Expand Up @@ -114,7 +114,7 @@ If the APK is debuggable (android:debuggable="true"), you can attach over JDWP a
- Repo: https://github.com/frankheat/frida-jdwp-loader
- Requirements: ADB, Python 3, USB/Wireless debugging. App must be debuggable (emulator with `ro.debuggable=1`, rooted device with `resetprop`, or rebuild manifest).

Quick start
Quick start:
```bash
git clone https://github.com/frankheat/frida-jdwp-loader.git
cd frida-jdwp-loader
Expand Down Expand Up @@ -285,6 +285,49 @@ Java.perform(function () {

Run the script with `frida -U -f <package> -l disable-flag-secure.js --no-pause`, interact with the UI, and screenshots/recordings will work again. Because everything happens on the UI thread there is no flicker, and you can still combine the hook with HTTP Toolkit/Burp to capture the traffic that revealed the `/channel` PIN leak.

## Dynamic DEX dumping / unpacking with clsdumper (Frida)

`clsdumper` is a Frida-based dynamic **DEX/class dumper** that survives hardened apps by combining an anti-Frida pre-stage with native and Java discovery strategies (works even if `Java.perform()` dies). Requirements: Python 3.10+, rooted device with `frida-server` running, USB or `--host` TCP connection.

**Install & quick use**
```bash
pip install clsdumper
# Attach to a running app
clsdumper com.example.app
# Spawn first (hooks before early loaders)
clsdumper com.example.app --spawn
# Select strategies
clsdumper com.example.app --strategies fart_dump,oat_extract
```

**CLI options (most useful)**
- `target`: package name or PID.
- `--spawn`: spawn instead of attach.
- `--host <ip>`: connect to remote frida-server.
- `--strategies <comma>`: limit/choose extractors; default is all except `mmap_hook` (expensive).
- `--no-scan` / `--deep-scan`: disable or slow deep memory scan (adds CDEX scanning).
- `--extract-classes`: post-process dumps into `.smali` via androguard.
- `--no-anti-frida`: skip the pre-hook bypass stage.
- `--list` / `--list-apps`: enumerate running processes or installed packages.

**Anti-instrumentation bypass (phase 0)**
- Hooks `sigaction`/`signal` to block registration of crash/anti-debug handlers.
- Serves a filtered `/proc/self/maps` via `memfd_create` to hide Frida regions.
- Monitors `pthread_create` to catch/neutralize watchdog threads hunting Frida.

**DEX discovery (phases 1–2)** — multiple complementary strategies with per-hit metadata + deduplication (agent-side djb2, host-side SHA-256):
- Native (no Java bridge needed): `art_walk` (walk ART Runtime→ClassLinker→DexFile), `open_common_hook` (hook `DexFile::OpenCommon`), `memory_scan` (DEX magic in readable maps), `oat_extract` (parse mapped .vdex/.oat), `fart_dump` (hook `DefineClass` + walk `class_table_`), `dexfile_constructor` (hook `OatDexFile` constructors), `mmap_hook` (watch `mmap/mmap64`, off by default for perf).
- Java (when available): `cookie` (read `mCookie` from ClassLoaders), `classloader_hook` (monitor `loadClass`, `DexClassLoader`, `InMemoryDexClassLoader`).

**Output layout**
```
dump_<target>/
dex/classes_001.dex ...
classes/ # only when --extract-classes
metadata.json # strategy per hit + hashes
```

Tip: protected apps often load code from several sources (in-memory payload, vdex/oat, custom loaders). Running with the default multi-strategy set plus `--spawn` maximizes coverage; enable `--deep-scan` only when needed to avoid performance hits.

## Tutorials

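Review bot: the `--no-scan` / `--deep-scan` bullet in the CLI options list reads as though slowing the scan is the purpose of `--deep-scan`; suggest describing the two flags separately, e.g. `--no-scan`: skip the memory scan entirely; `--deep-scan`: slower, more thorough scan that also matches CDEX headers. Two smaller points in the same hunk: the output-layout fence carries no language tag while the other fences in the section use ```bash (a `text` tag would keep rendering consistent), and the intro says the dumper "works even if `Java.perform()` dies" while the discovery list only says "Java (when available)"; one sentence tying the two together (when the Java bridge fails, only the native strategies run and the `cookie` / `classloader_hook` results are absent) would make the expected output clearer to the reader. The deduplication note names both djb2 and SHA-256 without saying which one decides; if the agent-side djb2 is only a pre-filter and the host-side SHA-256 is what `metadata.json` records, stating that avoids readers treating the djb2 value as a reliable identity.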
Expand Down Expand Up @@ -479,5 +522,6 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
- ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
- [Android Frida Hooking: Disabling FLAG_SECURE](https://www.securify.nl/en/blog/android-frida-hooking-disabling-flagsecure/)
- [frida-ui](https://github.com/adityatelange/frida-ui)
- [clsdumper — Android Dynamic Class Dumper](https://github.com/TheQmaks/clsdumper)

{{#include ../../../banners/hacktricks-training.md}}
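Review bot: the new reference entry is the only place the clsdumper repository URL appears; the section this PR adds opens with the tool name but no repo link, unlike the frida-jdwp-loader section which has a `- Repo:` line, so consider linking https://github.com/TheQmaks/clsdumper from the section itself as well. The entry title also uses an em-dash where the neighbouring entries reuse the linked page's own title verbatim; keep it only if that is the repository's actual title.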