Ch0pin edited this page Mar 3, 2023 · 54 revisions

Welcome to Medusa's wiki. Please use the sidebar to navigate to a section:

Quick start and use cases:

Quick start guide (medusa)

Summary


Searching for modules


Use the show command followed by one of the following options:

  • all to display all available modules
  • mods to display the stashed modules
  • categories to display the available module categories
  • mods [category] to display the available modules for the selected category

Use info [module name] to get help about a specific module.


Stashing / Un-stashing

  • Use use [module name] to add a module to the stashed ones:
medusa> use http_communications/multiple_unpinner
  • Use rem [module name] to remove a module from the stashed ones:
medusa> rem http_communications/multiple_unpinner
  • Use add [full-path-to-module] to stash a module saved outside the default module directory:
medusa> add /full/path/to/module.med
  • Use reset to empty the list of stashed modules and clear the unified script.

  • Use swap to change the compilation order of the stashed modules:

medusa> swap [index 1] [index 2]

Compilation

  • Use compile to compile your stashed modules into a unified script:
medusa> compile
  • Use compile -t X (X is the delay in milliseconds) to add a loading delay:
medusa> compile -t 1000

Starting a session

  • Use run -f [package name] or run -n [package number] to start (or restart) an application and attach to it (use the list command to get the package number).
medusa> run -f com.foo.bar
  • Use run [package name] to attach to an application without restarting it.

In session menu

[in-session] |c:clear |e:exit |r:reload | | rs:reset scratchpad |i:info |t:trace |?:help |:

While 'in session' you can use one of the following commands:

    'c'  (c)lear the screen
    'e'  (e)xit the session
    'r'  (r)eload the script in case it changed
    'rs' (r)e(s)et the scratchpad
    'i'  print (i)nformation about the application
    't'  (t)race a function and print the stack trace (e.g. t com.foo.bar.func)
    '?'  print this help message

Hooking beyond the modules

  • Use the hook command followed by one of the options below to intercept methods that are not covered by the currently available modules:

-a [class name] : Set hooks for all the methods of the given class. Example:

medusa> hook -a com.foo.bar.className

-f : Set hooks for a single method. Example:

medusa> hook -f 

Enter the full name of the method(s) class: com.foo.bar
Enter a method name (CTRL+C to Exit): fooMethod
Enable backtrace? (y/N) y
[+] Method: fooMethod hook added !
Enter a method name (CTRL+C to Exit): 

The same result can be achieved with the jtrace command: medusa> jtrace full_path_to_method

-n : Set hooks for a native method. Example:

medusa> hook -n
Library name (e.g.: libnative.so): libfoo.so
Imported or exported function? (i/e) e
Function name or offset (e.g.: 0x1234): 0x1234
Number of function arguments (0 to disable trace): 3
Enable backtrace? (y/N) y
Enable memory read? (y/N) y
Read Buffer size (0-1024): 128
Module scratchpad already added !

-r: Reset the hooks set so far

  • Use the pad command to edit the scratchpad
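Medusa builds its hooks on Frida, so it helps to see what a class-wide hook like hook -a amounts to at the script level. The block below is an added example written for this page, not Medusa's own code: a Frida script that hooks every overload of every method a class declares, logs each call and, like the "Enable backtrace?" prompt above, optionally prints a Java backtrace. It assumes Frida's Java bridge (Java.perform / Java.use) and uses the page's placeholder class name com.foo.bar.className.

```javascript
// Added example, not Medusa's own code: a Frida script doing what `hook -a com.foo.bar.className`
// does: hook every overload of every method the class declares, log each call and optionally
// print a Java backtrace. Assumes Frida's Java bridge (Java.perform / Java.use); class name is the page's placeholder.
const TARGET_CLASS = 'com.foo.bar.className';
const ENABLE_BACKTRACE = true; // the "Enable backtrace? (y/N)" prompt

// Render call arguments as one printable line (pure helper, no Frida needed).
function formatArgs(args) {
  return Array.from(args).map((a, i) => {
    let v;
    try { v = (a === null || a === undefined) ? String(a) : a.toString(); }
    catch (e) { v = '<unprintable>'; } // e.g. a Java object whose toString() throws
    return 'arg[' + i + ']=' + v;
  }).join(', ');
}

// Log line for one intercepted call.
function formatCall(className, methodName, args) {
  return '[+] ' + className + '.' + methodName + '(' + formatArgs(args) + ')';
}

// Names of the methods a class declares, deduplicated (overloads share a name).
function declaredMethodNames(wrapper) {
  const names = new Set();
  wrapper.class.getDeclaredMethods().forEach(m => names.add(m.getName()));
  return Array.from(names);
}
// Replace the implementation of every overload of every declared method;
// returns how many overloads were hooked.
function installClassHooks(className, withBacktrace) {
  const Log = Java.use('android.util.Log');
  const Exception = Java.use('java.lang.Exception');
  const wrapper = Java.use(className);
  let count = 0;
  declaredMethodNames(wrapper).forEach(name => {
    if (!wrapper[name] || !wrapper[name].overloads) return; // not exposed by the bridge
    wrapper[name].overloads.forEach(overload => {
      overload.implementation = function () {
        console.log(formatCall(className, name, arguments));
        if (withBacktrace) console.log(Log.getStackTraceString(Exception.$new()));
        return overload.apply(this, arguments); // run the original method
      };
      count++;
    });
  });
  console.log('[+] ' + count + ' overload(s) hooked on ' + className);
  return count;
}
if (typeof Java !== 'undefined') Java.perform(() => installClassHooks(TARGET_CLASS, ENABLE_BACKTRACE));
```

Outside a Frida runtime the last line is skipped, so the pure helpers can be exercised on their own; under Frida the script is loaded the usual way (frida -U -f com.foo.bar -l hooks.js).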

Working with native libraries

  • Use the libs command followed by one of the options below to list the application's native libraries:

-a : List all the application's libraries.
-s : List only the system's libraries.
-j : List only the application's own libraries.

Add the --attach flag to attach to an already running instance of the application (this usually gives better results).

Example:

medusa> libs -j com.foo.bar libnative.so --attach

Working with the application's memory

You can read, write, search and dump the application's memory with the memops or memmap commands. The former needs a library name to attach to, while the latter works on memory regions.

In both cases the application must already be running.

  • memops example:
medusa> memops package_name libname.so

If the attachment is successful, medusa will start a session where you have the following options:

|(E)xit |r@offset |w@offset |⏎ |scan |(h)elp| dump|:

To get more details about the functionality of each option, please refer to the Basic Usage section

  • memmap example:
medusa> memmap package_name 

Then choose a memory region from the submenu.

If the attachment is successful, medusa will start a session where you have the following options:

|(E)xit |r@offset |dump |:

To get more details about the functionality of each option, please refer to the Basic Usage section