frida-discover
Tool for discovering internal functions inside a target process. It instruments the process at runtime, counts calls per function across all threads, then prints a ranked list. The report is typically used as input for frida-trace: pick the hottest or most interesting functions here, then trace them in detail.
Prerequisites: frida-tools Python package (pip install frida-tools). For remote/USB targets, frida-server must be running on the target device.
Synopsis
frida-discover [options] target
target is selected with exactly one of the attach flags below: a program to spawn (-f), a process name (-n) or PID (-p), an application identifier (-N), the frontmost application (-F), or a spawn pattern to await (-W).
Device Selection Options
| Flag | Description |
|---|---|
| -D ID, --device ID | Connect to device with the given ID (from frida-ls-devices) |
| -U, --usb | Connect to USB-attached device |
| -R, --remote | Connect to remote frida-server (default host) |
| -H HOST, --host HOST | Connect to remote frida-server on HOST |
| --certificate CERT | Speak TLS with HOST, expecting CERT |
| --origin ORIGIN | Set Origin header when connecting to remote server |
| --token TOKEN | Authenticate with HOST using TOKEN |
| --keepalive-interval N | Keepalive interval in seconds; 0 to disable (default: -1) |
| --p2p | Establish peer-to-peer connection with target |
| --stun-server ADDRESS | Set STUN server ADDRESS (used with --p2p) |
| --relay addr,user,pass,turn-TYPE | Add TURN relay for --p2p (repeatable) |
| --device-option option | Override backend-specific option (repeatable) |
Target / Attach Options
| Flag | Description |
|---|---|
| -f FILE, --file FILE | Spawn FILE and attach |
| -F, --attach-frontmost | Attach to the frontmost application |
| -n NAME, --attach-name NAME | Attach to process by NAME |
| -N ID, --attach-identifier ID | Attach to application by bundle/package identifier |
| -p PID, --attach-pid PID | Attach to process by PID |
| -W PATTERN, --await PATTERN | Await a spawn matching PATTERN (gated attach) |
| --realm REALM | Realm to attach in: native (default) or emulated |
| --runtime RUNTIME | Script runtime: qjs (QuickJS) or v8 |
Global Options
| Flag | Description |
|---|---|
| -O FILE, --options-file FILE | Text file containing additional command line options |
| --version | Print Frida version and exit |
Usage Examples
```shell
# Discover internal functions in a local process by name
frida-discover -n Spotify

# Discover functions in a process on a USB device by PID
frida-discover -U -p 1234

# Discover functions in a spawned binary
frida-discover -f /usr/bin/ssh

# Discover in an iOS app by bundle ID
frida-discover -U -N com.apple.mobilesafari
```
Runtime Behavior
- Attach to the target process (or spawn it when -f is used).
- Print `Injecting script...`.
- Print `Tracing N threads. Press ENTER to stop.`, then instrument all threads and accumulate per-function call counts.
- On ENTER: print `Stopping...`, then print the results report.
Output Format
Results are grouped into two sections: Module Functions and Dynamic Functions.
Each section lists entries sorted by call count descending:
```
module_name
Calls      Function
---------- ------------------------------
42         sub_1234abcd
17         sub_5678ef01
...
[Dynamic functions]
Calls      Function
---------- ------------------------------
8          0x7fff1a2b3c4d
...
```
- Module Functions: functions identified within named modules/libraries (symbol names, or sub_ADDR for stripped symbols).
- Dynamic Functions: functions detected in dynamically allocated memory regions (displayed as raw addresses).
- Columns are tab-separated with fixed-width formatting: %-10s for Calls, %s for Function name.
Workflow: frida-discover + frida-trace
frida-discover is designed as a reconnaissance step before frida-trace:
```shell
# Step 1: Identify hot functions
frida-discover -n MyApp

# Step 2: Trace a specific function found above.
# frida-trace's -a flag takes MODULE!OFFSET (a hex offset from the module
# base), not a sub_ name; the sub_ suffix is passed here as that offset.
frida-trace -n MyApp -a "libfoo.dylib!0x1234abcd"
```
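The hand-off between the two tools is easy to script once the report is parsed. The following is an added example (not part of frida-tools) that reads a frida-discover report in the format documented above, keeps the per-module and dynamic tables separate, and turns the hottest module functions into frida-trace selection flags. It assumes, as the workflow above does, that the hex suffix of a `sub_` entry is the function's offset from its module base (frida-trace's MODULE!OFFSET form); named symbols are selected with -i instead. Dynamic-region addresses are returned separately because they have no stable module-relative form to hand to frida-trace. The sample report is constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass, field

# A results row: call count, whitespace, then the function name or address.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
DYNAMIC_HEADER = "[Dynamic functions]"

# Constructed sample in the report layout documented above (not real output).
SAMPLE_REPORT = """\
libfoo.dylib
Calls      Function
---------- ------------------------------
42         sub_1234abcd
17         sub_5678ef01
3          foo_init
libbar.dylib
Calls      Function
---------- ------------------------------
30         bar_parse
[Dynamic functions]
Calls      Function
---------- ------------------------------
8          0x7fff1a2b3c4d
"""


@dataclass
class DiscoverReport:
    modules: dict = field(default_factory=dict)  # module -> [(calls, name), ...]
    dynamic: list = field(default_factory=list)  # [(calls, address), ...]


def parse_discover_output(text: str) -> DiscoverReport:
    """Split a frida-discover report into per-module rows and dynamic rows."""
    report = DiscoverReport()
    current = None  # module name currently being read, or DYNAMIC_HEADER
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == DYNAMIC_HEADER:
            current = DYNAMIC_HEADER
            continue
        if line.startswith("Calls") or line.startswith("-"):
            continue  # column header or rule line
        m = ROW_RE.match(line)
        if m is None:
            # Anything that is not a count/name row starts a new module section.
            current = line
            report.modules.setdefault(current, [])
            continue
        calls, name = int(m.group(1)), m.group(2)
        if current == DYNAMIC_HEADER:
            report.dynamic.append((calls, name))
        elif current is not None:
            report.modules[current].append((calls, name))
    return report


def frida_trace_args(report: DiscoverReport, top: int = 5) -> list:
    """Return frida-trace flags selecting the `top` hottest module functions."""
    rows = [(calls, mod, name)
            for mod, fns in report.modules.items() for calls, name in fns]
    rows.sort(key=lambda r: r[0], reverse=True)  # stable: ties keep report order
    args = []
    for _calls, mod, name in rows[:top]:
        if name.startswith("sub_"):
            # Assumption: sub_<hex> is the offset from the module base, which is
            # what frida-trace's -a MODULE!OFFSET expects.
            args += ["-a", f"{mod}!0x{name[4:]}"]
        else:
            # Named symbols are matched with -i MODULE!FUNCTION.
            args += ["-i", f"{mod}!{name}"]
    return args


def build_trace_command(report: DiscoverReport, target_flags: list, top: int = 5) -> str:
    """Compose the full frida-trace command line for the given attach flags."""
    return shlex.join(["frida-trace", *target_flags, *frida_trace_args(report, top)])


if __name__ == "__main__":
    rep = parse_discover_output(SAMPLE_REPORT)
    print(build_trace_command(rep, ["-n", "MyApp"], top=3))
    for calls, addr in rep.dynamic:
        print(f"dynamic code at {addr} ({calls} calls) cannot be selected by module!offset")
```

In practice the report comes from `frida-discover -n MyApp > report.txt`, and the resulting command is run against the same target. Dynamic entries (JIT code, thunks) still have to be handled by hand, for example by hooking the allocator that produced them or by resolving the address inside a frida-trace handler.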
Notes
- frida-discover uses Frida's Stalker engine under the hood to trace execution; this has non-trivial CPU/memory overhead on the target process.
- Discovery requires all threads to be instrumented; highly multi-threaded processes may show a large thread count.
- Dynamic functions (JIT-compiled code, thunks) are reported by address only, without symbolic names.
- Useful for finding interesting code in stripped binaries where exported symbols are absent.