⚠️ Important Note: ⚠️
Notice: This project is deprecated and no longer actively maintained. For a more comprehensive and feature-rich alternative, we recommend checking out The Codex Rebirth, which includes Ultimap functionality and provides a more advanced and up-to-date solution. We encourage you to migrate to The Codex Rebirth for better performance and a wider range of features.
Frida Ultimap
Frida Ultimap is a Python script that uses Frida to list every function call made by a process, including calls to functions that are not exported. It can also dump strings that appear in function arguments.
Getting Started
Prerequisites
- Sorting functions by type requires IDA Pro.
- Clone this repository to your local machine:
Installation
pip3 install frida psutil
Usage
- Use the exportFuncs.py script to export the IDA functions. Read the notice inside the script before using it.
- Run ultimap with the --platform argument to specify the target platform:
  python frida-ultimap/ultimap.py --platform windows
- A small configuration file is saved the first time the script runs; it can be loaded later to avoid re-entering some values.
- Follow the prompts to configure the script.
- The timeout must be greater than 2000.
- Set the "dump string" value to 0 to improve tracing performance.
The Frida script itself lives in the metadata directory.
TODO
- Fix the ARM Android bug if it has not been fixed already (difficulty: hard)
- Write a tool to compare saved traces (e.g. intersection, only in <trace>, etc.) (difficulty: easy)
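A minimal version of the trace-comparison tool from the TODO list above, added here as an example; it is not part of Frida Ultimap. It assumes a saved trace is a text file with one `module!function` entry per call (a constructed format, not Ultimap's real output) and reports the functions common to both traces with their call counts, plus the functions seen in only one of them.

```python
from collections import Counter

# Constructed sample traces, one call per line as "module!function".
# This layout is an assumption for the example, not Ultimap's real format.
TRACE_A = """\
app.exe!sub_401000
app.exe!sub_401000
app.exe!sub_4010A0
kernel32.dll!CreateFileW
app.exe!sub_402200
"""

TRACE_B = """\
app.exe!sub_401000
app.exe!sub_4010A0
kernel32.dll!CreateFileW
kernel32.dll!WriteFile
app.exe!sub_403300
"""


def parse_trace(text: str) -> Counter:
    """Count how often each function appears in a trace; blank lines and
    '#' comments are skipped so hand-annotated traces still parse."""
    counts: Counter = Counter()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            counts[line] += 1
    return counts


def compare_traces(a: Counter, b: Counter) -> dict:
    """Split two traces into the functions seen in both (with per-trace
    counts) and the functions unique to each side, which is the quickest
    way to isolate the code path a specific feature exercises."""
    common = {f: {"a": a[f], "b": b[f]} for f in a.keys() & b.keys()}
    only_a = {f: a[f] for f in a.keys() - b.keys()}
    only_b = {f: b[f] for f in b.keys() - a.keys()}
    return {"common": common, "only_a": only_a, "only_b": only_b}


if __name__ == "__main__":
    report = compare_traces(parse_trace(TRACE_A), parse_trace(TRACE_B))
    for section, entries in report.items():
        print(f"[{section}]")
        for func in sorted(entries):
            print(f"  {func}: {entries[func]}")
```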
Android
While the issue is still being resolved, I have found a workaround for Android users, although it requires Windows 11. Follow the installation instructions provided, then install the APK and Frida. Once that is done, you should be able to use Frida without the crashes caused by the x64/x86 architecture issue. [Update] It appears to work with Frida 16.0.10 on arm64, at least.
Limitation
- Function hooking on Android currently causes a crash. See this issue for more information.
- If the process is spawned, it must run for at least 10 seconds.
- Library backtraces are not reliable, so the script prints only the library function name.
- Backend scripts run on the QuickJS runtime, which costs performance compared to native GumJS.