Binder Trace: a tool for intercepting and parsing Android Binder messages

TABLE OF CONTENTS

1 Binder Trace
2 ⚙️ Installation
3 Arguments
4 ▶️ Starting binder trace
5 ⌨️ Controls
6 🔎 Filtering
- 6.1 About The Author
  - 6.1.1 Prakash
- 6.2 Related

Binder Trace

Binder Trace is a tool for intercepting and parsing Android Binder messages. Think of it as “Wireshark for Binder”.

⚙️ Installation

You’ll need a rooted Android device or emulator.

(Linux only) – install xclip or xsel for “copy to clipboard” functionalitysudo apt-get install xclipsudo apt-get install xsel
Clone the repo and install python dependenciespip install -r binder_trace/requirements.txt
Check which version of frida is installed (make sure you’ve pip installed the requirements)pip list | grep frida
Download the matching version of frida-server from the frida releases page
Make sure adb is running as root, push frida-server to your device and run itadb rootadb push frida-server /data/local/tmpchmod u+x /data/local/tmp/frida-serveradb shell /data/local/tmp/frida-server

Arguments

Argument	Description
-h	Prints the argument help.
-d DEVICE	The device to attach to e.g. “emulator-5554”. Use `adb devices` to list available devices. If not provided defaults to the USB device.
-p PID	The pid of the process on DEVICE to attach to.
-n NAME	The name of the process on DEVICE to attach to e.g. “Messaging”.
-s STRUCTPATH	The path to the directory of structure files.

▶️ Starting binder trace

To start binder trace we need to pick a device and process to attach to. In the following example we use adb and frida-ps to identify a process to attach to on a local emulator. As it’s an Android 11 emulator we choose the Android 11 structs directory. Pick the struct directory that most closely matches your version of Android. If you would like structures for a different version of Android, please let us know. Once it’s running start using the target app to generate some binder transactions.

> adb devices
List of devices attached
emulator-5554   device

> frida-ps -Ua
 PID  Name           Identifier
----  -------------  ----------------------------
8334  Messaging      com.android.messaging
7941  Phone          com.android.dialer
9607  Settings       com.android.settings

> cd binder_trace
> python -m binder_trace -d emulator-5554 -n Messaging -s ../structs/android11

⌨️ Controls

Key	Action
`up`	Move up
`down`	Move down
`shift + up`	Page up
`shift + down`	Page down
`home`	Go to top
`end`	Go to bottom
`tab`	Next pane
`shift + tab`	Previous pane
`ctrl + c`	Copy pane to clipboard
`f`	Open filter options
`h`	Open help
`q`	Quit

🔎 Filtering

If you’re interested in specific messages you can filter the displayed results with the following options.

Interface – limit results to interfaces that contain the case sensitive search string e.g. “com.android” or “Sms”.
Method – limit results to function names containing the specified case sensitive string.
Type – Limit results to certain types of messages e.g. requests or responses.

Once you’ve entered your filter options just press Enter to apply them.

Download

Also Read:

Reportly: is an AzureAD user activity report tool.

The Best Kali Linux Tools for Ethical Hackers

PentestGPT: A GPT-empowered penetration testing tool

Can Linux Be Hacked? Debunking the Myths and Facts