explaingit

hluwa/frida-dexdump

4,537 · Python · Audience · developer · Complexity · 3/5 · Setup · moderate

TLDR

A command-line tool that extracts hidden Android app code from device memory while the app is running, helping security researchers and malware analysts inspect what apps are actually doing.

Mindmap

mindmap
  root((frida-dexdump))
    What it does
      Scan app memory
      Extract DEX files
      Save to disk
    How it works
      Built on Frida
      Runtime inspection
      Deep search mode
    Use Cases
      Malware analysis
      App unpacking
      Security research
    Setup
      pip install
      Frida on device
      One command run


Things people build with this

USE CASE 1

Extract DEX files from a running Android app to inspect its real code that was hidden or encrypted on disk

USE CASE 2

Analyze packed or obfuscated malware by dumping its decrypted code from memory at runtime

USE CASE 3

Recover DEX files with corrupted or deliberately damaged headers using the deep search mode

Tech stack

Python · Frida · Android

Getting it running

Difficulty · moderate · Time to first run · 30 min

Requires a Frida server running on the Android device and reachable over ADB; the device must be rooted or have Frida pre-installed.

In plain English

Frida-dexdump is a command-line tool for security researchers and malware analysts who work with Android applications. Its purpose is to extract compiled Android code from a running app's memory so that the analyst can inspect what the app is actually doing.

Android apps are distributed in a format that includes compiled code files called DEX files. Some apps, particularly malicious ones, try to hide their real behavior by packing or encrypting these files so that they look different on disk than they do at runtime. When the app runs, it unpacks the real code into memory. Frida-dexdump takes advantage of that moment: it scans the app's memory while the app is running, pulls out the DEX data it finds there, and saves it to disk for analysis.

The tool is built on top of Frida, an established framework for instrumenting running processes on Android and other platforms. Because it runs through Frida, it works on every Android version that Frida supports and does not require modifying the device's system partition. Installation is a single pip command, and typical usage is one short command that targets the app currently in the foreground.

A key feature is a deep search mode, enabled with a flag, that looks for DEX files even when their internal header information is damaged or incomplete. This matters because some apps deliberately corrupt their DEX headers as an additional obfuscation measure. The deep search takes longer but finds more complete results. Output is saved to a folder named after the target app by default; the output path can be changed with a command-line option.
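As an added illustration of the detection idea described above (example code written for this page, not frida-dexdump's own implementation): a pure-Python scanner over a byte buffer that finds DEX images by their magic and, in a deep mode, by the header_size/endian_tag pair at header offset 0x24 when the magic has been wiped. Treating that pair as the fallback key is an assumption about how such a deep search could work, and the input is a constructed buffer, not a real memory dump.

```python
import struct

DEX_MAGIC = b"dex\n035\x00"  # magic for DEX format version 035
HEADER_SIZE = 0x70            # the header is 0x70 bytes in every DEX version
ENDIAN_TAG = 0x12345678       # little-endian marker stored at header offset 0x28
# header_size and endian_tag sit side by side at offset 0x24. Assumed here: this
# 8-byte pattern is a usable fallback key when a packer has wiped the magic.
STRUCT_MARKER = struct.pack("<II", HEADER_SIZE, ENDIAN_TAG)

def header_span(buf, start):
    """Return file_size for a plausible DEX header at `start`, else None."""
    if start < 0 or start + HEADER_SIZE > len(buf):
        return None
    file_size, header_size, endian_tag = struct.unpack_from("<III", buf, start + 0x20)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_TAG:
        return None
    if file_size < HEADER_SIZE or start + file_size > len(buf):
        return None
    return file_size

def find_dex(buf, deep=False):
    """List (offset, size, magic_intact) for each DEX image found in buf."""
    # Normal mode keys on the magic; deep mode keys on the header_size/endian_tag pair.
    needle, delta = (STRUCT_MARKER, 0x24) if deep else (DEX_MAGIC[:4], 0)
    found, idx = [], buf.find(needle)
    while idx != -1:
        start = idx - delta
        size = header_span(buf, start)
        if size is not None:
            found.append((start, size, buf[start:start + 8] == DEX_MAGIC))
        idx = buf.find(needle, idx + 1)
    return found

def carve(buf, offset, size):
    """Copy one image out of buf, rewriting the magic in case it was damaged."""
    return DEX_MAGIC + buf[offset + 8:offset + size]

def make_sample_dex(payload, wipe_magic=False):
    """Constructed test image: a valid 0x70-byte header followed by `payload`."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"\x00" * 8 if wipe_magic else DEX_MAGIC
    struct.pack_into("<III", header, 0x20, HEADER_SIZE + len(payload), HEADER_SIZE, ENDIAN_TAG)
    return bytes(header) + payload

# Constructed stand-in for a memory region: filler, an intact image, filler,
# then a second image whose magic has been zeroed as an obfuscation measure.
MEMORY = (b"\x00" * 17 + make_sample_dex(b"A" * 40)
          + b"\xff" * 9 + make_sample_dex(b"B" * 24, wipe_magic=True))
```

Running find_dex(MEMORY) reports only the intact image, while find_dex(MEMORY, deep=True) also reports the one with the wiped magic, which is the difference the deep search flag makes.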

Copy-paste prompts

Prompt 1
I extracted DEX files from an Android app using frida-dexdump. Write a Python script that opens each DEX file in the output folder and lists all class names and method signatures using androguard.
Prompt 2
How do I use frida-dexdump's deep search mode to recover DEX files when headers are corrupted? Show the exact command and explain what the flag does.
Prompt 3
Write a bash script that automates frida-dexdump extraction: launch a target Android app, wait 5 seconds, run frida-dexdump on the foreground app, and save output to a timestamped folder.
Prompt 4
I have DEX files extracted with frida-dexdump. Show me how to decompile them back to Java source code using jadx from the command line.
Prompt 5
Explain why packed Android apps that encrypt their DEX files on disk still expose the real DEX data in memory at runtime, and how frida-dexdump exploits that window.