Copilot AI commented Nov 30, 2025

This PR closes #3360

Description

Extends the Frida utility (utils/frida/) to support native function hooking via Frida's Interceptor API, enabling hooks on native libraries and ObjC methods in addition to existing Java hooks.

Changes

Android (utils/frida/android/base_script.js):

  • Added isNativeHook(), resolveNativeSymbol(), registerNativeHook()
  • Native hooks processed outside Java.perform(), Java hooks inside as before
  • Separate summary emission for native vs Java hooks

iOS (utils/frida/ios/):

  • New base_script.js with native and ObjC method hook support
  • New run.sh for iOS hook execution

Hook Definition Format

var target = {
  category: "STORAGE",
  hooks: [
    // Native with module
    { native: true, module: "libc.so", symbol: "open", maxFrames: 15 },
    // Global export (no module)
    { native: true, symbol: "SecAccessControlCreateWithFlags" },
    // ObjC method (iOS)
    { native: true, objClass: "LAContext", symbol: "- evaluatePolicy:localizedReason:reply:" }
  ]
}

[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

<issue_title>[Frida Util] Add Support for Interceptor to Hook Native Methods</issue_title>
<issue_description>Follow-up from: #3359

The current version of the Frida Util, located in utils/frida/ and used from demos having hooks.js files, supports Java-level hooking using Frida's Java API. This covers most use cases during mobile app penetration testing on Android, especially when working with Java or Kotlin code. However, many critical security-related operations are implemented in native libraries, especially in apps that rely on custom cryptography, native obfuscation, or performance-critical code. And we also need support for iOS apps.

To handle these cases, the script must support Frida's Interceptor API, which allows hooking into native functions.

Proposed Behavior:

  • Allow hooks.js definitions to optionally target native functions.
  • New hook type for native entries, e.g.:
{
  category: "CRYPTO",
  hooks: [
    {
      native: true,
      module: "libcrypto.so",
      symbol: "AES_encrypt"
    }
  ]
}
  • The base script detects if native: true is present and uses Interceptor.attach accordingly.
    • If the module is known it uses Process.getModuleByName(module).getExportByName(symbol)
    • Otherwise, Module.getGlobalExportByName(symbol)

Notes:

  • Feel free to suggest a more efficient way of defining the hooks if there is one.
  • Feel free to restructure the tool in utils/

Use Case Example 1

An app that calls the native method open from libc.so.

Native hook:

Interceptor.attach(
    Process.getModuleByName('libc.so').getExportByName('open'),
    {
        onEnter: function(args) {
            const path = args[0].readCString();
            console.log(path);
        }
    }
);

Instead, we want to define this in hooks.js like (along other different hooks):

var target = {
  category: "STORAGE",
  hooks: [
    {
      class: "android.content.ContentResolver",
      method: "insert",
      overloads: [
        {
          args: ["android.net.Uri", "android.content.ContentValues"]
        }
      ]
    },
    {
      native: true,
      module: "libc.so",
      symbol: "open",
      maxFrames: 15
    }
  ]
}

Use Case Example 2

Swift hook:

Interceptor.attach(Module.getGlobalExportByName('SecAccessControlCreateWithFlags'), {
  onEnter(args) {
    const flags = args[2]
    // parseAccessControlFlags is assumed to be defined elsewhere in the script
    const flags_description = parseAccessControlFlags(flags)
    console.log(`\nSecAccessControlCreateWithFlags(..., 0x${flags.toString(16)}) called with ${flags_description}\n`)
    // ...
  }
});

Instead, we want to define this in hooks.js like:

var target = {
  category: "AUTH",
  hooks: [
    {
      native: true,
      symbol: "SecAccessControlCreateWithFlags",
      maxFrames: 15
    }
  ]
}

Use Case Example: MASTG-DEMO-0042

ObjC hook:

Interceptor.attach(ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"].implementation, {
  onEnter(args) {
      const policy = args[2].toInt32();
      console.log(`\nLAContext.evaluatePolicy(${policy}) called\n`);
    // ...
  }
});

Instead, we want to define this in hooks.js like:

var target = {
  category: "AUTH",
  hooks: [
    {
      native: true,
      objClass: "LAContext",
      symbol: "- evaluatePolicy:localizedReason:reply:",
      maxFrames: 15
    }
  ]
}
</issue_description>


Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
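The resolution order the issue proposes (ObjC method, then module export, then global export, with `maxFrames` backtrace and native hooks kept outside `Java.perform`), written out as an added example; this is not the PR's utils/frida code. The Frida globals (`Process`, `Module`, `ObjC`, `Interceptor`, `Thread`, `Backtracer`, `DebugSymbol`) are passed in as `api` so the logic can be exercised outside a Frida session; the function names mirror the PR description but the bodies are this example's own.

```javascript
// Added example, not the PR's base_script.js. `api` holds the Frida globals
// (inside Frida: { Process, Module, ObjC, Interceptor, Thread, Backtracer,
// DebugSymbol }); `log` is the sink for hook events.

function isNativeHook(hook) {
  return hook !== null && typeof hook === 'object' && hook.native === true;
}

// Resolve a native hooks.js entry to an Interceptor target plus a readable label.
function resolveNativeSymbol(hook, api) {
  if (typeof hook.symbol !== 'string') throw new Error('native hook needs a "symbol"');
  if (hook.objClass) {
    const cls = api.ObjC && api.ObjC.available ? api.ObjC.classes[hook.objClass] : undefined;
    const method = cls ? cls[hook.symbol] : undefined;
    if (!method) throw new Error(`ObjC method not found: ${hook.objClass} ${hook.symbol}`);
    return { target: method.implementation, label: `${hook.objClass} ${hook.symbol}` };
  }
  // getModuleByName throws if the module is not loaded; older Frida returns null from getExportByName.
  const addr = hook.module
    ? api.Process.getModuleByName(hook.module).getExportByName(hook.symbol)
    : api.Module.getGlobalExportByName(hook.symbol);
  if (!addr) throw new Error(`export not found: ${hook.module || '<global>'}!${hook.symbol}`);
  return { target: addr, label: hook.module ? `${hook.module}!${hook.symbol}` : hook.symbol };
}

// Attach the hook and log up to `maxFrames` symbolicated frames on each call (default 10).
function registerNativeHook(hook, api, log) {
  const { target, label } = resolveNativeSymbol(hook, api);
  const maxFrames = Number.isInteger(hook.maxFrames) ? hook.maxFrames : 10;
  api.Interceptor.attach(target, {
    onEnter() {
      const frames = api.Thread.backtrace(this.context, api.Backtracer.ACCURATE)
        .slice(0, maxFrames).map((a) => api.DebugSymbol.fromAddress(a).toString());
      log(`${label} called\n  ${frames.join('\n  ')}`);
    },
  });
  return label;
}

// Native entries are attached here, outside Java.perform; Java entries are only
// collected so the existing script can register them inside Java.perform as before.
function registerHooks(target, api, log) {
  const summary = { native: [], java: [] };
  for (const hook of target.hooks) {
    if (isNativeHook(hook)) summary.native.push(registerNativeHook(hook, api, log));
    else summary.java.push(`${hook.class}.${hook.method}`);
  }
  return summary;
}
```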
Copilot AI changed the title [WIP] Add support for Interceptor to hook native methods Add Interceptor support for native method hooking in Frida utils Nov 30, 2025
Copilot AI requested a review from cpholguera November 30, 2025 09:21
Copilot finished work on behalf of cpholguera November 30, 2025 09:21