Adding Frida Dynamic Analysis Capabilities

[ArkaprabhaChakraborty]

Hi!

I read about this https://github.com/mandiant/flare-gsoc/blob/2025/doc/project-ideas.md#capa-add-frida-dynamic-analysis-for-android and I wanted to contribute towards it. I had an initial idea to build the sandbox environment first if it doesn't exist within capa and then add the Frida instrumentation module in such a way that it could be extended to include any other dynamic instrumentation like DynamoRIO or TinyInst.

I would need some more info on this to proceed.

Thanks!
Arkaprabha Chakraborty

[mike-hunhoff]

Hi @ArkaprabhaChakraborty , thanks for reaching out! Presently, capa does not support any sandboxing or instrumentation, instead, capa consumes output from various "feature extractors" that individually support translating the output from a tool (e.g. Ghidra, IDA Pro, CAPE, VMRay) into a format that capa can parse. The goal of this project would be to create a new feature extractor for capa that consumes output from Frida, specifically some level of API trace. My understanding is that vanilla Frida does not support capturing full API traces so part of this project may include developing scripts/plugins/etc. for Frida that enable API trace -like functionality.

@larchchen may have some additional guidance here. In the mean time, if you're interested in applying, we have a non-exhaustive list of contributor guidance. When you have a question, reach out here and mention @mandiant/flare-gsoc.

[larchchen]

Hi @ArkaprabhaChakraborty thanks for your interests and questions.

the user is supposed to have the proper Android environment setup first

Yes. The basic Android environment setup will need an Android Emulator and Frida server. I find this blog post described roughly the preparations before some "real" capa work.

what more depth are we planning to achieve in API tracing?

Personally I imagine there would be several different potentail implementation paths to achieve the same/similar goal of this project.

1. You can provide the trace with general Frida tools, like frida-trace for syscalls and JNI-trace for JNI calls; then you can use CAPA to match the calls by adding one or more feature creators.
2. You write their own scripts and log the trace with desired format; then you can use CAPA to match the calls by adding feature creators
3. With given CAPA rules, you can write a translator that convert the CAPA rules to Frida scripts, and you can use the Frida scripts to produce CAPA recognisable final results.

If you have some more ideas, that would be definitely great to share. To choose the implementation path I believe is part of the GSoC project, about researching, deciding, and presenting your thoughts. The general principle is achievable (within the timeline), easily usable, and flexible for further modification and extentions.

One key-point to keep in mind though, that Android ELF files are commonly using JNI calls to interact with Android Runtime. The be-called Java method names and arguments using the JNI reflection are the emphasis of Android ELF behaviour analysis.

[ArkaprabhaChakraborty]

I already have an automated script to setup a production Android emulator device, root it with magisk and install Frida server in it (utilizes project rootAVD for it). I use this setup for pentesting Android applications. I'll need to debug it a bit and make it a bit more verbose. Fortunately I did follow that blogpost while doing it.

Now do we utilise jnitrace and frida-trace tools, which have been there for a long time and make the capa feature extractor kinda depend on them? Or we implement them in a capa specific fashion (jnitrace can be used as a script: https://codeshare.frida.re/@chame1eon/jnitrace). I believe the latter would be better but please feel free to correct me.

I have a good collection of Frida scripts and Frida codeshare too has multiple javascript snippets which can be generalized to custom scripts and can be used with Capa's yaml based rules!

[ArkaprabhaChakraborty]

1. You can provide the trace with general Frida tools, like frida-trace for syscalls and JNI-trace for JNI calls; then you can use CAPA to match the calls by adding one or more feature creators.

Do we have any provision to show all syscalls and jni calls to help the user somehow?

2. You write their own scripts and log the trace with desired format; then you can use CAPA to match the calls by adding feature creators
3. With given CAPA rules, you can write a translator that convert the CAPA rules to Frida scripts, and you can use the Frida scripts to produce CAPA recognisable final results.

I'll need some help to figure out how to make a new rule format, add the processing of rules etc.

[larchchen]

Do we have any provision to show all syscalls and jni calls to help the user somehow?

Showing everything wouldn't much helpful, because the full trace would be super long and tedious. That is also the reason why we need to capa rules, to catch some specific patterns in the call traces.

And also different use cases may have different requirements, so we need to be flexible and generalise a solution.

I'll need some help to figure out how to make a new rule format, add the processing of rules etc.

What do you mean by new rule format? I don't see where we need a new rule format here.

[ArkaprabhaChakraborty]

I'll have to dig into capa-rules before I comment on the new rule format if it is at all required. You are right we don't need any for now but just in case..... :). I'll do my background research and let you know!

[ArkaprabhaChakraborty]

@mandiant/flare-gsoc. I'm having trouble importing capa after installing capa from the source. I ran pip install -e .[dev,scripts,build] inside the capa folder. The installation was successful, but now when I do python scripts/cache-ruleset.py rules/ cache/ or let's say python .\show-features.py ..\..\capa-tests\socks_client.exe I get the error: ModuleNotFoundError: No module named 'capa'.

I have done this after removing all previous installations of flare-capa. I'm getting the same error inside a venv and without it (tried both installations).

Error dump:

PS D:\capa-workspace\capa> python scripts/cache-ruleset.py rules/ cache/
Traceback (most recent call last):
  File "D:\capa-workspace\capa\scripts\cache-ruleset.py", line 30, in <module>
    import capa.main
ModuleNotFoundError: No module named 'capa'

PS D:\capa-workspace\capa\scripts>python .\show-features.py ..\..\capa-tests\socks_client.exe
  File "D:\capa-workspace\capa\scripts\show-features.py", line 77, in <module>
    import capa.main
ModuleNotFoundError: No module named 'capa'

[mike-hunhoff]

While following dev installation, is this step required for importing capa?

Generate rule cache
Generate cache for all rules in the rules folder and save the output in the cache folder.

$ python scripts/cache-ruleset.py rules/ cache/

Run Pyinstaller
$ pyinstaller .github/pyinstaller/pyinstaller.spec

You can find the compiled binary in the created directory dist/.

Not for development tasks.

[ArkaprabhaChakraborty]

Can you break down your environment for us (OS, Python version, etc.)? Also, can you pip install flare-capa successfully?

Its windows and python version is 3.11.

[ArkaprabhaChakraborty]

I have uninstalled and installed capa as shown below:

Uninstalling flare-capa-9.1.0:
  Would remove:
    c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages\__editable__.flare_capa-9.1.0.pth
    c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages\__editable___flare_capa_9_1_0_finder.py
    c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages\flare_capa-9.1.0.dist-info\*
    c:\users\chakr\appdata\local\programs\python\python312\scripts\capa.exe
Proceed (Y/n)? y
  Successfully uninstalled flare-capa-9.1.0
PS D:\capa-workspace> pip install flare-capa  
Collecting flare-capa
  Downloading flare_capa-9.1.0-py3-none-any.whl.metadata (40 kB)
Requirement already satisfied: pyyaml>=6 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (6.0.2)
Requirement already satisfied: colorama>=0.4 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (0.4.6)
Requirement already satisfied: ida-settings>=2 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (2.1.0)
Requirement already satisfied: ruamel.yaml>=0.18 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (0.18.10)      
Requirement already satisfied: pefile>=2023.2.7 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (2023.2.7)      
Requirement already satisfied: pyelftools>=0.31 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (0.32)
Requirement already satisfied: pydantic>=2 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (2.10.6)
Requirement already satisfied: rich>=13 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (13.9.4)
Requirement already satisfied: humanize>=4 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (4.12.1)
Requirement already satisfied: protobuf>=5 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (6.30.0)
Requirement already satisfied: msgspec>=0.18.6 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (0.19.0)
Requirement already satisfied: xmltodict>=0.13.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (0.14.2)       
Requirement already satisfied: viv-utils>=0.7.9 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from viv-utils[flirt]>=0.7.9->flare-capa) (0.8.0)
Requirement already satisfied: vivisect>=1.1.1 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (1.2.1)
Requirement already satisfied: dncil>=1.0.2 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (1.0.2)
Requirement already satisfied: networkx>=3 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (3.4.2)
Requirement already satisfied: dnfile>=0.15.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from flare-capa) (0.15.1)
Requirement already satisfied: ida-netnode in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from ida-settings>=2->flare-capa) (3.0)
Requirement already satisfied: six in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from ida-settings>=2->flare-capa) (1.17.0)
Requirement already satisfied: annotated-types>=0.6.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from pydantic>=2->flare-capa) (0.7.0)
Requirement already satisfied: pydantic-core==2.27.2 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from pydantic>=2->flare-capa) (2.27.2)
Requirement already satisfied: typing-extensions>=4.12.2 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from pydantic>=2->flare-capa) (4.12.2)
Requirement already satisfied: markdown-it-py>=2.2.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from rich>=13->flare-capa) (3.0.0)
Requirement already satisfied: pygments<3.0.0,>=2.13.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from rich>=13->flare-capa) (2.19.1)
Requirement already satisfied: ruamel.yaml.clib>=0.2.7 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from ruamel.yaml>=0.18->flare-capa) (0.2.12)
Requirement already satisfied: funcy>=2.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from viv-utils>=0.7.9->viv-utils[flirt]>=0.7.9->flare-capa) (2.0)
Requirement already satisfied: intervaltree>=3.1.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from viv-utils>=0.7.9->viv-utils[flirt]>=0.7.9->flare-capa) (3.1.0)
Requirement already satisfied: python-flirt>=0.9.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from viv-utils[flirt]>=0.7.9->flare-capa) (0.9.7)
Requirement already satisfied: pyasn1<0.6.0,>=0.5.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from vivisect>=1.1.1->flare-capa) (0.5.1)
Requirement already satisfied: pyasn1-modules<0.4.0,>=0.3.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from vivisect>=1.1.1->flare-capa) (0.3.0)
Requirement already satisfied: cxxfilt<0.4.0,>=0.3.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from vivisect>=1.1.1->flare-capa) (0.3.0)
Requirement already satisfied: msgpack<1.1.0,>=1.0.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from vivisect>=1.1.1->flare-capa) (1.0.8)
Requirement already satisfied: pycparser>=2.20 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from vivisect>=1.1.1->flare-capa) 
(2.22)
Requirement already satisfied: sortedcontainers<3.0,>=2.0 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from intervaltree>=3.1.0->viv-utils>=0.7.9->viv-utils[flirt]>=0.7.9->flare-capa) (2.4.0)
Requirement already satisfied: mdurl~=0.1 in c:\users\chakr\appdata\local\programs\python\python312\lib\site-packages (from markdown-it-py>=2.2.0->rich>=13->flare-capa) (0.1.2)
Downloading flare_capa-9.1.0-py3-none-any.whl (1.2 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 6.0 MB/s eta 0:00:00
Installing collected packages: flare-capa
Successfully installed flare-capa-9.1.0

Still when I do python .\show-features.py ..\..\capa-tests\socks-sample\socks_client.exe I get:

PS D:\capa-workspace\capa\scripts> python .\show-features.py ..\..\capa-tests\socks-sample\socks_client.exe
Traceback (most recent call last):
  File "D:\capa-workspace\capa\scripts\show-features.py", line 77, in <module>
    import capa.main
ModuleNotFoundError: No module named 'capa'

[mike-hunhoff]

Can you try using the command python -m pip install <package> instead?

[ArkaprabhaChakraborty]

I uninstalled python and installed it again. Everything works fine now!

[HelixY2J]

Hii, I am Aryan, a final year student majoring in Computer Science with a specialization in Cybersecurity. I am familiar with tools such as Ghidra, IDA and GDB from my time in CTFs and I am excited to contribute on this capa - Frida integration project.

here is a snapshot of what I had worked on so far -

• I had experimented on different APKs to test various use cases of Frida for Android instrumentation. I learnt about runtime instrumentation, patched x86 assembly instructions to bypass some security checks, altered execution flow in order to get the flag
  frida-exp

• I have been developing Friza, an open-source ZAP extension that simplifies mobile pentesting by automating Frida based function hooking. By using Frida, the extension can abstract away the complexity of reverse engineering and reimplementing encryption functions, making pentesting processes faster and more accessible for security researchers. So I decided to use RPC to load and execute dynamic hooks on Android applications. After having a discussion with ZAP core team, I realized that I didn't follow many UI guidlines and everything was tightly coupled so am rebuilding it now. Currently its a work in progress Friza

I have a firm grasp in JS, golang and java along with hands on experience using Frida and emulator. I also have got an understanding of this project from above discussion and yes I agree that we will need to design the custom frida scripts to log function calls. And so we can integrate these logs with capa rule engine. I already have environment setup with emulator and frida server. Can I get some guidance on what I should focus on next for this project

[larchchen]

Thank you Aryan for your interestes in this project.

I'm glad that you have moved far on preparing for this project. At this stage, it is time for candidates comming up more ideas and discussing with the team. I have some personal thoughts which already shared in the earlier threads. Surely you can already experimenting with some of the ideas.

And most importantly, we need a formal process from you to apply for this GSoC project, as listed in contributor guidance

[p5amruta]

Hello @mandiant/flare-gsoc,

I am interested in contributing to the project "capa: Adding Ghidra Explorer Plugin" for Google Summer of Code 2025.

I have experience with Python, GitHub, and reverse engineering, and I am eager to learn more about Ghidra and its plugin development. My goal is to design an extensible and efficient Ghidra plugin that seamlessly integrates capa’s capability detection. I plan to focus on:

Developing an intuitive GUI to display capa results, including a hierarchical tree view of detected capabilities.
Implementing smooth navigation between capa results and Ghidra’s disassembly and decompiler views.
Optimizing performance when analyzing large binaries by handling capa results efficiently within Ghidra.
I would love to contribute an initial patch to familiarize myself with the codebase. Could you please provide some guidance on how to get started?

I look forward to your response!

Thank you!
Amrutha

[larchchen]

Hi @p5amruta ,

Thanks for your interests in out GSoC projects. However this thread topic is about adding Frida Dynamic Analysis for capa.
For Ghidra Explorer Plugin, there are a few discussion threads under https://github.com/mandiant/flare-gsoc/discussions, and also feel free to start your own as well.

[0x1622]

Hi, I am Shriram Dhumal, a second-year student majoring in Computer Science from Birla Institute of Technology And Science - Pilani with a strong focus on cybersecurity. I have extensive experience in CTFs and have worked on various cybersecurity projects, including web exploitation, reverse engineering, and Digital Forensics.

Snapshot of my work so far:

Reverse Engineering & Exploitation: I have experience using Ghidra, IDA, GDB, and Radare2, with a strong understanding of Android application security. I have worked on binary exploitation, analyzing USB traffic (URB_CONTROL in/out events), and bypassing security mechanisms in CTF challenges.

Web Security & Pentesting: I have built a web-based version of Nuclei, allowing users to execute vulnerability scans through a browser. I also participated in multiple bug bounty programs, reporting critical vulnerabilities, including a high-impact bug affecting 10 million users in a government portal.

Development & AI Research: I developed a QA bot with LangChain, experimented with retrieval algorithms for AI-driven cybersecurity, and built an AI bot for reverse engineering training.

Recently have been working on MCP servers for IDA Pro, Ghidra, and Binary Ninja.

I have a firm grasp of C,JavaScript, Golang, Python, and Java, with hands-on experience in Frida, Android emulation, BurpSuite and security automation.

You can read some of my blogs here

I want to contribute to this project because it is one of the most fascinating opportunities to work on both the static and dynamic aspects of an application.

[0x1622]

@larchchen

I attempted to analyze a .json file that was generated as an output from the CAPE sandbox. Based on this article, the analysis should have worked as expected. However, I encountered file format errors instead. To troubleshoot the issue, I also tested it with the initial 7.0.0 version, but the problem persists. I'm wondering if there are any known compatibility issues or additional steps required to properly process CAPE sandbox output with capa. Any insights or suggestions would be greatly appreciated!

ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to be a supported file.
ERROR:capa: 
ERROR:capa: See all supported file formats via capa's help output (-h).
ERROR:capa: If you don't know the input file type, you can try using the `file` utility to guess it.
ERROR:capa:--------------------------------------------------------------------------------

[mr-tz]

Can you run again with the -d flag and see details in the output?

[0x1622]

I was able to resolve the issue, and it turned out to be a problem with the .json file format. The errors I encountered were due to the file not being structured correctly, which caused capa to fail in processing the output from the CAPE sandbox. After identifying the formatting issue, I made the necessary corrections, and the analysis is now working as expected. If anyone else runs into similar errors when analyzing CAPE sandbox output with capa, I would recommend checking the JSON structure to ensure it adheres to the expected format.

[mr-tz]

Did capa -d gibe you a proper help? Is that something we should improve for the default output so users aren't confused?

[0x1622]

Unfortunately, the -d flag wasn’t very helpful in this case. While it did provide the usual debug information, it didn’t explicitly state what the exact issue was or what caused the error. It would be really useful to have more examples of dynamically analyzed files to better understand the expected format and avoid such issues. Additionally, for the-d debug option, it would be great if it could specify the correct format required for the input files and provide more detailed insights into what’s actually causing the problem. This would make debugging much easier and help users quickly identify and resolve formatting errors.

[0x1622]

@larchchen @mike-hunhoff I know it's quite late, but could you please review the proposal I'm about to send? I can send it in DOC format to your email—let me know if that works for you.