Merge pull request #1868 from HackTricks-wiki/update_clsdumper___Android_Dynamic_Class_Dumper__dump_all_20260206_185400

clsdumper — Android Dynamic Class Dumper (dump all DEX files...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md

@@ -114,7 +114,7 @@ If the APK is debuggable (android:debuggable="true"), you can attach over JDWP a
 - Repo: https://github.com/frankheat/frida-jdwp-loader
 - Requirements: ADB, Python 3, USB/Wireless debugging. App must be debuggable (emulator with `ro.debuggable=1`, rooted device with `resetprop`, or rebuild manifest).
 
-Quick start
+Quick start:
 ```bash
 git clone https://github.com/frankheat/frida-jdwp-loader.git
 cd frida-jdwp-loader
@@ -285,6 +285,49 @@ Java.perform(function () {
 
 Run the script with `frida -U -f <package> -l disable-flag-secure.js --no-pause`, interact with the UI, and screenshots/recordings will work again. Because everything happens on the UI thread there is no flicker, and you can still combine the hook with HTTP Toolkit/Burp to capture the traffic that revealed the `/channel` PIN leak.
 
+## Dynamic DEX dumping / unpacking with clsdumper (Frida)
+
+`clsdumper` is a Frida-based dynamic **DEX/class dumper** that survives hardened apps by combining an anti-Frida pre-stage with native and Java discovery strategies (works even if `Java.perform()` dies). Requirements: Python 3.10+, rooted device with `frida-server` running, USB or `--host` TCP connection.
+
+**Install & quick use**
+```bash
+pip install clsdumper
+# Attach to a running app
+clsdumper com.example.app
+# Spawn first (hooks before early loaders)
+clsdumper com.example.app --spawn
+# Select strategies
+clsdumper com.example.app --strategies fart_dump,oat_extract
+```
+
+**CLI options (most useful)**
+- `target`: package name or PID.  
+- `--spawn`: spawn instead of attach.  
+- `--host <ip>`: connect to remote frida-server.  
+- `--strategies <comma>`: limit/choose extractors; default is all except `mmap_hook` (expensive).  
+- `--no-scan` / `--deep-scan`: disable or slow deep memory scan (adds CDEX scanning).  
+- `--extract-classes`: post-process dumps into `.smali` via androguard.  
+- `--no-anti-frida`: skip the pre-hook bypass stage.  
+- `--list` / `--list-apps`: enumerate running processes or installed packages.
+
+**Anti-instrumentation bypass (phase 0)**
+- Hooks `sigaction`/`signal` to block registration of crash/anti-debug handlers.  
+- Serves a filtered `/proc/self/maps` via `memfd_create` to hide Frida regions.  
+- Monitors `pthread_create` to catch/neutralize watchdog threads hunting Frida.
+
+**DEX discovery (phases 1–2)** — multiple complementary strategies with per-hit metadata + deduplication (agent-side djb2, host-side SHA-256):
+- Native (no Java bridge needed): `art_walk` (walk ART Runtime→ClassLinker→DexFile), `open_common_hook` (hook `DexFile::OpenCommon`), `memory_scan` (DEX magic in readable maps), `oat_extract` (parse mapped .vdex/.oat), `fart_dump` (hook `DefineClass` + walk `class_table_`), `dexfile_constructor` (hook `OatDexFile` constructors), `mmap_hook` (watch `mmap/mmap64`, off by default for perf).  
+- Java (when available): `cookie` (read `mCookie` from ClassLoaders), `classloader_hook` (monitor `loadClass`, `DexClassLoader`, `InMemoryDexClassLoader`).
+
+**Output layout**
+```
+dump_<target>/
+  dex/classes_001.dex ...
+  classes/                 # only when --extract-classes
+  metadata.json            # strategy per hit + hashes
+```
+
+Tip: protected apps often load code from several sources (in-memory payload, vdex/oat, custom loaders). Running with the default multi-strategy set plus `--spawn` maximizes coverage; enable `--deep-scan` only when needed to avoid performance hits.
 
 ## Tutorials
 
@@ -479,5 +522,6 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 - ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
 - [Android Frida Hooking: Disabling FLAG_SECURE](https://www.securify.nl/en/blog/android-frida-hooking-disabling-flagsecure/)
 - [frida-ui](https://github.com/adityatelange/frida-ui)
+- [clsdumper — Android Dynamic Class Dumper](https://github.com/TheQmaks/clsdumper)
 
 {{#include ../../../banners/hacktricks-training.md}}