Skip to content

Implement basic Frida JSONL output and parser #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jun 23, 2025
Merged

Implement basic Frida JSONL output and parser #3

merged 8 commits into from
Jun 23, 2025

Conversation

@xukunzh
Copy link
Owner

@xukunzh xukunzh commented Jun 14, 2025
edited
Loading

Done:

  1. Currently only captures process_id, thread_id, call_id, api_name
  2. JSONL output: Single file format as shown in api_calls.jsonl
  3. Pydantic validation is working correctly

TODO:

  1. Will add arguments after testing the debugLog

mike-hunhoff
mike-hunhoff requested changes Jun 16, 2025
View reviewed changes
Copy link
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I've left comments for your review. Also, please configure and run our pre-commit hooks by following the steps outlined in https://github.com/mandiant/capa/blob/master/doc/installation.md#install-development-dependencies. This will run our error, style, and format tools.

capa/features/extractors/frida/extractor.py Outdated
yield Arch(capa_arch), NO_ADDRESS

if process.platform:
# TODO: capa doesn't have a dedicated FORMAT_ANDROID constant yet.
Copy link
Collaborator

@mike-hunhoff mike-hunhoff Jun 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add FORMAT_ANDROID in this PR so we won't run into issues later, e.g. using android vs Android in different places.

Copy link
Collaborator

@larchchen larchchen Jun 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mike-hunhoff Your call though, but do you think "android" is a good name here? another formats are "pe", "elf", "dotnet", don't have similar scope as "android"

Copy link
Collaborator

@mike-hunhoff mike-hunhoff Jun 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point @larchchen , @xukunzh what do you think about FORMAT_FRIDA? This is similar to what we use for VMRay and others.

Copy link
Owner Author

@xukunzh xukunzh Jun 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I realized I misunderstood the meaning of FORMAT. The format should represent the file format (like Android's APK, AAB), not the analysis method or platform. My fault.
We should let Frida access the source file to get the format. @mike-hunhoff @larchchen

@xukunzh xukunzh merged commit 20839a0 into master Jun 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@larchchen larchchen larchchen left review comments

@mike-hunhoff mike-hunhoff mike-hunhoff requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@xukunzh @larchchen @mike-hunhoff