( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )
CAUTION: #FreePalestine
WARNING: This is just for educational purposes.
The Way to Hamida: Artifacts? DFIR Frida?
This mini blog is about our beloved Frida tool. However, we will try to look at it from an insider’s view — I won’t be explaining how Frida works or its requirements, since tons of guides have already covered that.
What is Hamida?
Hamida is a modified (patched) Frida version I created by combining some of the most well-known Frida patches out there, updating them, adding the missing pieces, and fixing the errors. I managed to get Hamida working and bypassing some heavy commercial RASPs out there.
NOTE: I will not be releasing Hamida. I’ll take the better approach of sharing my methodology and explaining what these patches are, how they work, and how they were created.
For now, what I’ll be covering is the fingerprints and artifacts Frida leaves behind (mostly while running) — whether it’s the agent, the server, or the gadget. I’ll then explain how it gets detected, how it was patched, and what it looks like after being patched.
I’ll try to explain it in the most noob-friendly way I can.
However, you will need a solid understanding of how Frida works to keep up with me — and of course, a good understanding of Android 🙃
Part 0: Quick Terminology Recap
Before we go deep into Frida artifacts, here is a small recap of common C/C++, Linux, and Frida terms used in this series.
- thread: A lightweight execution unit inside a process. A process can have many threads.
- loop: Repeated execution of code (for, while, etc.), often used for polling or event handling.
- native: Code compiled to machine code (C/C++) and running outside the JVM/ART managed layer.
- glib: Usually means the GNU C library (glibc) or the GLib utility library, depending on context.
- .rodata: Read-only data section in ELF binaries; often contains constant strings.
- agent (Frida): The script/runtime injected into the target process to hook and inspect behavior.
- sed: Stream editor used to transform text from shell scripts or pipelines.
- LIEF: Library to parse/modify executable formats (ELF, PE, Mach-O), useful for binary patching.
- .dynstr: ELF dynamic string table that stores symbol/string names used by dynamic linking.
- JNI_OnLoad: Function called when a native library is loaded by JNI; often used to register native methods.
- SDKs: Software Development Kits; collections of APIs/libs/tools for building against a platform.
- GumJS: Frida’s JavaScript runtime layer on top of frida-gum instrumentation primitives.
- rpc (Frida RPC): Exposing JS functions from agent to host via message-based remote procedure calls.
- .vala: Source files written in the Vala language (used in parts of Frida ecosystem tooling).
- exports: Symbols a shared library exposes so other modules can link/call them.
- /proc/<pid>/maps: Process memory map on Linux/Android (regions, perms, backing files).
- /proc/self/fd: Symlinks to currently opened file descriptors for the current process.
- dlopen: Runtime API to load a shared library (.so) dynamically.
- dlsym: Runtime API to resolve a symbol address from a loaded library.
- gum-js-loop: Internal event/message loop used by Frida JS runtime components.
- /proc/<pid>/task/: Directory listing all threads (TIDs) in a process.
- /proc/<pid>/task/<tid>/comm: Thread name for a specific thread id.
- frida-gum: Core Frida instrumentation engine used for hooking, stalking, and low-level runtime patches.
If any of these terms are new, keep this section as your mini dictionary while reading the next parts.
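To make the last few glossary entries concrete, here is an added example of what a defensive (RASP-style) check on those artifacts looks like: it walks /proc/<pid>/task/<tid>/comm for Frida-named threads and scans a /proc/<pid>/maps snapshot for Frida-named backing files. This is written for this post and is not code from the original post, from Hamida, or from any of the projects credited below. Only the thread name gum-js-loop comes from the glossary; the other thread names (gmain, gdbus, pool-frida) and the maps markers (frida-agent, frida-gadget) are assumed lists for illustration, and the maps excerpt is constructed, not captured from a real device.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <dirent.h>

/* Thread names a stock (unpatched) Frida runtime creates inside the target
 * process. "gum-js-loop" is the one defined in the glossary above; the other
 * three are GLib / Frida worker threads (assumed list, for illustration). */
static const char *const kFridaThreadNames[] = {
    "gum-js-loop", "gmain", "gdbus", "pool-frida", NULL
};

/* Substrings a stock Frida build leaves in the backing-file column of
 * /proc/<pid>/maps (assumed list, for illustration). */
static const char *const kFridaMapMarkers[] = {
    "frida-agent", "frida-gadget", NULL
};

/* Bounded substring search: does needle occur within the first len bytes of hay? */
static int contains_in_range(const char *hay, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Exact match of one thread name (as read from .../comm, newline stripped)
 * against the known Frida thread names. Returns 1 on match, else 0. */
int is_frida_thread_name(const char *name) {
    for (int i = 0; kFridaThreadNames[i] != NULL; i++)
        if (strcmp(name, kFridaThreadNames[i]) == 0) return 1;
    return 0;
}

/* Counts the lines of a /proc/<pid>/maps snapshot that contain one of the
 * Frida markers. Takes the text rather than a pid so it can be exercised on a
 * captured or constructed snapshot. */
int count_frida_map_lines(const char *maps_text) {
    int hits = 0;
    const char *line = maps_text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        for (int i = 0; kFridaMapMarkers[i] != NULL; i++) {
            if (contains_in_range(line, len, kFridaMapMarkers[i])) { hits++; break; }
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return hits;
}

/* Walks <task_dir>/<tid>/comm (e.g. "/proc/self/task") and counts threads
 * whose name is a known Frida thread name. Returns -1 if the directory cannot
 * be opened; a caller should treat that as "no verdict", not as "clean". */
int count_frida_threads_in(const char *task_dir) {
    DIR *dir = opendir(task_dir);
    if (dir == NULL) return -1;
    int hits = 0;
    struct dirent *entry;
    while ((entry = readdir(dir)) != NULL) {
        if (entry->d_name[0] == '.') continue;      /* skip "." and ".." */
        char path[512];
        snprintf(path, sizeof path, "%s/%s/comm", task_dir, entry->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL) continue;                      /* thread may have exited */
        char name[64] = {0};
        if (fgets(name, sizeof name, f) != NULL) {
            name[strcspn(name, "\n")] = '\0';         /* comm ends with a newline */
            if (is_frida_thread_name(name)) hits++;
        }
        fclose(f);
    }
    closedir(dir);
    return hits;
}

/* Constructed /proc/<pid>/maps excerpt (not captured from a real device). */
static const char kSampleMaps[] =
    "7f1a000000-7f1a100000 r-xp 00000000 fd:01 1234   /system/lib64/libc.so\n"
    "7f2b000000-7f2b100000 r-xp 00000000 fd:01 5678   /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f3c000000-7f3c100000 rw-p 00000000 00:00 0\n"
    "7f4d000000-7f4d100000 r-xp 00000000 fd:01 9999   /data/app/com.example/lib/arm64/libfrida-gadget.so\n";

int main(void) {
    printf("frida-looking maps lines in sample: %d\n", count_frida_map_lines(kSampleMaps));
    printf("frida-named threads in this process: %d\n", count_frida_threads_in("/proc/self/task"));
    return 0;
}
```

Two points worth noticing for anyone writing or auditing such a check: the thread test is an exact string match, so it is only as good as the name list it carries, and the -1 path matters, because a check that fails to read /proc must not report the process as clean.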
At the end of each topic, you’ll find a Noob Section, which is super important. But why at the end? Because the aim of this blog is to deep dive into the technical details of this topic, not just a quick summary. Will reading only the noob section be enough? 90% yes — but you’ll miss all the fun. Maybe the technical details give you a hint or a lead for a new bypass? Maybe even a new tool? Who knows?
Hamida was built on top of 4 main patched Frida versions along with some custom scripts by me. I’ll be giving links and full credits to every author — and I hope you speak a little Chinese.
References
- https://github.com/feicong/strong-frida
- https://github.com/qtfreet00/AntiFrida
- https://t.zsxq.com/miIunQN
- https://github.com/darvincisec/DetectFrida
- https://github.com/b-mueller/frida-detection-demo
- https://bbs.kanxue.com/thread-276111.htm
- https://github.com/CrackerCat/strongR-frida-android
- https://github.com/hzzheyang/strongR-frida-android
- https://github.com/AeonLucid/MagiskFrida
- https://github.com/Ylarod/Florida
- https://github.com/thau0x01/frida-patches
- https://github.com/soyasoya5/strongR-frida-patches
- https://github.com/Exo1i/MagiskHluda