Memory Dumping

Dumping memory for certain mobile app processes and analyzing the data files generated.

General plan

  • Perform key generation operations 
  • Dump the memory using fridump
  • Pull the boxer_generated_keys.txt file
  • Use the script with the -f flag, providing the boxer_generated_keys.txt file
  • Check the output and total finds

Detailed guide (for Android) to analyze AirWatch Boxer:


For information regarding iOS frida-server installation, please follow

1. Have a rooted/jailbroken device or an emulator running on your computer.

2. Install Python if you haven’t already; this will allow us to run the scripts.

3. Open a new terminal and install frida. This is the main framework used by the underlying scripts.

pip install frida

4. Once frida is installed successfully, download the frida-server binary that matches the device type. The frida-server binary version and the frida version must match for the dump to work properly.

The download links can be found in 

Once the correct frida-server binary for the device is downloaded, extract the compressed file. The frida-server binary file should have a name like “frida-server-10.7.5-android-x86_64”, which will differ depending on the device architecture.

5. Push the frida-server binary onto the Android device (using the ADB tool):

adb root # might be required
adb push frida-server /data/local/tmp/ # push the frida-server binary onto the device (assumes the extracted file was renamed to frida-server)
adb shell "chmod 755 /data/local/tmp/frida-server" # make the binary executable
adb shell "/data/local/tmp/frida-server &" # start frida-server in the background

To check that frida-server is running properly, type the following in the terminal:

frida-ps -U

This command will show you all the processes running inside the mobile device.

6. At this point, we have frida-server as well as our application running on the device. It is time to download the fridump library that will allow us to dump the process memory in the device.

Clone the fridump Git repository:

git clone

7. Now let's go ahead and dump the memory using fridump.

Pass the -s flag so that, at the end of the dump process, a separate script captures all the strings in the generated dump files.

python -s

Dump files will be located under fridump/dump/*. The strings.txt file is located under fridump/dump/strings.txt. To generate the dump files in another location, provide the -o flag with the full path.

8. At this point, you will be able to analyze all the strings that reside in memory in strings.txt. However, what if you are looking for something that consists of a set of random bytes? For this purpose, you will need a separate Python script that will analyze the dump files.

Go to the fridump repo and make sure you are at its root.

Download the Python script and copy it to the root of the fridump folder. For this script to work properly, your dump files must be located at the original destination, which is fridump/dump/*.

Attached Script

MemDumpAnalyzer Python Script

The script supports two functions: searching the dump files for a string, or searching them for every entry in a file of hex-encoded strings separated by new lines. The string option lets you search for normal strings, while the file option lets you search for random bytes given in hex. This is particularly useful since our keys are randomly generated keys which fail during encoding. Here are some usage examples.

-f : file path to search for
-s : string to search for
-h : help for usage

python -h
python -s boxer
python -f boxer_generated_keys.txt

9. Generate hex-encoded keys and store them in a file as shown below. All the keys have to be separated by new lines and have to be hex encoded. The script supports files with upper- or lower-case hex, with or without a ‘0x’ prefix.


10. To pull the file from the device to the current folder, use

adb pull data/data/
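
The raw-byte search that steps 8 and 9 describe, as an added example (this is not the MemDumpAnalyzer script and not part of fridump). The function names, the sample dump file name and both sample keys are constructed for illustration; the key file format follows step 9.

```python
import mmap
import os
import tempfile


def parse_hex_keys(lines):
    """Hex lines (any case, optional 0x prefix) -> list of byte patterns."""
    keys = []
    for raw in lines:
        text = raw.strip()
        if text[:2].lower() == "0x":
            text = text[2:]
        if text:
            keys.append(bytes.fromhex(text))  # ValueError on a malformed line
    return keys


def count_hits(path, key):
    """Count non-overlapping occurrences of key in one dump file."""
    if os.path.getsize(path) == 0:  # mmap cannot map an empty file
        return 0
    hits, pos = 0, 0
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
        while (pos := mem.find(key, pos)) != -1:
            hits, pos = hits + 1, pos + len(key)
    return hits


def scan_dumps(dump_dir, keys):
    """Return {key_hex: {file_name: hits}} for keys present in dump_dir."""
    found = {}
    for name in sorted(os.listdir(dump_dir)):
        path = os.path.join(dump_dir, name)
        if not os.path.isfile(path):
            continue
        for key in keys:
            hits = count_hits(path, key)
            if hits:
                found.setdefault(key.hex(), {})[name] = hits
    return found


if __name__ == "__main__":
    # Constructed sample: one fake dump file holding one of two fake keys.
    with tempfile.TemporaryDirectory() as dump_dir:
        with open(os.path.join(dump_dir, "0x7000_dump.data"), "wb") as fh:
            fh.write(b"\x00" * 64 + bytes.fromhex("deadbeef00112233") + b"\xff" * 64)
        keys = parse_hex_keys(["0xDEADBEEF00112233\n", "a1b2c3d4e5f60718\n"])
        print(scan_dumps(dump_dir, keys))
```

Each dump file is searched on its own, so a key whose bytes are split across two dump files is not reported; an empty result therefore does not prove the key was absent from memory.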