Command Line Usage

The dexray-intercept (or ammm) command is the primary interface for Dexray Intercept. This section covers all command-line options and usage patterns.

Basic Syntax

dexray-intercept [OPTIONS] <target>

Where <target> can be:

Package name: com.example.app
Process ID: 1234
App name: "My Banking App"

Core Options

Target and Connection

<target>

Required. The target application to analyze.

Examples:

dexray-intercept com.banking.app          # Package name
dexray-intercept 1234                     # Process ID
dexray-intercept "Banking App"            # App display name

-s, --spawn

Spawn the application instead of attaching to a running process.

dexray-intercept -s com.example.app

Note

Spawning gives you control from app startup, useful for analyzing initialization behavior.

-fg, --foreground

Attach to the currently foreground (visible) application.

dexray-intercept -fg

-H <ip:port>, --host <ip:port>

Connect to a remote Frida device.

dexray-intercept -H 192.168.1.100:27042 com.example.app

Device and Server Management

-f, --frida

Install and run frida-server on the target device.

dexray-intercept -f  # Install frida-server and exit

--enable_spawn_gating

Enable spawn gating to catch newly spawned processes.

dexray-intercept --enable_spawn_gating com.example.app

Warning

This may catch unrelated processes spawned during analysis.

Output and Debugging

-v, --verbose

Enable verbose output for detailed debugging information.

dexray-intercept -v --hooks-crypto com.example.app

-st, --enable-full-stacktrace

Enable full stack traces showing call origins in binary code.

dexray-intercept -st --hooks-crypto com.example.app

Network Analysis

--enable-fritap

Enable friTap for TLS key extraction and traffic capture.

dexray-intercept --enable-fritap --hooks-network com.example.app

--fritap-output-dir <directory>

Specify directory for friTap output files (default: ./fritap_output).

dexray-intercept --enable-fritap --fritap-output-dir ./network_logs com.example.app

Custom Scripts

--custom-script <path>

Load custom Frida script alongside built-in hooks. Can be used multiple times.

# Single custom script
dexray-intercept --custom-script ./my_hooks.js com.example.app

# Multiple custom scripts
dexray-intercept --custom-script ./script1.js --custom-script ./script2.js com.example.app

Hook Selection

Hook Groups

--hooks-all

Enable all available hooks for comprehensive analysis.

dexray-intercept --hooks-all com.example.app

--hooks-crypto

Enable cryptographic hooks (AES, encodings, keystore).

dexray-intercept --hooks-crypto com.example.app

--hooks-network

Enable network communication hooks (web traffic, sockets).

dexray-intercept --hooks-network com.example.app

--hooks-filesystem

Enable file system hooks (file operations, database access).

dexray-intercept --hooks-filesystem com.example.app

--hooks-ipc

Enable Inter-Process Communication hooks (intents, broadcasts, binder, shared preferences).

dexray-intercept --hooks-ipc com.example.app

--hooks-process

Enable process monitoring hooks (native libraries, runtime, DEX unpacking).

dexray-intercept --hooks-process com.example.app

--hooks-services

Enable system service hooks (bluetooth, camera, clipboard, location, telephony).

dexray-intercept --hooks-services com.example.app

--hooks-bypass

Enable anti-analysis bypass hooks (root, frida, debugger, emulator detection).

dexray-intercept --hooks-bypass com.example.app

Individual Hooks

For fine-grained control, you can enable specific individual hooks:

Cryptographic Hooks

--enable-aes: Enable AES encryption/decryption monitoring.

--enable-keystore: Enable Android keystore operation monitoring.

--enable-encodings: Enable encoding/decoding operation monitoring.

Network Hooks

--enable-web: Enable web traffic monitoring (HTTP/HTTPS, Retrofit, Volley, WebSockets).

--enable-sockets: Enable raw socket communication monitoring.

File System Hooks

--enable-filesystem: Enable file system operation monitoring.

--enable-database: Enable database operation monitoring.

Process Hooks

--enable-dex-unpacking: Enable DEX unpacking detection.

--enable-java-dex: Enable Java DEX loading hooks.

Warning

This hook may crash certain applications.

--enable-native-libs: Enable native library loading monitoring.

--enable-process: Enable process creation monitoring.

--enable-runtime: Enable runtime operation monitoring.

IPC Hooks

--enable-shared-prefs: Enable shared preferences monitoring.

--enable-binder: Enable binder communication monitoring.

--enable-intents: Enable intent passing monitoring.

--enable-broadcasts: Enable broadcast receiver monitoring.

Service Hooks

--enable-bluetooth: Enable Bluetooth API monitoring.

--enable-camera: Enable camera usage monitoring.

--enable-clipboard: Enable clipboard access monitoring.

--enable-location: Enable location/GPS access monitoring.

--enable-telephony: Enable telephony API monitoring.

Bypass Hooks

--enable-bypass: Enable all anti-analysis bypass techniques.

Usage Examples

Basic Analysis

# Attach to running app with minimal monitoring
dexray-intercept com.example.app

# Spawn app with crypto monitoring
dexray-intercept -s --enable-aes com.banking.app

Comprehensive Analysis

# Full monitoring with anti-analysis bypass
dexray-intercept -s --hooks-all --hooks-bypass suspicious.malware

# Verbose analysis with stack traces
dexray-intercept -sv --enable-full-stacktrace --hooks-crypto com.example.app

Network Analysis

# Network monitoring with TLS key extraction
dexray-intercept -s --hooks-network --enable-fritap com.banking.app

# Custom network analysis directory
dexray-intercept --enable-fritap --fritap-output-dir ./analysis_2024 --hooks-network com.example.app

Custom Analysis

# Load custom hooks with built-in crypto monitoring
dexray-intercept --custom-script ./my_analysis.js --hooks-crypto com.target.app

# Multiple custom scripts with comprehensive monitoring
dexray-intercept --custom-script ./script1.js --custom-script ./script2.js --hooks-all com.example.app

Remote Analysis

# Connect to remote device
dexray-intercept -H 192.168.1.100:27042 --hooks-crypto com.example.app

# Remote analysis with spawn gating
dexray-intercept -H 10.0.0.5:27042 --enable_spawn_gating --hooks-all com.example.app

Performance Considerations

Hook Selection Strategy

Start with minimal hooks and add categories as needed:

# Start minimal
dexray-intercept --enable-web com.example.app

# Add crypto if needed
dexray-intercept --enable-web --enable-aes com.example.app

# Avoid --hooks-all unless necessary
dexray-intercept --hooks-crypto --hooks-network com.example.app  # Preferred
dexray-intercept --hooks-all com.example.app                     # Heavy

Resource Usage

--hooks-all can significantly impact app performance
--enable-full-stacktrace adds overhead but provides valuable debugging info
--verbose generates substantial output for complex apps

Memory Considerations

Large apps with many events may require increased system memory
friTap network captures can grow large for traffic-heavy applications
Consider using specific hook categories rather than --hooks-all

Error Handling

Common exit codes:

0 - Successful completion
1 - General error
2 - Frida connection error or invalid arguments

For troubleshooting specific errors, see the ../troubleshooting section.