tracing: exploitation and mitigation

JOURNAL OF COMPUTER VIROLOGY AND HACKING TECHNIQUES (2022)

Abstract
Frida is a powerful dynamic analysis tool that uses several mechanisms to hijack the control flow of the analyzed process and can communicate with external tools. The code of the process is manipulated in order to intercept function calls and analyze them. Frida is commonly used to analyze suspicious programs and malware. Nevertheless, its function call interception mechanisms can be circumvented by malicious code. In this paper, we describe the different techniques for detecting Frida and a novel technique for bypassing those interception mechanisms. We also describe a generic mitigation method based on standard Linux capabilities, specifically the page table entry inspection mechanisms. This method is generic and does not depend on specialized hardware. Finally, we present an open source implementation, gopper, a lightweight stand-alone tool that watches a process in order to detect anomalous and suspicious behaviors without interfering with it.
Keywords
Cybersecurity, Antianalysis, Antifrida, Malware, Evasion