I am using Frida and I want to hook a system_server method but without having the Frida client running on my computer. I want the entire thing to be on the device. I will have to gather the data while I am going about my day (possibly without any network connectivity either). I know about frida-gadget but frida-gadget looks under /data/app/<APP_NAME>/lib
for its config file, and system_server has no such (writable) directory. Is there any workaround for this? I would of course also consider non-frida solutions.
Download frida-inject from https://github.com/frida/frida/releases , push it to the device and chmod it:
./frida-inject -p `pidof system_server` -s /data/local/tmp/script.js --runtime=v8
Other CLI options @ https://github.com/frida/frida-core/blob/master/inject/inject.vala#L12
Edit:
For gadget you will need to repack (& sign) the apk with frida-gadget.so and somehow load the gadget into memory.
The approach I use is to find the c'tor of the welcome-activity and insert the smali code that uses java.lang.System.loadLibrary to load the so.
This is how I find the activity:
$ aapt dump badging $APK | grep "launchable-activity:" | grep -Po "(?<=name=').*?(?=')"
aapt is part of the android sdk.
You will need to increment local variables, and handle whether it's a static c'tor (or not), but mostly this is the smali:
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
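A script to pass as script.js to the frida-inject command above, written as an added example (not code from the answer or from the Frida project). It hooks every overload of one Java method in system_server and appends one JSON line per call to a file on the device, so data is collected with no client or network attached. The class name, method name and log path are placeholder assumptions; the log path must be writable from the system_server process under the device's SELinux policy, which is not guaranteed.

```javascript
// Added example: on-device Frida script for frida-inject, logs calls of one
// Java method inside system_server to a local file (no Frida client needed).
// Assumptions (placeholders, not from the original answer):
const TARGET_CLASS = 'com.example.TargetService'; // Java class loaded in system_server
const TARGET_METHOD = 'targetMethod';              // method whose calls are recorded
const LOG_PATH = '/data/local/tmp/hook.log';       // must be writable for system_server

// Build one JSON log record; pure function so it can be checked outside Frida.
// `types` are the Java parameter type names of the overload, `args` the values.
function formatRecord(method, types, args, ts) {
  const rec = { ts: ts === undefined ? Date.now() : ts, method: method, args: [] };
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    rec.args.push({
      type: types[i] || 'unknown',
      value: (a === null || a === undefined) ? null : String(a),
    });
  }
  return JSON.stringify(rec);
}

// Append a line to the log file using Frida's File API (open, write, close per
// call so the file is complete even if the process dies or the script unloads).
function appendLine(path, line) {
  const f = new File(path, 'a');
  f.write(line + '\n');
  f.close();
}

// Hook every overload of TARGET_METHOD, record arguments, then call through.
function installHook() {
  Java.perform(function () {
    const Cls = Java.use(TARGET_CLASS);
    Cls[TARGET_METHOD].overloads.forEach(function (ov) {
      const types = ov.argumentTypes.map(function (t) { return t.className; });
      ov.implementation = function () {
        const args = Array.prototype.slice.call(arguments);
        appendLine(LOG_PATH, formatRecord(TARGET_CLASS + '.' + TARGET_METHOD, types, args));
        return ov.apply(this, arguments); // original behaviour is unchanged
      };
    });
  });
}

// Only install when running inside Frida (the Java bridge is absent elsewhere).
if (typeof Java !== 'undefined') {
  installHook();
}
```

Run it with `./frida-inject -p $(pidof system_server) -s /data/local/tmp/script.js` as in the answer, then read the log file later from a shell on the device.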